@@ -12,11 +12,16 @@ is desired.
1212 - [ Using Snapshots] ( #using-snapshots )
1313 - [ Using CMPLog] ( #using-cmplog )
1414 - [ Set Corpus and Solutions Directory] ( #set-corpus-and-solutions-directory )
15+ - [ Enable and Set the Checkpoint Path] ( #enable-and-set-the-checkpoint-path )
1516 - [ Enable Random Corpus Generation] ( #enable-random-corpus-generation )
1617 - [ Set an Iteration Limit] ( #set-an-iteration-limit )
1718 - [ Adding Tokens From Target Software] ( #adding-tokens-from-target-software )
1819 - [ Setting an Architecture Hint] ( #setting-an-architecture-hint )
1920 - [ Adding a Trace Processor] ( #adding-a-trace-processor )
21+ - [ Disabling Coverage Reporting] ( #disabling-coverage-reporting )
22+ - [ Enable Logging and Set Log path] ( #enable-logging-and-set-log-path )
23+ - [ Keep All Corpus Entries] ( #keep-all-corpus-entries )
24+ - [ Use Initial Buffer Contents As Corpus] ( #use-initial-buffer-contents-as-corpus )
2025
2126## Solution Configuration
2227
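Review bot: the new entry `Enable Logging and Set Log path` breaks the title-case convention of the surrounding entries (`Set Corpus and Solutions Directory`, `Keep All Corpus Entries`, `Use Initial Buffer Contents As Corpus`); capitalize `Path` in both this list item and the matching heading. The anchor `#enable-logging-and-set-log-path` stays valid either way, since slugs are lower-cased.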
@@ -36,6 +41,18 @@ Note that this timeout is in virtual time, not real time. This means that whethe
3641simulation runs faster or slower than real time, the timeout will be accurate to the
3742target software's execution speed.
3843
44+ The fuzzing executor also has a timeout, which runs in real time. This timeout
45+ is intended to detect situations where the fuzzer reaches a broken state where
46+ it is no longer able to iterate (e.g. the virtual time timeout is not working)
47+ and stop. By default, this timeout is set to 60 seconds and resets each
48+ iteration. Only iterations which take more than 60 seconds will trigger the
49+ timeout, but some very large fuzzing cases could exceed this time. To increase
50+ it, for example to set the timeout to 10 minutes:
51+
52+ ``` python
53+ @tsffs.executor_timeout = 600
54+ ```
55+
3956### Setting Exception Solutions
4057
4158The primary way TSFFS detects bugs is via CPU exceptions that are raised, but should not
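Review bot: in the new executor-timeout paragraph, "detect situations where the fuzzer reaches a broken state where it is no longer able to iterate (e.g. the virtual time timeout is not working) and stop" leaves "and stop" dangling; suggest "... is no longer able to iterate (for example, when the virtual-time timeout is not taking effect), and to stop the run when that happens." The lead-in to the snippet should also state the unit, e.g. "to set the timeout to 10 minutes (600 seconds):", since nothing in the example tells the reader that `executor_timeout` is in seconds. A sentence on what actually happens when the timeout fires (does the fuzzer exit, or log and continue?) would complete the paragraph, which currently only says "and stop".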
@@ -163,7 +180,25 @@ changed with:
163180
164181
165182``` python
166- tsffs.solutions_directory = SIM_lookup_file(" %s imics%/other_solutions_directory" )
183+ @tsffs.solutions_directory = SIM_lookup_file("%simics%/other_solutions_directory")
184+ ```
185+
186+ ### Enable and Set the Checkpoint Path
187+
188+ The fuzzer captures an on-disk checkpoint before starting fuzzing by default. On Simics
189+ 7 and higher, this increases the snapshot restore speed very significantly, so it should
190+ only be disabled if required.
191+
192+ To disable this behavior, you can set:
193+
194+ ``` python
195+ @tsffs.pre_snapshot_checkpoint = False
196+ ```
197+
198+ To set the path for the checkpoint, you can set:
199+
200+ ``` python
201+ @tsffs.checkpoint_path = SIM_lookup_file("%simics%") + "/checkpoint.ckpt"
167202```
168203
169204### Enable Random Corpus Generation
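Review bot: the heading `Enable and Set the Checkpoint Path` (and its contents-list entry) does not match the body, which says the checkpoint is taken by default and then shows only how to disable it with `pre_snapshot_checkpoint = False` and how to set `checkpoint_path`; consider `Configure the Pre-Snapshot Checkpoint` or similar. The body should also state what `checkpoint_path` defaults to when it is not set, and whether the on-disk checkpoint is removed after the run, since an on-disk artifact in the project directory is something users will want to know about. The fix to the `solutions_directory` example is good: the old `" %s imics%/other_solutions_directory"` was not a valid `%simics%` path.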
@@ -182,6 +217,14 @@ This can be enabled with:
182217@tsffs.generate_random_corpus = True
183218```
184219
220+ The size of the initial random corpus can be set via (note, larger random corpuses are
221+ generally not useful and a real corpus matching the expected data format should be used
222+ instead!):
223+
224+ ``` python
225+ @tsffs.initial_random_corpus_size = 64
226+ ```
227+
185228### Set an Iteration Limit
186229
187230The fuzzer can be set to execute only a specific number of iterations before exiting.
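Review bot: the parenthetical in "The size of the initial random corpus can be set via (note, larger random corpuses are generally not useful ... instead!):" separates the lead-in from its code block and uses "corpuses" where the rest of the document says "corpus"; suggest "The size of the initial random corpus can be set with:" followed by the snippet, then the advice as its own sentence: "Larger random corpora are generally not useful; a real corpus matching the expected data format should be used instead." The example should also say what `initial_random_corpus_size = 64` counts (number of entries, or bytes per entry), as the value alone is ambiguous.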
@@ -249,7 +292,7 @@ running `i386` code in backward-compatibility mode.
249292An architecture hint can be set with:
250293
251294``` python
252- @tsffs.iface.tsffs .add_architecture_hint (qsp.mb.cpu0.core[0 ][0 ], " i386" )
295+ @tsffs.iface.config .add_architecture_hint (qsp.mb.cpu0.core[0 ][0 ], " i386" )
253296```
254297
255298### Adding a Trace Processor
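Review bot: the rename from `tsffs.iface.tsffs` to `tsffs.iface.config` fixes the interface name, but the replacement line still carries stray spaces inside the call: `.config .add_architecture_hint (qsp.mb.cpu0.core[0 ][0 ], " i386" )`. If those are present in the source rather than being a rendering artifact, remove them; in particular a leading space in `" i386"` would make the hint string not match the architecture name the text refers to as `i386`.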
@@ -259,5 +302,53 @@ to the [manual start API](../harnessing/closed-box.md) is traced during executio
259302code running on multiple cores, the additional cores can be added with:
260303
261304``` python
262- @tsffs.iface.tsffs.add_trace_processor (qsp.mb.cpu0.core[0 ][1 ])
263- ```
305+ @tsffs.iface.config.add_trace_processor (qsp.mb.cpu0.core[0 ][1 ])
306+ ```
307+
308+ ### Disabling Coverage Reporting
309+
310+ By default, the fuzzer will report new interesting control flow edges. This is
311+ normally useful to check the fuzzer's progress and ensure it is finding new
312+ paths. However in some cases, output may not be needed, so coverage reporting
313+ can be disabled with:
314+
315+ ``` python
316+ @tsffs.coverage_reporting = False
317+ ```
318+
319+ ### Enable Logging and Set Log path
320+
321+ By default, the fuzzer will log useful informational messages in JSON format to
322+ a log in the project directory (` log.json ` ).
323+
324+ The path for this log can be set by setting:
325+
326+ ``` python
327+ @tsffs.log_path = SIM_lookup_file("%simics%) + "/log.json"
328+ ```
329+
330+ You can also disable the logging completely with:
331+
332+ ``` python
333+ @tsffs.log_to_file = False
334+ ```
335+
336+ ### Keep All Corpus Entries
337+
338+ For debugging purposes, TSFFS can be set to keep * all* corpus entries, not just
339+ corpus entries which cause interesting results. This generates a large number
340+ of corpus files.
341+
342+ ``` python
343+ @tsffs.keep_all_corpus = True
344+ ```
345+
346+ ### Use Initial Buffer Contents As Corpus
347+
348+ When using compiled-in or manual harnessing, the initial contents of the
349+ testcase
350+ buffer can be used as a seed corpus entry. This can be enabled with:
351+
352+ ``` python
353+ @tsffs.use_initial_as_corpus = True
354+ ```
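Review bot: the `log_path` example is not valid Python: `SIM_lookup_file("%simics%) + "/log.json"` is missing the closing quote after `%simics%`, so the string literal runs on to the next quote and the statement fails to parse; it should read `SIM_lookup_file("%simics%") + "/log.json"`, matching the `checkpoint_path` example earlier in this change. Smaller points in the same hunk: the heading `Enable Logging and Set Log path` should capitalize `Path`; `keep * all*` looks like broken emphasis and should be `*all*`; and in `Use Initial Buffer Contents As Corpus` the word `testcase` sits on a line of its own and should be rejoined with its sentence. Since `keep_all_corpus` is described as generating a large number of corpus files, a sentence saying where they are written (the directory from `Set Corpus and Solutions Directory`) would help readers manage the disk usage.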