From d179343a632802ef4c0029ea86a131e0053340e1 Mon Sep 17 00:00:00 2001
From: Alwin Berger
Date: Mon, 2 Oct 2023 15:35:18 +0200
Subject: [PATCH] add delay list overflow

---
 fuzzers/FRET/src/fuzzer.rs | 5 ++++-
 fuzzers/FRET/src/systemstate/graph.rs | 4 ++++
 fuzzers/FRET/src/systemstate/helpers.rs | 8 ++++++++
 fuzzers/FRET/src/systemstate/observers.rs | 2 ++
 4 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/fuzzers/FRET/src/fuzzer.rs b/fuzzers/FRET/src/fuzzer.rs
index ae4f501dd6..02b150a17d 100644
--- a/fuzzers/FRET/src/fuzzer.rs
+++ b/fuzzers/FRET/src/fuzzer.rs
@@ -130,6 +130,9 @@ pub fn fuzz() {
 let task_delay_addr = elf
 .resolve_symbol("pxDelayedTaskList", 0)
 .expect("Symbol pxDelayedTaskList not found");
+ let task_delay_overflow_addr = elf
+ .resolve_symbol("pxOverflowDelayedTaskList", 0)
+ .expect("Symbol pxOverflowDelayedTaskList not found");
 // let task_queue_addr = virt2phys(task_queue_addr,&elf.goblin());
 #[cfg(feature = "systemstate")]
 println!("Task Queue at {:#x}", task_queue_addr);
@@ -345,7 +348,7 @@ pub fn fuzz() {
 let qhelpers = tuple_list!(
 QemuEdgeCoverageHelper::default(),
 QemuStateRestoreHelper::new(),
- QemuSystemStateHelper::new(svh,curr_tcb_pointer,task_queue_addr,task_delay_addr,input_counter_ptr,app_range.clone())
+ QemuSystemStateHelper::new(svh,curr_tcb_pointer,task_queue_addr,task_delay_addr,task_delay_overflow_addr,input_counter_ptr,app_range.clone())
 );
 let mut hooks = QemuHooks::new(&emu,qhelpers);
diff --git a/fuzzers/FRET/src/systemstate/graph.rs b/fuzzers/FRET/src/systemstate/graph.rs
index 81a628918e..64c28599d9 100644
--- a/fuzzers/FRET/src/systemstate/graph.rs
+++ b/fuzzers/FRET/src/systemstate/graph.rs
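Review bot: The `QemuSystemStateHelper::new` call on the `+` line now passes five adjacent guest addresses positionally (`task_queue_addr`, `task_delay_addr`, `task_delay_overflow_addr`, …), all of the same type, so a transposed `task_delay_addr`/`task_delay_overflow_addr` would compile and silently sample the wrong list; this call site is the only place the new order is enforced. A small struct of named address fields, or at least a comment on the constructor spelling out the parameter order, would make such a mix-up visible at review time. The symbol lookup in the preceding hunk mirrors the existing `pxDelayedTaskList` pattern and is consistent with it. `fuzz` starts and ends outside both hunks.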
@@ -114,6 +114,10 @@ impl SysGraphNode {
 let mut ret = String::new();
 ret.push_str(&format!("{}#{}",&self.base.current_task.0.task_name,&self.base.current_task.1));
 ret.push_str("\nRl:");
+ for i in &self.base.ready_list_after {
+ ret.push_str(&format!("\n{}#{}",i.0.task_name,i.1));
+ }
+ ret.push_str("\nDl:");
 for i in &self.base.delay_list_after {
 ret.push_str(&format!("\n{}#{}",i.0.task_name,i.1));
 }
diff --git a/fuzzers/FRET/src/systemstate/helpers.rs b/fuzzers/FRET/src/systemstate/helpers.rs
index c662018a4b..3766ff320c 100644
--- a/fuzzers/FRET/src/systemstate/helpers.rs
+++ b/fuzzers/FRET/src/systemstate/helpers.rs
@@ -39,6 +39,7 @@ pub struct QemuSystemStateHelper {
 tcb_addr: u32,
 ready_queues: u32,
 delay_queue: u32,
+ delay_queue_overflow: u32,
 input_counter: Option,
 app_range: Range,
 }
@@ -50,6 +51,7 @@ impl QemuSystemStateHelper {
 tcb_addr: u32,
 ready_queues: u32,
 delay_queue: u32,
+ delay_queue_overflow: u32,
 input_counter: Option,
 app_range: Range,
 ) -> Self {
@@ -58,6 +60,7 @@ impl QemuSystemStateHelper {
 tcb_addr: tcb_addr,
 ready_queues: ready_queues,
 delay_queue,
+ delay_queue_overflow,
 input_counter: input_counter,
 app_range,
 }
@@ -164,6 +167,11 @@ fn trigger_collection(emulator: &Emulator, h: &QemuSystemStateHelper) {
 target = freertos::emu_lookup::lookup(emulator, target);
 systemstate.delay_list = read_freertos_list(&mut systemstate, emulator, target);
+ // Extract delay list overflow
+ let mut target : u32 = h.delay_queue_overflow;
+ target = freertos::emu_lookup::lookup(emulator, target);
+ systemstate.delay_list_overflow = read_freertos_list(&mut systemstate, emulator, target);
+ // Extract priority lists
 for i in 0..NUM_PRIOS {
 let target : u32 = listbytes*u32::try_from(i).unwrap()+h.ready_queues;
diff --git a/fuzzers/FRET/src/systemstate/observers.rs b/fuzzers/FRET/src/systemstate/observers.rs
index 5382a057be..351d4ec9c0 100644
--- a/fuzzers/FRET/src/systemstate/observers.rs
+++ b/fuzzers/FRET/src/systemstate/observers.rs
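Review bot: The new `ready_list_after` loop is a verbatim copy of the `delay_list_after` loop right below it, and both allocate a temporary `String` per entry through `ret.push_str(&format!(...))`; `write!(ret, "\n{}#{}", i.0.task_name, i.1)` (with `use std::fmt::Write` in scope) appends without the intermediate allocation, or a small private helper taking a label and the slice could render both sections. Also worth confirming with whoever consumes this string: before this change the delay list was printed under the `Rl:` label, and it now moves under the new `Dl:` label, so anything that parses the node label by prefix sees a changed format. The enclosing `SysGraphNode` method starts and ends outside the hunk.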
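Review bot: The new `delay_queue_overflow` field on `QemuSystemStateHelper` carries no doc comment, and nothing at the declaration ties it to the symbol it is expected to hold; a one-liner such as `/// Guest address of the FreeRTOS `pxOverflowDelayedTaskList` pointer, resolved from the ELF in fuzzer.rs.` would do. The same addition appears in the constructor signature and initializer in the next two hunks, which are fine as written (the initializer uses field-init shorthand, consistent with `delay_queue`). The struct definition and `impl` block both continue outside these hunks.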
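Review bot: The added lines in `trigger_collection` copy the `let mut target : u32 = …; target = lookup(…)` pattern, declaring a mutable binding only to overwrite it on the next line while shadowing the `target` already in scope; a single `let target = freertos::emu_lookup::lookup(emulator, h.delay_queue_overflow);` expresses the same thing without the mutation. More importantly, this appears to fetch a list head pointer out of guest memory and hand it straight to `read_freertos_list`: whether `emu_lookup::lookup` or `read_freertos_list` checks the resolved address against `app_range` before dereferencing it is not visible here, and a guest that has just corrupted itself (the expected situation under fuzzing) can leave `pxOverflowDelayedTaskList` pointing anywhere, so it is worth confirming that an out-of-range value is rejected rather than read. The trailing `+ // Extract priority lists` line is likely an added blank line followed by the pre-existing comment, given the hunk counts, but that cannot be verified from the collapsed text. `trigger_collection` continues outside the hunk on both sides.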
@@ -125,6 +125,8 @@ fn refine_system_states(input: &mut Vec) -> Vec = tcb_list_to_vec_cached(i.delay_list, &mut i.dumping_ground).iter().map(|x| RefinedTCB::from_tcb(x)).collect();
+ let mut delay_list_overflow : Vec:: = tcb_list_to_vec_cached(i.delay_list_overflow, &mut i.dumping_ground).iter().map(|x| RefinedTCB::from_tcb(x)).collect();
+ delay_list.append(&mut delay_list_overflow);
 delay_list.sort_by(|a,b| a.task_name.cmp(&b.task_name));
 // keep counts for all tasks
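Review bot: The overflow entries are first collected into a temporary `delay_list_overflow` vector and then moved into `delay_list` with `append`, which is one allocation more than needed; `delay_list.extend(tcb_list_to_vec_cached(i.delay_list_overflow, &mut i.dumping_ground).iter().map(|x| RefinedTCB::from_tcb(x)));` does the merge in place, and the closure can probably become `RefinedTCB::from_tcb` if its parameter type matches the iterator item (not visible here). Merging before the `sort_by` on `task_name` is the right order, so the refined list stays deterministic regardless of which FreeRTOS list a task sat in; if flattening the two lists is deliberate, a short comment such as `// the overflow list is intentionally merged into delay_list before sorting` would record that decision for the next reader. Note that the hunk as rendered has lost its angle-bracket type parameters (`Vec:: =` and the signature), so the declarations should be read as their original `Vec::<…>` forms. `refine_system_states` starts and ends outside the hunk.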