update helper scripts

* fixing?

* more

* delete macos build_and_run fuzzers as its runtime exceeds 360minutes and can't fix it

.github/workflows/build_and_test.yml

@@ -2,10 +2,10 @@ name: build and test
 
 on:
   push:
-    branches: [ main ]
+    branches: [ main, 'pr/**' ]
   pull_request:
     branches: [ main ]
-
+  workflow_dispatch:
 env:
   CARGO_TERM_COLOR: always
 
@@ -16,6 +16,9 @@ jobs:
           os: [ubuntu-latest, windows-latest, macOS-latest]
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Install mimetype
+        if: runner.os == 'Linux'
+        run: sudo apt-get install libfile-mimeinfo-perl
       - uses: actions-rs/toolchain@v1
         with:
           profile: minimal
@@ -31,9 +34,6 @@ jobs:
           crate: mdbook-linkcheck
       - uses: actions/checkout@v3
       - uses: Swatinem/rust-cache@v2
-      - name: Install mimetype
-        if: runner.os == 'Linux'
-        run: sudo apt-get install libfile-mimeinfo-perl
       - name: Check for binary blobs
         if: runner.os == 'Linux'
         run: ./scripts/check_for_blobs.sh
@@ -49,6 +49,8 @@ jobs:
         run: cargo test
       - name: Test libafl no_std
         run: cd libafl && cargo test --no-default-features
+      - name: Test libafl_bolts no_std no_alloc
+        run: cd libafl_bolts && cargo test --no-default-features
       - name: Test libafl_targets no_std
         run: cd libafl_targets && cargo test --no-default-features
      
@@ -61,18 +63,18 @@ jobs:
       with:
         profile: minimal
         toolchain: stable
-    - name: set mold linker as default linker
-      uses: rui314/setup-mold@v1
+    - name: Remove existing clang and LLVM
+      run: sudo apt purge llvm* clang*
     - name: Install and cache deps
       uses: awalsh128/cache-apt-pkgs-action@v1.1.0
       with:
-        packages: llvm llvm-dev clang ninja-build clang-format-13 shellcheck libgtk-3-dev gcc-arm-linux-gnueabi g++-arm-linux-gnueabi libslirp-dev
+        packages: llvm-15 llvm-15-dev clang-15 ninja-build clang-format-13 shellcheck libgtk-3-dev gcc-arm-linux-gnueabi g++-arm-linux-gnueabi libslirp-dev libz3-dev
     - name: get clang version
-      run: command -v llvm-config && clang -v
-    - name: Install cargo-hack
-      run: curl -LsSf https://github.com/taiki-e/cargo-hack/releases/latest/download/cargo-hack-x86_64-unknown-linux-gnu.tar.gz | tar xzf - -C ~/.cargo/bin
+      run: command -v llvm-config-15 && clang-15 -v
     - name: Add nightly rustfmt and clippy
-      run: rustup toolchain install nightly --component rustfmt --component clippy --allow-downgrade
+      run: rustup toolchain install nightly --component rustfmt --component clippy --component miri --allow-downgrade
+    - name: Install ucd-generate
+      run: cargo install -f ucd-generate
     - uses: actions/checkout@v3
     - uses: Swatinem/rust-cache@v2
 
@@ -82,6 +84,8 @@ jobs:
       run: cargo check --features=sancov_pcguard_edges
     - name: Format
       run: cargo fmt -- --check
+    - name: Cleanup
+      run: cargo clean
     - name: Run clang-format style check for C/C++ programs.
       run: clang-format-13 -n -Werror --style=file $(find . -type f \( -name '*.cpp' -o -iname '*.hpp' -o -name '*.cc' -o -name '*.cxx' -o -name '*.cc' -o -name '*.h' \) | grep -v '/target/' | grep -v 'libpng-1\.6\.37' | grep -v 'stb_image\.h' | grep -v 'dlmalloc\.c' | grep -v 'QEMU-Nyx')
     - name: run shellcheck
@@ -91,23 +95,64 @@ jobs:
       
     # ---- doc check ----
     - name: Build Docs
-      run: cargo doc
+      run: RUSTFLAGS="--cfg docsrs" cargo +nightly doc --all-features
     - name: Test Docs
-      run: cargo +nightly test --doc --all-features
-
-    # ---- build and feature check ----
+      run: RUSTFLAGS="--cfg docsrs" cargo +nightly test --doc --all-features
+    # ---- build normal and examples ----
     - name: Run a normal build
       run: cargo build --verbose
+    - name: Build examples
+      run: cargo build --examples --verbose
+    
+    # --- miri undefined behavior test --
+    - name: Run miri tests
+      run: RUST_BACKTRACE=1 MIRIFLAGS="-Zmiri-disable-isolation" cargo +nightly miri test
+
+    # Clean up files to save up disk space
+    - name: Cleanup
+      run: cargo clean
+      
+    # --- test embedding the libafl_libfuzzer_runtime library
+    # Fix me plz
+    # - name: Test Build libafl_libfuzzer with embed
+    #  run: cargo +nightly test --features=embed-runtime --manifest-path libafl_libfuzzer/Cargo.toml
+
+  ubuntu-check:
+    runs-on: ubuntu-22.04
+    steps:
+    - name: Remove Dotnet & Haskell
+      run: rm -rf /usr/share/dotnet && rm -rf /opt/ghc
+    - uses: actions-rs/toolchain@v1
+      with:
+        profile: minimal
+        toolchain: stable
+        components: llvm-tools
+    - name: Remove existing clang and LLVM
+      run: sudo apt purge llvm* clang*
+    - name: Install and cache deps
+      uses: awalsh128/cache-apt-pkgs-action@v1.1.0
+      with:
+        packages: llvm-15 llvm-15-dev clang-15 ninja-build clang-format-13 shellcheck libgtk-3-dev gcc-arm-linux-gnueabi g++-arm-linux-gnueabi libslirp-dev libz3-dev
+    - name: get clang version
+      run: command -v llvm-config-15 && clang-15 -v
+    - name: Install cargo-hack
+      run: curl -LsSf https://github.com/taiki-e/cargo-hack/releases/latest/download/cargo-hack-x86_64-unknown-linux-gnu.tar.gz | tar xzf - -C ~/.cargo/bin
+    - name: Install ucd-generate
+      run: cargo install -f ucd-generate
+    - name: Add nightly
+      run: rustup toolchain install nightly --allow-downgrade
+    - uses: actions/checkout@v3
+    - uses: Swatinem/rust-cache@v2
+
+    # ---- build and feature check ----
     # cargo-hack's --feature-powerset would be nice here but libafl has a too many knobs
     - name: Check each feature
       # Skipping `python` as it has to be built with the `maturin` tool
       # `agpl`, `nautilus` require nightly
       # `sancov_pcguard_edges` is tested seperately
-      run: cargo hack check --each-feature --clean-per-run --exclude-features=prelude,agpl,nautilus,python,sancov_pcguard_edges,arm,aarch64,i386,be,systemmode --no-dev-deps
+      run: LLVM_CONFIG=llvm-config-15 cargo hack check --workspace --each-feature --clean-per-run --exclude-features=prelude,agpl,nautilus,python,sancov_pcguard_edges,arm,aarch64,i386,be,systemmode,whole_archive --no-dev-deps --exclude libafl_libfuzzer
     - name: Check nightly features
       run: cargo +nightly check --features=agpl && cargo +nightly check --features=nautilus
-    - name: Build examples
-      run: cargo build --examples --verbose
 
   ubuntu-concolic:
     runs-on: ubuntu-latest
@@ -130,45 +175,63 @@ jobs:
       with:
         profile: minimal
         toolchain: stable
-    - name: set mold linker as default linker
-      uses: rui314/setup-mold@v1
+    - name: Remove existing clang and LLVM
+      run: sudo apt purge llvm* clang*
     - name: Install deps
-      run: sudo apt-get install -y llvm llvm-dev clang ninja-build python3-dev python3-pip python3-venv
+      run: sudo apt-get install -y llvm-15 llvm-15-dev clang-15 ninja-build python3-dev python3-pip python3-venv libz3-dev
     - name: Install maturin
       run: python3 -m pip install maturin
     - uses: actions/checkout@v3
     - uses: Swatinem/rust-cache@v2
     - name: Run a maturin build
-      run: cd ./bindings/pylibafl && maturin build
+      run: export LLVM_CONFIG=llvm-config-15 && cd ./bindings/pylibafl && python3 -m venv .env && . .env/bin/activate && pip install --upgrade --force-reinstall . && ./test.sh
+    - name: Run python test
+      run: . ./bindings/pylibafl/.env/bin/activate && cd ./fuzzers/baby_fuzzer && python3 baby_fuzzer.py 2>&1 | grep "Bye"
 
   fuzzers:
     strategy:
       matrix:
-          os: [ubuntu-latest, macos-latest]
+          os: [ubuntu-latest]
     runs-on: ${{ matrix.os }}
     steps:
     - uses: actions-rs/toolchain@v1
       with:
         profile: minimal
         toolchain: stable
-    - name: set mold linker as default linker
-      if: runner.os == 'Linux' # mold only support linux until now
-      uses: rui314/setup-mold@v1
+    - name: Free Disk Space (Ubuntu)
+      uses: jlumbroso/free-disk-space@main
+      with:
+        # this might remove tools that are actually needed,
+        # if set to "true" but frees about 6 GB
+        tool-cache: false
+        
+        # all of these default to true, but feel free to set to
+        # "false" if necessary for your workflow
+        android: true
+        dotnet: true
+        haskell: true
+        large-packages: false
+        docker-images: true
+        swap-storage: true
     - name: Add nightly rustfmt and clippy
       run: rustup toolchain install nightly --component rustfmt --component clippy --allow-downgrade
     - name: Add no_std toolchain
       run: rustup toolchain install nightly-x86_64-unknown-linux-gnu ; rustup component add rust-src --toolchain nightly-x86_64-unknown-linux-gnu
-    - name: Install python
-      if: runner.os == 'macOS'
-      run: brew install --force-bottle --overwrite python@3.11
+    - name: Add wasm target
+      run: rustup target add wasm32-unknown-unknown
+    - name: Install ucd-generate
+      run: cargo install -f ucd-generate
+    - name: Remove obsolete llvm (Linux)
+      run: sudo apt purge llvm* clang*
     - uses: lyricwulf/abc@v1
-      with: 
-        # todo: remove afl++-clang when nyx support samcov_pcguard
-        linux: llvm llvm-dev clang nasm ninja-build gcc-arm-linux-gnueabi g++-arm-linux-gnueabi libgtk-3-dev afl++-clang pax-utils
-        # update bash for macos to support `declare -A` command`
-        macos: llvm libpng nasm coreutils z3 bash
+      with:  
+        linux: llvm-15 llvm-15-dev clang-15 nasm ninja-build gcc-arm-linux-gnueabi g++-arm-linux-gnueabi gcc-aarch64-linux-gnu g++-aarch64-linux-gnu gcc-mipsel-linux-gnu g++-mipsel-linux-gnu gcc-powerpc-linux-gnu g++-powerpc-linux-gnu libc6-dev-i386-cross libc6-dev libc6-dev-i386 lib32gcc-11-dev lib32stdc++-11-dev libgtk-3-dev pax-utils libz3-dev
+    - name: Set clang version
+      run: sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-15 100
+    - name: Set clang++ version
+      run: sudo update-alternatives --install /usr/bin/clang++ clang++ /usr/bin/clang++-15 100
     - name: pip install
-      run: python3 -m pip install msgpack jinja2
+      run: python3 -m pip install msgpack jinja2 find_libpython
     # Note that nproc needs to have coreutils installed on macOS, so the order of CI commands matters.
     - name: enable mult-thread for `make`
       run: export MAKEFLAGS="-j$(expr $(nproc) \+ 1)"
@@ -176,16 +239,105 @@ jobs:
       uses: baptiste0928/cargo-install@v1.3.0
       with:
         crate: cargo-make
+    - name: install wasm-pack
+      uses: baptiste0928/cargo-install@v1.3.0
+      with:
+        crate: wasm-pack
+    - name: install chrome
+      uses: browser-actions/setup-chrome@v1
+      with:
+        chrome-version: stable
     - uses: actions/checkout@v3
       with:
         submodules: true # recursively checkout submodules
+        fetch-depth: 0 # to diff with origin/main
     - uses: Swatinem/rust-cache@v2
+    - name: Symlink Headers
+      if: runner.os == 'Linux'
+      # We can't install gcc-multilib which would usually do this for us due to collisions with other packages
+      run: sudo ln -s /usr/include/asm-generic /usr/include/asm
     - name: Build and run example fuzzers (Linux)
       if: runner.os == 'Linux'
-      run: ./scripts/test_all_fuzzers.sh
-    - name: Build and run example fuzzers (macOS)
-      if: runner.os == 'macOS' # use bash v4
-      run: /usr/local/bin/bash ./scripts/test_all_fuzzers.sh
+      run: RUN_ON_CI=1 LLVM_CONFIG=llvm-config-15 ./scripts/test_all_fuzzers.sh
+
+  qemu_fuzzers:
+    strategy:
+      matrix:
+          os: [ubuntu-latest]
+    runs-on: ${{ matrix.os }}
+    steps:
+    - uses: actions-rs/toolchain@v1
+      with:
+        profile: minimal
+        toolchain: stable
+    - name: Free Disk Space (Ubuntu)
+      if: runner.os == 'Linux'
+      uses: jlumbroso/free-disk-space@main
+      with:
+        # this might remove tools that are actually needed,
+        # if set to "true" but frees about 6 GB
+        tool-cache: false
+        
+        # all of these default to true, but feel free to set to
+        # "false" if necessary for your workflow
+        android: true
+        dotnet: true
+        haskell: true
+        large-packages: false
+        docker-images: true
+        swap-storage: true
+    - name: Add nightly rustfmt and clippy
+      run: rustup toolchain install nightly --component rustfmt --component clippy --allow-downgrade
+    - name: Add no_std toolchain
+      run: rustup toolchain install nightly-x86_64-unknown-linux-gnu ; rustup component add rust-src --toolchain nightly-x86_64-unknown-linux-gnu
+    - name: Add wasm target
+      run: rustup target add wasm32-unknown-unknown
+    - name: Install ucd-generate
+      run: cargo install -f ucd-generate
+    - name: Remove obsolete llvm (Linux)
+      if: runner.os == 'Linux'
+      run: sudo apt purge llvm* clang*
+    - uses: lyricwulf/abc@v1
+      with:  
+        linux: llvm-15 llvm-15-dev clang-15 nasm ninja-build gcc-arm-linux-gnueabi g++-arm-linux-gnueabi gcc-aarch64-linux-gnu g++-aarch64-linux-gnu gcc-mipsel-linux-gnu g++-mipsel-linux-gnu gcc-powerpc-linux-gnu g++-powerpc-linux-gnu libc6-dev-i386-cross libc6-dev libc6-dev-i386 lib32gcc-11-dev lib32stdc++-11-dev libgtk-3-dev pax-utils libz3-dev
+        # update bash for macos to support `declare -A` command`
+        macos: llvm@15 libpng nasm coreutils z3 bash wget
+    - name: Set clang version
+      if: runner.os == 'Linux'
+      run: sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-15 100
+    - name: Set clang++ version
+      if: runner.os == 'Linux'
+      run: sudo update-alternatives --install /usr/bin/clang++ clang++ /usr/bin/clang++-15 100
+    - name: pip install
+      run: python3 -m pip install msgpack jinja2 find_libpython
+    # Note that nproc needs to have coreutils installed on macOS, so the order of CI commands matters.
+    - name: enable mult-thread for `make`
+      run: export MAKEFLAGS="-j$(expr $(nproc) \+ 1)"
+    - name: install cargo-make
+      uses: baptiste0928/cargo-install@v1.3.0
+      with:
+        crate: cargo-make
+    - name: install wasm-pack
+      uses: baptiste0928/cargo-install@v1.3.0
+      with:
+        crate: wasm-pack
+    - name: install chrome
+      uses: browser-actions/setup-chrome@v1
+      with:
+        chrome-version: stable
+    - uses: actions/checkout@v3
+      with:
+        submodules: true # recursively checkout submodules
+        fetch-depth: 0 # to diff with origin/main
+    - uses: Swatinem/rust-cache@v2
+    - name: Symlink Headers
+      if: runner.os == 'Linux'
+      # We can't install gcc-multilib which would usually do this for us due to collisions with other packages
+      run: sudo ln -s /usr/include/asm-generic /usr/include/asm
+    - name: Build and run example fuzzers (Linux)
+      if: runner.os == 'Linux'
+      run: RUN_ON_CI=1 RUN_QEMU_FUZZER=1 LLVM_CONFIG=llvm-config-15 ./scripts/test_all_fuzzers.sh
+
 
   nostd-build:
     runs-on: ubuntu-latest
@@ -208,6 +360,8 @@ jobs:
       run: cd ./libafl && cargo test --no-default-features 
     - name: libafl armv6m-none-eabi (32 bit no_std) clippy
       run: cd ./libafl && cargo clippy --target thumbv6m-none-eabi --no-default-features
+    - name: Build no_std no_alloc bolts
+      run: cd ./libafl_bolts && cargo +nightly build -Zbuild-std=core --target aarch64-unknown-none --no-default-features -v --release && cd ../
 
   build-docker:
     runs-on: ubuntu-latest
@@ -238,10 +392,16 @@ jobs:
     - name: install cargo-make
       run: cargo install --force cargo-make
     - uses: ilammy/msvc-dev-cmd@v1
+    - name: install cxx bridge
+      run: cargo install cxxbridge-cmd
+    - name: Build fuzzers/libfuzzer_stb_image 
+      run: cd fuzzers/libfuzzer_stb_image && cargo build --release
     - name: Build fuzzers/frida_libpng
       run: cd fuzzers/frida_libpng/ && cargo make test
     - name: Build fuzzers/frida_gdiplus
       run: cd fuzzers/frida_gdiplus/ && cargo make test
+    - name: Build fuzzers/tinyinst_simple
+      run: cd fuzzers/tinyinst_simple/ && cargo make test
       
   macos:
     runs-on: macOS-latest
@@ -252,8 +412,12 @@ jobs:
         toolchain: stable
     - name: Add nightly rustfmt and clippy
       run: rustup toolchain install nightly --component rustfmt --component clippy --allow-downgrade
+    - name: Install ucd-generate
+      run: cargo install -f ucd-generate
     - name: Install deps
       run: brew install z3 gtk+3
+    - name: Install cxxbridge
+      run: cargo install cxxbridge-cmd
     - uses: actions/checkout@v3
     - uses: Swatinem/rust-cache@v2
     - name: MacOS Build
@@ -274,7 +438,7 @@ jobs:
         toolchain: stable
     - uses: nttld/setup-ndk@v1
       with:
-        ndk-version: r21e
+        ndk-version: r25b
     - name: install ios
       run: rustup target add aarch64-apple-ios
     - name: install android
@@ -284,7 +448,7 @@ jobs:
     - uses: actions/checkout@v3
     - uses: Swatinem/rust-cache@v2
     - name: Build iOS
-      run: cargo build --target aarch64-apple-ios
+      run: cargo build --target aarch64-apple-ios && cd libafl_frida && cargo build --target aarch64-apple-ios && cd ..
     - name: Build Android
       run: cargo ndk -t arm64-v8a build --release 
     #run: cargo build --target aarch64-linux-android
@@ -298,28 +462,29 @@ jobs:
     #  run: C:\Rust\.cargo\bin\cargo.exe test --verbose
 
   freebsd:
-    runs-on: macos-12
+    runs-on: ubuntu-22.04
     name: Simple build in FreeBSD
     steps:
     - uses: actions/checkout@v3
     - name: Test in FreeBSD
       id: test
-      uses: vmactions/freebsd-vm@v0
+      uses: vmactions/freebsd-vm@v1
       with:
         usesh: true
         sync: rsync
         copyback: false
         mem: 2048
-        release: 13.1
+        release: 13.2
         prepare: |
-          pkg install -y curl bash sudo llvm14
+          pkg install -y curl bash sudo llvm16
           curl https://sh.rustup.rs -sSf | sh -s -- -y
 
         run: |
           freebsd-version
           . "$HOME/.cargo/env"
           rustup toolchain install nightly
-          export LLVM_CONFIG=/usr/local/bin/llvm-config14
+          cargo install -f ucd-generate
+          export LLVM_CONFIG=/usr/local/bin/llvm-config16
           pwd
           ls -lah
           echo "local/bin"

.gitignore

@@ -21,6 +21,8 @@ vendor
 *.obj
 
 .cur_input
+.cur_input_*
+cur_input
 .venv
 
 crashes
@@ -32,6 +34,8 @@ perf.data.old
 .vscode
 test.dict
 
+.idea/
+
 # Ignore all built fuzzers
 fuzzer_*
 AFLplusplus
@@ -46,6 +50,7 @@ a
 forkserver_test
 __pycache__
 *.lafl_lock
+*.metadata
 
 *atomic_file_testfile*
 **/libxml2
@@ -53,4 +58,11 @@ __pycache__
 **/libxml2-*.tar.gz
 
 libafl_nyx/QEMU-Nyx
-libafl_nyx/packer
+libafl_nyx/packer
+
+.z3-trace
+
+# No gdb history
+.gdb_history
+# No llvm IR
+*.ll

.gitmodules

@@ -1,3 +0,0 @@
-[submodule "libafl_concolic/symcc_runtime/symcc"]
-	path = libafl_concolic/symcc_runtime/symcc
-	url = https://github.com/AFLplusplus/symcc.git

Cargo.toml

@@ -1,42 +1,48 @@
 [workspace]
+resolver = "2"
 members = [
     "libafl",
-    "libafl_derive",
+    "libafl_bolts",
     "libafl_cc",
-    "libafl_targets",
-    "libafl_frida",
-    "libafl_qemu",
-    "libafl_tinyinst",
-    "libafl_sugar",
-    "libafl_nyx",
     "libafl_concolic/symcc_runtime",
     "libafl_concolic/symcc_libafl",
     "libafl_concolic/test/dump_constraints",
     "libafl_concolic/test/runtime_test",
+    "libafl_derive",
+    "libafl_frida",
+    "libafl_libfuzzer",
+    "libafl_nyx",
+    "libafl_qemu",
+    "libafl_sugar",
+    "libafl_targets",
+    "libafl_tinyinst",
+    "utils/build_and_test_fuzzers",
     "utils/deexit",
-    "utils/gramatron/construct_automata",
     "utils/libafl_benches",
+    "utils/gramatron/construct_automata",
 ]
 default-members = [
     "libafl",
-    "libafl_derive",
+    "libafl_bolts",
     "libafl_cc",
+    "libafl_derive",
     "libafl_targets",
 ]
 exclude = [
-    "fuzzers",
     "bindings",
-    "scripts",
+    "fuzzers",
     "libafl_qemu/libafl_qemu_build",
-    "libafl_qemu/libafl_qemu_sys"
+    "libafl_qemu/libafl_qemu_sys",
+    "utils/noaslr",
+    "utils/gdb_qemu",
+    "scripts",
 ]
 
 [workspace.package]
-version = "0.8.2"
+version = "0.11.2"
 
 [profile.release]
 lto = true
 codegen-units = 1
 opt-level = 3
 debug = true
-

Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:1.2
-FROM rust:bullseye AS libafl
+FROM rust:1.73.0 AS libafl
 LABEL "maintainer"="afl++ team <afl@aflplus.plus>"
 LABEL "about"="LibAFL Docker image"
 
@@ -17,9 +17,11 @@ RUN sh -c 'echo set encoding=utf-8 > /root/.vimrc' \
     echo "[build]\nrustc-wrapper = \"${RUSTC_WRAPPER}\"" >> ~/.cargo/config
 
 RUN rustup component add rustfmt clippy
+RUN rustup default nightly
 
 # Install clang 11, common build tools
-RUN apt update && apt install -y build-essential gdb git wget clang clang-tools libc++-11-dev libc++abi-11-dev llvm
+RUN apt update && apt install -y build-essential gdb git wget python3-venv ninja-build lsb-release software-properties-common gnupg
+RUN wget https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && ./llvm.sh 15
 
 # Copy a dummy.rs and Cargo.toml first, so that dependencies are cached
 WORKDIR /libafl
@@ -28,10 +30,13 @@ COPY Cargo.toml README.md ./
 COPY libafl_derive/Cargo.toml libafl_derive/Cargo.toml
 COPY scripts/dummy.rs libafl_derive/src/lib.rs
 
-COPY libafl/Cargo.toml libafl/build.rs libafl/
-COPY libafl/examples libafl/examples
+COPY libafl/Cargo.toml libafl/build.rs libafl/README.md libafl/
 COPY scripts/dummy.rs libafl/src/lib.rs
 
+COPY libafl_bolts/Cargo.toml libafl_bolts/build.rs libafl_bolts/README.md libafl_bolts/
+COPY libafl_bolts/examples libafl_bolts/examples
+COPY scripts/dummy.rs libafl_bolts/src/lib.rs
+
 COPY libafl_frida/Cargo.toml libafl_frida/build.rs libafl_frida/
 COPY scripts/dummy.rs libafl_frida/src/lib.rs
 COPY libafl_frida/src/gettls.c libafl_frida/src/gettls.c
@@ -75,6 +80,10 @@ COPY scripts/dummy.rs libafl_nyx/src/lib.rs
 COPY libafl_tinyinst/Cargo.toml libafl_tinyinst/
 COPY scripts/dummy.rs libafl_tinyinst/src/lib.rs
 
+# avoid pulling in the runtime, as this is quite an expensive build, until later
+COPY libafl_libfuzzer/Cargo.toml libafl_libfuzzer/
+COPY scripts/dummy.rs libafl_libfuzzer/src/lib.rs
+
 COPY utils utils
 
 RUN cargo build && cargo build --release
@@ -95,6 +104,8 @@ COPY libafl_cc/src libafl_cc/src
 RUN touch libafl_cc/src/lib.rs
 COPY libafl_derive/src libafl_derive/src
 RUN touch libafl_derive/src/lib.rs
+COPY libafl_bolts/src libafl_bolts/src
+RUN touch libafl_bolts/src/lib.rs
 COPY libafl/src libafl/src
 RUN touch libafl/src/lib.rs
 COPY libafl_targets/src libafl_targets/src
@@ -112,6 +123,10 @@ COPY libafl_concolic/symcc_runtime libafl_concolic/symcc_runtime
 COPY libafl_concolic/test libafl_concolic/test
 COPY libafl_nyx/src libafl_nyx/src
 RUN touch libafl_nyx/src/lib.rs
+COPY libafl_libfuzzer/src libafl_libfuzzer/src
+COPY libafl_libfuzzer/libafl_libfuzzer_runtime libafl_libfuzzer/libafl_libfuzzer_runtime
+COPY libafl_libfuzzer/build.rs libafl_libfuzzer/build.rs
+RUN touch libafl_libfuzzer/src/lib.rs
 RUN cargo build && cargo build --release
 
 # Copy fuzzers over

README.md

@@ -1,6 +1,6 @@
 # LibAFL, the fuzzer library.
 
- <img align="right" src="https://github.com/AFLplusplus/Website/raw/master/static/logo_256x256.png" alt="AFL++ Logo">
+ <img align="right" src="https://raw.githubusercontent.com/AFLplusplus/Website/main/static/libafl_logo.svg" alt="LibAFL logo" width="250" heigh="250">
 
 Advanced Fuzzing Library - Slot your own fuzzers together and extend their features using Rust.
 
@@ -10,6 +10,7 @@ LibAFL is written and maintained by
  * [Dominik Maier](https://twitter.com/domenuk) <dominik@aflplus.plus>
  * [s1341](https://twitter.com/srubenst1341) <github@shmarya.net>
  * [Dongjia Zhang](https://github.com/tokatoka) <toka@aflplus.plus>
+ * [Addison Crump](https://github.com/addisoncrump) <me@addisoncrump.info>
 
 ## Why LibAFL?
 
@@ -33,7 +34,7 @@ LibAFL offers integrations with popular instrumentation frameworks. At the momen
 
 + SanitizerCoverage, in [libafl_targets](./libafl_targets)
 + Frida, in [libafl_frida](./libafl_frida)
-+ QEMU user-mode, in [libafl_qemu](./libafl_qemu)
++ QEMU user-mode and system mode, including hooks for emulation, in [libafl_qemu](./libafl_qemu)
 + TinyInst, in [libafl_tinyinst](./libafl_tinyinst) by [elbiazo](https://github.com/elbiazo)
 
 ## Getting started
@@ -44,36 +45,36 @@ We highly recommend *not* to use e.g. your Linux distribition package as this is
 Rust directly, instructions can be found [here](https://www.rust-lang.org/tools/install).
 
 - LLVM tools  
-The LLVM tools are needed (newer than LLVM 11.0.0 but older than LLVM 15.0.0)
+The LLVM tools (including clang, clang++) are needed (newer than LLVM 11.0.0 up to LLVM 17.0.0)
 
 - Cargo-make  
 We use cargo-make to build the fuzzers in `fuzzers/` directory. You can install it with
 
-```
+```sh
 cargo install cargo-make
 ```
 
 2. Clone the LibAFL repository with
 
-```
+```sh
 git clone https://github.com/AFLplusplus/LibAFL
 ```
 
 3. Build the library using
 
-```
+```sh
 cargo build --release
 ```
 
 4. Build the API documentation with
 
-```
+```sh
 cargo doc
 ```
 
-5. Browse the LibAFL book (WIP!) with (requires [mdbook](https://github.com/rust-lang/mdBook))
+5. Browse the LibAFL book (WIP!) with (requires [mdbook](https://rust-lang.github.io/mdBook/index.html))
 
-```
+```sh
 cd docs && mdbook serve
 ```
 
@@ -81,9 +82,11 @@ We collect all example fuzzers in [`./fuzzers`](./fuzzers/).
 Be sure to read their documentation (and source), this is *the natural way to get started!*
 
 You can run each example fuzzer with
-```
+
+```sh
 cargo make run
 ```
+
 as long as the fuzzer directory has `Makefile.toml` file.
 
 The best-tested fuzzer is [`./fuzzers/libfuzzer_libpng`](./fuzzers/libfuzzer_libpng), a multicore libfuzzer-like fuzzer using LibAFL for a libpng harness.
@@ -106,6 +109,8 @@ The best-tested fuzzer is [`./fuzzers/libfuzzer_libpng`](./fuzzers/libfuzzer_lib
 
 + Blogpost on binary-only fuzzing lib libaf_qemu, [Hacking TMNF - Fuzzing the game server](https://blog.bricked.tech/posts/tmnf/part1/), by [RickdeJager](https://github.com/RickdeJager).
 
++ [A LibAFL Introductory Workshop](https://www.atredis.com/blog/2023/12/4/a-libafl-introductory-workshop), by [Jordan Whitehead](https://github.com/jordan9001)
+
 ## Contributing
 
 For bugs, feel free to open issues or contact us directly. Thank you for your support. <3

TROPHIES.md

@@ -0,0 +1,17 @@
+# Bugs found by `libafl` and `libafl_libfuzzer`
+
+* pdf-rs
+    * <https://github.com/pdf-rs/pdf/issues/183>
+    * <https://github.com/pdf-rs/pdf/issues/184>
+    * <https://github.com/pdf-rs/pdf/issues/185>
+    * <https://github.com/pdf-rs/pdf/issues/186>
+    * <https://github.com/pdf-rs/pdf/issues/187>
+    * <https://github.com/pdf-rs/pdf/issues/189>
+* nu-shell
+    * https://github.com/nushell/nushell/issues/10365
+    * https://github.com/nushell/nushell/issues/9417
+* exrs
+    * https://github.com/johannesvollmer/exrs/pull/221
+* pcre2
+    * https://github.com/PCRE2Project/pcre2/issues/275
+

bindings/pylibafl/.gitignore

@@ -0,0 +1 @@
+dist/

bindings/pylibafl/Cargo.toml

@@ -1,13 +1,15 @@
 [package]
 name = "pylibafl"
-version = "0.8.2"
+version = "0.11.2"
 edition = "2021"
 
 [dependencies]
-pyo3 = { version = "0.17", features = ["extension-module"] }
-libafl_qemu = { path = "../../libafl_qemu", version = "0.8.2", features = ["python"] }
-libafl_sugar = { path = "../../libafl_sugar", version = "0.8.2", features = ["python"] }
-libafl = { path = "../../libafl", version = "0.8.2", features = ["python"] }
+pyo3 = { version = "0.18.3", features = ["extension-module"] }
+pyo3-log = "0.8.1"
+libafl_qemu = { path = "../../libafl_qemu", version = "0.11.2", features = ["python"] }
+libafl_sugar = { path = "../../libafl_sugar", version = "0.11.2", features = ["python"] }
+libafl = { path = "../../libafl", version = "0.11.2", features = ["python"] }
+libafl_bolts = { path = "../../libafl_bolts", version = "0.11.2", features = ["python"] }
 
 [build-dependencies]
 pyo3-build-config = { version = "0.17" }

bindings/pylibafl/pyproject.toml

@@ -0,0 +1,26 @@
+[build-system]
+requires = ["maturin[patchelf]>=0.14.10,<0.15"]
+build-backend = "maturin"
+
+[project]
+name = "PyLibAFL"
+version = "0.10.1"
+description = "Advanced Fuzzing Library for Python"
+readme = "README.md"
+requires-python = ">=3.8"
+license = {text = "Apache-2.0"}
+classifiers = [
+    "License :: OSI Approved :: Apache Software License",
+    "License :: OSI Approved :: MIT License",
+    "Programming Language :: Rust",
+    "Topic :: Security",
+]
+
+[project.urls]
+repository = "https://github.com/AFLplusplus/LibAFL.git"
+
+[tool.maturin]
+bindings = "pylibafl"
+manifest-path = "Cargo.toml"
+python-source = "python"
+all-features = true

bindings/pylibafl/src/lib.rs

@@ -1,4 +1,5 @@
 use libafl;
+use libafl_bolts;
 #[cfg(target_os = "linux")]
 use libafl_qemu;
 use libafl_sugar;
@@ -26,7 +27,7 @@ class BaseFeedback:
         pass
     def is_interesting(self, state, mgr, input, observers, exit_kind) -> bool:
         return False
-    def append_metadata(self, state, testcase):
+    def append_metadata(self, state, observers, testcase):
         pass
     def discard_metadata(self, state, input):
         pass
@@ -84,23 +85,27 @@ def feedback_or_fast(a, b):
 #[pymodule]
 #[pyo3(name = "pylibafl")]
 pub fn python_module(py: Python, m: &PyModule) -> PyResult<()> {
+    pyo3_log::init();
+
     let modules = py.import("sys")?.getattr("modules")?;
 
     let sugar_module = PyModule::new(py, "sugar")?;
     libafl_sugar::python_module(py, sugar_module)?;
     m.add_submodule(sugar_module)?;
-
     modules.set_item("pylibafl.sugar", sugar_module)?;
 
     #[cfg(target_os = "linux")]
-    let qemu_module = PyModule::new(py, "qemu")?;
-    #[cfg(target_os = "linux")]
-    libafl_qemu::python_module(py, qemu_module)?;
-    #[cfg(target_os = "linux")]
-    m.add_submodule(qemu_module)?;
+    {
+        let qemu_module = PyModule::new(py, "qemu")?;
+        libafl_qemu::python_module(py, qemu_module)?;
+        m.add_submodule(qemu_module)?;
+        modules.set_item("pylibafl.qemu", qemu_module)?;
+    }
 
-    #[cfg(target_os = "linux")]
-    modules.set_item("pylibafl.qemu", qemu_module)?;
+    let bolts_module = PyModule::new(py, "libafl_bolts")?;
+    libafl_bolts::pybind::python_module(py, bolts_module)?;
+    m.add_submodule(bolts_module)?;
+    modules.set_item("pylibafl.libafl_bolts", bolts_module)?;
 
     let libafl_module = PyModule::new(py, "libafl")?;
     libafl::pybind::python_module(py, libafl_module)?;
@@ -114,7 +119,6 @@ pub fn python_module(py: Python, m: &PyModule) -> PyResult<()> {
     }
 
     m.add_submodule(libafl_module)?;
-
     modules.set_item("pylibafl.libafl", libafl_module)?;
 
     Ok(())

bindings/pylibafl/test.py

@@ -1,5 +1,8 @@
 from pylibafl.libafl import *
 import ctypes
+import platform
+
+MAP_SIZE = 4096
 
 
 class FooObserver(BaseObserver):
@@ -33,11 +36,16 @@ class FooExecutor(BaseExecutor):
         return (self.h)(input)
 
 
-libc = ctypes.cdll.LoadLibrary("libc.so.6")
+if platform.system() == "Darwin":
+    libc = ctypes.cdll.LoadLibrary("libc.dylib")
+else:
+    libc = ctypes.cdll.LoadLibrary("libc.so.6")
 
-area_ptr = libc.calloc(1, 4096)
+# Get a buffer to use for our map observer
+libc.calloc.restype = ctypes.c_void_p
+area_ptr = libc.calloc(1, MAP_SIZE)
 
-observer = StdMapObserverI8("mymap", area_ptr, 4096)
+observer = StdMapObserverI8("mymap", area_ptr, MAP_SIZE)
 
 m = observer.as_map_observer()
 
@@ -69,7 +77,12 @@ mgr = SimpleEventManager(monitor.as_monitor())
 
 
 def harness(buf) -> ExitKind:
+    """
+    The harness fn that the fuzzer will execute in a loop
+    """
     # print(buf)
+
+    # set the observer map byte from python
     m[0] = 1
     if len(buf) > 0 and buf[0] == ord("a"):
         m[1] = 1
@@ -91,4 +104,6 @@ stage_tuple_list = StagesTuple([stage.as_stage()])
 
 fuzzer.add_input(state, executor.as_executor(), mgr.as_manager(), b"\0\0")
 
+print("Starting to fuzz from python!")
+
 fuzzer.fuzz_loop(executor.as_executor(), state, mgr.as_manager(), stage_tuple_list)

bindings/pylibafl/test.sh

@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+timeout 10 python3 ./test.py
+export exit_code=$?
+if [ $exit_code -eq 124 ]; then
+  # 124 = timeout happened. All good.
+  exit 0
+else
+  exit $exit_code
+fi
+

docs/.gitignore

@@ -1 +1,2 @@
 book
+!listings/**/*

docs/listings/baby_fuzzer/listing-01/Cargo.toml

@@ -0,0 +1,9 @@
+[package]
+name = "baby_fuzzer_listing_01"
+version = "0.1.0"
+authors = ["Your Name <you@example.com>"]
+edition = "2018"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]

docs/listings/baby_fuzzer/listing-01/src/main.rs

@@ -0,0 +1,3 @@
+fn main() {
+    println!("Hello, world!");
+}

docs/listings/baby_fuzzer/listing-02/Cargo.toml

@@ -0,0 +1,21 @@
+[package]
+name = "baby_fuzzer_listing_02"
+version = "0.1.0"
+authors = ["Your Name <you@example.com>"]
+edition = "2018"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+libafl = { path = "path/to/libafl/" }
+libafl_bolts = { path = "path/to/libafl_bolts/" }
+
+[profile.dev]
+panic = "abort"
+
+[profile.release]
+panic = "abort"
+lto = true
+codegen-units = 1
+opt-level = 3
+debug = true

docs/listings/baby_fuzzer/listing-02/src/main.rs

@@ -0,0 +1,3 @@
+fn main() {
+    println!("Hello, world!");
+}

docs/listings/baby_fuzzer/listing-03/Cargo.toml

@@ -0,0 +1,24 @@
+[package]
+name = "baby_fuzzer_listing_03"
+version = "0.1.0"
+authors = ["Your Name <you@example.com>"]
+edition = "2018"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+libafl = { path = "path/to/libafl/" }
+libafl_bolts = { path = "path/to/libafl_bolts/" }
+
+[profile.dev]
+panic = "abort"
+
+[profile.release]
+panic = "abort"
+lto = true
+codegen-units = 1
+opt-level = 3
+debug = true
+
+[features]
+panic = []

docs/listings/baby_fuzzer/listing-03/src/main.rs

@@ -0,0 +1,26 @@
+extern crate libafl;
+extern crate libafl_bolts;
+use libafl::{
+    executors::ExitKind,
+    inputs::{BytesInput, HasTargetBytes},
+};
+use libafl_bolts::AsSlice;
+
+fn main() {
+    let mut harness = |input: &BytesInput| {
+        let target = input.target_bytes();
+        let buf = target.as_slice();
+        if buf.len() > 0 && buf[0] == 'a' as u8 {
+            if buf.len() > 1 && buf[1] == 'b' as u8 {
+                if buf.len() > 2 && buf[2] == 'c' as u8 {
+                    panic!("=)");
+                }
+            }
+        }
+        ExitKind::Ok
+    };
+    // To test the panic:
+    let input = BytesInput::new(Vec::from("abc"));
+    #[cfg(feature = "panic")]
+    harness(&input);
+}

docs/listings/baby_fuzzer/listing-04/Cargo.toml

@@ -0,0 +1,24 @@
+[package]
+name = "baby_fuzzer_listing_04"
+version = "0.1.0"
+authors = ["Your Name <you@example.com>"]
+edition = "2018"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+libafl = { path = "path/to/libafl/" }
+libafl_bolts = { path = "path/to/libafl_bolts/" }
+
+[profile.dev]
+panic = "abort"
+
+[profile.release]
+panic = "abort"
+lto = true
+codegen-units = 1
+opt-level = 3
+debug = true
+
+[features]
+panic = []

docs/listings/baby_fuzzer/listing-04/src/main.rs

@@ -0,0 +1,86 @@
+/* ANCHOR: use */
+extern crate libafl;
+extern crate libafl_bolts;
+
+use libafl::{
+    corpus::{InMemoryCorpus, OnDiskCorpus},
+    events::SimpleEventManager,
+    executors::{inprocess::InProcessExecutor, ExitKind},
+    fuzzer::StdFuzzer,
+    generators::RandPrintablesGenerator,
+    inputs::{BytesInput, HasTargetBytes},
+    monitors::SimpleMonitor,
+    schedulers::QueueScheduler,
+    state::StdState,
+};
+use libafl_bolts::{current_nanos, rands::StdRand, AsSlice};
+use std::path::PathBuf;
+/* ANCHOR_END: use */
+
+fn main() {
+    let mut harness = |input: &BytesInput| {
+        let target = input.target_bytes();
+        let buf = target.as_slice();
+        if buf.len() > 0 && buf[0] == 'a' as u8 {
+            if buf.len() > 1 && buf[1] == 'b' as u8 {
+                if buf.len() > 2 && buf[2] == 'c' as u8 {
+                    panic!("=)");
+                }
+            }
+        }
+        ExitKind::Ok
+    };
+    // To test the panic:
+    let input = BytesInput::new(Vec::from("abc"));
+    #[cfg(feature = "panic")]
+    harness(&input);
+
+    /* ANCHOR: state */
+    // create a State from scratch
+    let mut state = StdState::new(
+        // RNG
+        StdRand::with_seed(current_nanos()),
+        // Corpus that will be evolved, we keep it in memory for performance
+        InMemoryCorpus::new(),
+        // Corpus in which we store solutions (crashes in this example),
+        // on disk so the user can get them after stopping the fuzzer
+        OnDiskCorpus::new(PathBuf::from("./crashes")).unwrap(),
+        &mut (),
+        &mut (),
+    )
+    .unwrap();
+    /* ANCHOR_END: state */
+
+    /* ANCHOR: event_manager */
+    // The Monitor trait defines how the fuzzer stats are displayed to the user
+    let mon = SimpleMonitor::new(|s| println!("{s}"));
+
+    // The event manager handles the various events generated during the fuzzing loop
+    // such as the notification of the addition of a new item to the corpus
+    let mut mgr = SimpleEventManager::new(mon);
+    /* ANCHOR_END: event_manager */
+
+    /* ANCHOR: scheduler_fuzzer */
+    // A queue policy to get testcases from the corpus
+    let scheduler = QueueScheduler::new();
+
+    // A fuzzer with feedbacks and a corpus scheduler
+    let mut fuzzer = StdFuzzer::new(scheduler, (), ());
+    /* ANCHOR_END: scheduler_fuzzer */
+
+    /* ANCHOR: executor */
+    // Create the executor for an in-process function
+    let mut executor = InProcessExecutor::new(&mut harness, (), &mut fuzzer, &mut state, &mut mgr)
+        .expect("Failed to create the Executor");
+    /* ANCHOR_END: executor */
+
+    /* ANCHOR: generator */
+    // Generator of printable bytearrays of max size 32
+    let mut generator = RandPrintablesGenerator::new(32);
+
+    // Generate 8 initial inputs
+    state
+        .generate_initial_inputs(&mut fuzzer, &mut executor, &mut generator, &mut mgr, 8)
+        .expect("Failed to generate the initial corpus");
+    /* ANCHOR_END: generator */
+}

docs/listings/baby_fuzzer/listing-05/Cargo.toml

@@ -0,0 +1,23 @@
+[package]
+name = "baby_fuzzer_listing_05"
+version = "0.1.0"
+authors = ["Your Name <you@example.com>"]
+edition = "2018"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+libafl = { path = "path/to/libafl/" }
+
+[profile.dev]
+panic = "abort"
+
+[profile.release]
+panic = "abort"
+lto = true
+codegen-units = 1
+opt-level = 3
+debug = true
+
+[features]
+panic = []

docs/listings/baby_fuzzer/listing-05/src/main.rs

@@ -0,0 +1,116 @@
+/* ANCHOR: use */
+extern crate libafl;
+extern crate libafl_bolts;
+
+use libafl::{
+    corpus::{InMemoryCorpus, OnDiskCorpus},
+    events::SimpleEventManager,
+    executors::{inprocess::InProcessExecutor, ExitKind},
+    feedbacks::{CrashFeedback, MaxMapFeedback},
+    fuzzer::StdFuzzer,
+    generators::RandPrintablesGenerator,
+    inputs::{BytesInput, HasTargetBytes},
+    monitors::SimpleMonitor,
+    observers::StdMapObserver,
+    schedulers::QueueScheduler,
+    state::StdState,
+};
+use libafl_bolts::{current_nanos, rands::StdRand, tuples::tuple_list, AsSlice};
+use std::path::PathBuf;
+/* ANCHOR_END: use */
+
+/* ANCHOR: signals */
+// Coverage map with explicit assignments due to the lack of instrumentation
+static mut SIGNALS: [u8; 16] = [0; 16];
+
+fn signals_set(idx: usize) {
+    unsafe { SIGNALS[idx] = 1 };
+}
+
+fn main() {
+    // The closure that we want to fuzz
+    let mut harness = |input: &BytesInput| {
+        let target = input.target_bytes();
+        let buf = target.as_slice();
+        signals_set(0); // set SIGNALS[0]
+        if buf.len() > 0 && buf[0] == 'a' as u8 {
+            signals_set(1); // set SIGNALS[1]
+            if buf.len() > 1 && buf[1] == 'b' as u8 {
+                signals_set(2); // set SIGNALS[2]
+                if buf.len() > 2 && buf[2] == 'c' as u8 {
+                    panic!("=)");
+                }
+            }
+        }
+        ExitKind::Ok
+    };
+    /* ANCHOR_END: signals */
+    // To test the panic:
+    let input = BytesInput::new(Vec::from("abc"));
+    #[cfg(feature = "panic")]
+    harness(&input);
+
+    /* ANCHOR: observer */
+    // Create an observation channel using the signals map
+    let observer = unsafe { StdMapObserver::new("signals", &mut SIGNALS) };
+    /* ANCHOR_END: observer */
+
+    /* ANCHOR: state_with_feedback_and_objective */
+    // Feedback to rate the interestingness of an input
+    let mut feedback = MaxMapFeedback::new(&observer);
+
+    // A feedback to choose if an input is a solution or not
+    let mut objective = CrashFeedback::new();
+
+    // create a State from scratch
+    let mut state = StdState::new(
+        // RNG
+        StdRand::with_seed(current_nanos()),
+        // Corpus that will be evolved, we keep it in memory for performance
+        InMemoryCorpus::new(),
+        // Corpus in which we store solutions (crashes in this example),
+        // on disk so the user can get them after stopping the fuzzer
+        OnDiskCorpus::new(PathBuf::from("./crashes")).unwrap(),
+        &mut feedback,
+        &mut objective,
+    )
+    .unwrap();
+    /* ANCHOR_END: state_with_feedback_and_objective */
+
+    // The Monitor trait defines how the fuzzer stats are displayed to the user
+    let mon = SimpleMonitor::new(|s| println!("{s}"));
+
+    // The event manager handles the various events generated during the fuzzing loop
+    // such as the notification of the addition of a new item to the corpus
+    let mut mgr = SimpleEventManager::new(mon);
+
+    // A queue policy to get testcasess from the corpus
+    let scheduler = QueueScheduler::new();
+    /* ANCHOR: state_with_feedback_and_objective */
+
+    // A fuzzer with feedbacks and a corpus scheduler
+    let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);
+    /* ANCHOR_END: state_with_feedback_and_objective */
+
+    /* ANCHOR: executor_with_observer */
+    // Create the executor for an in-process function with just one observer
+    let mut executor = InProcessExecutor::new(
+        &mut harness,
+        tuple_list!(observer),
+        &mut fuzzer,
+        &mut state,
+        &mut mgr,
+    )
+    .expect("Failed to create the Executor");
+    /* ANCHOR_END: executor_with_observer */
+
+    // Generator of printable bytearrays of max size 32
+    let mut generator = RandPrintablesGenerator::new(32);
+
+    // Generate 8 initial inputs
+    state
+        .generate_initial_inputs(&mut fuzzer, &mut executor, &mut generator, &mut mgr, 8)
+        .expect("Failed to generate the initial corpus");
+    /* ANCHOR: signals */
+}
+/* ANCHOR_END: signals */

docs/listings/baby_fuzzer/listing-06/Cargo.toml

@@ -0,0 +1,24 @@
+[package]
+name = "baby_fuzzer_listing_06"
+version = "0.1.0"
+authors = ["Your Name <you@example.com>"]
+edition = "2018"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+libafl = { path = "path/to/libafl/" }
+libafl_bolts = { path = "path/to/libafl_bolts/" }
+
+[profile.dev]
+panic = "abort"
+
+[profile.release]
+panic = "abort"
+lto = true
+codegen-units = 1
+opt-level = 3
+debug = true
+
+[features]
+panic = []

docs/listings/baby_fuzzer/listing-06/src/main.rs

@@ -0,0 +1,116 @@
+/* ANCHOR: use */
+extern crate libafl;
+extern crate libafl_bolts;
+
+use libafl::{
+    corpus::{InMemoryCorpus, OnDiskCorpus},
+    events::SimpleEventManager,
+    executors::{inprocess::InProcessExecutor, ExitKind},
+    feedbacks::{CrashFeedback, MaxMapFeedback},
+    fuzzer::{Fuzzer, StdFuzzer},
+    generators::RandPrintablesGenerator,
+    inputs::{BytesInput, HasTargetBytes},
+    monitors::SimpleMonitor,
+    mutators::scheduled::{havoc_mutations, StdScheduledMutator},
+    observers::StdMapObserver,
+    schedulers::QueueScheduler,
+    stages::mutational::StdMutationalStage,
+    state::StdState,
+};
+use libafl_bolts::{current_nanos, rands::StdRand, tuples::tuple_list, AsSlice};
+use std::path::PathBuf;
+/* ANCHOR_END: use */
+
+// Coverage map with explicit assignments due to the lack of instrumentation
+static mut SIGNALS: [u8; 16] = [0; 16];
+
+fn signals_set(idx: usize) {
+    unsafe { SIGNALS[idx] = 1 };
+}
+
+fn main() {
+    // The closure that we want to fuzz
+    let mut harness = |input: &BytesInput| {
+        let target = input.target_bytes();
+        let buf = target.as_slice();
+        signals_set(0); // set SIGNALS[0]
+        if buf.len() > 0 && buf[0] == 'a' as u8 {
+            signals_set(1); // set SIGNALS[1]
+            if buf.len() > 1 && buf[1] == 'b' as u8 {
+                signals_set(2); // set SIGNALS[2]
+                if buf.len() > 2 && buf[2] == 'c' as u8 {
+                    panic!("=)");
+                }
+            }
+        }
+        ExitKind::Ok
+    };
+    // To test the panic:
+    let input = BytesInput::new(Vec::from("abc"));
+    #[cfg(feature = "panic")]
+    harness(&input);
+
+    // Create an observation channel using the signals map
+    let observer = unsafe { StdMapObserver::new("signals", &mut SIGNALS) };
+
+    // Feedback to rate the interestingness of an input
+    let mut feedback = MaxMapFeedback::new(&observer);
+
+    // A feedback to choose if an input is a solution or not
+    let mut objective = CrashFeedback::new();
+
+    // create a State from scratch
+    let mut state = StdState::new(
+        // RNG
+        StdRand::with_seed(current_nanos()),
+        // Corpus that will be evolved, we keep it in memory for performance
+        InMemoryCorpus::new(),
+        // Corpus in which we store solutions (crashes in this example),
+        // on disk so the user can get them after stopping the fuzzer
+        OnDiskCorpus::new(PathBuf::from("./crashes")).unwrap(),
+        &mut feedback,
+        &mut objective,
+    )
+    .unwrap();
+
+    // The Monitor trait defines how the fuzzer stats are displayed to the user
+    let mon = SimpleMonitor::new(|s| println!("{s}"));
+
+    // The event manager handles the various events generated during the fuzzing loop
+    // such as the notification of the addition of a new item to the corpus
+    let mut mgr = SimpleEventManager::new(mon);
+
+    // A queue policy to get testcasess from the corpus
+    let scheduler = QueueScheduler::new();
+
+    // A fuzzer with feedbacks and a corpus scheduler
+    let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);
+
+    // Create the executor for an in-process function with just one observer
+    let mut executor = InProcessExecutor::new(
+        &mut harness,
+        tuple_list!(observer),
+        &mut fuzzer,
+        &mut state,
+        &mut mgr,
+    )
+    .expect("Failed to create the Executor");
+
+    // Generator of printable bytearrays of max size 32
+    let mut generator = RandPrintablesGenerator::new(32);
+
+    // Generate 8 initial inputs
+    state
+        .generate_initial_inputs(&mut fuzzer, &mut executor, &mut generator, &mut mgr, 8)
+        .expect("Failed to generate the initial corpus");
+
+    /* ANCHOR: mutational_stage */
+    // Setup a mutational stage with a basic bytes mutator
+    let mutator = StdScheduledMutator::new(havoc_mutations());
+    let mut stages = tuple_list!(StdMutationalStage::new(mutator));
+
+    fuzzer
+        .fuzz_loop(&mut stages, &mut executor, &mut state, &mut mgr)
+        .expect("Error in the fuzzing loop");
+    /* ANCHOR_END: mutational_stage */
+}

docs/src/SUMMARY.md

@@ -25,6 +25,7 @@
   - [Architecture](./design/architecture.md)
   - [Metadata](./design/metadata.md)
   - [Migrating from LibAFL <0.9 to 0.9](./design/migration-0.9.md)
+  - [Migrating from LibAFL <0.11 to 0.11](./design/migration-0.11.md)
 
 - [Message Passing](./message_passing/message_passing.md)
   - [Spawning Instances](./message_passing/spawn_instances.md)

docs/src/advanced_features/concolic.md

@@ -1,7 +1,8 @@
 # Concolic Tracing and Hybrid Fuzzing
+
 LibAFL has support for concolic tracing based on the [SymCC](https://github.com/eurecom-s3/symcc) instrumenting compiler.
 
