SYS-OSS/FRET-LibAFL
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

avoid copy of function names

Browse Source
This commit is contained in:
Alwin Berger 2025-07-30 12:14:22 +00:00
parent aac9cff7bf
commit 803f21b208
7 changed files with 43 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
fuzzers/FRET/src/systemstate/helpers.rs
View File

@ -1,7 +1,7 @@
use hashbrown::HashMap; use hashbrown::HashMap;
use libafl_bolts::prelude::{SerdeAny, SerdeAnyMap}; use libafl_bolts::prelude::{SerdeAny, SerdeAnyMap};
use libafl_qemu::{elf::EasyElf, read_user_reg_unchecked, GuestAddr, GuestPhysAddr}; use libafl_qemu::{elf::EasyElf, read_user_reg_unchecked, GuestAddr, GuestPhysAddr};
use std::{cmp::min, hash::{DefaultHasher, Hash, Hasher}, ops::Range}; use std::{borrow::Cow, cmp::min, hash::{DefaultHasher, Hash, Hasher}, ops::Range};
use crate::{ use crate::{
fuzzer::{DO_NUM_INTERRUPT, FIRST_INT}, fuzzer::{DO_NUM_INTERRUPT, FIRST_INT},
@ -76,7 +76,7 @@ pub fn get_function_range(elf: &EasyElf, symbol: &str) -> Option<std::ops::Range
/// Check if an address is in any of the ranges /// Check if an address is in any of the ranges
pub fn in_any_range<'a>( pub fn in_any_range<'a>(
ranges: &'a Vec<(String, Range<u32>)>, ranges: &'a Vec<(Cow<'static, str>, Range<u32>)>,
addr: GuestAddr, addr: GuestAddr,
) -> Option<&'a std::ops::Range<GuestAddr>> { ) -> Option<&'a std::ops::Range<GuestAddr>> {
for (_, r) in ranges { for (_, r) in ranges {
@ -193,8 +193,8 @@ where
#[allow(unused)] #[allow(unused)]
pub fn abb_profile( pub fn abb_profile(
mut intervals: Vec<ExecInterval>, mut intervals: Vec<ExecInterval>,
) -> HashMap<String, HashMap<u32, (usize, usize, u64, u64)>> { ) -> HashMap<Cow<'static, str>, HashMap<u32, (usize, usize, u64, u64)>> {
let mut ret: HashMap<String, HashMap<u32, (usize, usize, u64, u64)>> = HashMap::new(); let mut ret: HashMap<Cow<'static, str>, HashMap<u32, (usize, usize, u64, u64)>> = HashMap::new();
intervals.sort_by_key(|x| x.get_task_name_unchecked()); intervals.sort_by_key(|x| x.get_task_name_unchecked());
intervals intervals
.chunk_by_mut(|x, y| x.get_task_name_unchecked() == y.get_task_name_unchecked()) .chunk_by_mut(|x, y| x.get_task_name_unchecked() == y.get_task_name_unchecked())

