From defb475d28524776603348a1d96f1bbab4d4b962 Mon Sep 17 00:00:00 2001
From: "Dongjia \"toka\" Zhang" <tokazerkje@outlook.com>
Date: Tue, 4 Feb 2025 14:34:11 +0100
Subject: [PATCH] Fix EdgeCoverageModuleBuilder (#2931)

---
 fuzzers/binary_only/fuzzbench_fork_qemu/Makefile.toml |  2 +-
 fuzzers/binary_only/fuzzbench_fork_qemu/src/fuzzer.rs |  3 +--
 libafl_qemu/src/modules/edges/mod.rs                  | 11 ++++++++++-
 3 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/fuzzers/binary_only/fuzzbench_fork_qemu/Makefile.toml b/fuzzers/binary_only/fuzzbench_fork_qemu/Makefile.toml
index 7636140bca..3dc2494912 100644
--- a/fuzzers/binary_only/fuzzbench_fork_qemu/Makefile.toml
+++ b/fuzzers/binary_only/fuzzbench_fork_qemu/Makefile.toml
@@ -90,7 +90,7 @@ windows_alias = "unsupported"
 script_runner = "@shell"
 script = '''
 timeout 15s ${TARGET_DIR}/${PROFILE_DIR}/fuzzbench_fork_qemu ${PROJECT_DIR}/harness -- --libafl-in ${PROJECT_DIR}/../../inprocess/libfuzzer_libpng/corpus --libafl-out ${PROJECT_DIR}/out ${PROJECT_DIR}/harness | tee fuzz_stdout.log
-if grep -qa "objectives: 1" fuzz_stdout.log; then
+if grep -qa "corpus: 5" fuzz_stdout.log; then
     echo "Fuzzer is working"
 else
     echo "Fuzzer does not generate any testcases or any crashes"
diff --git a/fuzzers/binary_only/fuzzbench_fork_qemu/src/fuzzer.rs b/fuzzers/binary_only/fuzzbench_fork_qemu/src/fuzzer.rs
index 3f367dfcab..cd82d72b0d 100644
--- a/fuzzers/binary_only/fuzzbench_fork_qemu/src/fuzzer.rs
+++ b/fuzzers/binary_only/fuzzbench_fork_qemu/src/fuzzer.rs
@@ -56,7 +56,7 @@ use libafl_qemu::{
     Emulator, GuestReg, MmapPerms, QemuExitError, QemuExitReason, QemuForkExecutor,
     QemuShutdownCause, Regs,
 };
-use libafl_targets::{EDGES_MAP_DEFAULT_SIZE, EDGES_MAP_PTR};
+use libafl_targets::EDGES_MAP_DEFAULT_SIZE;
 #[cfg(unix)]
 use nix::unistd::dup;
 
@@ -155,7 +155,6 @@ fn fuzz(
 
     let mut edges_shmem = shmem_provider.new_shmem(EDGES_MAP_DEFAULT_SIZE).unwrap();
     let edges = edges_shmem.as_slice_mut();
-    unsafe { EDGES_MAP_PTR = edges.as_mut_ptr() };
 
     // Create an observation channel using the coverage map
     let mut edges_observer = unsafe {
diff --git a/libafl_qemu/src/modules/edges/mod.rs b/libafl_qemu/src/modules/edges/mod.rs
index 462c06adf5..baa8441c7c 100644
--- a/libafl_qemu/src/modules/edges/mod.rs
+++ b/libafl_qemu/src/modules/edges/mod.rs
@@ -194,11 +194,20 @@ impl<AF, PF, V, const IS_INITIALIZED: bool, const IS_CONST_MAP: bool, const MAP_
     #[must_use]
     pub fn const_map_observer<O, const NEW_MAP_SIZE: usize>(
         self,
-        _const_map_observer: &mut O,
+        map_observer: &mut O,
     ) -> EdgeCoverageModuleBuilder<AF, PF, V, true, true, NEW_MAP_SIZE>
     where
         O: ConstLenMapObserver<NEW_MAP_SIZE>,
     {
+        let map_ptr = map_observer.map_slice_mut().as_mut_ptr() as *mut u8;
+
+        unsafe {
+            LIBAFL_QEMU_EDGES_MAP_PTR = map_ptr;
+            // LIBAFL_QEMU_EDGES_MAP_SIZE_PTR = size_ptr; do i need this ?
+            LIBAFL_QEMU_EDGES_MAP_ALLOCATED_SIZE = NEW_MAP_SIZE;
+            LIBAFL_QEMU_EDGES_MAP_MASK_MAX = NEW_MAP_SIZE - 1;
+        }
+
         EdgeCoverageModuleBuilder::<AF, PF, V, true, true, NEW_MAP_SIZE>::new(
             self.variant,
             self.address_filter,