From 89cf096b9d3e4a4117291696934dc738843450f9 Mon Sep 17 00:00:00 2001
From: Alwin Berger
Date: Tue, 15 Mar 2022 16:47:00 +0100
Subject: [PATCH] add input_counter to system state
---
 fuzzers/wcet_qemu_sys/src/bin/fuzzer.rs | 11 +++++++++-
 fuzzers/wcet_qemu_sys/src/bin/showmap.rs | 11 +++++++++-
 fuzzers/wcet_qemu_sys/src/sysstate/helpers.rs | 20 ++++++++++++++++---
 fuzzers/wcet_qemu_sys/src/sysstate/mod.rs | 2 ++
 .../wcet_qemu_sys/src/sysstate/observers.rs | 1 +
 5 files changed, 40 insertions(+), 5 deletions(-)
diff --git a/fuzzers/wcet_qemu_sys/src/bin/fuzzer.rs b/fuzzers/wcet_qemu_sys/src/bin/fuzzer.rs
index 1a44424d69..75ccd07dc7 100644
--- a/fuzzers/wcet_qemu_sys/src/bin/fuzzer.rs
+++ b/fuzzers/wcet_qemu_sys/src/bin/fuzzer.rs
@@ -252,6 +252,11 @@ fn fuzz(
 .expect("Symbol FUZZ_LENGTH not found");
 let test_length_ptr = virt2phys(test_length_ptr,&elf.goblin());
 println!("FUZZ_LENGTH @ {:#x}", test_length_ptr);
+ let input_counter = elf
+ .resolve_symbol("FUZZ_POINTER", 0)
+ .expect("Symbol FUZZ_POINTER not found");
+ // let input_counter = virt2phys(input_counter,&elf.goblin());
+ println!("FUZZ_LENGTH @ {:#x}", test_length_ptr);
 let check_breakpoint = elf
 .resolve_symbol("trigger_Qemu_break", 0)
 .expect("Symbol trigger_Qemu_break not found");
@@ -423,7 +428,11 @@ fn fuzz(
 QemuCmpLogHelper::new(),
 //QemuAsanHelper::new(),
 QemuSysSnapshotHelper::new(),
- QemuSystemStateHelper::with_instrumentation_filter(system_state_filter,curr_tcb_pointer.try_into().unwrap(),task_queue_addr.try_into().unwrap())
+ QemuSystemStateHelper::with_instrumentation_filter(
+ system_state_filter,curr_tcb_pointer.try_into().unwrap(),
+ task_queue_addr.try_into().unwrap(),
+ input_counter.try_into().unwrap()
+ )
 ),
 tuple_list!(edges_observer, clock_observer,sysstate_observer),
 &mut fuzzer,
diff --git a/fuzzers/wcet_qemu_sys/src/bin/showmap.rs b/fuzzers/wcet_qemu_sys/src/bin/showmap.rs
index 4180be6eeb..ab30216796 100644
--- a/fuzzers/wcet_qemu_sys/src/bin/showmap.rs
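Review bot: The `println!` added after the `FUZZ_POINTER` lookup prints `FUZZ_LENGTH` and `test_length_ptr` a second time, so the resolved `input_counter` address is never shown; it should read `println!("FUZZ_POINTER @ {:#x}", input_counter);`. The `virt2phys` conversion for `input_counter` is left commented out while `test_length_ptr` directly above it is converted, and `helpers.rs` later hands this value straight to `emulator.read_mem`; if that call expects a guest-physical address like the other converted symbols, the read lands on the wrong address, so either restore the conversion or add a comment stating why the virtual address is correct here. The `@@ -234` hunk of `showmap.rs` repeats both issues verbatim. `fuzz` continues on both sides of this hunk.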
+++ b/fuzzers/wcet_qemu_sys/src/bin/showmap.rs
@@ -234,6 +234,11 @@ fn fuzz(
 .expect("Symbol FUZZ_LENGTH not found");
 let test_length_ptr = virt2phys(test_length_ptr,&elf.goblin());
 println!("FUZZ_LENGTH @ {:#x}", test_length_ptr);
+ let input_counter = elf
+ .resolve_symbol("FUZZ_POINTER", 0)
+ .expect("Symbol FUZZ_POINTER not found");
+ // let input_counter = virt2phys(input_counter,&elf.goblin());
+ println!("FUZZ_LENGTH @ {:#x}", test_length_ptr);
 let check_breakpoint = elf
 .resolve_symbol("trigger_Qemu_break", 0)
 .expect("Symbol trigger_Qemu_break not found");
@@ -348,7 +353,11 @@ fn fuzz(
 // QemuCmpLogHelper::new(),
 // QemuAsanHelper::new(),
 QemuSysSnapshotHelper::new(),
- QemuSystemStateHelper::with_instrumentation_filter(system_state_filter,curr_tcb_pointer.try_into().unwrap(),task_queue_addr.try_into().unwrap())
+ QemuSystemStateHelper::with_instrumentation_filter(
+ system_state_filter,curr_tcb_pointer.try_into().unwrap(),
+ task_queue_addr.try_into().unwrap(),
+ input_counter.try_into().unwrap()
+ )
 ),
 tuple_list!(edges_observer,clock_observer,QemuSysStateObserver::new()),
 &mut fuzzer,
diff --git a/fuzzers/wcet_qemu_sys/src/sysstate/helpers.rs b/fuzzers/wcet_qemu_sys/src/sysstate/helpers.rs
index 8513a778b3..ab84191108 100644
--- a/fuzzers/wcet_qemu_sys/src/sysstate/helpers.rs
+++ b/fuzzers/wcet_qemu_sys/src/sysstate/helpers.rs
@@ -24,21 +24,32 @@ pub struct QemuSystemStateHelper {
 filter: QemuInstrumentationFilter,
 tcb_addr: u32,
 ready_queues: u32,
+ input_counter: u32,
 }
 impl QemuSystemStateHelper {
 #[must_use]
- pub fn new(tcb_addr: u32, ready_queues: u32) -> Self {
+ pub fn new(
+ tcb_addr: u32,
+ ready_queues: u32,
+ input_counter: u32
+ ) -> Self {
 Self {
 filter: QemuInstrumentationFilter::None,
 tcb_addr: tcb_addr,
 ready_queues: ready_queues,
+ input_counter: input_counter,
 }
 }
 #[must_use]
- pub fn with_instrumentation_filter(filter: QemuInstrumentationFilter, tcb_addr: u32, ready_queues: u32) -> Self {
- Self { filter, tcb_addr, ready_queues}
+ pub fn with_instrumentation_filter(
+ filter: QemuInstrumentationFilter,
+ tcb_addr: u32,
+ ready_queues: u32,
+ input_counter: u32
+ ) -> Self {
+ Self { filter, tcb_addr, ready_queues, input_counter}
 }
 #[must_use]
@@ -82,6 +93,9 @@ where
 let listbytes : u32 = u32::try_from(std::mem::size_of::()).unwrap();
 let mut sysstate = FreeRTOSSystemStateRaw::default();
 sysstate.qemu_tick = emulator.get_ticks();
+ let mut buf : [u8; 4] = [0,0,0,0];
+ unsafe { emulator.read_mem(h.input_counter.into(), &mut buf) };
+ sysstate.input_counter = u32::from_le_bytes(buf);
 let curr_tcb_addr : freertos::void_ptr = freertos::emu_lookup::lookup(emulator, h.tcb_addr);
 sysstate.current_tcb = freertos::emu_lookup::lookup(emulator,curr_tcb_addr);
diff --git a/fuzzers/wcet_qemu_sys/src/sysstate/mod.rs b/fuzzers/wcet_qemu_sys/src/sysstate/mod.rs
index af2ca9b0ae..ea04918788 100644
--- a/fuzzers/wcet_qemu_sys/src/sysstate/mod.rs
+++ b/fuzzers/wcet_qemu_sys/src/sysstate/mod.rs
@@ -25,6 +25,7 @@ pub struct FreeRTOSSystemStateRaw {
 current_tcb: TCB_t,
 prio_ready_lists: [freertos::List_t; NUM_PRIOS],
 dumping_ground: HashMap,
+ input_counter: u32,
 }
 /// List of system state dumps from QemuHelpers
 static mut CURRENT_SYSSTATE_VEC: Vec = vec![];
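Review bot: The new `input_counter` parameter on `new` and `with_instrumentation_filter` carries no documentation, and neither constructor has a doc comment, so a caller cannot tell which address to pass or what is done with it. A `///` line on both constructors such as `/// `input_counter`: guest address of a 4-byte little-endian counter (the `FUZZ_POINTER` symbol in the fuzzer binaries), read via `read_mem` when the helper captures a system state.` would close that gap. As a style point, the new last parameter in each signature lacks a trailing comma, and `tcb_addr: tcb_addr` / `ready_queues: ready_queues` could use field-init shorthand as the `with_instrumentation_filter` body already does. The `impl` block continues past the hunk.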
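Review bot: The new `unsafe { emulator.read_mem(h.input_counter.into(), &mut buf) };` has no `// SAFETY:` comment stating what makes the raw guest read sound: that `buf` is exactly the 4 bytes requested and that `h.input_counter` is an address resolved from the ELF symbol table rather than anything derived from the fuzz input. Whether `read_mem` reports a failed read is not visible in the hunk; if it returns a status it should be checked instead of discarded, because a failed read leaves `buf` zeroed and silently records `input_counter = 0` as if the guest had reported it. Suggest `// SAFETY: buf is 4 bytes, matching the u32 at the symbol address; the address comes from the ELF, not from the input.` above the block, and `let mut buf = [0u8; 4];` in place of `[0,0,0,0]`. The enclosing function starts and ends outside the hunk.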
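Review bot: The new `input_counter` field on `FreeRTOSSystemStateRaw` has no doc comment, so a reader has to trace `helpers.rs` to learn it is a 4-byte little-endian value read from the guest at the helper's `input_counter` address right after `qemu_tick` is sampled; suggest `/// Guest input counter (u32, little-endian) read from the configured address at `qemu_tick`.` The struct is built through `FreeRTOSSystemStateRaw::default()` in `helpers.rs`; if `Default` is hand-written rather than derived (the impl is not in this diff), it needs the new field as well. The struct definition starts outside the hunk.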
@@ -86,6 +87,7 @@ impl MiniTCB {
 pub struct MiniFreeRTOSSystemState {
 start_tick: u64,
 end_tick: u64,
+ input_counter: u32,
 current_task: MiniTCB,
 ready_list_after: Vec,
 }
diff --git a/fuzzers/wcet_qemu_sys/src/sysstate/observers.rs b/fuzzers/wcet_qemu_sys/src/sysstate/observers.rs
index 8c5fdb12eb..76f762ed85 100644
--- a/fuzzers/wcet_qemu_sys/src/sysstate/observers.rs
+++ b/fuzzers/wcet_qemu_sys/src/sysstate/observers.rs
@@ -124,6 +124,7 @@ for mut i in input.drain(..) {
 start_tick: start_tick,
 end_tick: i.qemu_tick,
 ready_list_after: collector,
+ input_counter: i.input_counter,
 });
 start_tick=i.qemu_tick;
 }
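Review bot: `input_counter` on `MiniFreeRTOSSystemState` has no doc comment, and its meaning over the `start_tick`..`end_tick` interval is ambiguous; the `observers.rs` hunk copies it from the same dump `i` that supplies `end_tick: i.qemu_tick`, so it is the counter as seen at the end of the interval, not at its start. Suggest `/// Guest input counter as sampled at `end_tick` (the dump that closed this interval).` on the field, and placing it after `ready_list_after` so the declaration order matches the initializer in `observers.rs`. The loop around that initializer begins outside its hunk.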