Add avoid_crash option to scheduler (#2530)

tokatoka · web-flow · commit 5b7d307a6a63 · 2024-09-18T17:57:40.000+02:00
* chg

* add avoid_crash

* a

* clp

* just use .00 at this point

* libafl-fuzz chg
diff --git a/fuzzers/fuzzbench/fuzzbench/src/lib.rs b/fuzzers/fuzzbench/fuzzbench/src/lib.rs
@@ -310,7 +310,11 @@ fn fuzz(
     // A minimization+queue policy to get testcasess from the corpus
     let scheduler = IndexesLenTimeMinimizerScheduler::new(
         &edges_observer,
-        StdWeightedScheduler::with_schedule(&mut state, &edges_observer, Some(PowerSchedule::FAST)),
+        StdWeightedScheduler::with_schedule(
+            &mut state,
+            &edges_observer,
+            Some(PowerSchedule::fast()),
+        ),
     );
 
     // A fuzzer with feedbacks and a corpus scheduler
diff --git a/fuzzers/fuzzbench/fuzzbench_ctx/src/lib.rs b/fuzzers/fuzzbench/fuzzbench_ctx/src/lib.rs
@@ -320,7 +320,11 @@ fn fuzz(
     // A minimization+queue policy to get testcasess from the corpus
     let scheduler = IndexesLenTimeMinimizerScheduler::new(
         &edges_observer,
-        StdWeightedScheduler::with_schedule(&mut state, &edges_observer, Some(PowerSchedule::FAST)),
+        StdWeightedScheduler::with_schedule(
+            &mut state,
+            &edges_observer,
+            Some(PowerSchedule::fast()),
+        ),
     );
 
     // A fuzzer with feedbacks and a corpus scheduler
diff --git a/fuzzers/fuzzbench/fuzzbench_fork_qemu/src/fuzzer.rs b/fuzzers/fuzzbench/fuzzbench_fork_qemu/src/fuzzer.rs
@@ -313,7 +313,7 @@ fn fuzz(
     // A minimization+queue policy to get testcasess from the corpus
     let scheduler = IndexesLenTimeMinimizerScheduler::new(
         &edges_observer,
-        PowerQueueScheduler::new(&mut state, &edges_observer, PowerSchedule::FAST),
+        PowerQueueScheduler::new(&mut state, &edges_observer, PowerSchedule::fast()),
     );
 
     // A fuzzer with feedbacks and a corpus scheduler
diff --git a/fuzzers/fuzzbench/fuzzbench_forkserver/src/main.rs b/fuzzers/fuzzbench/fuzzbench_forkserver/src/main.rs
@@ -308,7 +308,7 @@ fn fuzz(
         StdWeightedScheduler::with_schedule(
             &mut state,
             &edges_observer,
-            Some(PowerSchedule::EXPLORE),
+            Some(PowerSchedule::explore()),
         ),
     );
 
diff --git a/fuzzers/fuzzbench/fuzzbench_forkserver_cmplog/src/main.rs b/fuzzers/fuzzbench/fuzzbench_forkserver_cmplog/src/main.rs
@@ -309,7 +309,7 @@ fn fuzz(
         StdWeightedScheduler::with_schedule(
             &mut state,
             &edges_observer,
-            Some(PowerSchedule::EXPLORE),
+            Some(PowerSchedule::explore()),
         ),
     );
 
diff --git a/fuzzers/fuzzbench/fuzzbench_qemu/src/fuzzer.rs b/fuzzers/fuzzbench/fuzzbench_qemu/src/fuzzer.rs
@@ -319,7 +319,7 @@ fn fuzz(
     // A minimization+queue policy to get testcasess from the corpus
     let scheduler = IndexesLenTimeMinimizerScheduler::new(
         &edges_observer,
-        PowerQueueScheduler::new(&mut state, &edges_observer, PowerSchedule::FAST),
+        PowerQueueScheduler::new(&mut state, &edges_observer, PowerSchedule::fast()),
     );
 
