add systemstate feature and dump times
This commit is contained in:
parent
d936234976
commit
f4e1990387
@ -10,6 +10,7 @@ std = []
|
|||||||
snapshot_restore = []
|
snapshot_restore = []
|
||||||
snapshot_fast = [ "snapshot_restore" ]
|
snapshot_fast = [ "snapshot_restore" ]
|
||||||
singlecore = []
|
singlecore = []
|
||||||
|
systemstate = []
|
||||||
|
|
||||||
[profile.release]
|
[profile.release]
|
||||||
lto = true
|
lto = true
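Review bot: The new `systemstate` feature on the line after `singlecore = []` has no comment saying what it switches on, while the other features here are equally undocumented and a reader of Cargo.toml cannot tell from the name alone. Since the fuzz() hunks in this commit gate `QemuSystemStateHelper`, `QemuSystemStateObserver` and `DumpSystraceFeedback` behind it, a one-liner above the entry would settle that: `# enable the task/system-state tracing helper, observer and systrace-dump feedback`.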
|
||||||
|
@ -3,6 +3,8 @@
|
|||||||
[ -n "$2" -a "$2" != "+" -a -z "$FUZZ_MAIN" ] && export FUZZ_MAIN="$2"
|
[ -n "$2" -a "$2" != "+" -a -z "$FUZZ_MAIN" ] && export FUZZ_MAIN="$2"
|
||||||
[ -n "$3" -a "$3" != "+" -a -z "$FUZZ_INPUT" ] && export FUZZ_INPUT="$3"
|
[ -n "$3" -a "$3" != "+" -a -z "$FUZZ_INPUT" ] && export FUZZ_INPUT="$3"
|
||||||
[ -n "$4" -a "$4" != "+" -a -z "$BREAKPOINT" ] && export BREAKPOINT="$4"
|
[ -n "$4" -a "$4" != "+" -a -z "$BREAKPOINT" ] && export BREAKPOINT="$4"
|
||||||
[ -n "$5" -a "$5" != "+" -a -z "$DO_SHOWMAP" ] && export DO_SHOWMAP="$5"
|
[ -n "$5" -a "$5" != "+" -a -z "$FUZZ_ITERS" ] && export FUZZ_ITERS="$5"
|
||||||
[ -n "$6" -a "$6" != "+" -a -z "$SHOWMAP_TEXTINPUT" ] && export SHOWMAP_TEXTINPUT="$6"
|
[ -n "$6" -a "$6" != "+" -a -z "$TIME_DUMP" ] && export TIME_DUMP="$6"
|
||||||
|
[ -n "$7" -a "$7" != "+" -a -z "$DO_SHOWMAP" ] && export DO_SHOWMAP="$7"
|
||||||
|
[ -n "$8" -a "$8" != "+" -a -z "$SHOWMAP_TEXTINPUT" ] && export SHOWMAP_TEXTINPUT="$8"
|
||||||
target/debug/qemu_systemmode -icount shift=3,align=off,sleep=off -machine mps2-an385 -monitor null -kernel $KERNEL -serial null -nographic -S -semihosting --semihosting-config enable=on,target=native # -snapshot -drive if=none,format=qcow2,file=dummy.qcow2
|
target/debug/qemu_systemmode -icount shift=3,align=off,sleep=off -machine mps2-an385 -monitor null -kernel $KERNEL -serial null -nographic -S -semihosting --semihosting-config enable=on,target=native # -snapshot -drive if=none,format=qcow2,file=dummy.qcow2
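Review bot: The positional argument layout shifts at `$5` and `$6`: they previously set `DO_SHOWMAP` and `SHOWMAP_TEXTINPUT` and now set `FUZZ_ITERS` and `TIME_DUMP`, with the old two pushed to `$7`/`$8`, so any caller still passing five or six arguments silently feeds its showmap value into `FUZZ_ITERS`, which the Rust side then parses with `str::parse::<u64>` and panics on if it is not a number. Nothing in the script records the new order, so I would add a usage comment above the first `[ -n "$2" ...` line, e.g. `# args (or "+" to keep the env value): 2=FUZZ_MAIN 3=FUZZ_INPUT 4=BREAKPOINT 5=FUZZ_ITERS 6=TIME_DUMP 7=DO_SHOWMAP 8=SHOWMAP_TEXTINPUT`. The meaning of `$1` is set before line 3 and is outside this hunk.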
|
@ -84,6 +84,8 @@ impl Default for MaxIcountMetadata {
|
|||||||
|
|
||||||
//========== Observer
|
//========== Observer
|
||||||
|
|
||||||
|
pub static mut ICOUNT_HISTORY : Vec<u64> = vec![];
|
||||||
|
|
||||||
/// A simple observer, just overlooking the runtime of the target.
|
/// A simple observer, just overlooking the runtime of the target.
|
||||||
#[derive(Serialize, Deserialize, Debug, Clone)]
|
#[derive(Serialize, Deserialize, Debug, Clone)]
|
||||||
pub struct QemuClockObserver {
|
pub struct QemuClockObserver {
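Review bot: `pub static mut ICOUNT_HISTORY : Vec<u64>` introduces unsynchronised global mutable state: it is pushed to from `post_exec` in the next hunk and iterated from `fuzz()` in the last hunk, both through `unsafe` blocks that carry no `// SAFETY:` comment stating why no two references can coexist (the `not(feature = "singlecore")` build suggests more than one executor may exist, but that is not visible here). If the toolchain is at least 1.63, `Mutex::new` is `const` and the static can become `pub static ICOUNT_HISTORY: Mutex<Vec<u64>> = Mutex::new(Vec::new());`, with the two users changed to `ICOUNT_HISTORY.lock().unwrap().push(self.end_tick - self.start_tick)` and `for i in ICOUNT_HISTORY.lock().unwrap().iter()`, removing the `unsafe` entirely. Otherwise keep it but add `/// Per-execution icount deltas recorded by QemuClockObserver::post_exec; read from fuzz() after the loop. Accessed without synchronisation: single-threaded use only.` above the declaration.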
|
||||||
@ -130,7 +132,8 @@ where
|
|||||||
fn post_exec(&mut self, _state: &mut S, _input: &S::Input, _exit_kind: &ExitKind) -> Result<(), Error> {
|
fn post_exec(&mut self, _state: &mut S, _input: &S::Input, _exit_kind: &ExitKind) -> Result<(), Error> {
|
||||||
unsafe { self.end_tick = emu::icount_get_raw() };
|
unsafe { self.end_tick = emu::icount_get_raw() };
|
||||||
// println!("clock post {}", self.end_tick);
|
// println!("clock post {}", self.end_tick);
|
||||||
println!("Number of Ticks: {} <- {} {}",self.end_tick - self.start_tick, self.end_tick, self.start_tick);
|
// println!("Number of Ticks: {} <- {} {}",self.end_tick - self.start_tick, self.end_tick, self.start_tick);
|
||||||
|
unsafe { ICOUNT_HISTORY.push(self.end_tick - self.start_tick) };
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
}
|
}
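Review bot: The new `ICOUNT_HISTORY.push(...)` in `post_exec` runs on every execution regardless of whether `FUZZ_ITERS`/`TIME_DUMP` are set, so in the unbounded `fuzz_loop` branch (which never returns normally and therefore never writes the dump) the vector grows by one `u64` per execution for the life of the campaign and is never drained. Recording should be opt-in: either give the observer a `record_history: bool` set from the environment once at construction and make the push `if self.record_history { ... }`, or at minimum document the trade-off with `// unbounded: grows by one entry per execution; only dumped when FUZZ_ITERS is set`. The enclosing `impl` block starts outside this hunk.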
|
||||||
|
@ -35,7 +35,7 @@ use libafl_qemu::{
|
|||||||
QemuHooks, Regs, QemuInstrumentationFilter, GuestAddr,
|
QemuHooks, Regs, QemuInstrumentationFilter, GuestAddr,
|
||||||
};
|
};
|
||||||
use crate::{
|
use crate::{
|
||||||
clock::{QemuClockObserver, ClockTimeFeedback, QemuClockIncreaseFeedback},
|
clock::{QemuClockObserver, ClockTimeFeedback, QemuClockIncreaseFeedback, ICOUNT_HISTORY},
|
||||||
qemustate::QemuStateRestoreHelper,
|
qemustate::QemuStateRestoreHelper,
|
||||||
systemstate::{helpers::QemuSystemStateHelper, observers::QemuSystemStateObserver, feedbacks::DumpSystraceFeedback}, worst::TimeMaximizerCorpusScheduler,
|
systemstate::{helpers::QemuSystemStateHelper, observers::QemuSystemStateObserver, feedbacks::DumpSystraceFeedback}, worst::TimeMaximizerCorpusScheduler,
|
||||||
};
|
};
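Review bot: The `use crate::systemstate::{helpers::QemuSystemStateHelper, observers::QemuSystemStateObserver, feedbacks::DumpSystraceFeedback}` import stays unconditional while every use of those names in this commit is behind `#[cfg(feature = "systemstate")]`, so a build without the feature at least reports unused imports, and if the `systemstate` module itself is feature-gated (not visible here) it fails to compile. Gate the import to match: `#[cfg(feature = "systemstate")]` on its own line above `systemstate::{...}` inside the `use crate::{...}` group, or split it out as `#[cfg(feature = "systemstate")] use crate::systemstate::{...};`.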
|
||||||
@ -98,16 +98,21 @@ pub fn fuzz() {
|
|||||||
.expect("Symbol main not found");
|
.expect("Symbol main not found");
|
||||||
println!("main address = {:#x}", main_addr);
|
println!("main address = {:#x}", main_addr);
|
||||||
|
|
||||||
|
#[cfg(feature = "systemstate")]
|
||||||
let curr_tcb_pointer = elf // loads to the address specified in elf, without respecting program headers
|
let curr_tcb_pointer = elf // loads to the address specified in elf, without respecting program headers
|
||||||
.resolve_symbol("pxCurrentTCB", 0)
|
.resolve_symbol("pxCurrentTCB", 0)
|
||||||
.expect("Symbol pxCurrentTCBC not found");
|
.expect("Symbol pxCurrentTCBC not found");
|
||||||
// let curr_tcb_pointer = virt2phys(curr_tcb_pointer,&elf);
|
// let curr_tcb_pointer = virt2phys(curr_tcb_pointer,&elf);
|
||||||
|
#[cfg(feature = "systemstate")]
|
||||||
println!("TCB pointer at {:#x}", curr_tcb_pointer);
|
println!("TCB pointer at {:#x}", curr_tcb_pointer);
|
||||||
|
#[cfg(feature = "systemstate")]
|
||||||
let task_queue_addr = elf
|
let task_queue_addr = elf
|
||||||
.resolve_symbol("pxReadyTasksLists", 0)
|
.resolve_symbol("pxReadyTasksLists", 0)
|
||||||
.expect("Symbol pxReadyTasksLists not found");
|
.expect("Symbol pxReadyTasksLists not found");
|
||||||
// let task_queue_addr = virt2phys(task_queue_addr,&elf.goblin());
|
// let task_queue_addr = virt2phys(task_queue_addr,&elf.goblin());
|
||||||
|
#[cfg(feature = "systemstate")]
|
||||||
println!("Task Queue at {:#x}", task_queue_addr);
|
println!("Task Queue at {:#x}", task_queue_addr);
|
||||||
|
#[cfg(feature = "systemstate")]
|
||||||
let svh = elf
|
let svh = elf
|
||||||
.resolve_symbol("xPortPendSVHandler", 0)
|
.resolve_symbol("xPortPendSVHandler", 0)
|
||||||
.expect("Symbol xPortPendSVHandler not found");
|
.expect("Symbol xPortPendSVHandler not found");
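Review bot: Eight separate `#[cfg(feature = "systemstate")]` attributes are sprinkled over individual `let` and `println!` statements in this hunk and the next one (`-115,12 +120,15`), which is easy to get wrong the next time someone adds a line that reads `curr_tcb_pointer`, `task_queue_addr`, `svh` or `app_range` without its own gate. Resolving these FreeRTOS symbols in one gated helper, e.g. `#[cfg(feature = "systemstate")] fn resolve_systemstate_symbols(elf: &EasyElf) -> (GuestAddr, GuestAddr, GuestAddr, Range<GuestAddr>)` (the exact ELF type is outside this hunk and should be taken from the `elf` binding's declaration), and calling it once under a single `#[cfg]` keeps the gating in one place. A comment on the first gated line would also help: `// symbols below are only needed by QemuSystemStateHelper (feature "systemstate")`.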
|
||||||
@ -115,12 +120,15 @@ pub fn fuzz() {
|
|||||||
// let svh = elf
|
// let svh = elf
|
||||||
// .resolve_symbol("vPortEnterCritical", 0)
|
// .resolve_symbol("vPortEnterCritical", 0)
|
||||||
// .expect("Symbol vPortEnterCritical not found");
|
// .expect("Symbol vPortEnterCritical not found");
|
||||||
|
#[cfg(feature = "systemstate")]
|
||||||
let app_start = elf
|
let app_start = elf
|
||||||
.resolve_symbol("__APP_CODE_START__", 0)
|
.resolve_symbol("__APP_CODE_START__", 0)
|
||||||
.expect("Symbol __APP_CODE_START__ not found");
|
.expect("Symbol __APP_CODE_START__ not found");
|
||||||
|
#[cfg(feature = "systemstate")]
|
||||||
let app_end = elf
|
let app_end = elf
|
||||||
.resolve_symbol("__APP_CODE_END__", 0)
|
.resolve_symbol("__APP_CODE_END__", 0)
|
||||||
.expect("Symbol __APP_CODE_END__ not found");
|
.expect("Symbol __APP_CODE_END__ not found");
|
||||||
|
#[cfg(feature = "systemstate")]
|
||||||
let app_range = app_start..app_end;
|
let app_range = app_start..app_end;
|
||||||
|
|
||||||
let breakpoint = elf
|
let breakpoint = elf
|
||||||
@ -140,11 +148,11 @@ pub fn fuzz() {
|
|||||||
let env: Vec<(String, String)> = env::vars().collect();
|
let env: Vec<(String, String)> = env::vars().collect();
|
||||||
let emu = Emulator::new(&args, &env);
|
let emu = Emulator::new(&args, &env);
|
||||||
|
|
||||||
// emu.set_breakpoint(main_addr);
|
emu.set_breakpoint(main_addr);
|
||||||
// unsafe {
|
unsafe {
|
||||||
// emu.run();
|
emu.run();
|
||||||
// }
|
}
|
||||||
// emu.remove_breakpoint(main_addr);
|
emu.remove_breakpoint(main_addr);
|
||||||
|
|
||||||
emu.set_breakpoint(breakpoint); // BREAKPOINT
|
emu.set_breakpoint(breakpoint); // BREAKPOINT
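Review bot: The re-enabled `unsafe { emu.run(); }` between `emu.set_breakpoint(main_addr)` and `emu.remove_breakpoint(main_addr)` has no `// SAFETY:` comment, and nothing after it confirms that the guest actually stopped at `main_addr` rather than at some other halt condition before the fuzz loop begins. I would at least document the intent and invariant above the block, `// SAFETY: runs the guest until the breakpoint at main_addr; no fuzzer state or hooks reference the emulator yet`, and, if the emulator API exposes the program counter (`Regs` is imported but its use is outside this hunk), assert the stop address before removing the breakpoint.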
|
||||||
|
|
||||||
@ -192,13 +200,17 @@ pub fn fuzz() {
|
|||||||
// Feedback to rate the interestingness of an input
|
// Feedback to rate the interestingness of an input
|
||||||
// This one is composed by two Feedbacks in OR
|
// This one is composed by two Feedbacks in OR
|
||||||
let mut feedback = feedback_or!(
|
let mut feedback = feedback_or!(
|
||||||
DumpSystraceFeedback::with_dump(None),
|
|
||||||
// New maximization map feedback linked to the edges observer and the feedback state
|
// New maximization map feedback linked to the edges observer and the feedback state
|
||||||
MaxMapFeedback::new_tracking(&edges_observer, true, true),
|
MaxMapFeedback::new_tracking(&edges_observer, true, true),
|
||||||
// QemuClockIncreaseFeedback::default(),
|
// QemuClockIncreaseFeedback::default(),
|
||||||
// Time feedback, this one does not need a feedback state
|
// Time feedback, this one does not need a feedback state
|
||||||
ClockTimeFeedback::new_with_observer(&clock_time_observer)
|
ClockTimeFeedback::new_with_observer(&clock_time_observer)
|
||||||
);
|
);
|
||||||
|
#[cfg(feature = "systemstate")]
|
||||||
|
let mut feedback = feedback_or!(
|
||||||
|
DumpSystraceFeedback::with_dump(None),
|
||||||
|
feedback
|
||||||
|
);
|
||||||
|
|
||||||
// A feedback to choose if an input is a solution or not
|
// A feedback to choose if an input is a solution or not
|
||||||
let mut objective = feedback_or_fast!(CrashFeedback::new(), TimeoutFeedback::new());
|
let mut objective = feedback_or_fast!(CrashFeedback::new(), TimeoutFeedback::new());
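Review bot: The gated `let mut feedback = feedback_or!(DumpSystraceFeedback::with_dump(None), feedback);` shadows the binding declared just above it, so with the feature on the first `feedback` is moved and its `mut` is unused (a warning), and a reader of the ungated block cannot see that it may be wrapped again below. Since `feedback` is only ever moved into `StdFuzzer::new` in a later hunk, drop `mut` from both `let`s and put a note on the gated one: `// with the systemstate feature the base feedback is wrapped so the systrace dump is evaluated first`. The `with_dump(None)` argument would also merit a short comment saying what `None` means for the dump, which the page does not show.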
|
||||||
@ -227,15 +239,23 @@ pub fn fuzz() {
|
|||||||
|
|
||||||
// A fuzzer with feedbacks and a corpus scheduler
|
// A fuzzer with feedbacks and a corpus scheduler
|
||||||
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);
|
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);
|
||||||
let mut hooks = QemuHooks::new(&emu,
|
let qhelpers = tuple_list!(
|
||||||
tuple_list!(QemuEdgeCoverageHelper::default(),QemuStateRestoreHelper::new(),
|
QemuEdgeCoverageHelper::default(),
|
||||||
QemuSystemStateHelper::new(svh,curr_tcb_pointer,task_queue_addr,input_counter_ptr,app_range.clone())));
|
QemuStateRestoreHelper::new());
|
||||||
|
#[cfg(feature = "systemstate")]
|
||||||
|
let qhelpers = tuple_list!(qhelpers,
|
||||||
|
QemuSystemStateHelper::new(svh,curr_tcb_pointer,task_queue_addr,input_counter_ptr,app_range.clone()));
|
||||||
|
let mut hooks = QemuHooks::new(&emu,qhelpers);
|
||||||
|
|
||||||
|
let observer_list = tuple_list!(edges_observer, clock_time_observer);
|
||||||
|
#[cfg(feature = "systemstate")]
|
||||||
|
let observer_list = tuple_list!(observer_list ,systemstate_observer);
|
||||||
|
|
||||||
// Create a QEMU in-process executor
|
// Create a QEMU in-process executor
|
||||||
let executor = QemuExecutor::new(
|
let executor = QemuExecutor::new(
|
||||||
&mut hooks,
|
&mut hooks,
|
||||||
&mut harness,
|
&mut harness,
|
||||||
tuple_list!(edges_observer, clock_time_observer, systemstate_observer),
|
observer_list,
|
||||||
&mut fuzzer,
|
&mut fuzzer,
|
||||||
&mut state,
|
&mut state,
|
||||||
&mut mgr,
|
&mut mgr,
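Review bot: `let qhelpers = tuple_list!(qhelpers, QemuSystemStateHelper::new(...))` and `let observer_list = tuple_list!(observer_list, systemstate_observer)` nest the previous list as the head element rather than appending to it: `tuple_list!(a, b)` expands to `(a, (b, ()))`, so the result is `((Edge, (Restore, ())), (SystemState, ()))`, whose head is a tuple list and not a `QemuHelper`/`Observer`; unless the project has a blanket impl for that shape, the feature-enabled build fails at `QemuHooks::new` and `QemuExecutor::new`. The straightforward fix is to build each flat list under `#[cfg]`/`#[cfg(not(...))]` as below (if the LibAFL version in use provides `Merge` in `libafl::bolts::tuples`, `qhelpers.merge(tuple_list!(...))` is the shorter alternative). Also confirm that the `systemstate_observer` binding, declared outside this hunk, is gated the same way, otherwise it is an unused value when the feature is off.
```rust
    // … unchanged: StdFuzzer::new …
    #[cfg(not(feature = "systemstate"))]
    let qhelpers = tuple_list!(QemuEdgeCoverageHelper::default(), QemuStateRestoreHelper::new());
    #[cfg(feature = "systemstate")]
    let qhelpers = tuple_list!(
        QemuEdgeCoverageHelper::default(),
        QemuStateRestoreHelper::new(),
        QemuSystemStateHelper::new(svh, curr_tcb_pointer, task_queue_addr, input_counter_ptr, app_range.clone())
    );
    let mut hooks = QemuHooks::new(&emu, qhelpers);

    #[cfg(not(feature = "systemstate"))]
    let observer_list = tuple_list!(edges_observer, clock_time_observer);
    #[cfg(feature = "systemstate")]
    let observer_list = tuple_list!(edges_observer, clock_time_observer, systemstate_observer);
    // … unchanged: QemuExecutor::new …
```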
|
||||||
@ -273,9 +293,33 @@ pub fn fuzz() {
|
|||||||
println!("We imported {} inputs from disk.", state.corpus().count());
|
println!("We imported {} inputs from disk.", state.corpus().count());
|
||||||
}
|
}
|
||||||
|
|
||||||
fuzzer
|
match env::var("FUZZ_ITERS") {
|
||||||
.fuzz_loop(&mut stages, &mut executor, &mut state, &mut mgr)
|
Err(_) => {
|
||||||
.unwrap();
|
fuzzer
|
||||||
|
.fuzz_loop(&mut stages, &mut executor, &mut state, &mut mgr)
|
||||||
|
.unwrap();
|
||||||
|
},
|
||||||
|
Ok(t) => {
|
||||||
|
println!("Iterations {}",t);
|
||||||
|
let num = str::parse::<u64>(&t).expect("FUZZ_ITERS was not a number");
|
||||||
|
fuzzer
|
||||||
|
.fuzz_loop_for(&mut stages, &mut executor, &mut state, &mut mgr, num)
|
||||||
|
.unwrap();
|
||||||
|
let mut strbuf = String::new();
|
||||||
|
|
||||||
|
unsafe {
|
||||||
|
for i in ICOUNT_HISTORY.iter() {
|
||||||
|
strbuf.push_str(&format!("{}\n",i));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
match env::var("TIME_DUMP") {
|
||||||
|
Err(_) => (),
|
||||||
|
Ok(td) => {
|
||||||
|
fs::write(td, strbuf).expect("could not write time dump");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
}
|
||||||
}
|
}
|
||||||
#[cfg(not(feature = "singlecore"))]
|
#[cfg(not(feature = "singlecore"))]
|
||||||
Ok(())
|
Ok(())
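Review bot: `TIME_DUMP` is silently ignored whenever `FUZZ_ITERS` is unset: the dump lives only in the `Ok(t)` arm, and the `Err(_)` arm's `fuzz_loop` does not return normally, so a user who sets only `TIME_DUMP` gets no file and no message. That should be documented where the variable is read, and the dump itself can be tightened: `match env::var("TIME_DUMP") { Err(_) => (), Ok(td) => ... }` is an `if let`, the `unsafe` read of `ICOUNT_HISTORY` needs a `// SAFETY:` comment, `strbuf.push_str(&format!("{}\n", i))` in a loop is a `collect::<String>()`, and `fs::write(td, strbuf).expect(...)` loses both the path and the OS error. `str::parse::<u64>(&t)` a few lines up is conventionally written `t.parse::<u64>()`, and the `println!("Iterations {}", t)` would read better after the parse succeeds. The enclosing `fuzz()` function begins outside this hunk.
```rust
            // … unchanged: fuzz_loop_for call …
            // TIME_DUMP is only honoured in this bounded branch: the unbounded
            // fuzz_loop above never returns normally, so nothing is written there.
            if let Ok(td) = env::var("TIME_DUMP") {
                // SAFETY: the fuzz loop has returned, so no executor is running and
                // nothing else touches ICOUNT_HISTORY now — confirm for the multi-core build.
                let dump: String = unsafe { ICOUNT_HISTORY.iter() }
                    .map(|i| format!("{}\n", i))
                    .collect();
                fs::write(&td, dump)
                    .unwrap_or_else(|e| panic!("could not write time dump to {}: {}", td, e));
            }
```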
|
||||||
|