add instrumentation call after breakpoint

2022-05-26 16:11:30 +02:00 · 2022-05-26 16:11:30 +02:00 · 517b3d3da7
commit 517b3d3da7
parent 86ca7863ca
3 changed files with 10 additions and 5 deletions
--- a/fuzzers/wcet_qemu_sys/src/bin/fuzzer.rs
+++ b/fuzzers/wcet_qemu_sys/src/bin/fuzzer.rs
@ -78,7 +78,7 @@ use libafl_qemu::{
    edges,
    edges::QemuEdgeCoverageHelper,
    elf::EasyElf,
-    emu::Emulator, filter_qemu_args, libafl_int_offset,
+    emu::Emulator, filter_qemu_args, libafl_int_offset, libafl_exec_block_hook,
    snapshot_sys::QemuSysSnapshotHelper,
    QemuExecutor,
    clock,
@ -450,12 +450,14 @@ fn fuzz(
            emu.write_mem(input_addr,buf);

            emu.run();
+            // since the breakpoint interrupted the last task the last state needs to be recorded
+            libafl_exec_block_hook(check_breakpoint);
        }

        ExitKind::Ok
    };

-    let system_state_filter = QemuInstrumentationFilter::AllowList(vec![svh..svh+1]);
+    let system_state_filter = QemuInstrumentationFilter::AllowList(vec![svh..svh+1,check_breakpoint..check_breakpoint+1]);
    let mut executor = QemuExecutor::new(
        &mut harness,
        &emu,
--- a/fuzzers/wcet_qemu_sys/src/bin/showmap.rs
+++ b/fuzzers/wcet_qemu_sys/src/bin/showmap.rs
@ -40,7 +40,7 @@ use libafl::{
 use libafl_qemu::{
    edges,
    edges::QemuEdgeCoverageHelper,
-    emu::Emulator, filter_qemu_args, libafl_int_offset,
+    emu::Emulator, filter_qemu_args, libafl_int_offset, libafl_exec_block_hook,
    elf::EasyElf,
    snapshot_sys::QemuSysSnapshotHelper,
    clock::{QemuClockObserver},
@ -359,12 +359,15 @@ fn fuzz(
            emu.write_mem(input_addr,buf);

            emu.run();
+            // since the breakpoint interrupted the last task the last state needs to be recorded
+            libafl_exec_block_hook(check_breakpoint);
+            println!("Qemu Ticks: {}",emu.get_ticks());
        }

        ExitKind::Ok
    };
    //======= Set System-State watchpoints
-    let system_state_filter = QemuInstrumentationFilter::AllowList(vec![svh..svh+1]);
+    let system_state_filter = QemuInstrumentationFilter::AllowList(vec![svh..svh+1,check_breakpoint..check_breakpoint+1]);

    //======= Construct the executor, including the Helpers. The edges_observer still contains the ref to EDGES_MAP
    let mut executor = QemuExecutor::new(
--- a/libafl_qemu/src/emu.rs
+++ b/libafl_qemu/src/emu.rs
@ -234,7 +234,7 @@ extern "C" {
    static mut libafl_exec_jmp_hook: unsafe extern "C" fn(u64, u64);
    #[cfg(feature = "systemmode")]
    static mut libafl_gen_jmp_hook: unsafe extern "C" fn(u64, u64) -> u64;
-    static mut libafl_exec_block_hook: unsafe extern "C" fn(u64);
+    pub static mut libafl_exec_block_hook: unsafe extern "C" fn(u64);
    static mut libafl_gen_block_hook: unsafe extern "C" fn(u64) -> u64;

    static mut libafl_exec_read_hook1: unsafe extern "C" fn(u64, u64);