ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-18 04:38:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

persistent qemu mode arm/arm64 && compcov arm64

Browse Source
This commit is contained in:
Andrea Fioraldi
2020-02-08 18:07:31 +01:00
parent 0403f008e3
commit 5fa4f47bae
6 changed files with 194 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
qemu_mode/build_qemu_support.sh
View File

@ -153,6 +153,7 @@ patch -p1 <../patches/translate-all.diff || exit 1
patch -p1 <../patches/tcg.diff || exit 1
patch -p1 <../patches/i386-translate.diff || exit 1
patch -p1 <../patches/arm-translate.diff || exit 1
patch -p1 <../patches/arm-translate-a64.diff || exit 1
patch -p1 <../patches/i386-ops_sse.diff || exit 1
patch -p1 <../patches/i386-fpu_helper.diff || exit 1
patch -p1 <../patches/softfloat.diff || exit 1

10
qemu_mode/patches/afl-qemu-common.h
View File

@ -39,10 +39,14 @@
#define PERSISTENT_DEFAULT_MAX_CNT 1000
#ifndef CPU_NB_REGS
#define AFL_REGS_NUM 1000
#else
#ifdef CPU_NB_REGS
#define AFL_REGS_NUM CPU_NB_REGS
#elif TARGET_ARM
#define AFL_REGS_NUM 32
#elif TARGET_AARCH64
#define AFL_REGS_NUM 32
#else
#define AFL_REGS_NUM 100
#endif
/* NeverZero */

83
qemu_mode/patches/afl-qemu-cpu-translate-inl.h
View File

@ -258,9 +258,7 @@ static void callback_to_persistent_hook(void) {
}
static void i386_restore_state_for_persistent(TCGv *cpu_regs) {
if (persistent_save_gpr) {
static void gpr_saving(TCGv *cpu_regs, int regs_num) {
int i;
TCGv_ptr gpr_sv;
@ -273,8 +271,8 @@ static void i386_restore_state_for_persistent(TCGv *cpu_regs) {
TCGLabel *lbl_restore_gpr = gen_new_label();
tcg_gen_brcond_tl(TCG_COND_NE, first_pass, one, lbl_restore_gpr);
// save GRP registers
for (i = 0; i < AFL_REGS_NUM; ++i) {
// save GPR registers
for (i = 0; i < regs_num; ++i) {
gpr_sv = tcg_const_ptr(&persistent_saved_gpr[i]);
tcg_gen_st_tl(cpu_regs[i], gpr_sv, 0);
@ -287,34 +285,45 @@ static void i386_restore_state_for_persistent(TCGv *cpu_regs) {
if (afl_persistent_hook_ptr) tcg_gen_afl_call0(callback_to_persistent_hook);
// restore GRP registers
for (i = 0; i < AFL_REGS_NUM; ++i) {
// restore GPR registers
for (i = 0; i < regs_num; ++i) {
gpr_sv = tcg_const_ptr(&persistent_saved_gpr[i]);
tcg_gen_ld_tl(cpu_regs[i], gpr_sv, 0);
}
tcg_temp_free_ptr(first_pass_ptr);
tcg_temp_free(first_pass);
tcg_temp_free(one);
}
static void restore_state_for_persistent(TCGv *cpu_regs, int regs_num, int sp) {
if (persistent_save_gpr) {
gpr_saving(cpu_regs, regs_num);
} else if (afl_persistent_ret_addr == 0) {
TCGv_ptr stack_off_ptr = tcg_const_ptr(&persistent_stack_offset);
TCGv stack_off = tcg_temp_new();
tcg_gen_ld_tl(stack_off, stack_off_ptr, 0);
tcg_gen_sub_tl(cpu_regs[R_ESP], cpu_regs[R_ESP], stack_off);
tcg_gen_sub_tl(cpu_regs[sp], cpu_regs[sp], stack_off);
tcg_temp_free(stack_off);
}
}
#define AFL_QEMU_TARGET_i386_SNIPPET \
#define AFL_QEMU_TARGET_I386_SNIPPET \
if (is_persistent) { \
\
if (s->pc == afl_persistent_addr) { \
\
i386_restore_state_for_persistent(cpu_regs); \
restore_state_for_persistent(cpu_regs, AFL_REGS_NUM, R_ESP); \
/*tcg_gen_afl_call0(log_x86_saved_gpr); \
tcg_gen_afl_call0(log_x86_sp_content);*/ \
\
@ -322,6 +331,7 @@ static void i386_restore_state_for_persistent(TCGv *cpu_regs) {
\
TCGv_ptr paddr = tcg_const_ptr(afl_persistent_addr); \
tcg_gen_st_tl(paddr, cpu_regs[R_ESP], persisent_retaddr_offset); \
tcg_temp_free_ptr(paddr); \
\
} \
\
@ -337,3 +347,56 @@ static void i386_restore_state_for_persistent(TCGv *cpu_regs) {
\
}
// SP = 13, LINK = 14
#define AFL_QEMU_TARGET_ARM_SNIPPET \
if (is_persistent) { \
\
if (dc->pc == afl_persistent_addr) { \
\
if (persistent_save_gpr) gpr_saving(cpu_R, AFL_REGS_NUM); \
\
if (afl_persistent_ret_addr == 0) { \
\
TCGv_ptr paddr = tcg_const_ptr(afl_persistent_addr); \
tcg_gen_mov_i32(cpu_R[14], paddr); \
tcg_temp_free_ptr(paddr); \
\
} \
\
if (!persistent_save_gpr) tcg_gen_afl_call0(&afl_persistent_loop); \
\
} else if (afl_persistent_ret_addr && dc->pc == afl_persistent_ret_addr) {\
\
gen_bx_im(dc, afl_persistent_addr); \
\
} \
\
}
// SP = 31, LINK = 30
#define AFL_QEMU_TARGET_ARM64_SNIPPET \
if (is_persistent) { \
\
if (s->pc == afl_persistent_addr) { \
\
if (persistent_save_gpr) gpr_saving(cpu_X, AFL_REGS_NUM); \
\
if (afl_persistent_ret_addr == 0) { \
\
TCGv_ptr paddr = tcg_const_ptr(afl_persistent_addr); \
tcg_gen_mov_i32(cpu_X[30], paddr); \
tcg_temp_free_ptr(paddr); \
\
} \
\
if (!persistent_save_gpr) tcg_gen_afl_call0(&afl_persistent_loop); \
\
} else if (afl_persistent_ret_addr && s->pc == afl_persistent_ret_addr) { \
\
gen_goto_tb(s, 0, afl_persistent_addr); \
\
} \
\
}

