From d2fe86f867b6e754f44791aa28a5dfb5741b3825 Mon Sep 17 00:00:00 2001 From: Alwin Berger Date: Fri, 29 Aug 2025 13:11:52 +0000 Subject: [PATCH] store hashes globally --- fuzzers/FRET/src/fuzzer.rs | 5 ++- fuzzers/FRET/src/systemstate/feedbacks.rs | 6 ++-- fuzzers/FRET/src/systemstate/stg.rs | 2 -- .../target_os/freertos/extraction.rs | 21 ++++++++++-- .../src/systemstate/target_os/freertos/mod.rs | 32 +++++++++++++++++++ fuzzers/FRET/src/systemstate/target_os/mod.rs | 10 ++++++ 6 files changed, 67 insertions(+), 9 deletions(-) diff --git a/fuzzers/FRET/src/fuzzer.rs b/fuzzers/FRET/src/fuzzer.rs index e5340cf3e2..92eb24ab01 100644 --- a/fuzzers/FRET/src/fuzzer.rs +++ b/fuzzers/FRET/src/fuzzer.rs @@ -33,6 +33,8 @@ use log; use rand::RngCore; use crate::templates; use std::ops::Range; +use crate::systemstate::target_os::freertos::GlobalFreeRTOSTraceMetadata; +use crate::systemstate::target_os::GlobalSystemTraceData; // Constants ================================================================================ @@ -102,8 +104,9 @@ macro_rules! do_dump_stg { if $cli.dump_graph { let dump_path = $cli.dump_name.clone().unwrap().with_extension(if $c=="" {"dot"} else {$c}); println!("Dumping graph to {:?}", &dump_path); + let tcb_index = $state.metadata::().unwrap().tcb_index().clone(); if let Some(md) = $state.named_metadata_map_mut().get_mut::>("stgfeedbackstate") { - let out = md.graph.map(|_i,x| x.color_print(&md.systemstate_index, &md.tcb_index), |_i,x| x.color_print()); + let out = md.graph.map(|_i,x| x.color_print(&md.systemstate_index, &tcb_index), |_i,x| x.color_print()); let outs = Dot::with_config(&out, &[]).to_string(); let outs = outs.replace("\\\"","\""); let outs = outs.replace(';',"\\n"); diff --git a/fuzzers/FRET/src/systemstate/feedbacks.rs b/fuzzers/FRET/src/systemstate/feedbacks.rs index 9e8fcebfc9..749b1b45e6 100644 --- a/fuzzers/FRET/src/systemstate/feedbacks.rs +++ b/fuzzers/FRET/src/systemstate/feedbacks.rs 
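Review bot: In `do_dump_stg` (fuzzers/FRET/src/fuzzer.rs) the added `.unwrap()` on the `$state.metadata` lookup panics with no context when the global trace metadata is absent, and the only place this patch installs that metadata is `first_exec` in extraction.rs. A graph dump on a state that never went through that hook would abort without saying what is missing, and the same bare `.unwrap()` is added on the `metadata_mut` call in the `@@ -277,9` hunk of extraction.rs. I would use `.expect("global trace metadata missing: first_exec has not run")` in both places, or skip the dump when the lookup fails. The `.clone()` of the whole map looks like it exists only to end the shared borrow before `named_metadata_map_mut()`, so a one-line comment saying so would help. The macro body starts and ends outside this hunk.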
@@ -18,7 +18,7 @@ use super::target_os::TargetSystem; use std::borrow::Cow; use std::marker::PhantomData; -use crate::systemstate::{stg::STGFeedbackState, target_os::*}; +use crate::systemstate::{stg::STGFeedbackState, target_os::{freertos::GlobalFreeRTOSTraceMetadata, *}}; use libafl::prelude::StateInitializer; //=========================== Debugging Feedback @@ -81,9 +81,9 @@ where { .metadata::() .expect("TraceData not found").clone(); let tcb_index = state - .metadata::>() + .metadata::() .expect("STGFeedbackState not found") - .tcb_index.clone(); + .tcb_index().clone(); std::fs::write( tracename, ron::to_string(&(trace, tcb_index)) diff --git a/fuzzers/FRET/src/systemstate/stg.rs b/fuzzers/FRET/src/systemstate/stg.rs index 42a6ddaaed..ccd99db120 100644 --- a/fuzzers/FRET/src/systemstate/stg.rs +++ b/fuzzers/FRET/src/systemstate/stg.rs @@ -165,7 +165,6 @@ where // aggregated traces as a graph pub graph: DiGraph, STGEdge>, pub systemstate_index: HashMap, - pub tcb_index: HashMap, pub state_abb_hash_index: HashMap<(u64, u64), NodeIndex>, stgnode_index: HashMap, entrypoint: NodeIndex, @@ -235,7 +234,6 @@ where wort_per_stg_path: HashMap::new(), worst_abb_exec_count: HashMap::new(), systemstate_index, - tcb_index, state_abb_hash_index, worst_task_jobs: HashMap::new(), } diff --git a/fuzzers/FRET/src/systemstate/target_os/freertos/extraction.rs b/fuzzers/FRET/src/systemstate/target_os/freertos/extraction.rs index 7de4818f36..f2abdc601d 100644 --- a/fuzzers/FRET/src/systemstate/target_os/freertos/extraction.rs +++ b/fuzzers/FRET/src/systemstate/target_os/freertos/extraction.rs @@ -124,7 +124,7 @@ impl EmulatorModule for FreeRTOSSystemStateModule where S: UsesInput + Unpin + HasMetadata, { - fn first_exec(&mut self, emulator_modules: &mut EmulatorModules, _state: &mut S) + fn first_exec(&mut self, emulator_modules: &mut EmulatorModules, state: &mut S) where ET: EmulatorModuleTuple, { 
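Review bot: In the `@@ -81,9` hunk of feedbacks.rs the lookup now fetches the global trace metadata, but the panic message still reads `"STGFeedbackState not found"`, which points whoever hits it at the wrong type. Name what is actually missing, e.g. `.expect("GlobalFreeRTOSTraceMetadata not found")`. The type argument of `metadata::` is not visible on this page. If it is the FreeRTOS-specific type the new import suggests, consider going through the `GlobalTraceData` associated type this patch adds to `TargetSystem`, so the dump feedback stays independent of the target OS. The enclosing function starts and ends outside the hunk.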
@@ -150,6 +150,21 @@ where Hook::Empty, Hook::Function(trace_reads::), ); + if !state.has_metadata::() { + let mut data = GlobalFreeRTOSTraceMetadata::default(); + + let mut start_tcb = RefinedTCB::default(); + *start_tcb.task_name_mut()="Start".to_string(); + let h_start_tcb = compute_hash(&start_tcb); + data.tcb_index_mut().insert(h_start_tcb, start_tcb); + + let mut end_tcb = RefinedTCB::default(); + *end_tcb.task_name_mut()="End".to_string(); + let h_end_tcb = compute_hash(&end_tcb); + data.tcb_index_mut().insert(h_end_tcb, end_tcb); + + state.add_metadata(data); + } unsafe { INPUT_MEM = self.input_mem.clone() }; } @@ -277,9 +292,9 @@ where .collect::>(); jobs }; - _state.metadata_mut::>() + _state.metadata_mut::() .unwrap() - .tcb_index + .tcb_index_mut() .extend(tcb_map.into_iter()); _state.add_metadata(FreeRTOSTraceMetadata::new(refined_states, intervals, mem_reads, jobs, need_to_debug)); } diff --git a/fuzzers/FRET/src/systemstate/target_os/freertos/mod.rs b/fuzzers/FRET/src/systemstate/target_os/freertos/mod.rs index 48362b17d6..4ccbb007a0 100644 --- a/fuzzers/FRET/src/systemstate/target_os/freertos/mod.rs +++ b/fuzzers/FRET/src/systemstate/target_os/freertos/mod.rs @@ -25,6 +25,7 @@ impl TargetSystem for FreeRTOSSystem { type State = FreeRTOSSystemState; type TCB = RefinedTCB; type TraceData = FreeRTOSTraceMetadata; + type GlobalTraceData = GlobalFreeRTOSTraceMetadata; } impl TaskControlBlock for RefinedTCB { 
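Review bot: The two sentinel entries added to `first_exec` in the `@@ -150,6` hunk of extraction.rs are built by the same four statements copied twice, differing only in the task name, and nothing says why "Start" and "End" must be in the index before the first trace. A loop over the two names removes the duplication, and a short comment should record what relies on these entries (presumably the STG entry and exit nodes, to be confirmed against stg.rs). Because the block is guarded by `has_metadata`, a state that already carries the metadata is left untouched, which is worth stating in that comment too. `first_exec` begins before this hunk.

```rust
let mut data = GlobalFreeRTOSTraceMetadata::default();
// Sentinel TCBs seeded once per state; presumably the STG entry/exit nodes
// resolve to these hashes (confirm against stg.rs).
for name in ["Start", "End"] {
    let mut tcb = RefinedTCB::default();
    *tcb.task_name_mut() = name.to_string();
    let hash = compute_hash(&tcb);
    data.tcb_index_mut().insert(hash, tcb);
}
// … unchanged: state.add_metadata(data) …
```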
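Review bot: The `@@ -277,9` hunk of extraction.rs still names the parameter `_state` although it is used for both `metadata_mut` and `add_metadata`, while this same patch renames the `first_exec` parameter to `state` once it becomes used. The leading underscore signals an unused binding, so renaming it here as well keeps the two hooks consistent. `.extend(tcb_map.into_iter())` can also be shortened to `.extend(tcb_map)`. The function signature is outside this hunk, so the rename has to be made there.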
@@ -279,6 +280,36 @@ pub(super)struct FreeRTOSSystemStateContext { pub mem_reads: Vec<(u32, u8)>, } +#[derive(Debug, Default, Serialize, Deserialize, Clone)] +pub struct GlobalFreeRTOSTraceMetadata +{ + pub tcb_index: HashMap::State as SystemState>::TCB>, + tcref: isize, +} + +impl GlobalSystemTraceData for GlobalFreeRTOSTraceMetadata +{ + type State = FreeRTOSSystemState; + type TCB = RefinedTCB; + + fn tcb_index(&self) -> &HashMap { + &self.tcb_index + } + fn tcb_index_mut(&mut self) -> &mut HashMap { + &mut self.tcb_index + } +} + +impl HasRefCnt for GlobalFreeRTOSTraceMetadata +{ + fn refcnt(&self) -> isize { + self.tcref + } + + fn refcnt_mut(&mut self) -> &mut isize { + &mut self.tcref + } +} #[derive(Debug, Default, Serialize, Deserialize, Clone)] pub struct FreeRTOSTraceMetadata @@ -368,6 +399,7 @@ impl SystemTraceData for FreeRTOSTraceMetadata } } +libafl_bolts::impl_serdeany!(GlobalFreeRTOSTraceMetadata); libafl_bolts::impl_serdeany!(FreeRTOSTraceMetadata); libafl_bolts::impl_serdeany!(RefinedTCB); libafl_bolts::impl_serdeany!(FreeRTOSSystemState); diff --git a/fuzzers/FRET/src/systemstate/target_os/mod.rs b/fuzzers/FRET/src/systemstate/target_os/mod.rs index 9b2eaf824a..c2351d95a8 100644 --- a/fuzzers/FRET/src/systemstate/target_os/mod.rs +++ b/fuzzers/FRET/src/systemstate/target_os/mod.rs @@ -29,6 +29,8 @@ pub trait TargetSystem: Serialize + Sized + for<'de> Deserialize<'de> + Default type TCB: TaskControlBlock; /// The type used to store trace data for the system. type TraceData: SystemTraceData; + // The type used to store global trace data for the system. + type GlobalTraceData: GlobalSystemTraceData; } /// A trait representing the system state of a target system, which includes methods to access the current task. 
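Review bot: `GlobalFreeRTOSTraceMetadata` in the `@@ -279,6` hunk of freertos/mod.rs exposes `tcb_index` as a `pub` field and also through the `tcb_index()` / `tcb_index_mut()` trait accessors, so callers have two ways in and the trait no longer controls access. Every call site touched by this patch already uses the accessors, so dropping `pub` from the field should be free. The struct and its fields also have no documentation. I would add `/// Index of task control blocks keyed by their hash, kept as state metadata instead of inside STGFeedbackState.` on the struct and `// reference count backing HasRefCnt` on `tcref`.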
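Review bot: The comment on the new `GlobalTraceData` associated type in the `@@ -29,6` hunk of target_os/mod.rs uses `//`, whereas the neighbouring `TraceData` entry is documented with `///`, so this one will not show up in rustdoc. Use `/// The type used to store global trace data for the system.` to match. The trait body starts outside the hunk.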
@@ -43,6 +45,14 @@ pub trait SystemState: Serialize + Sized + for<'a> Deserialize<'a> + Default + D fn print_lists(&self, tcb_index: &HashMap) -> String; } +pub trait GlobalSystemTraceData: Serialize + Sized + for<'a> Deserialize<'a> + Default + Debug + Clone + SerdeAny + HasRefCnt { + type State: SystemState; + type TCB: TaskControlBlock; + + fn tcb_index(&self) -> &HashMap; + fn tcb_index_mut(&mut self) -> &mut HashMap; +} + pub trait SystemTraceData: Serialize + Sized + for<'a> Deserialize<'a> + Default + Debug + Clone + SerdeAny + HasRefCnt { type State: SystemState;