-For those uninitiated, the following attempts to describe concolic tracing from the ground up using an example.
+For those uninitiated, the following text attempts to describe concolic tracing from the ground up using an example.
 Then, we'll go through the relationship of SymCC and LibAFL concolic tracing.
 Finally, we'll walk through building a basic hybrid fuzzer using LibAFL.
 
@@ -92,18 +93,18 @@ In hybrid fuzzing, we combine this tracing + solving approach with more traditio
 The concolic tracing support in LibAFL is implemented using SymCC.
 SymCC is a compiler plugin for clang that can be used as a drop-in replacement for a normal C or C++ compiler.
 SymCC will instrument the compiled code with callbacks into a runtime that can be supplied by the user.
-These callbacks allow the runtime to construct a trace that similar to the previous example.
+These callbacks allow the runtime to construct a trace that is similar to the previous example.
 
 ### SymCC and its Runtimes
 
-SymCC ships with 2 runtimes: 
+SymCC ships with 2 runtimes:
 
- * a 'simple' runtime that attempts to solve any branches it comes across using [Z3](https://github.com/Z3Prover/z3/wiki) and
- * a [QSym](https://github.com/sslab-gatech/qsym)-based runtime, which does a bit more filtering on the expressions and also solves using Z3.
+* A 'simple' runtime that attempts to negate and analytically solve any branch conditions it comes across using [Z3](https://github.com/Z3Prover/z3/wiki) and
+* A [QSym](https://github.com/sslab-gatech/qsym)-based runtime, which does a bit more filtering on the expressions and also solves them using Z3.
 
 The integration with LibAFL, however, requires you to **BYORT** (_bring your own runtime_) using the [`symcc_runtime`](https://docs.rs/symcc_runtime/0.1/symcc_runtime) crate.
 This crate allows you to easily build a custom runtime out of the built-in building blocks or create entirely new runtimes with full flexibility.
-Checkout out the `symcc_runtime` docs for more information on how to build your own runtime.
+Check out the `symcc_runtime` docs for more information on how to build your own runtime.
 
 ### SymQEMU
 
@@ -123,7 +124,7 @@ There are three main steps involved with building a hybrid fuzzer using LibAFL:
 3. building the fuzzer.
 
 Note that the order of these steps is important.
-For example, we need to have runtime ready before we can do instrumentation with SymCC.
+For example, we need to have a runtime ready before we can do instrumentation with SymCC.
 
 ### Building a Runtime
 
@@ -134,10 +135,12 @@ Check out the [example hybrid fuzzer's runtime](https://github.com/AFLplusplus/L
 ### Instrumentation
 
 There are two main instrumentation methods to make use of concolic tracing in LibAFL:
-* Using an **compile-time** instrumented target with **SymCC**. 
+
+* Using a **compile-time** instrumented target with **SymCC**.
 This only works when the source is available for the target and the target is reasonably easy to build using the SymCC compiler wrapper.
 * Using **SymQEMU** to dynamically instrument the target at **runtime**.
-This avoids a separate instrumented target with concolic tracing instrumentation and does not require source code.
+This avoids building a separate instrumented target with concolic tracing instrumentation and so does not require source code.
+
 It should be noted, however, that the 'quality' of the generated expressions can be significantly worse and SymQEMU generally produces significantly more and significantly more convoluted expressions than SymCC.
 Therefore, it is recommended to use SymCC over SymQEMU when possible.
 
@@ -158,23 +161,23 @@ Make sure you satisfy the [build requirements](https://github.com/eurecom-s3/sym
 
 Build SymQEMU according to its [build instructions](https://github.com/eurecom-s3/symqemu#readme).
 By default, SymQEMU looks for the runtime in a sibling directory.
-Since we don't have a runtime there, we need to let it know the path to your runtime by setting `--symcc-build` argument of the `configure` script to the path of your runtime.
+Since we don't have a runtime there, we need to explicitly set the `--symcc-build` argument of the `configure` script to the path of your runtime.
 
 ### Building the Fuzzer
 
 No matter the instrumentation method, the interface between the fuzzer and the instrumented target should now be consistent.
 The only difference between using SymCC and SymQEMU should be the binary that represents the target:
-In the case of SymCC it will be the binary that was build with instrumentation and with SymQEMU it will be the emulator binary (eg. `x86_64-linux-user/symqemu-x86_64`), followed by your uninstrumented target binary and arguments.
+In the case of SymCC it will be the binary that was build with instrumentation and with SymQEMU it will be the emulator binary (eg. `x86_64-linux-user/symqemu-x86_64`), followed by your uninstrumented target binary and its arguments.
 
 You can use the [`CommandExecutor`](https://docs.rs/libafl/0.6.0/libafl/executors/command/struct.CommandExecutor.html) to execute your target ([example](https://github.com/AFLplusplus/LibAFL/blob/main/fuzzers/libfuzzer_stb_image_concolic/fuzzer/src/main.rs#L244)).
-When configuring the command, make sure you pass the `SYMCC_INPUT_FILE` environment variable the input file path, if your target reads input from a file (instead of standard input).
+When configuring the command, make sure you pass the `SYMCC_INPUT_FILE` environment variable (set to the input file path), if your target reads input from a file (instead of standard input).
 
 #### Serialization and Solving
 
 While it is perfectly possible to build a custom runtime that also performs the solving step of hybrid fuzzing in the context of the target process, the intended use of the LibAFL concolic tracing support is to serialize the (filtered and pre-processed) branch conditions using the [`TracingRuntime`](https://docs.rs/symcc_runtime/0.1/symcc_runtime/tracing/struct.TracingRuntime.html).
 This serialized representation can be deserialized in the fuzzer process for solving using a [`ConcolicObserver`](https://docs.rs/libafl/0.6.0/libafl/observers/concolic/struct.ConcolicObserver.html) wrapped in a [`ConcolicTracingStage`](https://docs.rs/libafl/0.6.0/libafl/stages/concolic/struct.ConcolicTracingStage.html), which will attach a [`ConcolicMetadata`](https://docs.rs/libafl/0.6.0/libafl/observers/concolic/struct.ConcolicMetadata.html) to every [`TestCase`](https://docs.rs/libafl/0.6.0/libafl/corpus/testcase/struct.Testcase.html).
 
-The `ConcolicMetadata` can be used to replay the concolic trace and solved using an SMT-Solver.
+The `ConcolicMetadata` can be used to replay the concolic trace and to solve the conditions using an SMT-Solver.
 Most use-cases involving concolic tracing, however, will need to define some policy around which branches they want to solve.
 The [`SimpleConcolicMutationalStage`](https://docs.rs/libafl/0.6.0//libafl/stages/concolic/struct.SimpleConcolicMutationalStage.html) can be used for testing purposes.
 It will attempt to solve all branches, like the original simple backend from SymCC, using Z3.

docs/src/advanced_features/frida.md

@@ -17,7 +17,7 @@ If you are on Windows, you'll need to install llvm tools.
 LibAFL uses Frida's [__Stalker__](https://frida.re/docs/stalker/) to trace the execution of your program and instrument your harness.
 Thus, you have to compile your harness to a dynamic library. Frida instruments your PUT after dynamically loading it.
 
-For example in our `frida_libpng` example, we load the dynamic library and find the symbol to harness as follows:
+In our `frida_libpng` example, we load the dynamic library and find the symbol to harness as follows:
 
 ```rust,ignore
         let lib = libloading::Library::new(module_name).unwrap();
@@ -28,9 +28,9 @@ For example in our `frida_libpng` example, we load the dynamic library and find
 
 ## `FridaInstrumentationHelper` and Runtimes
 
-To use functionalities that Frida offers, we'll first need to obtain `Gum` object by `Gum::obtain()`.
+To use functionalities that Frida offers, we'll first need to obtain a `Gum` object by `Gum::obtain()`.
 
-In LibAFL, we use the `FridaInstrumentationHelper` struct to manage frida-related state. `FridaInstrumentationHelper` is a key component that sets up the [__Transformer__](https://frida.re/docs/stalker/#transformer) that is used to generate the instrumented code. It also initializes the `Runtimes` that offer various instrumentation.
+In LibAFL, we use the `FridaInstrumentationHelper` struct to manage frida-related state. `FridaInstrumentationHelper` is a key component that sets up the [__Transformer__](https://frida.re/docs/stalker/#transformer) that is used to generate the instrumented code. It also initializes the `Runtimes` that offer various instrumentations.
 
 We have `CoverageRuntime` that can track the edge coverage,  `AsanRuntime` for address sanitizer, `DrCovRuntime` that uses [__DrCov__](https://dynamorio.org/page_drcov.html) for coverage collection (to be imported in coverage tools like Lighthouse, bncov, dragondance,...), and `CmpLogRuntime` for cmplog instrumentation.
 All of these runtimes can be slotted into `FridaInstrumentationHelper` at build time.
@@ -53,12 +53,12 @@ Combined with any `Runtime` you'd like to use, you can initialize the `FridaInst
 
 ## Running the Fuzzer
 
-After setting up the `FridaInstrumentationHelper`. You can obtain the pointer to the coverage map by calling `map_ptr_mut()`.
+After setting up the `FridaInstrumentationHelper` you can obtain the pointer to the coverage map by calling `map_mut_ptr()`.
 
 ```rust,ignore
-        let edges_observer = HitcountsMapObserver::new(StdMapObserver::new_from_ptr(
+        let edges_observer = HitcountsMapObserver::new(StdMapObserver::from_mut_ptr(
             "edges",
-            frida_helper.map_ptr_mut().unwrap(),
+            frida_helper.map_mut_ptr().unwrap(),
             MAP_SIZE,
         ));
 ```
@@ -83,5 +83,5 @@ You can then link this observer to `FridaInProcessExecutor` as follows:
         );
 ```
 
-And, finally you can run the fuzzer.
-See the `frida_` examples in [`./fuzzers`](https://github.com/AFLplusplus/LibAFL/tree/main/fuzzers/) for more information and, for linux or full-system, play around with `libafl_qemu`, another binary-only tracer.
+And finally you can run the fuzzer.
+See the `frida_` examples in [`./fuzzers`](https://github.com/AFLplusplus/LibAFL/tree/main/fuzzers/) for more information and, for linux or full-system, play around with `libafl_qemu`, another binary-only tracer.

docs/src/advanced_features/no_std.md

@@ -1,6 +1,6 @@
 # Using LibAFL in `no_std` environments
 
-It is possible to use LibAFL in `no_std` environments e.g. custom platforms like microcontrollers, kernels, hypervisors, and more.
+It is possible to use LibAFL in `no_std` environments e.g. on custom platforms like microcontrollers, kernels, hypervisors, and more.
 
 You can simply add LibAFL to your `Cargo.toml` file:
 
@@ -16,7 +16,7 @@ cargo build --no-default-features --target aarch64-unknown-none
 
 ## Use custom timing
 
-The minimum amount of input LibAFL needs for `no_std` is a monotonically increasing timestamp.
+The minimum amount of support LibAFL needs for a `no_std` environment is a monotonically increasing timestamp.
 For this, anywhere in your project you need to implement the `external_current_millis` function, which returns the current time in milliseconds.
 
 ```c

docs/src/advanced_features/nyx.md

@@ -2,12 +2,12 @@
 
 NYX supports both source-based and binary-only fuzzing.
 
-Currently, `libafl_nyx` only supports [afl++](https://github.com/AFLplusplus/AFLplusplus)'s instruction. To install it, you can use `sudo apt install aflplusplus`. Or compile from the source:
+Currently, `libafl_nyx` only supports [afl++](https://github.com/AFLplusplus/AFLplusplus)'s instruction type. To install it, you can use `sudo apt install aflplusplus`. Or compile from the source:
 
 ```bash
 git clone https://github.com/AFLplusplus/AFLplusplus
 cd AFLplusplus
-make all # this will not compile afl's additional extension
+make all # this will not compile afl's additional extensions
 ```
 
 Then you should compile the target with the afl++ compiler wrapper:
@@ -20,9 +20,9 @@ export CXX=afl-clang-fast++
 make
 ```
 
-For binary-only fuzzing, Nyx uses intel-PT(Intel® Processor Trace). You can find the supported CPU at <https://www.intel.com/content/www/us/en/support/articles/000056730/processors.html>.
+For binary-only fuzzing, Nyx uses intel-PT(Intel® Processor Trace). You can find the list of supported CPUs at <https://www.intel.com/content/www/us/en/support/articles/000056730/processors.html>.
 
-## Preparing Nyx working directory
+## Preparing the Nyx working directory
 
 This step is used to pack the target into Nyx's kernel. Don't worry, we have a template shell script in our [example](https://github.com/AFLplusplus/LibAFL/blob/main/fuzzers/nyx_libxml2_parallel/setup_libxml2.sh):
 
@@ -49,7 +49,7 @@ python3 ./packer/packer/nyx_config_gen.py /tmp/nyx_libxml2/ Kernel || exit
 
 ## Standalone fuzzing
 
-In the [example fuzzer](https://github.com/AFLplusplus/LibAFL/blob/main/fuzzers/nyx_libxml2_standalone/src/main.rs). First you need to run `./setup_libxml2.sh`, It will prepare your target and create your nyx work directory in `/tmp/libxml2`. After that, you can start write your code.
+In the [example fuzzer](https://github.com/AFLplusplus/LibAFL/blob/main/fuzzers/nyx_libxml2_standalone/src/main.rs) you first need to run `./setup_libxml2.sh`. It will prepare your target and create your nyx work directory in `/tmp/libxml2`. After that, you can start to write your code.
 
 First, to create `Nyxhelper`:
 
@@ -57,22 +57,21 @@ First, to create `Nyxhelper`:
 let share_dir = Path::new("/tmp/nyx_libxml2/");
 let cpu_id = 0; // use first cpu
 let parallel_mode = false; // close parallel_mode
-let mut helper = NyxHelper::new(share_dir, cpu_id, true, parallel_mode, None).unwrap(); // we don't the set the last parameter in standalone mode, we just use None, here
+let mut helper = NyxHelper::new(share_dir, cpu_id, true, parallel_mode, None).unwrap(); // we don't need to set the last parameter in standalone mode, we just use None, here
 ```
 
 Then, fetch `trace_bits`, create an observer and the `NyxExecutor`:
 
 ```rust,ignore
-let trace_bits = unsafe { std::slice::from_raw_parts_mut(helper.trace_bits, helper.map_size) };
-let observer = StdMapObserver::new("trace", trace_bits);
+let observer = unsafe { StdMapObserver::from_mut_ptr("trace", helper.trace_bits, helper.map_size) };
 let mut executor = NyxExecutor::new(&mut helper, tuple_list!(observer)).unwrap();
 ```
 
-Finally, use them as normal and pass them into `fuzzer.fuzz_loop(&mut stages, &mut executor, &mut state, &mut mgr)` to start fuzzing.
+Finally, use them normally and pass them into `fuzzer.fuzz_loop(&mut stages, &mut executor, &mut state, &mut mgr)` to start fuzzing.
 
 ## Parallel fuzzing
 
-In the [example fuzzer](https://github.com/AFLplusplus/LibAFL/blob/main/fuzzers/nyx_libxml2_parallel/src/main.rs). First you need to run `./setup_libxml2.sh` as described before.
+In the [example fuzzer](https://github.com/AFLplusplus/LibAFL/blob/main/fuzzers/nyx_libxml2_parallel/src/main.rs) you first need to run `./setup_libxml2.sh` as described before.
 
 Parallel fuzzing relies on [`Launcher`](../message_passing/spawn_instances.md), so spawn logic should be written in the scoop of anonymous function `run_client`:
 
@@ -91,7 +90,7 @@ let mut helper = NyxHelper::new(
     cpu_id,    // current cpu id
     true,      // open snap_mode
     parallel_mode, // open parallel mode
-    Some(parent_cpu_id.id as u32), // the cpu-id of master instance, there is only one master instance, other instances will be treated as slaved
+    Some(parent_cpu_id.id as u32), // the cpu-id of main instance, there is only one main instance, other instances will be treated as secondaries
 )
 .unwrap();
 ```
@@ -99,13 +98,11 @@ let mut helper = NyxHelper::new(
 Then you can fetch the trace_bits and create an observer and `NyxExecutor`
 
 ```rust,ignore
-let trace_bits =
-    unsafe { std::slice::from_raw_parts_mut(helper.trace_bits, helper.map_size) };
-let observer = StdMapObserver::new("trace", trace_bits);
+let observer = unsafe { StdMapObserver::from_mut_ptr("trace", helper.trace_bits, helper.map_size) }
 let mut executor = NyxExecutor::new(&mut helper, tuple_list!(observer)).unwrap();
 ```
 
-Finally, open a `Launcher` as normal to start fuzzing:
+Finally, open a `Launcher` as usual to start fuzzing:
 
 ```rust,ignore
 match Launcher::builder()
@@ -121,6 +118,6 @@ match Launcher::builder()
 {
     Ok(()) => (),
     Err(Error::ShuttingDown) => println!("Fuzzing stopped by user. Good bye."),
-    Err(err) => panic!("Failed to run launcher: {:?}", err),
+    Err(err) => panic!("Failed to run launcher: {err:?}"),
 }
 ```

docs/src/baby_fuzzer/baby_fuzzer.md

@@ -17,7 +17,7 @@ You can find a complete version of this tutorial as an example fuzzer in [`fuzze
 
 We use cargo to create a new Rust project with LibAFL as a dependency.
 
-```sh
+```console
 $ cargo new baby_fuzzer
 $ cd baby_fuzzer
 ```
@@ -25,18 +25,11 @@ $ cd baby_fuzzer
 The generated `Cargo.toml` looks like the following:
 
 ```toml
-[package]
-name = "baby_fuzzer"
-version = "0.1.0"
-authors = ["Your Name <you@example.com>"]
-edition = "2018"
-
-# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
-
-[dependencies]
+{{#include ../../listings/baby_fuzzer/listing-01/Cargo.toml}}
 ```
 
 In order to use LibAFl we must add it as dependency adding `libafl = { path = "path/to/libafl/" }` under `[dependencies]`.
+That path actually needs to point to the `libafl` directory within the cloned repo, not the root of the repo itself.
 You can use the LibAFL version from [crates.io](https://crates.io/crates/libafl) if you want, in this case, you have to use `libafl = "*"` to get the latest version (or set it to the current version).
 
 As we are going to fuzz Rust code, we want that a panic does not simply cause the program to exit, but raise an `abort` that can then be caught by the fuzzer.
@@ -47,28 +40,10 @@ Alongside this setting, we add some optimization flags for the compilation, when
 The final `Cargo.toml` should look similar to the following:
 
 ```toml
-[package]
-name = "baby_fuzzer"
-version = "0.1.0"
-authors = ["Your Name <you@example.com>"]
-edition = "2018"
-
-# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
-
-[dependencies]
-libafl = { path = "path/to/libafl/" }
-
-[profile.dev]
-panic = "abort"
-
-[profile.release]
-panic = "abort"
-lto = true
-codegen-units = 1
-opt-level = 3
-debug = true
+{{#include ../../listings/baby_fuzzer/listing-02/Cargo.toml}}
 ```
 
+
 ## The function under test
 
 Opening `src/main.rs`, we have an empty `main` function.
@@ -76,52 +51,32 @@ To start, we create the closure that we want to fuzz. It takes a buffer as input
 `ExitKind` is used to inform the fuzzer about the harness' exit status.
 
 ```rust
-extern crate libafl;
-use libafl::{
-    bolts::AsSlice,
-    inputs::{BytesInput, HasTargetBytes},
-    executors::ExitKind,
-};
-
-fn main(){
-    let mut harness = |input: &BytesInput| {
-        let target = input.target_bytes();
-        let buf = target.as_slice();
-        if buf.len() > 0 && buf[0] == 'a' as u8 {
-            if buf.len() > 1 && buf[1] == 'b' as u8 {
-                if buf.len() > 2 && buf[2] == 'c' as u8 {
-                    panic!("=)");
-                }
-            }
-        }
-        ExitKind::Ok
-    };
-    // To test the panic:
-    let input = BytesInput::new(Vec::from("abc"));
-    #[cfg(feature = "panic")]
-    harness(&input);
-}
+{{#rustdoc_include ../../listings/baby_fuzzer/listing-03/src/main.rs}}
 ```
 
+To test the crash manually, you can add a feature in `Cargo.toml` that enables the call that triggers the panic:
+
+```toml
+{{#include ../../listings/baby_fuzzer/listing-03/Cargo.toml:22:24}}
+```
+
+And then run the program with that feature activated:
+
+```console
+$ cargo run -F panic
+```
+
+And you should see the program crash as expected.
+
 ## Generating and running some tests
 
-One of the main components that a LibAFL-based fuzzer uses is the State, a container of the data that is evolved during the fuzzing process.
-Includes all State, such as the Corpus of inputs, the current RNG state, and potential Metadata for the testcases and run.
+One of the main components that a LibAFL-based fuzzer uses is the State, a container of the data that will evolve during the fuzzing process.
+It includes all state, such as the Corpus of inputs, the current RNG state, and potential Metadata for the testcases and run.
 In our `main` we create a basic State instance like the following:
 
-```rust,ignore
-// create a State from scratch
-let mut state = StdState::new(
-    // RNG
-    StdRand::with_seed(current_nanos()),
-    // Corpus that will be evolved, we keep it in memory for performance
-    InMemoryCorpus::new(),
-    // Corpus in which we store solutions (crashes in this example),
-    // on disk so the user can get them after stopping the fuzzer
-    OnDiskCorpus::new(PathBuf::from("./crashes")).unwrap(),
-    &mut (),
-    &mut ()
-).unwrap();
+
+```rust
+{{#rustdoc_include ../../listings/baby_fuzzer/listing-04/src/main.rs:state}}
 ```
 
 - The first parameter is a random number generator, that is part of the fuzzer state, in this case, we use the default one `StdRand`, but you can choose a different one. We seed it with the current nanoseconds.
@@ -129,43 +84,26 @@ let mut state = StdState::new(
 
   To avoid type annotation error, you can use `InMemoryCorpus::<BytesInput>::new()` to replace `InMemoryCorpus::new()`. If not, type annotation will be automatically inferred when adding `executor`.
 
-- third parameter is another corpus that stores the "solution" testcases for the fuzzer. For our purpose, the solution is the input that triggers the panic. In this case, we want to store it to disk under the `crashes` directory, so we can inspect it.
-- last two parameters are feedback and objective, we will discuss them later.
+- The third parameter is another Corpus that stores the "solution" testcases for the fuzzer. For our purpose, the solution is the input that triggers the panic. In this case, we want to store it to disk under the `crashes` directory, so we can inspect it.
+- The last two parameters are feedback and objective, we will discuss them later.
 
 Another required component is the **EventManager**. It handles some events such as the addition of a testcase to the corpus during the fuzzing process. For our purpose, we use the simplest one that just displays the information about these events to the user using a `Monitor` instance.
 
-```rust,ignore
-// The Monitor trait defines how the fuzzer stats are displayed to the user
-let mon = SimpleMonitor::new(|s| println!("{}", s));
-
-// The event manager handle the various events generated during the fuzzing loop
-// such as the notification of the addition of a new item to the corpus
-let mut mgr = SimpleEventManager::new(mon);
+```rust
+{{#rustdoc_include ../../listings/baby_fuzzer/listing-04/src/main.rs:event_manager}}
 ```
 
 In addition, we have the **Fuzzer**, an entity that contains some actions that alter the State. One of these actions is the scheduling of the testcases to the fuzzer using a **Scheduler**.
 We create it as `QueueScheduler`, a scheduler that serves testcases to the fuzzer in a FIFO fashion.
 
-```rust,ignore
-// A queue policy to get testcasess from the corpus
-let scheduler = QueueScheduler::new();
-
-// A fuzzer with feedbacks and a corpus scheduler
-let mut fuzzer = StdFuzzer::new(scheduler, (), ());
+```rust
+{{#rustdoc_include ../../listings/baby_fuzzer/listing-04/src/main.rs:scheduler_fuzzer}}
 ```
 
 Last but not least, we need an **Executor** that is the entity responsible to run our program under test. In this example, we want to run the harness function in-process (without forking off a child, for example), and so we use the `InProcessExecutor`.
 
-```rust,ignore
-// Create the executor for an in-process function
-let mut executor = InProcessExecutor::new(
-    &mut harness,
-    (),
-    &mut fuzzer,
-    &mut state,
-    &mut mgr,
-)
-.expect("Failed to create the Executor");
+```rust
+{{#rustdoc_include ../../listings/baby_fuzzer/listing-04/src/main.rs:executor}}
 ```
 
 It takes a reference to the harness, the state, and the event manager. We will discuss the second parameter later.
@@ -175,41 +113,19 @@ Now we have the 4 major entities ready for running our tests, but we still canno
 
 For this purpose, we use a **Generator**, `RandPrintablesGenerator` that generates a string of printable bytes.
 
-```rust,ignore
-use libafl::generators::RandPrintablesGenerator;
-
-// Generator of printable bytearrays of max size 32
-let mut generator = RandPrintablesGenerator::new(32);
-
-// Generate 8 initial inputs
-state
-    .generate_initial_inputs(&mut fuzzer, &mut executor, &mut generator, &mut mgr, 8)
-    .expect("Failed to generate the initial corpus".into());
+```rust
+{{#rustdoc_include ../../listings/baby_fuzzer/listing-04/src/main.rs:generator}}
 ```
 
 Now you can prepend the necessary `use` directives to your main.rs and compile the fuzzer.
 
 ```rust
-extern crate libafl;
-
-use std::path::PathBuf;
-use libafl::{
-    bolts::{AsSlice, current_nanos, rands::StdRand},
-    corpus::{InMemoryCorpus, OnDiskCorpus},
-    events::SimpleEventManager,
-    executors::{inprocess::InProcessExecutor, ExitKind},
-    fuzzer::StdFuzzer,
-    generators::RandPrintablesGenerator,
-    inputs::{BytesInput, HasTargetBytes},
-    monitors::SimpleMonitor,
-    schedulers::QueueScheduler,
-    state::StdState,
-};
+{{#rustdoc_include ../../listings/baby_fuzzer/listing-04/src/main.rs:use}}
 ```
 
 When running, you should see something similar to:
 
-```sh
+```console
 $ cargo run
     Finished dev [unoptimized + debuginfo] target(s) in 0.04s
      Running `target/debug/baby_fuzzer`
@@ -225,60 +141,22 @@ Now we want to turn our simple fuzzer into a feedback-based one and increase the
 **Observer** can record the information about properties of a fuzzing run and then feeds the fuzzer. We use the `StdMapObserver`, the default observer that uses a map to keep track of covered elements. In our fuzzer, each condition is mapped to an entry of such map.
 
 We represent such map as a `static mut` variable.
-As we don't rely on any instrumentation engine, we have to manually track the satisfied conditions by `singals_set` in our harness:
+As we don't rely on any instrumentation engine, we have to manually track the satisfied conditions by `signals_set` in our harness:
 
 ```rust
-extern crate libafl;
-use libafl::{
-    bolts::AsSlice,
-    inputs::{BytesInput, HasTargetBytes},
-    executors::ExitKind,
-};
-
-// Coverage map with explicit assignments due to the lack of instrumentation
-static mut SIGNALS: [u8; 16] = [0; 16];
-
-fn signals_set(idx: usize) {
-    unsafe { SIGNALS[idx] = 1 };
-}
-
-// The closure that we want to fuzz
-let mut harness = |input: &BytesInput| {
-    let target = input.target_bytes();
-    let buf = target.as_slice();
-    signals_set(0); // set SIGNALS[0]
-    if buf.len() > 0 && buf[0] == 'a' as u8 {
-        signals_set(1); // set SIGNALS[1]
-        if buf.len() > 1 && buf[1] == 'b' as u8 {
-            signals_set(2); // set SIGNALS[2]
-            if buf.len() > 2 && buf[2] == 'c' as u8 {
-                panic!("=)");
-            }
-        }
-    }
-    ExitKind::Ok
-};
+{{#rustdoc_include ../../listings/baby_fuzzer/listing-05/src/main.rs:signals}}
 ```
 
 The observer can be created directly from the `SIGNALS` map, in the following way:
 
-```rust,ignore
-// Create an observation channel using the signals map
-let observer = StdMapObserver::new("signals", unsafe { &mut SIGNALS });
+```rust
+{{#rustdoc_include ../../listings/baby_fuzzer/listing-05/src/main.rs:observer}}
 ```
 
 The observers are usually kept in the corresponding executor as they keep track of information that is valid for just one run. We have then to modify our InProcessExecutor creation to include the observer as follows:
 
-```rust,ignore
-// Create the executor for an in-process function with just one observer
-let mut executor = InProcessExecutor::new(
-    &mut harness,
-    tuple_list!(observer),
-    &mut fuzzer,
-    &mut state,
-    &mut mgr,
-)
-.expect("Failed to create the Executor".into());
+```rust
+{{#rustdoc_include ../../listings/baby_fuzzer/listing-05/src/main.rs:executor_with_observer}}
 ```
 
 Now that the fuzzer can observe which condition is satisfied, we need a way to rate an input as interesting (i.e. worth of addition to the corpus) based on this observation. Here comes the notion of Feedback.
@@ -287,49 +165,23 @@ Now that the fuzzer can observe which condition is satisfied, we need a way to r
 
 We use `MaxMapFeedback`, a feedback that implements a novelty search over the map of the MapObserver. Basically, if there is a value in the observer's map that is greater than the maximum value registered so far for the same entry, it rates the input as interesting and updates its state.
 
-**Objective Feedback** is another kind of Feedback which decide if an input is a "solution". It will save input to solutions(`./crashes` in our case) other than corpus when the input is rated interesting. We use `CrashFeedback` to tell the fuzzer that if an input causes the program to crash it is a solution for us.
+**Objective Feedback** is another kind of Feedback which decides if an input is a "solution". It will save input to solutions(`./crashes` in our case) rather than corpus when the input is rated interesting. We use `CrashFeedback` to tell the fuzzer that if an input causes the program to crash it is a solution for us.
 
 We need to update our State creation including the feedback state and the Fuzzer including the feedback and the objective:
 
-```rust,ignore
-extern crate libafl;
-use libafl::{
-    bolts::{current_nanos, rands::StdRand, tuples::tuple_list},
-    corpus::{InMemoryCorpus, OnDiskCorpus},
-    feedbacks::{MaxMapFeedback, CrashFeedback},
-    fuzzer::StdFuzzer,
-    state::StdState,
-    observers::StdMapObserver,
-};
+```rust
+{{#rustdoc_include ../../listings/baby_fuzzer/listing-05/src/main.rs:state_with_feedback_and_objective}}
+```
 
-// Feedback to rate the interestingness of an input
-let mut feedback = MaxMapFeedback::new(&observer);
+Once again, you need to add the necessary `use` directives for this to work properly:
 
-// A feedback to choose if an input is a solution or not
-let mut objective = CrashFeedback::new();
-
-// create a State from scratch
-let mut state = StdState::new(
-    // RNG
-    StdRand::with_seed(current_nanos()),
-    // Corpus that will be evolved, we keep it in memory for performance
-    InMemoryCorpus::new(),
-    // Corpus in which we store solutions (crashes in this example),
-    // on disk so the user can get them after stopping the fuzzer
-    OnDiskCorpus::new(PathBuf::from("./crashes")).unwrap(),
-    &mut feedback,
-    &mut objective
-).unwrap();
-
-// ...
-
-// A fuzzer with feedbacks and a corpus scheduler
-let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);
+```rust
+{{#rustdoc_include ../../listings/baby_fuzzer/listing-05/src/main.rs:use}}
 ```
 
 ## The actual fuzzing
 
-Now, after including the correct `use`, we can run the program, but the outcome is not so different from the previous one as the random generator does not take into account what we save as interesting in the corpus. To do that, we need to plug a Mutator.
+Now, we can run the program, but the outcome is not so different from the previous one as the random generator does not take into account what we save as interesting in the corpus. To do that, we need to plug a Mutator.
 
 **Stages** perform actions on individual inputs, taken from the corpus.
 For instance, the `MutationalStage` executes the harness several times in a row, every time with mutated inputs.
@@ -337,28 +189,20 @@ For instance, the `MutationalStage` executes the harness several times in a row,
 As the last step, we create a MutationalStage that uses a mutator inspired by the havoc mutator of AFL.
 
 ```rust,ignore
-use libafl::{
-    mutators::scheduled::{havoc_mutations, StdScheduledMutator},
-    stages::mutational::StdMutationalStage,
-    fuzzer::Fuzzer,
-};
-
-// ...
-
-// Setup a mutational stage with a basic bytes mutator
-let mutator = StdScheduledMutator::new(havoc_mutations());
-let mut stages = tuple_list!(StdMutationalStage::new(mutator));
-
-fuzzer
-    .fuzz_loop(&mut stages, &mut executor, &mut state, &mut mgr)
-    .expect("Error in the fuzzing loop");
+{{#rustdoc_include ../../listings/baby_fuzzer/listing-06/src/main.rs:mutational_stage}}
 ```
 
 `fuzz_loop` will request a testcase for each iteration to the fuzzer using the scheduler and then it will invoke the stage.
 
-After adding this code, we have a proper fuzzer, that can run a find the input that panics the function in less than a second.
+Again, we need to add the new `use` directives:
 
-```text
+```rust,ignore
+{{#rustdoc_include ../../listings/baby_fuzzer/listing-06/src/main.rs:use}}
+```
+
+After adding this code, we have a proper fuzzer, that can run and find the input that panics the function in less than a second.
+
+```console
 $ cargo run
    Compiling baby_fuzzer v0.1.0 (/home/andrea/Desktop/baby_fuzzer)
     Finished dev [unoptimized + debuginfo] target(s) in 1.56s

docs/src/baby_fuzzer/more_examples.md

@@ -9,4 +9,4 @@ Examples can be found under `./fuzzer`.
 | baby_fuzzer_nautilus | [nautilus](https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_04A-3_Aschermann_paper.pdf) is a **coverage guided, grammar based** fuzzer|
 |baby_fuzzer_tokens| basic **token level** fuzzer with token level mutations|
 |baby_fuzzer_with_forkexecutor| example for **InProcessForkExecutor**|
-|baby_no_std|a minimalistic example how to create a libafl based fuzzer that works on **`no_std`** environments like TEEs, Kernels or on barew metal|
+|baby_no_std|a minimalistic example how to create a libafl based fuzzer that works on **`no_std`** environments like TEEs, Kernels or on bare metal|

docs/src/core_concepts/corpus.md

@@ -4,8 +4,8 @@ The Corpus is where testcases are stored. We define a Testcase as an Input and a
 
 A Corpus can store testcases in different ways, for example on disk, or in memory, or implement a cache to speedup on disk storage.
 
-Usually, a testcase is added to the Corpus when it is considered as interesting, but a Corpus is used also to store testcases that fulfill an objective (like crashing the tested program for instance).
+Usually, a testcase is added to the Corpus when it is considered as interesting, but a Corpus is used also to store testcases that fulfill an objective (like crashing the program under test for instance).
 
-Related to the Corpus, there is the way in which the fuzzer should ask for the next testcase to fuzz picking it from the Corpus. The taxonomy for this in LibAFL is CorpusScheduler, the entity representing the policy to pop testcases from the Corpus, FIFO for instance.
+Related to the Corpus is the way in which the next testcase (the fuzzer would ask for) is retrieved from the Corpus. The taxonomy for this handling in LibAFL is CorpusScheduler, the entity representing the policy to pop testcases from the Corpus, in a FIFO fashion for instance.
 
 Speaking about the code, [`Corpus`](https://docs.rs/libafl/0/libafl/corpus/trait.Corpus.html) and [`CorpusScheduler`](https://docs.rs/libafl/0/libafl/corpus/trait.CorpusScheduler.html) are traits.

docs/src/core_concepts/executor.md

@@ -13,7 +13,7 @@ In Rust, we bind this concept to the [`Executor`](https://docs.rs/libafl/0/libaf
 
 By default, we implement some commonly used Executors such as [`InProcessExecutor`](https://docs.rs/libafl/0/libafl/executors/inprocess/struct.InProcessExecutor.html) in which the target is a harness function providing in-process crash detection. Another Executor is the [`ForkserverExecutor`](https://docs.rs/libafl/0/libafl/executors/forkserver/struct.ForkserverExecutor.html) that implements an AFL-like mechanism to spawn child processes to fuzz.
 
-A common pattern when creating an Executor is wrapping an existing one, for instance [`TimeoutExecutor`](https://docs.rs/libafl/0.6.1/libafl/executors/timeout/struct.TimeoutExecutor.html) wraps an executor and install a timeout callback before calling the original run function of the wrapped executor.
+A common pattern when creating an Executor is wrapping an existing one, for instance [`TimeoutExecutor`](https://docs.rs/libafl/0.6.1/libafl/executors/timeout/struct.TimeoutExecutor.html) wraps an executor and installs a timeout callback before calling the original `run` function of the wrapped executor.
 
 ## InProcessExecutor
 Let's begin with the base case; `InProcessExecutor`.
@@ -24,7 +24,7 @@ When you want to execute the harness as fast as possible, you will most probably
  One thing to note here is, when your harness is likely to have heap corruption bugs, you want to use another allocator so that corrupted heap does not affect the fuzzer itself. (For example, we adopt MiMalloc in some of our fuzzers.). Alternatively you can compile your harness with address sanitizer to make sure you can catch these heap bugs.
 
 ## ForkserverExecutor
-Next, we'll take a look at the `ForkserverExecutor`. In this case, it is `afl-cc` (from AFLplusplus/AFLplusplus) that compiles the harness code, and therefore, we can't use `EDGES_MAP` anymore. Hopefully, we have [_a way_](https://github.com/AFLplusplus/AFLplusplus/blob/2e15661f184c77ac1fbb6f868c894e946cbb7f17/instrumentation/afl-compiler-rt.o.c#L270) to tell the forkserver which map to record the coverage.
+Next, we'll take a look at the `ForkserverExecutor`. In this case, it is `afl-cc` (from AFLplusplus/AFLplusplus) that compiles the harness code, and therefore, we can't use `EDGES_MAP` anymore. Fortunately we have [_a way_](https://github.com/AFLplusplus/AFLplusplus/blob/2e15661f184c77ac1fbb6f868c894e946cbb7f17/instrumentation/afl-compiler-rt.o.c#L270) to tell the forkserver which map to record the coverage in.
 
 As you can see from the forkserver example,
 
@@ -48,7 +48,7 @@ See AFL++'s [_documentation_](https://github.com/AFLplusplus/AFLplusplus/blob/st
 Finally, we'll talk about the `InProcessForkExecutor`.
 `InProcessForkExecutor` has only one difference from `InprocessExecutor`; It forks before running the harness and that's it.
 
-But why do we want to do so? well, under some circumstances, you may find your harness pretty unstable or your harness wreaks havoc on the global states. In this case, you want to fork it before executing the harness runs in the child process so that it doesn't break things.
+But why do we want to do so? Well, under some circumstances, you may find your harness pretty unstable or your harness wreaks havoc on the global states. In this case, you want to fork it before executing the harness runs in the child process so that it doesn't break things.
 
 However, we have to take care of the shared memory, it's the child process that runs the harness code and writes the coverage to the map.
 

docs/src/core_concepts/feedback.md

@@ -10,17 +10,25 @@ The concept of "interestingness" is abstract, but typically it is related to a n
 
 As an example, given an Observer that reports all the sizes of memory allocations, a maximization Feedback can be used to maximize these sizes to sport pathological inputs in terms of memory consumption.
 
-In terms of code, the library offers the [`Feedback`](https://docs.rs/libafl/0/libafl/feedbacks/trait.Feedback.html) and the [`FeedbackState`](https://docs.rs/libafl/0/libafl/feedbacks/trait.FeedbackState.html) traits.
-The first is used to implement functors that, given the state of the observers from the last execution, tells if the execution was interesting. The second is tied with `Feedback` and it is the state of the data that the feedback wants to persist in the fuzzers's state, for instance the cumulative map holding all the edges seen so far in the case of a feedback based on edge coverage.
+In terms of code, the library offers the [`Feedback`](https://docs.rs/libafl/0/libafl/feedbacks/trait.Feedback.html) trait.
+It is used to implement functors that, given the state of the observers from the last execution, tells if the execution was interesting.
+So to speak, it reduces the observations to a boolean result of [`is_interesting`](https://docs.rs/libafl/0/libafl/feedbacks/trait.Feedback.html#tymethod.is_interesting) - or not.
+For this, a `Feedback` can store anything it wants to persist in the fuzzers's state.
+This might be, for instance, the cumulative map of all edges seen so far, in the case of a feedback based on edge coverage.
+This can be achieved by adding `Metadata` in [`init_state`](https://docs.rs/libafl/0/libafl/feedbacks/trait.Feedback.html#method.init_state) and accessing it later in `is_interesting`.
+`Feedback` can also add custom metadata to a newly created [`Testcase`](https://docs.rs/libafl/0/libafl/corpus/testcase/struct.Testcase.html) using [`append_metadata`](https://docs.rs/libafl/0.10.1/libafl/feedbacks/trait.Feedback.html#method.append_metadata).
 
-Multiple Feedbacks can be combined into boolean formula, considering for instance an execution as interesting if it triggers new code paths or execute in less time compared to the average execution time using [`feedback_or`](https://docs.rs/libafl/*/libafl/macro.feedback_or.html).
+Multiple Feedbacks can be combined into a boolean expression, considering for instance an execution as interesting if it triggers new code paths or execute in less time compared to the average execution time using [`feedback_or`](https://docs.rs/libafl/*/libafl/macro.feedback_or.html).
 
-On top, logic operators like `feedback_or` and `feedback_and` have a `_fast` option (`feedback_or_fast` where the second feedback will not be evaluated, if the first part already answers the `interestingness` question, to save precious performance.
+On top, logic operators like `feedback_or` and `feedback_and` have a `_fast` variant (e.g. `feedback_or_fast`) where the second feedback will not be evaluated, if the value of the first feedback operand already answers the `interestingness` question so as to save precious performance.
 
 Using `feedback_and_fast` in combination with [`ConstFeedback`](https://docs.rs/libafl/*/libafl/feedbacks/enum.ConstFeedback.html#method.new), certain feedbacks can be disabled dynamically.
 
 ## Objectives
 
 While feedbacks are commonly used to decide if an [`Input`](https://docs.rs/libafl/*/libafl/inputs/trait.Input.html) should be kept for future mutations, they serve a double-purpose, as so-called `Objective Feedbacks`.
-In this case, the `interestingness` of a feedback indicates, if an `Objective` has been hit.
-Commonly, these would be a`crash or a timeout, but they can also be used to find specific parts of the program, for sanitization, or a differential fuzzing success.
+In this case, the `interestingness` of a feedback indicates if an `Objective` has been hit.
+Commonly, these objectives would be a crash or a timeout, but they can also be used to detect if specific parts of the program have been reached, for sanitization, or a differential fuzzing success.
+Objectives use the same trait as a normal [`Feedback`](https://docs.rs/libafl/0/libafl/feedbacks/trait.Feedback.html) and the implementations can be used interchangeably.
+
+The only difference is that `interesting` Objectives won't be mutated further, and are counted as `Solutions`, a successful fuzzing campaign.

docs/src/core_concepts/input.md

@@ -6,10 +6,10 @@ In our model of an abstract fuzzer, we define the Input as the internal represen
 
 In the straightforward case, the input of the program is a byte array and in fuzzers such as AFL we store and manipulate exactly these byte arrays.
 
-But it is not always the case. A program can expect inputs that are not byte arrays (e.g. a sequence of syscalls) and the fuzzer does not represent the Input in the same way that the program consumes it.
+But it is not always the case. A program can expect inputs that are not linear byte arrays (e.g. a sequence of syscalls forming a use case or protocol) and the fuzzer does not represent the Input in the same way that the program consumes it.
 
 In case of a grammar fuzzer for instance, the Input is generally an Abstract Syntax Tree because it is a data structure that can be easily manipulated while maintaining the validity, but the program expects a byte array as input, so just before the execution, the tree is serialized to a sequence of bytes.
 
 In the Rust code, an [`Input`](https://docs.rs/libafl/*/libafl/inputs/trait.Input.html) is a trait that can be implemented only by structures that are serializable and have only owned data as fields.
 
-While most fuzzer use a normal `BytesInput`], more advanced inputs like inputs include special inputs for grammar fuzzing ([GramatronInput](https://docs.rs/libafl/*/libafl/inputs/gramatron/struct.GramatronInput.html) or `NautilusInput` on nightly), as well as the token-level [EncodedInput](https://docs.rs/libafl/*/libafl/inputs/encoded/struct.EncodedInput.html).
+While most fuzzers use a normal `BytesInput`, more advanced ones use inputs that include special inputs for grammar fuzzing ([GramatronInput](https://docs.rs/libafl/*/libafl/inputs/gramatron/struct.GramatronInput.html) or `NautilusInput` on Rust nightly), as well as the token-level [EncodedInput](https://docs.rs/libafl/*/libafl/inputs/encoded/struct.EncodedInput.html).

docs/src/core_concepts/mutator.md

@@ -1,9 +1,9 @@
 # Mutator
 
-The Mutator is an entity that takes one or more Inputs and generates a new derived one.
+The Mutator is an entity that takes one or more Inputs and generates a new instance of Input derived by its inputs.
 
 Mutators can be composed, and they are generally linked to a specific Input type.
 
-There can be, for instance, a Mutator that applies more than a single type of mutation on the input. Consider a generic Mutator for a byte stream, bit flip is just one of the possible mutations but not the only one, there is also, for instance, the random replacement of a byte of the copy of a chunk.
+There can be, for instance, a Mutator that applies more than a single type of mutation to the input. Consider a generic Mutator for a byte stream, bit flip is just one of the possible mutations but not the only one, there is also, for instance, the random replacement of a byte of the copy of a chunk.
 
 In LibAFL, [`Mutator`](https://docs.rs/libafl/*/libafl/mutators/trait.Mutator.html) is a trait.

docs/src/core_concepts/observer.md

@@ -4,8 +4,8 @@ An Observer is an entity that provides an information observed during the execut
 
 The information contained in the Observer is not preserved across executions, but it may be serialized and passed on to other nodes if an `Input` is considered `interesting`, and added to the `Corpus`.
 
-As an example, the coverage map, filled during the execution to report the executed edges used by fuzzers such as AFL and `HonggFuzz` can be considered an observation. Another `Observer` can be the time spent executing a run, the program output, or more advanced observation, like maximum stack depth at runtime.
-This information is not preserved across runs, and it is an observation of a dynamic property of the program.
+As an example, the coverage map, filled during the execution to report the executed edges used by fuzzers such as AFL and `HonggFuzz` can be considered an observation. Another `Observer` can collect the time spent executing a run, the program output, or a more advanced observation, like maximum stack depth at runtime.
+This information is an observation of a dynamic property of the program.
 
 In terms of code, in the library this entity is described by the [`Observer`](https://docs.rs/libafl/0/libafl/observers/trait.Observer.html) trait.
 

docs/src/core_concepts/stage.md

@@ -1,8 +1,8 @@
 # Stage
 
-A Stage is an entity that operates on a single Input got from the Corpus.
+A Stage is an entity that operates on a single Input received from the Corpus.
 
-For instance, a Mutational Stage, given an input of the corpus, applies a Mutator and executes the generated input one or more time. How many times this has to be done can be scheduled, AFL for instance uses a performance score of the input to choose how many times the havoc mutator should be invoked. This can depend also on other parameters, for instance, the length of the input if we want to just apply a sequential bitflip, or be a fixed value.
+For instance, a Mutational Stage, given an input of the corpus, applies a Mutator and executes the generated input one or more times. How many times this has to be done can be scheduled, AFL for instance uses a performance score of the input to choose how many times the havoc mutator should be invoked. This can depend also on other parameters, for instance, the length of the input if we want to just apply a sequential bitflip, or a fixed value.
 
 A stage can also be an analysis stage, for instance, the Colorization stage of Redqueen that aims to introduce more entropy in a testcase or the Trimming stage of AFL that aims to reduce the size of a testcase.
 

docs/src/design/architecture.md

@@ -10,6 +10,6 @@ Thinking about similar fuzzers, you can observe that most of the time the data s
 
 Beside the entities previously described, we introduce the [`Testcase`](https://docs.rs/libafl/0.6/libafl/corpus/testcase/struct.Testcase.html) and [`State`](https://docs.rs/libafl/0.6/libafl/state/struct.StdState.html) entities. The Testcase is a container for an Input stored in the Corpus and its metadata (so, in the implementation, the Corpus stores Testcases) and the State contains all the metadata that are evolved while running the fuzzer, Corpus included.
 
-The State, in the implementation, contains only owned objects that are serializable, and it is serializable itself. Some fuzzers may want to serialize its state when pausing or just, when doing in-process fuzzing, serialize on crash and deserialize in the new process to continue to fuzz with all the metadata preserved.
+The State, in the implementation, contains only owned objects that are serializable, and it is serializable itself. Some fuzzers may want to serialize their state when pausing or just, when doing in-process fuzzing, serialize on crash and deserialize in the new process to continue to fuzz with all the metadata preserved.
 
 Additionally, we group the entities that are "actions", like the `CorpusScheduler` and the `Feedbacks`, in a common place, the [`Fuzzer'](https://docs.rs/libafl/*/libafl/fuzzer/struct.StdFuzzer.html).

docs/src/design/metadata.md

@@ -5,10 +5,10 @@ A metadata in LibAFL is a self-contained structure that holds associated data to
 In terms of code, a metadata can be defined as a Rust struct registered in the SerdeAny register.
 
 ```rust
-extern crate libafl;
-extern crate serde;
+# extern crate libafl_bolts;
+# extern crate serde;
 
-use libafl::SerdeAny;
+use libafl_bolts::SerdeAny;
 use serde::{Serialize, Deserialize};
 
 #[derive(Debug, Serialize, Deserialize, SerdeAny)]
@@ -19,7 +19,7 @@ pub struct MyMetadata {
 
 The struct must be static, so it cannot hold references to borrowed objects.
 
-As an alternative to `derive(SerdeAny)` that is a proc-macro in `libafl_derive` the user can use `libafl::impl_serdeany!(MyMetadata);`.
+As an alternative to `derive(SerdeAny)` which is a proc-macro in `libafl_derive` the user can use `libafl_bolts::impl_serdeany!(MyMetadata);`.
 