64
qemu_mode/patches/arm-translate-a64.diff Normal file
View File

@ -0,0 +1,64 @@
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index fd36425..992bf17 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -39,6 +39,8 @@
#include "translate-a64.h"
#include "qemu/atomic128.h"
+#include "../patches/afl-qemu-cpu-translate-inl.h"
+
static TCGv_i64 cpu_X[32];
static TCGv_i64 cpu_pc;
@@ -3365,6 +3367,12 @@ static void disas_add_sub_imm(DisasContext *s, uint32_t insn)
return;
}
+ if (rd == 31 && sub_op) { // cmp xX, imm
+ TCGv_i64 tcg_imm = tcg_const_i64(imm);
+ afl_gen_compcov(s->pc, tcg_rn, tcg_imm, is_64bit ? MO_64 : MO_32, 1);
+ tcg_temp_free_i64(tcg_imm);
+ }
+
tcg_result = tcg_temp_new_i64();
if (!setflags) {
if (sub_op) {
@@ -3972,6 +3980,9 @@ static void disas_add_sub_ext_reg(DisasContext *s, uint32_t insn)
tcg_rm = read_cpu_reg(s, rm, sf);
ext_and_shift_reg(tcg_rm, tcg_rm, option, imm3);
+
+ if (rd == 31 && sub_op) // cmp xX, xY
+ afl_gen_compcov(s->pc, tcg_rn, tcg_rm, sf ? MO_64 : MO_32, 0);
tcg_result = tcg_temp_new_i64();
@@ -4037,6 +4048,9 @@ static void disas_add_sub_reg(DisasContext *s, uint32_t insn)
shift_reg_imm(tcg_rm, tcg_rm, sf, shift_type, imm6);
+ if (rd == 31 && sub_op) // cmp xX, xY
+ afl_gen_compcov(s->pc, tcg_rn, tcg_rm, sf ? MO_64 : MO_32, 0);
+
tcg_result = tcg_temp_new_i64();
if (!setflags) {
@@ -4246,6 +4260,8 @@ static void disas_cc(DisasContext *s, uint32_t insn)
tcg_y = cpu_reg(s, y);
}
tcg_rn = cpu_reg(s, rn);
+
+ afl_gen_compcov(s->pc, tcg_rn, tcg_y, sf ? MO_64 : MO_32, is_imm);
/* Set the flags for the new comparison. */
tcg_tmp = tcg_temp_new_i64();
@@ -13317,6 +13333,8 @@ static void disas_data_proc_simd_fp(DisasContext *s, uint32_t insn)
static void disas_a64_insn(CPUARMState *env, DisasContext *s)
{
uint32_t insn;
+
+ AFL_QEMU_TARGET_ARM64_SNIPPET
insn = arm_ldl_code(env, s->pc, s->sctlr_b);
s->insn = insn;

20
qemu_mode/patches/arm-translate.diff
View File

@ -1,5 +1,5 @@
diff --git a/target/arm/translate.c b/target/arm/translate.c
index 7c4675ff..0f0928b6 100644
index 7c4675f..e3d999a 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -59,6 +59,8 @@
@ -132,3 +132,21 @@ index 7c4675ff..0f0928b6 100644
rd = 16;
break;
case 0xb: /* cmn */
@@ -13233,6 +13247,8 @@ static void arm_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
return;
}
+ AFL_QEMU_TARGET_ARM_SNIPPET
+
insn = arm_ldl_code(env, dc->pc, dc->sctlr_b);
dc->insn = insn;
dc->pc += 4;
@@ -13301,6 +13317,8 @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
return;
}
+ AFL_QEMU_TARGET_ARM_SNIPPET
+
insn = arm_lduw_code(env, dc->pc, dc->sctlr_b);
is_16bit = thumb_insn_is_16bit(dc, insn);
dc->pc += 2;

2
qemu_mode/patches/i386-translate.diff
View File

@ -35,7 +35,7 @@ index 0dd5fbe4..a23da128 100644
rex_w = -1;
rex_r = 0;
+ AFL_QEMU_TARGET_i386_SNIPPET
+ AFL_QEMU_TARGET_I386_SNIPPET
+
next_byte:
b = x86_ldub_code(env, s);