store hashes globally

2025-08-29 13:11:52 +00:00 · 2025-08-29 13:11:52 +00:00 · 1c3bc85d48
commit 1c3bc85d48
parent 48e08ce3e7
6 changed files with 68 additions and 10 deletions
--- a/fuzzers/FRET/src/fuzzer.rs
+++ b/fuzzers/FRET/src/fuzzer.rs
@ -33,6 +33,8 @@ use log;
 use rand::RngCore;
 use crate::templates;
 use std::ops::Range;
+use crate::systemstate::target_os::freertos::GlobalFreeRTOSTraceMetadata;
+use crate::systemstate::target_os::GlobalSystemTraceData;

 // Constants ================================================================================

@ -102,8 +104,9 @@ macro_rules! do_dump_stg {
    if $cli.dump_graph {
        let dump_path = $cli.dump_name.clone().unwrap().with_extension(if $c=="" {"dot"} else {$c});
        println!("Dumping graph to {:?}", &dump_path);
+        let tcb_index = $state.metadata::<GlobalFreeRTOSTraceMetadata>().unwrap().tcb_index().clone();
        if let Some(md) = $state.named_metadata_map_mut().get_mut::<STGFeedbackState<FreeRTOSSystem>>("stgfeedbackstate") {
-            let out = md.graph.map(|_i,x| x.color_print(&md.systemstate_index, &md.tcb_index), |_i,x| x.color_print());
+            let out = md.graph.map(|_i,x| x.color_print(&md.systemstate_index, &tcb_index), |_i,x| x.color_print());
            let outs = Dot::with_config(&out, &[]).to_string();
            let outs = outs.replace("\\\"","\"");
            let outs = outs.replace(';',"\\n");
--- a/fuzzers/FRET/src/systemstate/feedbacks.rs
+++ b/fuzzers/FRET/src/systemstate/feedbacks.rs
@ -17,7 +17,7 @@ use super::target_os::TargetSystem;
 use std::borrow::Cow;
 use std::marker::PhantomData;

-use crate::systemstate::{stg::STGFeedbackState, target_os::*};
+use crate::systemstate::{stg::STGFeedbackState, target_os::{freertos::GlobalFreeRTOSTraceMetadata, *}};
 use libafl::prelude::StateInitializer;

 //=========================== Debugging Feedback
@ -80,9 +80,9 @@ where {
                        .metadata::<SYS::TraceData>()
                        .expect("TraceData not found").clone();
                    let tcb_index = state
-                        .metadata::<STGFeedbackState<SYS>>()
+                        .metadata::<SYS::GlobalTraceData>()
                        .expect("STGFeedbackState not found")
-                        .tcb_index.clone();
+                        .tcb_index().clone();
                    std::fs::write(
                        tracename,
                        ron::to_string(&(trace, tcb_index))
--- a/fuzzers/FRET/src/systemstate/stg.rs
+++ b/fuzzers/FRET/src/systemstate/stg.rs
@ -162,7 +162,6 @@ where
    // aggregated traces as a graph
    pub graph: DiGraph<STGNode<SYS>, STGEdge>,
    pub systemstate_index: HashMap<HashIndex, SYS::State>,
-    pub tcb_index: HashMap<HashIndex, SYS::TCB>,
    pub state_abb_hash_index: HashMap<(u64, u64), NodeIndex>,
    stgnode_index: HashMap<u64, NodeIndex>,
    entrypoint: NodeIndex,
@ -232,7 +231,6 @@ where
            wort_per_stg_path: HashMap::new(),
            worst_abb_exec_count: HashMap::new(),
            systemstate_index,
-            tcb_index,
            state_abb_hash_index,
            worst_task_jobs: HashMap::new(),
        }
--- a/fuzzers/FRET/src/systemstate/target_os/freertos/extraction.rs
+++ b/fuzzers/FRET/src/systemstate/target_os/freertos/extraction.rs
@ -119,12 +119,12 @@ impl FreeRTOSSystemStateModule {
    }
 }

-impl<S, I> EmulatorModule<I, S> for FreeRTOSSystemStateHelper
+impl<I, S> EmulatorModule<I, S> for FreeRTOSSystemStateModule
 where
    S: Unpin + HasMetadata,
    I: Unpin,
 {
-    fn first_exec<ET>(&mut self, _qemu: Qemu, emulator_modules: &mut EmulatorModules<ET, I, S>, _state: &mut S)
+    fn first_exec<ET>(&mut self, _qemu: Qemu, emulator_modules: &mut EmulatorModules<ET, I, S>, state: &mut S)
    where
        ET: EmulatorModuleTuple<I, S>,
    {
@ -150,6 +150,21 @@ where
            ReadExecHook::Empty,
            ReadExecNHook::Function(trace_reads::<ET, I, S>),
        );
+        if !state.has_metadata::<GlobalFreeRTOSTraceMetadata>() {
+            let mut data = GlobalFreeRTOSTraceMetadata::default();
+
+            let mut start_tcb = RefinedTCB::default();
+            *start_tcb.task_name_mut()="Start".to_string();
+            let h_start_tcb = compute_hash(&start_tcb);
+            data.tcb_index_mut().insert(h_start_tcb, start_tcb);
+
+            let mut end_tcb = RefinedTCB::default();
+            *end_tcb.task_name_mut()="End".to_string();
+            let h_end_tcb = compute_hash(&end_tcb);
+            data.tcb_index_mut().insert(h_end_tcb, end_tcb);
+
+            state.add_metadata(data);
+        }
        unsafe { INPUT_MEM = self.input_mem.clone() };
    }