     // A fuzzer with feedbacks and a corpus scheduler
diff --git a/fuzzers/fuzzbench/fuzzbench_text/src/lib.rs b/fuzzers/fuzzbench/fuzzbench_text/src/lib.rs
@@ -380,7 +380,7 @@ fn fuzz_binary(
         StdWeightedScheduler::with_schedule(
             &mut state,
             &edges_observer,
-            Some(PowerSchedule::EXPLORE),
+            Some(PowerSchedule::explore()),
         ),
     );
 
@@ -605,7 +605,7 @@ fn fuzz_text(
         StdWeightedScheduler::with_schedule(
             &mut state,
             &edges_observer,
-            Some(PowerSchedule::EXPLORE),
+            Some(PowerSchedule::explore()),
         ),
     );
 
diff --git a/fuzzers/libpng/libfuzzer_libpng/src/lib.rs b/fuzzers/libpng/libfuzzer_libpng/src/lib.rs
@@ -149,7 +149,11 @@ fn fuzz(corpus_dirs: &[PathBuf], objective_dir: PathBuf, broker_port: u16) -> Re
     // A minimization+queue policy to get testcasess from the corpus
     let scheduler = IndexesLenTimeMinimizerScheduler::new(
         &edges_observer,
-        StdWeightedScheduler::with_schedule(&mut state, &edges_observer, Some(PowerSchedule::FAST)),
+        StdWeightedScheduler::with_schedule(
+            &mut state,
+            &edges_observer,
+            Some(PowerSchedule::fast()),
+        ),
     );
 
     // A fuzzer with feedbacks and a corpus scheduler
diff --git a/fuzzers/libpng/libfuzzer_libpng_cmin/src/lib.rs b/fuzzers/libpng/libfuzzer_libpng_cmin/src/lib.rs
@@ -149,7 +149,11 @@ fn fuzz(corpus_dirs: &[PathBuf], objective_dir: PathBuf, broker_port: u16) -> Re
     // A minimization+queue policy to get testcasess from the corpus
     let scheduler = IndexesLenTimeMinimizerScheduler::new(
         &edges_observer,
-        StdWeightedScheduler::with_schedule(&mut state, &edges_observer, Some(PowerSchedule::FAST)),
+        StdWeightedScheduler::with_schedule(
+            &mut state,
+            &edges_observer,
+            Some(PowerSchedule::fast()),
+        ),
     );
 
     // A fuzzer with feedbacks and a corpus scheduler
diff --git a/fuzzers/libpng/libfuzzer_libpng_tcp_manager/src/lib.rs b/fuzzers/libpng/libfuzzer_libpng_tcp_manager/src/lib.rs
@@ -147,7 +147,11 @@ fn fuzz(corpus_dirs: &[PathBuf], objective_dir: PathBuf, broker_port: u16) -> Re
     // A minimization+queue policy to get testcasess from the corpus
     let scheduler = IndexesLenTimeMinimizerScheduler::new(
         &edges_observer,
-        StdWeightedScheduler::with_schedule(&mut state, &edges_observer, Some(PowerSchedule::FAST)),
+        StdWeightedScheduler::with_schedule(
+            &mut state,
+            &edges_observer,
+            Some(PowerSchedule::fast()),
+        ),
     );
 
     // A fuzzer with feedbacks and a corpus scheduler
diff --git a/fuzzers/others/dynamic_analysis/src/lib.rs b/fuzzers/others/dynamic_analysis/src/lib.rs
@@ -316,7 +316,11 @@ fn fuzz(
     // A minimization+queue policy to get testcasess from the corpus
     let scheduler = IndexesLenTimeMinimizerScheduler::new(
         &edges_observer,
-        StdWeightedScheduler::with_schedule(&mut state, &edges_observer, Some(PowerSchedule::FAST)),
+        StdWeightedScheduler::with_schedule(
+            &mut state,
+            &edges_observer,
+            Some(PowerSchedule::fast()),
+        ),
     );
 
