From eb3914e5c1942d2c7689a8c421fef5f1e4e2d487 Mon Sep 17 00:00:00 2001
From: Alwin Berger
Date: Mon, 6 Jun 2022 00:42:45 +0200
Subject: [PATCH] introduce INPUT_BYTES_OFFSET constant

---
 fuzzers/wcet_qemu_sys/src/bin/fuzzer.rs | 24 ++++++++++++-------
 fuzzers/wcet_qemu_sys/src/bin/showmap.rs | 21 +++++++++-------
 fuzzers/wcet_qemu_sys/src/sysstate/graph.rs | 10 ++++----
 fuzzers/wcet_qemu_sys/src/sysstate/mod.rs | 2 ++
 .../wcet_qemu_sys/src/sysstate/observers.rs | 3 ++-
 5 files changed, 38 insertions(+), 22 deletions(-)

diff --git a/fuzzers/wcet_qemu_sys/src/bin/fuzzer.rs b/fuzzers/wcet_qemu_sys/src/bin/fuzzer.rs
index 3c4b6059eb..d9c0f828a3 100644
--- a/fuzzers/wcet_qemu_sys/src/bin/fuzzer.rs
+++ b/fuzzers/wcet_qemu_sys/src/bin/fuzzer.rs
@@ -34,6 +34,7 @@ use wcet_qemu_sys::sysstate::helpers::QemuSystemStateHelper;
 use wcet_qemu_sys::sysstate::observers::QemuSysStateObserver;
 use wcet_qemu_sys::sysstate::feedbacks::SysStateFeedbackState;
 use wcet_qemu_sys::sysstate::feedbacks::NovelSysStateFeedback;
+use wcet_qemu_sys::sysstate::INPUT_BYTES_OFFSET;
 use wcet_qemu_sys::worst::QemuHashMapObserver;
 use wcet_qemu_sys::minimizer::QemuCaseMinimizerStage;
 use hashbrown::HashMap;
@@ -530,13 +531,15 @@ fn fuzz(
 let mut buf = target.as_slice();
 let mut len = buf.len();
 let mut int_tick : Option = None;
- if len > 2 {
- let mut t : [u8; 4] = [0,0,0,0]; // 4 extra bytes determine the tick to execute an interrupt
- t[0]=buf[0];
- t[1]=buf[1];
- int_tick = Some(u32::from_le_bytes(t));
- buf = &buf[2..];
- len = buf.len();
+ if INPUT_BYTES_OFFSET!= 0 {
+ if len > 2 {
+ let mut t : [u8; 4] = [0,0,0,0]; // 4 extra bytes determine the tick to execute an interrupt
+ t[0]=buf[0];
+ t[1]=buf[1];
+ int_tick = Some(u32::from_le_bytes(t));
+ buf = &buf[2..];
+ len = buf.len();
+ }
 }
 if len >= 32 {
 buf = &buf[0..32];
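Review bot: The stripping block still hard-codes the prefix width — `len > 2`, `t[0]=buf[0]`, `t[1]=buf[1]`, `&buf[2..]` — so `INPUT_BYTES_OFFSET` only toggles the block on or off, and any value other than 2 would silently disagree with observers.rs, which adds the constant to `input_counter`. showmap.rs (hunk @339) duplicates the same block; deriving the width from the constant in both places, as below, keeps the two binaries and the observer from drifting apart. Note that `u32::from_le_bytes` needs the width to stay at most 4, which the `copy_from_slice` below would panic on rather than silently misread. fuzz() starts and ends outside the hunk.
```rust
 let off = INPUT_BYTES_OFFSET as usize;
 // the first `off` input bytes carry the interrupt tick (little-endian); width must be <= 4
 if off != 0 && len > off {
     let mut t = [0u8; 4];
     t[..off].copy_from_slice(&buf[..off]);
     int_tick = Some(u32::from_le_bytes(t));
     buf = &buf[off..];
     len = buf.len();
 }
 // … unchanged: 32-byte truncation of buf …
```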
@@ -544,7 +547,9 @@ fn fuzz(
 }
 unsafe {
- libafl_int_offset = 347780+int_tick.unwrap_or(0);
+ if INPUT_BYTES_OFFSET!= 0 {
+ libafl_int_offset = 347780+int_tick.unwrap_or(0);
+ }
 // INTR_OFFSET = int_tick;
 emu.write_mem(test_length_ptr,&(len as u32).to_le_bytes());
 emu.write_mem(input_addr,buf);
@@ -610,7 +615,7 @@ fn fuzz(
 // let tracing = ShadowTracingStage::new(&mut executor);
 // The order of the stages matter!
- let mut stages = tuple_list!(QemuCaseMinimizerStage::new(16),mutation);
+ let mut stages = tuple_list!(mutation,QemuCaseMinimizerStage::new(16));
 // Remove target ouput (logs still survive)
 #[cfg(unix)]
@@ -642,6 +647,7 @@ fn fuzz(
 .unwrap();
 let newgraph = feedbackstate.graph.map(
 |_, n| n.get_taskname(),
+ // |_, n| format!("{} {:?}",n.get_taskname(),n.get_input_counts().iter().min().unwrap_or(&0)),
 |_, e| e,
 );
 let tempg = format!("{:?}",Dot::with_config(&newgraph, &[Config::EdgeNoLabel]));
diff --git a/fuzzers/wcet_qemu_sys/src/bin/showmap.rs b/fuzzers/wcet_qemu_sys/src/bin/showmap.rs
index b79308050d..43404ae230 100644
--- a/fuzzers/wcet_qemu_sys/src/bin/showmap.rs
+++ b/fuzzers/wcet_qemu_sys/src/bin/showmap.rs
@@ -4,6 +4,7 @@ use wcet_qemu_sys::sysstate::helpers::INTR_OFFSET;
 use std::io::Read;
 use wcet_qemu_sys::sysstate::observers::QemuSysStateObserver;
 use wcet_qemu_sys::sysstate::feedbacks::DumpSystraceFeedback;
+use wcet_qemu_sys::sysstate::INPUT_BYTES_OFFSET;
 use wcet_qemu_sys::worst::QemuHashMapObserver;
 use wcet_qemu_sys::{
 worst::{DumpMapFeedback,DummyFeedback},
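Review bot: `347780` in the new `libafl_int_offset = 347780+int_tick.unwrap_or(0);` is an undocumented magic base, and the identical expression is added to showmap.rs in hunk @353; one named constant next to `INPUT_BYTES_OFFSET` in sysstate, e.g. `pub const INT_OFFSET_BASE: u32 = 347780; // base added to the interrupt tick read from the input prefix`, keeps the two binaries in step and records what the number means. The assignment sits inside `unsafe` and is presumably a write to a mutable static; a `// SAFETY:` comment stating why nothing else reads it while the run is in flight would be expected there. The commented-out `// INTR_OFFSET = int_tick;` that remains below it should either be removed or explained.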
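Review bot: Swapping the stage order to `tuple_list!(mutation,QemuCaseMinimizerStage::new(16))` is unrelated to the constant this commit introduces, and the message does not say why the minimizer now runs after mutation even though the comment above states the order matters. The reason belongs either in the commit message or on that line, e.g. `// minimize after mutating so the minimizer sees the freshly mutated input`, if that is the intent. Otherwise this change would be easier to review as its own commit.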
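Review bot: The added line is commented-out code (`// |_, n| format!(...)`), which rots alongside the API it calls; if the alternative node labelling is meant to stay selectable, a `const` flag or `#[cfg(feature = ...)]` is clearer, otherwise drop it before merging. Within this patch it is also the only reference to the new `get_input_counts()` in graph.rs.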
@@ -339,13 +340,15 @@ fn fuzz(
 let mut buf = target.as_slice();
 let mut len = buf.len();
 let mut int_tick : Option = None;
- if len > 2 {
- let mut t : [u8; 4] = [0,0,0,0]; // 4 extra bytes determine the tick to execute an interrupt
- t[0]=buf[0];
- t[1]=buf[1];
- int_tick = Some(u32::from_le_bytes(t));
- buf = &buf[2..];
- len = buf.len();
+ if INPUT_BYTES_OFFSET!= 0 {
+ if len > 2 {
+ let mut t : [u8; 4] = [0,0,0,0]; // 4 extra bytes determine the tick to execute an interrupt
+ t[0]=buf[0];
+ t[1]=buf[1];
+ int_tick = Some(u32::from_le_bytes(t));
+ buf = &buf[2..];
+ len = buf.len();
+ }
 }
 if len >= 32 {
 buf = &buf[0..32];
@@ -353,7 +356,9 @@ fn fuzz(
 }
 unsafe {
- // libafl_int_offset = 347780+int_tick.unwrap_or(0);
+ if INPUT_BYTES_OFFSET!= 0 {
+ libafl_int_offset = 347780+int_tick.unwrap_or(0);
+ }
 // INTR_OFFSET = int_tick;
 emu.write_mem(test_length_ptr,&(len as u32).to_le_bytes());
 emu.write_mem(input_addr,buf);
diff --git a/fuzzers/wcet_qemu_sys/src/sysstate/graph.rs b/fuzzers/wcet_qemu_sys/src/sysstate/graph.rs
index 82182fd50b..e12e490ed1 100644
--- a/fuzzers/wcet_qemu_sys/src/sysstate/graph.rs
+++ b/fuzzers/wcet_qemu_sys/src/sysstate/graph.rs
@@ -104,6 +104,9 @@ impl SysGraphNode {
 pub fn get_taskname(&self) -> &str {
 &self.base.current_task.task_name
 }
+ pub fn get_input_counts(&self) -> Vec {
+ self.variants.iter().map(|x| x.input_counter).collect()
+ }
 }
 impl PartialEq for SysGraphNode {
 fn eq(&self, other: &SysGraphNode) -> bool {
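Review bot: This hunk turns a line that was commented out in showmap into live code (`// libafl_int_offset = ...` becomes `libafl_int_offset = 347780+int_tick.unwrap_or(0);` under the `INPUT_BYTES_OFFSET!= 0` guard), so showmap now programs the interrupt tick the way the fuzzer does; that is a behaviour change for the tool and deserves a sentence in the commit message, since replaying an existing corpus will no longer give the same trace. The `347780` base is the same literal as in fuzzer.rs and is best shared as one named constant rather than kept in two binaries. fuzz() continues outside the hunk.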
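Review bot: `get_input_counts` is public and undocumented; a one-line doc comment such as `/// Per-variant `input_counter` values of this node, in variant order.` would say what the returned `Vec` holds (its element type is not recoverable from this rendering of the patch, presumably the type of `input_counter`). Within this patch its only reference is the commented-out closure in fuzzer.rs hunk @642, so the method lands as dead code; either wire the caller up or hold the addition until it is used. The `impl SysGraphNode` block continues outside the hunk.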
@@ -456,13 +459,12 @@ where
 let mut collection : Vec> = Vec::new();
 let mut current_pointer : usize = 0;
- let INPUT_BYTES_OFFSET = 0; // Offset for interrupt bytes
 for t in &trace.inner {
 let node = &g[*t];
 for v in &node.variants {
 if v.input == input.bytes() {
 if v.input_counter > current_pointer.try_into().unwrap() {
- collection.push(v.input[INPUT_BYTES_OFFSET+current_pointer..INPUT_BYTES_OFFSET+v.input_counter as usize].to_owned());
+ collection.push(v.input[current_pointer..v.input_counter as usize].to_owned());
 current_pointer = v.input_counter as usize;
 }
 break;
@@ -474,7 +476,7 @@ where
 collection[index_to_mutate][i] = myrand.below(0xFF) as u8;
 }
 for i in collection.concat().iter().enumerate() {
- input.bytes_mut()[INPUT_BYTES_OFFSET+i.0]=*i.1;
+ input.bytes_mut()[i.0]=*i.1;
 }
 Ok(MutationResult::Mutated)
@@ -547,7 +549,7 @@ where
 // follow the path, extract snippets from last reads, find common snippets.
 // those are likley keys parts. choose random parts from other sibling traces
 let inp_c_end = g[*trace.inner.last().unwrap()].base.input_counter;
- let mut num_to_reverse = 1;
+ let mut num_to_reverse = myrand.below(trace.inner.len().try_into().unwrap());
 for t in trace.inner.iter().rev() {
 let int_c_prefix = g[*t].base.input_counter;
 if int_c_prefix < inp_c_end {
diff --git a/fuzzers/wcet_qemu_sys/src/sysstate/mod.rs b/fuzzers/wcet_qemu_sys/src/sysstate/mod.rs
index 16649c61be..ac609edf99 100644
--- a/fuzzers/wcet_qemu_sys/src/sysstate/mod.rs
+++ b/fuzzers/wcet_qemu_sys/src/sysstate/mod.rs
@@ -15,6 +15,8 @@ pub mod observers;
 pub mod feedbacks;
 pub mod graph;
+pub const INPUT_BYTES_OFFSET : u32 = 2; // Offset for interrupt bytes
+
 // Constants
 const NUM_PRIOS: usize = 5;
diff --git a/fuzzers/wcet_qemu_sys/src/sysstate/observers.rs b/fuzzers/wcet_qemu_sys/src/sysstate/observers.rs
index 3328cc1db0..0a33266787 100644
--- a/fuzzers/wcet_qemu_sys/src/sysstate/observers.rs
+++ b/fuzzers/wcet_qemu_sys/src/sysstate/observers.rs
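Review bot: `v.input[current_pointer..v.input_counter as usize]` now slices with a counter that observers.rs shifts by `INPUT_BYTES_OFFSET`, but the end bound is not clamped to `v.input.len()`; for inputs the fuzzer does not strip (fuzzer.rs only strips when `len > 2`) the shifted counter can exceed the input length and the slice panics inside the mutator. Clamping first, `let end = (v.input_counter as usize).min(v.input.len());` and slicing `v.input[current_pointer..end]`, keeps short inputs from crashing the run. Dropping the old zero offset also means the first snippet starts at byte 0 and the write-back in hunk @474 (`input.bytes_mut()[i.0]=*i.1;`) starts at byte 0 as well, so mutation now reaches the interrupt-tick prefix that the target never sees; confirm that is intended. The enclosing function starts and ends outside the hunk.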
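Review bot: `myrand.below(trace.inner.len().try_into().unwrap())` replaces a fixed `1`; if `below` yields a value in `[0, upper)` as its name suggests, `num_to_reverse` can now be 0 where it was previously at least 1, so confirm that a zero count is meaningful for the loop that follows or use `1 + myrand.below(...)` with the bound reduced by one. The `.last().unwrap()` on the line above already panics on an empty trace, so `below(0)` is unreachable here, but that invariant deserves a comment on the line, e.g. `// trace.inner is non-empty (checked by last().unwrap() above)`. The function continues outside the hunk.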
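Review bot: `pub const INPUT_BYTES_OFFSET : u32 = 2; // Offset for interrupt bytes` is typed `u32` although its natural use is slicing `&[u8]`, which forces `as usize` casts at every consumer; declaring it `usize` removes those, leaving a single cast where observers.rs adds it to `input_counter`. The trailing comment should also state the contract the rest of the patch relies on, e.g. `/// Number of leading input bytes that encode the interrupt tick (little-endian, at most 4 so it fits u32::from_le_bytes); they are stripped before the payload is written to the target, and recorded input_counter values are shifted by this amount.` Without that, a reader of mod.rs has no way to know that changing the value also requires changing the hard-coded `2`s in fuzzer.rs and showmap.rs.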
@@ -1,3 +1,4 @@
+use crate::sysstate::INPUT_BYTES_OFFSET;
 use libafl::inputs::HasTargetBytes;
 use libafl::bolts::HasLen;
 use libafl::bolts::tuples::Named;
@@ -129,7 +130,7 @@ for mut i in input.drain(..) {
 start_tick: start_tick,
 end_tick: i.qemu_tick,
 ready_list_after: collector,
- input_counter: i.input_counter,
+ input_counter: i.input_counter+INPUT_BYTES_OFFSET,
 last_pc: i.last_pc,
 });
 start_tick=i.qemu_tick;
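Review bot: `input_counter: i.input_counter+INPUT_BYTES_OFFSET` applies the shift unconditionally, while fuzzer.rs and showmap.rs strip the prefix only when `len > 2` and only when the constant is non-zero, neither of which this line checks; for inputs of two bytes or fewer the recorded counter therefore points past the bytes the target actually consumed. Either make the strip unconditional in the producers (reject or pad inputs shorter than the prefix) or let the observer learn whether the prefix was stripped instead of assuming it; at minimum the assumption belongs on this line, e.g. `// assumes the INPUT_BYTES_OFFSET prefix was stripped before the target ran`. The enclosing `for mut i in input.drain(..)` loop starts outside the hunk.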