exectime increase feedback

2023-01-11 16:09:06 +01:00 · 2023-01-11 16:09:06 +01:00 · eeaf7eb43f
commit eeaf7eb43f
parent 68c4887dad
6 changed files with 69 additions and 10 deletions
--- a/fuzzers/FRET/Cargo.toml
+++ b/fuzzers/FRET/Cargo.toml
@ -5,7 +5,7 @@ authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>", "Dominik Maier <domenuk
 edition = "2021"

 [features]
-default = ["std", "snapshot_fast", "singlecore"]
+default = ["std", "snapshot_restore", "singlecore"]
 std = []
 snapshot_restore = []
 snapshot_fast = [ "snapshot_restore" ]
--- a/fuzzers/FRET/benchmark/Makefile
+++ b/fuzzers/FRET/benchmark/Makefile
@ -1,4 +1,4 @@
-TIME=7200
+TIME=3600

 corpora/%/seed:
 	mkdir -p $$(dirname $@)
@ -28,5 +28,7 @@ timedump/%$(FUZZ_RANDOM): corpora/%/seed

 all_sequential: timedump/sequential/mpeg2$(FUZZ_RANDOM) timedump/sequential/dijkstra$(FUZZ_RANDOM) timedump/sequential/epic$(FUZZ_RANDOM)

+all_kernel: timedump/kernel/bsort$(FUZZ_RANDOM) timedump/kernel/insertsort$(FUZZ_RANDOM) # timedump/kernel/fft$(FUZZ_RANDOM)
+
 clean:
 	rm -rf corpora timedump
--- a/fuzzers/FRET/benchmark/target_symbols.csv
+++ b/fuzzers/FRET/benchmark/target_symbols.csv
@ -1,5 +1,8 @@
 kernel,main_function,input_symbol,input_size,return_function
-mpeg2,main,mpeg2_oldorgframe,90112,mpeg2_return
-audiobeam,main,audiobeam_input,11520,audiobeam_return
-epic,main,epic_image,4096,epic_return
-dijkstra,main,dijkstra_AdjMatrix,10000,dijkstra_return
+mpeg2,mpeg2_main,mpeg2_oldorgframe,90112,mpeg2_return
+audiobeam,audiobeam_main,audiobeam_input,11520,audiobeam_return
+epic,epic_main,epic_image,4096,epic_return
+dijkstra,dijkstra_main,dijkstra_AdjMatrix,10000,dijkstra_return
+fft,fft_main,fft_twidtable,2046,fft_return
+bsort,bsort_main,bsort_Array,400,bsort_return
+insertsort,insertsort_main,insertsort_a,44,insertsort_return
--- a/fuzzers/FRET/fuzzer.sh
+++ b/fuzzers/FRET/fuzzer.sh
@ -13,4 +13,4 @@ cd "$parent_path"
 [ -n "$9" -a "$9" != "+" -a -z "$SHOWMAP_TEXTINPUT" ]  && export SHOWMAP_TEXTINPUT="$9"

 [ -z "$FUZZER" ] && export FUZZER=target/debug/fret
-$FUZZER -icount shift=3,align=off,sleep=off -machine mps2-an385 -monitor null -kernel $KERNEL -serial null -nographic -S -semihosting --semihosting-config enable=on,target=native # -snapshot -drive if=none,format=qcow2,file=dummy.qcow2
+$FUZZER -icount shift=3,align=off,sleep=off -machine mps2-an385 -monitor null -kernel $KERNEL -serial null -nographic -S -semihosting --semihosting-config enable=on,target=native -snapshot -drive if=none,format=qcow2,file=dummy.qcow2
--- a/fuzzers/FRET/src/fuzzer.rs
+++ b/fuzzers/FRET/src/fuzzer.rs
@ -37,7 +37,7 @@ use libafl_qemu::{
 use crate::{
    clock::{QemuClockObserver, ClockTimeFeedback, QemuClockIncreaseFeedback, ICOUNT_HISTORY},
    qemustate::QemuStateRestoreHelper,
-    systemstate::{helpers::QemuSystemStateHelper, observers::QemuSystemStateObserver, feedbacks::DumpSystraceFeedback}, worst::TimeMaximizerCorpusScheduler,
+    systemstate::{helpers::QemuSystemStateHelper, observers::QemuSystemStateObserver, feedbacks::DumpSystraceFeedback}, worst::{TimeMaximizerCorpusScheduler, ExecTimeIncFeedback},
 };

 pub static mut MAX_INPUT_SIZE: usize = 32;
@ -63,7 +63,7 @@ pub fn fuzz() {
        str::parse::<usize>(&s).expect("FUZZ_SIZE was not a number");
    };
    // Hardcoded parameters
-    let timeout = Duration::from_secs(3);
+    let timeout = Duration::from_secs(1);
    let broker_port = 1337;
    let cores = Cores::from_cmdline("1").unwrap();
    let corpus_dirs = [PathBuf::from("./corpus")];
@ -208,7 +208,9 @@ pub fn fuzz() {
            MaxMapFeedback::new_tracking(&edges_observer, true, true),
            // QemuClockIncreaseFeedback::default(),
            // Time feedback, this one does not need a feedback state
-            ClockTimeFeedback::new_with_observer(&clock_time_observer)
+            ClockTimeFeedback::new_with_observer(&clock_time_observer),
+            // Feedback to reward any input which increses the execution time
+            ExecTimeIncFeedback::new()
        );
        #[cfg(feature = "systemstate")]
        let mut feedback = feedback_or!(
--- a/fuzzers/FRET/src/worst.rs
+++ b/fuzzers/FRET/src/worst.rs
@ -261,4 +261,56 @@ impl Named for ExecTimeCollectorFeedbackState
    fn name(&self) -> &str {
        "ExecTimeCollectorFeedbackState"
    }
+}
+
+//===================================================================
+/// A Feedback which expects a certain minimum execution time
+#[derive(Serialize, Deserialize, Clone, Debug)]
+pub struct ExecTimeIncFeedback
+{
+    longest_time: u64,
+}
+
+impl<S> Feedback<S> for ExecTimeIncFeedback
+where
+    S: UsesInput + HasClientPerfMonitor,
+{
+    #[allow(clippy::wrong_self_convention)]
+    fn is_interesting<EM, OT>(
+        &mut self,
+        _state: &mut S,
+        _manager: &mut EM,
+        _input: &S::Input,
+        observers: &OT,
+        _exit_kind: &ExitKind,
+    ) -> Result<bool, Error>
+    where
+        EM: EventFirer<State = S>,
+        OT: ObserversTuple<S>,
+    {
+        let observer = observers.match_name::<QemuClockObserver>("clocktime")
+            .expect("QemuClockObserver not found");
+        if observer.last_runtime() > self.longest_time {
+            self.longest_time = observer.last_runtime();
+        }
+        Ok(observer.last_runtime() > self.longest_time)
+    }
+}
+
+impl Named for ExecTimeIncFeedback
+{
+    #[inline]
+    fn name(&self) -> &str {
+        "ExecTimeReachedFeedback"
+    }
+}
+
+impl ExecTimeIncFeedback
+where
+{
+    /// Creates a new [`ExecTimeReachedFeedback`]
+    #[must_use]
+    pub fn new() -> Self {
+        Self {longest_time: 0}
+    }
 }