 ## Usage
 

docs/src/design/migration-0.11.md

@@ -0,0 +1,27 @@
+# Migrating from LibAFL <0.11 to 0.11
+
+We moved the old `libafl::bolts` module to its own crate called `libafl_bolts`.
+For this, imports for types in LibAFL bolts have changed in version 0.11, everything else should remain the same.
+
+## Reasons for This Change
+
+With the change we can now use a lot of low-level features of LibAFL for projects that are unrelated to fuzzing, or just completely different to LibAFL.
+Some cross-platform things in bolts include
+
+* SerdeAnyMap: a map that stores and retrieves elements by type and is serializable and deserializable
+* ShMem: A cross-platform (Windows, Linux, Android, MacOS) shared memory implementation
+* LLMP: A fast, lock-free IPC mechanism via SharedMap
+* Core_affinity: A maintained version of `core_affinity` that can be used to get core information and bind processes to cores
+* Rands: Fast random number generators for fuzzing (like [RomuRand](http://www.romu-random.org/))
+* MiniBSOD: get and print information about the current process state including important registers.
+* Tuples: Haskel-like compile-time tuple lists
+* Os: OS specific stuff like signal handling, windows exception handling, pipes, and helpers for `fork`
+
+## What changed
+
+You will need to move all `libafl::bolts::` imports to `libafl_bolts:::` and add the crate dependency in your Cargo.toml (and specify feature flags there).
+As only exception, the `libafl::bolts::launcher::Launcher` has moved to `libafl::events::launcher::Launcher` since it has fuzzer and `EventManager` specific code.
+If you are using `prelude`, you may need to also ad `libafl_bolts::prelude`.
+
+That's it.
+Enjoy using `libafl_bolts` in other projects.

docs/src/design/migration-0.9.md

@@ -75,7 +75,7 @@ where
 ```
 
 The executor is constrained to `EM` and `Z`, with each of their respective states being constrained to `E`'s state. It
-is no longer necessary to explicitly defined a generic for the input type, the state type, or the generic type, as these
+is no longer necessary to explicitly define a generic for the input type, the state type, or the generic type, as these
 are all present as associated types for `E`. Additionally, we don't even need to specify any details about the observers
 (`OT` in the previous version) as the type does not need to be constrained and is not shared by other types.
 
@@ -101,7 +101,7 @@ See `fuzzers/` for examples of these changes.
 If you implemented a Mutator, Executor, State, or another kind of component, you must update your implementation. The
 main changes to the API are in the use of "Uses*" for associated types.
 
-In many scenarios, Input, Observers, and State generics have been moved into traits with associated types (namely,
+In many scenarios, Input, Observer, and State generics have been moved into traits with associated types (namely,
 "UsesInput", "UsesObservers", and "UsesState". These traits are required for many existing traits now and are very
 straightforward to implement. In a majority of cases, you will have generics on your custom implementation or a fixed
 type to implement this with. Thankfully, Rust will let you know when you need to implement this type.
@@ -127,7 +127,7 @@ where
 }
 ```
 
-After 0.9, all `Corpus` implementations are required to implement `UsesInput` and `Corpus` no longer has a generic for
+After 0.9, all `Corpus` implementations are required to implement `UsesInput`. Also `Corpus` no longer has a generic for
 the input type (as it is now provided by the UsesInput impl). The migrated implementation is shown below:
 
 ```rust,ignore
@@ -160,3 +160,26 @@ Now, `Corpus` cannot be accidentally implemented for another type other than tha
 is fixed to the associated type for `UsesInput`.
 
 A more complex example of migration can be found in the "Reasons for this change" section of this document.
+
+## Observer Changes
+
+Additionally, we changed the Observer API, as the API in 0.8 led to undefined behavior.
+At the same time, we used the change to simplify the common case: creating an `StdMapObserver`
+from libafl_target's `EDGES_MAP`.
+In the future, instead of using:
+
+```rust,ignore
+let edges = unsafe { &mut EDGES_MAP[0..MAX_EDGES_NUM] };
+let edges_observer = StdMapObserver::new("edges", edges);
+```
+
+creating the edges observer is as simple as using the new `std_edges_map_observer` function.
+
+```rust,ignore
+let edges_observer = unsafe { std_edges_map_observer("edges") };
+```
+
+Alternatively, `StdMapObserver::new` will still work, but now the whole method is marked as `unsafe`.
+The reason is that the caller has to make sure `EDGES_MAP` (or other maps) are not moved or freed in memory,
+for the lifetime of the `MapObserver`.
+This means that the buffer should either be `static` or `Pin`.

docs/src/getting_started/build.md

@@ -6,7 +6,7 @@ LibAFL, as most of the Rust projects, can be built using `cargo` from the root d
 $ cargo build --release
 ```
 
-Note that the `--release` flag is optional for development, but you needed to add it to fuzzing at a decent speed.
+Note that the `--release` flag is optional for development, but you need to add it to do fuzzing at a decent speed.
 Slowdowns of 10x or more are not uncommon for Debug builds.
 
 The LibAFL repository is composed of multiple crates.

docs/src/getting_started/crates.md

@@ -10,7 +10,7 @@ libafl = { version = "*" }
 
 ## Crate List
 
-For LibAFL, each crate has its self-contained purpose, and the user may not need to use all of them in its project.
+For LibAFL, each crate has its self-contained purpose, and the user may not need to use all of them in their project.
 Following the naming convention of the folders in the project's root, they are:
 
 ### [`libafl`](https://github.com/AFLplusplus/LibAFL/tree/main/libafl)
@@ -31,20 +31,35 @@ You can choose the features by using `features = ["feature1", "feature2", ...]`
 Out of this list, by default, `std`, `derive`, and `rand_trait` are already set.
 You can choose to disable them by setting `default-features = false` in your `Cargo.toml`.
 
-### libafl_sugar
+### [`libafl_bolts`](https://github.com/AFLplusplus/LibAFL/tree/main/libafl)
+
+The `libafl_bolts` crate is a minimal tool shed filled with useful low-level rust features, not necessarily related to fuzzers.
+In it, you'll find highlights like:
+
+- `core_affinity` to bind the current process to cores
+- `SerdeAnyMap` a map that can store typed values in a serializable fashion
+- `minibsod` to dump the current process state
+- `LLMP`, "low level message passing", a lock-free IPC mechanism
+- `Rand`, different fast (non-cryptographically secure) RNG implementations like RomuRand
+- `ShMem`, a platform independent shard memory implementation
+- `Tuples`, a compiletime tuple implementation
+
+... and much more.
+
+### `libafl_sugar`
 
 The sugar crate abstracts away most of the complexity of LibAFL's API.
 Instead of high flexibility, it aims to be high-level and easy-to-use.
 It is not as flexible as stitching your fuzzer together from each individual component, but allows you to build a fuzzer with minimal lines of code.
 To see it in action, take a look at the [`libfuzzer_stb_image_sugar` example fuzzer](https://github.com/AFLplusplus/LibAFL/tree/main/fuzzers/libfuzzer_stb_image_sugar).
 
-### libafl_derive
+### `libafl_derive`
 
 This a proc-macro crate paired with the `libafl` crate.
 
 At the moment, it just exposes the `derive(SerdeAny)` macro that can be used to define Metadata structs, see the section about [Metadata](../design/metadata.md) for details.
 
-### libafl_targets
+### `libafl_targets`
 
 This crate exposes code to interact with, and to instrument, targets.
 To enable and disable features at compile-time, the features are enabled and disabled using feature flags.
@@ -52,36 +67,36 @@ To enable and disable features at compile-time, the features are enabled and dis
 Currently, the supported flags are:
 
 - `pcguard_edges` defines the SanitizerCoverage trace-pc-guard hooks to track the executed edges in a map.
-- `pcguard_hitcounts defines the SanitizerCoverage trace-pc-guard hooks to track the executed edges with the hitcounts (like AFL) in a map.
+- `pcguard_hitcounts` defines the SanitizerCoverage trace-pc-guard hooks to track the executed edges with the hitcounts (like AFL) in a map.
 - `libfuzzer` exposes a compatibility layer with libFuzzer style harnesses.
 - `value_profile` defines the SanitizerCoverage trace-cmp hooks to track the matching bits of each comparison in a map.
 
-### libafl_cc
+### `libafl_cc`
 
-This is a library that provides utils wrap compilers and create source-level fuzzers.
+This is a library that provides utils to wrap compilers and create source-level fuzzers.
 
 At the moment, only the Clang compiler is supported.
 To understand it deeper, look through the tutorials and examples.
 
-### libafl_frida
+### `libafl_frida`
 
 This library bridges LibAFL with Frida as instrumentation backend.
 With this crate, you can instrument targets on Linux/macOS/Windows/Android for coverage collection.
 Additionally, it supports CmpLog, and AddressSanitizer instrumentation and runtimes for aarch64.
 See further information, as well as usage instructions, [later in the book](../advanced_features/frida.md).
 
-### libafl_qemu
+### `libafl_qemu`
 
 This library bridges LibAFL with QEMU user-mode to fuzz ELF cross-platform binaries.
 
 It works on Linux and can collect edge coverage without collisions!
 It also supports a wide range of hooks and instrumentation options.
 
-### libafl_nyx
+### `libafl_nyx`
 
 [Nyx](https://nyx-fuzz.com/) is a KVM-based snapshot fuzzer. `libafl_nyx` adds these capabilities to LibAFL. There is a specific section explaining usage of libafl_nyx [later in the book](../advanced_features/nyx.md).
 
-### libafl_concolic
+### `libafl_concolic`
 
 Concolic fuzzing is the combination of fuzzing and a symbolic execution engine.
 This can reach greater depth than normal fuzzing, and is exposed in this crate.

docs/src/getting_started/setup.md

@@ -11,15 +11,15 @@ The first step is to download LibAFL and all dependencies that are not automatic
 > previous command. Additionally, PowerShell-specific examples will use `>`
 > rather than `$`.
 
-While you technically do not need to install LibAFL, but can use the version from crates.io directly, we do recommend to download or clone the GitHub version.
+While technically you do not need to install LibAFL, but can use the version from crates.io directly, we do recommend to download or clone the GitHub version.
 This gets you the example fuzzers, additional utilities, and latest patches.
 The easiest way to do this is to use `git`.
 
 ```sh
-$ git clone git@github.com:AFLplusplus/LibAFL.git
+$ git clone https://github.com/AFLplusplus/LibAFL.git
 ```
 
-You can alternatively, on a UNIX-like machine, download a compressed archive and extract it with:
+Alternatively, on a UNIX-like machine, you can download a compressed archive and extract it with:
 
 ```sh
 wget https://github.com/AFLplusplus/LibAFL/archive/main.tar.gz
@@ -31,7 +31,7 @@ $ ls LibAFL-main # this is the extracted folder
 ## Clang installation
 
 One of the external dependencies of LibAFL is the Clang C/C++ compiler.
-While most of the code is in pure Rust, we still need a C compiler because stable Rust still does not support features that some parts of LibAFL may need, such as weak linking, and LLVM builtins linking.
+While most of the code is written in pure Rust, we still need a C compiler because stable Rust still does not support features that some parts of LibAFL may need, such as weak linking, and LLVM builtins linking.
 For these parts, we use C to expose the missing functionalities to our Rust codebase.
 
 In addition, if you want to perform source-level fuzz testing of C/C++ applications,

docs/src/introduction.md

@@ -4,10 +4,10 @@ Fuzzers are important tools for security researchers and developers alike.
 A wide range of state-of-the-art tools like [AFL++](https://github.com/AFLplusplus/AFLplusplus), [libFuzzer](https://llvm.org/docs/LibFuzzer.html) or [honggfuzz](https://github.com/google/honggfuzz) are available to users. They do their job in a very effective way, finding thousands of bugs.
 
 From the perspective of a power user, however, these tools are limited.
-Their design does not treat extensibility as a first-class citizen.
+Their designs do not treat extensibility as a first-class citizen.
 Usually, a fuzzer developer can choose to either fork one of these existing tools, or to create a new fuzzer from scratch.
 In any case, researchers end up with tons of fuzzers, all of which are incompatible with each other.
-Their outstanding features can not just be combined for new projects.
+Their outstanding features cannot just be combined for new projects.
 By reinventing the wheel over and over, we may completely miss out on features that are complex to reimplement.
 
 To tackle this issue, we created LibAFL, a library that is _not just another fuzzer_, but a collection of reusable pieces for individual fuzzers.
@@ -24,11 +24,11 @@ Some highlight features currently include:
 This means it does not require a specific OS-dependent runtime to function.
 Define an allocator and a way to map pages, and you are good to inject LibAFL in obscure targets like embedded devices, hypervisors, or maybe even WebAssembly?
 - `adaptable`: Given years of experience fine-tuning *AFLplusplus* and our academic fuzzing background, we could incorporate recent fuzzing trends into LibAFL's design and make it future-proof.
-To give an example, as opposed to old-skool fuzzers, a `BytesInput` is just one of the potential forms of inputs:
+To give an example, as opposed to old-school fuzzers, a `BytesInput` is just one of the potential forms of inputs:
 feel free to use and mutate an Abstract Syntax Tree instead, for structured fuzzing.
 - `scalable`: As part of LibAFL, we developed `Low Level Message Passing`, `LLMP` for short, which allows LibAFL to scale almost linearly over cores. That is, if you chose to use this feature - it is your fuzzer, after all.
 Scaling to multiple machines over TCP is also possible, using LLMP's `broker2broker` feature.
 - `fast`: We do everything we can at compile time so that the runtime overhead is as minimal as it can get.
-- `bring your own target`: We support binary-only modes, like QEMU-Mode and Frida-Mode with ASAN and CmpLog, as well as multiple compilation passes for sourced-based instrumentation.
+- `bring your own target`: We support binary-only modes, like (full-system) QEMU-Mode and Frida-Mode with ASan and CmpLog, as well as multiple compilation passes for sourced-based instrumentation.
 Of course, we also support custom instrumentation, as you can see in the Python example based on Google's Atheris.
 - `usable`: This one is on you to decide. Dig right in!

docs/src/libafl.md

@@ -1,11 +1,11 @@
 # The LibAFL Fuzzing Library
 
- <img align="right" src="https://github.com/AFLplusplus/Website/raw/master/static/logo_256x256.png" alt="AFL++ Logo">
+ <img align="right" src="https://raw.githubusercontent.com/AFLplusplus/Website/main/static/libafl_logo.svg" alt="LibAFL Logo" style="width: 256px; height: auto">
 
 *by Andrea Fioraldi and Dominik Maier*
 
 Welcome to LibAFL, the Advanced Fuzzing Library.
-This book shall be a gentle introduction into the library.
+This book shall be a gentle introduction to the library.
 
 This version of the LibAFL book is coupled with the release 1.0 beta of the library.
 

docs/src/message_passing/configurations.md

@@ -3,7 +3,7 @@
 Configurations for individual fuzzer nodes are relevant for multi node fuzzing.
 The chapter describes how to run nodes with different configurations
 in one fuzzing cluster.
-This allows, for example, a node compiled with ASAN, to know that it needs to rerun new testcases for a node without ASAN, while the same binary/configuration does not.
+This allows, for example, a node compiled with ASan, to know that it needs to rerun new testcases for a node without ASan, while the same binary/configuration does not.
 
 Fuzzers with the same configuration can exchange Observers for new testcases and reuse them without rerunning the input.
 A different configuration indicates, that only the raw input can be exchanged, it must be rerun on the other node to capture relevant observations.

docs/src/message_passing/message_passing.md

@@ -1,8 +1,8 @@
 # Message Passing
 
-LibAFL offers a standard mechanism for message passing over processes and machines with a low overhead.
+LibAFL offers a standard mechanism for message passing between processes and machines with a low overhead.
 We use message passing to inform the other connected clients/fuzzers/nodes about new testcases, metadata, and statistics about the current run.
-Depending on individual needs, LibAFL can also write testcase contents to disk, while still using events to notify other fuzzers, using an `OnDiskCorpus`.
+Depending on individual needs, LibAFL can also write testcase contents to disk, while still using events to notify other fuzzers, using the `CachedOnDiskCorpus` or similar.
 
 In our tests, message passing scales very well to share new testcases and metadata between multiple running fuzzer instances for multi-core fuzzing.
 Specifically, it scales _a lot_ better than using memory locks on a shared corpus, and _a lot_ better than sharing the testcases via the filesystem, as AFL traditionally does.
@@ -12,7 +12,7 @@ The `EventManager` interface is used to send Events over the wire using `Low Lev
 
 ## Low Level Message Passing (LLMP)
 
-LibAFL comes with a reasonably lock-free message passing mechanism that scales well across cores and, using its *broker2broker* mechanism, even to connected machines via TCP.
+LibAFL comes with a reasonably lock-free message passing mechanism that scales well across cores and, using its _broker2broker_ mechanism, even to connected machines via TCP.
 Most example fuzzers use this mechanism, and it is the best `EventManager` if you want to fuzz on more than a single core.
 In the following, we will describe the inner workings of `LLMP`.
 
@@ -28,12 +28,12 @@ Shared maps, called shared memory for the sake of not colliding with Rust's `map
 Each client, usually a fuzzer trying to share stats and new testcases, maps an outgoing `ShMem` map.
 With very few exceptions, only this client writes to this map, therefore, we do not run in race conditions and can live without locks.
 The broker reads from all client's `ShMem` maps.
-It checks all incoming client maps periodically and then forwards new messages to its outgoing broadcast-`ShMem`, mapped by all connected clients.
+It periodically checks all incoming client maps and then forwards new messages to its outgoing broadcast-`ShMem`, mapped by all connected clients.
 
 To send new messages, a client places a new message at the end of their shared memory and then updates a static field to notify the broker.
 Once the outgoing map is full, the sender allocates a new `ShMem` using the respective `ShMemProvider`.
 It then sends the information needed to map the newly-allocated page in connected processes to the old page, using an end of page (`EOP`) message.
-Once the receiver maps the new page, flags it as safe for unmapping from the sending process (to avoid race conditions if we have more than a single EOP in a short time), and then continues to read from the new `ShMem`.
+Once the receiver maps the new page, it flags it as safe for unmapping by the sending process (to avoid race conditions if we have more than a single EOP in a short time), and then continues to read from the new `ShMem`.
 
 The schema for client's maps to the broker is as follows:
 
@@ -54,10 +54,10 @@ After the broker received a new message from clientN, (`clientN_out->current_id
 
 The clients periodically, for example after finishing `n` mutations, check for new incoming messages by checking if (`current_broadcast_map->current_id != last_message->message_id`).
 While the broker uses the same EOP mechanism to map new `ShMem`s for its outgoing map, it never unmaps old pages.
-This additional memory overhead serves a good purpose: by keeping all broadcast pages around, we make sure that new clients can join in on a fuzzing campaign at a later point in time
+This additional memory resources serve a good purpose: by keeping all broadcast pages around, we make sure that new clients can join in on a fuzzing campaign at a later point in time.
 They just need to re-read all broadcasted messages from start to finish.
 
-So the outgoing messages flow like this over the outgoing broadcast `Shmem`:
+So the outgoing messages flow is like this over the outgoing broadcast `Shmem`:
 
 ```text
 [broker]

docs/src/message_passing/spawn_instances.md

@@ -4,18 +4,18 @@ Multiple fuzzer instances can be spawned using different ways.
 
 ## Manually, via a TCP port
 
-The straightforward way to do Multi-Threading is to use the `LlmpRestartingEventManager`, specifically to use `setup_restarting_mgr_std`.
+The straightforward way to do Multi-Threading is to use the [`LlmpRestartingEventManager`](https://docs.rs/libafl/latest/libafl/events/llmp/struct.LlmpRestartingEventManager.html), specifically to use [`setup_restarting_mgr_std`](https://docs.rs/libafl/latest/libafl/events/llmp/fn.setup_restarting_mgr_std.html).
 It abstracts away all the pesky details about restarts on crash handling (for in-memory fuzzers) and multi-threading.
 With it, every instance you launch manually tries to connect to a TCP port on the local machine.
 
-If the port is not yet bound, this instance becomes the broker, itself binding to the port to await new clients.
+If the port is not yet bound, this instance becomes the broker, binding itself to the port to await new clients.
 
 If the port is already bound, the EventManager will try to connect to it.
 The instance becomes a client and can now communicate with all other nodes.
 
-Launching nodes manually has the benefit that you can have multiple nodes with different configurations, such as clients fuzzing with and without ASAN.
+Launching nodes manually has the benefit that you can have multiple nodes with different configurations, such as clients fuzzing with and without `ASan``.
 
-While it's called "restarting" manager, it uses `fork` on Unix operating systems as optimization and only actually restarts from scratch on Windows.
+While it's called "restarting" manager, it uses `fork` on Unix-like operating systems as optimization and only actually restarts from scratch on Windows.
 
 
 ## Automated, with Launcher
@@ -23,7 +23,7 @@ While it's called "restarting" manager, it uses `fork` on Unix operating systems
 The Launcher is the lazy way to do multiprocessing.
 You can use the Launcher builder to create a fuzzer that spawns multiple nodes with one click, all using restarting event managers and the same configuration.
 