17
fuzzers/FRET/src/systemstate/mod.rs
View File

@ -9,6 +9,7 @@ use std::hash::Hash;
use hashbrown::HashMap; use hashbrown::HashMap;
use serde::{Deserialize, Serialize}; use serde::{Deserialize, Serialize};
use itertools::Itertools; use itertools::Itertools;
use std::borrow::Cow;
pub mod helpers; pub mod helpers;
pub mod feedbacks; pub mod feedbacks;
@ -56,8 +57,8 @@ pub struct ExecInterval {
pub end_tick: u64, pub end_tick: u64,
pub start_state: u64, pub start_state: u64,
pub end_state: u64, pub end_state: u64,
pub start_capture: (CaptureEvent, String), pub start_capture: (CaptureEvent, Cow<'static, str>),
pub end_capture: (CaptureEvent, String), pub end_capture: (CaptureEvent, Cow<'static, str>),
pub level: u8, pub level: u8,
// tick_spend_preempted: u64, // tick_spend_preempted: u64,
pub abb: Option<AtomicBasicBlock> pub abb: Option<AtomicBasicBlock>
@ -93,11 +94,11 @@ impl ExecInterval {
return (self.start_state, self.abb.as_ref().expect("ABB not set").get_hash()) return (self.start_state, self.abb.as_ref().expect("ABB not set").get_hash())
} }
pub fn get_task_name(&self) -> Option<String> { pub fn get_task_name(&self) -> Option<Cow<'static, str>> {
self.abb.as_ref().map(|x| x.instance_name.clone()).flatten() self.abb.as_ref().map(|x| x.instance_name.clone()).flatten()
} }
pub fn get_task_name_unchecked(&self) -> String { pub fn get_task_name_unchecked(&self) -> Cow<'static, str> {
self.get_task_name().unwrap_or_else(|| "unknown".to_string()) self.get_task_name().unwrap_or_else(|| Cow::Owned("unknown".to_owned()))
} }
pub fn is_abb_end(&self) -> bool { pub fn is_abb_end(&self) -> bool {
@ -117,7 +118,7 @@ pub struct AtomicBasicBlock {
ends: HashSet<GuestAddr>, ends: HashSet<GuestAddr>,
level: u8, level: u8,
instance_id: usize, instance_id: usize,
instance_name: Option<String>, instance_name: Option<Cow<'static, str>>,
} }
impl PartialEq for AtomicBasicBlock { impl PartialEq for AtomicBasicBlock {
@ -146,7 +147,7 @@ impl fmt::Display for AtomicBasicBlock {
for end in &self.ends { for end in &self.ends {
ends_str.push_str(&format!("0x{:#x}, ", end)); ends_str.push_str(&format!("0x{:#x}, ", end));
} }
write!(f, "ABB {} {{ level: {}, start: 0x{:#x}, ends: [{}]}}", &self.instance_name.as_ref().unwrap_or(&"".to_string()), self.level, self.start, ends_str.trim().trim_matches(',')) write!(f, "ABB {} {{ level: {}, start: 0x{:#x}, ends: [{}]}}", &self.instance_name.as_ref().unwrap_or(&Cow::Owned("".to_owned())), self.level, self.start, ends_str.trim().trim_matches(','))
} }
} }
impl fmt::Debug for AtomicBasicBlock { impl fmt::Debug for AtomicBasicBlock {
@ -155,7 +156,7 @@ impl fmt::Debug for AtomicBasicBlock {
for end in &self.ends { for end in &self.ends {
ends_str.push_str(&format!("{:#x}, ", end)); ends_str.push_str(&format!("{:#x}, ", end));
} }
write!(f, "ABB {} {{ level: {}, start: 0x{:#x}, ends: [{}]}}", &self.instance_name.as_ref().unwrap_or(&"".to_string()), self.level, self.start, ends_str.trim().trim_matches(',')) write!(f, "ABB {} {{ level: {}, start: 0x{:#x}, ends: [{}]}}", &self.instance_name.as_ref().unwrap_or(&Cow::Owned("".to_owned())), self.level, self.start, ends_str.trim().trim_matches(','))
} }
} }

6
fuzzers/FRET/src/systemstate/stg.rs
View File

@ -108,7 +108,7 @@ where
pub struct STGEdge pub struct STGEdge
{ {
pub event: CaptureEvent, pub event: CaptureEvent,
pub name: String, pub name: Cow<'static, str>,
pub worst: Option<(u64, Vec<(u32, u8)>)>, pub worst: Option<(u64, Vec<(u32, u8)>)>,
} }
@ -126,7 +126,7 @@ impl STGEdge {
short short
} }
pub fn color_print(&self) -> String { pub fn color_print(&self) -> String {
let mut short = self.name.clone(); let mut short = self.name.to_string();
short.push_str(match self.event { short.push_str(match self.event {
CaptureEvent::APIStart => "\", color=\"blue", CaptureEvent::APIStart => "\", color=\"blue",
CaptureEvent::APIEnd => "\", color=\"black", CaptureEvent::APIEnd => "\", color=\"black",
@ -556,7 +556,7 @@ where
} }
// every path terminates at the end // every path terminates at the end
if !fbs.graph.neighbors_directed(return_node_trace[return_node_trace.len()-1].0, Direction::Outgoing).any(|x| x == fbs.exitpoint) { if !fbs.graph.neighbors_directed(return_node_trace[return_node_trace.len()-1].0, Direction::Outgoing).any(|x| x == fbs.exitpoint) {
let mut e__ = STGEdge { event: CaptureEvent::End, name: String::from("End"), worst: None }; let mut e__ = STGEdge { event: CaptureEvent::End, name: Cow::Borrowed("End"), worst: None };
if let Some((time, accesses)) = instance_time.get_mut(&trace[trace.len()-1].abb.as_ref().unwrap().instance_id) { if let Some((time, accesses)) = instance_time.get_mut(&trace[trace.len()-1].abb.as_ref().unwrap().instance_id) {
e__.worst = Some((*time, accesses.clone())); e__.worst = Some((*time, accesses.clone()));
} }

