fix build

libafl/src/stages/mutational.rs

@@ -146,7 +146,7 @@ where
             // Time is measured directly the `evaluate_input` function
             let (untransformed, post) = input.try_transform_into(state)?;
             let (_, corpus_id) = fuzzer.evaluate_input(state, executor, manager, untransformed)?;
-            if corpus_idx.is_some() { unsafe {MUTATION_STAGE_SUCCESS += 1;}} // count successful mutations
+            if corpus_id.is_some() { unsafe {MUTATION_STAGE_SUCCESS += 1;}} // count successful mutations
 
             start_timer!(state);
             self.mutator_mut().post_exec(state, corpus_id)?;

libafl_qemu/libafl_qemu_build/src/bindings.rs

@@ -88,6 +88,7 @@ const WRAPPER_HEADER: &str = r#"
 #include "libafl/exit.h"
 #include "libafl/jit.h"
 #include "libafl/utils.h"
+#include "libafl/interrupt_injection.h"
 
 #include "libafl/hook.h"
 
@@ -97,6 +98,7 @@ const WRAPPER_HEADER: &str = r#"
 #include "libafl/hooks/tcg/edge.h"
 #include "libafl/hooks/tcg/instruction.h"
 #include "libafl/hooks/tcg/read_write.h"
+#include "libafl/hooks/tcg/jmp.h"
 #include "libafl/hooks/cpu_run.h"
 #include "libafl/hooks/thread.h"
 

libafl_qemu/libafl_qemu_sys/src/systemmode.rs

@@ -1,19 +0,0 @@
-use paste::paste;
-
-use crate::{extern_c_checked, CPUStatePtr, GuestPhysAddr};
-
-extern_c_checked! {
-    pub fn qemu_init(argc: i32, argv: *const *const u8, envp: *const *const u8);
-
-    pub fn vm_start();
-    pub fn qemu_main_loop();
-    pub fn qemu_cleanup();
-
-    pub fn libafl_save_qemu_snapshot(name: *const u8, sync: bool);
-    pub fn libafl_load_qemu_snapshot(name: *const u8, sync: bool);
-
-    pub fn libafl_qemu_current_paging_id(cpu: CPUStatePtr) -> GuestPhysAddr;
-
-    pub fn icount_get_raw() -> u64;
-    pub fn libafl_start_int_timer();
-}

libafl_qemu/src/emu/hooks.rs

@@ -29,15 +29,16 @@ use crate::{
         read_1_exec_hook_wrapper, read_2_exec_hook_wrapper, read_3_exec_hook_wrapper,
         read_4_exec_hook_wrapper, read_gen_hook_wrapper, write_0_exec_hook_wrapper,
         write_1_exec_hook_wrapper, write_2_exec_hook_wrapper, write_3_exec_hook_wrapper,
-        write_4_exec_hook_wrapper, write_gen_hook_wrapper, BackdoorHook, BackdoorHookClosure,
+        write_4_exec_hook_wrapper, write_gen_hook_wrapper, jmp_0_exec_hook_wrapper, BackdoorHook, BackdoorHookClosure,
         BackdoorHookFn, BackdoorHookId, BlockExecHook, BlockGenHook, BlockHookId, BlockPostGenHook,
         CmpExecHook, CmpGenHook, CmpHookId, EdgeExecHook, EdgeGenHook, EdgeHookId, Hook, HookRepr,
         InstructionHook, InstructionHookClosure, InstructionHookFn, InstructionHookId,
         NewThreadHook, NewThreadHookClosure, NewThreadHookId, QemuHooks, ReadExecHook,
         ReadExecNHook, ReadGenHook, ReadHookId, TcgHookState, WriteExecHook, WriteExecNHook,
-        WriteGenHook, WriteHookId,
+        WriteGenHook, WriteHookId, JmpHookId,
     },
     CpuPostRunHook, CpuPreRunHook, CpuRunHookId, HookState, MemAccessInfo, Qemu,
+    jmp_gen_hook_wrapper
 };
 
 macro_rules! get_raw_hook {
@@ -121,6 +122,7 @@ where
     read_hooks: Vec<Pin<Box<TcgHookState<5, ReadHookId>>>>,
     write_hooks: Vec<Pin<Box<TcgHookState<5, WriteHookId>>>>,
     cmp_hooks: Vec<Pin<Box<TcgHookState<4, CmpHookId>>>>,
+    jmp_hooks: Vec<Pin<Box<TcgHookState<1, JmpHookId>>>>,
 
     cpu_run_hooks: Vec<Pin<Box<HookState<CpuRunHookId>>>>,
 
@@ -154,6 +156,7 @@ where
             read_hooks: Vec::new(),
             write_hooks: Vec::new(),
             cmp_hooks: Vec::new(),
+            jmp_hooks: Vec::new(),
 
             cpu_run_hooks: Vec::new(),
 
@@ -761,7 +764,7 @@ where
     }
 
     pub fn jmps(
-        &self,
+        &mut self,
         generation_hook: Hook<
             fn(&mut Self, Option<&mut S>, src: GuestAddr, dest: GuestAddr) -> Option<u64>,
             Box<
@@ -783,32 +786,44 @@ where
         unsafe {
             let gen = get_raw_hook!(
                 generation_hook,
-                jmp_gen_hook_wrapper::<QT, S>,
+                jmp_gen_hook_wrapper::<ET, S>,
-                unsafe extern "C" fn(&mut HookState<1, JmpHookId>, src: GuestAddr, dest: GuestAddr) -> u64
+                unsafe extern "C" fn(&mut TcgHookState<1, JmpHookId>, src: GuestAddr, dest: GuestAddr) -> u64
             );
             let exec = get_raw_hook!(
                 execution_hook,
-                jmp_0_exec_hook_wrapper::<QT, S>,
+                jmp_0_exec_hook_wrapper::<ET, S>,
-                unsafe extern "C" fn(&mut HookState<1, JmpHookId>, src: GuestAddr, dest: GuestAddr, id: u64)
+                unsafe extern "C" fn(&mut TcgHookState<1, JmpHookId>, src: GuestAddr, dest: GuestAddr, id: u64)
             );
-            JMP_HOOKS.push(Box::pin(HookState {
+
-                id: JmpHookId(0),
+            self.jmp_hooks.push(Box::pin(TcgHookState::new(
-                gen: hook_to_repr!(generation_hook),
+                JmpHookId::invalid(),
-                post_gen: HookRepr::Empty,
+                hook_to_repr!(generation_hook),
-                execs: [hook_to_repr!(execution_hook)],
+                HookRepr::Empty,
-            }));
+                [
+                    hook_to_repr!(execution_hook),
+                ],
+            )));
+
+            let hook_state = &mut *ptr::from_mut::<TcgHookState<1, JmpHookId>>(
+                self
+                .jmp_hooks
+                .last_mut()
+                .unwrap()
+                .as_mut()
+                .get_unchecked_mut());
+
             let id = self
-                .qemu
+                .qemu_hooks
-                .add_jmp_hooks(JMP_HOOKS.last_mut().unwrap().as_mut().get_unchecked_mut(),
+                .add_jmp_hooks(&mut *hook_state,
                 gen,
                 exec
             );
-            JMP_HOOKS
+            self.jmp_hooks
                 .last_mut()
                 .unwrap()
                 .as_mut()
                 .get_unchecked_mut()
-                .id = id;
+                .set_id(id);
             id
         }
     }