-To use launcher, first you need to write an anonymous function `let mut run_client = |state: Option<_>, mut mgr, _core_id|{}`, which uses three parameters to create individual fuzzer. Then you can specify the `shmem_provider`,`broker_port`,`monitor`,`cores` and other stuff through `Launcher::builder()`:
+To use launcher, first you need to write an anonymous function `let mut run_client = |state: Option<_>, mut mgr, _core_id|{}`, which uses three parameters to create an individual fuzzer. Then you can specify the `shmem_provider`,`broker_port`,`monitor`,`cores` and other stuff through `Launcher::builder()`:
 
 ```rust,ignore
     Launcher::builder()
@@ -42,13 +42,17 @@ To use launcher, first you need to write an anonymous function `let mut run_clie
 This first starts a broker, then spawns `n` clients, according to the value passed to `cores`.
 The value is a string indicating the cores to bind to, for example, `0,2,5` or `0-3`.
 For each client, `run_client` will be called.
-On Windows, the Launcher will restart each client, while on Unix, it will use `fork`.
+If the launcher uses `fork`, it will hide child output, unless the settings indicate otherwise, or the `LIBAFL_DEBUG_OUTPUT` env variable is set.
+On Windows, the Launcher will restart each client, while on Unix-alikes, it will use `fork`.
 
 Advanced use-cases:
 
 1. To connect multiple nodes together via TCP, you can use the `remote_broker_addr`. this requires the `llmp_bind_public` compile-time feature for `LibAFL`.
-2. To use multiple launchers for individual configurations, you can set `spawn_broker` to `false` on all but one.
+2. To use multiple launchers for individual configurations, you can set `spawn_broker` to `false` on all instances but one.
 3. Launcher will not select the cores automatically, so you need to specify the `cores` that you want.
+4. On `Unix`, you can chose between a forking and non-forking version of Launcher by setting the `fork` feature in LibAFL. Some targets may not like forking, but it is faster than restarting processes from scratch. Windows will never fork.
+5. For simple debugging, first set the `LIBAFL_DEBUG_OUTPUT` env variable to see if a child process printed anything.
+6. For further debugging of fuzzer failures, it may make sense to replace `Launcher` temporarily with a [`SimpleEventManager`](https://docs.rs/libafl/latest/libafl/events/simple/struct.SimpleEventManager.html#method.new) and call your harness fn (`run_client(None, mgr, 0);`) directly, so that fuzzing runs in the same thread and is easier to debug, before moving back to `Launcher` after the bugfix.
 
 For more examples, you can check out `qemu_launcher` and `libfuzzer_libpng_launcher` in [`./fuzzers/`](https://github.com/AFLplusplus/LibAFL/tree/main/fuzzers).
 

docs/src/tutorial/tutorial.md

@@ -2,4 +2,4 @@
 
 In this chapter, we will build a custom fuzzer using the [Lain](https://github.com/microsoft/lain) mutator in Rust.
 
-This tutorial will introduce you in writing extensions to LibAFL like Feedbacks and Testcase's metadata.
+This tutorial will introduce you to writing extensions to LibAFL like Feedbacks and Testcase's metadata.

fuzzers/FRET/.gitignore

@@ -0,0 +1,4 @@
+*.qcow2
+corpus
+*.axf
+demo

fuzzers/FRET/Cargo.toml

@@ -0,0 +1,65 @@
+[package]
+name = "fret"
+version = "0.8.2"
+authors = ["Alwin Berger <alwin.berger@tu-dortmund.de>"]
+edition = "2021"
+
+[features]
+default = ["std", "snapshot_restore", "singlecore", "restarting", "do_hash_notify_state", "config_stg", "fuzz_int" ]
+std = []
+# Exec environemnt basics
+snapshot_restore = []
+snapshot_fast = [ "snapshot_restore" ]
+singlecore = []
+restarting = ['singlecore']
+run_until_saturation = []
+fuzz_int = []
+# information capture
+observe_edges = [] # observe cfg edges
+observe_hitcounts = [ "observe_edges" ] # reduces edge granularity
+observe_systemstate = []
+do_hash_notify_state = []
+trace_stg = [ "observe_systemstate" ]
+# feedbacks
+feed_stg = [ "trace_stg", "observe_systemstate" ]
+# feed_stg_edge = [ "feed_stg"]
+feed_stg_pathhash = [ "feed_stg"]
+feed_stg_abbhash = [ "feed_stg"]
+feed_stg_aggregatehash = [ "feed_stg"]
+mutate_stg = [ "observe_systemstate" ]
+feed_longest = [ ]
+feed_afl = [ "observe_edges" ]
+feed_genetic = []
+gensize_1 = [ ]
+gensize_10 = [ ]
+gensize_100 = [ ]
+# schedulers
+sched_genetic = []
+sched_afl = []
+sched_stg = []
+# sched_stg_edge = ['sched_stg'] # every edge in the stg
+sched_stg_pathhash = ['sched_stg'] # every path in the stg
+sched_stg_abbhash = ['sched_stg'] # every path of abbs
+sched_stg_aggregatehash = ['sched_stg'] # every aggregated path (order independent)
+# overall_configs
+config_genetic = ["gensize_100","feed_genetic","sched_genetic","trace_stg"]
+config_afl = ["feed_afl","sched_afl","observe_hitcounts","trace_stg"]
+config_frafl = ["feed_afl","sched_afl","feed_longest","trace_stg"]
+config_stg = ["feed_stg_aggregatehash","sched_stg_aggregatehash","mutate_stg"]
+
+[profile.release]
+lto = true
+codegen-units = 1
+debug = true
+
+[dependencies]
+libafl = { path = "../../libafl/" }
+libafl_bolts = { path = "../../libafl_bolts/" }
+libafl_qemu = { path = "../../libafl_qemu/", features = ["arm", "systemmode"] }
+serde = { version = "1.0", default-features = false, features = ["alloc"] } # serialization lib
+hashbrown =  { version = "0.14.0", features = ["serde"] } # A faster hashmap, nostd compatible
+petgraph = { version="0.6.4", features = ["serde-1"] }
+ron = "0.7" # write serialized data - including hashmaps
+rand = "0.5"
+clap = { version = "4.4.11", features = ["derive"] }
+csv = "1.3.0"

fuzzers/FRET/README.md

@@ -0,0 +1,26 @@
+# Qemu systemmode with launcher
+
+This folder contains an example fuzzer for the qemu systemmode, using LLMP for fast multi-process fuzzing and crash detection.
+
+## Build
+
+To build this example, run
+
+```bash
+cargo build --release
+cd example; sh build.sh; cd ..
+```
+
+This will build the the fuzzer (src/fuzzer.rs) and a small example binary based on FreeRTOS, which can run under a qemu emulation target.
+
+## Run
+
+Since the instrumentation is based on snapshtos QEMU needs a virtual drive (even if it is unused...).
+Create on and then run the fuzzer:
+```bash
+# create an image
+qemu-img create -f qcow2 dummy.qcow2 32M
+# run the fuzzer
+KERNEL=./example/example.elf target/release/qemu_systemmode -icount shift=auto,align=off,sleep=off -machine mps2-an385 -monitor null -kernel ./example/example.elf -serial null -nographic -snapshot -drive if=none,format=qcow2,file=dummy.qcow2 -S
+```
+Currently the ``KERNEL`` variable is needed because the fuzzer does not parse QEMUs arguments to find the binary.

fuzzers/FRET/benchmark/.gitignore

@@ -0,0 +1,12 @@
+*dump
+timedump*
+corpora
+build
+mnt
+.R*
+*.png
+*.pdf
+bins
+.snakemake
+*.zip
+*.tar.*

fuzzers/FRET/benchmark/Makefile

@@ -0,0 +1,57 @@
+TIME=7200
+
+corpora/%/seed:
+	mkdir -p $$(dirname $@)
+	LINE=$$(grep "^$$(basename $*)" target_symbols.csv); \
+	export \
+	KERNEL=benchmark/build/$*.elf \
+	FUZZ_MAIN=$$(echo $$LINE | cut -d, -f2) \
+	FUZZ_INPUT=$$(echo $$LINE | cut -d, -f3) \
+	FUZZ_INPUT_LEN=$$(echo $$LINE | cut -d, -f4) \
+	BREAKPOINT=$$(echo $$LINE | cut -d, -f5) \
+	SEED_DIR=benchmark/corpora/$* \
+	DUMP_SEED=seed; \
+	../fuzzer.sh
+
+timedump/%$(FUZZ_RANDOM)$(SUFFIX): corpora/%/seed
+	mkdir -p $$(dirname $@)
+	LINE=$$(grep "^$$(basename $*)" target_symbols.csv); \
+	export \
+	KERNEL=benchmark/build/$*.elf \
+	FUZZ_MAIN=$$(echo $$LINE | cut -d, -f2) \
+	FUZZ_INPUT=$$(echo $$LINE | cut -d, -f3) \
+	FUZZ_INPUT_LEN=$$(echo $$LINE | cut -d, -f4) \
+	BREAKPOINT=$$(echo $$LINE | cut -d, -f5) \
+	SEED_RANDOM=1 \
+	TIME_DUMP=benchmark/$@ \
+	CASE_DUMP=benchmark/$@; \
+	../fuzzer.sh + + + + + $(TIME) + + + > $@_log
+	#SEED_DIR=benchmark/corpora/$*
+
+all_sequential: timedump/sequential/mpeg2$(FUZZ_RANDOM) timedump/sequential/dijkstra$(FUZZ_RANDOM) timedump/sequential/epic$(FUZZ_RANDOM) \
+	timedump/sequential/g723_enc$(FUZZ_RANDOM) timedump/sequential/audiobeam$(FUZZ_RANDOM) \
+	timedump/sequential/gsm_enc$(FUZZ_RANDOM)
+
+all_kernel: timedump/kernel/bsort$(FUZZ_RANDOM) timedump/kernel/insertsort$(FUZZ_RANDOM) #timedump/kernel/fft$(FUZZ_RANDOM)
+
+all_app: timedump/app/lift$(FUZZ_RANDOM)
+
+all_system: timedump/lift$(FUZZ_RANDOM)$(SUFFIX)
+
+all_period: timedump/waters$(FUZZ_RANDOM)$(SUFFIX)
+
+tacle_rtos: timedump/tacle_rtos$(FUZZ_RANDOM)
+
+graphics:
+	Rscript --vanilla plot_comparison.r mnt/timedump/sequential audiobeam
+	Rscript --vanilla plot_comparison.r mnt/timedump/sequential dijkstra
+	Rscript --vanilla plot_comparison.r mnt/timedump/sequential epic
+	Rscript --vanilla plot_comparison.r mnt/timedump/sequential g723_enc
+	# Rscript --vanilla plot_comparison.r mnt/timedump/sequential gsm_enc
+	# Rscript --vanilla plot_comparison.r mnt/timedump/sequential huff_dec
+	Rscript --vanilla plot_comparison.r mnt/timedump/sequential mpeg2
+	# Rscript --vanilla plot_comparison.r mnt/timedump/sequential rijndael_dec
+	# Rscript --vanilla plot_comparison.r mnt/timedump/sequential rijndael_enc
+
+clean:
+	rm -rf corpora timedump

fuzzers/FRET/benchmark/Snakefile

@@ -0,0 +1,272 @@
+import csv
+import os
+def_flags="--no-default-features --features std,snapshot_restore,singlecore,restarting,do_hash_notify_state"
+remote="remote/"
+RUNTIME=1800
+TARGET_REPS_A=2
+TARGET_REPS_B=2
+NUM_NODES=2
+REP_PER_NODE_A=int(TARGET_REPS_A/NUM_NODES)
+REP_PER_NODE_B=int(TARGET_REPS_B/NUM_NODES)
+NODE_ID= 0 if os.getenv('NODE_ID') == None else int(os.environ['NODE_ID'])
+MY_RANGE_A=range(NODE_ID*REP_PER_NODE_A,(NODE_ID+1)*REP_PER_NODE_A)
+MY_RANGE_B=range(NODE_ID*REP_PER_NODE_B,(NODE_ID+1)*REP_PER_NODE_B)
+
+rule build_showmap:
+    output:
+        directory("bins/target_showmap")
+    shell:
+        "cargo build --target-dir {output} {def_flags},config_stg"
+
+rule build_random:
+    output:
+        directory("bins/target_random")
+    shell:
+        "cargo build --target-dir {output} {def_flags},feed_longest"
+
+rule build_frafl:
+    output:
+        directory("bins/target_frafl")
+    shell:
+        "cargo build --target-dir {output} {def_flags},config_frafl,feed_longest"
+
+rule build_afl:
+    output:
+        directory("bins/target_afl")
+    shell:
+        "cargo build --target-dir {output} {def_flags},config_afl,observer_hitcounts"
+
+rule build_stg:
+    output:
+        directory("bins/target_stg")
+    shell:
+        "cargo build --target-dir {output} {def_flags},config_stg"
+
+rule build_stgpath:
+    output:
+        directory("bins/target_stgpath")
+    shell:
+        "cargo build --target-dir {output} {def_flags},feed_stg_abbhash,sched_stg_abbhash,mutate_stg"
+
+rule build_showmap_int:
+    output:
+        directory("bins/target_showmap_int")
+    shell:
+        "cargo build --target-dir {output} {def_flags},config_stg,fuzz_int"
+
+rule build_random_int:
+    output:
+        directory("bins/target_random_int")
+    shell:
+        "cargo build --target-dir {output} {def_flags},feed_longest,fuzz_int"
+
+
+rule build_frafl_int:
+    output:
+        directory("bins/target_frafl_int")
+    shell:
+        "cargo build --target-dir {output} {def_flags},config_frafl,fuzz_int"
+
+rule build_afl_int:
+    output:
+        directory("bins/target_afl_int")
+    shell:
+        "cargo build --target-dir {output} {def_flags},config_afl,fuzz_int,"
+
+rule build_stg_int:
+    output:
+        directory("bins/target_stg_int")
+    shell:
+        "cargo build --target-dir {output} {def_flags},config_stg,fuzz_int"
+
+rule build_stgpath_int:
+    output:
+        directory("bins/target_stgpath_int")
+    shell:
+        "cargo build --target-dir {output} {def_flags},feed_stg_abbhash,sched_stg_abbhash,mutate_stg,fuzz_int"
+
+rule build_feedgeneration1:
+    output:
+        directory("bins/target_feedgeneration1")
+    shell:
+        "cargo build --target-dir {output} {def_flags},feed_genetic,gensize_1"
+
+rule build_feedgeneration1_int:
+    output:
+        directory("bins/target_feedgeneration1_int")
+    shell:
+        "cargo build --target-dir {output} {def_flags},feed_genetic,fuzz_int,gensize_1"
+
+rule build_feedgeneration10:
+    output:
+        directory("bins/target_feedgeneration10")
+    shell:
+        "cargo build --target-dir {output} {def_flags},feed_genetic,gensize_10"
+
+rule build_feedgeneration10_int:
+    output:
+        directory("bins/target_feedgeneration10_int")
+    shell:
+        "cargo build --target-dir {output} {def_flags},feed_genetic,fuzz_int,gensize_10"
+
+rule build_feedgeneration100:
+    output:
+        directory("bins/target_feedgeneration100")
+    shell:
+        "cargo build --target-dir {output} {def_flags},config_genetic,gensize_100"
+
+rule build_feedgeneration100_int:
+    output:
+        directory("bins/target_feedgeneration100_int")
+    shell:
+        "cargo build --target-dir {output} {def_flags},config_genetic,fuzz_int,gensize_100"
+
+rule run_bench:
+    input:
+        "build/{target}.elf",
+        "bins/target_{fuzzer}"
+    output:
+        multiext("timedump/{fuzzer}/{target}#{num}", ".time", ".log") # , ".case"
+    run:
+        with open('target_symbols.csv') as csvfile:
+            reader = csv.DictReader(csvfile)
+            line = next((x for x in reader if x['kernel']==wildcards.target), None)
+            if line == None:
+                return False
+            kernel=line['kernel']
+            fuzz_main=line['main_function']
+            fuzz_input=line['input_symbol']
+            fuzz_len=line['input_size']
+            bkp=line['return_function']
+            if wildcards.fuzzer.find('random') >= 0:
+                script="""
+                    export RUST_BACKTRACE=1
+                    mkdir -p $(dirname {output[0]})
+                    set +e
+                    echo $(pwd)/{input[1]}/debug/fret -n $(pwd)/timedump/{wildcards.fuzzer}/{wildcards.target}#{wildcards.num} -t -a -g -k {input[0]} -c ./target_symbols.csv fuzz --random -t {RUNTIME} -s {wildcards.num}
+                    $(pwd)/{input[1]}/debug/fret -n $(pwd)/timedump/{wildcards.fuzzer}/{wildcards.target}#{wildcards.num} -t -a -g -k {input[0]} -c ./target_symbols.csv fuzz --random -t {RUNTIME} -s {wildcards.num} > {output[1]} 2>&1
+                    exit 0
+                    """
+            else:
+                script="""
+                    export RUST_BACKTRACE=1
+                    mkdir -p $(dirname {output[0]})
+                    set +e
+                    echo $(pwd)/{input[1]}/debug/fret -n $(pwd)/timedump/{wildcards.fuzzer}/{wildcards.target}#{wildcards.num} -t -a -g -k {input[0]} -c ./target_symbols.csv fuzz -t {RUNTIME} -s {wildcards.num}
+                    $(pwd)/{input[1]}/debug/fret -n $(pwd)/timedump/{wildcards.fuzzer}/{wildcards.target}#{wildcards.num} -t -a -g -k {input[0]} -c ./target_symbols.csv fuzz -t {RUNTIME} -s {wildcards.num} > {output[1]} 2>&1
+                    exit 0
+                    """
+            shell(script)
+
+rule run_showmap:
+    input:
+        "{remote}build/{target}.elf",
+        "bins/target_showmap",
+        "bins/target_showmap_int",
+        "{remote}timedump/{fuzzer}/{target}#{num}.case"
+    output:
+        "{remote}timedump/{fuzzer}/{target}#{num}_case.trace.ron",
+        "{remote}timedump/{fuzzer}/{target}#{num}_case.time",
+    run:
+        with open('target_symbols.csv') as csvfile:
+            reader = csv.DictReader(csvfile)
+            line = next((x for x in reader if x['kernel']==wildcards.target), None)
+            if line == None:
+                return False
+            kernel=line['kernel']
+            fuzz_main=line['main_function']
+            fuzz_input=line['input_symbol']
+            fuzz_len=line['input_size']
+            bkp=line['return_function']
+            script=""
+            if wildcards.fuzzer.find('_int') > -1:
+                script="export FUZZER=$(pwd)/{input[2]}/debug/fret\n"
+            else:
+                script="export FUZZER=$(pwd)/{input[1]}/debug/fret\n"
+            script+="""
+                mkdir -p $(dirname {output})
+                set +e
+                echo $(pwd)/{input[1]}/debug/fret -n $(pwd)/{remote}/timedump/{wildcards.fuzzer}/{wildcards.target}#{wildcards.num}_case -t -a -r -g -k {input[0]} -c ./target_symbols.csv showmap -i {input[3]}
+                $(pwd)/{input[1]}/debug/fret -n $(pwd)/{remote}/timedump/{wildcards.fuzzer}/{wildcards.target}#{wildcards.num}_case -t -a -r -g -k {input[0]} -c ./target_symbols.csv showmap -i {input[3]}
+                exit 0
+                """
+            if wildcards.fuzzer.find('random') >= 0:
+                script="export FUZZ_RANDOM=1\n"+script
+            shell(script)
+
+rule tarnsform_trace:
+    input:
+        "{remote}timedump/{fuzzer}/{target}.{num}.trace.ron"
+    output:
+        "{remote}timedump/{fuzzer}/{target}.{num}.trace.csv"
+    shell:
+        "$(pwd)/../../../../state2gantt/target/debug/state2gantt {input} > {output[0]}"
+
+rule trace2gantt:
+    input:
+        "{remote}timedump/{fuzzer}/{target}.{num}.trace.csv"
+    output:
+        "{remote}timedump/{fuzzer}/{target}.{num}.trace.csv.png"
+    shell:
+        "Rscript --vanilla $(pwd)/../../../../state2gantt/gantt.R {input}"
+
+rule all_main:
+    input:
+        expand("timedump/{fuzzer}/{target}.{num}", fuzzer=['random','afl','feedgeneration10','state'], target=['waters','watersv2'],num=range(0,3))
+
+rule all_main_int:
+    input:
+        expand("timedump/{fuzzer}/{target}.{num}", fuzzer=['random_int','afl_int','feedgeneration10_int','state_int'], target=['waters_int','watersv2_int'],num=range(0,4))
+
+rule all_compare_feedgeneration:
+    input:
+        expand("timedump/{fuzzer}/{target}.{num}", fuzzer=['feedgeneration1','feedgeneration10','feedgeneration100'], target=['waters_int','watersv2'],num=range(0,10))
+
+rule all_compare_feedgeneration_int:
+    input:
+        expand("timedump/{fuzzer}/{target}.{num}", fuzzer=['feedgeneration1_int','feedgeneration10_int','feedgeneration100_int'], target=['waters_int','watersv2_int'],num=range(0,10))
+
+rule all_compare_afl:
+    input:
+        expand("timedump/{fuzzer}/{target}.{num}", fuzzer=['afl','frafl','feedlongest'], target=['waters','watersv2'],num=range(0,10))
+
+rule all_compare_afl_int:
+    input:
+        expand("timedump/{fuzzer}/{target}.{num}", fuzzer=['afl_int','frafl_int','feedlongest_int'], target=['waters_int','watersv2_int'],num=range(0,10))
+
+rule all_images:
+    input:
+        expand("{remote}timedump/{fuzzer}/{target}.{num}.trace.csv.png",remote=remote, fuzzer=['afl','feedgeneration10','state'], target=['waters','watersv2'],num=range(0,3))
+
+rule all_images_int:
+    input:
+        expand("{remote}timedump/{fuzzer}/{target}.{num}.trace.csv.png",remote=remote, fuzzer=['afl_int','feedgeneration10_int','state_int'], target=['waters_int','watersv2_int'],num=range(0,3))
+
+rule clusterfuzz:
+    input:
+        expand("timedump/{fuzzer}/{target}.{num}", fuzzer=['random','afl','feedgeneration10','state'], target=['waters','watersv2'],num=MY_RANGE_A),
+        expand("timedump/{fuzzer}/{target}.{num}", fuzzer=['random_int','afl_int','feedgeneration10_int','state_int'], target=['waters_int','watersv2_int'],num=MY_RANGE_A),
+        expand("timedump/{fuzzer}/{target}.{num}", fuzzer=['feedgeneration1','feedgeneration10','feedgeneration100'], target=['waters_int','watersv2'],num=MY_RANGE_B),
+        expand("timedump/{fuzzer}/{target}.{num}", fuzzer=['feedgeneration1_int','feedgeneration10_int','feedgeneration100_int'], target=['waters_int','watersv2_int'],num=MY_RANGE_B),
+        expand("timedump/{fuzzer}/{target}.{num}", fuzzer=['afl','frafl','feedlongest'], target=['waters','watersv2'],num=MY_RANGE_B),
+        expand("timedump/{fuzzer}/{target}.{num}", fuzzer=['afl_int','frafl_int','feedlongest_int'], target=['waters_int','watersv2_int'],num=MY_RANGE_B),
+
+rule all_new:
+    input:
+        expand("timedump/{fuzzer}/{target}#{num}.time", fuzzer=['feedgeneration100', 'frafl', 'stg'], target=['waters', 'watersv2'],num=range(0,3)),
+        expand("timedump/{fuzzer}/{target}#{num}.time", fuzzer=['feedgeneration100_int', 'frafl_int', 'stg_int'], target=['waters_int', 'watersv2_int'],num=range(0,3)),
+        expand("timedump/{fuzzer}/{target}#{num}.time", fuzzer=['random', 'stgpath'], target=['waters', 'watersv2'],num=range(0,3)),
+        expand("timedump/{fuzzer}/{target}#{num}.time", fuzzer=['random_int', 'stgpath_int'], target=['waters_int', 'watersv2_int'],num=range(0,3))
+
+rule all_showmap:
+    input:
+        expand("{remote}timedump/{fuzzer}/{target}#{num}_case.trace.ron",remote=remote, fuzzer=['frafl', 'stg'], target=['watersv2'],num=range(2,3)),
+        expand("{remote}timedump/{fuzzer}/{target}#{num}_case.trace.ron",remote=remote, fuzzer=['frafl_int', 'stg_int'], target=['watersv2_int'],num=range(0,3)),
+        expand("{remote}timedump/{fuzzer}/{target}#{num}_case.trace.ron",remote=remote, fuzzer=['random', 'stgpath'], target=['watersv2'],num=range(0,1)),
+        expand("{remote}timedump/{fuzzer}/{target}#{num}_case.trace.ron",remote=remote, fuzzer=['random_int', 'stgpath_int'], target=['watersv2_int'],num=range(0,1))
+
+    
+
+rule all_bins:
+    input:
+        expand("bins/target_{target}{flag}",target=['random','frafl','stg','stgpath','feedgeneration100'],flag=['','_int'])

fuzzers/FRET/benchmark/build_all_demos.sh

@@ -0,0 +1,17 @@
+make -C ../../../../FreeRTOS/FreeRTOS/Demo/CORTEX_M3_MPS2_QEMU_GCC clean && make -C ../../../../FreeRTOS/FreeRTOS/Demo/CORTEX_M3_MPS2_QEMU_GCC WATERS_DEMO=1 INTERRUPT_ACTIVATION=1
+cp ../../../../FreeRTOS/FreeRTOS/Demo/CORTEX_M3_MPS2_QEMU_GCC/build/RTOSDemo.axf build/waters_int.elf 
+
+make -C ../../../../FreeRTOS/FreeRTOS/Demo/CORTEX_M3_MPS2_QEMU_GCC clean && make -C ../../../../FreeRTOS/FreeRTOS/Demo/CORTEX_M3_MPS2_QEMU_GCC WATERS_DEMO=1 INTERRUPT_ACTIVATION=0
+cp ../../../../FreeRTOS/FreeRTOS/Demo/CORTEX_M3_MPS2_QEMU_GCC/build/RTOSDemo.axf build/waters.elf 
+
+make -C ../../../../FreeRTOS/FreeRTOS/Demo/CORTEX_M3_MPS2_QEMU_GCC clean && make -C ../../../../FreeRTOS/FreeRTOS/Demo/CORTEX_M3_MPS2_QEMU_GCC WATERSV2_DEMO=1 INTERRUPT_ACTIVATION=1
+cp ../../../../FreeRTOS/FreeRTOS/Demo/CORTEX_M3_MPS2_QEMU_GCC/build/RTOSDemo.axf build/watersv2_int.elf 
+
+make -C ../../../../FreeRTOS/FreeRTOS/Demo/CORTEX_M3_MPS2_QEMU_GCC clean && make -C ../../../../FreeRTOS/FreeRTOS/Demo/CORTEX_M3_MPS2_QEMU_GCC WATERSV2_DEMO=1 INTERRUPT_ACTIVATION=0
+cp ../../../../FreeRTOS/FreeRTOS/Demo/CORTEX_M3_MPS2_QEMU_GCC/build/RTOSDemo.axf build/watersv2.elf 
+
+make -C ../../../../FreeRTOS/FreeRTOS/Demo/CORTEX_M3_MPS2_QEMU_GCC clean && make -C ../../../../FreeRTOS/FreeRTOS/Demo/CORTEX_M3_MPS2_QEMU_GCC INTERACT_DEMO=1 INTERRUPT_ACTIVATION=1
+cp ../../../../FreeRTOS/FreeRTOS/Demo/CORTEX_M3_MPS2_QEMU_GCC/build/RTOSDemo.axf build/interact_int.elf 
+
+make -C ../../../../FreeRTOS/FreeRTOS/Demo/CORTEX_M3_MPS2_QEMU_GCC clean && make -C ../../../../FreeRTOS/FreeRTOS/Demo/CORTEX_M3_MPS2_QEMU_GCC INTERACT_DEMO=1 INTERRUPT_ACTIVATION=0
+cp ../../../../FreeRTOS/FreeRTOS/Demo/CORTEX_M3_MPS2_QEMU_GCC/build/RTOSDemo.axf build/interact.elf 

fuzzers/FRET/benchmark/logtail.sh

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+find $1 -type 'f' -iname "${2}#*.log" | while IFS="" read -r p || [ -n "$p" ]
+do
+    LINE=$(tail -n 100 $p | grep -io "run time: .* corpus: [0-9]*" | tail -n 1)
+    echo $p: $LINE
+    LINE=$(grep -i "interesting corpus elements" $p | tail -n 1)
+    echo $p: $LINE
+done

fuzzers/FRET/benchmark/plot_all_benchmarks.sh

@@ -0,0 +1,7 @@
+Rscript plot_multi.r remote waters ~/code/FRET/LibAFL/fuzzers/FRET/benchmark/remote &
+Rscript plot_multi.r remote waters_int ~/code/FRET/LibAFL/fuzzers/FRET/benchmark/remote &
+Rscript plot_multi.r remote watersv2 ~/code/FRET/LibAFL/fuzzers/FRET/benchmark/remote &
+Rscript plot_multi.r remote watersv2_int ~/code/FRET/LibAFL/fuzzers/FRET/benchmark/remote &
+Rscript plot_multi.r remote interact ~/code/FRET/LibAFL/fuzzers/FRET/benchmark/remote &
+Rscript plot_multi.r remote interact_int ~/code/FRET/LibAFL/fuzzers/FRET/benchmark/remote &
+wait

fuzzers/FRET/benchmark/plot_all_traces.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+find ./remote/timedump -type 'f' -iregex '.*case' | while IFS="" read -r p || [ -n "$p" ]
+do
+    N=$(dirname "$p")/$(basename -s .case "$p")
+    T="${N}_case.trace.ron"
+    P="${N}_case"
+    echo $N
+    if [ ! -f "$T" ]; then
+        snakemake -c1 "$T"
+    fi
+    if [ ! -f "$P.html" ]; then
+        ~/code/FRET/state2gantt/driver.sh "$T"
+    fi
+done

fuzzers/FRET/benchmark/plot_comparison.r

@@ -0,0 +1,83 @@
+library("mosaic")
+args = commandArgs(trailingOnly=TRUE)
+
+#myolors=c("#339933","#0066ff","#993300") # grün, balu, rot
+myolors=c("dark green","dark blue","dark red", "yellow") # grün, balu, rot
+
+if (length(args)==0) {
+  runtype="timedump"
+  target="waters"
+  filename_1=sprintf("%s.png",target)
+  filename_2=sprintf("%s_maxline.png",target)
+  filename_3=sprintf("%s_hist.png",target)
+} else {
+  runtype=args[1]
+  target=args[2]
+  filename_1=sprintf("%s.png",args[2])
+  filename_2=sprintf("%s_maxline.png",args[2])
+  filename_3=sprintf("%s_hist.png",args[2])
+  # filename_1=args[3]
+}
+
+file_1=sprintf("~/code/FRET/LibAFL/fuzzers/FRET/benchmark/%s/%s_state",runtype,target)
+file_2=sprintf("~/code/FRET/LibAFL/fuzzers/FRET/benchmark/%s/%s_afl",runtype,target)
+file_3=sprintf("~/code/FRET/LibAFL/fuzzers/FRET/benchmark/%s/%s_random",runtype,target)
+file_4=sprintf("~/code/FRET/LibAFL/fuzzers/FRET/benchmark/%s/%s_graph",runtype,target)
+timetrace <- read.table(file_1, quote="\"", comment.char="")
+timetrace_afl <- read.table(file_2, quote="\"", comment.char="")
+timetrace_rand <- read.table(file_3, quote="\"", comment.char="")
+timetrace_graph <- read.table(file_4, quote="\"", comment.char="")
+timetrace[[2]]=seq_len(length(timetrace[[1]]))
+timetrace_afl[[2]]=seq_len(length(timetrace_afl[[1]]))
+timetrace_rand[[2]]=seq_len(length(timetrace_rand[[1]]))
+timetrace_graph[[2]]=seq_len(length(timetrace_graph[[1]]))
+names(timetrace)[1] <- "timetrace"
+names(timetrace)[2] <- "iter"
+names(timetrace_afl)[1] <- "timetrace"
+names(timetrace_afl)[2] <- "iter"
+names(timetrace_rand)[1] <- "timetrace"
+names(timetrace_rand)[2] <- "iter"
+names(timetrace_graph)[1] <- "timetrace"
+names(timetrace_graph)[2] <- "iter"
+
+png(file=filename_1)
+# pdf(file=filename_1,width=8, height=8)
+plot(timetrace[[2]],timetrace[[1]], col=myolors[1], xlab="iters", ylab="wcet", pch='.')
+points(timetrace_afl[[2]],timetrace_afl[[1]], col=myolors[2], pch='.')
+points(timetrace_rand[[2]],timetrace_rand[[1]], col=myolors[3], pch='.')
+points(timetrace_graph[[2]],timetrace_graph[[1]], col=myolors[4], pch='.')
+abline(lm(timetrace ~ iter, data=timetrace),col=myolors[1])
+abline(lm(timetrace ~ iter, data=timetrace_afl),col=myolors[2])
+abline(lm(timetrace ~ iter, data=timetrace_rand),col=myolors[3])
+dev.off()
+
+png(file=filename_3)
+gf_histogram(~ timetrace,data=timetrace, fill=myolors[1]) %>%
+gf_histogram(~ timetrace,data=timetrace_afl, fill=myolors[2]) %>%
+gf_histogram(~ timetrace,data=timetrace_rand, fill=myolors[3]) %>%
+gf_histogram(~ timetrace,data=timetrace_graph, fill=myolors[4])
+dev.off()
+
+# Takes a flat list
+trace2maxline <- function(tr) {
+  maxline = tr
+  for (var in seq_len(length(maxline))[2:length(maxline)]) {
+    maxline[var] = max(maxline[var],maxline[var-1])
+  }
+  #plot(seq_len(length(maxline)),maxline,"l",xlab="Index",ylab="WOET")
+  return(maxline)
+}
+timetrace[[1]] <- trace2maxline(timetrace[[1]])
+timetrace_afl[[1]] <- trace2maxline(timetrace_afl[[1]])
+timetrace_rand[[1]] <- trace2maxline(timetrace_rand[[1]])
+timetrace_graph[[1]] <- trace2maxline(timetrace_graph[[1]])
+
+png(file=filename_2)
+plot(timetrace[[2]],timetrace[[1]], col=myolors[1], xlab="iters", ylab="wcet", pch='.')
+points(timetrace_afl[[2]],timetrace_afl[[1]], col=myolors[2], pch='.')
+points(timetrace_rand[[2]],timetrace_rand[[1]], col=myolors[3], pch='.')
+points(timetrace_graph[[2]],timetrace_graph[[1]], col=myolors[4], pch='.')
+#abline(lm(timetrace ~ iter, data=timetrace),col=myolors[1])
+#abline(lm(timetrace ~ iter, data=timetrace_afl),col=myolors[2])
+#abline(lm(timetrace ~ iter, data=timetrace_rand),col=myolors[3])
+dev.off()

fuzzers/FRET/benchmark/plot_multi.r

@@ -0,0 +1,335 @@
+library("mosaic")
+library("dplyr")
+library("foreach")
+library("doParallel")
+
+#setup parallel backend to use many processors
+cores=detectCores()
+cl <- makeCluster(cores[1]-1) #not to overload your computer
+registerDoParallel(cl)
+
+args = commandArgs(trailingOnly=TRUE)
+
+if (length(args)==0) {
+  runtype="remote"
+  #target="waters"
+  target="watersv2"
+  #target="waters_int"
+  #target="watersv2_int"
+  outputpath="~/code/FRET/LibAFL/fuzzers/FRET/benchmark/"
+  #MY_SELECTION <- c('state', 'afl', 'graph', 'random')
+  SAVE_FILE=TRUE
+} else {
+  runtype=args[1]
+  target=args[2]
+  outputpath=args[3]
+  #MY_SELECTION <- args[4:length(args)]
+  #if (length(MY_SELECTION) == 0)
+  #  MY_SELECTION<-NULL
+  SAVE_FILE=TRUE
+  print(runtype)
+  print(target)
+  print(outputpath)
+}
+worst_cases <- list(waters=0, waters_int=0, tmr=405669, micro_longint=0, gen3=0)
+worst_case <- worst_cases[[target]]
+if (is.null(worst_case)) {
+  worst_case = 0
+}
+
+#MY_COLORS=c("green","blue","red", "orange", "pink", "black")
+MY_COLORS <- c("green", "blue", "red", "magenta", "orange", "cyan", "pink", "gray", "orange", "black", "yellow","brown")
+BENCHDIR=sprintf("~/code/FRET/LibAFL/fuzzers/FRET/benchmark/%s",runtype)
+BASENAMES=Filter(function(x) x!="" && substr(x,1,1)!='.',list.dirs(BENCHDIR,full.names=FALSE))
+PATTERNS="%s#[0-9]*.time$"
+#RIBBON='sd'
+#RIBBON='span'
+RIBBON='both'
+DRAW_WC = worst_case > 0
+LEGEND_POS="bottomright"
+#LEGEND_POS="bottomright"
+CONTINUE_LINE_TO_END=FALSE
+
+# https://www.r-bloggers.com/2013/04/how-to-change-the-alpha-value-of-colours-in-r/
+alpha <- function(col, alpha=1){
+  if(missing(col))
+    stop("Please provide a vector of colours.")
+  apply(sapply(col, col2rgb)/255, 2, 
+        function(x) 
+          rgb(x[1], x[2], x[3], alpha=alpha))  
+}
+
+# Trimm a list of data frames to common length
+trim_data <- function(input,len=NULL) {
+  if (is.null(len)) {
+    len <- min(sapply(input, function(v) dim(v)[1]))
+  }
+  return(lapply(input, function(d) slice_head(d,n=len)))
+}
+
+length_of_data <- function(input) {
+  min(sapply(input, function(v) dim(v)[1]))
+}
+
+# Takes a flat list
+trace2maxline <- function(tr) {
+  maxline = tr
+  for (var in seq_len(length(maxline))[2:length(maxline)]) {
+    #if (maxline[var]>1000000000) {
+    #  maxline[var]=maxline[var-1]
+    #} else {
+      maxline[var] = max(maxline[var],maxline[var-1]) 
+    #}
+  }
+  #plot(seq_len(length(maxline)),maxline,"l",xlab="Index",ylab="WOET")
+  return(maxline)
+}
+
+# Take a list of data frames, output same form but maxlines
+data2maxlines <- function(tr) {
+  min_length <- min(sapply(tr, function(v) dim(v)[1]))
+  maxline <- tr
+  for (var in seq_len(length(tr))) {
+    maxline[[var]][[1]]=trace2maxline(tr[[var]][[1]])
+  }
+  return(maxline)
+}
+# Take a multi-column data frame, output same form but maxlines
+frame2maxlines <- function(tr) {
+  for (var in seq_len(length(tr))) {
+    tr[[var]]=trace2maxline(tr[[var]])
+  }
+  return(tr)
+}
+
+trace2maxpoints <- function(tr) {
+  minval = tr[1,1]
+  collect = tr[1,]
+  for (i in seq_len(dim(tr)[1])) {
+    if (minval < tr[i,1]) {
+      collect = rbind(collect,tr[i,])
+      minval = tr[i,1]
+    }
+  }
+  tmp = tr[dim(tr)[1],]
+  tmp[1] = minval[1]
+  collect = rbind(collect,tmp)
+  return(collect)
+}
+
+sample_maxpoints <- function(tr,po) {
+  index = 1
+  collect=NULL
+  endpoint = dim(tr)[1]
+  for (p in po) {
+    if (p<=tr[1,2]) {
+      tmp = tr[index,]
+      tmp[2] = p
+      collect = rbind(collect, tmp)
+    } else if (p>=tr[endpoint,2]) {
+      tmp = tr[endpoint,]
+      tmp[2] = p
+      collect = rbind(collect, tmp)
+    } else {
+      for (i in seq(index,endpoint)-1) {
+        if (p >= tr[i,2] && p<tr[i+1,2]) {
+          tmp = tr[i,]
+          tmp[2] = p
+          collect = rbind(collect, tmp)
+          index = i
+          break
+        }
+      } 
+    }
+  }
+  return(collect)
+}
+
+#https://www.r-bloggers.com/2012/01/parallel-r-loops-for-windows-and-linux/
+all_runtypetables <- foreach (bn=BASENAMES) %do% {
+  runtypefiles <- list.files(file.path(BENCHDIR,bn),pattern=sprintf(PATTERNS,target),full.names = TRUE)
+  if (length(runtypefiles) > 0) {
+    runtypetables_reduced <- foreach(i=seq_len(length(runtypefiles))) %dopar% {
+      rtable = read.csv(runtypefiles[[i]], col.names=c(sprintf("%s%d",bn,i),sprintf("times%d",i)))
+      trace2maxpoints(rtable)
+    }
+    #runtypetables <- lapply(seq_len(length(runtypefiles)),
+    #    function(i)read.csv(runtypefiles[[i]], col.names=c(sprintf("%s%d",bn,i),sprintf("times%d",i))))
+    #runtypetables_reduced <- lapply(runtypetables, trace2maxpoints)
+    runtypetables_reduced
+    #all_runtypetables = c(all_runtypetables, list(runtypetables_reduced))
+  }
+}
+all_runtypetables = all_runtypetables[lapply(all_runtypetables, length) > 0]
+all_min_points = foreach(rtt=all_runtypetables,.combine = cbind) %do% {
+  bn = substr(names(rtt[[1]])[1],1,nchar(names(rtt[[1]])[1])-1)
+  ret = data.frame(min(unlist(lapply(rtt, function(v) v[dim(v)[1],2]))))
+  names(ret)[1] = bn
+  ret/(3600 * 1000)
+}
+all_max_points = foreach(rtt=all_runtypetables,.combine = cbind) %do% {
+  bn = substr(names(rtt[[1]])[1],1,nchar(names(rtt[[1]])[1])-1)
+  ret = data.frame(max(unlist(lapply(rtt, function(v) v[dim(v)[1],2]))))
+  names(ret)[1] = bn
+  ret/(3600 * 1000)
+}
+all_points = sort(unique(Reduce(c, lapply(all_runtypetables, function(v) Reduce(c, lapply(v, function(w) w[[2]]))))))
+all_maxlines <- foreach (rtt=all_runtypetables) %do% {
+  bn = substr(names(rtt[[1]])[1],1,nchar(names(rtt[[1]])[1])-1)
+  runtypetables_sampled = foreach(v=rtt) %dopar% {
+    sample_maxpoints(v, all_points)[1]
+  }
+  #runtypetables_sampled = lapply(rtt, function(v) sample_maxpoints(v, all_points)[1])
+  tmp_frame <- Reduce(cbind, runtypetables_sampled)
+  statframe <- data.frame(rowMeans(tmp_frame),apply(tmp_frame, 1, sd),apply(tmp_frame, 1, min),apply(tmp_frame, 1, max), apply(tmp_frame, 1, median))
+  names(statframe) <- c(bn, sprintf("%s_sd",bn), sprintf("%s_min",bn), sprintf("%s_max",bn), sprintf("%s_med",bn))
+  #statframe[sprintf("%s_times",bn)] = all_points
+  round(statframe)
+  #all_maxlines = c(all_maxlines, list(round(statframe))) 
+}
+one_frame<-data.frame(all_maxlines)
+one_frame[length(one_frame)+1] <- all_points/(3600 * 1000)
+names(one_frame)[length(one_frame)] <- 'time'
+
+typenames = names(one_frame)[which(names(one_frame) != 'time')]
+typenames = typenames[which(!endsWith(typenames, "_sd"))]
+typenames = typenames[which(!endsWith(typenames, "_med"))]
+ylow=min(one_frame[typenames])
+yhigh=max(one_frame[typenames],worst_case)
+typenames = typenames[which(!endsWith(typenames, "_min"))]
+typenames = typenames[which(!endsWith(typenames, "_max"))]
+
+ml2lines <- function(ml,lim) {
+  lines = NULL
+  last = 0
+  for (i in seq_len(dim(ml)[1])) {
+    if (!CONTINUE_LINE_TO_END && lim<ml[i,2]) {
+      break
+    }
+    lines = rbind(lines, cbind(X=last, Y=ml[i,1]))
+    lines = rbind(lines, cbind(X=ml[i,2], Y=ml[i,1]))
+    last = ml[i,2]
+  }
+  return(lines)
+}
+
+plotting <- function(selection, filename, MY_COLORS_) {
+# filter out names of iters and sd cols
+typenames = names(one_frame)[which(names(one_frame) != 'times')]
+typenames = typenames[which(!endsWith(typenames, "_sd"))]
+typenames = typenames[which(!endsWith(typenames, "_med"))]
+typenames = typenames[which(!endsWith(typenames, "_min"))]
+typenames = typenames[which(!endsWith(typenames, "_max"))]
+typenames = selection[which(selection %in% typenames)]
+if (length(typenames) == 0) {return()}
+
+h_ = 500
+w_ = h_*4/3
+
+if (SAVE_FILE) {png(file=sprintf("%s/%s_%s.png",outputpath,target,filename), width=w_, height=h_)}
+par(mar=c(4,4,1,1))
+par(oma=c(0,0,0,0))
+
+plot(c(0,max(one_frame['time'])),c(ylow,yhigh), col='white', xlab="Time [h]", ylab="WORT [insn]", pch='.')
+
+for (t in seq_len(length(typenames))) {
+  #proj = one_frame[seq(1, dim(one_frame)[1], by=max(1, length(one_frame[[1]])/(10*w_))),]
+  #points(proj[c('iters',typenames[t])], col=MY_COLORS_[t], pch='.')
+  avglines = ml2lines(one_frame[c(typenames[t],'time')],all_max_points[typenames[t]])
+  #lines(avglines, col=MY_COLORS_[t])
+  medlines = ml2lines(one_frame[c(sprintf("%s_med",typenames[t]),'time')],all_max_points[typenames[t]])
+  lines(medlines, col=MY_COLORS_[t], lty='solid')
+  milines = NULL
+  malines = NULL
+  milines = ml2lines(one_frame[c(sprintf("%s_min",typenames[t]),'time')],all_max_points[typenames[t]])
+  malines = ml2lines(one_frame[c(sprintf("%s_max",typenames[t]),'time')],all_max_points[typenames[t]])
+  if (exists("RIBBON") && ( RIBBON=='max' )) {
+    #lines(milines, col=MY_COLORS_[t], lty='dashed')
+    lines(malines, col=MY_COLORS_[t], lty='dashed')
+    #points(proj[c('iters',sprintf("%s_min",typenames[t]))], col=MY_COLORS_[t], pch='.')
+    #points(proj[c('iters',sprintf("%s_max",typenames[t]))], col=MY_COLORS_[t], pch='.')
+  }
+  if (exists("RIBBON") && RIBBON != '') {
+  for (i in seq_len(dim(avglines)[1]-1)) {
+    if (RIBBON=='both') {
+      # draw boxes
+      x_l <- milines[i,][['X']]
+      x_r <- milines[i+1,][['X']]
+      y_l <- milines[i,][['Y']]
+      y_h <- malines[i,][['Y']]
+      rect(x_l, y_l, x_r, y_h, col=alpha(MY_COLORS_[t], alpha=0.1), lwd=0)
+    }
+    if (FALSE && RIBBON=='span') {
+      # draw boxes
+      x_l <- milines[i,][['X']]
+      x_r <- milines[i+1,][['X']]
+      y_l <- milines[i,][['Y']]
+      y_h <- malines[i,][['Y']]
+      rect(x_l, y_l, x_r, y_h, col=alpha(MY_COLORS_[t], alpha=0.1), lwd=0)
+    }
+    #if (FALSE && RIBBON=='both' || RIBBON=='sd') {
+    #  # draw sd
+    #  x_l <- avglines[i,][['X']]
+    #  x_r <- avglines[i+1,][['X']]
+    #  y_l <- avglines[i,][['Y']]-one_frame[ceiling(i/2),][[sprintf("%s_sd",typenames[t])]]
+    #  y_h <- avglines[i,][['Y']]+one_frame[ceiling(i/2),][[sprintf("%s_sd",typenames[t])]]
+    #  if (x_r != x_l) {
+    #    rect(x_l, y_l, x_r, y_h, col=alpha(MY_COLORS_[t], alpha=0.1), lwd=0) 
+    #  }
+    #}
+    #sd_ <- row[sprintf("%s_sd",typenames[t])][[1]]
+    #min_ <- row[sprintf("%s_min",typenames[t])][[1]]
+    #max_ <- row[sprintf("%s_max",typenames[t])][[1]]
+    #if (exists("RIBBON")) {
+    #  switch (RIBBON,
+    #    'sd' = arrows(x_, y_-sd_, x_, y_+sd_, length=0, angle=90, code=3, col=alpha(MY_COLORS_[t], alpha=0.03)),
+    #    'both' = arrows(x_, y_-sd_, x_, y_+sd_, length=0, angle=90, code=3, col=alpha(MY_COLORS_[t], alpha=0.05)),
+    #    'span' = #arrows(x_, min_, x_, max_, length=0, angle=90, code=3, col=alpha(MY_COLORS_[t], alpha=0.03))
+    #  )
+    #}
+    ##arrows(x_, y_-sd_, x_, y_+sd_, length=0.05, angle=90, code=3, col=alpha(MY_COLORS[t], alpha=0.1))
+  }
+  }
+}
+leglines=typenames
+if (DRAW_WC) {
+  lines(c(0,length(one_frame[[1]])),y=c(worst_case,worst_case), lty='dotted')
+  leglines=c(typenames, 'worst observed') 
+}
+legend(LEGEND_POS, legend=leglines,#"bottomright",
+       col=c(MY_COLORS_[1:length(typenames)],"black"),
+       lty=c(rep("solid",length(typenames)),"dotted"))
+
+if (SAVE_FILE) {dev.off()}
+}
+stopCluster(cl)
+
+par(mar=c(3.8,3.8,0,0))
+par(oma=c(0,0,0,0))
+
+#RIBBON='both'
+#MY_SELECTION = c('state_int','generation100_int')
+#MY_SELECTION = c('state','frafl')
+
+if (exists("MY_SELECTION")) {
+  plotting(MY_SELECTION, 'custom', MY_COLORS[c(1,2)])
+} else {
+  # MY_SELECTION=c('state', 'afl', 'random', 'feedlongest', 'feedgeneration', 'feedgeneration10')
+  #MY_SELECTION=c('state_int', 'afl_int', 'random_int', 'feedlongest_int', 'feedgeneration_int', 'feedgeneration10_int')
+  #MY_SELECTION=c('state', 'frAFL', 'statenohash', 'feedgeneration10')
+  #MY_SELECTION=c('state_int', 'frAFL_int', 'statenohash_int', 'feedgeneration10_int')
+  MY_SELECTION=typenames
+  RIBBON='both'
+  for (i in seq_len(length(MY_SELECTION))) {
+    n <- MY_SELECTION[i]
+    plotting(c(n), n, c(MY_COLORS[i]))
+  }
+  RIBBON='max'
+  plotting(MY_SELECTION,'all', MY_COLORS)
+}
+
+for (t in seq_len(length(typenames))) {
+  li = one_frame[dim(one_frame)[1],]
+  pear = (li[[typenames[[t]]]]-li[[sprintf("%s_med",typenames[[t]])]])/li[[sprintf("%s_sd",typenames[[t]])]]
+  print(sprintf("%s pearson: %g",typenames[[t]],pear))
+}

fuzzers/FRET/benchmark/target_symbols.csv

@@ -0,0 +1,28 @@
+kernel,main_function,input_symbol,input_size,return_function
+mpeg2,mpeg2_main,mpeg2_oldorgframe,90112,mpeg2_return
+audiobeam,audiobeam_main,audiobeam_input,11520,audiobeam_return
+epic,epic_main,epic_image,4096,epic_return
+dijkstra,dijkstra_main,dijkstra_AdjMatrix,10000,dijkstra_return
+fft,fft_main,fft_twidtable,2046,fft_return
+bsort,bsort_main,bsort_Array,400,bsort_return
+insertsort,insertsort_main,insertsort_a,400,insertsort_return
+g723_enc,g723_enc_main,g723_enc_INPUT,1024,g723_enc_return
+rijndael_dec,rijndael_dec_main,rijndael_dec_data,32768,rijndael_dec_return
+rijndael_enc,rijndael_enc_main,rijndael_enc_data,31369,rijndael_enc_return
+huff_dec,huff_dec_main,huff_dec_encoded,419,huff_dec_return
+huff_enc,huff_enc_main,huff_enc_plaintext,600,huff_enc_return
+gsm_enc,gsm_enc_main,gsm_enc_pcmdata,6400,gsm_enc_return
+tmr,main,FUZZ_INPUT,32,trigger_Qemu_break
+tacle_rtos,prvStage0,FUZZ_INPUT,604,trigger_Qemu_break
+lift,main_lift,FUZZ_INPUT,100,trigger_Qemu_break
+waters,main_waters,FUZZ_INPUT,4096,trigger_Qemu_break
+watersv2,main_waters,FUZZ_INPUT,4096,trigger_Qemu_break
+waters_int,main_waters,FUZZ_INPUT,4096,trigger_Qemu_break
+watersv2_int,main_waters,FUZZ_INPUT,4096,trigger_Qemu_break
+micro_branchless,main_branchless,FUZZ_INPUT,4,trigger_Qemu_break
+micro_int,main_int,FUZZ_INPUT,16,trigger_Qemu_break
+micro_longint,main_micro_longint,FUZZ_INPUT,16,trigger_Qemu_break
+minimal,main_minimal,FUZZ_INPUT,4096,trigger_Qemu_break
+gen3,main_minimal,FUZZ_INPUT,4096,trigger_Qemu_break
+interact,main_interact,FUZZ_INPUT,4096,trigger_Qemu_break
+interact_int,main_interact,FUZZ_INPUT,4096,trigger_Qemu_break

fuzzers/FRET/example/build.sh

@@ -0,0 +1,2 @@
+#!/bin/sh
+arm-none-eabi-gcc -ggdb -ffreestanding -nostartfiles -lgcc -T mps2_m3.ld -mcpu=cortex-m3 main.c startup.c -o example.elf

fuzzers/FRET/example/main.c

@@ -0,0 +1,38 @@
+int BREAKPOINT() {
+  for (;;)
+  {
+  }
+}
+
+int LLVMFuzzerTestOneInput(unsigned int* Data, unsigned int Size) {
+  //if (Data[3] == 0) {while(1){}}  // cause a timeout
+  for (int i=0; i<Size; i++) {
+    // if (Data[i] > 0xFFd0 && Data[i] < 0xFFFF) {return 1;}    // cause qemu to crash
+    for (int j=i+1; j<Size; j++) {
+      if (Data[j] == 0) {continue;}
+      if (Data[j]>Data[i]) {
+        int tmp = Data[i];
+        Data[i]=Data[j];
+        Data[j]=tmp;
+        if (Data[i] <= 100) {j--;}
+      }
+    }
+  }
+  return BREAKPOINT();
+}
+    unsigned int FUZZ_INPUT[] = {
+    101,201,700,230,860,
+    234,980,200,340,678,
+    230,134,900,236,900,
+    123,800,123,658,607,
+    246,804,567,568,207,
+    407,246,678,457,892,
+    834,456,878,246,699,
+    854,234,844,290,125,
+    324,560,852,928,910,
+    790,853,345,234,586,
+    };
+
+int main() {
+  LLVMFuzzerTestOneInput(FUZZ_INPUT, 50);
+}

fuzzers/FRET/example/mps2_m3.ld

@@ -0,0 +1,143 @@
+/*
+ * FreeRTOS V202112.00
+ * Copyright (C) 2020 Amazon.com, Inc. or its affiliates.  All Rights Reserved.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of
+ * this software and associated documentation files (the "Software"), to deal in
+ * the Software without restriction, including without limitation the rights to
+ * use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+ * the Software, and to permit persons to whom the Software is furnished to do so,
+ * subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+ * FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+ * COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+ * IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ *
+ * https://www.FreeRTOS.org
+ * https://github.com/FreeRTOS
+ *
+ */
+
+MEMORY
+{
+    RAM (xrw)  : ORIGIN = 0x00000000, LENGTH = 4M
+    /* Originally                                    */
+    /* FLASH (xr) : ORIGIN = 0x00000000, LENGTH = 4M */
+    /* RAM (xrw)  : ORIGIN = 0x20000000, LENGTH = 4M */
+}
+ENTRY(Reset_Handler)
+
+_Min_Heap_Size = 0x300000 ;        /* Required amount of heap. */
+_Min_Stack_Size = 0x4000 ;       /* Required amount of stack. */
+M_VECTOR_RAM_SIZE = (16 + 48) * 4;
+_estack = ORIGIN(RAM) + LENGTH(RAM);
+
+SECTIONS
+{
+
+    .isr_vector :
+    {
+        __vector_table = .;
+        KEEP(*(.isr_vector))
+        . = ALIGN(4);
+    } > RAM /* FLASH */
+
+    .text :
+    {
+        . = ALIGN(4);
+        *(.text*)
+        KEEP (*(.init))
+        KEEP (*(.fini))
+        KEEP(*(.eh_frame))
+        *(.rodata*)
+        . = ALIGN(4);
+        _etext = .;
+    } > RAM /* FLASH */
+
+    .ARM.extab :
+    {
+        . = ALIGN(4);
+        *(.ARM.extab* .gnu.linkonce.armextab.*)
+        . = ALIGN(4);
+    } >RAM /* FLASH */
+
+    .ARM :
+    {
+        . = ALIGN(4);
+        __exidx_start = .;
+        *(.ARM.exidx* .gnu.linkonce.armexidx.*)
+        __exidx_end = .;
+        . = ALIGN(4);
+    } >RAM /* FLASH */
+
+    .interrupts_ram :
+    {
+        . = ALIGN(4);
+        __VECTOR_RAM__ = .;
+        __interrupts_ram_start__ = .;
+        . += M_VECTOR_RAM_SIZE;
+        . = ALIGN(4);
+        __interrupts_ram_end = .;
+    } > RAM
+
+    _sidata = LOADADDR(.data);
+
+    .data : /* AT ( _sidata ) */
+    {
+        . = ALIGN(4);
+        _sdata = .;
+        *(.data*)
+        . = ALIGN(4);
+        _edata = .;
+    } > RAM /* RAM AT > FLASH */
+
+    .uninitialized (NOLOAD):
+    {
+        . = ALIGN(32);
+        __uninitialized_start = .;
+        *(.uninitialized)
+        KEEP(*(.keep.uninitialized))
+        . = ALIGN(32);
+        __uninitialized_end = .;
+    } > RAM
+
+    .bss :
+    {
+        . = ALIGN(4);
+        _sbss = .;
+        __bss_start__ = _sbss;
+        *(.bss*)
+        *(COMMON)
+        . = ALIGN(4);
+        _ebss = .;
+        __bss_end__ = _ebss;
+    } >RAM
+
+    .heap :
+    {
+        . = ALIGN(8);
+        PROVIDE ( end = . );
+        PROVIDE ( _end = . );
+        _heap_bottom = .;
+        . = . + _Min_Heap_Size;
+        _heap_top = .;
+        . = . + _Min_Stack_Size;
+        . = ALIGN(8);
+       } >RAM
+
+   /* Set stack top to end of RAM, and stack limit move down by
+    * size of stack_dummy section */
+   __StackTop = ORIGIN(RAM) + LENGTH(RAM);
+   __StackLimit = __StackTop - _Min_Stack_Size;
+   PROVIDE(__stack = __StackTop);
+     
+  /* Check if data + heap + stack exceeds RAM limit */
+  ASSERT(__StackLimit >= _heap_top, "region RAM overflowed with stack")
+}
+

fuzzers/FRET/example/startup.c

@@ -0,0 +1,114 @@
+/*
+ * FreeRTOS V202112.00
+ * Copyright (C) 2020 Amazon.com, Inc. or its affiliates.  All Rights Reserved.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of
+ * this software and associated documentation files (the "Software"), to deal in
+ * the Software without restriction, including without limitation the rights to
+ * use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+ * the Software, and to permit persons to whom the Software is furnished to do so,
+ * subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+ * FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+ * COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+ * IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ *
+ * https://www.FreeRTOS.org
+ * https://github.com/FreeRTOS
+ *
+ */
+
+typedef unsigned int uint32_t;
+
+extern int main();
+
+extern uint32_t _estack, _sidata, _sdata, _edata, _sbss, _ebss;
+
+/* Prevent optimization so gcc does not replace code with memcpy */
+__attribute__( ( optimize( "O0" ) ) )
+__attribute__( ( naked ) )
+void Reset_Handler( void )
+{
+    /* set stack pointer */
+    __asm volatile ( "ldr r0, =_estack" );
+    __asm volatile ( "mov sp, r0" );
+
+    /* copy .data section from flash to RAM */
+    // Not needed for this example, see linker script
+    // for( uint32_t * src = &_sidata, * dest = &_sdata; dest < &_edata; )
+    // {
+    //     *dest++ = *src++;
+    // }
+
+    /* zero out .bss section */
+    for( uint32_t * dest = &_sbss; dest < &_ebss; )
+    {
+        *dest++ = 0;
+    }
+
+    /* jump to board initialisation */
+    void _start( void );
+    _start();
+}
+
+const uint32_t * isr_vector[] __attribute__( ( section( ".isr_vector" ) ) ) =
+{
+    ( uint32_t * ) &_estack,
+    ( uint32_t * ) &Reset_Handler,       /* Reset                -15 */
+    0,     /* NMI_Handler          -14 */
+    0,    /* HardFault_Handler    -13 */
+    0,    /* MemManage_Handler    -12 */
+    0,    /* BusFault_Handler     -11 */
+    0,    /* UsageFault_Handler   -10 */
+    0,                                   /* reserved */
+    0,                                   /* reserved */
+    0,                                   /* reserved */
+    0,                                   /* reserved   -6 */
+    0,     /* SVC_Handler              -5 */
+    0,    /* DebugMon_Handler         -4 */
+    0,                                   /* reserved */
+    0,  /* PendSV handler    -2 */
+    0, /* SysTick_Handler   -1 */
+    0,                                   /* uart0 receive 0 */
+    0,                                   /* uart0 transmit */
+    0,                                   /* uart1 receive */
+    0,                                   /* uart1 transmit */
+    0,                                   /* uart 2 receive */
+    0,                                   /* uart 2 transmit */
+    0,                                   /* GPIO 0 combined interrupt */
+    0,                                   /* GPIO 2 combined interrupt */
+    0,                                   /* Timer 0 */
+    0,                                   /* Timer 1 */
+    0,                                   /* Dial Timer */
+    0,                                   /* SPI0 SPI1 */
+    0,                                   /* uart overflow 1, 2,3 */
+    0,                                   /* Ethernet   13 */
+};
+
+__attribute__( ( naked ) ) void exit(__attribute__((unused)) int status )
+{
+    /* Force qemu to exit using ARM Semihosting */
+    __asm volatile (
+        "mov r1, r0\n"
+        "cmp r1, #0\n"
+        "bne .notclean\n"
+        "ldr r1, =0x20026\n" /* ADP_Stopped_ApplicationExit, a clean exit */
+        ".notclean:\n"
+        "movs r0, #0x18\n"   /* SYS_EXIT */
+        "bkpt 0xab\n"
+        "end: b end\n"
+        );
+}
+
+void _start( void )
+{
+    main( );
+    exit( 0 );
+}
+

fuzzers/FRET/src/clock.rs

@@ -0,0 +1,357 @@
+use hashbrown::{hash_map::Entry, HashMap};
+use libafl_bolts::{
+    current_nanos,
+    rands::StdRand,
+    tuples::{tuple_list,MatchName},
+    impl_serdeany,
+    Named,
+};
+use libafl::{
+    executors::{ExitKind},
+    fuzzer::{StdFuzzer},
+    inputs::{BytesInput, HasTargetBytes},
+    observers::{Observer,VariableMapObserver},
+    state::{StdState, HasNamedMetadata},
+    Error,
+    observers::ObserversTuple, prelude::UsesInput,
+};
+use serde::{Deserialize, Serialize};
+use std::{cell::UnsafeCell, cmp::max, env, fs::OpenOptions, io::Write, time::Instant};
+
+use libafl_qemu::{
+    emu,
+    emu::Emulator,
+    executor::QemuExecutor,
+    helper::{QemuHelper, QemuHelperTuple, QemuInstrumentationFilter},
+};
+use libafl::events::EventFirer;
+use libafl::state::MaybeHasClientPerfMonitor;
+use libafl::prelude::State;
+use libafl::inputs::Input;
+use libafl::feedbacks::Feedback;
+use libafl::SerdeAny;
+use libafl::state::HasMetadata;
+use libafl::corpus::testcase::Testcase;
+use core::{fmt::Debug, time::Duration};
+// use libafl::feedbacks::FeedbackState;
+// use libafl::state::HasFeedbackStates;
+use std::time::{SystemTime, UNIX_EPOCH};
+use std::path::PathBuf;
+
+pub static mut FUZZ_START_TIMESTAMP : SystemTime = UNIX_EPOCH;
+
+pub const QEMU_ICOUNT_SHIFT : u32 = 5;
+pub const QEMU_ISNS_PER_SEC : u32 = u32::pow(10, 9) / u32::pow(2, QEMU_ICOUNT_SHIFT);
+pub const QEMU_ISNS_PER_USEC : u32 = QEMU_ISNS_PER_SEC / 1000000;
+pub const QEMU_NS_PER_ISN : u32 = 1 << QEMU_ICOUNT_SHIFT;
+pub const TARGET_SYSCLK_FREQ : u32 = 25 * 1000 * 1000;
+pub const TARGET_MHZ_PER_MIPS : f32 = TARGET_SYSCLK_FREQ as f32 / QEMU_ISNS_PER_SEC as f32;
+pub const TARGET_MIPS_PER_MHZ : f32 = QEMU_ISNS_PER_SEC as f32 / TARGET_SYSCLK_FREQ as f32;
+pub const TARGET_SYSCLK_PER_QEMU_SEC : u32 = (TARGET_SYSCLK_FREQ as f32 * TARGET_MIPS_PER_MHZ) as u32;
+pub const QEMU_SYSCLK_PER_TARGET_SEC : u32 = (TARGET_SYSCLK_FREQ as f32 * TARGET_MHZ_PER_MIPS) as u32;
+
+//========== Metadata
+#[derive(Debug, SerdeAny, Serialize, Deserialize)]
+pub struct QemuIcountMetadata {
+    runtime: u64,
+}
+
+/// Metadata for [`QemuClockIncreaseFeedback`]
+#[derive(Debug, Serialize, Deserialize, SerdeAny)]
+pub struct MaxIcountMetadata {
+    pub max_icount_seen: u64,
+    pub name: String,
+}
+
+// impl FeedbackState for MaxIcountMetadata
+// {
+//     fn reset(&mut self) -> Result<(), Error> {
+//         self.max_icount_seen = 0;
+//         Ok(())
+//     }
+// }
+
+impl Named for MaxIcountMetadata
+{
+    #[inline]
+    fn name(&self) -> &str {
+        self.name.as_str()
+    }
+}
+
+impl MaxIcountMetadata
+{
+    /// Create new `MaxIcountMetadata`
+    #[must_use]
+    pub fn new(name: &'static str) -> Self {
+        Self {
+            max_icount_seen: 0,
+            name: name.to_string(),
+        }
+    }
+}
+
+impl Default for MaxIcountMetadata {
+    fn default() -> Self {
+        Self::new("MaxClock")
+    }
+}
+
+/// A piece of metadata tracking all icounts
+#[derive(Debug, SerdeAny, Serialize, Deserialize)]
+pub struct IcHist (pub Vec<(u64, u128)>, pub (u64,u128));
+
+//========== Observer
+
+/// A simple observer, just overlooking the runtime of the target.
+#[derive(Serialize, Deserialize, Debug, Clone)]
+pub struct QemuClockObserver {
+    name: String,
+    start_tick: u64,
+    end_tick: u64,
+    dump_path: Option<PathBuf>
+}
+
+impl QemuClockObserver {
+    /// Creates a new [`QemuClockObserver`] with the given name.
+    #[must_use]
+    pub fn new(name: &'static str, dump_path: Option<PathBuf>) -> Self {
