fix capture in api calls

2024-03-27 15:24:44 +01:00 · 2024-03-27 15:24:44 +01:00 · 730fbcf6d4
commit 730fbcf6d4
parent 7e79f4051d
3 changed files with 13 additions and 10 deletions
--- a/fuzzers/FRET/benchmark/target_symbols.csv
+++ b/fuzzers/FRET/benchmark/target_symbols.csv
@ -23,3 +23,4 @@ micro_branchless,main_branchless,FUZZ_INPUT,4,trigger_Qemu_break
 micro_int,main_int,FUZZ_INPUT,16,trigger_Qemu_break
 micro_longint,main_micro_longint,FUZZ_INPUT,16,trigger_Qemu_break
 minimal,main_minimal,FUZZ_INPUT,4096,trigger_Qemu_break
+gen3,main_minimal,FUZZ_INPUT,4096,trigger_Qemu_break
--- a/fuzzers/FRET/src/systemstate/helpers.rs
+++ b/fuzzers/FRET/src/systemstate/helpers.rs
@ -235,7 +235,7 @@ fn trigger_collection(emulator: &Emulator, edge: (Option<GuestAddr>,Option<Guest
            }
        },
        Some(dest) => {
-            if let Some(src) = edge.0 { // Bot set, can be API Call/Ret
+            if let Some(src) = edge.0 { // Both set, can be API Call/Ret
                if let Some(s) = h.api_fn_addrs.get(&src) { // API End
                    systemstate.capture_point=(CaptureEvent::APIEnd, s);
                } else if let Some(s) = h.api_fn_addrs.get(&dest) { // API Call
@ -282,9 +282,9 @@ fn trigger_collection(emulator: &Emulator, edge: (Option<GuestAddr>,Option<Guest
    let critical : void_ptr = freertos::emu_lookup::lookup(emulator, h.critical_addr);
    let suspended : void_ptr = freertos::emu_lookup::lookup(emulator, h.scheduler_lock_addr);

-    // During ISRs it is only safe to extract structs if they are not currently being modified
-    if (systemstate.capture_point.0==CaptureEvent::ISRStart || systemstate.capture_point.0==CaptureEvent::ISREnd) && critical == 0 && suspended == 0 {
    systemstate.current_tcb = freertos::emu_lookup::lookup(emulator,curr_tcb_addr);
+    // During ISRs it is only safe to extract structs if they are not currently being modified
+    if (systemstate.capture_point.0==CaptureEvent::APIStart || systemstate.capture_point.0==CaptureEvent::APIEnd) || (critical == 0 && suspended == 0) {
        // Extract delay list
        let mut target : GuestAddr = h.delay_queue;
        target = freertos::emu_lookup::lookup(emulator, target);
@ -371,7 +371,7 @@ where
        if h.app_range.contains(&src) && !h.app_range.contains(&dest) {
            if let Some(_) = in_any_range(&h.api_fn_ranges,dest) {
                // println!("New jmp {:x} {:x}", src, dest);
-                // println!("API Call Edge");
+                // println!("API Call Edge {:x} {:x}", src, dest);
                return Some(1);
            }
        } else if !h.app_range.contains(&src) && dest == 0 {
--- a/fuzzers/FRET/src/systemstate/observers.rs
+++ b/fuzzers/FRET/src/systemstate/observers.rs
@ -173,6 +173,8 @@ fn refine_system_states(input: &mut Vec<RawFreeRTOSSystemState>) -> Vec<RefinedF

 fn post_process_trace(mut trace: Vec<RefinedFreeRTOSSystemState>) -> Vec<RefinedFreeRTOSSystemState> {
    // remove subsequent pairs of equal states where an ISRStart follows an ISREnd
+    let mut ret : Vec<RefinedFreeRTOSSystemState> = Vec::new();
+    ret.push(trace[0].clone());
    let mut i = 1;
    while i < trace.len() - 1 {
        if trace[i] == trace[i + 1] &&
@ -181,13 +183,13 @@ fn post_process_trace(mut trace: Vec<RefinedFreeRTOSSystemState>) -> Vec<Refined
            trace[i].capture_point.1 == trace[i + 1].capture_point.1
        {
            // extend the end of the last ABB until the end of the next one
-            trace[i-1].end_tick = trace[i+1].end_tick;
+            ret.last_mut().unwrap().end_tick = trace[i+1].end_tick;

-            trace.remove(i + 1);
-            trace.remove(i);
+            i+=2;
        } else {
+            ret.push(trace[i].clone());
            i+=1;
        }
    }
-    trace
+    ret
 }