cva6 tracelog

IntelLabs · Aug 5, 2024 · 50e5522 · 50e5522
1 parent 23b813f
commit 50e5522
Show file tree

Hide file tree

Showing 3 changed files with 272 additions and 31 deletions.
diff --git a/fuzzers/cva6-vcs-processorfuzz/src/differential.rs b/fuzzers/cva6-vcs-processorfuzz/src/differential.rs
@@ -28,6 +28,10 @@ use libafl::{
 #[cfg(feature = "debug")]
 use color_print::cprintln;
 
+use libafl::HasFeedback;
+use libafl::feedbacks::Feedback;
+use libafl::prelude::EventFirer;
+
 /// A [`DiffExecutor`] wraps a primary executor, forwarding its methods, and a secondary one
 #[derive(Debug)]
 pub struct DiffExecutor<A, B, OTA, OTB, DOT> {
@@ -72,9 +76,9 @@ impl<A, B, EM, DOT, Z> Executor<EM, Z> for DiffExecutor<A, B, A::Observers, B::O
 where
     A: Executor<EM, Z> + HasObservers,
     B: Executor<EM, Z, State = A::State> + HasObservers,
-    EM: UsesState<State = A::State>,
+    EM: UsesState<State = A::State> + EventFirer,
     DOT: DifferentialObserversTuple<A::Observers, B::Observers, A::State>,
-    Z: UsesState<State = A::State>,
+    Z: UsesState<State = A::State> + HasFeedback,
 {
     fn run_target(
         &mut self,
@@ -106,6 +110,16 @@ where
         observers
             .differential
             .post_observe_first_all(observers.primary.as_mut())?;
+
+        // Skip second executor if first does not report interesting coverage
+        let is_corpus = fuzzer
+            .feedback_mut()
+            .is_interesting(state, mgr, input, observers, &ret1);
+
+        if is_corpus.is_ok() && is_corpus.unwrap() == False {
+            return Ok(ret1);
+        }
+
         observers
             .differential
             .pre_observe_second_all(observers.secondary.as_mut())?;

diff --git a/fuzzers/cva6-vcs-processorfuzz/src/main.rs b/fuzzers/cva6-vcs-processorfuzz/src/main.rs
@@ -66,6 +66,9 @@ use libpresifuzz_observers::verdi_xml_observer::VerdiCoverageMetric;
 use libpresifuzz_observers::verdi_xml_observer::VerdiCoverageMetric::*;
 use libpresifuzz_observers::verdi_xml_observer::VerdiXMLMapObserver;
 
+use libpresifuzz_observers::trace_observer::ExecTraceObserver;
+use libpresifuzz_observers::trace_observer::ProcessorFuzzExecTraceObserver;
+
 pub mod simv;
 use crate::simv::SimvCommandConfigurator;
 
@@ -206,8 +209,8 @@ pub fn fuzz() {
             SimvCommandConfigurator::new_from_config_file("config.yml", workdir, &mut [], "", 1);
 
         std::env::set_current_dir(&workdir).expect("Unable to change into {dir}");
-        let mut spike_trace_observer = ExecTraceObserver::<ProcessorfuzzExecTraceObserver>::new("spike_exec_trace_observer", "./spike.log");
-        let mut rocket_trace_observer = ExecTraceObserver::<CVA6ExecTraceObserver>::new("cva6_exec_trace_observer", "./cva6.log");
+        let mut spike_trace_observer = ExecTraceObserver::<ProcessoFuzzExecTraceObserver>::new("spike_exec_trace_observer", "./spike.log");
+        let mut cva6_trace_observer = ExecTraceObserver::<CVA6ExecTraceObserver>::new("cva6_exec_trace_observer", "./cva6.log");
 
         let mut objective = differential_feedback::DifferentialFeedback::new_with_observer(
             "spike_exec_trace_observer",
@@ -216,10 +219,8 @@ pub fn fuzz() {
         );
 
         let processorfuzz_feedback = ProcessorFuzzFeedback::new("spike_exec_trace_observer");
-        let mut feedback = feedback_or!(
-            processorfuzz_feedback,
-        );
-
+        let feedback = processorfuzz_feedback;
+
         // Instantiate State with feedback, objective, in/out corpus
         let mut state = StdState::new(
             StdRand::with_seed(current_nanos()),
@@ -244,6 +245,7 @@ pub fn fuzz() {
             spike.into_executor(tuple_list!()),
             simv.into_executor(tuple_list!()),
             tuple_list!(spike_trace_observer, rocket_trace_observer),
+            processorfuzz_feedback
         );
 
         let corpus_dir = PathBuf::from(corpus_dir.to_string());