23
fuzzers/FRET/src/systemstate/target_os/freertos/mod.rs
View File

@ -2,6 +2,7 @@
use libafl_qemu::GuestAddr; use libafl_qemu::GuestAddr;
use qemu_module::{FreeRTOSSystemStateHelper, MEM_READ}; use qemu_module::{FreeRTOSSystemStateHelper, MEM_READ};
use serde::{Deserialize, Serialize}; use serde::{Deserialize, Serialize};
use std::borrow::Cow;
use crate::{ use crate::{
impl_emu_lookup, impl_emu_lookup,
@ -195,23 +196,23 @@ fn trigger_collection(
match event { match event {
CaptureEvent::APIStart => { CaptureEvent::APIStart => {
let s = h.api_fn_addrs.get(&edge.1).unwrap(); let s : &Cow<'static, str> = h.api_fn_addrs.get(&edge.1).unwrap();
systemstate.capture_point = (CaptureEvent::APIStart, s.to_string()); systemstate.capture_point = (CaptureEvent::APIStart, s.clone());
} }
CaptureEvent::APIEnd => { CaptureEvent::APIEnd => {
let s = h.api_fn_addrs.get(&edge.0).unwrap(); let s : &Cow<'static, str> = h.api_fn_addrs.get(&edge.0).unwrap();
systemstate.capture_point = (CaptureEvent::APIEnd, s.to_string()); systemstate.capture_point = (CaptureEvent::APIEnd, s.clone());
} }
CaptureEvent::ISRStart => { CaptureEvent::ISRStart => {
let s = h.isr_fn_addrs.get(&edge.1).unwrap(); let s : &Cow<'static, str> = h.isr_fn_addrs.get(&edge.1).unwrap();
systemstate.capture_point = (CaptureEvent::ISRStart, s.to_string()); systemstate.capture_point = (CaptureEvent::ISRStart, s.clone());
} }
CaptureEvent::ISREnd => { CaptureEvent::ISREnd => {
let s = h.isr_fn_addrs.get(&edge.0).unwrap(); let s : &Cow<'static, str> = h.isr_fn_addrs.get(&edge.0).unwrap();
systemstate.capture_point = (CaptureEvent::ISREnd, s.to_string()); systemstate.capture_point = (CaptureEvent::ISREnd, s.clone());
} }
CaptureEvent::End => { CaptureEvent::End => {
systemstate.capture_point = (CaptureEvent::End, "".to_string()); systemstate.capture_point = (CaptureEvent::End, Cow::Borrowed(""));
} }
CaptureEvent::Undefined => (), CaptureEvent::Undefined => (),
} }
@ -302,7 +303,7 @@ pub struct RawFreeRTOSSystemState {
read_invalid: bool, read_invalid: bool,
input_counter: u32, input_counter: u32,
edge: (GuestAddr, GuestAddr), edge: (GuestAddr, GuestAddr),
capture_point: (CaptureEvent, String), capture_point: (CaptureEvent, Cow<'static, str>),
mem_reads: Vec<(u32, u8)>, mem_reads: Vec<(u32, u8)>,
} }
/// List of system state dumps from EmulatorModules /// List of system state dumps from EmulatorModules
@ -459,7 +460,7 @@ impl fmt::Display for FreeRTOSSystemState {
#[derive(Debug, Default, Serialize, Deserialize, Clone)] #[derive(Debug, Default, Serialize, Deserialize, Clone)]
pub(crate)struct FreeRTOSSystemStateContext { pub(crate)struct FreeRTOSSystemStateContext {
pub qemu_tick: u64, pub qemu_tick: u64,
pub capture_point: (CaptureEvent, String), pub capture_point: (CaptureEvent, Cow<'static, str>),
pub edge: (GuestAddr, GuestAddr), pub edge: (GuestAddr, GuestAddr),
pub mem_reads: Vec<(u32, u8)>, pub mem_reads: Vec<(u32, u8)>,
} }