     // A fuzzer with feedbacks and a corpus scheduler
diff --git a/fuzzers/others/libafl-fuzz/src/fuzzer.rs b/fuzzers/others/libafl-fuzz/src/fuzzer.rs
@@ -16,8 +16,8 @@ use libafl::{
     },
     observers::{CanTrack, HitcountsMapObserver, StdMapObserver, TimeObserver},
     schedulers::{
-        powersched::PowerSchedule, IndexesLenTimeMinimizerScheduler, QueueScheduler,
-        StdWeightedScheduler,
+        powersched::{BaseSchedule, PowerSchedule},
+        IndexesLenTimeMinimizerScheduler, QueueScheduler, StdWeightedScheduler,
     },
     stages::{
         mutational::MultiMutationalStage, CalibrationStage, ColorizationStage, IfStage,
@@ -185,7 +185,7 @@ where
         )
     };
     let mutational_stage = TimeTrackingStageWrapper::<FuzzTime, _, _>::new(inner_mutational_stage);
-    let strategy = opt.power_schedule.unwrap_or(PowerSchedule::EXPLORE);
+    let strategy = opt.power_schedule.unwrap_or(BaseSchedule::EXPLORE);
 
     // Create our ColorizationStage
     let colorization = ColorizationStage::new(&edges_observer);
@@ -197,8 +197,9 @@ where
     if opt.sequential_queue {
         scheduler = SupportedSchedulers::Queue(QueueScheduler::new(), PhantomData);
     } else {
+        let ps = PowerSchedule::new(strategy);
         let mut weighted_scheduler =
-            StdWeightedScheduler::with_schedule(&mut state, &edges_observer, Some(strategy));
+            StdWeightedScheduler::with_schedule(&mut state, &edges_observer, Some(ps));
         if opt.cycle_schedules {
             weighted_scheduler = weighted_scheduler.cycling_scheduler();
         }
diff --git a/fuzzers/others/libafl-fuzz/src/hooks.rs b/fuzzers/others/libafl-fuzz/src/hooks.rs
@@ -10,12 +10,6 @@ pub struct LibAflFuzzEventHook {
     exit_on_solution: bool,
 }
 
-impl LibAflFuzzEventHook {
-    pub fn new(exit_on_solution: bool) -> Self {
-        Self { exit_on_solution }
-    }
-}
-
 impl<S> EventManagerHook<S> for LibAflFuzzEventHook
 where
     S: State + Stoppable,
diff --git a/fuzzers/others/libafl-fuzz/src/main.rs b/fuzzers/others/libafl-fuzz/src/main.rs
@@ -25,7 +25,7 @@ use fuzzer::run_client;
 use libafl::{
     events::{CentralizedLauncher, EventConfig},
     monitors::MultiMonitor,
-    schedulers::powersched::PowerSchedule,
+    schedulers::powersched::BaseSchedule,
     Error,
 };
 use libafl_bolts::{
@@ -126,7 +126,7 @@ struct Opt {
     rng_seed: Option<u64>,
     /// power schedules compute a seed's performance score: explore(default), fast, exploit, seek, rare, mmopt, coe, lin
     #[arg(short = 'p')]
-    power_schedule: Option<PowerSchedule>,
+    power_schedule: Option<BaseSchedule>,
     /// enable `CmpLog` by specifying a binary compiled for it.
     #[arg(short = 'c')]
     cmplog: Option<String>,
diff --git a/fuzzers/others/libfuzzer_windows_asan/src/lib.rs b/fuzzers/others/libfuzzer_windows_asan/src/lib.rs
@@ -114,7 +114,11 @@ fn fuzz(corpus_dirs: &[PathBuf], objective_dir: PathBuf, broker_port: u16) -> Re
     // A minimization+queue policy to get testcasess from the corpus
     let scheduler = IndexesLenTimeMinimizerScheduler::new(
         &edges_observer,
-        StdWeightedScheduler::with_schedule(&mut state, &edges_observer, Some(PowerSchedule::FAST)),
+        StdWeightedScheduler::with_schedule(
+            &mut state,
+            &edges_observer,
+            Some(PowerSchedule::fast()),
+        ),
     );
 
     // A fuzzer with feedbacks and a corpus scheduler
diff --git a/fuzzers/others/tutorial/src/lib.rs b/fuzzers/others/tutorial/src/lib.rs
@@ -135,7 +135,7 @@ fn fuzz(corpus_dirs: &[PathBuf], objective_dir: PathBuf, broker_port: u16) -> Re
     // A minimization+queue policy to get testcasess from the corpus
     let scheduler = PacketLenMinimizerScheduler::new(
         &edges_observer,
-        PowerQueueScheduler::new(&mut state, &edges_observer, PowerSchedule::FAST),
+        PowerQueueScheduler::new(&mut state, &edges_observer, PowerSchedule::fast()),
     );
 