+        Self {
+            name: name.to_string(),
+            start_tick: 0,
+            end_tick: 0,
+            dump_path
+        }
+    }
+
+    /// Gets the runtime for the last execution of this target.
+    #[must_use]
+    pub fn last_runtime(&self) -> u64 {
+        self.end_tick - self.start_tick
+    }
+}
+
+impl<S> Observer<S> for QemuClockObserver
+where
+    S: UsesInput + HasMetadata,
+{
+    fn pre_exec(&mut self, _state: &mut S, _input: &S::Input) -> Result<(), Error> {
+        // Only remember the pre-run ticks if presistent mode ist used
+        #[cfg(not(feature = "snapshot_restore"))]
+        unsafe {
+            self.start_tick=emu::icount_get_raw();
+            self.end_tick=self.start_tick;
+        }
+        // unsafe {
+        //     println!("clock pre {}",emu::icount_get_raw());
+        // }
+        Ok(())
+    }
+
+    fn post_exec(&mut self, _state: &mut S, _input: &S::Input, _exit_kind: &ExitKind) -> Result<(), Error> {
+        unsafe { self.end_tick = emu::icount_get_raw() };
+        if let Some(td) = &self.dump_path {
+            // println!("clock post {}", self.end_tick);
+            // println!("Number of Ticks: {} <- {} {}",self.end_tick - self.start_tick, self.end_tick, self.start_tick);
+            let metadata =_state.metadata_map_mut();
+            let hist = metadata.get_mut::<IcHist>();
+            let timestamp = SystemTime::now().duration_since(unsafe {FUZZ_START_TIMESTAMP}).unwrap().as_millis();
+            match hist {
+                None => {
+                    metadata.insert(IcHist(vec![(self.end_tick - self.start_tick, timestamp)],
+                    (self.end_tick - self.start_tick, timestamp)));
+                }
+                Some(v) => {
+                    v.0.push((self.end_tick - self.start_tick, timestamp));
+                    if v.1.0 < self.end_tick-self.start_tick {
+                        v.1 = (self.end_tick - self.start_tick, timestamp);
+                    }
+                    if v.0.len() >= 100 {
+                        let mut file = OpenOptions::new()
+                            .read(true)
+                            .write(true)
+                            .create(true)
+                            .append(true)
+                            .open(td).expect("Could not open timedump");
+                        let newv : Vec<(u64, u128)> = Vec::with_capacity(110);
+                        for i in std::mem::replace(&mut v.0, newv).into_iter() {
+                            writeln!(file, "{},{}", i.0, i.1).expect("Write to dump failed");
+                        }
+                    }
+                }
+            }
+        }
+        Ok(())
+    }
+}
+
+impl Named for QemuClockObserver {
+    #[inline]
+    fn name(&self) -> &str {
+        &self.name
+    }
+}
+
+impl Default for QemuClockObserver {
+    fn default() -> Self {
+        Self {
+            name: String::from("clock"),
+            start_tick: 0,
+            end_tick: 0,
+            dump_path: None
+        }
+    }
+}
+
+//========== Feedback
+/// Nop feedback that annotates execution time in the new testcase, if any
+/// for this Feedback, the testcase is never interesting (use with an OR).
+/// It decides, if the given [`QemuClockObserver`] value of a run is interesting.
+#[derive(Serialize, Deserialize, Clone, Debug)]
+pub struct ClockTimeFeedback {
+    exec_time: Option<Duration>,
+    name: String,
+}
+
+impl<S> Feedback<S> for ClockTimeFeedback
+where
+    S: State + UsesInput + MaybeHasClientPerfMonitor + HasMetadata,
+{
+    #[allow(clippy::wrong_self_convention)]
+    fn is_interesting<EM, OT>(
+        &mut self,
+        _state: &mut S,
+        _manager: &mut EM,
+        _input: &S::Input,
+        observers: &OT,
+        _exit_kind: &ExitKind,
+    ) -> Result<bool, Error>
+    where
+        EM: EventFirer<State = S>,
+        OT: ObserversTuple<S>,
+    {
+        // TODO Replace with match_name_type when stable
+        let observer = observers.match_name::<QemuClockObserver>(self.name()).unwrap();
+        self.exec_time = Some(Duration::from_nanos(observer.last_runtime() << QEMU_ICOUNT_SHIFT)); // Assume a somewhat realistic multiplier of clock, it does not matter
+        Ok(false)
+    }
+
+    /// Append to the testcase the generated metadata in case of a new corpus item
+    #[inline]
+    fn append_metadata<OT>(
+        &mut self,
+        _state: &mut S,
+        observers: &OT,
+        testcase: &mut Testcase<S::Input>,
+    ) -> Result<(), Error> {
+        *testcase.exec_time_mut() = self.exec_time;
+        self.exec_time = None;
+        Ok(())
+    }
+
+    /// Discard the stored metadata in case that the testcase is not added to the corpus
+    #[inline]
+    fn discard_metadata(&mut self, _state: &mut S, _input: &S::Input) -> Result<(), Error> {
+        self.exec_time = None;
+        Ok(())
+    }
+}
+
+impl Named for ClockTimeFeedback {
+    #[inline]
+    fn name(&self) -> &str {
+        self.name.as_str()
+    }
+}
+
+impl ClockTimeFeedback {
+    /// Creates a new [`ClockFeedback`], deciding if the value of a [`QemuClockObserver`] with the given `name` of a run is interesting.
+    #[must_use]
+    pub fn new(name: &'static str) -> Self {
+        Self {
+            exec_time: None,
+            name: name.to_string(),
+        }
+    }
+
+    /// Creates a new [`ClockFeedback`], deciding if the given [`QemuClockObserver`] value of a run is interesting.
+    #[must_use]
+    pub fn new_with_observer(observer: &QemuClockObserver) -> Self {
+        Self {
+            exec_time: None,
+            name: observer.name().to_string(),
+        }
+    }
+}
+
+/// A [`Feedback`] rewarding increasing the execution cycles on Qemu.
+#[derive(Debug)]
+pub struct QemuClockIncreaseFeedback {
+    name: String,
+}
+
+impl<S> Feedback<S> for QemuClockIncreaseFeedback
+where
+    S: State + UsesInput + HasNamedMetadata + MaybeHasClientPerfMonitor + Debug,
+{
+    fn is_interesting<EM, OT>(
+        &mut self,
+        state: &mut S,
+        _manager: &mut EM,
+        _input: &S::Input,
+        _observers: &OT,
+        _exit_kind: &ExitKind,
+    ) -> Result<bool, Error>
+    where
+        EM: EventFirer<State = S>,
+        OT: ObserversTuple<S>,
+    {
+        let observer = _observers.match_name::<QemuClockObserver>("clock")
+            .expect("QemuClockObserver not found");
+        let clock_state = state
+            .named_metadata_map_mut()
+            .get_mut::<MaxIcountMetadata>(&self.name)
+            .unwrap();
+        if observer.last_runtime() > clock_state.max_icount_seen {
+            // println!("Clock improving {}",observer.last_runtime());
+            clock_state.max_icount_seen = observer.last_runtime();
+            return Ok(true);
+        }
+        Ok(false)
+    }
+
+    /// Append to the testcase the generated metadata in case of a new corpus item
+    #[inline]
+    fn append_metadata<OT>(&mut self, _state: &mut S, observers: &OT, testcase: &mut Testcase<S::Input>) -> Result<(), Error> {
+        // testcase.metadata_mut().insert(QemuIcountMetadata{runtime: self.last_runtime});
+        Ok(())
+    }
+
+    /// Discard the stored metadata in case that the testcase is not added to the corpus
+    #[inline]
+    fn discard_metadata(&mut self, _state: &mut S, _input: &S::Input) -> Result<(), Error> {
+        Ok(())
+    }
+
+}
+
+impl Named for QemuClockIncreaseFeedback {
+    #[inline]
+    fn name(&self) -> &str {
+        &self.name
+    }
+}
+
+impl QemuClockIncreaseFeedback {
+    /// Creates a new [`HitFeedback`]
+    #[must_use]
+    pub fn new(name: &'static str) -> Self {
+        Self {name: String::from(name)}
+    }
+}
+
+impl Default for QemuClockIncreaseFeedback {
+    fn default() -> Self {
+        Self::new("MaxClock")
+    }
+}

fuzzers/FRET/src/fuzzer.rs

@@ -0,0 +1,816 @@
+//! A fuzzer using qemu in systemmode for binary-only coverage of kernels
+//!
+use core::time::Duration;
+use std::{env, path::PathBuf, process::{self, abort}, io::{Read, Write}, fs::{self, OpenOptions}, cmp::{min, max}, mem::transmute_copy, collections::btree_map::Range, ptr::addr_of_mut, ffi::OsStr};
+use hashbrown::HashMap;
+use libafl_bolts::{
+core_affinity::Cores, current_nanos, rands::StdRand, shmem::{ShMemProvider, StdShMemProvider}, tuples::tuple_list, AsMutSlice, AsSlice
+};
+use libafl::{
+corpus::{Corpus, InMemoryCorpus, OnDiskCorpus}, events::{launcher::Launcher, EventConfig}, executors::{ExitKind, TimeoutExecutor}, feedback_or, feedback_or_fast, feedbacks::{CrashFeedback, MaxMapFeedback, TimeoutFeedback}, fuzzer::{Fuzzer, StdFuzzer}, inputs::{BytesInput, HasTargetBytes}, monitors::MultiMonitor, observers::VariableMapObserver, prelude::{havoc_mutations, minimizer::TopRatedsMetadata, CorpusId, Generator, HasBytesVec, HitcountsMapObserver, RandBytesGenerator, SimpleEventManager, SimpleMonitor, SimpleRestartingEventManager, StdScheduledMutator}, schedulers::{IndexesLenTimeMinimizerScheduler, QueueScheduler}, stages::StdMutationalStage, state::{HasCorpus, HasMetadata, HasNamedMetadata, StdState}, Error, Evaluator
+};
+use libafl_qemu::{
+edges::{self, edges_map_mut_slice, QemuEdgeCoverageHelper, MAX_EDGES_NUM}, elf::EasyElf, emu::{libafl_qemu_remove_native_breakpoint, libafl_qemu_set_native_breakpoint, Emulator}, GuestAddr, GuestPhysAddr, QemuExecutor, QemuHooks, QemuInstrumentationFilter, Regs
+};
+use rand::{SeedableRng, StdRng, Rng};
+use crate::{
+clock::{ClockTimeFeedback, IcHist, QemuClockIncreaseFeedback, QemuClockObserver, FUZZ_START_TIMESTAMP}, mutational::{input_bytes_to_interrupt_times, InterruptShiftStage, MINIMUM_INTER_ARRIVAL_TIME}, qemustate::QemuStateRestoreHelper, systemstate::{self, feedbacks::{DumpSystraceFeedback, NovelSystemStateFeedback, SystraceErrorFeedback}, helpers::{QemuSystemStateHelper, ISR_SYMBOLS}, observers::QemuSystemStateObserver, schedulers::{GenerationScheduler, LongestTraceScheduler}, stg::{stg_map_mut_slice, GraphMaximizerCorpusScheduler, STGEdge, STGNode, StgFeedback, MAX_STG_NUM}}, worst::{AlwaysTrueFeedback, ExecTimeIncFeedback, TimeMaximizerCorpusScheduler, TimeStateMaximizerCorpusScheduler} 
+};
+use std::time::{SystemTime, UNIX_EPOCH};
+use clap::{Parser, Subcommand};
+use csv::Reader;
+use petgraph::{dot::{Config, Dot}, Graph};
+use petgraph::graph::EdgeIndex;
+use petgraph::graph::NodeIndex;
+use petgraph::prelude::DiGraph;
+use crate::systemstate::stg::STGFeedbackState;
+use crate::clock::QEMU_ICOUNT_SHIFT;
+
+// Constants ================================================================================
+
+pub static mut RNG_SEED: u64 = 1;
+
+pub static mut LIMIT : u32 = u32::MAX;
+pub const FIRST_INT : u32 = 500000;
+
+pub const MAX_NUM_INTERRUPT: usize = 128;
+pub const DO_NUM_INTERRUPT: usize = 128;
+pub static mut MAX_INPUT_SIZE: usize = 32;
+/// Read ELF program headers to resolve physical load addresses.
+fn virt2phys(vaddr: GuestPhysAddr, tab: &EasyElf) -> GuestPhysAddr {
+let ret;
+for i in &tab.goblin().program_headers {
+    if i.vm_range().contains(&vaddr.try_into().unwrap()) {
+        ret = vaddr - TryInto::<GuestPhysAddr>::try_into(i.p_vaddr).unwrap()
+            + TryInto::<GuestPhysAddr>::try_into(i.p_paddr).unwrap();
+        return ret - (ret % 2);
+    }
+}
+return vaddr;
+}
+
+pub fn load_symbol(elf : &EasyElf, symbol : &str, do_translation : bool) -> GuestAddr {
+try_load_symbol(elf, symbol, do_translation).expect(&format!("Symbol {} not found", symbol))
+}
+
+pub fn try_load_symbol(elf : &EasyElf, symbol : &str, do_translation : bool) -> Option<GuestAddr> {
+let ret = elf
+    .resolve_symbol(symbol, 0);
+if do_translation {
+    Option::map_or(ret, None, |x| Some(virt2phys(x as GuestPhysAddr,&elf) as GuestAddr))
+} else {ret}
+}
+
+pub fn get_function_range(elf: &EasyElf, symbol: &str) -> Option<std::ops::Range<GuestAddr>> {
+let gob = elf.goblin();
+
+let mut funcs : Vec<_> = gob.syms.iter().filter(|x| x.is_function()).collect();
+funcs.sort_unstable_by(|x,y| x.st_value.cmp(&y.st_value));
+
+for sym in &gob.syms {
+    if let Some(sym_name) = gob.strtab.get_at(sym.st_name) {
+        if sym_name == symbol {
+            if sym.st_value == 0 {
+                return None;
+            } else {
+                //#[cfg(cpu_target = "arm")]
+                // Required because of arm interworking addresses aka bit(0) for thumb mode
+                let addr = (sym.st_value as GuestAddr) & !(0x1 as GuestAddr);
+                //#[cfg(not(cpu_target = "arm"))]
+                //let addr = sym.st_value as GuestAddr;
+                // look for first function after addr
+                let sym_end = funcs.iter().find(|x| x.st_value > sym.st_value);
+                if let Some(sym_end) = sym_end {
+                    // println!("{} {:#x}..{} {:#x}", gob.strtab.get_at(sym.st_name).unwrap_or(""),addr, gob.strtab.get_at(sym_end.st_name).unwrap_or(""),sym_end.st_value & !0x1);
+                    return Some(addr..((sym_end.st_value & !0x1) as GuestAddr));
+                }
+                return None;
+            };
+        }
+    }
+}
+return None;
+}
+
+pub fn get_all_fn_symbol_ranges(elf: &EasyElf, api_range: std::ops::Range<GuestAddr>) -> HashMap<String,std::ops::Range<GuestAddr>> {
+let mut api_addreses : HashMap<String,std::ops::Range<GuestAddr>> = HashMap::new();
+
+let gob = elf.goblin();
+
+let mut funcs : Vec<_> = gob.syms.iter().filter(|x| x.is_function() && api_range.contains(&x.st_value.try_into().unwrap())).collect();
+funcs.sort_unstable_by(|x,y| x.st_value.cmp(&y.st_value));
+
+for sym in &funcs {
+    let sym_name = gob.strtab.get_at(sym.st_name);
+    if let Some(sym_name) = sym_name {
+        // if ISR_SYMBOLS.contains(&sym_name) {continue;}; // skip select symbols, which correspond to ISR-safe system calls
+        if let Some(r) = get_function_range(elf, sym_name) {
+            api_addreses.insert(sym_name.to_string(), r);
+        }
+    }
+}
+for i in api_addreses.iter() {
+    println!("{} {:#x}..{:#x}", i.0, i.1.start, i.1.end);
+}
+
+return api_addreses;
+}
+
+extern "C" {
+static mut libafl_interrupt_offsets : [u32; MAX_NUM_INTERRUPT];
+static mut libafl_num_interrupts : usize;
+}
+
+// Argument parsing ================================================================================
+
+#[derive(Parser)]
+#[command(author, version, about, long_about = None)]
+struct Cli {
+/// Kernel Image
+#[arg(short, long, value_name = "FILE")]
+kernel: PathBuf,
+
+/// Sets a custom config file
+#[arg(short, long, value_name = "FILE")]
+config: PathBuf,
+
+/// Sets the prefix of dumed files
+#[arg(short='n', long, value_name = "FILENAME")]
+dump_name: Option<PathBuf>,
+
+/// do time dumps
+#[arg(short='t', long)]
+dump_times: bool,
+
+/// do worst-case dumps
+#[arg(short='a', long)]
+dump_cases: bool,
+
+/// do trace dumps (if supported)
+#[arg(short='r', long)]
+dump_traces: bool,
+
+/// do graph dumps (if supported)
+#[arg(short='g', long)]
+dump_graph: bool,
+
+#[command(subcommand)]
+command: Commands,
+}
+#[derive(Subcommand,Clone)]
+enum Commands {
+/// run a single input
+Showmap {
+    /// take this input
+    #[arg(short, long)]
+    input: PathBuf,
+},
+/// start fuzzing campaign
+Fuzz {
+    /// disable heuristic
+    #[arg(short, long)]
+    random: bool,
+    /// seed for randomness
+    #[arg(short, long)]
+    seed: Option<u64>,
+    /// runtime in seconds
+    #[arg(short, long)]
+    time: Option<u64>,
+}
+}
+
+/// Takes a state, cli and a suffix, writes out the current worst case
+macro_rules! do_dump_case {
+( $s:expr,$cli:expr, $c:expr) => {
+    if ($cli.dump_cases) {
+        let dump_path = $cli.dump_name.clone().unwrap().with_extension(if $c=="" {"case"} else {$c});
+        println!("Dumping worst case to {:?}", &dump_path);
+        let corpus = $s.corpus();
+        let mut worst = Duration::new(0,0);
+        let mut worst_input = None;
+        for i in 0..corpus.count() {
+            let tc = corpus.get(corpus.nth(i.into())).expect("Could not get element from corpus").borrow();
+            if worst < tc.exec_time().expect("Testcase missing duration") {
+                worst_input = Some(tc.input().as_ref().unwrap().bytes().to_owned());
+                worst = tc.exec_time().expect("Testcase missing duration");
+            }
+        }
+        if let Some(wi) = worst_input {
+            fs::write(dump_path,wi).expect("Failed to write worst corpus element");
+        }
+    }
+}
+}
+
+/// Takes a state, cli and a suffix, appends icount history
+macro_rules! do_dump_times {
+($state:expr, $cli:expr, $c:expr) => {
+    if $cli.dump_times {
+        let dump_path = $cli.dump_name.clone().unwrap().with_extension(if $c=="" {"time"} else {$c});
+        let mut file = std::fs::OpenOptions::new()
+            .read(true)
+            .write(true)
+            .create(true)
+            .append(true)
+            .open(dump_path).expect("Could not open timedump");
+        if let Ok(ichist) = $state.metadata_mut::<IcHist>() {
+            for i in ichist.0.drain(..) {
+                writeln!(file, "{},{}", i.0, i.1).expect("Write to dump failed");
+            }
+        }
+    }
+};
+}
+
+/// Takes a state and a bool, writes out the current graph
+macro_rules! do_dump_stg {
+($state:expr, $cli:expr, $c:expr) => {
+    #[cfg(feature = "trace_stg")]
+    if $cli.dump_graph {
+        let dump_path = $cli.dump_name.clone().unwrap().with_extension(if $c=="" {"stg"} else {$c});
+        println!("Dumping graph to {:?}", &dump_path);
+        if let Some(md) = $state.named_metadata_map_mut().get_mut::<STGFeedbackState>("stgfeedbackstate") {
+            let out = md.graph.map(|_i,x| x.color_print(), |_i,x| x.color_print());
+            let outs = Dot::with_config(&out, &[]).to_string();
+            let outs = outs.replace("\\\"","\"");
+            let outs = outs.replace(';',"\\n");
+            fs::write(dump_path,outs).expect("Failed to write graph");
+        }
+    }
+};
+}
+
+/// Takes a state and a bool, writes out top rated inputs
+macro_rules! do_dump_toprated {
+($state:expr, $cli:expr, $c:expr) => {
+    if $cli.dump_cases {
+        {
+            let dump_path = $cli.dump_name.clone().unwrap().with_extension(if $c=="" {"toprated"} else {$c});
+            println!("Dumping toprated to {:?}", &dump_path);
+            if let Some(md) = $state.metadata_map_mut().get_mut::<TopRatedsMetadata>() {
+                let mut uniq: Vec<CorpusId> = md.map.values().map(|x| x.clone()).collect();
+                uniq.sort();
+                uniq.dedup();
+                fs::write(dump_path,ron::to_string(&md.map).expect("Failed to serialize metadata")).expect("Failed to write graph");
+            }
+        }
+    }
+};
+}
+
+fn env_from_config(kernel : &PathBuf, path : &PathBuf) {
+let is_csv = path.as_path().extension().map_or(false, |x| x=="csv");
+if !is_csv {
+    let lines = std::fs::read_to_string(path).expect("Config file not found");
+    let lines = lines.lines().filter(
+        |x| x.len()>0
+    );
+    for l in lines {
+        let pair = l.split_once('=').expect("Non VAR=VAL line in config");
+        std::env::set_var(pair.0, pair.1);
+    }
+} else {
+    let mut reader = csv::Reader::from_path(path).expect("CSV read from config failed");
+    let p = kernel.as_path();
+    let stem = p.file_stem().expect("Kernel filename error").to_str().unwrap();
+    for r in reader.records() {
+        let rec = r.expect("CSV entry error");
+        if stem == &rec[0] {
+            std::env::set_var("FUZZ_MAIN", &rec[1]);
+            std::env::set_var("FUZZ_INPUT", &rec[2]);
+            std::env::set_var("FUZZ_INPUT_LEN", &rec[3]);
+            std::env::set_var("BREAKPOINT", &rec[4]);
+            break;
+        }
+    }
+}
+}
+
+// Fuzzer setup ================================================================================
+
+pub fn fuzz() {
+let cli = Cli::parse();
+env_from_config(&cli.kernel, &cli.config);
+unsafe {FUZZ_START_TIMESTAMP = SystemTime::now();}
+if cli.dump_name.is_none() && (cli.dump_times || cli.dump_cases || cli.dump_traces || cli.dump_graph) {
+    panic!("Dump name not give but dump is requested");
+}
+let mut starttime = std::time::Instant::now();
+// Hardcoded parameters
+let timeout = Duration::from_secs(10);
+let broker_port = 1337;
+let cores = Cores::from_cmdline("1").unwrap();
+let corpus_dirs = [PathBuf::from("./corpus")];
+let objective_dir = PathBuf::from("./crashes");
+
+let mut elf_buffer = Vec::new();
+let elf = EasyElf::from_file(
+    &cli.kernel,
+    &mut elf_buffer,
+)
+.unwrap();
+
+// the main address where the fuzzer starts
+// if this is set for freeRTOS it has an influence on where the data will have to be written,
+// since the startup routine copies the data segemnt to it's virtual address
+let main_addr = elf
+    .resolve_symbol(&env::var("FUZZ_MAIN").unwrap_or_else(|_| "FUZZ_MAIN".to_owned()), 0);
+if let Some(main_addr) = main_addr {
+    println!("main address = {:#x}", main_addr);
+}
+
+let input_addr = load_symbol(&elf, &env::var("FUZZ_INPUT").unwrap_or_else(|_| "FUZZ_INPUT".to_owned()), true);
+println!("FUZZ_INPUT @ {:#x}", input_addr);
+
+let input_length_ptr = try_load_symbol(&elf, &env::var("FUZZ_LENGTH").unwrap_or_else(|_| "FUZZ_LENGTH".to_owned()), true);
+let input_counter_ptr = try_load_symbol(&elf, &env::var("FUZZ_POINTER").unwrap_or_else(|_| "FUZZ_POINTER".to_owned()), true);
+
+#[cfg(feature = "observe_systemstate")]
+let curr_tcb_pointer = load_symbol(&elf, "pxCurrentTCB", false); // loads to the address specified in elf, without respecting program headers
+#[cfg(feature = "observe_systemstate")]
+println!("TCB pointer at {:#x}", curr_tcb_pointer);
+#[cfg(feature = "observe_systemstate")]
+let task_queue_addr = load_symbol(&elf, "pxReadyTasksLists", false);
+#[cfg(feature = "observe_systemstate")]
+let task_delay_addr = load_symbol(&elf, "pxDelayedTaskList", false);
+#[cfg(feature = "observe_systemstate")]
+let task_delay_overflow_addr = load_symbol(&elf, "pxOverflowDelayedTaskList", false);
+#[cfg(feature = "observe_systemstate")]
+let scheduler_lock = load_symbol(&elf, "uxSchedulerSuspended", false);
+#[cfg(feature = "observe_systemstate")]
+let scheduler_running = load_symbol(&elf, "xSchedulerRunning", false);
+#[cfg(feature = "observe_systemstate")]
+let critical_section = load_symbol(&elf, "uxCriticalNesting", false);
+let app_start = load_symbol(&elf, "__APP_CODE_START__", false);
+let app_end = load_symbol(&elf, "__APP_CODE_END__", false);
+let app_range = app_start..app_end;
+let api_start = load_symbol(&elf, "__API_CODE_START__", false);
+let api_end = load_symbol(&elf, "__API_CODE_END__", false);
+let api_range = api_start..api_end;
+
+let breakpoint = elf
+    .resolve_symbol(
+        &env::var("BREAKPOINT").unwrap_or_else(|_| "BREAKPOINT".to_owned()),
+        0,
+    )
+    .expect("Symbol or env BREAKPOINT not found");
+println!("Breakpoint address = {:#x}", breakpoint);
+unsafe {
+    libafl_num_interrupts = 0;
+}
+
+if let Ok(input_len) = env::var("FUZZ_INPUT_LEN") {
+    unsafe {MAX_INPUT_SIZE = str::parse::<usize>(&input_len).expect("FUZZ_INPUT_LEN was not a number");}
+}
+unsafe {dbg!(MAX_INPUT_SIZE);}
+
+if let Ok(seed) = env::var("SEED_RANDOM") {
+    unsafe {RNG_SEED = str::parse::<u64>(&seed).expect("SEED_RANDOM must be an integer.");}
+}
+
+let mut api_ranges = get_all_fn_symbol_ranges(&elf, api_range);
+let app_fn_ranges = get_all_fn_symbol_ranges(&elf, app_range.clone());
+
+let mut isr_ranges : HashMap<String,std::ops::Range<GuestAddr>> = systemstate::helpers::ISR_SYMBOLS.iter().filter_map(|x| (api_ranges.get(&x.to_string()).map(|y| (x.to_string(),y.clone())))).collect();
+systemstate::helpers::ISR_SYMBOLS.iter().for_each(|x| {let _ =(app_fn_ranges.get(&x.to_string()).map(|y| (x.to_string(),y.clone()))).map(|y| isr_ranges.insert(y.0,y.1));});    // add used defined isr
+let denylist=isr_ranges.values().map(|x| x.clone()).collect();
+let denylist = QemuInstrumentationFilter::DenyList(denylist); // do not count isr jumps, which are useless
+#[cfg(feature = "observe_systemstate")]
+let mut isr_addreses : HashMap<GuestAddr, String> = systemstate::helpers::ISR_SYMBOLS.iter().filter_map(|x| (api_ranges.remove(&x.to_string()).map(|y| (y.start,x.to_string())))).collect();
+#[cfg(feature = "observe_systemstate")]
+systemstate::helpers::ISR_SYMBOLS.iter().for_each(|x| {let _ =(app_fn_ranges.get(&x.to_string()).map(|y| (x.to_string(),y.clone()))).map(|y| isr_addreses.insert(y.1.start, y.0));});    // add used defined isr
+
+#[cfg(feature = "observe_systemstate")]
+for i in systemstate::helpers::ISR_SYMBOLS {
+    if isr_ranges.get(&i.to_string()).is_none() {
+        if let Some(fr) = get_function_range(&elf, i) {
+            isr_addreses.insert(fr.start, i.to_string());
+            isr_ranges.insert(i.to_string(), fr);
+        }
+    }
+}
+
+#[cfg(feature = "observe_systemstate")]
+let api_addreses : HashMap<GuestAddr, String> = api_ranges.iter().map(|(k,v)| (v.start,k.clone())).collect();
+
+#[cfg(feature = "observe_systemstate")]
+let api_ranges : Vec<_> = api_ranges.into_iter().collect();
+#[cfg(feature = "observe_systemstate")]
+let isr_ranges : Vec<_> = isr_ranges.into_iter().collect();
+
+// Client setup ================================================================================
+
+let mut run_client = |state: Option<_>, mut mgr, _core_id| {
+    // Initialize QEMU
+    let args: Vec<String> = vec![
+        "target/debug/fret",
+        "-icount",
+        &format!("shift={},align=off,sleep=off", QEMU_ICOUNT_SHIFT),
+        "-machine",
+        "mps2-an385",
+        "-cpu",
+        "cortex-m3",
+        "-monitor",
+        "null",
+        "-kernel",
+        &cli.kernel.as_os_str().to_str().expect("kernel path is not a string"),
+        "-serial",
+        "null",
+        "-nographic",
+        "-S",
+        // "-semihosting",
+        // "--semihosting-config",
+        // "enable=on,target=native",
+        "-snapshot",
+        "-drive",
+        "if=none,format=qcow2,file=dummy.qcow2",
+    ].into_iter().map(String::from).collect();
+    let env: Vec<(String, String)> = env::vars().collect();
+    let emu = Emulator::new(&args, &env).expect("Emulator creation failed");
+
+    if let Some(main_addr) = main_addr {
+        unsafe {
+            libafl_qemu_set_native_breakpoint(main_addr);
+            emu.run();
+            libafl_qemu_remove_native_breakpoint(main_addr);
+        }
+    }
+
+    unsafe { libafl_qemu_set_native_breakpoint(breakpoint); }// BREAKPOINT 
+
+    // The wrapped harness function, calling out to the LLVM-style harness
+    let mut harness = |input: &BytesInput| {
+        let target = input.target_bytes();
+        let mut buf = target.as_slice();
+        let mut len = buf.len();
+        unsafe {
+            #[cfg(feature = "fuzz_int")]
+            {
+                let t = input_bytes_to_interrupt_times(buf);
+                for i in 0..t.len() {libafl_interrupt_offsets[i]=t[i];}
+                libafl_num_interrupts=t.len();
+
+                if buf.len() > libafl_num_interrupts*4 {
+                    buf = &buf[libafl_num_interrupts*4..];
+                    len = buf.len();
+                }
+                // for i in 0 .. libafl_num_interrupts {
+                //     libafl_interrupt_offsets[i] = FIRST_INT+TryInto::<u32>::try_into(i).unwrap()*MINIMUM_INTER_ARRIVAL_TIME;
+                // }
+                // println!("Load: {:?}", libafl_interrupt_offsets[0..libafl_num_interrupts].to_vec());
+                }
+                if len > MAX_INPUT_SIZE {
+                    buf = &buf[0..MAX_INPUT_SIZE];
+                    len = MAX_INPUT_SIZE;
+                }
+
+                // Note: I could not find a difference between write_mem and write_phys_mem for my usecase
+                emu.write_mem(input_addr, buf);
+                if let Some(s) = input_length_ptr {
+                    emu.write_mem(s, &len.to_le_bytes())
+                }
+
+                emu.run();
+
+                // If the execution stops at any point other then the designated breakpoint (e.g. a breakpoint on a panic method) we consider it a crash
+                let mut pcs = (0..emu.num_cpus())
+                    .map(|i| emu.cpu_from_index(i))
+                    .map(|cpu| -> Result<u32, String> { cpu.read_reg(Regs::Pc) });
+                match pcs
+                    .find(|pc| (breakpoint..breakpoint + 5).contains(pc.as_ref().unwrap_or(&0)))
+                {
+                    Some(_) => ExitKind::Ok,
+                    None => ExitKind::Crash,
+                }
+            }
+        };
+
+        // Create an observation channel to keep track of the execution time
+        let clock_time_observer = QemuClockObserver::new("clocktime", if cli.dump_times {cli.dump_name.clone().map(|x| x.with_extension("time"))} else {None} );
+
+        // Create an observation channel using the coverage map
+        #[cfg(feature = "observe_edges")]
+        let edges_observer = unsafe { VariableMapObserver::from_mut_slice(
+            "edges",
+            edges_map_mut_slice(),
+            addr_of_mut!(MAX_EDGES_NUM)
+        )};
+        #[cfg(feature = "observer_hitcounts")]
+        let edges_observer = HitcountsMapObserver::new(edges_observer);
+
+        #[cfg(feature = "observe_systemstate")]
+        let stg_coverage_observer = unsafe { VariableMapObserver::from_mut_slice(
+            "stg",
+            stg_map_mut_slice(),
+            addr_of_mut!(MAX_STG_NUM)
+        )};
+
+        #[cfg(feature = "observe_systemstate")]
+        let systemstate_observer = QemuSystemStateObserver::new();
+
+        // Feedback to rate the interestingness of an input
+        // This one is composed by two Feedbacks in OR
+        let mut feedback = feedback_or!(
+            // Time feedback, this one does not need a feedback state
+            ClockTimeFeedback::new_with_observer(&clock_time_observer)
+        );
+        #[cfg(feature = "feed_genetic")]
+        let mut feedback = feedback_or!(
+            feedback,
+            AlwaysTrueFeedback::new()
+        );
+        #[cfg(feature = "feed_afl")]
+        let mut feedback = feedback_or!(
+            feedback,
+            // New maximization map feedback linked to the edges observer and the feedback state
+            MaxMapFeedback::tracking(&edges_observer, true, true)
+        );
+        #[cfg(feature = "feed_longest")]
+        let mut feedback = feedback_or!(
+            // afl feedback needs to be activated first for MapIndexesMetadata
+            feedback,
+            // Feedback to reward any input which increses the execution time
+            ExecTimeIncFeedback::new()
+        );
+        #[cfg(all(feature = "observe_systemstate"))]
+        let mut feedback = feedback_or!(
+            feedback,
+            DumpSystraceFeedback::with_dump(if cli.dump_traces {cli.dump_name.clone().map(|x| x.with_extension("trace.ron"))} else {None})
+        );
+        #[cfg(feature = "trace_stg")]
+        let mut feedback = feedback_or!(
+            feedback,
+            StgFeedback::new(if cli.dump_graph {cli.dump_name.clone()} else {None})
+        );
+        #[cfg(feature = "feed_stg_edge")]
+        let mut feedback = feedback_or!(
+            feedback,
+            MaxMapFeedback::tracking(&stg_coverage_observer, true, true)
+        );
+
+        // A feedback to choose if an input is a solution or not
+        let mut objective = feedback_or_fast!(CrashFeedback::new(), TimeoutFeedback::new(), SystraceErrorFeedback::new(cli.dump_cases || matches!(cli.command, Commands::Fuzz{..})));
+
+        // If not restarting, create a State from scratch
+        let mut state = state.unwrap_or_else(|| {
+            StdState::new(
+                // RNG
+                unsafe {StdRand::with_seed(RNG_SEED) },
+                // Corpus that will be evolved, we keep it in memory for performance
+                InMemoryCorpus::new(),
+                // Corpus in which we store solutions (crashes in this example),
+                // on disk so the user can get them after stopping the fuzzer
+                OnDiskCorpus::new(objective_dir.clone()).unwrap(),
+                // States of the feedbacks.
+                // The feedbacks can report the data that should persist in the State.
+                &mut feedback,
+                // Same for objective feedbacks
+                &mut objective,
+            )
+            .unwrap()
+        });
+
+        // A minimization+queue policy to get testcasess from the corpus
+        #[cfg(not(any(feature = "sched_afl", feature = "sched_stg", feature = "sched_genetic")))]
+        let scheduler = QueueScheduler::new();  // fallback
+        #[cfg(feature = "sched_afl",)]
+        let scheduler = TimeMaximizerCorpusScheduler::new(QueueScheduler::new());
+        #[cfg(feature = "sched_stg")]
+        let scheduler = LongestTraceScheduler::new(GraphMaximizerCorpusScheduler::new(QueueScheduler::new()));
+        #[cfg(feature = "sched_genetic")]
+        let scheduler = GenerationScheduler::new();
+
+        // A fuzzer with feedbacks and a corpus scheduler
+        let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);
+
+        let qhelpers = tuple_list!();
+        #[cfg(feature = "observe_systemstate")]
+        let qhelpers = (QemuSystemStateHelper::new(api_addreses,api_ranges,isr_addreses,isr_ranges,curr_tcb_pointer,task_queue_addr,task_delay_addr,task_delay_overflow_addr,scheduler_lock,scheduler_running, critical_section,input_counter_ptr,app_range.clone()), qhelpers);
+        #[cfg(feature = "observe_edges")]
+        let qhelpers = (QemuEdgeCoverageHelper::new(denylist), qhelpers);
+        let qhelpers = (QemuStateRestoreHelper::new(), qhelpers);
+
+        let mut hooks = QemuHooks::new(emu.clone(),qhelpers);
+
+        let observer_list = tuple_list!();
+        #[cfg(feature = "observe_systemstate")]
+        let observer_list = (systemstate_observer, (stg_coverage_observer, observer_list));  // must come after clock
+        #[cfg(feature = "observe_edges")]
+        let observer_list = (edges_observer, observer_list);
+        let observer_list = (clock_time_observer, observer_list);
+
+        // Create a QEMU in-process executor
+        let executor = QemuExecutor::new(
+            &mut hooks,
+            &mut harness,
+            observer_list,
+            &mut fuzzer,
+            &mut state,
+            &mut mgr,
+        )
+        .expect("Failed to create QemuExecutor");
+
+        // Wrap the executor to keep track of the timeout
+        let mut executor = TimeoutExecutor::new(executor, timeout);
+
+        let mutations = havoc_mutations();
+        // Setup an havoc mutator with a mutational stage
+        let mutator = StdScheduledMutator::new(mutations);
+
+        let stages = ();
+        let mut stages = (StdMutationalStage::new(mutator), stages);
+        #[cfg(feature = "fuzz_int")]
+        let mut stages = (InterruptShiftStage::new(), stages);
+
+        if let Commands::Showmap { input } = cli.command.clone() {
+            let s = input.as_os_str();
+            let show_input = if s=="-" {
+                    let mut buf = Vec::<u8>::new();
+                    std::io::stdin().read_to_end(&mut buf).expect("Could not read Stdin");
+                    buf
+                } else if s=="$" {
+                    env::var("SHOWMAP_TEXTINPUT").expect("SHOWMAP_TEXTINPUT not set").as_bytes().to_owned()
+                } else {
+                    fs::read(s).expect("Input file for DO_SHOWMAP can not be read")
+                };
+            fuzzer.evaluate_input(&mut state, &mut executor, &mut mgr, BytesInput::new(show_input))
+                .unwrap();
+            do_dump_times!(state, &cli, "");
+            do_dump_stg!(state, &cli, "");
+        } else if let Commands::Fuzz { random, time, seed } = cli.command {
+            if let Some(se) = seed {
+                unsafe {
+                    let mut rng = StdRng::seed_from_u64(se);
+                    for i in 0..1000 {
+                        let inp = BytesInput::new(vec![rng.gen::<u8>(); MAX_INPUT_SIZE]);
+                        fuzzer.evaluate_input(&mut state, &mut executor, &mut mgr, inp).unwrap();
+                    }
+                }
+            }
+            else if let Ok(sf) = env::var("SEED_DIR") {
+                state
+                    .load_initial_inputs(&mut fuzzer, &mut executor, &mut mgr, &[PathBuf::from(&sf)])
+                    .unwrap_or_else(|_| {
+                        println!("Failed to load initial corpus at {:?}", &corpus_dirs);
+                        process::exit(0);
+                    });
+                println!("We imported {} inputs from seedfile.", state.corpus().count());
+            } else if state.corpus().count() < 1 {
+                state
+                    .load_initial_inputs(&mut fuzzer, &mut executor, &mut mgr, &corpus_dirs)
+                    .unwrap_or_else(|_| {
+                        println!("Failed to load initial corpus at {:?}", &corpus_dirs);
+                        process::exit(0);
+                    });
+                println!("We imported {} inputs from disk.", state.corpus().count());
+            }
+
+            match time {
+                None => {
+                    fuzzer
+                        .fuzz_loop(&mut stages, &mut executor, &mut state, &mut mgr)
+                        .unwrap();
+                },
+                Some(t) => {
+                    println!("Iterations {}",t);
+                    let num = t;
+                    if random { unsafe {
+                        println!("Random Fuzzing, ignore corpus");
+                        // let mut generator = RandBytesGenerator::new(MAX_INPUT_SIZE);
+                        let target_duration = Duration::from_secs(num);
+                        let start_time = std::time::Instant::now();
+                        let mut rng = StdRng::seed_from_u64(RNG_SEED);
+                        while start_time.elapsed() < target_duration {
+                            // let inp = generator.generate(&mut state).unwrap();
+                            // libafl's generator is too slow
+                            let inp = BytesInput::new(vec![rng.gen::<u8>(); MAX_INPUT_SIZE]);
+                            fuzzer.evaluate_input(&mut state, &mut executor, &mut mgr, inp).unwrap();
+                        }
+                    }} else {
+                        // fuzzer
+                        //     .fuzz_loop_for_duration(&mut stages, &mut executor, &mut state, &mut mgr, Duration::from_secs(num))
+                        //     .unwrap();
+                        fuzzer
+                            .fuzz_loop_until(&mut stages, &mut executor, &mut state, &mut mgr, starttime.checked_add(Duration::from_secs(num)).unwrap())
+                            .unwrap();
+                        #[cfg(feature = "run_until_saturation")]
+                        {
+                            let mut dumper = |marker : String| {
+                                let d = format!("{}.case",marker);
+                                do_dump_case!(state, &cli, &d);
+                                let _d = format!("{}.stg",marker);
+                                do_dump_stg!(state, &cli, &_d);
+                                let d = format!("{}.toprated",marker);
+                                do_dump_toprated!(state, &cli, &d);
+                            };
+
+                            dumper(format!(".iter_{}",t));
+                            do_dump_times!(state, &cli, "");
+
+                            println!("Start running until saturation");
+                            let mut last = state.metadata_map().get::<IcHist>().unwrap().1;
+                            while SystemTime::now().duration_since(unsafe {FUZZ_START_TIMESTAMP}).unwrap().as_millis() < last.1 + Duration::from_secs(10800).as_millis() {
+                                starttime=starttime.checked_add(Duration::from_secs(30)).unwrap();
+                                fuzzer
+                                    .fuzz_loop_until(&mut stages, &mut executor, &mut state, &mut mgr, starttime)
+                                    .unwrap();
+                                let after = state.metadata_map().get::<IcHist>().unwrap().1;
+                                if after.0 > last.0 {
+                                    last=after;
+                                }
+                                do_dump_case!(state, &cli, "");
+                                do_dump_stg!(state, &cli, "");
+                                do_dump_toprated!(state, &cli, "");
+                            }
+                        }
+                    }
+                    do_dump_times!(state, &cli, "");
+                    do_dump_case!(state, &cli, "");
+                    do_dump_stg!(state, &cli, "");
+                    do_dump_toprated!(state, &cli, "");
+                },
+            }
+        }
+        #[cfg(not(feature = "singlecore"))]
+        return Ok(());
+    };
+
+    // Special case where no fuzzing happens, but standard input is dumped
+    if let Ok(input_dump) = env::var("DUMP_SEED") {
+        // Initialize QEMU
+        let args: Vec<String> = env::args().collect();
+        let env: Vec<(String, String)> = env::vars().collect();
+        let emu = Emulator::new(&args, &env).expect("Emu creation failed");
+
+        if let Some(main_addr) = main_addr {
+            unsafe { libafl_qemu_set_native_breakpoint(main_addr); }// BREAKPOINT 
+        }
+        unsafe {
+            emu.run();
+
+            let mut buf = [0u8].repeat(MAX_INPUT_SIZE);
+            emu.read_mem(input_addr, buf.as_mut_slice());
+
+            let dir = env::var("SEED_DIR").map_or("./corpus".to_string(), |x| x);
+            let filename = if input_dump == "" {"input"} else {&input_dump};
+            println!("Dumping input to: {}/{}",&dir,filename);
+            fs::write(format!("{}/{}",&dir,filename), buf).expect("could not write input dump");
+        }
+        return
+}
+
+    #[cfg(feature = "singlecore")]
+    {
+        let monitor = SimpleMonitor::new(|s| println!("{}", s));
+        #[cfg(not(feature = "restarting"))]
+        {
+            let mgr = SimpleEventManager::new(monitor);
+            run_client(None, mgr, 0);
+        }
+
+        #[cfg(feature = "restarting")]
+        {
+            let mut shmem_provider = StdShMemProvider::new().unwrap();
+            let (state, mut mgr) = match SimpleRestartingEventManager::launch(monitor, &mut shmem_provider)
+            {
+                // The restarting state will spawn the same process again as child, then restarted it each time it crashes.
+                Ok(res) => res,
+                Err(err) => match err {
+                    Error::ShuttingDown => {
+                        return;
+                    }
+                    _ => {
+                        panic!("Failed to setup the restarter: {}", err);
+                    }
+                },
+            };
+            run_client(state, mgr, 0);
+        }
+    }
+    // else -> multicore
+    #[cfg(not(feature = "singlecore"))]
+    {
+        // The shared memory allocator
+        let shmem_provider = StdShMemProvider::new().expect("Failed to init shared memory");
+
+        // The stats reporter for the broker
+        let monitor = MultiMonitor::new(|s| println!("{}", s));
+
+        // Build and run a Launcher
+        match Launcher::builder()
+            .shmem_provider(shmem_provider)
+            .broker_port(broker_port)
+            .configuration(EventConfig::from_build_id())
+            .monitor(monitor)
+            .run_client(&mut run_client)
+            .cores(&cores)
+            // .stdout_file(Some("/dev/null"))
+            .build()
+            .launch()
+        {
+            Ok(()) => (),
+            Err(Error::ShuttingDown) => println!("Fuzzing stopped by user. Good bye."),
+            Err(err) => panic!("Failed to run launcher: {:?}", err),
+        }
+    }
+}

fuzzers/FRET/src/lib.rs

@@ -0,0 +1,12 @@
+#[cfg(target_os = "linux")]
+mod fuzzer;
+#[cfg(target_os = "linux")]
+mod clock;
+#[cfg(target_os = "linux")]
+mod qemustate;
+#[cfg(target_os = "linux")]
+pub mod systemstate;
+#[cfg(target_os = "linux")]
+mod mutational;
+#[cfg(target_os = "linux")]
+mod worst;

fuzzers/FRET/src/main.rs

@@ -0,0 +1,23 @@
+//! A libfuzzer-like fuzzer using qemu for binary-only coverage
+#[cfg(target_os = "linux")]
+mod fuzzer;
+#[cfg(target_os = "linux")]
+mod clock;
+#[cfg(target_os = "linux")]
+mod qemustate;
+#[cfg(target_os = "linux")]
+mod systemstate;
+#[cfg(target_os = "linux")]
+mod worst;
+#[cfg(target_os = "linux")]
+mod mutational;
+
+#[cfg(target_os = "linux")]
+pub fn main() {
+    fuzzer::fuzz();
+}
+
+#[cfg(not(target_os = "linux"))]
+pub fn main() {
+    panic!("qemu-user and libafl_qemu is only supported on linux!");
+}

fuzzers/FRET/src/mutational.rs

@@ -0,0 +1,346 @@
+//| The [`MutationalStage`] is the default stage used during fuzzing.
+//! For the current input, it will perform a range of random mutations, and then run them in the executor.
+
+use core::marker::PhantomData;
+use std::cmp::{max, min};
+
+use hashbrown::HashMap;
+use libafl_bolts::rands::{
+    StdRand, RandomSeed,
+    Rand
+};
+use libafl::{
+    corpus::{self, Corpus}, fuzzer::Evaluator, mark_feature_time, prelude::{new_hash_feedback, CorpusId, HasBytesVec, MutationResult, Mutator, UsesInput}, stages::Stage, start_timer, state::{HasCorpus, HasMetadata, HasNamedMetadata, HasRand, MaybeHasClientPerfMonitor, UsesState}, Error
+};
+use libafl::prelude::State;
+use crate::{clock::{IcHist, QEMU_ISNS_PER_USEC}, fuzzer::{DO_NUM_INTERRUPT, FIRST_INT, MAX_NUM_INTERRUPT}, systemstate::{stg::{STGFeedbackState, STGNodeMetadata}, CaptureEvent, ExecInterval, FreeRTOSSystemStateMetadata, ReducedFreeRTOSSystemState}};
+
+pub static mut MINIMUM_INTER_ARRIVAL_TIME : u32 = 1000 /*us*/ * QEMU_ISNS_PER_USEC; 
+// one isn per 2**4 ns
+// virtual insn/sec 62500000 = 1/16 GHz
+// 1ms = 62500 insn
+// 1us = 62.5 insn
+
+pub fn input_bytes_to_interrupt_times(buf: &[u8]) -> Vec<u32> {
+    let len = buf.len();
+    let mut start_tick : u32 = 0;
+    let mut ret = Vec::with_capacity(DO_NUM_INTERRUPT);
+    for i in 0..DO_NUM_INTERRUPT {
+        let mut t : [u8; 4] = [0,0,0,0];
+        if len > (i+1)*4 {
+            for j in 0usize..4usize {
+                t[j]=buf[i*4+j];
+            }
+            start_tick = u32::from_le_bytes(t);
+            if start_tick < FIRST_INT {start_tick=0;}
+            ret.push(start_tick);
+        } else {break;}
+    }
+    ret.sort_unstable();
+    // obey the minimum inter arrival time while maintaining the sort
+    for i in 0..ret.len() {
+        if ret[i]==0 {continue;}
+        for j in i+1..ret.len()-1 {
+            if ret[j]-ret[i] < unsafe{MINIMUM_INTER_ARRIVAL_TIME} {
+                ret[j] = u32::saturating_add(ret[i],unsafe{MINIMUM_INTER_ARRIVAL_TIME});
+            } else {break;}
+        }
+    }
+    ret
+}
+
+
+//======================= Custom mutator
+
+/// The default mutational stage
+#[derive(Clone, Debug, Default)]
+pub struct InterruptShiftStage<E, EM, Z> {
+    #[allow(clippy::type_complexity)]
+    phantom: PhantomData<(E, EM, Z)>,
+}
+
+impl<E, EM, Z> InterruptShiftStage<E, EM, Z>
+where
+    E: UsesState<State = Z::State>,
+    EM: UsesState<State = Z::State>,
+    Z: Evaluator<E, EM>,
+    Z::State: MaybeHasClientPerfMonitor + HasCorpus + HasRand,
+{
+    pub fn new() -> Self {
+        Self { phantom: PhantomData }
+    }
+}
+
+impl<E, EM, Z> Stage<E, EM, Z> for InterruptShiftStage<E, EM, Z>
+where
+    E: UsesState<State = Z::State>,
+    EM: UsesState<State = Z::State>,
+    Z: Evaluator<E, EM>,
+    Z::State: MaybeHasClientPerfMonitor + HasCorpus + HasRand + HasMetadata + HasNamedMetadata,
+    <Z::State as UsesInput>::Input: HasBytesVec
+{
+    fn perform(
+        &mut self,
+        fuzzer: &mut Z,
+        executor: &mut E,
+        state: &mut Self::State,
+        manager: &mut EM,
+        corpus_idx: CorpusId,
+    ) -> Result<(), Error> {
+        let mut _input = state
+                .corpus()
+                .get(corpus_idx)?
+                .borrow_mut().clone();
+        let mut newinput = _input.input_mut().as_mut().unwrap().clone();
+        let mut do_rerun = false;
+        // if state.rand_mut().between(1, 100) <= 50 // only attempt the mutation half of the time
+        {
+            // need our own random generator, because borrowing rules
+            let mut myrand = StdRand::new();
+            let mut target_bytes : Vec<u8> = vec![];
+            {
+                let input = _input.input_mut().as_ref().unwrap();
+                target_bytes = input.bytes().to_vec();
+                let tmp = &mut state.rand_mut();
+                myrand.set_seed(tmp.next());   
+            }
+
+            // produce a slice of absolute interrupt times
+            let mut interrupt_offsets : [u32; MAX_NUM_INTERRUPT] = [u32::MAX; MAX_NUM_INTERRUPT];
+            let mut num_interrupts : usize = 0;
+            {
+                let t = input_bytes_to_interrupt_times(&target_bytes);
+                for i in 0..t.len() {interrupt_offsets[i]=t[i];}
+                num_interrupts=t.len();
+            }
+            interrupt_offsets.sort_unstable();
+
+            // println!("Vor Mutator: {:?}", interrupt_offsets[0..num_interrupts].to_vec());
+            // let num_i = min(target_bytes.len() / 4, DO_NUM_INTERRUPT);
+            let mut suffix = target_bytes.split_off(4 * num_interrupts);
+            let mut prefix : Vec<[u8; 4]> = vec![];
+            // let mut suffix : Vec<u8> = vec![];
+            #[cfg(feature = "mutate_stg")]
+            {
+                let metadata = state.metadata_map();
+                let hist = metadata.get::<IcHist>().unwrap();
+                let maxtick : u64 = hist.1.0;
+                drop(hist);
+                if interrupt_offsets[0] as u64 > maxtick {  // place interrupt in reachable range
+                    do_rerun = true;
+                    for _ in 0..num_interrupts {
+                        prefix.push(u32::to_le_bytes(myrand.between(0, min(maxtick, u32::MAX as u64)).try_into().expect("ticks > u32")));
+                    }
+                } else {
+                    // let choice = myrand.between(1,100);
+                    // if choice <= 25 {  // 0.5*0.25 = 12.5% of the time fully randomize all interrupts
+                    //     do_rerun = true;
+                    //     // let metadata = state.metadata_map();
+                    //     let hist = metadata.get::<IcHist>().unwrap();
+                    //     let maxtick : u64 = hist.1.0;
+                    //     // let maxtick : u64 = (_input.exec_time().expect("No duration found").as_nanos() >> 4).try_into().unwrap();
+                    //     let mut numbers : Vec<u32> = vec![];
+                    //     for i in 0..num_interrupts {
+                    //         prefix.push(u32::to_le_bytes(myrand.between(0, min(maxtick, u32::MAX as u64)).try_into().expect("ticks > u32")));
+                    //     }
+                    // }
+                    // else if choice <= 75 { // 0.5 * 0.25 = 12.5% of cases
+                    //     let feedbackstate = match state
+                    //         .named_metadata_map_mut()
+                    //         .get_mut::<STGFeedbackState>("stgfeedbackstate") {
+                    //             Some(s) => s,
+                    //             None => {
+                    //                 panic!("STGfeedbackstate not visible")
+                    //             }
+                    //         };
+                    //     let tmp = _input.metadata_map().get::<STGNodeMetadata>();
+                    //     if tmp.is_some() {
+                    //         let trace = tmp.expect("STGNodeMetadata not found");
+                    //         let mut node_indices = vec![];
+                    //         for i in (0..trace.intervals.len()).into_iter() {
+                    //             if let Some(abb) = &trace.intervals[i].abb {
+                    //                 if let Some(idx) = feedbackstate.state_abb_hash_index.get(&(abb.get_hash(), trace.intervals[i].start_state)) {
+                    //                     node_indices.push(Some(idx));
+                    //                     continue;
+                    //                 }
+                    //             }
+                    //             node_indices.push(None);
+                    //         }
+                    //         // let mut marks : HashMap<u32, usize>= HashMap::new(); // interrupt -> block hit
+                    //         // for i in 0..trace.intervals.len() {
+                    //         //     let curr = &trace.intervals[i];
+                    //         //     let m = interrupt_offsets[0..num_interrupts].iter().filter(|x| (curr.start_tick..curr.end_tick).contains(&((**x) as u64)));
+                    //         //     for k in m {
+                    //         //         marks.insert(*k,i);
+                    //         //     }
+                    //         // }
+                    //         // walk backwards trough the trace and try moving the interrupt to a block that does not have an outgoing interrupt edge or ist already hit by a predecessor
+                    //         for i in (0..num_interrupts).rev() {
+                    //             let mut lb = FIRST_INT;
+                    //             let mut ub : u32 = trace.intervals[trace.intervals.len()-1].end_tick.try_into().expect("ticks > u32");
+                    //             if i > 0 {
+                    //                 lb = u32::saturating_add(interrupt_offsets[i-1],unsafe{MINIMUM_INTER_ARRIVAL_TIME});
+                    //             }
+                    //             if i < num_interrupts-1 {
+                    //                 ub = u32::saturating_sub(interrupt_offsets[i+1],unsafe{MINIMUM_INTER_ARRIVAL_TIME});
+                    //             }
+                    //             let alternatives : Vec<_> = (0..trace.intervals.len()).filter(|x|