10
fuzzers/FRET/src/systemstate/target_os/freertos/post_processing.rs
View File

@ -124,7 +124,7 @@ pub(crate) fn refine_system_states(
}); });
ret.1.push(FreeRTOSSystemStateContext { ret.1.push(FreeRTOSSystemStateContext {
qemu_tick: i.qemu_tick, qemu_tick: i.qemu_tick,
capture_point: (i.capture_point.0, i.capture_point.1.to_string()), capture_point: (i.capture_point.0, i.capture_point.1),
edge: i.edge, edge: i.edge,
mem_reads: i.mem_reads, mem_reads: i.mem_reads,
}); });
@ -328,7 +328,7 @@ pub(crate) fn add_abb_info(
}, },
instance_id: id_count, instance_id: id_count,
instance_name: if trace[i].level < 2 { instance_name: if trace[i].level < 2 {
Some(curr_name.clone().clone()) Some(Cow::Owned(curr_name.to_owned()))
} else { } else {
None None
}, },
@ -352,7 +352,7 @@ pub(crate) fn add_abb_info(
2 2
}, },
instance_id: id_count, instance_id: id_count,
instance_name: Some(curr_name.clone().clone()), instance_name: Some(Cow::Owned(curr_name.to_owned())),
}))); })));
id_count += 1; id_count += 1;
open_abb_at_this_ret_addr_and_task.insert( open_abb_at_this_ret_addr_and_task.insert(
@ -390,7 +390,7 @@ pub(crate) fn add_abb_info(
}, },
instance_id: id_count, instance_id: id_count,
instance_name: if trace[i].level < 1 { instance_name: if trace[i].level < 1 {
Some(curr_name.clone().clone()) Some(Cow::Owned(curr_name.to_owned()))
} else { } else {
None None
}, },
@ -474,7 +474,7 @@ pub(crate) fn get_releases(
// A timed release is SysTickHandler isr block that moves a task from the delay list to the ready list. // A timed release is SysTickHandler isr block that moves a task from the delay list to the ready list.
if i.start_capture.0 == CaptureEvent::ISRStart if i.start_capture.0 == CaptureEvent::ISRStart
&& (i.start_capture.1 == "xPortSysTickHandler" && (i.start_capture.1 == "xPortSysTickHandler"
|| USR_ISR_SYMBOLS.contains(&i.start_capture.1.as_str())) || USR_ISR_SYMBOLS.contains(&&*i.start_capture.1))
{ {
// detect race-conditions, get start and end state from the nearest valid intervals // detect race-conditions, get start and end state from the nearest valid intervals
if states if states

