add delay list overflow

fuzzers/FRET/src/fuzzer.rs

@@ -130,6 +130,9 @@ pub fn fuzz() {
     let task_delay_addr = elf
         .resolve_symbol("pxDelayedTaskList", 0)
         .expect("Symbol pxDelayedTaskList not found");
+    let task_delay_overflow_addr = elf
+        .resolve_symbol("pxOverflowDelayedTaskList", 0)
+        .expect("Symbol pxOverflowDelayedTaskList not found");
     // let task_queue_addr = virt2phys(task_queue_addr,&elf.goblin());
     #[cfg(feature = "systemstate")]
     println!("Task Queue at {:#x}", task_queue_addr);
@@ -345,7 +348,7 @@ pub fn fuzz() {
         let qhelpers = tuple_list!(
                 QemuEdgeCoverageHelper::default(),
                 QemuStateRestoreHelper::new(),
-                QemuSystemStateHelper::new(svh,curr_tcb_pointer,task_queue_addr,task_delay_addr,input_counter_ptr,app_range.clone())
+                QemuSystemStateHelper::new(svh,curr_tcb_pointer,task_queue_addr,task_delay_addr,task_delay_overflow_addr,input_counter_ptr,app_range.clone())
             );
         let mut hooks = QemuHooks::new(&emu,qhelpers);
 

fuzzers/FRET/src/systemstate/graph.rs

@@ -114,6 +114,10 @@ impl SysGraphNode {
         let mut ret = String::new();
         ret.push_str(&format!("{}#{}",&self.base.current_task.0.task_name,&self.base.current_task.1));
         ret.push_str("\nRl:");
+        for i in &self.base.ready_list_after {
+            ret.push_str(&format!("\n{}#{}",i.0.task_name,i.1));
+        }
+        ret.push_str("\nDl:");
         for i in &self.base.delay_list_after {
             ret.push_str(&format!("\n{}#{}",i.0.task_name,i.1));
         }

fuzzers/FRET/src/systemstate/helpers.rs

@@ -39,6 +39,7 @@ pub struct QemuSystemStateHelper {
     tcb_addr: u32,
     ready_queues: u32,
     delay_queue: u32,
+    delay_queue_overflow: u32,
     input_counter: Option<u64>,
     app_range: Range<u32>,
 }
@@ -50,6 +51,7 @@ impl QemuSystemStateHelper {
         tcb_addr: u32,
         ready_queues: u32,
         delay_queue: u32,
+        delay_queue_overflow: u32,
         input_counter: Option<u64>,
         app_range: Range<u32>,
     ) -> Self {
@@ -58,6 +60,7 @@ impl QemuSystemStateHelper {
             tcb_addr: tcb_addr,
             ready_queues: ready_queues,
             delay_queue,
+            delay_queue_overflow,
             input_counter: input_counter,
             app_range,
         }
@@ -164,6 +167,11 @@ fn trigger_collection(emulator: &Emulator, h: &QemuSystemStateHelper) {
     target = freertos::emu_lookup::lookup(emulator, target);
     systemstate.delay_list = read_freertos_list(&mut systemstate, emulator, target);
 
+    // Extract delay list overflow
+    let mut target : u32 = h.delay_queue_overflow;
+    target = freertos::emu_lookup::lookup(emulator, target);
+    systemstate.delay_list_overflow = read_freertos_list(&mut systemstate, emulator, target);
+
     // Extract priority lists
     for i in 0..NUM_PRIOS {
         let target : u32 = listbytes*u32::try_from(i).unwrap()+h.ready_queues;

fuzzers/FRET/src/systemstate/observers.rs

@@ -125,6 +125,8 @@ fn refine_system_states(input: &mut Vec<RawFreeRTOSSystemState>) -> Vec<RefinedF
         }
         // collect delay list
         let mut delay_list : Vec::<RefinedTCB> = tcb_list_to_vec_cached(i.delay_list, &mut i.dumping_ground).iter().map(|x| RefinedTCB::from_tcb(x)).collect();
+        let mut delay_list_overflow : Vec::<RefinedTCB> = tcb_list_to_vec_cached(i.delay_list_overflow, &mut i.dumping_ground).iter().map(|x| RefinedTCB::from_tcb(x)).collect();
+        delay_list.append(&mut delay_list_overflow);
         delay_list.sort_by(|a,b| a.task_name.cmp(&b.task_name));
 
         // keep counts for all tasks