From 730fbcf6d4d2b2c2856c97af1cd8306491ed24f7 Mon Sep 17 00:00:00 2001
From: Alwin Berger <alwin.berger@tu-dortmund.de>
Date: Wed, 27 Mar 2024 15:24:44 +0100
Subject: [PATCH] fix capture in api calls

---
 fuzzers/FRET/benchmark/target_symbols.csv |  3 ++-
 fuzzers/FRET/src/systemstate/helpers.rs   |  8 ++++----
 fuzzers/FRET/src/systemstate/observers.rs | 12 +++++++-----
 3 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/fuzzers/FRET/benchmark/target_symbols.csv b/fuzzers/FRET/benchmark/target_symbols.csv
index c42ba19ae7..6412c8f547 100644
--- a/fuzzers/FRET/benchmark/target_symbols.csv
+++ b/fuzzers/FRET/benchmark/target_symbols.csv
@@ -22,4 +22,5 @@ watersv2_int,main_waters,FUZZ_INPUT,4096,trigger_Qemu_break
 micro_branchless,main_branchless,FUZZ_INPUT,4,trigger_Qemu_break
 micro_int,main_int,FUZZ_INPUT,16,trigger_Qemu_break
 micro_longint,main_micro_longint,FUZZ_INPUT,16,trigger_Qemu_break
-minimal,main_minimal,FUZZ_INPUT,4096,trigger_Qemu_break
\ No newline at end of file
+minimal,main_minimal,FUZZ_INPUT,4096,trigger_Qemu_break
+gen3,main_minimal,FUZZ_INPUT,4096,trigger_Qemu_break
diff --git a/fuzzers/FRET/src/systemstate/helpers.rs b/fuzzers/FRET/src/systemstate/helpers.rs
index b3ddaa24e4..bf65068056 100644
--- a/fuzzers/FRET/src/systemstate/helpers.rs
+++ b/fuzzers/FRET/src/systemstate/helpers.rs
@@ -235,7 +235,7 @@ fn trigger_collection(emulator: &Emulator, edge: (Option<GuestAddr>,Option<Guest
             }
         },
         Some(dest) => {
-            if let Some(src) = edge.0 { // Bot set, can be API Call/Ret
+            if let Some(src) = edge.0 { // Both set, can be API Call/Ret
                 if let Some(s) = h.api_fn_addrs.get(&src) { // API End
                     systemstate.capture_point=(CaptureEvent::APIEnd, s);
                 } else if let Some(s) = h.api_fn_addrs.get(&dest) { // API Call
@@ -282,9 +282,9 @@ fn trigger_collection(emulator: &Emulator, edge: (Option<GuestAddr>,Option<Guest
     let critical : void_ptr = freertos::emu_lookup::lookup(emulator, h.critical_addr);
     let suspended : void_ptr = freertos::emu_lookup::lookup(emulator, h.scheduler_lock_addr);
 
+    systemstate.current_tcb = freertos::emu_lookup::lookup(emulator,curr_tcb_addr);
     // During ISRs it is only safe to extract structs if they are not currently being modified
-    if (systemstate.capture_point.0==CaptureEvent::ISRStart || systemstate.capture_point.0==CaptureEvent::ISREnd) && critical == 0 && suspended == 0 {
-        systemstate.current_tcb = freertos::emu_lookup::lookup(emulator,curr_tcb_addr);
+    if (systemstate.capture_point.0==CaptureEvent::APIStart || systemstate.capture_point.0==CaptureEvent::APIEnd) || (critical == 0 && suspended == 0) {
         // Extract delay list
         let mut target : GuestAddr = h.delay_queue;
         target = freertos::emu_lookup::lookup(emulator, target);
@@ -371,7 +371,7 @@ where
         if h.app_range.contains(&src) && !h.app_range.contains(&dest) {
             if let Some(_) = in_any_range(&h.api_fn_ranges,dest) {
                 // println!("New jmp {:x} {:x}", src, dest);
-                // println!("API Call Edge");
+                // println!("API Call Edge {:x} {:x}", src, dest);
                 return Some(1);
             }
         } else if !h.app_range.contains(&src) && dest == 0 {
diff --git a/fuzzers/FRET/src/systemstate/observers.rs b/fuzzers/FRET/src/systemstate/observers.rs
index b5a08b1360..8091a5845f 100644
--- a/fuzzers/FRET/src/systemstate/observers.rs
+++ b/fuzzers/FRET/src/systemstate/observers.rs
@@ -173,6 +173,8 @@ fn refine_system_states(input: &mut Vec<RawFreeRTOSSystemState>) -> Vec<RefinedF
 
 fn post_process_trace(mut trace: Vec<RefinedFreeRTOSSystemState>) -> Vec<RefinedFreeRTOSSystemState> {
     // remove subsequent pairs of equal states where an ISRStart follows an ISREnd
+    let mut ret : Vec<RefinedFreeRTOSSystemState> = Vec::new();
+    ret.push(trace[0].clone());
     let mut i = 1;
     while i < trace.len() - 1 {
         if trace[i] == trace[i + 1] &&
@@ -181,13 +183,13 @@ fn post_process_trace(mut trace: Vec<RefinedFreeRTOSSystemState>) -> Vec<Refined
             trace[i].capture_point.1 == trace[i + 1].capture_point.1
         {
             // extend the end of the last ABB until the end of the next one
-            trace[i-1].end_tick = trace[i+1].end_tick;
-            
-            trace.remove(i + 1);
-            trace.remove(i);
+            ret.last_mut().unwrap().end_tick = trace[i+1].end_tick;
+
+            i+=2;
         } else {
+            ret.push(trace[i].clone());
             i+=1;
         }
     }
-    trace
+    ret
 }