From e31c01b2af6dc15d4ddd010382f8a61bf6a6c252 Mon Sep 17 00:00:00 2001
From: Alwin Berger
Date: Wed, 13 Sep 2023 13:15:21 +0200
Subject: [PATCH] capture delay list

---
 fuzzers/FRET/src/fuzzer.rs | 7 ++-
 fuzzers/FRET/src/systemstate/helpers.rs | 67 +++++++++++++++----------
 fuzzers/FRET/src/systemstate/mod.rs | 1 +
 3 files changed, 47 insertions(+), 28 deletions(-)

diff --git a/fuzzers/FRET/src/fuzzer.rs b/fuzzers/FRET/src/fuzzer.rs
index 4da2729888..1f7cfc1aae 100644
--- a/fuzzers/FRET/src/fuzzer.rs
+++ b/fuzzers/FRET/src/fuzzer.rs
@@ -127,6 +127,9 @@ pub fn fuzz() {
     let task_queue_addr = elf
         .resolve_symbol("pxReadyTasksLists", 0)
         .expect("Symbol pxReadyTasksLists not found");
+    let task_delay_addr = elf
+        .resolve_symbol("pxDelayedTaskList", 0)
+        .expect("Symbol pxDelayedTaskList not found");
     // let task_queue_addr = virt2phys(task_queue_addr,&elf.goblin());
     #[cfg(feature = "systemstate")]
     println!("Task Queue at {:#x}", task_queue_addr);
@@ -342,7 +345,7 @@ pub fn fuzz() {
     let qhelpers = tuple_list!(
         QemuEdgeCoverageHelper::default(),
         QemuStateRestoreHelper::new(),
-        QemuSystemStateHelper::new(svh,curr_tcb_pointer,task_queue_addr,input_counter_ptr,app_range.clone())
+        QemuSystemStateHelper::new(svh,curr_tcb_pointer,task_queue_addr,task_delay_addr,input_counter_ptr,app_range.clone())
     );
     let mut hooks = QemuHooks::new(&emu,qhelpers);
@@ -615,7 +618,7 @@ pub fn fuzz() {
     {
         let mut gd = String::from(&td);
         gd.push_str(".graph");
-        if let Some(md) = state.named_metadata_mut().get_mut::("SysMap") {
+        if let Ok(md) = state.metadata_mut::() {
             fs::write(&gd,ron::to_string(&md).expect("Failed to serialize graph")).expect("Failed to write graph");
         }
     }
diff --git a/fuzzers/FRET/src/systemstate/helpers.rs b/fuzzers/FRET/src/systemstate/helpers.rs
index b67fde61db..c662018a4b 100644
--- a/fuzzers/FRET/src/systemstate/helpers.rs
+++ b/fuzzers/FRET/src/systemstate/helpers.rs
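Review bot: The third fuzzer.rs hunk replaces the named-metadata lookup of "SysMap" with a typed `state.metadata_mut()` lookup, which is unrelated to the delay list the subject announces and changes where the graph is read from; if the "SysMap" entry is still what other code writes, the `.graph` file silently stops being produced, because a miss on `Ok` (as on `Some` before) is ignored rather than reported. Either split the metadata migration into its own commit or name it in the message, and consider making the miss visible, e.g. `else { println!("SysMap metadata not found, skipping graph dump"); }`. The generic type arguments are stripped in this rendering, so the exact metadata type could not be checked. The enclosing `fuzz` function starts and ends outside all three hunks.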
@@ -38,6 +38,7 @@ pub struct QemuSystemStateHelper {
     kerneladdr: u32,
     tcb_addr: u32,
     ready_queues: u32,
+    delay_queue: u32,
     input_counter: Option,
     app_range: Range,
 }
@@ -48,6 +49,7 @@ impl QemuSystemStateHelper {
         kerneladdr: u32,
         tcb_addr: u32,
         ready_queues: u32,
+        delay_queue: u32,
         input_counter: Option,
         app_range: Range,
     ) -> Self {
@@ -55,6 +57,7 @@ impl QemuSystemStateHelper {
             kerneladdr,
             tcb_addr: tcb_addr,
             ready_queues: ready_queues,
+            delay_queue,
             input_counter: input_counter,
             app_range,
         }
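Review bot: The new `delay_queue` field in `QemuSystemStateHelper` is undocumented and does not hold the same kind of address as its neighbour `ready_queues`: fuzzer.rs passes the address of the `pxDelayedTaskList` symbol, which `trigger_collection` dereferences once before reading the list, whereas `ready_queues` is the address of the list array itself. A one-line comment prevents the next caller from passing a list address here: `/// Guest address of the pxDelayedTaskList pointer variable, not of the list itself; trigger_collection dereferences it before the list is read.`. In the third hunk the shorthand `delay_queue,` sits between the explicit `tcb_addr: tcb_addr,` and `input_counter: input_counter,` initialisers; one form for the whole literal reads better. The struct and the impl block continue outside these hunks.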
@@ -88,6 +91,37 @@ where
     }
 }
+fn read_freertos_list(systemstate : &mut RawFreeRTOSSystemState, emulator: &Emulator, target: u32) -> freertos::List_t {
+    let read : freertos::List_t = freertos::emu_lookup::lookup(emulator, target);
+    let listbytes : u32 = u32::try_from(std::mem::size_of::()).unwrap();
+
+    let mut next_index = read.pxIndex;
+    for _j in 0..read.uxNumberOfItems {
+        // always jump over the xListEnd marker
+        if (target..target+listbytes).contains(&next_index) {
+            let next_item : freertos::MiniListItem_t = freertos::emu_lookup::lookup(emulator, next_index);
+            let new_next_index=next_item.pxNext;
+            systemstate.dumping_ground.insert(next_index,List_MiniItem_struct(next_item));
+            next_index = new_next_index;
+        }
+        let next_item : freertos::ListItem_t = freertos::emu_lookup::lookup(emulator, next_index);
+        // println!("Item at {}: {:?}",next_index,next_item);
+        assert_eq!(next_item.pvContainer,target);
+        let new_next_index=next_item.pxNext;
+        let next_tcb : TCB_t= freertos::emu_lookup::lookup(emulator,next_item.pvOwner);
+        // println!("TCB at {}: {:?}",next_item.pvOwner,next_tcb);
+        systemstate.dumping_ground.insert(next_item.pvOwner,TCB_struct(next_tcb.clone()));
+        systemstate.dumping_ground.insert(next_index,List_Item_struct(next_item));
+        next_index=new_next_index;
+    }
+    // Handle edge case where the end marker was not included yet
+    if (target..target+listbytes).contains(&next_index) {
+        let next_item : freertos::MiniListItem_t = freertos::emu_lookup::lookup(emulator, next_index);
+        systemstate.dumping_ground.insert(next_index,List_MiniItem_struct(next_item));
+    }
+    return read;
+}
+
 #[inline]
 fn trigger_collection(emulator: &Emulator, h: &QemuSystemStateHelper) {
     let listbytes : u32 = u32::try_from(std::mem::size_of::()).unwrap();
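Review bot: `read_freertos_list` walks guest memory that the fuzz input influences, yet `assert_eq!(next_item.pvContainer,target)` turns a corrupted or half-updated list into a panic of the fuzzer process, and `read.uxNumberOfItems` from that same memory is the loop bound, so a garbage count means as many guest lookups as the field's width allows; both were inherited from the inlined loop but now also run over the delay list. Replacing the assert with `if next_item.pvContainer != target { break; }` (optionally logging the address) keeps the snapshot partial instead of aborting the campaign, and capping the loop bound with a per-target maximum task count (no suitable constant is visible here) bounds the walk. The function has no doc comment; a short `///` saying that it reads the `List_t` at `target`, follows its items while skipping the `xListEnd` mini-item, and records every item and owning TCB into `systemstate.dumping_ground` would make the shared helper self-explaining. Minor style: the tail `return read;` can be the bare expression `read`, and `next_tcb.clone()` clones a value that is not used afterwards, so `TCB_struct(next_tcb)` suffices.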
@@ -124,35 +158,16 @@ fn trigger_collection(emulator: &Emulator, h: &QemuSystemStateHelper) {
         );
     }
     // println!("{:?}",std::str::from_utf8(¤t_tcb.pcTaskName));
+
+    // Extract delay list
+    let mut target : u32 = h.delay_queue;
+    target = freertos::emu_lookup::lookup(emulator, target);
+    systemstate.delay_list = read_freertos_list(&mut systemstate, emulator, target);
+
     // Extract priority lists
     for i in 0..NUM_PRIOS {
         let target : u32 = listbytes*u32::try_from(i).unwrap()+h.ready_queues;
-        systemstate.prio_ready_lists[i] = freertos::emu_lookup::lookup(emulator, target);
-        // println!("List at {}: {:?}",target, systemstate.prio_ready_lists[i]);
-        let mut next_index = systemstate.prio_ready_lists[i].pxIndex;
-        for _j in 0..systemstate.prio_ready_lists[i].uxNumberOfItems {
-            // always jump over the xListEnd marker
-            if (target..target+listbytes).contains(&next_index) {
-                let next_item : freertos::MiniListItem_t = freertos::emu_lookup::lookup(emulator, next_index);
-                let new_next_index=next_item.pxNext;
-                systemstate.dumping_ground.insert(next_index,List_MiniItem_struct(next_item));
-                next_index = new_next_index;
-            }
-            let next_item : freertos::ListItem_t = freertos::emu_lookup::lookup(emulator, next_index);
-            // println!("Item at {}: {:?}",next_index,next_item);
-            assert_eq!(next_item.pvContainer,target);
-            let new_next_index=next_item.pxNext;
-            let next_tcb : TCB_t= freertos::emu_lookup::lookup(emulator,next_item.pvOwner);
-            // println!("TCB at {}: {:?}",next_item.pvOwner,next_tcb);
-            systemstate.dumping_ground.insert(next_item.pvOwner,TCB_struct(next_tcb.clone()));
-            systemstate.dumping_ground.insert(next_index,List_Item_struct(next_item));
-            next_index=new_next_index;
-        }
-        // Handle edge case where the end marker was not included yet
-        if (target..target+listbytes).contains(&next_index) {
-            let next_item : freertos::MiniListItem_t = freertos::emu_lookup::lookup(emulator, next_index);
-            systemstate.dumping_ground.insert(next_index,List_MiniItem_struct(next_item));
-        }
+        systemstate.prio_ready_lists[i] = read_freertos_list(&mut systemstate, emulator, target);
     }
     unsafe { CURRENT_SYSTEMSTATE_VEC.push(systemstate); }
diff --git a/fuzzers/FRET/src/systemstate/mod.rs b/fuzzers/FRET/src/systemstate/mod.rs
index 59d4833976..7ea65715bc 100644
--- a/fuzzers/FRET/src/systemstate/mod.rs
+++ b/fuzzers/FRET/src/systemstate/mod.rs
@@ -32,6 +32,7 @@ pub struct RawFreeRTOSSystemState {
     qemu_tick: u64,
     current_tcb: TCB_t,
     prio_ready_lists: [freertos::List_t; NUM_PRIOS],
+    delay_list: freertos::List_t,
     dumping_ground: HashMap,
     input_counter: u32,
     last_pc: Option,
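Review bot: `let mut target : u32 = h.delay_queue; target = freertos::emu_lookup::lookup(emulator, target);` reassigns immediately and can be the single binding `let target : u32 = freertos::emu_lookup::lookup(emulator, h.delay_queue);`, which also makes the extra indirection obvious to the reader: unlike `ready_queues`, this field is the address of a pointer. That pointer is read without a zero check; in FreeRTOS it is assigned when the task lists are initialised, so a snapshot taken before that presumably hands address 0 to `read_freertos_list` and trips its container assertion — confirm whether the hook can fire that early and, if so, `return` before the call when the pointer is 0. Stock FreeRTOS also keeps `pxOverflowDelayedTaskList` for tasks whose wake time wrapped the tick counter; those tasks will be missing from `delay_list`, which deserves a note on the `// Extract delay list` line if the omission is intentional. `trigger_collection` starts before this hunk.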