From 517b3d3da755b3bd90d24c83d389f050575757c6 Mon Sep 17 00:00:00 2001
From: Alwin Berger
Date: Thu, 26 May 2022 16:11:30 +0200
Subject: [PATCH] add instrumentation call after breakpoint

---
 fuzzers/wcet_qemu_sys/src/bin/fuzzer.rs | 6 ++++--
 fuzzers/wcet_qemu_sys/src/bin/showmap.rs | 7 +++++--
 libafl_qemu/src/emu.rs | 2 +-
 3 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/fuzzers/wcet_qemu_sys/src/bin/fuzzer.rs b/fuzzers/wcet_qemu_sys/src/bin/fuzzer.rs
index 3b8cb330ac..036bf9175c 100644
--- a/fuzzers/wcet_qemu_sys/src/bin/fuzzer.rs
+++ b/fuzzers/wcet_qemu_sys/src/bin/fuzzer.rs
@@ -78,7 +78,7 @@ use libafl_qemu::{
 edges,
 edges::QemuEdgeCoverageHelper,
 elf::EasyElf,
- emu::Emulator, filter_qemu_args, libafl_int_offset,
+ emu::Emulator, filter_qemu_args, libafl_int_offset, libafl_exec_block_hook,
 snapshot_sys::QemuSysSnapshotHelper,
 QemuExecutor,
 clock,
@@ -450,12 +450,14 @@ fn fuzz(
 emu.write_mem(input_addr,buf);
 emu.run();
+ // since the breakpoint interrupted the last task the last state needs to be recorded
+ libafl_exec_block_hook(check_breakpoint);
 }
 ExitKind::Ok
 };
- let system_state_filter = QemuInstrumentationFilter::AllowList(vec![svh..svh+1]);
+ let system_state_filter = QemuInstrumentationFilter::AllowList(vec![svh..svh+1,check_breakpoint..check_breakpoint+1]);
 let mut executor = QemuExecutor::new(
 &mut harness,
 &emu,
diff --git a/fuzzers/wcet_qemu_sys/src/bin/showmap.rs b/fuzzers/wcet_qemu_sys/src/bin/showmap.rs
index bcb0d16734..7ae8a95d47 100644
--- a/fuzzers/wcet_qemu_sys/src/bin/showmap.rs
+++ b/fuzzers/wcet_qemu_sys/src/bin/showmap.rs
@@ -40,7 +40,7 @@ use libafl::{
 use libafl_qemu::{
 edges,
 edges::QemuEdgeCoverageHelper,
- emu::Emulator, filter_qemu_args, libafl_int_offset,
+ emu::Emulator, filter_qemu_args, libafl_int_offset, libafl_exec_block_hook,
 elf::EasyElf,
 snapshot_sys::QemuSysSnapshotHelper,
 clock::{QemuClockObserver},
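Review bot: The added `libafl_exec_block_hook(check_breakpoint);` in the `fn fuzz(` hunk calls a `static mut` extern "C" function pointer straight from the harness closure, which only compiles inside an `unsafe` block (the closure's opening and any such block lie outside the hunk, so presumably that is already the case) and couples the fuzzer binary to libafl_qemu's C-side hook table, which is why emu.rs has to make the static `pub`. The same two lines are repeated in showmap.rs; a safe wrapper on `Emulator`, for instance `pub fn exec_block_hook(&self, pc: u64) { unsafe { libafl_exec_block_hook(pc) } }` with a doc comment stating that it synthesizes a block-execution event for `pc` after `run()` returns, would keep the `static mut` private and put the invariant in one place. As written the call also fires no matter why `run()` returned; if the emulator can stop for a reason other than reaching `check_breakpoint` (a timeout, a different breakpoint), the synthesized event attributes the final state to the wrong address, so gating it on the stop reason, if `Emulator` exposes one, is worth checking. The enclosing `fuzz` function begins before this hunk.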
@@ -359,12 +359,15 @@ fn fuzz(
 emu.write_mem(input_addr,buf);
 emu.run();
+ // since the breakpoint interrupted the last task the last state needs to be recorded
+ libafl_exec_block_hook(check_breakpoint);
+ println!("Qemu Ticks: {}",emu.get_ticks());
 }
 ExitKind::Ok
 };
 //======= Set System-State watchpoints
- let system_state_filter = QemuInstrumentationFilter::AllowList(vec![svh..svh+1]);
+ let system_state_filter = QemuInstrumentationFilter::AllowList(vec![svh..svh+1,check_breakpoint..check_breakpoint+1]);
 //======= Construct the executor, including the Helpers. The edges_observer still contains the ref to EDGES_MAP
 let mut executor = QemuExecutor::new(
diff --git a/libafl_qemu/src/emu.rs b/libafl_qemu/src/emu.rs
index 1dcc12c6ad..faf83ce2ca 100644
--- a/libafl_qemu/src/emu.rs
+++ b/libafl_qemu/src/emu.rs
@@ -234,7 +234,7 @@ extern "C" {
 static mut libafl_exec_jmp_hook: unsafe extern "C" fn(u64, u64);
 #[cfg(feature = "systemmode")]
 static mut libafl_gen_jmp_hook: unsafe extern "C" fn(u64, u64) -> u64;
- static mut libafl_exec_block_hook: unsafe extern "C" fn(u64);
+ pub static mut libafl_exec_block_hook: unsafe extern "C" fn(u64);
 static mut libafl_gen_block_hook: unsafe extern "C" fn(u64) -> u64;
 static mut libafl_exec_read_hook1: unsafe extern "C" fn(u64, u64);