add interrupts

fuzzers/wcet_qemu_sys/src/bin/fuzzer.rs

@@ -1,5 +1,6 @@
 //! A singlethreaded QEMU fuzzer that can auto-restart.
 
+use wcet_qemu_sys::sysstate::helpers::INTR_OFFSET;
 use wcet_qemu_sys::sysstate::graph::RandGraphSnippetMutator;
 use wcet_qemu_sys::sysstate::graph::GraphMaximizerCorpusScheduler;
 use wcet_qemu_sys::sysstate::graph::SysMapFeedback;
@@ -415,12 +416,21 @@ fn fuzz(
         let target = input.target_bytes();
         let mut buf = target.as_slice();
         let mut len = buf.len();
-        if len > 32 {
+        let mut int_tick : Option<u64> = None;
+        if len > 4 {
+            let mut t : [u8; 4] = [0,0,0,0];    // 4 extra bytes determine the tick to execute an interrupt
+            t.copy_from_slice(&buf[0..4]);
+            int_tick = Some(u32::from_le_bytes(t) as u64);
+            buf = &buf[4..];
+            len = buf.len();
+        }
+        if len >= 32 {
             buf = &buf[0..32];
             len = 32;
         }
 
         unsafe {
+            INTR_OFFSET = int_tick;
             emu.write_mem(test_length_ptr,&(len as u32).to_le_bytes());
             emu.write_mem(input_addr,buf);
 

fuzzers/wcet_qemu_sys/src/bin/showmap.rs

@@ -1,5 +1,6 @@
 //! A singlethreaded QEMU fuzzer that can auto-restart.
 
+use wcet_qemu_sys::sysstate::helpers::INTR_OFFSET;
 use std::io::Read;
 use wcet_qemu_sys::sysstate::observers::QemuSysStateObserver;
 use wcet_qemu_sys::sysstate::feedbacks::DumpSystraceFeedback;
@@ -337,12 +338,21 @@ fn fuzz(
         let target = input.target_bytes();
         let mut buf = target.as_slice();
         let mut len = buf.len();
-        if len > 32 {
+        let mut int_tick : Option<u64> = None;
+        if len > 4 {
+            let mut t : [u8; 4] = [0,0,0,0];    // 4 extra bytes determine the tick to execute an interrupt
+            t.copy_from_slice(&buf[0..4]);
+            int_tick = Some(u32::from_le_bytes(t) as u64);
+            buf = &buf[4..];
+            len = buf.len();
+        }
+        if len >= 32 {
             buf = &buf[0..32];
             len = 32;
         }
 
         unsafe {
+            INTR_OFFSET = int_tick;
             emu.write_mem(test_length_ptr,&(len as u32).to_le_bytes());
             emu.write_mem(input_addr,buf);
 

fuzzers/wcet_qemu_sys/src/sysstate/helpers.rs

@@ -17,6 +17,8 @@ use libafl_qemu::{
 
 //============================= Struct definitions
 
+pub static mut INTR_OFFSET : Option<u64> = None;
+pub static mut INTR_DONE : bool = true;
 
 //============================= Qemu Helper
 
@@ -88,6 +90,21 @@ where
     I: Input,
     QT: QemuHelperTuple<I, S>,
 {
+    unsafe {
+        match INTR_OFFSET {
+            None => (),
+            Some(off) => {
+                if emulator.get_ticks() > off {
+                    if !INTR_DONE {
+                        libafl_qemu::emu::libafl_send_irq(0);
+                        INTR_DONE = true;
+                    }
+                } else {
+                    INTR_DONE = false;
+                }
+            },
+        }
+    }
     let h = helpers.match_first_type::<QemuSystemStateHelper>().expect("QemuSystemHelper not found in helper tupel");
     if !h.must_instrument(pc) {
         return;

libafl_qemu/src/emu.rs

@@ -218,6 +218,10 @@ extern "C" {
 
     fn libafl_maps_next(map_info: *const c_void, ret: *mut MapInfo) -> *const c_void;
 
+    #[cfg(feature = "systemmode")]
+    #[cfg(feature = "arm")]
+    pub fn libafl_send_irq(irqn: u32);
+
     static exec_path: *const u8;
     static guest_base: usize;