From 5176828dbb715850ab0364d68627014da40da4e6 Mon Sep 17 00:00:00 2001
From: Alwin Berger <alwin.berger@tu-dortmund.de>
Date: Sun, 27 Feb 2022 23:14:04 +0100
Subject: [PATCH] add TimeStateMaximizerCorpusScheduler

---
 fuzzers/wcet_qemu_sys/src/bin/fuzzer.rs   |  3 ++-
 fuzzers/wcet_qemu_sys/src/sysstate/mod.rs | 33 ++++++++++++++++++++++-
 fuzzers/wcet_qemu_sys/src/worst.rs        |  4 +++
 3 files changed, 38 insertions(+), 2 deletions(-)

diff --git a/fuzzers/wcet_qemu_sys/src/bin/fuzzer.rs b/fuzzers/wcet_qemu_sys/src/bin/fuzzer.rs
index 5325863177..bc046a7c30 100644
--- a/fuzzers/wcet_qemu_sys/src/bin/fuzzer.rs
+++ b/fuzzers/wcet_qemu_sys/src/bin/fuzzer.rs
@@ -386,7 +386,8 @@ fn fuzz(
 
     // A minimization+queue policy to get testcasess from the corpus
     // let scheduler = IndexesLenTimeMinimizerCorpusScheduler::new(PowerQueueCorpusScheduler::new());
-    let scheduler = QueueCorpusScheduler::new();
+    let scheduler = TimeStateMaximizerCorpusScheduler::new(QueueCorpusScheduler::new());
+    // let scheduler = QueueCorpusScheduler::new();
     
 
     // A fuzzer with feedbacks and a corpus scheduler
diff --git a/fuzzers/wcet_qemu_sys/src/sysstate/mod.rs b/fuzzers/wcet_qemu_sys/src/sysstate/mod.rs
index 9a0c2c2208..1fb8d69692 100644
--- a/fuzzers/wcet_qemu_sys/src/sysstate/mod.rs
+++ b/fuzzers/wcet_qemu_sys/src/sysstate/mod.rs
@@ -1,4 +1,7 @@
 //! Sysstate referes to the State of a FreeRTOS fuzzing target
+use std::collections::hash_map::DefaultHasher;
+use libafl::bolts::HasRefCnt;
+use libafl::bolts::AsSlice;
 use std::hash::Hasher;
 use std::hash::Hash;
 use hashbrown::HashMap;
@@ -98,10 +101,38 @@ impl Hash for MiniFreeRTOSSystemState {
 #[derive(Debug, Default, Serialize, Deserialize, Clone)]
 pub struct FreeRTOSSystemStateMetadata {
     inner: Vec<MiniFreeRTOSSystemState>,
+    indices: Vec<usize>,    // Hashed enumeration of States
+    tcref: isize,
 }
 impl FreeRTOSSystemStateMetadata {
     pub fn new(inner: Vec<MiniFreeRTOSSystemState>) -> Self{
-        Self {inner: inner}
+        let tmp = inner.iter().enumerate().map(|x| compute_hash(x) as usize).collect();
+        Self {inner: inner, indices: tmp, tcref: 0}
+    }
+}
+pub fn compute_hash<T>(obj: T) -> u64 
+where
+    T: Hash
+{
+    let mut s = DefaultHasher::new();
+    obj.hash(&mut s);
+    s.finish()
+}
+
+impl AsSlice<usize> for FreeRTOSSystemStateMetadata {
+    /// Convert the slice of system-states to a slice of hashes over enumerated states
+    fn as_slice(&self) -> &[usize] {
+        self.indices.as_slice()
+    }
+}
+
+impl HasRefCnt for FreeRTOSSystemStateMetadata {
+    fn refcnt(&self) -> isize {
+        self.tcref
+    }
+
+    fn refcnt_mut(&mut self) -> &mut isize {
+        &mut self.tcref
     }
 }
 
diff --git a/fuzzers/wcet_qemu_sys/src/worst.rs b/fuzzers/wcet_qemu_sys/src/worst.rs
index 1d1d0d73f5..8fef77acf0 100644
--- a/fuzzers/wcet_qemu_sys/src/worst.rs
+++ b/fuzzers/wcet_qemu_sys/src/worst.rs
@@ -1,3 +1,4 @@
+use crate::sysstate::FreeRTOSSystemStateMetadata;
 use num_traits::PrimInt;
 use core::fmt::Debug;
 use core::cmp::Ordering::{Greater,Less,Equal};
@@ -509,6 +510,9 @@ where
 pub type LenTimeMaximizerCorpusScheduler<CS, I, S> =
     MinimizerCorpusScheduler<CS, MaxExecsLenFavFactor<I>, I, MapIndexesMetadata, S>;
 
+pub type TimeStateMaximizerCorpusScheduler<CS, I, S> =
+    MinimizerCorpusScheduler<CS, MaxExecsLenFavFactor<I>, I, FreeRTOSSystemStateMetadata, S>;
+
 /// Multiply the testcase size with the execution time.
 /// This favors small and quick testcases.
 #[derive(Debug, Clone)]