     // A fuzzer with feedbacks and a corpus scheduler
diff --git a/fuzzers/qemu/qemu_launcher/src/instance.rs b/fuzzers/qemu/qemu_launcher/src/instance.rs
@@ -127,7 +127,7 @@ impl<'a, M: Monitor> Instance<'a, M> {
         // A minimization+queue policy to get testcasess from the corpus
         let scheduler = IndexesLenTimeMinimizerScheduler::new(
             &edges_observer,
-            PowerQueueScheduler::new(&mut state, &edges_observer, PowerSchedule::FAST),
+            PowerQueueScheduler::new(&mut state, &edges_observer, PowerSchedule::fast()),
         );
 
         let observers = tuple_list!(edges_observer, time_observer);
diff --git a/libafl/src/schedulers/powersched.rs b/libafl/src/schedulers/powersched.rs
@@ -155,10 +155,104 @@ impl SchedulerMetadata {
     }
 }
 
+/// The struct for the powerschedule algorithm
+#[derive(Debug, Clone, Serialize, Deserialize, Copy)]
+pub struct PowerSchedule {
+    base: BaseSchedule,
+    avoid_crash: bool,
+}
+
+impl PowerSchedule {
+    #[must_use]
+    /// Constructor
+    pub fn new(base: BaseSchedule) -> Self {
+        Self {
+            base,
+            avoid_crash: false,
+        }
+    }
+
+    /// Use `explore` power schedule
+    #[must_use]
+    pub fn explore() -> Self {
+        Self {
+            base: BaseSchedule::EXPLORE,
+            avoid_crash: false,
+        }
+    }
+
+    /// Use `exploit` power schedule
+    #[must_use]
+    pub fn exploit() -> Self {
+        Self {
+            base: BaseSchedule::EXPLOIT,
+            avoid_crash: false,
+        }
+    }
+
+    /// Use `fast` power schedule
+    #[must_use]
+    pub fn fast() -> Self {
+        Self {
+            base: BaseSchedule::FAST,
+            avoid_crash: false,
+        }
+    }
+
+    /// Use `coe` power schedule
+    #[must_use]
+    pub fn coe() -> Self {
+        Self {
+            base: BaseSchedule::COE,
+            avoid_crash: false,
+        }
+    }
+
+    /// Use `lin` power schedule
+    #[must_use]
+    pub fn lin() -> Self {
+        Self {
+            base: BaseSchedule::LIN,
+            avoid_crash: false,
+        }
+    }
+
+    /// Use `quad` power schedule
+    #[must_use]
+    pub fn quad() -> Self {
+        Self {
+            base: BaseSchedule::QUAD,
+            avoid_crash: false,
+        }
+    }
+
+    /// Getter to `avoid_crash`
+    #[must_use]
+    pub fn avoid_crash(&self) -> bool {
+        self.avoid_crash
+    }
+
+    /// Avoid scheduling testcases that caused crashes
+    pub fn set_avoid_crash(&mut self) {
+        self.avoid_crash = true;
+    }
+
+    /// Getter to the base scheduler
+    #[must_use]
+    pub fn base(&self) -> &BaseSchedule {
+        &self.base
+    }
+
+    /// Setter to the base scheduler
+    pub fn set_base(&mut self, base: BaseSchedule) {
+        self.base = base;
+    }
+}
+
 /// The power schedule to use
 #[derive(Serialize, Deserialize, Clone, Copy, Debug, PartialEq, Eq)]
 #[cfg_attr(feature = "clap", derive(clap::ValueEnum))]
-pub enum PowerSchedule {
+pub enum BaseSchedule {
     /// The `explore` power schedule
     EXPLORE,
     /// The `exploit` power schedule
diff --git a/libafl/src/schedulers/testcase_score.rs b/libafl/src/schedulers/testcase_score.rs
diff --git a/libafl/src/schedulers/weighted.rs b/libafl/src/schedulers/weighted.rs
diff --git a/libafl_libfuzzer/runtime/src/lib.rs b/libafl_libfuzzer/runtime/src/lib.rs