+                    //                 node_indices[*x].is_some() &&
+                    //                 (trace.intervals[*x].start_tick < (lb as u64) && (lb as u64) < trace.intervals[*x].end_tick
+                    //                 || trace.intervals[*x].start_tick > (lb as u64) && trace.intervals[*x].start_tick < (ub as u64))
+                    //             ).collect();
+                    //             let not_yet_hit : Vec<_> = alternatives.iter().filter(
+                    //                 |x| feedbackstate.graph.edges_directed(*node_indices[**x].unwrap(), petgraph::Direction::Outgoing).any(|y| y.weight().event != CaptureEvent::ISRStart)).collect();
+                    //             if not_yet_hit.len() > 0 {
+                    //                 let replacement = &trace.intervals[*myrand.choose(not_yet_hit)];
+                    //                 interrupt_offsets[i] = (myrand.between(replacement.start_tick,
+                    //                     replacement.end_tick)).try_into().expect("ticks > u32");
+                    //                 // println!("chose new alternative, i: {} {} -> {}",i,tmp, interrupt_offsets[i]);
+                    //                 do_rerun = true;
+                    //                 break;
+                    //             }
+                    //         }
+                    //     }
+                    // }
+                    // else {    // old version of the alternative search
+                    {
+                        let tmp = _input.metadata_map().get::<STGNodeMetadata>();
+                        if tmp.is_some() {
+                        let trace = tmp.expect("STGNodeMetadata not found");
+
+                        // calculate hits and identify snippets
+                        let mut last_m = false;
+                        let mut marks : Vec<(&ExecInterval, usize, usize)>= vec![]; // 1: got interrupted, 2: interrupt handler
+                        for i in 0..trace.intervals.len() {
+                            let curr = &trace.intervals[i];
+                            let m = interrupt_offsets[0..num_interrupts].iter().any(|x| (curr.start_tick..curr.end_tick).contains(&(*x as u64)));
+                            if m {
+                                marks.push((curr, i, 1));
+                                // println!("1: {}",curr.current_task.0.task_name);
+                            } else if last_m {
+                                marks.push((curr, i, 2));
+                                // println!("2: {}",curr.current_task.0.task_name);
+                            } else {
+                                marks.push((curr, i, 0));
+                            }
+                            last_m = m;
+                        }
+                        for i in 0..num_interrupts {
+                            // bounds based on minimum inter-arrival time
+                            let mut lb = FIRST_INT;
+                            let mut ub : u32 = marks[marks.len()-1].0.end_tick.try_into().expect("ticks > u32");
+                            if i > 0 {
+                                lb = u32::saturating_add(interrupt_offsets[i-1],unsafe{MINIMUM_INTER_ARRIVAL_TIME});
+                            }
+                            if i < num_interrupts-1 {
+                                ub = u32::saturating_sub(interrupt_offsets[i+1],unsafe{MINIMUM_INTER_ARRIVAL_TIME});
+                            }
+                            // get old hit and handler
+                            let old_hit = marks.iter().filter(
+                                |x| x.0.start_tick < (interrupt_offsets[i] as u64) && (interrupt_offsets[i] as u64) < x.0.end_tick
+                            ).next();
+                            let old_handler = match old_hit {
+                                Some(s) => if s.1 < num_interrupts-1 && s.1 < marks.len()-1 {
+                                    Some(marks[s.1+1])
+                                } else {None},
+                                None => None
+                            };
+                            // find reachable alternatives
+                            let alternatives : Vec<_> = marks.iter().filter(|x|
+                                x.2 != 2 &&
+                                (
+                                x.0.start_tick < (lb as u64) && (lb as u64) < x.0.end_tick
+                                || x.0.start_tick > (lb as u64) && x.0.start_tick < (ub as u64))
+                            ).collect();
+                            // in cases there are no alternatives
+                            if alternatives.len() == 0 {
+                                if old_hit.is_none() {
+                                    // choose something random
+                                    let untouched : Vec<_> = marks.iter().filter(
+                                        |x| x.2 == 0
+                                    ).collect();
+                                    if untouched.len() > 0 {
+                                        let tmp = interrupt_offsets[i];
+                                        let choice = myrand.choose(untouched);
+                                        interrupt_offsets[i] = myrand.between(choice.0.start_tick, choice.0.end_tick)
+                                            .try_into().expect("tick > u32");
+                                        do_rerun = true;
+                                    }
+                                    // println!("no alternatives, choose random i: {} {} -> {}",i,tmp,interrupt_offsets[i]);
+                                    continue;
+                                } else {
+                                    // do nothing
+                                    // println!("no alternatives, do nothing i: {} {}",i,interrupt_offsets[i]);
+                                    continue;
+                                }
+                            }
+                            let replacement = myrand.choose(alternatives);
+                            if (old_hit.map_or(false, |x| x == replacement)) {
+                                // use the old value
+                                // println!("chose old value, do nothing i: {} {}",i,interrupt_offsets[i]);
+                                continue;
+                            } else {
+                                let extra = if (old_hit.map_or(false, |x| x.1 < replacement.1)) {
+                                    // move futher back, respect old_handler
+                                    old_handler.map_or(0, |x| x.0.end_tick - x.0.start_tick)
+                                } else { 0 };
+                                let tmp = interrupt_offsets[i];
+                                interrupt_offsets[i] = (myrand.between(replacement.0.start_tick,
+                                    replacement.0.end_tick) + extra).try_into().expect("ticks > u32");
+                                // println!("chose new alternative, i: {} {} -> {}",i,tmp, interrupt_offsets[i]);
+                                do_rerun = true;
+                            }
+                        }
+                        let mut numbers : Vec<u32> = interrupt_offsets[0..num_interrupts].to_vec();
+                        numbers.sort();
+                        // println!("Mutator: {:?}", numbers);
+                        // let mut start : u32 = 0;
+                        // for i in 0..numbers.len() {
+                        //     let tmp = numbers[i];
+                        //     numbers[i] = numbers[i]-start;
+                        //     start = tmp;
+                        // }
+                        for i in 0..numbers.len() {
+                            prefix.push(u32::to_le_bytes(numbers[i]));
+                        }
+                        }
+                    }
+                }
+            }
+            #[cfg(not(feature = "trace_stg"))]
+            {
+                if myrand.between(1,100) <= 25 {  // we have no hint if interrupt times will change anything
+                    do_rerun = true;
+                    let metadata = state.metadata_map();
+                    let hist = metadata.get::<IcHist>().unwrap();
+                    let maxtick : u64 = hist.1.0;
+                    // let maxtick : u64 = (_input.exec_time().expect("No duration found").as_nanos() >> 4).try_into().unwrap();
+                    let mut numbers : Vec<u32> = vec![];
+                    for i in 0..num_interrupts {
+                        prefix.push(u32::to_le_bytes(myrand.between(0, min(maxtick, u32::MAX as u64)).try_into().expect("ticks > u32")));
+                    }
+                }
+            }
+
+            let mut n : Vec<u8> = vec![];
+            n = [prefix.concat(), suffix].concat();
+            newinput.bytes_mut().clear();
+            newinput.bytes_mut().append(&mut n);
+        }
+        // InterruptShifterMutator::mutate(&mut mymut, state, &mut input, 0)?;
+        if do_rerun {
+            let (_, corpus_idx) = fuzzer.evaluate_input(state, executor, manager, newinput)?;
+        }
+        Ok(())
+    }
+}
+
+impl<E, EM, Z> UsesState for InterruptShiftStage<E, EM, Z>
+where
+    E: UsesState<State = Z::State>,
+    EM: UsesState<State = Z::State>,
+    Z: Evaluator<E, EM>,
+    Z::State: MaybeHasClientPerfMonitor + HasCorpus + HasRand,
+{
+    type State = Z::State;
+}

fuzzers/FRET/src/qemustate.rs

@@ -0,0 +1,96 @@
+use libafl::prelude::UsesInput;
+use libafl_qemu::CPUArchState;
+use libafl_qemu::Emulator;
+use libafl_qemu::FastSnapshot;
+use libafl_qemu::QemuExecutor;
+use libafl_qemu::QemuHelper;
+use libafl_qemu::QemuHelperTuple;
+use libafl::{executors::ExitKind, inputs::Input, observers::ObserversTuple, state::HasMetadata};
+use libafl_qemu::QemuHooks;
+
+use libafl_qemu::{
+    emu,
+};
+// TODO be thread-safe maybe with https://amanieu.github.io/thread_local-rs/thread_local/index.html
+#[derive(Debug)]
+pub struct QemuStateRestoreHelper {
+    has_snapshot: bool,
+    use_snapshot: bool,
+    saved_cpu_states: Vec<CPUArchState>,
+    fastsnap: Option<FastSnapshot>
+}
+
+impl QemuStateRestoreHelper {
+    #[must_use]
+    pub fn new() -> Self {
+        Self {
+            has_snapshot: false,
+            use_snapshot: true,
+            saved_cpu_states: vec![],
+            fastsnap: None
+        }
+    }
+}
+
+impl Default for QemuStateRestoreHelper {
+    fn default() -> Self {
+        Self::new()
+    }
+}
+
+impl<S> QemuHelper<S> for QemuStateRestoreHelper
+where
+    S: UsesInput,
+{
+    const HOOKS_DO_SIDE_EFFECTS: bool = true;
+
+    fn init_hooks<QT>(&self, _hooks: &QemuHooks<QT, S>)
+    where
+        QT: QemuHelperTuple<S>,
+    {
+    }
+
+    fn first_exec<QT>(&self, _hooks: &QemuHooks<QT, S>)
+    where
+        QT: QemuHelperTuple<S>,
+    {
+    }
+
+    fn post_exec<OT>(&mut self, emulator: &Emulator, _input: &S::Input, _observers: &mut OT, _exit_kind: &mut ExitKind) {
+        // unsafe { println!("snapshot post {}",emu::icount_get_raw()) };
+    }
+
+    fn pre_exec(&mut self, emulator: &Emulator, _input: &S::Input) {
+        // only restore in pre-exec, to preserve the post-execution state for inspection
+        #[cfg(feature = "snapshot_restore")]
+        {
+            #[cfg(feature = "snapshot_fast")]
+            match self.fastsnap {
+                Some(s) => emulator.restore_fast_snapshot(s),
+                None => {self.fastsnap = Some(emulator.create_fast_snapshot(true));},
+            }
+            #[cfg(not(feature = "snapshot_fast"))]
+            if !self.has_snapshot {
+                emulator.save_snapshot("Start", true);
+                self.has_snapshot = true;
+            }
+            else
+            {
+                emulator.load_snapshot("Start", true);
+            }
+        }
+        #[cfg(not(feature = "snapshot_restore"))]
+        if !self.has_snapshot {
+            self.saved_cpu_states = (0..emulator.num_cpus())
+                .map(|i| emulator.cpu_from_index(i).save_state())
+                .collect();
+            self.has_snapshot = true;
+        } else {
+            for (i, s) in self.saved_cpu_states.iter().enumerate() {
+                emulator.cpu_from_index(i).restore_state(s);
+            }
+        }
+
+        // unsafe { println!("snapshot pre {}",emu::icount_get_raw()) };
+    }
+}

fuzzers/FRET/src/systemstate/ARCH.md

@@ -0,0 +1,6 @@
+# System-state heuristics
+## Information flow
+- ``fuzzer.rs`` resolves symbols and creates ``api_ranges`` and ``isr_ranges``
+- ``helpers::QemuSystemStateHelper`` captures a series of ``RawFreeRTOSSystemState``
+- ``observers::QemuSystemStateObserver`` divides this into ``ReducedFreeRTOSSystemState`` and ``ExecInterval``, the first contains the raw states and the second contains information about the flow between states
+- ``stg::StgFeedback`` builds an stg from the intervals

fuzzers/FRET/src/systemstate/feedbacks.rs

@@ -0,0 +1,283 @@
+use libafl::SerdeAny;
+use libafl_bolts::ownedref::OwnedSlice;
+use libafl::inputs::BytesInput;
+use libafl::prelude::UsesInput;
+use libafl::state::HasNamedMetadata;
+use std::path::PathBuf;
+use crate::clock::QemuClockObserver;
+use libafl::corpus::Testcase;
+use libafl_bolts::tuples::MatchName;
+use std::collections::hash_map::DefaultHasher;
+use std::hash::Hasher;
+use std::hash::Hash;
+use libafl::events::EventFirer;
+use libafl::state::MaybeHasClientPerfMonitor;
+use libafl::prelude::State;
+use libafl::feedbacks::Feedback;
+use libafl_bolts::Named;
+use libafl::Error;
+use hashbrown::HashMap;
+use libafl::{executors::ExitKind, inputs::Input, observers::ObserversTuple, state::HasMetadata};
+use serde::{Deserialize, Serialize};
+
+use super::ExecInterval;
+use super::ReducedFreeRTOSSystemState;
+use super::FreeRTOSSystemStateMetadata;
+use super::observers::QemuSystemStateObserver;
+use petgraph::prelude::DiGraph;
+use petgraph::graph::NodeIndex;
+use petgraph::Direction;
+use std::cmp::Ordering;
+
+//============================= Feedback
+
+/// Shared Metadata for a systemstateFeedback
+#[derive(Debug, Serialize, Deserialize, SerdeAny, Clone, Default)]
+pub struct SystemStateFeedbackState
+{
+    known_traces: HashMap<u64,(u64,u64,usize)>, // encounters,ticks,length
+    longest: Vec<ReducedFreeRTOSSystemState>,
+}
+impl Named for SystemStateFeedbackState
+{
+    #[inline]
+    fn name(&self) -> &str {
+        "systemstate"
+    }
+}
+
+/// A Feedback reporting novel System-State Transitions. Depends on [`QemuSystemStateObserver`]
+#[derive(Serialize, Deserialize, Clone, Debug, Default)]
+pub struct NovelSystemStateFeedback
+{
+    last_trace: Option<Vec<ReducedFreeRTOSSystemState>>,
+    // known_traces: HashMap<u64,(u64,usize)>,
+}
+
+impl<S> Feedback<S> for NovelSystemStateFeedback
+where
+    S: State + UsesInput + MaybeHasClientPerfMonitor + HasNamedMetadata,
+{
+    fn is_interesting<EM, OT>(
+        &mut self,
+        state: &mut S,
+        manager: &mut EM,
+        input: &S::Input,
+        observers: &OT,
+        exit_kind: &ExitKind,
+    ) -> Result<bool, Error>
+    where
+        EM: EventFirer<State = S>,
+        OT: ObserversTuple<S>
+    {
+        let observer = observers.match_name::<QemuSystemStateObserver>("systemstate")
+            .expect("QemuSystemStateObserver not found");
+        let clock_observer = observers.match_name::<QemuClockObserver>("clocktime")  //TODO not fixed
+            .expect("QemuClockObserver not found");
+        let feedbackstate = match state
+            .named_metadata_map_mut()
+            .get_mut::<SystemStateFeedbackState>("systemstate") {
+                Some(s) => s,
+                None => {
+                    let n=SystemStateFeedbackState::default();
+                    state.named_metadata_map_mut().insert(n, "systemstate");
+                    state.named_metadata_map_mut().get_mut::<SystemStateFeedbackState>("systemstate").unwrap()
+                }
+            };
+        // let feedbackstate = state
+        //     .feedback_states_mut()
+        //     .match_name_mut::<systemstateFeedbackState>("systemstate")
+        //     .unwrap();
+        // Do Stuff
+        let mut hasher = DefaultHasher::new();
+        observer.last_run.hash(&mut hasher);
+        let somehash = hasher.finish();
+        let mut is_novel = false;
+        let mut takes_longer = false;
+        match feedbackstate.known_traces.get_mut(&somehash) {
+            None => {
+                is_novel = true;
+                feedbackstate.known_traces.insert(somehash,(1,clock_observer.last_runtime(),observer.last_run.len()));
+            }
+            Some(s) => {
+                s.0+=1;
+                if s.1 < clock_observer.last_runtime() {
+                    s.1 = clock_observer.last_runtime();
+                    takes_longer = true;
+                }
+            }
+        }
+        if observer.last_run.len() > feedbackstate.longest.len() {
+            feedbackstate.longest=observer.last_run.clone();
+        }
+        self.last_trace = Some(observer.last_run.clone());
+        // if (!is_novel) { println!("not novel") };
+        Ok(is_novel | takes_longer)
+    }
+
+    /// Append to the testcase the generated metadata in case of a new corpus item
+    #[inline]
+    fn append_metadata<OT>(&mut self, _state: &mut S, observers: &OT, testcase: &mut Testcase<S::Input>) -> Result<(), Error> {
+        let a = self.last_trace.take();
+        match a {
+            Some(s) => testcase.metadata_map_mut().insert(FreeRTOSSystemStateMetadata::new(s)),
+            None => (),
+        }
+        Ok(())
+    }
+
+    /// Discard the stored metadata in case that the testcase is not added to the corpus
+    #[inline]
+    fn discard_metadata(&mut self, _state: &mut S, _input: &S::Input) -> Result<(), Error> {
+        self.last_trace = None;
+        Ok(())
+    }
+}
+
+impl Named for NovelSystemStateFeedback
+{
+    #[inline]
+    fn name(&self) -> &str {
+        "systemstate"
+    }
+}
+
+//=========================== Debugging Feedback
+/// A [`Feedback`] meant to dump the system-traces for debugging. Depends on [`QemuSystemStateObserver`]
+#[derive(Debug)]
+pub struct DumpSystraceFeedback
+{
+    dumpfile: Option<PathBuf>,
+    dump_metadata: bool,
+    last_states: Option<HashMap<u64, ReducedFreeRTOSSystemState>>,
+    last_trace: Option<Vec<ExecInterval>>,
+}
+
+impl<S> Feedback<S> for DumpSystraceFeedback
+where
+    S: State + UsesInput + MaybeHasClientPerfMonitor,
+{
+    fn is_interesting<EM, OT>(
+        &mut self,
+        state: &mut S,
+        manager: &mut EM,
+        input: &S::Input,
+        observers: &OT,
+        exit_kind: &ExitKind,
+    ) -> Result<bool, Error>
+    where
+        EM: EventFirer<State = S>,
+        OT: ObserversTuple<S>
+    {
+        if self.dumpfile.is_none() {return Ok(false)};
+        let observer = observers.match_name::<QemuSystemStateObserver>("systemstate")
+            .expect("QemuSystemStateObserver not found");
+        let names : Vec<String> = observer.last_run.iter().map(|x| x.current_task.task_name.clone()).collect();
+        match &self.dumpfile {
+            Some(s) => {
+                    std::fs::write(s,ron::to_string(&(&observer.last_trace,&observer.last_states)).expect("Error serializing hashmap")).expect("Can not dump to file");
+                    self.dumpfile = None
+                },
+            None => if self.dump_metadata {println!("{:?}\n{:?}",observer.last_run,names);}
+        };
+        // if self.dump_metadata {self.last_trace=Some(observer.last_trace.clone());}
+        Ok(false)
+    }
+    /// Append to the testcase the generated metadata in case of a new corpus item
+    #[inline]
+    fn append_metadata<OT>(&mut self, _state: &mut S, observers: &OT, testcase: &mut Testcase<S::Input>) -> Result<(), Error> {
+        if !self.dump_metadata {return Ok(());}
+        // let a = self.last_trace.take();
+        // match a {
+        //     Some(s) => testcase.metadata_map_mut().insert(FreeRTOSSystemStateMetadata::new(s)),
+        //     None => (),
+        // }
+        Ok(())
+    }
+
+    /// Discard the stored metadata in case that the testcase is not added to the corpus
+    #[inline]
+    fn discard_metadata(&mut self, _state: &mut S, _input: &S::Input) -> Result<(), Error> {
+        self.last_trace = None;
+        Ok(())
+    }
+}
+
+impl Named for DumpSystraceFeedback
+{
+    #[inline]
+    fn name(&self) -> &str {
+        "Dumpsystemstate"
+    }
+}
+
+impl DumpSystraceFeedback
+{
+    /// Creates a new [`DumpSystraceFeedback`]
+    #[must_use]
+    pub fn new() -> Self {
+        Self {dumpfile: None, dump_metadata: false, last_trace: None, last_states: None }
+    }
+    pub fn with_dump(dumpfile: Option<PathBuf>) -> Self {
+        Self {dumpfile: dumpfile, dump_metadata: false, last_trace: None, last_states: None}
+    }
+    pub fn metadata_only() -> Self {
+        Self {dumpfile: None, dump_metadata: true, last_trace: None, last_states: None}
+    }
+}
+
+
+#[derive(Debug, Default)]
+pub struct SystraceErrorFeedback
+{
+    dump_case: bool
+}
+
+impl<S> Feedback<S> for SystraceErrorFeedback
+where
+    S: State + UsesInput + MaybeHasClientPerfMonitor,
+{
+    fn is_interesting<EM, OT>(
+        &mut self,
+        _state: &mut S,
+        _manager: &mut EM,
+        _input: &S::Input,
+        observers: &OT,
+        _exit_kind: &ExitKind,
+    ) -> Result<bool, Error>
+    where
+        EM: EventFirer<State = S>,
+        OT: ObserversTuple<S>
+    {
+        let observer = observers.match_name::<QemuSystemStateObserver>("systemstate")
+            .expect("QemuSystemStateObserver not found");
+        Ok(self.dump_case&&!observer.success)
+    }
+    /// Append to the testcase the generated metadata in case of a new corpus item
+    #[inline]
+    fn append_metadata<OT>(&mut self, _state: &mut S, _observers: &OT, _testcase: &mut Testcase<S::Input>) -> Result<(), Error> {
+        Ok(())
+    }
+
+    /// Discard the stored metadata in case that the testcase is not added to the corpus
+    #[inline]
+    fn discard_metadata(&mut self, _state: &mut S, _input: &S::Input) -> Result<(), Error> {
+        Ok(())
+    }
+}
+
+impl Named for SystraceErrorFeedback
+{
+    #[inline]
+    fn name(&self) -> &str {
+        "SystraceErrorFeedback"
+    }
+}
+
+impl SystraceErrorFeedback
+{
+    #[must_use]
+    pub fn new(dump_case: bool) -> Self {
+        Self {dump_case}
+    }
+}

fuzzers/FRET/src/systemstate/freertos.rs

@@ -0,0 +1,122 @@
+#![allow(non_camel_case_types,non_snake_case,non_upper_case_globals,deref_nullptr)]
+use serde::{Deserialize, Serialize};
+// Manual Types
+use libafl_qemu::Emulator;
+
+/*========== Start of generated Code =============*/
+pub type char_ptr = ::std::os::raw::c_uint;
+pub type ListItem_t_ptr = ::std::os::raw::c_uint;
+pub type StackType_t_ptr = ::std::os::raw::c_uint;
+pub type void_ptr = ::std::os::raw::c_uint;
+pub type tskTaskControlBlock_ptr = ::std::os::raw::c_uint;
+pub type xLIST_ptr = ::std::os::raw::c_uint;
+pub type xLIST_ITEM_ptr = ::std::os::raw::c_uint;
+/* automatically generated by rust-bindgen 0.59.2 */
+
+pub type __uint8_t = ::std::os::raw::c_uchar;
+pub type __uint16_t = ::std::os::raw::c_ushort;
+pub type __uint32_t = ::std::os::raw::c_uint;
+pub type StackType_t = u32;
+pub type UBaseType_t = ::std::os::raw::c_uint;
+pub type TickType_t = u32;
+#[repr(C)]
+#[derive(Debug, Copy, Clone, Default, Serialize, Deserialize)]
+pub struct xLIST_ITEM {
+    pub xItemValue: TickType_t,
+    pub pxNext: xLIST_ITEM_ptr,
+    pub pxPrevious: xLIST_ITEM_ptr,
+    pub pvOwner: void_ptr,
+    pub pvContainer: xLIST_ptr,
+}
+pub type ListItem_t = xLIST_ITEM;
+#[repr(C)]
+#[derive(Debug, Copy, Clone, Default, Serialize, Deserialize)]
+pub struct xMINI_LIST_ITEM {
+    pub xItemValue: TickType_t,
+    pub pxNext: xLIST_ITEM_ptr,
+    pub pxPrevious: xLIST_ITEM_ptr,
+}
+pub type MiniListItem_t = xMINI_LIST_ITEM;
+#[repr(C)]
+#[derive(Debug, Copy, Clone, Default, Serialize, Deserialize)]
+pub struct xLIST {
+    pub uxNumberOfItems: UBaseType_t,
+    pub pxIndex: ListItem_t_ptr,
+    pub xListEnd: MiniListItem_t,
+}
+pub type List_t = xLIST;
+pub type TaskHandle_t = tskTaskControlBlock_ptr;
+pub const eTaskState_eRunning: eTaskState = 0;
+pub const eTaskState_eReady: eTaskState = 1;
+pub const eTaskState_eBlocked: eTaskState = 2;
+pub const eTaskState_eSuspended: eTaskState = 3;
+pub const eTaskState_eDeleted: eTaskState = 4;
+pub const eTaskState_eInvalid: eTaskState = 5;
+pub type eTaskState = ::std::os::raw::c_uint;
+#[repr(C)]
+#[derive(Debug, Copy, Clone, Default, Serialize, Deserialize)]
+pub struct xTASK_STATUS {
+    pub xHandle: TaskHandle_t,
+    pub pcTaskName: char_ptr,
+    pub xTaskNumber: UBaseType_t,
+    pub eCurrentState: eTaskState,
+    pub uxCurrentPriority: UBaseType_t,
+    pub uxBasePriority: UBaseType_t,
+    pub ulRunTimeCounter: u32,
+    pub pxStackBase: StackType_t_ptr,
+    pub usStackHighWaterMark: u16,
+}
+pub type TaskStatus_t = xTASK_STATUS;
+#[repr(C)]
+#[derive(Debug, Copy, Clone, Default, Serialize, Deserialize)]
+pub struct tskTaskControlBlock {
+    pub pxTopOfStack: StackType_t_ptr,
+    pub xStateListItem: ListItem_t,
+    pub xEventListItem: ListItem_t,
+    pub uxPriority: UBaseType_t,
+    pub pxStack: StackType_t_ptr,
+    pub pcTaskName: [::std::os::raw::c_char; 10usize],
+    pub uxBasePriority: UBaseType_t,
+    pub uxMutexesHeld: UBaseType_t,
+    pub ulNotifiedValue: [u32; 1usize],
+    pub ucNotifyState: [u8; 1usize],
+    pub ucStaticallyAllocated: u8,
+    pub ucDelayAborted: u8,
+}
+pub type tskTCB = tskTaskControlBlock;
+pub type TCB_t = tskTCB;
+/*========== End of generated Code =============*/
+
+pub trait emu_lookup {
+    fn lookup(emu: &Emulator, addr: ::std::os::raw::c_uint) -> Self;
+}
+
+
+#[derive(Debug, Copy, Clone, Serialize, Deserialize)]
+pub enum rtos_struct {
+    TCB_struct(TCB_t),
+    List_struct(List_t),
+    List_Item_struct(ListItem_t),
+    List_MiniItem_struct(MiniListItem_t),
+}
+
+#[macro_export]
+macro_rules! impl_emu_lookup {
+    ($struct_name:ident) => {
+        impl $crate::systemstate::freertos::emu_lookup for $struct_name {
+            fn lookup(emu: &Emulator, addr: ::std::os::raw::c_uint) -> $struct_name {
+                let mut tmp : [u8; std::mem::size_of::<$struct_name>()] = [0u8; std::mem::size_of::<$struct_name>()];
+                unsafe {
+                    emu.read_mem(addr.into(), &mut tmp);
+                    std::mem::transmute::<[u8; std::mem::size_of::<$struct_name>()], $struct_name>(tmp)
+                }
+            }
+        }
+    };
+}
+impl_emu_lookup!(TCB_t);
+impl_emu_lookup!(List_t);
+impl_emu_lookup!(ListItem_t);
+impl_emu_lookup!(MiniListItem_t);
+impl_emu_lookup!(void_ptr);
+impl_emu_lookup!(TaskStatus_t);

fuzzers/FRET/src/systemstate/graph.rs

@@ -0,0 +1,631 @@
+
+use libafl::SerdeAny;
+/// Feedbacks organizing SystemStates as a graph
+use libafl::inputs::HasBytesVec;
+use libafl_bolts::rands::RandomSeed;
+use libafl_bolts::rands::StdRand;
+use libafl::mutators::Mutator;
+use libafl::mutators::MutationResult;
+use libafl::prelude::HasTargetBytes;
+use libafl::prelude::UsesInput;
+use libafl::state::HasNamedMetadata;
+use libafl::state::UsesState;
+use libafl::prelude::State;
+use core::marker::PhantomData;
+use libafl::state::HasCorpus;
+use libafl::state::HasSolutions;
+use libafl::state::HasRand;
+use crate::worst::MaxExecsLenFavFactor;
+use crate::worst::MaxTimeFavFactor;
+use libafl::schedulers::MinimizerScheduler;
+use libafl_bolts::HasRefCnt;
+use libafl_bolts::AsSlice;
+use libafl_bolts::ownedref::OwnedSlice;
+use libafl::inputs::BytesInput;
+use std::path::PathBuf;
+use crate::clock::QemuClockObserver;
+use libafl::corpus::Testcase;
+use libafl_bolts::tuples::MatchName;
+use std::collections::hash_map::DefaultHasher;
+use std::hash::Hasher;
+use std::hash::Hash;
+use libafl::events::EventFirer;
+use libafl::state::MaybeHasClientPerfMonitor;
+use libafl::feedbacks::Feedback;
+use libafl_bolts::Named;
+use libafl::Error;
+use hashbrown::HashMap;
+use libafl::{executors::ExitKind, inputs::Input, observers::ObserversTuple, state::HasMetadata};
+use serde::{Deserialize, Serialize};
+
+use super::ExecInterval;
+use super::ReducedFreeRTOSSystemState;
+use super::FreeRTOSSystemStateMetadata;
+use super::observers::QemuSystemStateObserver;
+use petgraph::prelude::DiGraph;
+use petgraph::graph::NodeIndex;
+use petgraph::Direction;
+use std::cmp::Ordering;
+
+use libafl_bolts::rands::Rand;
+
+//============================= Data Structures
+#[derive(Serialize, Deserialize, Clone, Debug, PartialEq, Default)]
+pub struct VariantTuple
+{
+    pub start_tick: u64,
+    pub end_tick: u64,
+    input_counter: u32,
+    pub input: Vec<u8>, // in the end any kind of input are bytes, regardless of type and lifetime
+}
+impl VariantTuple {
+    fn from(other: &ReducedFreeRTOSSystemState,input: Vec<u8>) -> Self {
+        // VariantTuple{
+        //     start_tick: other.tick,
+        //     end_tick: other.end_tick,
+        //     input_counter: other.input_counter,
+        //     input: input,
+        // }
+        todo!()
+    }
+}
+
+#[derive(Serialize, Deserialize, Clone, Debug, Default)]
+pub struct SysGraphNode
+{
+    base: ReducedFreeRTOSSystemState,
+    pub variants: Vec<VariantTuple>,
+}
+impl SysGraphNode {
+    fn from(base: ReducedFreeRTOSSystemState, input: Vec<u8>) -> Self {
+        SysGraphNode{variants: vec![VariantTuple::from(&base, input)], base:base }
+    }
+    /// unites the variants of this value with another, draining the other if the bases are equal
+    fn unite(&mut self, other: &mut SysGraphNode) -> bool {
+        if self!=other {return false;}
+        self.variants.append(&mut other.variants);
+        self.variants.dedup();
+        return true;
+    }
+    /// add a Varint from a [`RefinedFreeRTOSSystemState`]
+    fn unite_raw(&mut self, other: &ReducedFreeRTOSSystemState, input: &Vec<u8>) -> bool {
+        if &self.base!=other {return false;}
+        self.variants.push(VariantTuple::from(other, input.clone()));
+        self.variants.dedup();
+        return true;
+    }
+    /// add a Varint from a [`RefinedFreeRTOSSystemState`], if it's interesting
+    fn unite_interesting(&mut self, other: &ReducedFreeRTOSSystemState, input: &Vec<u8>) -> bool {
+        // if &self.base!=other {return false;}
+        // let interesting =
+        //     self.variants.iter().all(|x| x.end_tick-x.start_tick<other.end_tick-other.tick) ||    // longest variant
+        //     self.variants.iter().all(|x| x.end_tick-x.start_tick>other.end_tick-other.tick) ||    // shortest variant
+        //     self.variants.iter().all(|x| x.input_counter>other.input_counter) ||                      // longest input
+        //     self.variants.iter().all(|x| x.input_counter<other.input_counter);                        // shortest input
+        // if interesting {
+        //     let var = VariantTuple::from(other, input.clone());
+        //     self.variants.push(var);
+        // }
+        // return interesting;
+        todo!()
+    }
+    pub fn get_taskname(&self) -> &str {
+        &self.base.current_task.task_name
+    }
+    pub fn get_input_counts(&self) -> Vec<u32> {
+        self.variants.iter().map(|x| x.input_counter).collect()
+    }
+    pub fn pretty_print(&self) -> String {
+        let mut ret = String::new();
+        ret.push_str(&format!("{}",&self.base.current_task.task_name));
+        ret.push_str(";Rl:");
+        for i in &self.base.ready_list_after {
+            ret.push_str(&format!(";{}",i.task_name));
+        }
+        ret.push_str(";Dl:");
+        for i in &self.base.delay_list_after {
+            ret.push_str(&format!(";{}",i.task_name));
+        }
+        // println!("{}",ret);
+        ret
+    }
+}
+impl PartialEq for SysGraphNode {
+    fn eq(&self, other: &SysGraphNode) -> bool {
+        self.base==other.base
+    }
+}
+
+// Wrapper around Vec<RefinedFreeRTOSSystemState> to attach as Metadata
+#[derive(Debug, Default, Serialize, Deserialize, Clone)]
+pub struct SysGraphMetadata {
+    pub inner: Vec<NodeIndex>,
+    indices: Vec<usize>,
+    tcref: isize,
+}
+impl SysGraphMetadata {
+    pub fn new(inner: Vec<NodeIndex>) -> Self{
+        Self {indices: inner.iter().map(|x| x.index()).collect(), inner: inner, tcref: 0}
+    }
+}
+impl AsSlice for SysGraphMetadata {
+    /// Convert the slice of system-states to a slice of hashes over enumerated states
+    fn as_slice(&self) -> &[usize] {
+        self.indices.as_slice()
+    }
+
+    type Entry = usize;
+}
+
+impl HasRefCnt for SysGraphMetadata {
+    fn refcnt(&self) -> isize {
+        self.tcref
+    }
+
+    fn refcnt_mut(&mut self) -> &mut isize {
+        &mut self.tcref
+    }
+}
+
+libafl_bolts::impl_serdeany!(SysGraphMetadata);
+
+pub type GraphMaximizerCorpusScheduler<CS> =
+    MinimizerScheduler<CS, MaxTimeFavFactor<<CS as UsesState>::State>,SysGraphMetadata>;
+
+//============================= Graph Feedback
+
+/// Improved System State Graph
+#[derive(Serialize, Deserialize, Clone, Debug, SerdeAny)]
+pub struct SysGraphFeedbackState
+{
+    pub graph: DiGraph<SysGraphNode, ()>,
+    entrypoint: NodeIndex,
+    exit: NodeIndex,
+    name: String,
+}
+impl SysGraphFeedbackState
+{
+    pub fn new() -> Self {
+        let mut graph = DiGraph::<SysGraphNode, ()>::new();
+        let mut entry = SysGraphNode::default();
+        entry.base.current_task.task_name="Start".to_string();
+        let mut exit = SysGraphNode::default();
+        exit.base.current_task.task_name="End".to_string();
+        let entry = graph.add_node(entry);
+        let exit = graph.add_node(exit);
+        Self {graph: graph, entrypoint: entry, exit: exit, name: String::from("SysMap")}
+    }
+    fn insert(&mut self, list: Vec<ReducedFreeRTOSSystemState>, input: &Vec<u8>) {
+        let mut current_index = self.entrypoint;
+        for n in list {
+            let mut done = false;
+            for i in self.graph.neighbors_directed(current_index, Direction::Outgoing) {
+                if n == self.graph[i].base {
+                    done = true;
+                    current_index = i;
+                    break;
+                }
+            }
+            if !done {
+                let j = self.graph.add_node(SysGraphNode::from(n,input.clone()));
+                self.graph.add_edge(current_index, j, ());
+                current_index = j;
+            }
+        }
+    }
+    /// Try adding a system state path from a [Vec<RefinedFreeRTOSSystemState>], return true if the path was interesting
+    fn update(&mut self, list: &Vec<ReducedFreeRTOSSystemState>, input: &Vec<u8>) -> (bool, Vec<NodeIndex>) {
+        let mut current_index = self.entrypoint;
+        let mut novel = false;
+        let mut trace : Vec<NodeIndex> = vec![current_index];
+        for n in list {
+            let mut matching : Option<NodeIndex> = None;
+            for i in self.graph.node_indices() {
+                let tmp = &self.graph[i];
+                if n == &tmp.base {
+                    matching = Some(i);
+                    break;
+                }
+            }
+            match matching {
+                None => {
+                    novel = true;
+                    let j = self.graph.add_node(SysGraphNode::from(n.clone(),input.clone()));
+                    self.graph.update_edge(current_index, j, ());
+                    current_index = j;
+                },
+                Some(i) => {
+                    novel |= self.graph[i].unite_interesting(&n, input);
+                    self.graph.update_edge(current_index, i, ());
+                    current_index = i;
+                }
+            }
+            trace.push(current_index);
+        }
+        if current_index != self.entrypoint {
+            self.graph.update_edge(current_index, self.exit, ());  // every path ends in the exit noded
+        }
+        return (novel, trace);
+    }
+}
+impl Named for SysGraphFeedbackState
+{
+    #[inline]
+    fn name(&self) -> &str {
+        &self.name
+    }
+}
+impl Default for SysGraphFeedbackState {
+    fn default() -> Self {
+        Self::new()
+    }
+}
+impl SysGraphFeedbackState
+{
+    fn reset(&mut self) -> Result<(), Error> {
+        self.graph.clear();
+        let mut entry = SysGraphNode::default();
+        entry.base.current_task.task_name="Start".to_string();
+        let mut exit = SysGraphNode::default();
+        exit.base.current_task.task_name="End".to_string();
+        self.entrypoint = self.graph.add_node(entry);
+        self.exit = self.graph.add_node(exit);
+        Ok(())
+    }
+}
+
+/// A Feedback reporting novel System-State Transitions. Depends on [`QemuSystemStateObserver`]
+#[derive(Serialize, Deserialize, Clone, Debug, Default)]
+pub struct SysMapFeedback
+{
+    name: String,
+    last_trace: Option<Vec<NodeIndex>>,
+}
+impl SysMapFeedback {
+    pub fn new() -> Self {
+        Self {name: String::from("SysMapFeedback"), last_trace: None }
+    }
+}
+
+impl<S> Feedback<S> for SysMapFeedback
+where
+    S: State + UsesInput + MaybeHasClientPerfMonitor + HasNamedMetadata,
+    S::Input: HasTargetBytes,
+{
+    #[allow(clippy::wrong_self_convention)]
+    fn is_interesting<EM, OT>(
+        &mut self,
+        state: &mut S,
+        _manager: &mut EM,
+        _input: &S::Input,
+        observers: &OT,
+        _exit_kind: &ExitKind,
+    ) -> Result<bool, Error>
+    where
+        EM: EventFirer<State = S>,
+        OT: ObserversTuple<S>,
+    {
+        let observer = observers.match_name::<QemuSystemStateObserver>("systemstate")
+            .expect("QemuSystemStateObserver not found");
+        let feedbackstate = match state
+            .named_metadata_map_mut()
+            .get_mut::<SysGraphFeedbackState>("SysMap") {
+                Some(s) => s,
+                None => {
+                    let n=SysGraphFeedbackState::default();
+                    state.named_metadata_map_mut().insert(n, "SysMap");
+                    state.named_metadata_map_mut().get_mut::<SysGraphFeedbackState>("SysMap").unwrap()
+                }
+            };
+        let ret = feedbackstate.update(&observer.last_run, &observer.last_input);
+        self.last_trace = Some(ret.1);
+        Ok(ret.0)
+    }
+
+    /// Append to the testcase the generated metadata in case of a new corpus item
+    #[inline]
+    fn append_metadata<OT>(&mut self, _state: &mut S, _observers: &OT, testcase: &mut Testcase<S::Input>) -> Result<(), Error> {
+        let a = self.last_trace.take();
+        match a {
+            Some(s) => testcase.metadata_map_mut().insert(SysGraphMetadata::new(s)),
+            None => (),
+        }
+        Ok(())
+    }
+
+    /// Discard the stored metadata in case that the testcase is not added to the corpus
+    #[inline]
+    fn discard_metadata(&mut self, _state: &mut S, _input: &S::Input) -> Result<(), Error> {
+        self.last_trace = None;
+        Ok(())
+    }
+}
+impl Named for SysMapFeedback
+{
+    #[inline]
+    fn name(&self) -> &str {
+        &self.name
+    }
+}
+
+//============================= Mutators
+//=============================== Snippets
+// pub struct RandGraphSnippetMutator<I, S>
+// where
+//     I: Input + HasBytesVec,
+//     S: HasRand + HasMetadata + HasCorpus<I> + HasSolutions<I>,
+// {
+//     phantom: PhantomData<(I, S)>,
+// }
+// impl<I, S> RandGraphSnippetMutator<I, S>
+// where
+//     I: Input + HasBytesVec,
+//     S: HasRand + HasMetadata + HasCorpus<I> + HasSolutions<I>,
+// {
+//     pub fn new() -> Self {
+//         RandGraphSnippetMutator{phantom: PhantomData}
+//     }
+// }
+// impl<I, S> Mutator<I, S> for RandGraphSnippetMutator<I, S>
+// where
+//     I: Input + HasBytesVec,
+//     S: HasRand + HasMetadata + HasCorpus<I> + HasSolutions<I>,
+// {
+//     fn mutate(
+//         &mut self, 
+//         state: &mut S, 
+//         input: &mut I, 
+//         _stage_idx: i32
+//     ) -> Result<MutationResult, Error>
+//     {
+//         // need our own random generator, because borrowing rules
+//         let mut myrand = StdRand::new();
+//         let tmp = &mut state.rand_mut();
+//         myrand.set_seed(tmp.next());   
+//         drop(tmp);
+
+//         let feedbackstate = state
+//             .feedback_states()
+//             .match_name::<SysGraphFeedbackState>("SysMap")
+//             .unwrap();
+//         let g = &feedbackstate.graph;
+//         let tmp = state.metadata().get::<SysGraphMetadata>();
+//         if tmp.is_none() {  // if there are no metadata it was probably not interesting anyways
+//             return Ok(MutationResult::Skipped);
+//         }
+//         let trace =tmp.expect("SysGraphMetadata not found");
+//         // follow the path, extract snippets from last reads, find common snippets.
+//         // those are likley keys parts. choose random parts from other sibling traces
+//         let sibling_inputs : Vec<&Vec<u8>>= g[*trace.inner.last().unwrap()].variants.iter().map(|x| &x.input).collect();
+//         let mut snippet_collector = vec![];
+//         let mut per_input_counters = HashMap::<&Vec<u8>,usize>::new(); // ugly workaround to track multiple inputs
+//         for t in &trace.inner {
+//             let node = &g[*t];
+//             let mut per_node_snippets = HashMap::<&Vec<u8>,&[u8]>::new();
+//             for v in &node.variants {
+//                 match per_input_counters.get_mut(&v.input) {
+//                     None => {
+//                         if sibling_inputs.iter().any(|x| *x==&v.input) {    // only collect info about siblin inputs from target
+//                             per_input_counters.insert(&v.input, v.input_counter.try_into().unwrap());
+//                         }
+//                     },
+//                     Some(x) => {
+//                         let x_u = *x;
+//                         if x_u<v.input_counter as usize {
+//                             *x=v.input_counter as usize;
+//                             per_node_snippets.insert(&v.input,&v.input[x_u..v.input_counter as usize]);
+//                         }
+//                     }
+//                 }
+//             }
+//             snippet_collector.push(per_node_snippets);
+//         }
+//         let mut new_input : Vec<u8> = vec![];
+//         for c in snippet_collector {
+//             new_input.extend_from_slice(myrand.choose(c).1);
+//         }
+//         for i in new_input.iter().enumerate() {
+//             input.bytes_mut()[i.0]=*i.1;
+//         }
+
+//         Ok(MutationResult::Mutated)
+//     }
+
+//     fn post_exec(
+//         &mut self, 
+//         _state: &mut S, 
+//         _stage_idx: i32, 
+//         _corpus_idx: Option<usize>
+//     ) -> Result<(), Error> {
+//         Ok(())
+//     }
+// }
+
+// impl<I, S> Named for RandGraphSnippetMutator<I, S>
+// where
+//     I: Input + HasBytesVec,
+//     S: HasRand + HasMetadata + HasCorpus<I> + HasSolutions<I>,
+// {
+//     fn name(&self) -> &str {
+//         "RandGraphSnippetMutator"
+//     }
+// }
+// //=============================== Snippets
+// pub struct RandInputSnippetMutator<I, S>
+// where
+//     I: Input + HasBytesVec,
+//     S: HasRand + HasMetadata + HasCorpus<I> + HasSolutions<I>,
+// {
+//     phantom: PhantomData<(I, S)>,
+// }
+// impl<I, S> RandInputSnippetMutator<I, S>
+// where
+//     I: Input + HasBytesVec,
+//     S: HasRand + HasMetadata + HasCorpus<I> + HasSolutions<I>,
+// {
+//     pub fn new() -> Self {
+//         RandInputSnippetMutator{phantom: PhantomData}
+//     }
+// }
+// impl<I, S> Mutator<I, S> for RandInputSnippetMutator<I, S>
+// where
+//     I: Input + HasBytesVec,
+//     S: HasRand + HasMetadata + HasCorpus<I> + HasSolutions<I>,
+// {
+//     fn mutate(
+//         &mut self, 
+//         state: &mut S, 
+//         input: &mut I, 
+//         _stage_idx: i32
+//     ) -> Result<MutationResult, Error>
+//     {
+//         // need our own random generator, because borrowing rules
+//         let mut myrand = StdRand::new();
+//         let tmp = &mut state.rand_mut();
+//         myrand.set_seed(tmp.next());   
+//         drop(tmp);
+
+//         let feedbackstate = state
+//             .feedback_states()
+//             .match_name::<SysGraphFeedbackState>("SysMap")
+//             .unwrap();
+//         let g = &feedbackstate.graph;
+//         let tmp = state.metadata().get::<SysGraphMetadata>();
+//         if tmp.is_none() {  // if there are no metadata it was probably not interesting anyways
+//             return Ok(MutationResult::Skipped);
+//         }
+//         let trace = tmp.expect("SysGraphMetadata not found");
+
+//         let mut collection : Vec<Vec<u8>> = Vec::new();
+//         let mut current_pointer : usize = 0;
+//         for t in &trace.inner {
+//             let node = &g[*t];
+//             for v in &node.variants {
+//                 if v.input == input.bytes() {
+//                     if v.input_counter > current_pointer.try_into().unwrap() {
+//                         collection.push(v.input[current_pointer..v.input_counter as usize].to_owned());
+//                         current_pointer = v.input_counter as usize;
+//                     }
+//                     break;
+//                 }
+//             }
+//         }
+//         let index_to_mutate = myrand.below(collection.len() as u64) as usize;
+//         for i in 0..collection[index_to_mutate].len() {
+//             collection[index_to_mutate][i] = myrand.below(0xFF) as u8;
+//         }
+//         for i in collection.concat().iter().enumerate() {
+//             input.bytes_mut()[i.0]=*i.1;
+//         }
+
+//         Ok(MutationResult::Mutated)
+//     }
+
+//     fn post_exec(
+//         &mut self, 
+//         _state: &mut S, 
+//         _stage_idx: i32, 
+//         _corpus_idx: Option<usize>
+//     ) -> Result<(), Error> {
+//         Ok(())
+//     }
+// }
+
+// impl<I, S> Named for RandInputSnippetMutator<I, S>
+// where
+//     I: Input + HasBytesVec,
+//     S: HasRand + HasMetadata + HasCorpus<I> + HasSolutions<I>,
+// {
+//     fn name(&self) -> &str {
+//         "RandInputSnippetMutator"
+//     }
+// }
+// //=============================== Suffix
+// pub struct RandGraphSuffixMutator<I, S>
+// where
+//     I: Input + HasBytesVec,
+//     S: HasRand + HasMetadata + HasCorpus<I> + HasSolutions<I>,
+// {
+//     phantom: PhantomData<(I, S)>,
+// }
+// impl<I, S> RandGraphSuffixMutator<I, S>
+// where
+//     I: Input + HasBytesVec,
+//     S: HasRand + HasMetadata + HasCorpus<I> + HasSolutions<I>,
+// {
+//     pub fn new() -> Self {
+//         RandGraphSuffixMutator{phantom: PhantomData}
+//     }
+// }
+// impl<I, S> Mutator<I, S> for RandGraphSuffixMutator<I, S>
+// where
+//     I: Input + HasBytesVec,
+//     S: HasRand + HasMetadata + HasCorpus<I> + HasSolutions<I>,
+// {
+//     fn mutate(
+//         &mut self, 
+//         state: &mut S, 
+//         input: &mut I, 
+//         _stage_idx: i32
+//     ) -> Result<MutationResult, Error>
+//     {
+//         // need our own random generator, because borrowing rules
+//         let mut myrand = StdRand::new();
+//         let tmp = &mut state.rand_mut();
+//         myrand.set_seed(tmp.next());   
+//         drop(tmp);
+
+//         let feedbackstate = state
+//             .feedback_states()
+//             .match_name::<SysGraphFeedbackState>("SysMap")
+//             .unwrap();
+//         let g = &feedbackstate.graph;
+//         let tmp = state.metadata().get::<SysGraphMetadata>();
+//         if tmp.is_none() {  // if there are no metadata it was probably not interesting anyways
+//             return Ok(MutationResult::Skipped);
+//         }
+//         let trace =tmp.expect("SysGraphMetadata not found");
+//         // follow the path, extract snippets from last reads, find common snippets.
+//         // those are likley keys parts. choose random parts from other sibling traces
+//         let inp_c_end = g[*trace.inner.last().unwrap()].base.input_counter;
+//         let mut num_to_reverse = myrand.below(trace.inner.len().try_into().unwrap());
+//         for t in trace.inner.iter().rev() {
+//             let int_c_prefix = g[*t].base.input_counter;
+//             if int_c_prefix < inp_c_end {
+//                 num_to_reverse-=1;
+//                 if num_to_reverse<=0 {
+//                     let mut new_input=input.bytes()[..(int_c_prefix as usize)].to_vec();
+//                     let mut ext : Vec<u8> = (int_c_prefix..inp_c_end).map(|_| myrand.next().to_le_bytes()).flatten().collect();
+//                     new_input.append(&mut ext);
+//                     for i in new_input.iter().enumerate() {
+//                         if input.bytes_mut().len()>i.0 {
+//                             input.bytes_mut()[i.0]=*i.1;
+//                         }
+//                         else { break };
+//                     }
+//                     break;
+//                 }
+//             }
+//         }
+//         Ok(MutationResult::Mutated)
+//     }
+
+//     fn post_exec(
+//         &mut self, 
+//         _state: &mut S, 
+//         _stage_idx: i32, 
+//         _corpus_idx: Option<usize>
+//     ) -> Result<(), Error> {
+//         Ok(())
+//     }
+// }
+
+// impl<I, S> Named for RandGraphSuffixMutator<I, S>
+// where
+//     I: Input + HasBytesVec,
+//     S: HasRand + HasMetadata + HasCorpus<I> + HasSolutions<I>,
+// {
+//     fn name(&self) -> &str {
+//         "RandGraphSuffixMutator"
+//     }
+// }

fuzzers/FRET/src/systemstate/helpers.rs

@@ -0,0 +1,393 @@
+use std::cell::UnsafeCell;
+use std::io::Write;
+use std::ops::Range;
+use hashbrown::HashMap;
+use libafl::prelude::ExitKind;
+use libafl::prelude::UsesInput;
+use libafl_qemu::read_user_reg_unchecked;
+use libafl_qemu::Emulator;
+use libafl_qemu::GuestAddr;
+use libafl_qemu::GuestPhysAddr;
+use libafl_qemu::GuestReg;
+use libafl_qemu::QemuHooks;
+use libafl_qemu::edges::QemuEdgesMapMetadata;
+use libafl_qemu::emu;
+use libafl_qemu::hooks;
+use libafl_qemu::Hook;
+// use crate::systemstate::extract_abbs_from_trace;
+use crate::systemstate::RawFreeRTOSSystemState;
+use crate::systemstate::CURRENT_SYSTEMSTATE_VEC;
+use crate::systemstate::NUM_PRIOS;
+use super::freertos::void_ptr;
+use super::freertos::TCB_t;
+use super::freertos::rtos_struct::List_Item_struct;
+use super::freertos::rtos_struct::*;
+use super::freertos;
+use super::CaptureEvent;
+
+use libafl_qemu::{
+    helper::{QemuHelper, QemuHelperTuple},
+    // edges::SAVED_JUMP,
+};
+
+//============================= Struct definitions
+
+pub static mut INTR_OFFSET : Option<u64> = None;
+pub static mut INTR_DONE : bool = true;
+
+// only used when inputs are injected
+pub static mut NEXT_INPUT : Vec<u8> = Vec::new();
+
+//============================= API symbols
+
+pub const ISR_SYMBOLS : &'static [&'static str] = &[
+// ISRs
+"Reset_Handler","Default_Handler","Default_Handler2","Default_Handler3","Default_Handler4","Default_Handler5","Default_Handler6","vPortSVCHandler","xPortPendSVHandler","xPortSysTickHandler","isr_starter"//,"vTaskGenericNotifyGiveFromISR"
+];
+
+//============================= Qemu Helper
+
+/// A Qemu Helper with reads FreeRTOS specific structs from Qemu whenever certain syscalls occur, also inject inputs
+#[derive(Debug)]
+pub struct QemuSystemStateHelper {
+    // Address of API functions
+    api_fn_addrs: HashMap<GuestAddr, String>,
+    api_fn_ranges: Vec<(String, std::ops::Range<GuestAddr>)>,
+    // Address of interrupt routines
+    isr_addrs: HashMap<GuestAddr, String>,
+    isr_ranges: Vec<(String, std::ops::Range<GuestAddr>)>,
+    tcb_addr: GuestAddr,
+    ready_queues: GuestAddr,
+    delay_queue: GuestAddr,
+    delay_queue_overflow: GuestAddr,
+    scheduler_lock_addr: GuestAddr,
+    scheduler_running_addr: GuestAddr,
+    critical_addr: GuestAddr,
+    input_counter: Option<GuestAddr>,
+    app_range: Range<GuestAddr>,
+}
+
+impl QemuSystemStateHelper {
+    #[must_use]
+    pub fn new(
+        api_fn_addrs: HashMap<GuestAddr, String>,
+        api_fn_ranges: Vec<(String, std::ops::Range<GuestAddr>)>,
+        isr_addrs: HashMap<GuestAddr, String>,
+        isr_ranges: Vec<(String, std::ops::Range<GuestAddr>)>,
+        tcb_addr: GuestAddr,
+        ready_queues: GuestAddr,
+        delay_queue: GuestAddr,
+        delay_queue_overflow: GuestAddr,
+        scheduler_lock_addr: GuestAddr,
+        scheduler_running_addr: GuestAddr,
+        critical_addr: GuestAddr,
+        input_counter: Option<GuestAddr>,
+        app_range: Range<GuestAddr>,
+    ) -> Self {
+        QemuSystemStateHelper {
+            api_fn_addrs,
+            api_fn_ranges,
+            isr_addrs,
+            isr_ranges,
+            tcb_addr: tcb_addr,
+            ready_queues: ready_queues,
+            delay_queue,
+            delay_queue_overflow,
+            scheduler_lock_addr,
+            scheduler_running_addr,
+            critical_addr,
+            input_counter: input_counter,
+            app_range,
+        }
+    }
+}
+
+impl<S> QemuHelper<S> for QemuSystemStateHelper
+where
+    S: UsesInput,
+{
+    fn first_exec<QT>(&self, _hooks: &QemuHooks<QT, S>)
+    where
+        QT: QemuHelperTuple<S>,
+    {
+        // for wp in self.api_fn_addrs.keys() {
+        //     _hooks.instruction(*wp, Hook::Function(exec_syscall_hook::<QT, S>), false);
+        // }
+        for wp in self.isr_addrs.keys() {
+            _hooks.instruction(*wp, Hook::Function(exec_isr_hook::<QT, S>), false);
+        }
+        _hooks.jmps(Hook::Function(gen_jmp_is_syscall::<QT, S>), Hook::Function(trace_jmp::<QT, S>));
+    }
+
+    // TODO: refactor duplicate code
+    fn pre_exec(&mut self, _emulator: &Emulator, _input: &S::Input) {
+        unsafe {
+            CURRENT_SYSTEMSTATE_VEC.clear();
+        }
+    }
+
+    fn post_exec<OT>(&mut self, emulator: &Emulator, _input: &S::Input, _observers: &mut OT, _exit_kind: &mut ExitKind) {
+        trigger_collection(emulator,(0, 0), CaptureEvent::End, self);
+        unsafe {
+            let c = emulator.cpu_from_index(0);
+            let pc = c.read_reg::<i32, u32>(15).unwrap();
