diff --git a/fuzzers/FRET/src/fuzzer.rs b/fuzzers/FRET/src/fuzzer.rs index b0643cc02b..0eb19f3be4 100644 --- a/fuzzers/FRET/src/fuzzer.rs +++ b/fuzzers/FRET/src/fuzzer.rs @@ -33,6 +33,8 @@ use log; use rand::RngCore; use crate::templates; use std::ops::Range; +use crate::systemstate::target_os::freertos::GlobalFreeRTOSTraceMetadata; +use crate::systemstate::target_os::GlobalSystemTraceData; // Constants ================================================================================ @@ -102,8 +104,9 @@ macro_rules! do_dump_stg { if $cli.dump_graph { let dump_path = $cli.dump_name.clone().unwrap().with_extension(if $c=="" {"dot"} else {$c}); println!("Dumping graph to {:?}", &dump_path); + let tcb_index = $state.metadata::().unwrap().tcb_index().clone(); if let Some(md) = $state.named_metadata_map_mut().get_mut::>("stgfeedbackstate") { - let out = md.graph.map(|_i,x| x.color_print(&md.systemstate_index, &md.tcb_index), |_i,x| x.color_print()); + let out = md.graph.map(|_i,x| x.color_print(&md.systemstate_index, &tcb_index), |_i,x| x.color_print()); let outs = Dot::with_config(&out, &[]).to_string(); let outs = outs.replace("\\\"","\""); let outs = outs.replace(';',"\\n"); diff --git a/fuzzers/FRET/src/systemstate/feedbacks.rs b/fuzzers/FRET/src/systemstate/feedbacks.rs index c5690e04ac..9f6d1a5140 100644 --- a/fuzzers/FRET/src/systemstate/feedbacks.rs +++ b/fuzzers/FRET/src/systemstate/feedbacks.rs @@ -17,7 +17,7 @@ use super::target_os::TargetSystem; use std::borrow::Cow; use std::marker::PhantomData; -use crate::systemstate::{stg::STGFeedbackState, target_os::*}; +use crate::systemstate::{stg::STGFeedbackState, target_os::{freertos::GlobalFreeRTOSTraceMetadata, *}}; use libafl::prelude::StateInitializer; //=========================== Debugging Feedback 
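Review bot: The new `$state.metadata::<…>().unwrap()` line in the do_dump_stg hunk panics without saying which metadata is missing if a graph dump is requested before the module's first_exec has registered the global trace metadata, while the equivalent lookup in feedbacks.rs uses expect with a message; the type parameter is stripped in this rendering, but given the import added in the first hunk it is presumably GlobalFreeRTOSTraceMetadata, so `let tcb_index = $state.metadata::<GlobalFreeRTOSTraceMetadata>().expect("GlobalFreeRTOSTraceMetadata not found").tcb_index().clone();` would name it. The same bare unwrap appears on the new `_state.metadata_mut::<…>()` line in extraction.rs at `@@ -279,9 +294,9`. The full-index clone is presumably needed because `md` holds a mutable borrow of `$state` inside the `if let`; a one-line comment saying so would stop a later reader from "optimising" it back into a double borrow, and moving the clone inside the `if let` would avoid copying the index when no stgfeedbackstate is present. The macro body continues outside the hunk.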
@@ -80,9 +80,9 @@ where { .metadata::() .expect("TraceData not found").clone(); let tcb_index = state - .metadata::>() + .metadata::() .expect("STGFeedbackState not found") - .tcb_index.clone(); + .tcb_index().clone(); std::fs::write( tracename, ron::to_string(&(trace, tcb_index)) diff --git a/fuzzers/FRET/src/systemstate/stg.rs b/fuzzers/FRET/src/systemstate/stg.rs index e7a129720f..b5d51b4aae 100644 --- a/fuzzers/FRET/src/systemstate/stg.rs +++ b/fuzzers/FRET/src/systemstate/stg.rs @@ -162,7 +162,6 @@ where // aggregated traces as a graph pub graph: DiGraph, STGEdge>, pub systemstate_index: HashMap, - pub tcb_index: HashMap, pub state_abb_hash_index: HashMap<(u64, u64), NodeIndex>, stgnode_index: HashMap, entrypoint: NodeIndex, @@ -232,7 +231,6 @@ where wort_per_stg_path: HashMap::new(), worst_abb_exec_count: HashMap::new(), systemstate_index, - tcb_index, state_abb_hash_index, worst_task_jobs: HashMap::new(), } diff --git a/fuzzers/FRET/src/systemstate/target_os/freertos/extraction.rs b/fuzzers/FRET/src/systemstate/target_os/freertos/extraction.rs index 156f578aa9..9dada041a1 100644 --- a/fuzzers/FRET/src/systemstate/target_os/freertos/extraction.rs +++ b/fuzzers/FRET/src/systemstate/target_os/freertos/extraction.rs @@ -119,12 +119,12 @@ impl FreeRTOSSystemStateModule { } } -impl EmulatorModule for FreeRTOSSystemStateHelper +impl EmulatorModule for FreeRTOSSystemStateModule where S: Unpin + HasMetadata, I: Unpin, { - fn first_exec(&mut self, _qemu: Qemu, emulator_modules: &mut EmulatorModules, _state: &mut S) + fn first_exec(&mut self, _qemu: Qemu, emulator_modules: &mut EmulatorModules, state: &mut S) where ET: EmulatorModuleTuple, { 
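Review bot: The panic message `.expect("STGFeedbackState not found")` is stale after this change: the lookup on the line above now targets the global trace metadata (type parameter not visible here; presumably GlobalFreeRTOSTraceMetadata, the import added in this file's earlier hunk), so a failure would point the reader at a type that is no longer being looked up. Change it to `.expect("GlobalFreeRTOSTraceMetadata not found")` so the message matches the lookup. The enclosing function starts and ends outside the hunk.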
@@ -150,6 +150,21 @@ where ReadExecHook::Empty, ReadExecNHook::Function(trace_reads::), ); + if !state.has_metadata::() { + let mut data = GlobalFreeRTOSTraceMetadata::default(); + + let mut start_tcb = RefinedTCB::default(); + *start_tcb.task_name_mut()="Start".to_string(); + let h_start_tcb = compute_hash(&start_tcb); + data.tcb_index_mut().insert(h_start_tcb, start_tcb); + + let mut end_tcb = RefinedTCB::default(); + *end_tcb.task_name_mut()="End".to_string(); + let h_end_tcb = compute_hash(&end_tcb); + data.tcb_index_mut().insert(h_end_tcb, end_tcb); + + state.add_metadata(data); + } unsafe { INPUT_MEM = self.input_mem.clone() }; } @@ -279,9 +294,9 @@ where .collect::>(); jobs }; - _state.metadata_mut::>() + _state.metadata_mut::() .unwrap() - .tcb_index + .tcb_index_mut() .extend(tcb_map.into_iter()); _state.add_metadata(FreeRTOSTraceMetadata::new(refined_states, intervals, mem_reads, jobs, need_to_debug)); } diff --git a/fuzzers/FRET/src/systemstate/target_os/freertos/mod.rs b/fuzzers/FRET/src/systemstate/target_os/freertos/mod.rs index 48362b17d6..4ccbb007a0 100644 --- a/fuzzers/FRET/src/systemstate/target_os/freertos/mod.rs +++ b/fuzzers/FRET/src/systemstate/target_os/freertos/mod.rs @@ -25,6 +25,7 @@ impl TargetSystem for FreeRTOSSystem { type State = FreeRTOSSystemState; type TCB = RefinedTCB; type TraceData = FreeRTOSTraceMetadata; + type GlobalTraceData = GlobalFreeRTOSTraceMetadata; } impl TaskControlBlock for RefinedTCB { 
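Review bot: The two placeholder-TCB insertions in the new block are the same four statements with only the name differing, and the `*start_tcb.task_name_mut()="Start".to_string();` lines are not rustfmt-formatted; a loop over the two names keeps a single copy of the hash-and-insert logic. The `!state.has_metadata` guard is presumably there so a restored state keeps the index it already has rather than resetting it; that intent is worth a comment since nothing else in the block explains why registration is conditional. The `has_metadata::<…>()` type parameter is stripped in this rendering and is taken from the following `GlobalFreeRTOSTraceMetadata::default()` line. first_exec starts outside the hunk.
```rust
if !state.has_metadata::<GlobalFreeRTOSTraceMetadata>() {
    // Registered once per state; an existing index is kept on restore.
    let mut data = GlobalFreeRTOSTraceMetadata::default();
    // "Start"/"End" placeholder TCBs, keyed by their hash like real TCBs.
    for name in ["Start", "End"] {
        let mut tcb = RefinedTCB::default();
        *tcb.task_name_mut() = name.to_string();
        data.tcb_index_mut().insert(compute_hash(&tcb), tcb);
    }
    state.add_metadata(data);
}
// … unchanged: INPUT_MEM assignment …
```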
@@ -279,6 +280,36 @@ pub(super)struct FreeRTOSSystemStateContext { pub mem_reads: Vec<(u32, u8)>, } +#[derive(Debug, Default, Serialize, Deserialize, Clone)] +pub struct GlobalFreeRTOSTraceMetadata +{ + pub tcb_index: HashMap::State as SystemState>::TCB>, + tcref: isize, +} + +impl GlobalSystemTraceData for GlobalFreeRTOSTraceMetadata +{ + type State = FreeRTOSSystemState; + type TCB = RefinedTCB; + + fn tcb_index(&self) -> &HashMap { + &self.tcb_index + } + fn tcb_index_mut(&mut self) -> &mut HashMap { + &mut self.tcb_index + } +} + +impl HasRefCnt for GlobalFreeRTOSTraceMetadata +{ + fn refcnt(&self) -> isize { + self.tcref + } + + fn refcnt_mut(&mut self) -> &mut isize { + &mut self.tcref + } +} #[derive(Debug, Default, Serialize, Deserialize, Clone)] pub struct FreeRTOSTraceMetadata @@ -368,6 +399,7 @@ impl SystemTraceData for FreeRTOSTraceMetadata } } +libafl_bolts::impl_serdeany!(GlobalFreeRTOSTraceMetadata); libafl_bolts::impl_serdeany!(FreeRTOSTraceMetadata); libafl_bolts::impl_serdeany!(RefinedTCB); libafl_bolts::impl_serdeany!(FreeRTOSSystemState); diff --git a/fuzzers/FRET/src/systemstate/target_os/mod.rs b/fuzzers/FRET/src/systemstate/target_os/mod.rs index 9b2eaf824a..c2351d95a8 100644 --- a/fuzzers/FRET/src/systemstate/target_os/mod.rs +++ b/fuzzers/FRET/src/systemstate/target_os/mod.rs @@ -29,6 +29,8 @@ pub trait TargetSystem: Serialize + Sized + for<'de> Deserialize<'de> + Default type TCB: TaskControlBlock; /// The type used to store trace data for the system. type TraceData: SystemTraceData; + // The type used to store global trace data for the system. + type GlobalTraceData: GlobalSystemTraceData; } /// A trait representing the system state of a target system, which includes methods to access the current task. 
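Review bot: `pub tcb_index` on the new GlobalFreeRTOSTraceMetadata struct duplicates the access path the GlobalSystemTraceData impl below it already provides through tcb_index()/tcb_index_mut(); every use in this diff goes through the accessors, so the field can be private like `tcref` is, which keeps the trait as the single way to reach the index. The new public struct also has no `///` doc comment while the neighbouring FreeRTOSTraceMetadata types are part of the documented API; something like `/// Trace metadata kept across executions: the TCB index, keyed by the TCB hash.` describes what the diff shows being stored. rustfmt would also put the opening brace of the struct and of both impl blocks on the same line as the name.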
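Review bot: The comment added above `type GlobalTraceData` uses `//` while the sibling `type TraceData` line uses `///`, so the new associated type is the only one in TargetSystem that will not show in rustdoc; change it to `/// The type used to store global trace data for the system.`. The GlobalSystemTraceData trait introduced in the following hunk of this file (which appears cut off at the end of this excerpt) has no doc comment either, and its associated types and the two accessors would benefit from the same treatment.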
@@ -43,6 +45,14 @@ pub trait SystemState: Serialize + Sized + for<'a> Deserialize<'a> + Default + D fn print_lists(&self, tcb_index: &HashMap) -> String; } +pub trait GlobalSystemTraceData: Serialize + Sized + for<'a> Deserialize<'a> + Default + Debug + Clone + SerdeAny + HasRefCnt { + type State: SystemState; + type TCB: TaskControlBlock; + + fn tcb_index(&self) -> &HashMap; + fn tcb_index_mut(&mut self) -> &mut HashMap; +} + pub trait SystemTraceData: Serialize + Sized + for<'a> Deserialize<'a> + Default + Debug + Clone + SerdeAny + HasRefCnt { type State: SystemState;