fix capture in api calls

fuzzers/FRET/benchmark/target_symbols.csv

@@ -23,3 +23,4 @@ micro_branchless,main_branchless,FUZZ_INPUT,4,trigger_Qemu_break
 micro_int,main_int,FUZZ_INPUT,16,trigger_Qemu_break
 micro_longint,main_micro_longint,FUZZ_INPUT,16,trigger_Qemu_break
 minimal,main_minimal,FUZZ_INPUT,4096,trigger_Qemu_break
+gen3,main_minimal,FUZZ_INPUT,4096,trigger_Qemu_break

fuzzers/FRET/src/systemstate/helpers.rs

@@ -235,7 +235,7 @@ fn trigger_collection(emulator: &Emulator, edge: (Option<GuestAddr>,Option<Guest
             }
         },
         Some(dest) => {
-            if let Some(src) = edge.0 { // Bot set, can be API Call/Ret
+            if let Some(src) = edge.0 { // Both set, can be API Call/Ret
                 if let Some(s) = h.api_fn_addrs.get(&src) { // API End
                     systemstate.capture_point=(CaptureEvent::APIEnd, s);
                 } else if let Some(s) = h.api_fn_addrs.get(&dest) { // API Call
@@ -282,9 +282,9 @@ fn trigger_collection(emulator: &Emulator, edge: (Option<GuestAddr>,Option<Guest
     let critical : void_ptr = freertos::emu_lookup::lookup(emulator, h.critical_addr);
     let suspended : void_ptr = freertos::emu_lookup::lookup(emulator, h.scheduler_lock_addr);
 
+    systemstate.current_tcb = freertos::emu_lookup::lookup(emulator,curr_tcb_addr);
     // During ISRs it is only safe to extract structs if they are not currently being modified
-    if (systemstate.capture_point.0==CaptureEvent::ISRStart || systemstate.capture_point.0==CaptureEvent::ISREnd) && critical == 0 && suspended == 0 {
+    if (systemstate.capture_point.0==CaptureEvent::APIStart || systemstate.capture_point.0==CaptureEvent::APIEnd) || (critical == 0 && suspended == 0) {
-        systemstate.current_tcb = freertos::emu_lookup::lookup(emulator,curr_tcb_addr);
         // Extract delay list
         let mut target : GuestAddr = h.delay_queue;
         target = freertos::emu_lookup::lookup(emulator, target);
@@ -371,7 +371,7 @@ where
         if h.app_range.contains(&src) && !h.app_range.contains(&dest) {
             if let Some(_) = in_any_range(&h.api_fn_ranges,dest) {
                 // println!("New jmp {:x} {:x}", src, dest);
-                // println!("API Call Edge");
+                // println!("API Call Edge {:x} {:x}", src, dest);
                 return Some(1);
             }
         } else if !h.app_range.contains(&src) && dest == 0 {

fuzzers/FRET/src/systemstate/observers.rs

@@ -173,6 +173,8 @@ fn refine_system_states(input: &mut Vec<RawFreeRTOSSystemState>) -> Vec<RefinedF
 
 fn post_process_trace(mut trace: Vec<RefinedFreeRTOSSystemState>) -> Vec<RefinedFreeRTOSSystemState> {
     // remove subsequent pairs of equal states where an ISRStart follows an ISREnd
+    let mut ret : Vec<RefinedFreeRTOSSystemState> = Vec::new();
+    ret.push(trace[0].clone());
     let mut i = 1;
     while i < trace.len() - 1 {
         if trace[i] == trace[i + 1] &&
@@ -181,13 +183,13 @@ fn post_process_trace(mut trace: Vec<RefinedFreeRTOSSystemState>) -> Vec<Refined
             trace[i].capture_point.1 == trace[i + 1].capture_point.1
         {
             // extend the end of the last ABB until the end of the next one
-            trace[i-1].end_tick = trace[i+1].end_tick;
+            ret.last_mut().unwrap().end_tick = trace[i+1].end_tick;
 
-            trace.remove(i + 1);
+            i+=2;
-            trace.remove(i);
         } else {
+            ret.push(trace[i].clone());
             i+=1;
         }
     }
-    trace
+    ret
 }