+            CURRENT_SYSTEMSTATE_VEC[CURRENT_SYSTEMSTATE_VEC.len()-1].edge = (pc,0);
+            CURRENT_SYSTEMSTATE_VEC[CURRENT_SYSTEMSTATE_VEC.len()-1].capture_point = (CaptureEvent::End,"Breakpoint".to_string());
+        }
+        // Find the first ISREnd of vPortSVCHandler and drop anything before
+        unsafe {
+            let mut index = 0;
+            while index < CURRENT_SYSTEMSTATE_VEC.len() {
+                if CaptureEvent::ISREnd == CURRENT_SYSTEMSTATE_VEC[index].capture_point.0 && CURRENT_SYSTEMSTATE_VEC[index].capture_point.1 == "xPortPendSVHandler" {
+                    break;
+                }
+                index += 1;
+            }
+            CURRENT_SYSTEMSTATE_VEC.drain(..index);
+        }
+    }
+}
+
+fn read_freertos_list(systemstate : &mut RawFreeRTOSSystemState, emulator: &Emulator, target: GuestAddr) -> freertos::List_t {
+    let read : freertos::List_t = freertos::emu_lookup::lookup(emulator, target);
+    let listbytes : GuestAddr = GuestAddr::try_from(std::mem::size_of::<freertos::List_t>()).unwrap();
+
+    let mut next_index = read.pxIndex;
+    for _j in 0..read.uxNumberOfItems {
+        // always jump over the xListEnd marker
+        if (target..target+listbytes).contains(&next_index) {
+            let next_item : freertos::MiniListItem_t = freertos::emu_lookup::lookup(emulator, next_index);
+            let new_next_index=next_item.pxNext;
+            systemstate.dumping_ground.insert(next_index,List_MiniItem_struct(next_item));
+            next_index = new_next_index;
+        }
+        let next_item : freertos::ListItem_t = freertos::emu_lookup::lookup(emulator, next_index);
+        // println!("Item at {}: {:?}",next_index,next_item);
+        if next_item.pvContainer != target {
+            // the list is being modified, abort by setting the list empty
+            eprintln!("Warning: attempted to read a list that is being modified");
+            let mut read=read;
+            read.uxNumberOfItems = 0;
+            return read;
+        }
+        // assert_eq!(next_item.pvContainer,target);
+        let new_next_index=next_item.pxNext;
+        let next_tcb : TCB_t= freertos::emu_lookup::lookup(emulator,next_item.pvOwner);
+        // println!("TCB at {}: {:?}",next_item.pvOwner,next_tcb);
+        systemstate.dumping_ground.insert(next_item.pvOwner,TCB_struct(next_tcb.clone()));
+        systemstate.dumping_ground.insert(next_index,List_Item_struct(next_item));
+        next_index=new_next_index;
+    }
+    // Handle edge case where the end marker was not included yet
+    if (target..target+listbytes).contains(&next_index) {
+        let next_item : freertos::MiniListItem_t = freertos::emu_lookup::lookup(emulator, next_index);
+        systemstate.dumping_ground.insert(next_index,List_MiniItem_struct(next_item));
+    }
+    return read;
+}
+
+#[inline]
+fn trigger_collection(emulator: &Emulator, edge: (GuestAddr, GuestAddr), event: CaptureEvent, h: &QemuSystemStateHelper) {
+    let listbytes : GuestAddr = GuestAddr::try_from(std::mem::size_of::<freertos::List_t>()).unwrap();
+    let mut systemstate = RawFreeRTOSSystemState::default();
+
+    match event {
+        CaptureEvent::APIStart => {
+            let s = h.api_fn_addrs.get(&edge.1).unwrap();
+            systemstate.capture_point=(CaptureEvent::APIStart, s.to_string());
+        },
+        CaptureEvent::APIEnd => {
+            let s = h.api_fn_addrs.get(&edge.0).unwrap();
+            systemstate.capture_point=(CaptureEvent::APIEnd, s.to_string());
+        },
+        CaptureEvent::ISRStart => {
+            let s = h.isr_addrs.get(&edge.1).unwrap();
+            systemstate.capture_point=(CaptureEvent::ISRStart, s.to_string());
+        },
+        CaptureEvent::ISREnd => {
+            let s = h.isr_addrs.get(&edge.0).unwrap();
+            systemstate.capture_point=(CaptureEvent::ISREnd, s.to_string());
+        },
+        CaptureEvent::End => {systemstate.capture_point=(CaptureEvent::End, "".to_string());},
+        CaptureEvent::Undefined => (),
+    }
+
+    if systemstate.capture_point.0 == CaptureEvent::Undefined {
+        // println!("Not found: {:#x} {:#x}", edge.0.unwrap_or(0), edge.1.unwrap_or(0));
+    }
+    systemstate.edge = ((edge.0),(edge.1));
+
+    systemstate.qemu_tick = get_icount(emulator);
+
+    let mut buf : [u8; 4] = [0,0,0,0];
+    match h.input_counter {
+        Some(s) => unsafe { emulator.read_mem(s, &mut buf); },
+        None => (),
+    };
+    systemstate.input_counter = GuestAddr::from_le_bytes(buf);
+
+    let curr_tcb_addr : freertos::void_ptr = freertos::emu_lookup::lookup(emulator, h.tcb_addr);
+    if curr_tcb_addr == 0 {
+        return;
+    };
+
+    // println!("{:?}",std::str::from_utf8(&current_tcb.pcTaskName));
+    let critical : void_ptr = freertos::emu_lookup::lookup(emulator, h.critical_addr);
+    let suspended : void_ptr = freertos::emu_lookup::lookup(emulator, h.scheduler_lock_addr);
+    let running : void_ptr = freertos::emu_lookup::lookup(emulator, h.scheduler_running_addr);
+
+    systemstate.current_tcb = freertos::emu_lookup::lookup(emulator,curr_tcb_addr);
+    // During ISRs it is only safe to extract structs if they are not currently being modified
+    if systemstate.capture_point.0==CaptureEvent::APIStart || systemstate.capture_point.0==CaptureEvent::APIEnd || (critical == 0 && suspended == 0 )  { 
+        // Extract delay list
+        let mut target : GuestAddr = h.delay_queue;
+        target = freertos::emu_lookup::lookup(emulator, target);
+        systemstate.delay_list = read_freertos_list(&mut systemstate, emulator, target);
+
+        // Extract delay list overflow
+        let mut target : GuestAddr = h.delay_queue_overflow;
+        target = freertos::emu_lookup::lookup(emulator, target);
+        systemstate.delay_list_overflow = read_freertos_list(&mut systemstate, emulator, target);
+
+        // Extract priority lists
+        for i in 0..NUM_PRIOS {
+            let target : GuestAddr = listbytes*GuestAddr::try_from(i).unwrap()+h.ready_queues;
+            systemstate.prio_ready_lists[i] = read_freertos_list(&mut systemstate, emulator, target);
+        }
+    }
+
+    
+
+    unsafe { CURRENT_SYSTEMSTATE_VEC.push(systemstate); }
+}
+
+//============================= Trace interrupt service routines
+
+pub fn exec_isr_hook<QT, S>(
+    hooks: &mut QemuHooks<QT, S>,
+    _state: Option<&mut S>,
+    pc: GuestAddr,
+)
+where
+    S: UsesInput,
+    QT: QemuHelperTuple<S>,
+{
+    let emulator = hooks.emulator();
+    let h = hooks.helpers().match_first_type::<QemuSystemStateHelper>().expect("QemuSystemHelper not found in helper tupel");
+    let src = read_rec_return_stackframe(emulator, 0xfffffffc);
+    trigger_collection(emulator, (src, pc), CaptureEvent::ISRStart, h);
+    // println!("Exec ISR Call {:#x} {:#x} {}", src, pc, get_icount(emulator));
+}
+
+//============================= Trace syscalls and returns
+
+pub fn gen_jmp_is_syscall<QT, S>(
+    hooks: &mut QemuHooks<QT, S>,
+    _state: Option<&mut S>,
+    src: GuestAddr,
+    dest: GuestAddr,
+) -> Option<u64>
+where
+    S: UsesInput,
+    QT: QemuHelperTuple<S>,
+{
+    if let Some(h) = hooks.helpers().match_first_type::<QemuSystemStateHelper>() {
+        if h.app_range.contains(&src) && !h.app_range.contains(&dest) && in_any_range(&h.isr_ranges,src).is_none() {
+            if let Some(_) = in_any_range(&h.api_fn_ranges,dest) {
+                // println!("New jmp {:x} {:x}", src, dest);
+                // println!("API Call Edge {:x} {:x}", src, dest);
+                return Some(1);
+                // TODO: trigger collection right here
+                // otherwise there can be a race-condition, where LAST_API_CALL is set before the api starts, if the interrupt handler calls an api function, it will misidentify the callsite of that api call
+            }
+        } else if dest == 0 { // !h.app_range.contains(&src) &&
+            if let Some(_) = in_any_range(&h.api_fn_ranges, src) {
+                // println!("API Return Edge {:#x}", src);
+                return Some(2);
+            }
+            if let Some(_) = in_any_range(&h.isr_ranges, src) {
+                // println!("ISR Return Edge {:#x}", src);
+                return Some(3);
+            }
+        }
+    }
+    return None;
+}
+
+pub fn trace_jmp<QT, S>(
+    hooks: &mut QemuHooks<QT, S>,
+    _state: Option<&mut S>,
+    src: GuestAddr, mut dest: GuestAddr, id: u64
+)
+where
+    S: UsesInput,
+    QT: QemuHelperTuple<S>,
+{
+    let h = hooks.helpers().match_first_type::<QemuSystemStateHelper>().expect("QemuSystemHelper not found in helper tupel");
+    let emulator = hooks.emulator();
+    if id == 1 { // API call
+        trigger_collection(emulator, (src, dest), CaptureEvent::APIStart, h);
+        // println!("Exec API Call {:#x} {:#x} {}", src, dest, get_icount(emulator));
+    } else if id == 2 { // API return
+        // Ignore returns to other APIs or ISRs. We only account for the first call depth of API calls from user space.
+        if in_any_range(&h.api_fn_ranges, dest).is_none() && in_any_range(&h.isr_ranges, dest).is_none() {
+
+            let mut edge = (0, 0);
+            edge.0=in_any_range(&h.api_fn_ranges, src).unwrap().start;
+            edge.1=dest;
+
+            trigger_collection(emulator, edge, CaptureEvent::APIEnd, h);
+            // println!("Exec API Return Edge {:#x} {:#x} {}", src, dest, get_icount(emulator));
+        }
+    } else if id == 3 { // ISR return
+        dest = read_rec_return_stackframe(emulator, dest);
+
+        let mut edge = (0, 0);
+        edge.0=in_any_range(&h.isr_ranges, src).unwrap().start;
+        edge.1=dest;
+
+        trigger_collection(emulator, edge, CaptureEvent::ISREnd, h);
+        // println!("Exec ISR Return Edge {:#x} {:#x} {}", src, dest, get_icount(emulator));
+    }
+}
+
+//============================= Utility functions
+
+fn get_icount(emulator : &Emulator) -> u64 {
+    unsafe {
+        // TODO: investigate why can_do_io is not set sometimes, as this is just a workaround
+        let c = emulator.cpu_from_index(0);
+        let can_do_io = (*c.raw_ptr()).neg.can_do_io;
+        (*c.raw_ptr()).neg.can_do_io = true;
+        let r = emu::icount_get_raw();
+        (*c.raw_ptr()).neg.can_do_io = can_do_io;
+        r
+    }
+}
+
+fn read_rec_return_stackframe(emu : &Emulator, lr : GuestAddr) -> GuestAddr {
+    let lr_ = lr & u32::MAX-1;
+    if lr_ == 0xfffffffc || lr_ == 0xFFFFFFF8 || lr_ == 0xFFFFFFF0 {
+    unsafe {
+        // if 0xFFFFFFF0/1 0xFFFFFFF8/9 -> "main stack" MSP
+        let mut buf = [0u8; 4];
+        let sp : GuestAddr = if lr_ == 0xfffffffc || lr_ == 0xFFFFFFF0 {  // PSP
+            read_user_reg_unchecked(emu) as u32
+        } else {
+            emu.read_reg(13).unwrap()
+        };
+        let ret_pc = sp+0x18;   // https://developer.arm.com/documentation/dui0552/a/the-cortex-m3-processor/exception-model/exception-entry-and-return
+        emu.read_mem(ret_pc, buf.as_mut_slice());
+        return u32::from_le_bytes(buf);
+        // elseif 0xfffffffc/d
+    }} else {
+        return lr;
+    };
+}
+
+pub fn in_any_range<'a>(ranges: &'a Vec<(String, Range<u32>)>, addr : GuestAddr) -> Option<&'a std::ops::Range<GuestAddr>> {
+    for (_,r) in ranges {
+        if r.contains(&addr) {return Some(r);}
+    }
+    return None;
+}

fuzzers/FRET/src/systemstate/mod.rs

@@ -0,0 +1,355 @@
+//! systemstate referes to the State of a FreeRTOS fuzzing target
+use std::collections::hash_map::DefaultHasher;
+use std::fmt;
+use hashbrown::HashSet;
+use libafl_bolts::HasRefCnt;
+use libafl_bolts::AsSlice;
+use libafl_qemu::GuestAddr;
+use std::hash::Hasher;
+use std::hash::Hash;
+use hashbrown::HashMap;
+use serde::{Deserialize, Serialize};
+use std::rc::Rc;
+
+use freertos::TCB_t;
+
+pub mod freertos;
+pub mod helpers;
+pub mod observers;
+pub mod feedbacks;
+pub mod graph;
+pub mod schedulers;
+pub mod stg;
+
+// Constants
+const NUM_PRIOS: usize = 5;
+
+//============================= Struct definitions
+
+#[derive(Debug, Default, Serialize, Deserialize, Clone, Copy, PartialEq, Eq, Hash)]
+pub enum CaptureEvent {
+    APIStart, /// src,dst
+    APIEnd, /// src,dst
+    ISRStart, /// _,dst
+    ISREnd, /// src,_
+    End, /// src,_
+    #[default]
+    Undefined,
+}
+
+
+/// Raw info Dump from Qemu
+#[derive(Debug, Default)]
+pub struct RawFreeRTOSSystemState {
+    qemu_tick: u64,
+    current_tcb: TCB_t,
+    prio_ready_lists: [freertos::List_t; NUM_PRIOS],
+    delay_list: freertos::List_t,
+    delay_list_overflow: freertos::List_t,
+    dumping_ground: HashMap<u32,freertos::rtos_struct>,
+    input_counter: u32,
+    edge: (GuestAddr,GuestAddr),
+    capture_point: (CaptureEvent,String)
+}
+/// List of system state dumps from QemuHelpers
+static mut CURRENT_SYSTEMSTATE_VEC: Vec<RawFreeRTOSSystemState> = vec![];
+
+/// A reduced version of freertos::TCB_t
+#[derive(Debug, Default, Serialize, Deserialize, Clone)]
+pub struct RefinedTCB {
+    pub task_name: String,
+    pub priority: u32,
+    pub base_priority: u32,
+    mutexes_held: u32,
+    // notify_value: u32,
+    notify_state: u8,
+}
+
+impl PartialEq for RefinedTCB {
+    fn eq(&self, other: &Self) -> bool {
+        let ret = self.task_name == other.task_name &&
+        self.priority == other.priority &&
+        self.base_priority == other.base_priority;
+        #[cfg(feature = "do_hash_notify_state")]
+        let ret = ret && self.notify_state == other.notify_state;
+        ret
+    }
+}
+
+impl Hash for RefinedTCB {
+    fn hash<H: Hasher>(&self, state: &mut H) {
+        self.task_name.hash(state);
+        self.priority.hash(state);
+        self.mutexes_held.hash(state);
+        #[cfg(feature = "do_hash_notify_state")]
+        self.notify_state.hash(state);
+        // self.notify_value.hash(state);
+    }
+}
+
+impl RefinedTCB {
+    pub fn from_tcb(input: &TCB_t) -> Self {
+        unsafe {
+            let tmp = std::mem::transmute::<[i8; 10],[u8; 10]>(input.pcTaskName);
+            let name : String = std::str::from_utf8(&tmp).expect("TCB name was not utf8").chars().filter(|x| *x != '\0').collect::<String>();
+            Self {
+                task_name: name,
+                priority: input.uxPriority,
+                base_priority: input.uxBasePriority,
+                mutexes_held: input.uxMutexesHeld,
+                // notify_value: input.ulNotifiedValue[0],
+                notify_state: input.ucNotifyState[0],
+            }
+        }
+    }
+    pub fn from_tcb_owned(input: TCB_t) -> Self {
+        unsafe {
+            let tmp = std::mem::transmute::<[i8; 10],[u8; 10]>(input.pcTaskName);
+            let name : String = std::str::from_utf8(&tmp).expect("TCB name was not utf8").chars().filter(|x| *x != '\0').collect::<String>();
+            Self {
+                task_name: name,
+                priority: input.uxPriority,
+                base_priority: input.uxBasePriority,
+                mutexes_held: input.uxMutexesHeld,
+                // notify_value: input.ulNotifiedValue[0],
+                notify_state: input.ucNotifyState[0],
+            }
+        }
+    }
+}
+
+/// Reduced information about a systems state, without any execution context
+#[derive(Debug, Default, Serialize, Deserialize, Clone)]
+pub struct ReducedFreeRTOSSystemState {
+    // pub tick: u64,
+    pub current_task: RefinedTCB,
+    ready_list_after: Vec<RefinedTCB>,
+    delay_list_after: Vec<RefinedTCB>,
+    // edge: (Option<GuestAddr>,Option<GuestAddr>),
+    // pub capture_point: (CaptureEvent,String),
+    // input_counter: u32
+}
+impl PartialEq for ReducedFreeRTOSSystemState {
+    fn eq(&self, other: &Self) -> bool {
+        self.current_task == other.current_task && self.ready_list_after == other.ready_list_after &&
+            self.delay_list_after == other.delay_list_after
+            // && self.edge == other.edge
+            // && self.capture_point == other.capture_point
+    }
+}
+
+impl Hash for ReducedFreeRTOSSystemState {
+    fn hash<H: Hasher>(&self, state: &mut H) {
+        self.current_task.hash(state);
+        self.ready_list_after.hash(state);
+        self.delay_list_after.hash(state);
+    }
+}
+impl ReducedFreeRTOSSystemState {
+    // fn get_tick(&self) -> u64 {
+    //     self.tick
+    // }
+
+    pub fn print_lists(&self) -> String {
+        let mut ret = String::from("+");
+        for j in self.ready_list_after.iter() {
+            ret.push_str(format!(" {}", j.task_name).as_str());
+        }
+        ret.push_str("\n-");
+        for j in self.delay_list_after.iter() {
+            ret.push_str(format!(" {}", j.task_name).as_str());
+        }
+        ret
+    }
+    pub fn get_hash(&self) -> u64 {
+        let mut h = DefaultHasher::new();
+        self.hash(&mut h);
+        h.finish()
+    }
+}
+
+// #[derive(Debug, Default, Serialize, Deserialize, Clone, PartialEq, Eq, Hash)]
+// pub enum ExecLevel {
+//     APP = 0,
+//     API = 1,
+//     ISR = 2,
+// }
+
+#[derive(Debug, Default, Serialize, Deserialize, Clone, PartialEq, Eq, Hash)]
+pub struct ExecInterval {
+    pub start_tick: u64,
+    pub end_tick: u64,
+    pub start_state: u64,
+    pub end_state: u64,
+    pub start_capture: (CaptureEvent, String),
+    pub end_capture: (CaptureEvent, String),
+    pub level: u8,
+    tick_spend_preempted: u64,
+    pub abb: Option<AtomicBasicBlock>
+}
+
+impl ExecInterval {
+    pub fn get_exec_time(&self) -> u64 {
+        self.end_tick-self.start_tick-self.tick_spend_preempted
+    }
+    pub fn is_valid(&self) -> bool {
+        self.start_tick != 0 || self.end_tick != 0
+    }
+    pub fn invaildate(&mut self) {
+        self.start_tick = 0;
+        self.end_tick = 0;
+    }
+
+    /// Attach this interval to the later one, keep a record of the time spend preempted
+    pub fn try_unite_with_later_interval(&mut self, later_interval : &mut Self) -> bool {
+        if self.end_state!=later_interval.start_state || self.abb!=later_interval.abb || !self.is_valid() || !later_interval.is_valid() {
+            return false;
+        }
+        // assert_eq!(self.end_state, later_interval.start_state);
+        // assert_eq!(self.abb, later_interval.abb);
+        later_interval.tick_spend_preempted += self.tick_spend_preempted + (later_interval.start_tick-self.end_tick);
+        later_interval.start_tick = self.start_tick;
+        later_interval.start_state = self.start_state;
+        self.invaildate();
+        return true;
+    }
+
+    pub fn get_hash_index(&self) -> (u64, u64) {
+        return (self.start_state, self.abb.as_ref().expect("ABB not set").get_hash())
+    }
+}
+
+// Wrapper around Vec<RefinedFreeRTOSSystemState> to attach as Metadata
+#[derive(Debug, Default, Serialize, Deserialize, Clone)]
+pub struct FreeRTOSSystemStateMetadata {
+    pub inner: Vec<ReducedFreeRTOSSystemState>,
+    trace_length: usize,
+    indices: Vec<usize>,    // Hashed enumeration of States
+    tcref: isize,
+}
+impl FreeRTOSSystemStateMetadata {
+    pub fn new(inner: Vec<ReducedFreeRTOSSystemState>) -> Self{
+        let tmp = inner.iter().enumerate().map(|x| compute_hash(x) as usize).collect();
+        Self {trace_length: inner.len(), inner: inner, indices: tmp, tcref: 0}
+    }
+}
+pub fn compute_hash<T>(obj: T) -> u64 
+where
+    T: Hash
+{
+    let mut s = DefaultHasher::new();
+    obj.hash(&mut s);
+    s.finish()
+}
+
+impl AsSlice for FreeRTOSSystemStateMetadata {
+    /// Convert the slice of system-states to a slice of hashes over enumerated states
+    fn as_slice(&self) -> &[usize] {
+        self.indices.as_slice()
+    }
+
+    type Entry = usize;
+}
+
+impl HasRefCnt for FreeRTOSSystemStateMetadata {
+    fn refcnt(&self) -> isize {
+        self.tcref
+    }
+
+    fn refcnt_mut(&mut self) -> &mut isize {
+        &mut self.tcref
+    }
+}
+
+libafl_bolts::impl_serdeany!(FreeRTOSSystemStateMetadata);
+
+#[derive(Default, Serialize, Deserialize, Clone, PartialEq, Eq)]
+pub struct AtomicBasicBlock {
+    start: GuestAddr,
+    ends: HashSet<GuestAddr>,
+    level: u8,
+}
+
+impl Hash for AtomicBasicBlock {
+    fn hash<H: Hasher>(&self, state: &mut H) {
+        // Use a combination of the start address and the set of ending addresses to compute the hash value
+        self.start.hash(state);
+        let mut keys : Vec<_> = self.ends.iter().collect();
+        keys.sort();
+        self.level.hash(state);
+        keys.hash(state);
+    }
+}
+
+impl fmt::Display for AtomicBasicBlock {
+    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+        let mut ends_str = String::new();
+        for end in &self.ends {
+            ends_str.push_str(&format!("0x{:#x}, ", end));
+        }
+        write!(f, "ABB {{ level: {}, start: 0x{:#x}, ends: [{}]}}", self.level, self.start, ends_str.trim().trim_matches(','))
+    }
+}
+impl fmt::Debug for AtomicBasicBlock {
+    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+        let mut ends_str = String::new();
+        for end in &self.ends {
+            ends_str.push_str(&format!("{:#x}, ", end));
+        }
+        write!(f, "ABB {{ level: {}, start: {:#x}, ends: [{}]}}", self.level, self.start, ends_str.trim().trim_matches(','))
+    }
+}
+
+impl PartialOrd for AtomicBasicBlock {
+    fn partial_cmp(&self, other: &AtomicBasicBlock) -> Option<std::cmp::Ordering> {
+        Some(self.cmp(other))
+    }
+}
+
+impl Ord for AtomicBasicBlock {
+    fn cmp(&self, other: &AtomicBasicBlock) -> std::cmp::Ordering {
+        if self.start.cmp(&other.start) == std::cmp::Ordering::Equal {
+            if self.level.cmp(&other.level) != std::cmp::Ordering::Equal {
+                return self.level.cmp(&other.level);
+            }
+            // If the start addresses are equal, compare by 'ends'
+            let end1 = if self.ends.len() == 1 { *self.ends.iter().next().unwrap() as u64 } else {
+                let mut temp = self.ends.iter().collect::<Vec<_>>().into_iter().collect::<Vec<&GuestAddr>>();
+                temp.sort_unstable();
+                let mut h = DefaultHasher::new();
+                temp.hash(&mut h);
+                h.finish()
+            };
+            let end2 = if other.ends.len() == 1 { *self.ends.iter().next().unwrap() as u64 } else {
+                let mut temp = other.ends.iter().collect::<Vec<_>>().into_iter().collect::<Vec<&GuestAddr>>();
+                temp.sort_unstable();
+                let mut h = DefaultHasher::new();
+                temp.hash(&mut h);
+                h.finish()
+            };
+            end1.cmp(&end2)
+        } else {
+            // If the start addresses are not equal, compare by 'start'
+            self.start.cmp(&other.start)
+        }
+    }
+}
+
+impl AtomicBasicBlock {
+    pub fn get_hash(&self) -> u64 {
+        let mut s = DefaultHasher::new();
+        self.hash(&mut s);
+        s.finish()
+    }
+}
+
+
+fn get_task_names(trace: &Vec<ReducedFreeRTOSSystemState>) -> HashSet<String> {
+    let mut ret: HashSet<_, _> = HashSet::new();
+    for state in trace {
+        ret.insert(state.current_task.task_name.to_string());
+    }
+    ret
+}
+
+libafl_bolts::impl_serdeany!(AtomicBasicBlock);

fuzzers/FRET/src/systemstate/observers.rs

@@ -0,0 +1,388 @@
+// use crate::systemstate::IRQ_INPUT_BYTES_NUMBER;
+use libafl::prelude::ExitKind;
+use libafl::{inputs::HasTargetBytes, prelude::UsesInput};
+use libafl_bolts::HasLen;
+use libafl_bolts::Named;
+use libafl_bolts::AsSlice;
+use libafl::Error;
+use libafl::observers::Observer;
+use serde::{Deserialize, Serialize};
+use hashbrown::{HashMap, HashSet};
+use crate::systemstate::CaptureEvent;
+use std::rc::Rc;
+use std::cell::RefCell;
+use std::collections::VecDeque;
+
+use super::{ AtomicBasicBlock, ExecInterval};
+use super::{
+    CURRENT_SYSTEMSTATE_VEC,
+    RawFreeRTOSSystemState,
+    RefinedTCB,
+    ReducedFreeRTOSSystemState,
+    freertos::{List_t, TCB_t, rtos_struct, rtos_struct::*},
+};
+
+//============================= Observer
+
+/// The Qemusystemstate Observer retrieves the systemstate
+/// that will get updated by the target.
+#[derive(Serialize, Deserialize, Debug, Default)]
+#[allow(clippy::unsafe_derive_deserialize)]
+pub struct QemuSystemStateObserver
+{
+    pub last_run: Vec<ReducedFreeRTOSSystemState>,
+    pub last_states: HashMap<u64, ReducedFreeRTOSSystemState>,
+    pub last_trace: Vec<ExecInterval>,
+    pub last_input: Vec<u8>,
+    pub success: bool,
+    name: String,
+}
+
+impl<S> Observer<S> for QemuSystemStateObserver
+where
+    S: UsesInput,
+    S::Input : HasTargetBytes,
+{
+    #[inline]
+    fn pre_exec(&mut self, _state: &mut S, _input: &S::Input) -> Result<(), Error> {
+        unsafe {CURRENT_SYSTEMSTATE_VEC.clear(); }
+        Ok(())
+    }
+
+    #[inline]
+    fn post_exec(&mut self, _state: &mut S, _input: &S::Input, _exit_kind: &ExitKind) -> Result<(), Error> {
+        // unsafe {self.last_run = invalidate_ineffective_isr(refine_system_states(&mut CURRENT_SYSTEMSTATE_VEC));}
+        unsafe {
+            let mut temp = refine_system_states(&mut CURRENT_SYSTEMSTATE_VEC);
+            // fix_broken_trace(&mut temp.1);
+            self.last_run = temp.0.clone();
+            // println!("{:?}",temp);
+            let mut temp = states2intervals(temp.0, temp.1);
+            self.last_trace = temp.0;
+            self.last_states = temp.1;
+            self.success = temp.2;
+            // println!("{:?}",temp);
+        }
+        // let abbs = extract_abbs_from_trace(&self.last_run);
+        // println!("{:?}",abbs);
+        // let abbs = trace_to_state_abb(&self.last_run);
+        // println!("{:?}",abbs);
+        self.last_input=_input.target_bytes().as_slice().to_owned();
+        Ok(())
+    }
+}
+
+impl Named for QemuSystemStateObserver
+{
+    #[inline]
+    fn name(&self) -> &str {
+        self.name.as_str()
+    }
+}
+
+impl HasLen for QemuSystemStateObserver
+{
+    #[inline]
+    fn len(&self) -> usize {
+        self.last_run.len()
+    }
+}
+
+impl QemuSystemStateObserver {
+    pub fn new() -> Self {
+        Self{last_run: vec![], last_trace: vec![], last_input: vec![], name: "systemstate".to_string(), last_states: HashMap::new(), success: false }
+    }
+
+}
+
+//============================= Parsing helpers
+
+/// Parse a List_t containing TCB_t into Vec<TCB_t> from cache. Consumes the elements from cache
+fn tcb_list_to_vec_cached(list: List_t, dump: &mut HashMap<u32,rtos_struct>) -> Vec<TCB_t>
+{
+    let mut ret : Vec<TCB_t> = Vec::new();
+    if list.uxNumberOfItems == 0 {return ret;}
+    let last_list_item = match dump.remove(&list.pxIndex).expect("List_t entry was not in Hashmap") {
+        List_Item_struct(li) => li,
+        List_MiniItem_struct(mli) => match dump.remove(&mli.pxNext).expect("MiniListItem pointer invaild") {
+                List_Item_struct(li) => li,
+                _ => panic!("MiniListItem of a non empty List does not point to ListItem"),
+            },
+        _ => panic!("List_t entry was not a ListItem"),
+    };
+    let mut next_index = last_list_item.pxNext;
+    let last_tcb = match dump.remove(&last_list_item.pvOwner).expect("ListItem Owner not in Hashmap") {
+        TCB_struct(t) => t,
+        _ => panic!("List content does not equal type"),
+    };
+    for _ in 0..list.uxNumberOfItems-1 {
+        let next_list_item = match dump.remove(&next_index).expect("List_t entry was not in Hashmap") {
+            List_Item_struct(li) => li,
+            List_MiniItem_struct(mli) => match dump.remove(&mli.pxNext).expect("MiniListItem pointer invaild") {
+                    List_Item_struct(li) => li,
+                    _ => panic!("MiniListItem of a non empty List does not point to ListItem"),
+                },
+            _ => panic!("List_t entry was not a ListItem"),
+        };
+        match dump.remove(&next_list_item.pvOwner).expect("ListItem Owner not in Hashmap") {
+            TCB_struct(t) => {ret.push(t)},
+            _ => panic!("List content does not equal type"),
+        }
+        next_index=next_list_item.pxNext;
+    }
+    ret.push(last_tcb);
+    ret
+}
+/// Drains a List of raw SystemStates to produce a refined trace
+fn refine_system_states(input: &mut Vec<RawFreeRTOSSystemState>) -> (Vec<ReducedFreeRTOSSystemState>, Vec<(u64, CaptureEvent, String, (u32, u32))>) {
+    let mut ret = (Vec::<_>::new(), Vec::<_>::new());
+    for mut i in input.drain(..) {
+        let cur = RefinedTCB::from_tcb_owned(i.current_tcb);
+        // println!("Refine: {} {:?} {:?} {:x}-{:x}", cur.task_name, i.capture_point.0, i.capture_point.1.to_string(), i.edge.0, i.edge.1);
+        // collect ready list
+        let mut collector = Vec::<RefinedTCB>::new();
+        for j in i.prio_ready_lists.into_iter().rev() {
+            let mut tmp = tcb_list_to_vec_cached(j,&mut i.dumping_ground).iter().map(|x| RefinedTCB::from_tcb(x)).collect();
+            collector.append(&mut tmp);
+        }
+        // collect delay list
+        let mut delay_list : Vec::<RefinedTCB> = tcb_list_to_vec_cached(i.delay_list, &mut i.dumping_ground).iter().map(|x| RefinedTCB::from_tcb(x)).collect();
+        let mut delay_list_overflow : Vec::<RefinedTCB> = tcb_list_to_vec_cached(i.delay_list_overflow, &mut i.dumping_ground).iter().map(|x| RefinedTCB::from_tcb(x)).collect();
+        delay_list.append(&mut delay_list_overflow);
+        delay_list.sort_by(|a,b| a.task_name.cmp(&b.task_name));
+
+        ret.0.push(ReducedFreeRTOSSystemState {
+            current_task: cur,
+            ready_list_after: collector,
+            delay_list_after: delay_list,
+            // input_counter: i.input_counter,//+IRQ_INPUT_BYTES_NUMBER,
+        });
+        ret.1.push((i.qemu_tick, i.capture_point.0, i.capture_point.1.to_string(), i.edge));
+    }
+    return ret;
+}
+
+/// Transform the states and metadata into a list of ExecIntervals
+fn states2intervals(trace: Vec<ReducedFreeRTOSSystemState>, meta: Vec<(u64, CaptureEvent, String, (u32, u32))>) -> (Vec<ExecInterval>, HashMap<u64, ReducedFreeRTOSSystemState>, bool) {
+    if trace.len() == 0 {return (Vec::new(), HashMap::new(), true);}
+    let mut isr_stack : VecDeque<u8> = VecDeque::from([]);  // 2+ = ISR, 1 = systemcall, 0 = APP. Trace starts with an ISREnd and executes the app
+
+
+    let mut level_of_task : HashMap<&str, u8> = HashMap::new();
+
+    let mut ret: Vec<ExecInterval> = vec![];
+    let mut edges: Vec<(u32, u32)> = vec![];
+    let mut last_hash : u64 = trace[0].get_hash();
+    let mut table : HashMap<u64, ReducedFreeRTOSSystemState> = HashMap::new();
+    table.insert(last_hash, trace[0].clone());
+    for i in 0..trace.len()-1 {
+        let curr_name = trace[i].current_task.task_name.as_str();
+        let level = match meta[i].1 {
+            CaptureEvent::APIEnd => { // API end always exits towards the app
+                if !level_of_task.contains_key(curr_name) {
+                    level_of_task.insert(curr_name, 0);
+                }
+                *level_of_task.get_mut(curr_name).unwrap()=0;
+                0
+            },
+            CaptureEvent::APIStart => { // API start can only be called in the app
+                if !level_of_task.contains_key(curr_name) { // Should not happen, apps start from an ISR End. Some input exibited this behavior for unknown reasons
+                    level_of_task.insert(curr_name, 0);
+                }
+                *level_of_task.get_mut(curr_name).unwrap()=1;
+                1
+            },
+            CaptureEvent::ISREnd => {
+                // special case where the next block is an app start
+                if !level_of_task.contains_key(curr_name) {
+                    level_of_task.insert(curr_name, 0);
+                }
+                // nested isr, TODO: Test level > 2
+                if isr_stack.len() > 1 {
+                    isr_stack.pop_back().unwrap();
+                    *isr_stack.back().unwrap()
+                } else {
+                    isr_stack.pop_back();
+                    // possibly go back to an api call that is still running for this task
+                    *level_of_task.get(curr_name).unwrap()
+                }
+            },
+            CaptureEvent::ISRStart => {
+                // special case for isrs which do not capture their end
+                // if meta[i].2 == "isr_starter" {
+                //     &2
+                // } else {
+                // regular case
+                if isr_stack.len() > 0 {
+                    let l = *isr_stack.back().unwrap();
+                    isr_stack.push_back(l+1);
+                    l+1
+                } else {
+                    isr_stack.push_back(2);
+                    2
+                }
+            // }
+            }
+            _ => 100
+        };
+        // if trace[i].2 == CaptureEvent::End {break;}
+        let next_hash=trace[i+1].get_hash();
+        if !table.contains_key(&next_hash) {
+            table.insert(next_hash, trace[i+1].clone());
+        }
+        ret.push(ExecInterval{
+            start_tick: meta[i].0,
+            end_tick: meta[i+1].0,
+            start_state: last_hash,
+            end_state: next_hash,
+            start_capture: (meta[i].1, meta[i].2.clone()),
+            end_capture: (meta[i+1].1, meta[i+1].2.clone()),
+            level: level,
+            tick_spend_preempted: 0,
+            abb: None
+        });
+        last_hash = next_hash;
+        edges.push((meta[i].3.1, meta[i+1].3.0));
+    }
+    let t = add_abb_info(&mut ret, &table, &edges);
+    (ret, table, t)
+}
+
+fn add_abb_info(trace: &mut Vec<ExecInterval>, table: &HashMap<u64, ReducedFreeRTOSSystemState>, edges: &Vec<(u32, u32)>) -> bool {
+    let mut ret = true;
+    let mut task_has_started : HashSet<String> = HashSet::new();
+    let mut wip_abb_trace : Vec<Rc<RefCell<AtomicBasicBlock>>> = vec![];
+    // let mut open_abb_at_this_task_or_level : HashMap<(u8,&str),usize> = HashMap::new();
+    let mut open_abb_at_this_ret_addr_and_task : HashMap<(u32,&str),usize> = HashMap::new();
+
+    for i in 0..trace.len() {
+        let curr_name = &table[&trace[i].start_state].current_task.task_name;
+        // let last : Option<&usize> = last_abb_start_of_task.get(&curr_name);
+
+        // let open_abb = open_abb_at_this_task_or_level.get(&(trace[i].level, if trace[i].level<2 {&curr_name} else {""})).to_owned();  // apps/apis are differentiated by task name, isrs by nested level
+        let open_abb = open_abb_at_this_ret_addr_and_task.get(&(edges[i].0, if trace[i].level<2 {&curr_name} else {""})).to_owned();  // apps/apis are differentiated by task name, isrs by nested level
+
+        // println!("Edge {:x}-{:x}", edges[i].0.unwrap_or(0xffff), edges[i].1.unwrap_or(0xffff));
+
+        match trace[i].start_capture.0 {
+            // generic api abb start
+            CaptureEvent::APIStart => {
+                // assert_eq!(open_abb, None);
+                ret &= open_abb.is_none();
+                open_abb_at_this_ret_addr_and_task.insert((edges[i].1, if trace[i].level<2 {&curr_name} else {""}), i);
+                wip_abb_trace.push(Rc::new(RefCell::new(AtomicBasicBlock{start: edges[i].0, ends: HashSet::new(), level: if trace[i].level<2 {trace[i].level} else {2}})));
+            },
+            // generic isr abb start
+            CaptureEvent::ISRStart => {
+                // assert_eq!(open_abb, None);
+                ret &= open_abb.is_none();
+                open_abb_at_this_ret_addr_and_task.insert((edges[i].1, if trace[i].level<2 {&curr_name} else {""}), i);
+                wip_abb_trace.push(Rc::new(RefCell::new(AtomicBasicBlock{start: edges[i].0, ends: HashSet::new(), level: if trace[i].level<2 {trace[i].level} else {2}})));
+            },
+            // generic app abb start
+            CaptureEvent::APIEnd => {
+                // assert_eq!(open_abb, None);
+                ret &= open_abb.is_none();
+                open_abb_at_this_ret_addr_and_task.insert((edges[i].1, if trace[i].level<2 {&curr_name} else {""}), i);
+                wip_abb_trace.push(Rc::new(RefCell::new(AtomicBasicBlock{start: edges[i].0, ends: HashSet::new(), level: if trace[i].level<2 {trace[i].level} else {2}})));
+            },
+            // generic continued blocks
+            CaptureEvent::ISREnd => {
+                // special case app abb start
+                if trace[i].start_capture.1=="xPortPendSVHandler" && !task_has_started.contains(curr_name) {
+                    // assert_eq!(open_abb, None);
+                    ret &= open_abb.is_none();
+                    wip_abb_trace.push(Rc::new(RefCell::new(AtomicBasicBlock{start: 0, ends: HashSet::new(), level: if trace[i].level<2 {trace[i].level} else {2}})));
+                    open_abb_at_this_ret_addr_and_task.insert((edges[i].1, if trace[i].level<2 {&curr_name} else {""}), i);
+                    task_has_started.insert(curr_name.clone());
+                } else {
+                    if let Some(last) = open_abb_at_this_ret_addr_and_task.get(&(edges[i].0, if trace[i].level<2 {&curr_name} else {""})) {
+                        let last = last.clone(); // required to drop immutable reference
+                        wip_abb_trace.push(wip_abb_trace[last].clone());
+                        // if the abb is interrupted again, it will need to continue at edge[i].1
+                        open_abb_at_this_ret_addr_and_task.remove(&(edges[i].0, if trace[i].level<2 {&curr_name} else {""}));
+                        open_abb_at_this_ret_addr_and_task.insert((edges[i].1, if trace[i].level<2 {&curr_name} else {""}), last);  // order matters!
+                    } else {
+                        // panic!();
+                        // println!("Continued block with no start {} {} {:?} {:?} {:x}-{:x} {} {}", curr_name, trace[i].start_tick, trace[i].start_capture, trace[i].end_capture, edges[i].0, edges[i].1, task_has_started.contains(curr_name),trace[i].level);
+                        // println!("{:x?}", open_abb_at_this_ret_addr_and_task);
+                        ret = false;
+                        wip_abb_trace.push(Rc::new(RefCell::new(AtomicBasicBlock{start: edges[i].1, ends: HashSet::new(), level: if trace[i].level<2 {trace[i].level} else {2}})))
+                    }
+                }
+            },
+            _ => panic!("Undefined block start")
+        }
+        match trace[i].end_capture.0 {
+            // generic app abb end
+            CaptureEvent::APIStart => {
+                let _t = &wip_abb_trace[i];
+                RefCell::borrow_mut(&*wip_abb_trace[i]).ends.insert(edges[i].1);
+                open_abb_at_this_ret_addr_and_task.remove(&(edges[i].1, if trace[i].level<2 {&curr_name} else {""}));
+            },
+            // generic api abb end
+            CaptureEvent::APIEnd => {
+                RefCell::borrow_mut(&*wip_abb_trace[i]).ends.insert(edges[i].1);
+                open_abb_at_this_ret_addr_and_task.remove(&(edges[i].1, if trace[i].level<2 {&curr_name} else {""}));
+            },
+            // generic isr abb end
+            CaptureEvent::ISREnd => {
+                RefCell::borrow_mut(&*wip_abb_trace[i]).ends.insert(edges[i].1);
+                open_abb_at_this_ret_addr_and_task.remove(&(edges[i].1, if trace[i].level<2 {&curr_name} else {""}));
+            },
+            // end anything
+            CaptureEvent::End => {
+                RefCell::borrow_mut(&*wip_abb_trace[i]).ends.insert(edges[i].1);
+                open_abb_at_this_ret_addr_and_task.remove(&(edges[i].1, if trace[i].level<2 {&curr_name} else {""}));
+            },
+            CaptureEvent::ISRStart => (),
+            _ => panic!("Undefined block end")
+        }
+        // println!("{} {} {:x}-{:x} {:x}-{:x} {:?} {:?} {}",curr_name, trace[i].level, edges[i].0, edges[i].1, ((*wip_abb_trace[i])).borrow().start, ((*wip_abb_trace[i])).borrow().ends.iter().next().unwrap_or(&0xffff), trace[i].start_capture, trace[i].end_capture, trace[i].start_tick);
+        // println!("{:x?}", open_abb_at_this_ret_addr_and_task);
+    }
+    // drop(open_abb_at_this_task_or_level);
+
+    for i in 0..trace.len() {
+        trace[i].abb = Some((*wip_abb_trace[i]).borrow().clone());
+    }
+    return ret;
+}
+
+
+/// restore the isr/api begin/end invariant
+fn fix_broken_trace(meta: &mut Vec<(u64, CaptureEvent, String, (Option<u32>, Option<u32>))>) {
+    for i in meta.iter_mut() {
+        if i.1 == CaptureEvent::APIStart && i.2.ends_with("FromISR") {
+            i.1 = CaptureEvent::ISREnd;
+            i.2 = "isr_starter".to_string();
+        }
+    }
+}
+
+/// invalidate subsequent intervals of equal states where an ISREnd follows an ISRStart. If the interrupt had no effect on the system we, are not interested.
+fn invalidate_ineffective_isr(trace: &mut Vec<ExecInterval>) {
+    let mut i = 0;
+    while i < trace.len() - 1 {
+        if trace[i].is_valid() &&
+            matches!(trace[i].start_capture.0, CaptureEvent::ISRStart) && matches!(trace[i].end_capture.0, CaptureEvent::ISREnd) &&
+            trace[i].start_capture.1 == trace[i].end_capture.1 && trace[i].start_state == trace[i].end_state
+        {
+            trace[i].invaildate();
+        }
+    }
+}
+
+/// merge a sequence of intervals of the same state+abb. jump over all invalid blocks.
+fn merge_subsequent_abbs(trace: &mut Vec<ExecInterval>) {
+    let mut i = 1;
+    let mut lst_valid=0;
+    while i < trace.len() - 1 {
+        if trace[i].is_valid() {
+            let mut temp = trace[i].clone();
+            trace[lst_valid].try_unite_with_later_interval(&mut temp);
+            trace[i] = temp;
+            lst_valid = i;
+        }
+    }
+}

fuzzers/FRET/src/systemstate/schedulers.rs

@@ -0,0 +1,275 @@
+//! The Minimizer schedulers are a family of corpus schedulers that feed the fuzzer
+//! with testcases only from a subset of the total corpus.
+
+use core::{marker::PhantomData};
+use std::{cmp::{max, min}, mem::swap, borrow::BorrowMut};
+
+use serde::{Deserialize, Serialize};
+
+use libafl_bolts::{rands::Rand, serdeany::SerdeAny, AsSlice, HasRefCnt, HasLen};
+use libafl::{
+    corpus::{Corpus, Testcase},
+    inputs::UsesInput,
+    schedulers::{Scheduler, TestcaseScore, minimizer::DEFAULT_SKIP_NON_FAVORED_PROB },
+    state::{HasCorpus, HasMetadata, HasRand, UsesState, State},
+    Error, SerdeAny, prelude::CorpusId,
+    
+};
+
+use crate::worst::MaxTimeFavFactor;
+
+use super::{stg::STGNodeMetadata, FreeRTOSSystemStateMetadata};
+
+/// A state metadata holding a map of favoreds testcases for each map entry
+#[derive(Debug, Serialize, Deserialize, SerdeAny, Default)]
+pub struct LongestTracesMetadata {
+    /// map index -> corpus index
+    pub max_trace_length: usize,
+}
+
+impl LongestTracesMetadata {
+    fn new(l : usize) -> Self {
+        Self {max_trace_length: l}
+    }
+}
+
+/// The [`MinimizerScheduler`] employs a genetic algorithm to compute a subset of the
+/// corpus that exercise all the requested features (e.g. all the coverage seen so far)
+/// prioritizing [`Testcase`]`s` using [`TestcaseScore`]
+#[derive(Debug, Clone)]
+pub struct LongestTraceScheduler<CS> {
+    base: CS,
+    skip_non_favored_prob: u64,
+}
+
+impl<CS> UsesState for LongestTraceScheduler<CS>
+where
+    CS: UsesState,
+{
+    type State = CS::State;
+}
+
+impl<CS> Scheduler for LongestTraceScheduler<CS>
+where
+    CS: Scheduler,
+    CS::State: HasCorpus + HasMetadata + HasRand,
+{
+    /// Add an entry to the corpus and return its index
+    fn on_add(&mut self, state: &mut CS::State, idx: CorpusId) -> Result<(), Error> {
+        let l = state.corpus()
+                .get(idx)?
+                .borrow()
+                .metadata_map()
+                .get::<FreeRTOSSystemStateMetadata>().map_or(0, |x| x.trace_length);
+        self.get_update_trace_length(state,l);
+        self.base.on_add(state, idx)
+    }
+
+    /// Replaces the testcase at the given idx
+    // fn on_replace(
+    //     &mut self,
+    //     state: &mut CS::State,
+    //     idx: CorpusId,
+    //     testcase: &Testcase<<CS::State as UsesInput>::Input>,
+    // ) -> Result<(), Error> {
+    //     let l = state.corpus()
+    //             .get(idx)?
+    //             .borrow()
+    //             .metadata()
+    //             .get::<FreeRTOSSystemStateMetadata>().map_or(0, |x| x.trace_length);
+    //     self.get_update_trace_length(state, l);
+    //     self.base.on_replace(state, idx, testcase)
+    // }
+
+    /// Removes an entry from the corpus, returning M if M was present.
+    // fn on_remove(
+    //     &self,
+    //     state: &mut CS::State,
+    //     idx: usize,
+    //     testcase: &Option<Testcase<<CS::State as UsesInput>::Input>>,
+    // ) -> Result<(), Error> {
+    //     self.base.on_remove(state, idx, testcase)?;
+    //     Ok(())
+    // }
+
+    /// Gets the next entry
+    fn next(&mut self, state: &mut CS::State) -> Result<CorpusId, Error> {
+        let mut idx = self.base.next(state)?;
+        while {
+            let l = state.corpus()
+                    .get(idx)?
+                    .borrow()
+                    .metadata_map()
+                    .get::<STGNodeMetadata>().map_or(0, |x| x.nodes.len());
+            let m = self.get_update_trace_length(state,l);
+            state.rand_mut().below(m) > l as u64 
+        } && state.rand_mut().below(100) < self.skip_non_favored_prob
+        {
+            idx = self.base.next(state)?;
+        }
+        Ok(idx)
+    }
+}
+
+impl<CS> LongestTraceScheduler<CS>
+where
+    CS: Scheduler,
+    CS::State: HasCorpus + HasMetadata + HasRand,
+{
+    pub fn get_update_trace_length(&self, state: &mut CS::State, par: usize) -> u64 {
+        // Create a new top rated meta if not existing
+        if let Some(td) = state.metadata_map_mut().get_mut::<LongestTracesMetadata>() {
+            let m = max(td.max_trace_length, par);
+            td.max_trace_length = m;
+            m as u64
+        } else {
+            state.add_metadata(LongestTracesMetadata::new(par));
+            par as u64
+        }
+    }
+    pub fn new(base: CS) -> Self {
+        Self {
+            base,
+            skip_non_favored_prob: DEFAULT_SKIP_NON_FAVORED_PROB,
+        }
+    }
+}
+
+//==========================================================================================
+
+/// A state metadata holding a map of favoreds testcases for each map entry
+#[derive(Debug, Serialize, Deserialize, SerdeAny, Default)]
+pub struct GeneticMetadata {
+    pub current_gen: Vec<(usize, f64)>,
+    pub current_cursor: usize,
+    pub next_gen: Vec<(usize, f64)>,
+    pub gen: usize
+}
+
+impl GeneticMetadata {
+    fn new(current_gen: Vec<(usize, f64)>, next_gen: Vec<(usize, f64)>) -> Self {
+        Self {current_gen, current_cursor: 0, next_gen, gen: 0}
+    }
+}
+
+#[derive(Debug, Clone)]
+pub struct GenerationScheduler<S> {
+    phantom: PhantomData<S>,
+    gen_size: usize,
+}
+
+impl<S> UsesState for GenerationScheduler<S>
+where
+    S: State + UsesInput,
+{
+    type State = S;
+}
+
+impl<S> Scheduler for GenerationScheduler<S>
+where
+    S: State + HasCorpus + HasMetadata,
+    S::Input: HasLen,
+{
+    /// get first element in current gen,
+    /// if current_gen is empty, swap lists, sort by FavFactor, take top k and return first
+    fn next(&mut self, state: &mut Self::State) -> Result<CorpusId, Error> {
+        let mut to_remove : Vec<(usize, f64)> = vec![];
+        let mut to_return : usize = 0;
+        let corpus_len = state.corpus().count();
+        let mut current_len = 0;
+        let gm = state.metadata_map_mut().get_mut::<GeneticMetadata>().expect("Corpus Scheduler empty");
+        // println!("index: {} curr: {:?} next: {:?} gen: {} corp: {}", gm.current_cursor, gm.current_gen.len(), gm.next_gen.len(), gm.gen,
+        // c);
+        match gm.current_gen.get(gm.current_cursor) {
+            Some(c) => {
+                current_len = gm.current_gen.len();
+                gm.current_cursor+=1;
+                // println!("normal next: {}", (*c).0);
+                return Ok((*c).0.into())
+            },
+            None => {
+                swap(&mut to_remove, &mut gm.current_gen);
+                swap(&mut gm.next_gen, &mut gm.current_gen);
+                gm.current_gen.sort_by(|a, b| a.1.partial_cmp(&b.1).unwrap());
+                // gm.current_gen.reverse();
+                if gm.current_gen.len() == 0 {panic!("Corpus is empty");}
+                let d : Vec<(usize, f64)> = gm.current_gen.drain(min(gm.current_gen.len(), self.gen_size)..).collect();
+                to_remove.extend(d);
+                // move all indices to the left, since all other indices will be deleted
+                gm.current_gen.sort_by(|a,b| a.0.cmp(&(*b).0)); // in order of the corpus index
+                // for i in 0..gm.current_gen.len() {
+                //     gm.current_gen[i] = (i, gm.current_gen[i].1);
+                // }
+                to_return = gm.current_gen.get(0).unwrap().0;
+                // assert_eq!(to_return, 0);
+                gm.current_cursor=1;
+                gm.gen+=1;
+                current_len = gm.current_gen.len();
+            }
+        };
+        // removing these elements will move all indices left by to_remove.len()
+        // to_remove.sort_by(|x,y| x.0.cmp(&(*y).0));
+        // to_remove.reverse();
+        let cm = state.corpus_mut();
+        assert_eq!(corpus_len-to_remove.len(), current_len);
+        assert_ne!(current_len,0);
+        for i in to_remove {
+            cm.remove(i.0.into()).unwrap();
+        }
+        assert_eq!(cm.get(to_return.into()).is_ok(),true);
+        // println!("switch next: {to_return}");
+        return Ok(to_return.into());
+    }
+
+    /// Add the new input to the next generation
+    fn on_add(
+        &mut self,
+        state: &mut Self::State,
+        idx: CorpusId
+    ) -> Result<(), Error> {
+        // println!("On Add {idx}");
+        let mut tc = state.corpus_mut().get(idx).expect("Newly added testcase not found by index").borrow_mut().clone();
+        let ff = MaxTimeFavFactor::compute(state, &mut tc).unwrap();
+        if let Some(gm) = state.metadata_map_mut().get_mut::<GeneticMetadata>() {
+            gm.next_gen.push((idx.into(),ff));
+        } else {
+            state.add_metadata(GeneticMetadata::new(vec![], vec![(idx.into(),ff)]));
+        }
+        Ok(())
+    }
+    // fn on_replace(
+    //     &self,
+    //     _state: &mut Self::State,
+    //     _idx: usize,
+    //     _prev: &Testcase<<Self::State as UsesInput>::Input>
+    // ) -> Result<(), Error> {
+    //     // println!("On Replace {_idx}");
+    //     Ok(())
+    // }
+
+    // fn on_remove(
+    //     &self,
+    //     state: &mut Self::State,
+    //     idx: usize,
+    //     _testcase: &Option<Testcase<<Self::State as UsesInput>::Input>>
+    // ) -> Result<(), Error> {
+    //     // println!("On Remove {idx}");
+    //     if let Some(gm) = state.metadata_mut().get_mut::<GeneticMetadata>() {
+    //         gm.next_gen = gm.next_gen.drain(..).into_iter().filter(|x| (*x).0 != idx).collect::<Vec<(usize, f64)>>();
+    //         gm.current_gen = gm.current_gen.drain(..).into_iter().filter(|x| (*x).0 != idx).collect::<Vec<(usize, f64)>>();
+    //     } else {
+    //         state.add_metadata(GeneticMetadata::new(vec![], vec![]));
+    //     }
+    //     Ok(())
+    // }
+}
+
+impl<S> GenerationScheduler<S>
+{
+    pub fn new() -> Self {
+        Self {
+            phantom: PhantomData,
+            gen_size: 100,
+        }
+    }
+}

fuzzers/FRET/src/systemstate/stg.rs

@@ -0,0 +1,590 @@
+
+use hashbrown::HashSet;
+use libafl::SerdeAny;
+/// Feedbacks organizing SystemStates as a graph
+use libafl::inputs::HasBytesVec;
+use libafl_bolts::ownedref::OwnedMutSlice;
+use petgraph::graph::EdgeIndex;
+use std::fs;
+use libafl_bolts::rands::RandomSeed;
+use libafl_bolts::rands::StdRand;
+use libafl::mutators::Mutator;
+use libafl::mutators::MutationResult;
+use libafl::prelude::HasTargetBytes;
+use libafl::prelude::UsesInput;
+use libafl::state::HasNamedMetadata;
+use libafl::state::UsesState;
+use libafl::prelude::State;
+use petgraph::dot::Config;
+use petgraph::dot::Dot;
+use core::marker::PhantomData;
+use libafl::state::HasCorpus;
+use libafl::state::HasSolutions;
+use libafl::state::HasRand;
+use crate::worst::MaxExecsLenFavFactor;
+use crate::worst::MaxTimeFavFactor;
+use libafl::schedulers::MinimizerScheduler;
+use libafl_bolts::HasRefCnt;
+use libafl_bolts::AsSlice;
+use libafl_bolts::ownedref::OwnedSlice;
+use libafl::inputs::BytesInput;
+use std::path::PathBuf;
+use crate::clock::QemuClockObserver;
+use libafl::corpus::Testcase;
+use libafl_bolts::tuples::MatchName;
+use std::collections::hash_map::DefaultHasher;
+use std::hash::Hasher;
+use std::hash::Hash;
+use libafl::events::EventFirer;
+use libafl::state::MaybeHasClientPerfMonitor;
+use libafl::feedbacks::Feedback;
+use libafl_bolts::Named;
+use libafl::Error;
+use libafl_qemu::edges::EDGES_MAP_SIZE;
+use hashbrown::HashMap;
+use libafl::{executors::ExitKind, inputs::Input, observers::ObserversTuple, state::HasMetadata};
+use serde::{Deserialize, Serialize};
+
+use super::feedbacks::SystemStateFeedbackState;
+use super::AtomicBasicBlock;
+use super::CaptureEvent;
+use super::ExecInterval;
+use super::ReducedFreeRTOSSystemState;
+use super::FreeRTOSSystemStateMetadata;
+use super::observers::QemuSystemStateObserver;
+use petgraph::prelude::DiGraph;
+use petgraph::graph::NodeIndex;
+use petgraph::Direction;
+use std::cmp::Ordering;
+use std::rc::Rc;
+
+use libafl_bolts::rands::Rand;
+
+use crate::clock::FUZZ_START_TIMESTAMP;
+use std::time::SystemTime;
+use std::{fs::OpenOptions, io::Write};
+
+//============================= Data Structures
+#[derive(Serialize, Deserialize, Clone, Debug, Default, Hash)]
+pub struct STGNode
+{
+    base: ReducedFreeRTOSSystemState,
+    abb: AtomicBasicBlock,
+}
+impl STGNode {
+    pub fn pretty_print(&self) -> String {
+        format!("{}\nl{} {:x}-{:x}\n{}", self.base.current_task.task_name, self.abb.level, self.abb.start, self.abb.ends.iter().next().unwrap_or_else(||&0xFFFF), self.base.print_lists())
+    }
+    pub fn color_print(&self) -> String {
+        let color = match self.abb.level {