@ -279,9 +294,9 @@ where
                .collect::<Vec<_>>();
            jobs
        };
-        _state.metadata_mut::<STGFeedbackState<FreeRTOSSystem>>()
+        _state.metadata_mut::<GlobalFreeRTOSTraceMetadata>()
            .unwrap()
-            .tcb_index
+            .tcb_index_mut()
            .extend(tcb_map.into_iter());
        _state.add_metadata(FreeRTOSTraceMetadata::new(refined_states, intervals, mem_reads, jobs, need_to_debug));
    }
--- a/fuzzers/FRET/src/systemstate/target_os/freertos/mod.rs
+++ b/fuzzers/FRET/src/systemstate/target_os/freertos/mod.rs
@ -25,6 +25,7 @@ impl TargetSystem for FreeRTOSSystem {
    type State = FreeRTOSSystemState;
    type TCB = RefinedTCB;
    type TraceData = FreeRTOSTraceMetadata;
+    type GlobalTraceData = GlobalFreeRTOSTraceMetadata;
 }

 impl TaskControlBlock for RefinedTCB {
@ -279,6 +280,36 @@ pub(super)struct FreeRTOSSystemStateContext {
    pub mem_reads: Vec<(u32, u8)>,
 }

+#[derive(Debug, Default, Serialize, Deserialize, Clone)]
+pub struct GlobalFreeRTOSTraceMetadata
+{
+    pub tcb_index: HashMap<HashIndex, <<FreeRTOSTraceMetadata as SystemTraceData>::State as SystemState>::TCB>,
+    tcref: isize,
+}
+
+impl GlobalSystemTraceData for GlobalFreeRTOSTraceMetadata
+{
+    type State = FreeRTOSSystemState;
+    type TCB = RefinedTCB;
+
+    fn tcb_index(&self) -> &HashMap<HashIndex, Self::TCB> {
+        &self.tcb_index
+    }
+    fn tcb_index_mut(&mut self) -> &mut HashMap<HashIndex, Self::TCB> {
+        &mut self.tcb_index
+    }
+}
+
+impl HasRefCnt for GlobalFreeRTOSTraceMetadata
+{
+    fn refcnt(&self) -> isize {
+        self.tcref
+    }
+
+    fn refcnt_mut(&mut self) -> &mut isize {
+        &mut self.tcref
+    }
+}

 #[derive(Debug, Default, Serialize, Deserialize, Clone)]
 pub struct FreeRTOSTraceMetadata
@ -368,6 +399,7 @@ impl SystemTraceData for FreeRTOSTraceMetadata
    }
 }

+libafl_bolts::impl_serdeany!(GlobalFreeRTOSTraceMetadata);
 libafl_bolts::impl_serdeany!(FreeRTOSTraceMetadata);
 libafl_bolts::impl_serdeany!(RefinedTCB);
 libafl_bolts::impl_serdeany!(FreeRTOSSystemState);
--- a/fuzzers/FRET/src/systemstate/target_os/mod.rs
+++ b/fuzzers/FRET/src/systemstate/target_os/mod.rs
@ -29,6 +29,8 @@ pub trait TargetSystem: Serialize + Sized + for<'de> Deserialize<'de> + Default
    type TCB: TaskControlBlock;
    /// The type used to store trace data for the system.
    type TraceData: SystemTraceData<State = Self::State>;
+    // The type used to store global trace data for the system.
+    type GlobalTraceData: GlobalSystemTraceData<State = Self::State, TCB = Self::TCB>;
 }

 /// A trait representing the system state of a target system, which includes methods to access the current task.
@ -43,6 +45,14 @@ pub trait SystemState: Serialize + Sized + for<'a> Deserialize<'a> + Default + D
    fn print_lists(&self, tcb_index: &HashMap<HashIndex, Self::TCB>) -> String;
 }

+pub trait GlobalSystemTraceData: Serialize + Sized + for<'a> Deserialize<'a> + Default + Debug + Clone + SerdeAny + HasRefCnt {
+    type State: SystemState;
+    type TCB: TaskControlBlock;
+
+    fn tcb_index(&self) -> &HashMap<HashIndex, Self::TCB>;
+    fn tcb_index_mut(&mut self) -> &mut HashMap<HashIndex, Self::TCB>;
+}
+
 pub trait SystemTraceData: Serialize + Sized + for<'a> Deserialize<'a> + Default + Debug + Clone + SerdeAny + HasRefCnt {
    type State: SystemState;