From d118eeacbdf8c559d342a13012da3613ecec4d8d Mon Sep 17 00:00:00 2001
From: Alwin Berger
Date: Mon, 13 Mar 2023 12:19:24 +0100
Subject: [PATCH] switch to native breakpoints
---
 fuzzers/FRET/src/fuzzer.rs | 11 ++++++-----
 fuzzers/FRET/src/systemstate/helpers.rs | 2 +-
 libafl_qemu/src/emu.rs | 3 +++
 3 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/fuzzers/FRET/src/fuzzer.rs b/fuzzers/FRET/src/fuzzer.rs
index b922ce804d..a375f08841 100644
--- a/fuzzers/FRET/src/fuzzer.rs
+++ b/fuzzers/FRET/src/fuzzer.rs
@@ -33,6 +33,7 @@ use libafl::{
 use libafl_qemu::{ edges, edges::QemuEdgeCoverageHelper, elf::EasyElf, emu::Emulator, GuestPhysAddr, QemuExecutor, QemuHooks, Regs, QemuInstrumentationFilter, GuestAddr,
+ emu::libafl_qemu_set_native_breakpoint, emu::libafl_qemu_remove_native_breakpoint,
 };
 use rand::{SeedableRng, StdRng, Rng};
 use crate::{
@@ -167,14 +168,14 @@ pub fn fuzz() {
 let emu = Emulator::new(&args, &env);
 if let Some(main_addr) = main_addr {
- emu.set_breakpoint(main_addr);
 unsafe {
+ libafl_qemu_set_native_breakpoint(main_addr);
 emu.run();
+ libafl_qemu_remove_native_breakpoint(main_addr);
 }
- emu.remove_breakpoint(main_addr);
 }
- emu.set_breakpoint(breakpoint); // BREAKPOINT
+ unsafe { libafl_qemu_set_native_breakpoint(breakpoint); }// BREAKPOINT
 // The wrapped harness function, calling out to the LLVM-style harness
 let mut harness = |input: &BytesInput| {
@@ -276,7 +277,7 @@ pub fn fuzz() {
 let mut state = state.unwrap_or_else(|| {
 StdState::new(
 // RNG
- StdRand::with_seed(RNG_SEED),
+ unsafe {StdRand::with_seed(RNG_SEED) },
 // Corpus that will be evolved, we keep it in memory for performance
 InMemoryCorpus::new(),
 // Corpus in which we store solutions (crashes in this example),
@@ -492,7 +493,7 @@ pub fn fuzz() {
 let emu = Emulator::new(&args, &env);
 if let Some(main_addr) = main_addr {
- emu.set_breakpoint(main_addr);
+ unsafe { libafl_qemu_set_native_breakpoint(main_addr); }// BREAKPOINT
 }
 unsafe {
 emu.run();
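Review bot: The new `unsafe { libafl_qemu_set_native_breakpoint(...) }` blocks in the hunks at -167 and -492, and the `libafl_qemu_remove_native_breakpoint(main_addr);` call placed inside the existing `unsafe { emu.run(); }` block, carry no `// SAFETY:` comment stating why the raw FFI call is sound here, which is exactly what distinguishes them from the safe `emu.set_breakpoint`/`emu.remove_breakpoint` methods they replace; a one-liner such as `// SAFETY: the emulator is constructed and stopped, and main_addr is a guest code address resolved from the ELF` above each block would do. The declarations added in emu.rs take `addr: u32` and return nothing, so unlike the `i32`-returning `libafl_qemu_set_breakpoint` a failed registration cannot be observed at these call sites, and `main_addr`/`breakpoint` only type-check if they are 32-bit here — if they are `GuestAddr`, this ties the fuzzer to 32-bit guests and deserves a comment. The breakpoint armed by `unsafe { libafl_qemu_set_native_breakpoint(breakpoint); }// BREAKPOINT` is never removed; that mirrors the old `emu.set_breakpoint(breakpoint)`, but the marker could say so, e.g. `// BREAKPOINT: stays armed for every harness run`. In the -276 hunk, `unsafe {StdRand::with_seed(RNG_SEED) }` wraps a call that is safe unless `RNG_SEED` is a `static mut` (not visible here); in the first case it warns as `unused_unsafe`, in the second it needs the same `// SAFETY:` note on why the read cannot race, and rustfmt would write `unsafe { StdRand::with_seed(RNG_SEED) }` either way. `fuzz()` begins and ends outside all of these hunks.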
diff --git a/fuzzers/FRET/src/systemstate/helpers.rs b/fuzzers/FRET/src/systemstate/helpers.rs
index 612aa0e297..a64f11c074 100644
--- a/fuzzers/FRET/src/systemstate/helpers.rs
+++ b/fuzzers/FRET/src/systemstate/helpers.rs
@@ -93,7 +93,7 @@ fn trigger_collection(emulator: &Emulator, h: &QemuSystemStateHelper) {
 let mut systemstate = RawFreeRTOSSystemState::default();
 unsafe {
 // TODO: investigate why can_do_io is not set sometimes, as this is just a workaround
- let c = emulator.current_cpu().unwrap();
+ let c = emulator.cpu_from_index(0);
 let can_do_io = (*c.raw_ptr()).can_do_io;
 (*c.raw_ptr()).can_do_io = 1;
 systemstate.qemu_tick = emu::icount_get_raw();
diff --git a/libafl_qemu/src/emu.rs b/libafl_qemu/src/emu.rs
index b62a5444e2..e1799aa422 100644
--- a/libafl_qemu/src/emu.rs
+++ b/libafl_qemu/src/emu.rs
@@ -314,6 +314,9 @@ extern "C" {
 fn libafl_qemu_set_breakpoint(addr: u64) -> i32;
 fn libafl_qemu_remove_breakpoint(addr: u64) -> i32;
+ pub fn libafl_qemu_set_native_breakpoint(addr: u32);
+ pub fn libafl_qemu_remove_native_breakpoint(addr: u32);
+ fn libafl_flush_jit();
 fn libafl_qemu_trigger_breakpoint(cpu: CPUStatePtr);
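Review bot: `let c = emulator.cpu_from_index(0);` hard-codes vCPU 0 in place of whatever `current_cpu()` returned, and nothing on the line records why index 0 is always the right CPU or why `current_cpu()` was unsuitable; the adjacent TODO only covers `can_do_io`. A comment such as `// single-core guest: vCPU 0 is the only CPU, so it is read directly instead of via current_cpu()` (assuming that is the reason) would pin the assumption for the next reader, since the raw-pointer accesses `(*c.raw_ptr()).can_do_io` that follow now rest on it. If `cpu_from_index` can return an invalid handle for an out-of-range index, that failure path is no longer visible the way the removed `.unwrap()` made it, which is worth stating too. `trigger_collection` continues past the end of the hunk.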
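Review bot: `pub fn libafl_qemu_set_native_breakpoint(addr: u32);` and its remove counterpart declare the address as `u32` while the neighbouring `libafl_qemu_set_breakpoint(addr: u64) -> i32` uses `u64` and returns a status, so two breakpoint APIs in the same `extern "C"` block now disagree on both address width and error reporting; if the C side uses a target-dependent address type, `u32` is only right for 32-bit guests and should either become `GuestAddr` or carry a comment stating that assumption. Making the raw externs `pub` also pushes the `unsafe` call and its invariant onto every caller (the fuzzer hunks in this commit show that), whereas the existing `set_breakpoint`/`remove_breakpoint` are reached through `Emulator` methods; a matching pair of wrappers on `Emulator` with a short `///` doc line and a `// SAFETY:` note would keep the FFI contract in one place. The enclosing `extern "C"` block starts before the hunk.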