fix build

fuzzers/FRET/fuzzer.sh

@@ -16,7 +16,7 @@ cd "$parent_path"
 
 [ -z "$FUZZER" ] && export FUZZER=target/debug/fret
 set +e
-$FUZZER -icount shift=4,align=off,sleep=off -machine mps2-an385 -monitor null -kernel $KERNEL -serial null -nographic -S -semihosting --semihosting-config enable=on,target=native -snapshot -drive if=none,format=qcow2,file=dummy.qcow2
+$FUZZER -icount shift=4,align=off,sleep=off -machine mps2-an385 -monitor null -kernel $KERNEL -serial null -nographic -S -semihosting --semihosting-config enable=off,target=native -snapshot -drive if=none,format=qcow2,file=dummy.qcow2
 if [ "$exitcode" = "101" ]
 then
     exit 101

fuzzers/FRET/src/fuzzer.rs

@@ -1,7 +1,7 @@
 //! A fuzzer using qemu in systemmode for binary-only coverage of kernels
 //!
 use core::time::Duration;
-use std::{env, path::PathBuf, process::{self, abort}, io::{Read, Write}, fs::{self, OpenOptions}};
+use std::{env, path::PathBuf, process::{self, abort}, io::{Read, Write}, fs::{self, OpenOptions}, ptr::addr_of_mut};
 
 use libafl::{
     bolts::{
@@ -31,7 +31,7 @@ use libafl::{
     prelude::{SimpleMonitor, SimpleEventManager, AsMutSlice, RandBytesGenerator, Generator, SimpleRestartingEventManager, HasBytesVec, minimizer::TopRatedsMetadata}, Evaluator,
 };
 use libafl_qemu::{
-    edges, edges::QemuEdgeCoverageHelper, elf::EasyElf, emu::Emulator, GuestPhysAddr, QemuExecutor,
+    edges, edges::{QemuEdgeCoverageHelper, edges_map_mut_slice, MAX_EDGES_NUM}, elf::EasyElf, emu::Emulator, GuestPhysAddr, QemuExecutor,
     QemuHooks, Regs, QemuInstrumentationFilter, GuestAddr,
 };
 use crate::{
@@ -203,9 +203,11 @@ pub fn fuzz() {
         };
 
         // Create an observation channel using the coverage map
-        let edges = unsafe { &mut edges::EDGES_MAP };
-        let edges_counter = unsafe { &mut edges::MAX_EDGES_NUM };
-        let edges_observer = VariableMapObserver::new("edges", edges, edges_counter);
+        let edges_observer = unsafe {VariableMapObserver::from_mut_slice(
+                "edges",
+                edges_map_mut_slice(),
+                addr_of_mut!(MAX_EDGES_NUM),
+            )};
 
         // Create an observation channel to keep track of the execution time
         let clock_time_observer = QemuClockObserver::new("clocktime");
@@ -420,7 +422,7 @@ pub fn fuzz() {
                         let mut worst = Duration::new(0,0);
                         let mut worst_input = None;
                         for i in 0..corpus.count() {
-                            let tc = corpus.get(i).expect("Could not get element from corpus").borrow();
+                            let tc = corpus.get(i.into()).expect("Could not get element from corpus").borrow();
                             if worst < tc.exec_time().expect("Testcase missing duration") {
                                 worst_input = Some(tc.input().as_ref().unwrap().bytes().to_owned());
                                 worst = tc.exec_time().expect("Testcase missing duration");
@@ -445,7 +447,7 @@ pub fn fuzz() {
                         {
                             let mut gd = String::from(&td);
                             if let Some(md) = state.metadata_mut().get_mut::<TopRatedsMetadata>() {
-                                let mut uniq: Vec<usize> = md.map.values().map(|x| x.clone()).collect();
+                                let mut uniq: Vec<String> = md.map.values().map(|x| x.to_string()).collect();
                                 uniq.sort();
                                 uniq.dedup();
                                 gd.push_str(&format!(".{}.toprated", uniq.len()));

libafl/src/fuzzer/mod.rs

@@ -246,21 +246,21 @@ where
         state: &mut EM::State,
         manager: &mut EM,
         time: Duration
-    ) -> Result<usize, Error> {
+    ) -> Result<CorpusId, Error> {
         if time==Duration::ZERO {
             return Err(Error::illegal_argument(
                 "Cannot fuzz for 0 duration!".to_string(),
             ));
         }
 
-        let mut ret = 0;
+        let mut ret = None;
         let mut last = current_time();
         let monitor_timeout = STATS_TIMEOUT_DEFAULT;
 
         let starttime = std::time::Instant::now();
 
         while std::time::Instant::now().duration_since(starttime) < time {
-            ret = self.fuzz_one(stages, executor, state, manager)?;
+            ret = Some(self.fuzz_one(stages, executor, state, manager)?);
             last = manager.maybe_report_progress(state, last, monitor_timeout)?;
         }
 
@@ -269,7 +269,7 @@ where
         // But as the state may grow to a few megabytes,
         // for now we won' and the user has to do it (unless we find a way to do this on `Drop`).
 
-        Ok(ret)
+        Ok(ret.unwrap())
     }
 
     /// Fuzz for n iterations.
@@ -288,13 +288,13 @@ where
         state: &mut EM::State,
         manager: &mut EM,
         time: std::time::Instant
-    ) -> Result<usize, Error> {
-        let mut ret = 0;
+    ) -> Result<CorpusId, Error> {
+        let mut ret = None;
         let mut last = current_time();
         let monitor_timeout = STATS_TIMEOUT_DEFAULT;
 
         while std::time::Instant::now() < time {
-            ret = self.fuzz_one(stages, executor, state, manager)?;
+            ret = Some(self.fuzz_one(stages, executor, state, manager)?);
             last = manager.maybe_report_progress(state, last, monitor_timeout)?;
         }
 
@@ -303,7 +303,7 @@ where
         // But as the state may grow to a few megabytes,
         // for now we won' and the user has to do it (unless we find a way to do this on `Drop`).
 
-        Ok(ret)
+        Ok(ret.unwrap())
     }
 }