+            1 => "\", shape=box, style=filled, fillcolor=\"lightblue",
+            2 => "\", shape=box, style=filled, fillcolor=\"yellow",
+            0 => "\", shape=box, style=filled, fillcolor=\"white",
+            _ => "\", style=filled, fillcolor=\"lightgray",
+        };
+        let message = match self.abb.level {
+            1 => format!("API Call"),
+            2 => format!("ISR"),
+            0 => format!("Task: {}",self.base.current_task.task_name),
+            _ => format!(""),
+        };
+        let mut label = format!("{}\nABB: {:x}-{:x}\n{}", message, self.abb.start, self.abb.ends.iter().next().unwrap_or_else(||&0xFFFF), self.base.print_lists());
+        label.push_str(color);
+        label
+    }
+    fn get_hash(&self) -> u64 {
+        let mut s = DefaultHasher::new();
+        self.base.hash(&mut s);
+        self.abb.hash(&mut s);
+        s.finish()
+    }
+}
+impl PartialEq for STGNode {
+    fn eq(&self, other: &STGNode) -> bool {
+        self.base==other.base
+    }
+}
+
+#[derive(Serialize, Deserialize, Clone, Debug, Default, Hash, PartialEq, Eq)]
+pub struct STGEdge
+{
+    // is_interrupt: bool,
+    pub event: CaptureEvent,
+    pub name: String
+}
+
+impl STGEdge {
+    pub fn pretty_print(&self) -> String {
+        let mut short = match self.event {
+            CaptureEvent::APIStart => "Call: ",
+            CaptureEvent::APIEnd => "Ret: ",
+            CaptureEvent::ISRStart => "Int: ",
+            CaptureEvent::ISREnd => "IRet: ",
+            CaptureEvent::End => "End: ",
+            CaptureEvent::Undefined => "",
+        }.to_string();
+        short.push_str(&self.name);
+        short
+    }
+    pub fn color_print(&self) -> String {
+        let mut short = self.name.clone();
+        short.push_str(match self.event {
+            CaptureEvent::APIStart => "\", color=\"blue",
+            CaptureEvent::APIEnd => "\", color=\"black",
+            CaptureEvent::ISRStart => "\", color=red, style=\"dashed",
+            CaptureEvent::ISREnd => "\", color=red, style=\"solid",
+            CaptureEvent::End => "",
+            CaptureEvent::Undefined => "",
+        });
+        short
+    }
+}
+
+/// Shared Metadata for a systemstateFeedback
+#[derive(Debug, Serialize, Deserialize, SerdeAny, Clone)]
+pub struct STGFeedbackState
+{
+    // aggregated traces as a graph
+    pub graph: DiGraph<STGNode, STGEdge>,
+    systemstate_index: HashMap<u64, ReducedFreeRTOSSystemState>,
+    pub state_abb_hash_index: HashMap<(u64, u64), NodeIndex>,
+    stgnode_index: HashMap<u64, NodeIndex>,
+    entrypoint: NodeIndex,
+    exitpoint: NodeIndex,
+    // Metadata about aggregated traces. aggegated meaning, order has been removed
+    worst_observed_per_aggegated_path: HashMap<Vec<AtomicBasicBlock>,u64>,
+    worst_observed_per_abb_path: HashMap<u64,u64>,
+    worst_observed_per_stg_path: HashMap<u64,u64>,
+    worst_abb_exec_count: HashMap<AtomicBasicBlock, usize>
+}
+
+impl Default for STGFeedbackState {
+    fn default() -> STGFeedbackState {
+        let mut graph = DiGraph::new();
+        let mut entry = STGNode::default();
+        entry.base.current_task.task_name="Start".to_string();
+        let mut exit = STGNode::default();
+        exit.base.current_task.task_name="End".to_string();
+
+        let systemstate_index = HashMap::from([(entry.base.get_hash(), entry.base.clone()), (exit.base.get_hash(), exit.base.clone())]);
+
+        let h_entry = entry.get_hash();
+        let h_exit = exit.get_hash();
+
+        let entrypoint = graph.add_node(entry.clone());
+        let exitpoint = graph.add_node(exit.clone());
+
+        let state_abb_hash_index = HashMap::from([((entry.base.get_hash(), entry.abb.get_hash()), entrypoint), ((exit.base.get_hash(), exit.abb.get_hash()), exitpoint)]);
+
+        let index = HashMap::from([(h_entry, entrypoint), (h_exit, exitpoint)]);
+
+        STGFeedbackState {
+            graph,
+            stgnode_index: index,
+            entrypoint,
+            exitpoint,
+            worst_observed_per_aggegated_path: HashMap::new(),
+            worst_observed_per_abb_path: HashMap::new(),
+            worst_observed_per_stg_path: HashMap::new(),
+            worst_abb_exec_count: HashMap::new(),
+            systemstate_index,
+            state_abb_hash_index
+        }
+    }
+}
+
+impl Named for STGFeedbackState
+{
+    #[inline]
+    fn name(&self) -> &str {
+        "stgfeedbackstate"
+    }
+}
+
+// Wrapper around Vec<RefinedFreeRTOSSystemState> to attach as Metadata
+#[derive(Debug, Default, Serialize, Deserialize, Clone)]
+pub struct STGNodeMetadata {
+    pub nodes: Vec<NodeIndex>,
+    pub edges: Vec<EdgeIndex>,
+    pub abbs: u64,
+    pub aggregate: u64,
+    pub top_abb_counts: Vec<u64>,
+    pub intervals: Vec<ExecInterval>,
+    indices: Vec<usize>,
+    tcref: isize,
+}
+impl STGNodeMetadata {
+    pub fn new(nodes: Vec<NodeIndex>, edges: Vec<EdgeIndex>, abbs: u64, aggregate: u64, top_abb_counts: Vec<u64>, intervals: Vec<ExecInterval>) -> Self{
+        let mut indices : Vec<_> = vec![];
+        #[cfg(all(feature = "sched_stg",not(any(feature = "sched_stg_pathhash",feature = "sched_stg_abbhash",feature = "sched_stg_aggregatehash"))))]
+        {
+            indices = edges.iter().map(|x| x.index()).collect();
+            indices.sort_unstable();
+            indices.dedup();
+        }
+        #[cfg(feature = "sched_stg_pathhash")]
+        {
+            indices.push(get_generic_hash(&edges) as usize);
+        }
+        #[cfg(feature = "sched_stg_abbhash")]
+        {
+            indices.push(abbs as usize);
+        }
+        #[cfg(feature = "sched_stg_aggregatehash")]
+        {
+            // indices.push(aggregate as usize);
+            indices = top_abb_counts.iter().map(|x| (*x) as usize).collect();
+        }
+        Self {indices, intervals, nodes, abbs, aggregate, top_abb_counts, edges, tcref: 0}
+    }
+}
+impl AsSlice for STGNodeMetadata {
+    /// Convert the slice of system-states to a slice of hashes over enumerated states
+    fn as_slice(&self) -> &[usize] {
+        self.indices.as_slice()
+    }
+
+    type Entry = usize;
+}
+
+impl HasRefCnt for STGNodeMetadata {
+    fn refcnt(&self) -> isize {
+        self.tcref
+    }
+
+    fn refcnt_mut(&mut self) -> &mut isize {
+        &mut self.tcref
+    }
+}
+
+libafl_bolts::impl_serdeany!(STGNodeMetadata);
+
+pub type GraphMaximizerCorpusScheduler<CS> =
+    MinimizerScheduler<CS, MaxTimeFavFactor<<CS as UsesState>::State>,STGNodeMetadata>;
+
+// AI generated, human verified
+fn count_occurrences<T>(vec: &Vec<T>) -> HashMap<&T, usize>
+where
+    T: PartialEq + Eq + Hash + Clone,
+{
+    let mut counts = HashMap::new();
+    
+    if vec.is_empty() {
+        return counts;
+    }
+    
+    let mut current_obj = &vec[0];
+    let mut current_count = 1;
+    
+    for obj in vec.iter().skip(1) {
+        if obj == current_obj {
+            current_count += 1;
+        } else {
+            counts.insert(current_obj, current_count);
+            current_obj = obj;
+            current_count = 1;
+        }
+    }
+    
+    // Insert the count of the last object
+    counts.insert(current_obj, current_count);
+    
+    counts
+}
+
+//============================= Graph Feedback
+
+pub static mut STG_MAP: [u16; EDGES_MAP_SIZE] = [0; EDGES_MAP_SIZE];
+pub static mut MAX_STG_NUM: usize = 0;
+pub unsafe fn stg_map_mut_slice<'a>() -> OwnedMutSlice<'a, u16> {
+    OwnedMutSlice::from_raw_parts_mut(STG_MAP.as_mut_ptr(), STG_MAP.len())
+}
+
+/// A Feedback reporting novel System-State Transitions. Depends on [`QemuSystemStateObserver`]
+#[derive(Serialize, Deserialize, Clone, Debug, Default)]
+pub struct StgFeedback
+{
+    name: String,
+    last_node_trace: Option<Vec<NodeIndex>>,
+    last_edge_trace: Option<Vec<EdgeIndex>>,
+    last_intervals: Option<Vec<ExecInterval>>,
+    last_abbs_hash: Option<u64>,    // only set, if it was interesting
+    last_aggregate_hash: Option<u64>, // only set, if it was interesting
+    last_top_abb_hashes: Option<Vec<u64>>, // only set, if it was interesting
+    dump_path: Option<PathBuf>
+}
+#[cfg(feature = "feed_stg")]
+const INTEREST_EDGE : bool = true;
+#[cfg(feature = "feed_stg")]
+const INTEREST_NODE : bool = true;
+#[cfg(feature = "feed_stg_pathhash")]
+const INTEREST_PATH : bool = true;
+#[cfg(feature = "feed_stg_abbhash")]
+const INTEREST_ABBPATH : bool = true;
+#[cfg(feature = "feed_stg_aggregatehash")]
+const INTEREST_AGGREGATE : bool = true;
+
+#[cfg(not(feature = "feed_stg"))]
+const INTEREST_EDGE : bool = false;
+#[cfg(not(feature = "feed_stg"))]
+const INTEREST_NODE : bool = false;
+#[cfg(not(feature = "feed_stg_pathhash"))]
+const INTEREST_PATH : bool = false;
+#[cfg(not(feature = "feed_stg_abbhash"))]
+const INTEREST_ABBPATH : bool = false;
+#[cfg(not(feature = "feed_stg_aggregatehash"))]
+const INTEREST_AGGREGATE : bool = false;
+fn set_observer_map(trace : &Vec<EdgeIndex>) {
+    unsafe {
+        for i in 0..MAX_STG_NUM {
+            STG_MAP[i] = 0;
+        }
+        for i in trace {
+            if MAX_STG_NUM < i.index() {
+                MAX_STG_NUM = i.index();
+            }
+            STG_MAP[i.index()]+=1;
+        }
+    }
+}
+
+fn get_generic_hash<H>(input: &H) -> u64
+    where
+        H: Hash,
+{
+    let mut s = DefaultHasher::new();
+    input.hash(&mut s);
+    s.finish()
+}
+
+impl StgFeedback {
+    pub fn new(dump_name: Option<PathBuf>) -> Self {
+        // Self {name: String::from("STGFeedback"), last_node_trace: None, last_edge_trace: None, last_intervals: None }
+        let mut s = Self::default();
+        s.dump_path = dump_name.map(|x| x.with_extension("stgsize"));
+        s
+    }
+
+    /// params:
+    /// tarce of intervals
+    /// hashtable of states
+    /// feedbackstate
+    /// produces:
+    /// tarce of node indexes representing the path trough the graph
+    /// newly discovered node?
+    /// side effect:
+    /// the graph gets new nodes and edge
+    fn update_stg_interval(trace: &Vec<ExecInterval>, table: &HashMap<u64, ReducedFreeRTOSSystemState>, fbs: &mut STGFeedbackState) -> (Vec<NodeIndex>, Vec<EdgeIndex>, bool, bool) {
+        let mut return_node_trace = vec![fbs.entrypoint];
+        let mut return_edge_trace = vec![];
+        let mut interesting = false;
+        let mut updated = false;
+        // add all missing state+abb combinations to the graph
+        for (i,interval) in trace.iter().enumerate() { // Iterate intervals
+            let node = STGNode {base: table[&interval.start_state].clone(), abb: interval.abb.as_ref().unwrap().clone()};
+            let h_node = node.get_hash();
+            let next_idx = if let Some(idx) = fbs.stgnode_index.get(&h_node) {
+                // alredy present
+                *idx
+            } else {
+                // not present
+                let h = (node.base.get_hash(), node.abb.get_hash());
+                let idx = fbs.graph.add_node(node);
+                fbs.stgnode_index.insert(h_node, idx);
+                fbs.state_abb_hash_index.insert(h, idx);
+                interesting |= INTEREST_NODE;
+                updated = true;
+                idx
+            };
+            // connect in graph if edge not present
+            let e = fbs.graph.edges_directed(return_node_trace[return_node_trace.len()-1],Direction::Outgoing).find(|x| petgraph::visit::EdgeRef::target(x) == next_idx);
+            if let Some(e_) = e {
+                return_edge_trace.push(petgraph::visit::EdgeRef::id(&e_));
+            } else {
+                let e_ = fbs.graph.add_edge(return_node_trace[return_node_trace.len()-1], next_idx, STGEdge{event: interval.start_capture.0, name: interval.start_capture.1.clone()});
+                return_edge_trace.push(e_);
+                interesting |= INTEREST_EDGE;
+                updated = true;
+            }
+            return_node_trace.push(next_idx);
+            /*
+            Ideas:
+            Mark edges triggered by interrupts
+            Specify path with edges instead of nodes?
+            Form a coverage map over edges?
+            Sum up execution time per ABB
+            */
+        }
+        // every path terminates at the end
+        if !fbs.graph.neighbors_directed(return_node_trace[return_node_trace.len()-1],Direction::Outgoing).any(|x| x == fbs.exitpoint) {
+            let e_ = fbs.graph.add_edge(return_node_trace[return_node_trace.len()-1], fbs.exitpoint, STGEdge { event: CaptureEvent::End, name: String::from("End") });
+            return_edge_trace.push(e_);
+            interesting |= INTEREST_EDGE;
+            updated = true;
+        }
+        return_node_trace.push(fbs.exitpoint);
+        #[cfg(feature = "feed_stg")]
+        set_observer_map(&return_edge_trace);
+        (return_node_trace, return_edge_trace, interesting, updated)
+    }
+
+    fn abbs_in_exec_order(trace: &Vec<ExecInterval>) -> Vec<AtomicBasicBlock> {
+        let mut ret = Vec::new();
+        for i in 0..trace.len() {
+            if trace[i].abb != None &&
+            (trace[i].end_capture.0 == CaptureEvent::APIStart || trace[i].end_capture.0 == CaptureEvent::APIEnd || trace[i].end_capture.0 == CaptureEvent::End  || trace[i].end_capture.0 == CaptureEvent::ISREnd) {
+                ret.push(trace[i].abb.as_ref().unwrap().clone());
+            }
+        }
+        ret
+    }
+}
+
+impl<S> Feedback<S> for StgFeedback
+where
+    S: State + UsesInput + MaybeHasClientPerfMonitor + HasNamedMetadata,
+    S::Input: HasTargetBytes,
+{
+    #[allow(clippy::wrong_self_convention)]
+    fn is_interesting<EM, OT>(
+        &mut self,
+        state: &mut S,
+        _manager: &mut EM,
+        _input: &S::Input,
+        observers: &OT,
+        _exit_kind: &ExitKind,
+    ) -> Result<bool, Error>
+    where
+        EM: EventFirer<State = S>,
+        OT: ObserversTuple<S>,
+    {
+        let observer = observers.match_name::<QemuSystemStateObserver>("systemstate")
+            .expect("QemuSystemStateObserver not found");
+        let clock_observer = observers.match_name::<QemuClockObserver>("clocktime")
+            .expect("QemuClockObserver not found");
+        let feedbackstate = match state
+            .named_metadata_map_mut()
+            .get_mut::<STGFeedbackState>("stgfeedbackstate") {
+                Some(s) => s,
+                None => {
+                    let n=STGFeedbackState::default();
+                    state.named_metadata_map_mut().insert(n, "stgfeedbackstate");
+                    state.named_metadata_map_mut().get_mut::<STGFeedbackState>("stgfeedbackstate").unwrap()
+                }
+            };
+
+        let (nodetrace, edgetrace, mut interesting, mut updated) = StgFeedback::update_stg_interval(&observer.last_trace, &observer.last_states, feedbackstate);
+
+        {
+            let h = get_generic_hash(&edgetrace);
+            if let Some(x) = feedbackstate.worst_observed_per_stg_path.get_mut(&h) {
+                let t = clock_observer.last_runtime();
+                if t > *x {
+                    *x = t;
+                    interesting |= INTEREST_PATH;
+                }
+            } else {
+                feedbackstate.worst_observed_per_stg_path.insert(h, clock_observer.last_runtime());
+                updated = true;
+                interesting |= INTEREST_PATH;
+            }
+        }
+
+        let mut tmp = StgFeedback::abbs_in_exec_order(&observer.last_trace);
+        if INTEREST_AGGREGATE || INTEREST_ABBPATH {
+            if INTEREST_ABBPATH {
+                let h = get_generic_hash(&tmp);
+                self.last_abbs_hash = Some(h);
+                // order of execution is relevant
+                if let Some(x) = feedbackstate.worst_observed_per_abb_path.get_mut(&h) {
+                    let t = clock_observer.last_runtime();
+                    if t > *x {
+                        *x = t;
+                        interesting |= INTEREST_ABBPATH;
+                    }
+                } else {
+                    feedbackstate.worst_observed_per_abb_path.insert(h, clock_observer.last_runtime());
+                    interesting |= INTEREST_ABBPATH;
+                }
+            }
+            if INTEREST_AGGREGATE {
+                // aggegation by sorting, order of states is not relevant
+                let mut _tmp = tmp.clone();
+                _tmp.sort();
+                let counts = count_occurrences(&_tmp);
+                let mut top_indices = Vec::new();
+                for (k,c) in counts {
+                    if let Some(reference) = feedbackstate.worst_abb_exec_count.get_mut(k) {
+                        if *reference < c {
+                            *reference = c;
+                            top_indices.push(get_generic_hash(k));
+                        }
+                    } else {
+                        top_indices.push(get_generic_hash(k));
+                        feedbackstate.worst_abb_exec_count.insert(k.clone(), c);
+                    }
+                }
+                self.last_top_abb_hashes = Some(top_indices);
+
+                self.last_aggregate_hash = Some(get_generic_hash(&_tmp));
+                if let Some(x) = feedbackstate.worst_observed_per_aggegated_path.get_mut(&_tmp) {
+                    let t = clock_observer.last_runtime();
+                    if t > *x {
+                        *x = t;
+                        interesting |= INTEREST_AGGREGATE;
+                    }
+                } else {
+                    feedbackstate.worst_observed_per_aggegated_path.insert(_tmp, clock_observer.last_runtime());
+                    interesting |= INTEREST_AGGREGATE;
+                }
+            }
+        }
+
+        // let out = feedbackstate.graph.map(|i,x| x.pretty_print(), |_,_| "");
+        // let outs = Dot::with_config(&out, &[Config::EdgeNoLabel]).to_string();
+        // let outs = outs.replace(';',"\\n");
+        // fs::write("./mystg.dot",outs).expect("Failed to write graph");
+        self.last_node_trace = Some(nodetrace);
+        self.last_edge_trace = Some(edgetrace);
+        self.last_intervals = Some(observer.last_trace.clone());
+
+        if let Some(dp) = &self.dump_path {
+            if updated {
+                let timestamp = SystemTime::now().duration_since(unsafe {FUZZ_START_TIMESTAMP}).unwrap().as_millis();
+                let mut file = OpenOptions::new()
+                    .read(true)
+                    .write(true)
+                    .create(true)
+                    .append(true)
+                    .open(dp).expect("Could not open stgsize");
+                    writeln!(file, "{},{},{},{},{}", feedbackstate.graph.edge_count(), feedbackstate.graph.node_count(), feedbackstate.worst_observed_per_aggegated_path.len(),feedbackstate.worst_observed_per_stg_path.len(), timestamp).expect("Write to dump failed");
+            }
+        }
+        Ok(interesting)
+    }
+
+    /// Append to the testcase the generated metadata in case of a new corpus item
+    #[inline]
+    fn append_metadata<OT>(&mut self, _state: &mut S, _observers: &OT, testcase: &mut Testcase<S::Input>) -> Result<(), Error> {
+        let nodes = self.last_node_trace.take();
+        let edges = self.last_edge_trace.take();
+        match nodes {
+            Some(s) => testcase.metadata_map_mut().insert(STGNodeMetadata::new(s, edges.unwrap(), self.last_abbs_hash.take().unwrap_or_default(), self.last_aggregate_hash.take().unwrap_or_default(), self.last_top_abb_hashes.take().unwrap_or_default(), self.last_intervals.take().unwrap())),
+            None => (),
+        }
+        Ok(())
+    }
+
+    /// Discard the stored metadata in case that the testcase is not added to the corpus
+    #[inline]
+    fn discard_metadata(&mut self, _state: &mut S, _input: &S::Input) -> Result<(), Error> {
+        Ok(())
+    }
+}
+impl Named for StgFeedback
+{
+    #[inline]
+    fn name(&self) -> &str {
+        &self.name
+    }
+}

fuzzers/FRET/src/worst.rs

@@ -0,0 +1,396 @@
+use core::fmt::Debug;
+use core::cmp::Ordering::{Greater,Less,Equal};
+use libafl::inputs::BytesInput;
+use libafl::inputs::HasTargetBytes;
+use libafl::feedbacks::MapIndexesMetadata;
+use libafl::corpus::Testcase;
+use libafl::prelude::{UsesInput};
+use core::marker::PhantomData;
+use libafl::schedulers::{MinimizerScheduler, TestcaseScore};
+use std::path::PathBuf;
+use std::fs;
+use hashbrown::{HashMap};
+use libafl::observers::ObserversTuple;
+use libafl::executors::ExitKind;
+use libafl::events::EventFirer;
+use libafl::state::{MaybeHasClientPerfMonitor, HasCorpus, UsesState};
+use libafl::prelude::State;
+use libafl::inputs::Input;
+use libafl::feedbacks::Feedback;
+use libafl::state::HasMetadata;
+use libafl_qemu::edges::QemuEdgesMapMetadata;
+use libafl::observers::MapObserver;
+use serde::{Deserialize, Serialize};
+use std::cmp;
+
+use libafl_bolts::{
+    Named,
+    HasLen,
+    AsSlice,
+};
+use libafl::{
+    observers::Observer,
+    Error,
+};
+
+use crate::clock::QemuClockObserver;
+use crate::systemstate::FreeRTOSSystemStateMetadata;
+//=========================== Scheduler
+
+pub type TimeMaximizerCorpusScheduler<CS> =
+    MinimizerScheduler<CS, MaxTimeFavFactor<<CS as UsesState>::State>, MapIndexesMetadata>;
+
+/// Multiply the testcase size with the execution time.
+/// This favors small and quick testcases.
+#[derive(Debug, Clone)]
+pub struct MaxTimeFavFactor<S>
+where
+    S: HasCorpus + HasMetadata,
+    S::Input: HasLen,
+{
+    phantom: PhantomData<S>,
+}
+
+impl<S> TestcaseScore<S> for MaxTimeFavFactor<S>
+where
+    S: HasCorpus + HasMetadata,
+    S::Input: HasLen,
+{
+    fn compute(state: &S, entry: &mut Testcase<<S as UsesInput>::Input>) -> Result<f64, Error> {
+        // TODO maybe enforce entry.exec_time().is_some()
+        let et = entry.exec_time().expect("testcase.exec_time is needed for scheduler");
+        let tns : i64 = et.as_nanos().try_into().expect("failed to convert time");
+        Ok(-tns as f64)
+    }
+}
+
+pub type LenTimeMaximizerCorpusScheduler<CS> =
+    MinimizerScheduler<CS, MaxExecsLenFavFactor<<CS as UsesState>::State>, MapIndexesMetadata>;
+
+pub type TimeStateMaximizerCorpusScheduler<CS> =
+    MinimizerScheduler<CS, MaxTimeFavFactor<<CS as UsesState>::State>, FreeRTOSSystemStateMetadata>;
+
+/// Multiply the testcase size with the execution time.
+/// This favors small and quick testcases.
+#[derive(Debug, Clone)]
+pub struct MaxExecsLenFavFactor<S>
+where
+    S: HasCorpus + HasMetadata,
+    S::Input: HasLen,
+{
+    phantom: PhantomData<S>,
+}
+
+impl<S> TestcaseScore<S> for MaxExecsLenFavFactor<S>
+where
+    S: HasCorpus + HasMetadata,
+    S::Input: HasLen,
+{
+    fn compute( state: &S, entry: &mut Testcase<S::Input>) -> Result<f64, Error> {
+        let execs_per_hour = (3600.0/entry.exec_time().expect("testcase.exec_time is needed for scheduler").as_secs_f64());
+        let execs_times_length_per_hour = execs_per_hour*entry.load_len(state.corpus()).unwrap() as f64;
+        Ok(execs_times_length_per_hour)
+    }
+}
+
+//===================================================================
+
+/// A Feedback reporting if the Input consists of strictly decreasing bytes.
+#[derive(Serialize, Deserialize, Clone, Debug)]
+pub struct SortedFeedback {
+}
+
+impl<S> Feedback<S> for SortedFeedback
+where
+    S: State + UsesInput + MaybeHasClientPerfMonitor,
+    S::Input: HasTargetBytes,
+{
+    #[allow(clippy::wrong_self_convention)]
+    fn is_interesting<EM, OT>(
+        &mut self,
+        _state: &mut S,
+        _manager: &mut EM,
+        _input: &S::Input,
+        observers: &OT,
+        _exit_kind: &ExitKind,
+    ) -> Result<bool, Error>
+    where
+        EM: EventFirer<State = S>,
+        OT: ObserversTuple<S>,
+    {
+        let t = _input.target_bytes();
+        let tmp = t.as_slice();
+        if tmp.len()<32 {return Ok(false);}
+        let tmp = Vec::<u8>::from(&tmp[0..32]);
+        // tmp.reverse();
+        // if tmp.is_sorted_by(|a,b| match a.partial_cmp(b).unwrap_or(Less) {
+        //     Less => Some(Greater),
+        //     Equal => Some(Greater),
+        //     Greater => Some(Less),
+        // }) {return Ok(true)};
+        let mut is_sorted = true;
+        if tmp[0]<tmp[1] {
+            for i in 1..tmp.len() {
+                is_sorted &= tmp[i-1]<=tmp[i];
+                if !is_sorted {break;}
+            }
+        } else {
+            for i in 1..tmp.len() {
+                is_sorted &= tmp[i-1]>=tmp[i];
+                if !is_sorted {break;}
+            }
+        }
+        return Ok(is_sorted);
+    }
+}
+
+impl Named for SortedFeedback {
+    #[inline]
+    fn name(&self) -> &str {
+        "Sorted"
+    }
+}
+
+impl SortedFeedback {
+    /// Creates a new [`HitFeedback`]
+    #[must_use]
+    pub fn new() -> Self {
+        Self {}
+    }
+}
+
+impl Default for SortedFeedback {
+    fn default() -> Self {
+        Self::new()
+    }
+}
+
+//===================================================================
+/// A Feedback which expects a certain minimum execution time
+#[derive(Serialize, Deserialize, Clone, Debug)]
+pub struct ExecTimeReachedFeedback
+{
+    target_time: u64,
+}
+
+impl<S> Feedback<S> for ExecTimeReachedFeedback
+where
+    S: State + UsesInput + MaybeHasClientPerfMonitor,
+{
+    #[allow(clippy::wrong_self_convention)]
+    fn is_interesting<EM, OT>(
+        &mut self,
+        _state: &mut S,
+        _manager: &mut EM,
+        _input: &S::Input,
+        observers: &OT,
+        _exit_kind: &ExitKind,
+    ) -> Result<bool, Error>
+    where
+        EM: EventFirer<State = S>,
+        OT: ObserversTuple<S>,
+    {
+        let observer = observers.match_name::<QemuClockObserver>("clock")
+            .expect("QemuClockObserver not found");
+        Ok(observer.last_runtime() >= self.target_time)
+    }
+}
+
+impl Named for ExecTimeReachedFeedback
+{
+    #[inline]
+    fn name(&self) -> &str {
+        "ExecTimeReachedFeedback"
+    }
+}
+
+impl ExecTimeReachedFeedback
+where
+{
+    /// Creates a new [`ExecTimeReachedFeedback`]
+    #[must_use]
+    pub fn new(target_time : u64) -> Self {
+        Self {target_time: target_time}
+    }
+}
+
+pub static mut EXEC_TIME_COLLECTION : Vec<u32> = Vec::new();
+
+/// A Noop Feedback which records a list of all execution times
+#[derive(Serialize, Deserialize, Clone, Debug)]
+pub struct ExecTimeCollectorFeedback
+{
+}
+
+impl<S> Feedback<S> for ExecTimeCollectorFeedback
+where
+    S: State + UsesInput + MaybeHasClientPerfMonitor,
+{
+    #[allow(clippy::wrong_self_convention)]
+    fn is_interesting<EM, OT>(
+        &mut self,
+        _state: &mut S,
+        _manager: &mut EM,
+        _input: &S::Input,
+        observers: &OT,
+        _exit_kind: &ExitKind,
+    ) -> Result<bool, Error>
+    where
+        EM: EventFirer<State = S>,
+        OT: ObserversTuple<S>,
+    {
+        let observer = observers.match_name::<QemuClockObserver>("clock")
+            .expect("QemuClockObserver not found");
+        unsafe { EXEC_TIME_COLLECTION.push(observer.last_runtime().try_into().unwrap()); }
+        Ok(false)
+    }
+}
+
+impl Named for ExecTimeCollectorFeedback
+{
+    #[inline]
+    fn name(&self) -> &str {
+        "ExecTimeCollectorFeedback"
+    }
+}
+
+impl ExecTimeCollectorFeedback
+where
+{
+    /// Creates a new [`ExecTimeCollectorFeedback`]
+    #[must_use]
+    pub fn new() -> Self {
+        Self {}
+    }
+}
+
+/// Shared Metadata for a SysStateFeedback
+#[derive(Serialize, Deserialize, Clone, Debug, Default)]
+pub struct ExecTimeCollectorFeedbackState
+{
+    collection: Vec<u32>,
+}
+impl Named for ExecTimeCollectorFeedbackState
+{
+    #[inline]
+    fn name(&self) -> &str {
+        "ExecTimeCollectorFeedbackState"
+    }
+}
+
+//===================================================================
+/// A Feedback which expects a certain minimum execution time
+#[derive(Serialize, Deserialize, Clone, Debug)]
+pub struct ExecTimeIncFeedback
+{
+    longest_time: u64,
+    last_is_longest: bool
+}
+
+impl<S> Feedback<S> for ExecTimeIncFeedback
+where
+    S: State + UsesInput + MaybeHasClientPerfMonitor,
+{
+    #[allow(clippy::wrong_self_convention)]
+    fn is_interesting<EM, OT>(
+        &mut self,
+        _state: &mut S,
+        _manager: &mut EM,
+        _input: &S::Input,
+        observers: &OT,
+        _exit_kind: &ExitKind,
+    ) -> Result<bool, Error>
+    where
+        EM: EventFirer<State = S>,
+        OT: ObserversTuple<S>,
+    {
+        let observer = observers.match_name::<QemuClockObserver>("clocktime")
+            .expect("QemuClockObserver not found");
+        if observer.last_runtime() > self.longest_time {
+            self.longest_time = observer.last_runtime();
+            self.last_is_longest = true;
+            Ok(true)
+        } else {
+            self.last_is_longest = false;
+            Ok(false)
+        }
+    }
+    fn append_metadata<OT>(
+        &mut self,
+        _state: &mut S,
+        observers: &OT,
+        testcase: &mut Testcase<<S as UsesInput>::Input>,
+    ) -> Result<(), Error> {
+        #[cfg(feature = "feed_afl")]
+        if self.last_is_longest {
+            let mim : Option<&mut MapIndexesMetadata>= testcase.metadata_map_mut().get_mut();
+            // pretend that the longest input alone excercises some non-existing edge, to keep it relevant
+            mim.unwrap().list.push(usize::MAX);
+        };
+        Ok(())
+    }
+}
+
+impl Named for ExecTimeIncFeedback
+{
+    #[inline]
+    fn name(&self) -> &str {
+        "ExecTimeReachedFeedback"
+    }
+}
+
+impl ExecTimeIncFeedback
+where
+{
+    /// Creates a new [`ExecTimeReachedFeedback`]
+    #[must_use]
+    pub fn new() -> Self {
+        Self {longest_time: 0, last_is_longest: false}
+    }
+}
+
+/// A Noop Feedback which records a list of all execution times
+#[derive(Serialize, Deserialize, Clone, Debug)]
+pub struct AlwaysTrueFeedback
+{
+}
+
+impl<S> Feedback<S> for AlwaysTrueFeedback
+where
+    S: State + UsesInput + MaybeHasClientPerfMonitor,
+{
+    #[allow(clippy::wrong_self_convention)]
+    fn is_interesting<EM, OT>(
+        &mut self,
+        _state: &mut S,
+        _manager: &mut EM,
+        _input: &S::Input,
+        _observers: &OT,
+        _exit_kind: &ExitKind,
+    ) -> Result<bool, Error>
+    where
+        EM: EventFirer<State = S>,
+        OT: ObserversTuple<S>,
+    {
+        Ok(true)
+    }
+}
+
+impl Named for AlwaysTrueFeedback
+{
+    #[inline]
+    fn name(&self) -> &str {
+        "AlwaysTrueFeedback"
+    }
+}
+
+impl AlwaysTrueFeedback
+where
+{
+    /// Creates a new [`ExecTimeCollectorFeedback`]
+    #[must_use]
+    pub fn new() -> Self {
+        Self {
+        }
+    }
+}

fuzzers/FRET/tests/.gitignore

@@ -0,0 +1,5 @@
+dump
+demo*
+*.dot
+*.time
+*.case

fuzzers/FRET/tests/run_test.sh

@@ -0,0 +1,27 @@
+#!/bin/sh
+
+# cargo build --no-default-features --features std,snapshot_restore,singlecore,feed_afl,observer_hitcounts
+
+# Test basic fuzzing loop
+../target/debug/fret -k ../benchmark/build/waters.elf -c ../benchmark/target_symbols.csv -n ./dump/waters -tar fuzz -t 10 -s 123
+
+# Test reprodcibility
+rm -f ./dump/demo.case.time
+../target/debug/fret -k ../benchmark/build/waters.elf -c ../benchmark/target_symbols.csv -n ./dump/demo -tr showmap -i ./demo.case
+if [[ $(cut -d, -f1 ./dump/demo.case.time) != $(cut -d, -f1 ./demo.example.time) ]]; then echo "Not reproducible!" && exit 1; else echo "Reproducible"; fi
+
+# Test state dump
+# cargo build --no-default-features --features std,snapshot_restore,singlecore,feed_afl,observer_hitcounts,systemstate
+if [[ -n "$(diff -q demo.example.state.ron dump/demo.trace.ron)" ]]; then echo "State not reproducible!"; else echo "State Reproducible"; fi
+
+# Test abb traces
+# cargo build --no-default-features --features std,snapshot_restore,singlecore,feed_afl,observer_hitcounts,systemstate,trace_abbs
+if [[ -n "$(diff -q demo.example.abb.ron dump/demo.trace.ron)" ]]; then echo "ABB not reproducible!"; else echo "ABB Reproducible"; fi
+
+# ../target/debug/fret -k ../benchmark/build/minimal.elf -c ../benchmark/target_symbols.csv -n ./dump/minimal -tar fuzz -t 20 -s 123
+# ../target/debug/fret -k ../benchmark/build/minimal.elf -c ../benchmark/target_symbols.csv -n ./dump/minimal_worst -tr showmap -i ./dump/minimal.case
+
+# Test fuzzing using systemtraces
+cargo build --no-default-features --features std,snapshot_restore,singlecore,feed_systemtrace
+
+../target/debug/fret -k ../benchmark/build/waters.elf -c ../benchmark/target_symbols.csv -n ./dump/waters -tar fuzz -t 10 -s 123

fuzzers/baby_fuzzer/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "baby_fuzzer"
-version = "0.7.1"
+version = "0.10.0"
 authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>", "Dominik Maier <domenukk@gmail.com>"]
 edition = "2021"
 
@@ -21,3 +21,4 @@ debug = true
 
 [dependencies]
 libafl = { path = "../../libafl/" }
+libafl_bolts = { path = "../../libafl_bolts/" }

fuzzers/baby_fuzzer/README.md

@@ -5,4 +5,6 @@ This is a minimalistic example about how to create a libafl based fuzzer.
 It runs on a single core until a crash occurs and then exits.
 
 The tested program is a simple Rust function without any instrumentation.
-For real fuzzing, you will want to add some sort to add coverage or other feedback.
+For real fuzzing, you will want to add some sort to add coverage or other feedback.
+
+You can run this example using `cargo run`, and you can enable the TUI feature by running `cargo run --features tui`.

fuzzers/baby_fuzzer/baby_fuzzer.py

@@ -4,67 +4,86 @@ from pylibafl import libafl
 
 def map_observer_wrapper(map_observer):
     if type(map_observer).__name__ == "OwnedMapObserverI32":
-        return libafl.MapObserverI32.new_from_owned(map_observer)
+        return libafl.MapObserverI32.new_owned(map_observer)
 
 def executor_wrapper(executor):
-    if type(executor).__name__ == "OwnedInProcessExecutorI32":
-        return libafl.ExecutorI32.new_from_inprocess(executor)
+    if type(executor).__name__ == "InProcessExecutor":
+        return libafl.Executor.new_inprocess(executor)
+
+def generator_wrapper(generator):
+    if type(generator).__name__ == "RandPrintablesGenerator":
+        return libafl.Generator.new_rand_printables(generator)
 
 def monitor_wrapper(monitor):
-    if type(monitor).__name__ == "SimpleMonitor":
-        return libafl.Monitor.new_from_simple(monitor)
+    return monitor.as_monitor()
 
 def event_manager_wrapper(event_manager):
-    if type(event_manager).__name__ == "SimpleEventManager":
-        return libafl.EventManagerI32.new_from_simple(event_manager)
+    return event_manager.as_manager()
 
 def corpus_wrapper(corpus):
     if type(corpus).__name__ == "InMemoryCorpus":
-        return libafl.Corpus.new_from_in_memory(corpus)
+        return libafl.Corpus.new_in_memory(corpus)
     if type(corpus).__name__ == "OnDiskCorpus":
-        return libafl.Corpus.new_from_on_disk(corpus)
+        return libafl.Corpus.new_on_disk(corpus)
 
 def rand_wrapper(rand):
     if type(rand).__name__ == "StdRand":
-        return libafl.Rand.new_from_std(rand)
+        return libafl.Rand.new_std(rand)
+
+def mutator_wrapper(mutator):
+    if type(mutator).__name__ == "StdHavocMutator":
+        return libafl.Mutator.new_std_havoc(mutator)
 
 def stage_wrapper(stage):
-    if type(stage).__name__ == "StdScheduledHavocMutationsStageI32":
-        return libafl.StageI32.new_from_std_scheduled(stage)
+    if type(stage).__name__ == "StdMutationalStage":
+        return libafl.Stage.new_std_mutational(stage)
 
 # CODE WRITTEN BY USER
-
-def harness(inp):
-    if len(inp.hex()) >= 2 and inp.hex()[:2] == '61':
-        raise Exception("NOOOOOO =)")
+import logging
+logging.basicConfig(level=logging.INFO)
 
 map_observer = libafl.OwnedMapObserverI32("signals", [0] * 16)
 
-feedback_state = libafl.MapFeedbackStateI32.with_observer(map_observer_wrapper(map_observer))
+def harness(inp):
+    #print(inp)
+    map_observer[0] = 1
+    if len(inp) > 0 and inp[0] == ord('a'):
+        map_observer[1] = 1
+        if len(inp) > 1 and inp[1] == ord('b'):
+            map_observer[2] = 1
+            if len(inp) > 2 and inp[2] == ord('c'):
+                map_observer[3] = 1
+                raise Exception("NOOOOOO =)")
 
-feedback = libafl.MaxMapFeedbackI32(feedback_state, map_observer_wrapper(map_observer))
+feedback = libafl.MaxMapFeedbackI32(map_observer_wrapper(map_observer))
+objective = libafl.CrashFeedback()
 
-state = libafl.StdStateI32(
+state = libafl.StdState(
     rand_wrapper(libafl.StdRand.with_current_nanos()), 
     corpus_wrapper(libafl.InMemoryCorpus()), 
     corpus_wrapper(libafl.OnDiskCorpus("./crashes")), 
-    feedback_state
+    feedback.as_feedback(),
+    objective.as_feedback(),
 )
 
-monitor = libafl.SimpleMonitor()
+monitor = libafl.SimpleMonitor(lambda x: print(x))
 
 mgr = libafl.SimpleEventManager(monitor_wrapper(monitor))
 
-fuzzer = libafl.StdFuzzerI32(feedback)
+fuzzer = libafl.StdFuzzer(feedback.as_feedback(), objective.as_feedback())
 
-executor = libafl.OwnedInProcessExecutorI32(harness, map_observer_wrapper(map_observer), fuzzer, state, event_manager_wrapper(mgr))
+observers = libafl.ObserversTuple([libafl.Observer.new_map_i32(map_observer_wrapper(map_observer))])
 
-generator = libafl.RandPrintablesGeneratorI32(32)
+executor = libafl.InProcessExecutor(harness, observers, fuzzer, state, event_manager_wrapper(mgr))
 
-state.generate_initial_inputs(fuzzer, executor_wrapper(executor), generator, event_manager_wrapper(mgr), 8)
+generator = libafl.RandPrintablesGenerator(32)
 
-stage = libafl.StdScheduledHavocMutationsStageI32.new_from_scheduled_havoc_mutations()
+state.generate_initial_inputs(fuzzer, executor_wrapper(executor), generator_wrapper(generator), event_manager_wrapper(mgr), 3)
 
-stage_tuple_list = libafl.StagesOwnedListI32(stage_wrapper(stage))
+mutator = libafl.StdHavocMutator()
 
-fuzzer.fuzz_loop(executor_wrapper(executor), state, event_manager_wrapper(mgr), stage_tuple_list)
+stage = libafl.StdMutationalStage(mutator_wrapper(mutator))
+
+stages = libafl.StagesTuple([stage_wrapper(stage)])
+
+fuzzer.fuzz_loop(executor_wrapper(executor), state, event_manager_wrapper(mgr), stages)

fuzzers/baby_fuzzer/src/main.rs

@@ -1,13 +1,12 @@
-use std::path::PathBuf;
 #[cfg(windows)]
 use std::ptr::write_volatile;
+use std::{path::PathBuf, ptr::write};
 
 #[cfg(feature = "tui")]
-use libafl::monitors::tui::TuiMonitor;
+use libafl::monitors::tui::{ui::TuiUI, TuiMonitor};
 #[cfg(not(feature = "tui"))]
 use libafl::monitors::SimpleMonitor;
 use libafl::{
-    bolts::{current_nanos, rands::StdRand, tuples::tuple_list, AsSlice},
     corpus::{InMemoryCorpus, OnDiskCorpus},
     events::SimpleEventManager,
     executors::{inprocess::InProcessExecutor, ExitKind},
@@ -21,16 +20,18 @@ use libafl::{
     stages::mutational::StdMutationalStage,
     state::StdState,
 };
+use libafl_bolts::{current_nanos, rands::StdRand, tuples::tuple_list, AsSlice};
 
 /// Coverage map with explicit assignments due to the lack of instrumentation
 static mut SIGNALS: [u8; 16] = [0; 16];
+static mut SIGNALS_PTR: *mut u8 = unsafe { SIGNALS.as_mut_ptr() };
 
 /// Assign a signal to the signals map
 fn signals_set(idx: usize) {
-    unsafe { SIGNALS[idx] = 1 };
+    unsafe { write(SIGNALS_PTR.add(idx), 1) };
 }
 
-#[allow(clippy::similar_names)]
+#[allow(clippy::similar_names, clippy::manual_assert)]
 pub fn main() {
     // The closure that we want to fuzz
     let mut harness = |input: &BytesInput| {
@@ -60,8 +61,7 @@ pub fn main() {
     };
 
     // Create an observation channel using the signals map
-    let observer =
-        unsafe { StdMapObserver::new_from_ptr("signals", SIGNALS.as_mut_ptr(), SIGNALS.len()) };
+    let observer = unsafe { StdMapObserver::from_mut_ptr("signals", SIGNALS_PTR, SIGNALS.len()) };
 
     // Feedback to rate the interestingness of an input
     let mut feedback = MaxMapFeedback::new(&observer);
@@ -88,9 +88,11 @@ pub fn main() {
 
     // The Monitor trait define how the fuzzer stats are displayed to the user
     #[cfg(not(feature = "tui"))]
-    let mon = SimpleMonitor::new(|s| println!("{}", s));
+    let mon = SimpleMonitor::new(|s| println!("{s}"));
     #[cfg(feature = "tui")]
-    let mon = TuiMonitor::new(String::from("Baby Fuzzer"), false);
+    let ui = TuiUI::with_version(String::from("Baby Fuzzer"), String::from("0.0.1"), false);
+    #[cfg(feature = "tui")]
+    let mon = TuiMonitor::new(ui);
 
     // The event manager handle the various events generated during the fuzzing loop
     // such as the notification of the addition of a new item to the corpus

fuzzers/baby_fuzzer_gramatron/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "baby_fuzzer_gramatron"
-version = "0.8.2"
+version = "0.11.2"
 authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>", "Dominik Maier <domenukk@gmail.com>"]
 edition = "2021"
 
@@ -20,4 +20,5 @@ debug = true
 
 [dependencies]
 libafl = { path = "../../libafl/" }
-postcard = "0.7"
+libafl_bolts = { path = "../../libafl_bolts/" }
+postcard = { version = "1.0", features = ["alloc"], default-features = false } # no_std compatible serde serialization format

fuzzers/baby_fuzzer_gramatron/src/main.rs

@@ -7,7 +7,6 @@ use std::{
 };
 
 use libafl::{
-    bolts::{current_nanos, rands::StdRand, tuples::tuple_list},
     corpus::{InMemoryCorpus, OnDiskCorpus},
     events::SimpleEventManager,
     executors::{inprocess::InProcessExecutor, ExitKind},
@@ -25,13 +24,15 @@ use libafl::{
     stages::mutational::StdMutationalStage,
     state::StdState,
 };
+use libafl_bolts::{current_nanos, rands::StdRand, tuples::tuple_list};
 
 /// Coverage map with explicit assignments due to the lack of instrumentation
 static mut SIGNALS: [u8; 16] = [0; 16];
+static mut SIGNALS_PTR: *mut u8 = unsafe { SIGNALS.as_mut_ptr() };
 /*
 /// Assign a signal to the signals map
 fn signals_set(idx: usize) {
-    unsafe { SIGNALS[idx] = 1 };
+    unsafe { std::ptr::write(SIGNALS_PTR.add(idx), 1) };
 }
 */
 
@@ -57,7 +58,7 @@ pub fn main() {
     };
 
     // Create an observation channel using the signals map
-    let observer = StdMapObserver::new("signals", unsafe { &mut SIGNALS });
+    let observer = unsafe { StdMapObserver::from_mut_ptr("signals", SIGNALS_PTR, SIGNALS.len()) };
 
     // Feedback to rate the interestingness of an input
     let mut feedback = MaxMapFeedback::new(&observer);
@@ -83,7 +84,7 @@ pub fn main() {
     .unwrap();
 
     // The Monitor trait define how the fuzzer stats are reported to the user
-    let monitor = SimpleMonitor::new(|s| println!("{}", s));
+    let monitor = SimpleMonitor::new(|s| println!("{s}"));
 
     // The event manager handle the various events generated during the fuzzing loop
     // such as the notification of the addition of a new item to the corpus
@@ -122,7 +123,7 @@ pub fn main() {
     }
 
     let mut set = HashSet::new();
-    let st = libafl::bolts::current_milliseconds();
+    let st = libafl_bolts::current_milliseconds();
     let mut b = vec![];
     let mut c = 0;
     for _ in 0..100000 {
@@ -131,7 +132,7 @@ pub fn main() {
         set.insert(calculate_hash(&b));
         c += b.len();
     }
-    println!("{} / {}", c, libafl::bolts::current_milliseconds() - st);
+    println!("{} / {}", c, libafl_bolts::current_milliseconds() - st);
     println!("{} / 100000", set.len());
 
     return;

fuzzers/baby_fuzzer_grimoire/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "baby_fuzzer_grimoire"
-version = "0.8.2"
+version = "0.11.2"
 authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>", "Dominik Maier <domenukk@gmail.com>"]
 edition = "2021"
 
@@ -20,3 +20,4 @@ debug = true
 
 [dependencies]
 libafl = { path = "../../libafl/" }
+libafl_bolts = { path = "../../libafl_bolts/" }

fuzzers/baby_fuzzer_grimoire/src/main.rs

@@ -1,15 +1,14 @@
 #[cfg(windows)]
 use std::ptr::write_volatile;
-use std::{fs, io::Read, path::PathBuf};
+use std::{fs, io::Read, path::PathBuf, ptr::write};
 
 use libafl::{
-    bolts::{current_nanos, rands::StdRand, tuples::tuple_list, AsSlice},
     corpus::{InMemoryCorpus, OnDiskCorpus},
     events::SimpleEventManager,
     executors::{inprocess::InProcessExecutor, ExitKind},
     feedbacks::{CrashFeedback, MaxMapFeedback},
     fuzzer::{Evaluator, Fuzzer, StdFuzzer},
-    inputs::{GeneralizedInput, HasTargetBytes},
+    inputs::{BytesInput, HasTargetBytes},
     monitors::SimpleMonitor,
     mutators::{
         havoc_mutations, scheduled::StdScheduledMutator, GrimoireExtensionMutator,
@@ -21,13 +20,14 @@ use libafl::{
     stages::{mutational::StdMutationalStage, GeneralizationStage},
     state::{HasMetadata, StdState},
 };
+use libafl_bolts::{current_nanos, rands::StdRand, tuples::tuple_list, AsSlice};
 
 /// Coverage map with explicit assignments due to the lack of instrumentation
 static mut SIGNALS: [u8; 16] = [0; 16];
-
+static mut SIGNALS_PTR: *mut u8 = unsafe { SIGNALS.as_mut_ptr() };
 /// Assign a signal to the signals map
 fn signals_set(idx: usize) {
-    unsafe { SIGNALS[idx] = 1 };
+    unsafe { write(SIGNALS_PTR.add(idx), 1) };
 }
 
 fn is_sub<T: PartialEq>(mut haystack: &[T], needle: &[T]) -> bool {
@@ -59,13 +59,13 @@ pub fn main() {
             let mut file = fs::File::open(path).expect("no file found");
             let mut buffer = vec![];
             file.read_to_end(&mut buffer).expect("buffer overflow");
-            let input = GeneralizedInput::new(buffer);
+            let input = BytesInput::new(buffer);
             initial_inputs.push(input);
         }
     }
 
     // The closure that we want to fuzz
-    let mut harness = |input: &GeneralizedInput| {
+    let mut harness = |input: &BytesInput| {
         let target_bytes = input.target_bytes();
         let bytes = target_bytes.as_slice();
 
@@ -77,21 +77,14 @@ pub fn main() {
             signals_set(3);
         }
 
-        unsafe {
-            if input.grimoire_mutated {
-                // println!(">>> {:?}", input.generalized());
-                println!(">>> {:?}", std::str::from_utf8_unchecked(bytes));
-            }
-        }
         signals_set(1);
         ExitKind::Ok
     };
 
     // Create an observation channel using the signals map
-    let observer = StdMapObserver::new("signals", unsafe { &mut SIGNALS });
-
+    let observer = unsafe { StdMapObserver::from_mut_ptr("signals", SIGNALS_PTR, SIGNALS.len()) };
     // Feedback to rate the interestingness of an input
-    let mut feedback = MaxMapFeedback::new_tracking(&observer, false, true);
+    let mut feedback = MaxMapFeedback::tracking(&observer, false, true);
 
     // A feedback to choose if an input is a solution or not
     let mut objective = CrashFeedback::new();
@@ -113,12 +106,12 @@ pub fn main() {
     )
     .unwrap();
 
-    if state.metadata().get::<Tokens>().is_none() {
+    if state.metadata_map().get::<Tokens>().is_none() {
         state.add_metadata(Tokens::from([b"FOO".to_vec(), b"BAR".to_vec()]));
     }
 
     // The Monitor trait define how the fuzzer stats are reported to the user
-    let monitor = SimpleMonitor::new(|s| println!("{}", s));
+    let monitor = SimpleMonitor::new(|s| println!("{s}"));
 
     // The event manager handle the various events generated during the fuzzing loop
     // such as the notification of the addition of a new item to the corpus
@@ -158,7 +151,7 @@ pub fn main() {
     let mut stages = tuple_list!(
         generalization,
         StdMutationalStage::new(mutator),
-        StdMutationalStage::new(grimoire_mutator)
+        StdMutationalStage::transforming(grimoire_mutator)
     );
 
     for input in initial_inputs {

fuzzers/baby_fuzzer_minimizing/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "baby_fuzzer_minimizing"
-version = "0.8.2"
+version = "0.11.2"
 authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>", "Dominik Maier <domenukk@gmail.com>", "Addison Crump <research@addisoncrump.info>"]
 edition = "2021"
 
@@ -21,3 +21,4 @@ debug = true
 
 [dependencies]
 libafl = { path = "../../libafl/", features = ["prelude"] }
+libafl_bolts = { path = "../../libafl_bolts/", features = ["prelude"] }

fuzzers/baby_fuzzer_minimizing/src/main.rs

@@ -1,15 +1,17 @@
-use std::path::PathBuf;
 #[cfg(windows)]
 use std::ptr::write_volatile;
+use std::{path::PathBuf, ptr::write};
 
 use libafl::prelude::*;
+use libafl_bolts::prelude::*;
 
 /// Coverage map with explicit assignments due to the lack of instrumentation
 static mut SIGNALS: [u8; 16] = [0; 16];
+static mut SIGNALS_PTR: *mut u8 = unsafe { SIGNALS.as_mut_ptr() };
 
 /// Assign a signal to the signals map
 fn signals_set(idx: usize) {
-    unsafe { SIGNALS[idx] = 1 };
+    unsafe { write(SIGNALS_PTR.add(idx), 1) };
 }
 
 #[allow(clippy::similar_names)]
@@ -32,10 +34,9 @@ pub fn main() -> Result<(), Error> {
     };
 
     // Create an observation channel using the signals map
-    let observer =
-        unsafe { StdMapObserver::new_from_ptr("signals", SIGNALS.as_mut_ptr(), SIGNALS.len()) };
+    let observer = unsafe { StdMapObserver::from_mut_ptr("signals", SIGNALS_PTR, SIGNALS.len()) };
 
-    let factory = MapEqualityFactory::new_from_observer(&observer);
+    let factory = MapEqualityFactory::with_observer(&observer);
 
     // Feedback to rate the interestingness of an input
     let mut feedback = MaxMapFeedback::new(&observer);
@@ -44,7 +45,7 @@ pub fn main() -> Result<(), Error> {
     let mut objective = CrashFeedback::new();
 
     // The Monitor trait define how the fuzzer stats are displayed to the user
-    let mon = SimpleMonitor::new(|s| println!("{}", s));
+    let mon = SimpleMonitor::new(|s| println!("{s}"));
 
     let mut mgr = SimpleEventManager::new(mon);
 
@@ -56,7 +57,7 @@ pub fn main() -> Result<(), Error> {
         // RNG
         StdRand::with_seed(current_nanos()),
         // Corpus that will be evolved, we keep it in memory for performance
-        OnDiskCorpus::new(&corpus_dir).unwrap(),
+        InMemoryOnDiskCorpus::new(&corpus_dir).unwrap(),
         // Corpus in which we store solutions (crashes in this example),
         // on disk so the user can get them after stopping the fuzzer
         OnDiskCorpus::new(&solution_dir).unwrap(),
@@ -108,7 +109,7 @@ pub fn main() -> Result<(), Error> {
 
     let mut state = StdState::new(
         StdRand::with_seed(current_nanos()),
-        OnDiskCorpus::new(&minimized_dir).unwrap(),
+        InMemoryOnDiskCorpus::new(minimized_dir).unwrap(),
         InMemoryCorpus::new(),
         &mut (),
         &mut (),
@@ -116,7 +117,7 @@ pub fn main() -> Result<(), Error> {
     .unwrap();
 
     // The Monitor trait define how the fuzzer stats are displayed to the user
-    let mon = SimpleMonitor::new(|s| println!("{}", s));
+    let mon = SimpleMonitor::new(|s| println!("{s}"));
 
     let mut mgr = SimpleEventManager::new(mon);
 
@@ -136,7 +137,13 @@ pub fn main() -> Result<(), Error> {
     let mut executor = InProcessExecutor::new(&mut harness, (), &mut fuzzer, &mut state, &mut mgr)?;
 
     state.load_initial_inputs_forced(&mut fuzzer, &mut executor, &mut mgr, &[solution_dir])?;
-    stages.perform_all(&mut fuzzer, &mut executor, &mut state, &mut mgr, 0)?;
+    stages.perform_all(
+        &mut fuzzer,
+        &mut executor,
+        &mut state,
+        &mut mgr,
+        CorpusId::from(0_usize),
+    )?;
 
     Ok(())
 }

fuzzers/baby_fuzzer_nautilus/Cargo.toml

@@ -1,8 +1,8 @@
 [package]
 name = "baby_fuzzer_nautilus"
-version = "0.8.2"
+version = "0.11.2"
 authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>", "Dominik Maier <domenukk@gmail.com>"]
-edition = "2018"
+edition = "2021"
 
 [features]
 default = ["std"]
@@ -20,3 +20,4 @@ debug = true
 
 [dependencies]
 libafl = { path = "../../libafl/", features = ["default", "nautilus"] }
+libafl_bolts = { path = "../../libafl_bolts/" }

fuzzers/baby_fuzzer_nautilus/src/main.rs

@@ -3,7 +3,6 @@ use std::path::PathBuf;
 use std::ptr::write_volatile;
 
 use libafl::{
-    bolts::{current_nanos, rands::StdRand, tuples::tuple_list},
     corpus::{InMemoryCorpus, OnDiskCorpus},
     events::SimpleEventManager,
     executors::{inprocess::InProcessExecutor, ExitKind},
@@ -21,13 +20,15 @@ use libafl::{
     stages::mutational::StdMutationalStage,
     state::{HasMetadata, StdState},
 };
+use libafl_bolts::{current_nanos, rands::StdRand, tuples::tuple_list};
 
 /// Coverage map with explicit assignments due to the lack of instrumentation
 static mut SIGNALS: [u8; 16] = [0; 16];
+static mut SIGNALS_PTR: *mut u8 = unsafe { SIGNALS.as_mut_ptr() };
 /*
 /// Assign a signal to the signals map
 fn signals_set(idx: usize) {
-    unsafe { SIGNALS[idx] = 1 };
+    unsafe { str::ptr::write(SIGNALS_PTR.add(idx), 1) };
 }
 */
 
@@ -46,7 +47,7 @@ pub fn main() {
     };
 
     // Create an observation channel using the signals map
-    let observer = StdMapObserver::new("signals", unsafe { &mut SIGNALS });
+    let observer = unsafe { StdMapObserver::from_mut_ptr("signals", SIGNALS_PTR, SIGNALS.len()) };
 
     // Feedback to rate the interestingness of an input
     let mut feedback = feedback_or!(
@@ -74,12 +75,16 @@ pub fn main() {
     )
     .unwrap();
 
-    if state.metadata().get::<NautilusChunksMetadata>().is_none() {
+    if state
+        .metadata_map()
+        .get::<NautilusChunksMetadata>()
+        .is_none()
+    {
         state.add_metadata(NautilusChunksMetadata::new("/tmp/".into()));
     }
 
     // The Monitor trait define how the fuzzer stats are reported to the user
-    let monitor = SimpleMonitor::new(|s| println!("{}", s));
+    let monitor = SimpleMonitor::new(|s| println!("{s}"));
 
     // The event manager handle the various events generated during the fuzzing loop
     // such as the notification of the addition of a new item to the corpus
@@ -117,7 +122,7 @@ pub fn main() {
     }
 
     let mut set = HashSet::new();
-    let st = libafl::bolts::current_milliseconds();
+    let st = libafl_bolts::current_milliseconds();
     let mut b = vec![];
     let mut c = 0;
     for _ in 0..100000 {
@@ -126,7 +131,7 @@ pub fn main() {
         set.insert(calculate_hash(&b));
         c += b.len();
     }
-    println!("{} / {}", c, libafl::bolts::current_milliseconds() - st);
+    println!("{} / {}", c, libafl_bolts::current_milliseconds() - st);
     println!("{} / 100000", set.len());
 
     return;