15
fuzzers/FRET/src/systemstate/target_os/freertos/qemu_module.rs
View File

@ -1,3 +1,4 @@
use std::borrow::Cow;
use std::ops::Range; use std::ops::Range;
use freertos::FreeRTOSTraceMetadata; use freertos::FreeRTOSTraceMetadata;
@ -31,11 +32,11 @@ pub struct FreeRTOSSystemStateHelper {
// Address of the application code // Address of the application code
pub app_range: Range<GuestAddr>, pub app_range: Range<GuestAddr>,
// Address of API functions // Address of API functions
pub api_fn_addrs: HashMap<GuestAddr, String>, pub api_fn_addrs: HashMap<GuestAddr, Cow<'static, str>>,
pub api_fn_ranges: Vec<(String, std::ops::Range<GuestAddr>)>, pub api_fn_ranges: Vec<(Cow<'static, str>, std::ops::Range<GuestAddr>)>,
// Address of interrupt routines // Address of interrupt routines
pub isr_fn_addrs: HashMap<GuestAddr, String>, pub isr_fn_addrs: HashMap<GuestAddr, Cow<'static, str>>,
pub isr_fn_ranges: Vec<(String, std::ops::Range<GuestAddr>)>, pub isr_fn_ranges: Vec<(Cow<'static, str>, std::ops::Range<GuestAddr>)>,
// Address of input memory // Address of input memory
pub input_mem: Range<GuestAddr>, pub input_mem: Range<GuestAddr>,
// FreeRTOS specific addresses // FreeRTOS specific addresses
@ -59,9 +60,9 @@ impl FreeRTOSSystemStateHelper {
) -> Self { ) -> Self {
let app_range = target_ranges.get("APP_CODE").unwrap().clone(); let app_range = target_ranges.get("APP_CODE").unwrap().clone();
let api_fn_ranges : Vec<_> = target_groups.get("API_FN").unwrap().iter().sorted_by_key(|x|x.1.start).map(|(n,r)| (n.clone(),r.clone())).collect(); let api_fn_ranges : Vec<_> = target_groups.get("API_FN").unwrap().iter().sorted_by_key(|x|x.1.start).map(|(n,r)| (Cow::Borrowed(Box::leak(n.clone().into_boxed_str())),r.clone())).collect();
let api_fn_addrs = api_fn_ranges.iter().map(|(n,r)| (r.start,n.clone())).collect(); let api_fn_addrs = api_fn_ranges.iter().map(|(n,r)| (r.start,n.clone())).collect();
let isr_fn_ranges : Vec<_> = target_groups.get("ISR_FN").unwrap().iter().sorted_by_key(|x|x.1.start).map(|(n,r)| (n.clone(),r.clone())).collect(); let isr_fn_ranges : Vec<_> = target_groups.get("ISR_FN").unwrap().iter().sorted_by_key(|x|x.1.start).map(|(n,r)| (Cow::Borrowed(Box::leak(n.clone().into_boxed_str())),r.clone())).collect();
let isr_fn_addrs = isr_fn_ranges.iter().map(|(n,r)| (r.start,n.clone())).collect(); let isr_fn_addrs = isr_fn_ranges.iter().map(|(n,r)| (r.start,n.clone())).collect();
let input_mem = target_symbols.get("FUZZ_INPUT").map(|x| *x..(*x+unsafe{MAX_INPUT_SIZE as GuestAddr})).unwrap(); let input_mem = target_symbols.get("FUZZ_INPUT").map(|x| *x..(*x+unsafe{MAX_INPUT_SIZE as GuestAddr})).unwrap();
@ -170,7 +171,7 @@ where
let pc = c.read_reg::<i32>(15).unwrap(); let pc = c.read_reg::<i32>(15).unwrap();
let last = current_systemstate_vec.last_mut().unwrap(); let last = current_systemstate_vec.last_mut().unwrap();
last.edge = (pc, 0); last.edge = (pc, 0);
last.capture_point =(CaptureEvent::End, "Breakpoint".to_string()); last.capture_point =(CaptureEvent::End, Cow::Borrowed("Breakpoint"));
// Find the first ISREnd of vPortSVCHandler (start of the first task) and drop anything before // Find the first ISREnd of vPortSVCHandler (start of the first task) and drop anything before
unsafe { unsafe {
let mut index = 0; let mut index = 0;

3
fuzzers/FRET/src/systemstate/target_os/mod.rs
View File

@ -1,3 +1,4 @@
use std::borrow::Cow;
use std::collections::hash_map::DefaultHasher; use std::collections::hash_map::DefaultHasher;
use std::fmt; use std::fmt;
use hashbrown::HashSet; use hashbrown::HashSet;
@ -81,7 +82,7 @@ pub trait SystemTraceData: Serialize + Sized + for<'a> Deserialize<'a> + Default
fn select_abb_profile( fn select_abb_profile(
&self, &self,
select_task: Option<String>, select_task: Option<String>,
) -> HashMap<String, HashMap<u32, (usize, usize, u64, u64)>> { ) -> HashMap<Cow<'static, str>, HashMap<u32, (usize, usize, u64, u64)>> {
if let Some(select_task) = select_task.as_ref() { if let Some(select_task) = select_task.as_ref() {
// Task selected, only profile this task // Task selected, only profile this task
let wjptybrt = self.worst_jobs_per_task_by_response_time(); let wjptybrt = self.worst_jobs_per_task_by_response_time();