Add found_objectives metadata (#2093)

* try * add stuff * clp * Move to counter, remove penalization * fix * even milder * fix * clp * no score --------- Co-authored-by: Dominik Maier <dmnk@google.com>
2024-05-03 16:37:05 +02:00 · 2024-05-03 16:37:05 +02:00 · f75c5ff4d3
commit f75c5ff4d3
parent 7fe0c576db
4 changed files with 44 additions and 16 deletions
--- a/libafl/src/corpus/testcase.rs
+++ b/libafl/src/corpus/testcase.rs
@ -65,6 +65,8 @@ where
    parent_id: Option<CorpusId>,
    /// If the testcase is "disabled"
    disabled: bool,
+    /// has found crash (or timeout) or not
+    objectives_found: usize,
 }

 impl<I> HasMetadata for Testcase<I>
@ -227,6 +229,7 @@ where
            scheduled_count: 0,
            parent_id: None,
            disabled: false,
+            objectives_found: 0,
        }
    }

@ -248,6 +251,7 @@ where
            scheduled_count: 0,
            parent_id: Some(parent_id),
            disabled: false,
+            objectives_found: 0,
        }
    }

@ -269,6 +273,7 @@ where
            scheduled_count: 0,
            parent_id: None,
            disabled: false,
+            objectives_found: 0,
        }
    }

@ -290,6 +295,7 @@ where
            scheduled_count: 0,
            parent_id: None,
            disabled: false,
+            objectives_found: 0,
        }
    }

@ -308,6 +314,16 @@ where
    pub fn set_parent_id_optional(&mut self, parent_id: Option<CorpusId>) {
        self.parent_id = parent_id;
    }
+
+    /// Gets how many objectives were found by mutating this testcase
+    pub fn objectives_found(&self) -> usize {
+        self.objectives_found
+    }
+
+    /// Adds one objectives to the `objectives_found` counter. Mostly called from crash handler or executor.
+    pub fn found_objective(&mut self) {
+        let _ = self.objectives_found.saturating_add(1);
+    }
 }

 impl<I> Default for Testcase<I>
@ -331,6 +347,7 @@ where
            #[cfg(feature = "std")]
            metadata_path: None,
            disabled: false,
+            objectives_found: 0,
        }
    }
 }
--- a/libafl/src/executors/inprocess/mod.rs
+++ b/libafl/src/executors/inprocess/mod.rs
@ -32,7 +32,7 @@ use crate::{
    fuzzer::HasObjective,
    inputs::UsesInput,
    observers::{ObserversTuple, UsesObservers},
-    state::{HasCorpus, HasExecutions, HasSolutions, State, UsesState},
+    state::{HasCorpus, HasCurrentTestcase, HasExecutions, HasSolutions, State, UsesState},
    Error, HasMetadata,
 };

@ -454,6 +454,11 @@ pub fn run_observers_and_save_state<E, EM, OF, Z>(
        let mut new_testcase = Testcase::with_executions(input.clone(), executions);
        new_testcase.add_metadata(exitkind);
        new_testcase.set_parent_id_optional(*state.corpus().current());
+
+        if let Ok(mut tc) = state.current_testcase_mut() {
+            tc.found_objective();
+        }
+
        fuzzer
            .objective_mut()
            .append_metadata(state, event_mgr, &*observers, &mut new_testcase)
--- a/libafl/src/fuzzer/mod.rs
+++ b/libafl/src/fuzzer/mod.rs
@ -17,7 +17,10 @@ use crate::{
    schedulers::Scheduler,
    stages::{HasCurrentStage, StagesTuple},
    start_timer,
-    state::{HasCorpus, HasExecutions, HasImported, HasLastReportTime, HasSolutions, UsesState},
+    state::{
+        HasCorpus, HasCurrentTestcase, HasExecutions, HasImported, HasLastReportTime, HasSolutions,
+        UsesState,
+    },
    Error, HasMetadata,
 };
 #[cfg(feature = "introspection")]
@ -360,7 +363,13 @@ where
    F: Feedback<CS::State>,
    OF: Feedback<CS::State>,
    OT: ObserversTuple<CS::State> + Serialize + DeserializeOwned,
-    CS::State: HasCorpus + HasSolutions + HasExecutions + HasCorpus + HasImported,
+    CS::State: HasCorpus
+        + HasSolutions
+        + HasExecutions
+        + HasCorpus
+        + HasImported
+        + HasCurrentTestcase<<Self::State as UsesInput>::Input>
+        + HasCurrentCorpusIdx,
 {
    fn execute_no_process<EM>(
        &mut self,
@ -495,6 +504,9 @@ where
                // The input is a solution, add it to the respective corpus
                let mut testcase = Testcase::with_executions(input, executions);
                testcase.set_parent_id_optional(*state.corpus().current());
+                if let Ok(mut tc) = state.current_testcase_mut() {
+                    tc.found_objective();
+                }
                self.objective_mut()
                    .append_metadata(state, manager, observers, &mut testcase)?;
                state.solutions_mut().add(testcase)?;
--- a/libafl/src/schedulers/testcase_score.rs
+++ b/libafl/src/schedulers/testcase_score.rs
@ -303,21 +303,15 @@ where

        let q_bitmap_size = tcmeta.bitmap_size() as f64;

-        if let Some(strat) = psmeta.strat() {
-            match strat {
-                PowerSchedule::FAST
-                | PowerSchedule::COE
-                | PowerSchedule::LIN
-                | PowerSchedule::QUAD => {
+        if let Some(
+            PowerSchedule::FAST | PowerSchedule::COE | PowerSchedule::LIN | PowerSchedule::QUAD,
+        ) = psmeta.strat()
+        {
            let hits = psmeta.n_fuzz()[tcmeta.n_fuzz_entry()];
            if hits > 0 {
                weight /= libm::log10(f64::from(hits)) + 1.0;
            }
        }
-                // EXPLORE and EXPLOIT fall into this
-                _ => {}
-            }
-        }

        weight *= avg_exec_us / q_exec_us;
        weight *= libm::log2(q_bitmap_size).max(1.0) / avg_bitmap_size;