From 7a9cca9e1bb910251cdf411f41be731032e9b3fa Mon Sep 17 00:00:00 2001
From: lazymio
Date: Fri, 16 May 2025 19:29:49 +0800
Subject: [PATCH] Expose AFL++ style extended cmplog for unicornafl (#3238)

* expose afl++ style extended cmplog for unicornafl
* also update map ptr
* fix imports
* fix naming
* feature dep
---
 libafl_cc/src/no-link-rt.c | 9 +++++++++
 libafl_targets/Cargo.toml | 1 +
 libafl_targets/src/cmplog.c | 6 ++++++
 libafl_targets/src/cmplog.h | 3 ++-
 libafl_targets/src/cmps/mod.rs | 8 ++++++++
 libafl_targets/src/forkserver.rs | 7 +++++++
 6 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/libafl_cc/src/no-link-rt.c b/libafl_cc/src/no-link-rt.c
index e1cc59e55e..82aef7ca9b 100644
--- a/libafl_cc/src/no-link-rt.c
+++ b/libafl_cc/src/no-link-rt.c
@@ -16,6 +16,15 @@ void __libafl_targets_cmplog_instructions(uintptr_t k, uint8_t shape,
   (void)arg2;
 }
 
+void __libafl_targets_cmplog_instructions_extended(uintptr_t k, uint8_t shape,
+                                                   uint64_t arg1,
+                                                   uint64_t arg2) {
+  (void)k;
+  (void)shape;
+  (void)arg1;
+  (void)arg2;
+}
+
 void __cmplog_ins_hook1_extended(uint8_t arg1, uint8_t arg2, uint8_t attr) {
   (void)arg1;
   (void)arg2;
diff --git a/libafl_targets/Cargo.toml b/libafl_targets/Cargo.toml
index 0f870354d7..ed8426efb7 100644
--- a/libafl_targets/Cargo.toml
+++ b/libafl_targets/Cargo.toml
@@ -67,6 +67,7 @@ forkserver = [
 windows_asan = ["common"] # Compile C code for ASAN on Windows
 whole_archive = [] # use +whole-archive to ensure the presence of weak symbols
 cmplog_extended_instrumentation = [
+  "cmplog", # without `cmplog`, extended instrumentation won't compile
 ] # support for aflpp cmplog map, we will remove this once aflpp and libafl cmplog shares the same LLVM passes.
 function-logging = ["common"]
 track_hit_feedbacks = ["libafl/track_hit_feedbacks"]
diff --git a/libafl_targets/src/cmplog.c b/libafl_targets/src/cmplog.c
index 675cf7171d..909daada0c 100644
--- a/libafl_targets/src/cmplog.c
+++ b/libafl_targets/src/cmplog.c
@@ -102,6 +102,12 @@ void __libafl_targets_cmplog_instructions(uintptr_t k, uint8_t shape,
   cmplog_instructions_checked(k, shape, arg1, arg2, 0);
 }
 
+// Very generic afl++ style cmplog instructions callback
+void __libafl_targets_cmplog_instructions_extended(uintptr_t k, uint8_t shape,
+                                                   uint64_t arg1, uint64_t arg2) {
+  cmplog_instructions_extended_checked(k, shape, arg1, arg2, 0);
+}
+
 // Very generic cmplog routines callback
 void __libafl_targets_cmplog_routines(uintptr_t k, const uint8_t *ptr1,
                                       const uint8_t *ptr2) {
diff --git a/libafl_targets/src/cmplog.h b/libafl_targets/src/cmplog.h
index 2750a85fde..837f690394 100644
--- a/libafl_targets/src/cmplog.h
+++ b/libafl_targets/src/cmplog.h
@@ -234,7 +234,8 @@ static inline void cmplog_routines_checked_extended(uintptr_t k,
 
 void __libafl_targets_cmplog_instructions(uintptr_t k, uint8_t shape,
                                           uint64_t arg1, uint64_t arg2);
-
+void __libafl_targets_cmplog_instructions_extended(uintptr_t k, uint8_t shape,
+                                                   uint64_t arg1, uint64_t arg2);
 void __libafl_targets_cmplog_routines(uintptr_t k, const uint8_t *ptr1,
                                       const uint8_t *ptr2);
 
diff --git a/libafl_targets/src/cmps/mod.rs b/libafl_targets/src/cmps/mod.rs
index 039db83c54..64a52d116a 100644
--- a/libafl_targets/src/cmps/mod.rs
+++ b/libafl_targets/src/cmps/mod.rs
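Review bot: The trailing `0` handed to `cmplog_instructions_extended_checked` in the new `__libafl_targets_cmplog_instructions_extended` is an unexplained literal; if that last parameter is the comparison attribute, as it is for the `__cmplog_ins_hook*_extended` hooks whose signatures end in `uint8_t attr`, then every compare logged through this entry point carries the same attribute and the predicate information the AFL++-style layout is meant to record is dropped for external callers such as unicornafl. Please state the intent at the call, e.g. `// attr = 0: this generic entry point carries no predicate information`, or consider a sibling entry point that accepts `uint8_t attr`. The plain `__libafl_targets_cmplog_instructions` just above passes the same literal, so at minimum the two should be documented consistently.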
@@ -51,15 +51,23 @@ unsafe extern "C" {
     /// Logs an instruction for feedback during fuzzing
     pub fn __libafl_targets_cmplog_instructions(k: usize, shape: u8, arg1: u64, arg2: u64);
 
+    /// Logs an AFL++ style instruction for feedback during fuzzing
+    pub fn __libafl_targets_cmplog_instructions_extended(k: usize, shape: u8, arg1: u64, arg2: u64);
+
     /// Logs a routine for feedback during fuzzing
     pub fn __libafl_targets_cmplog_routines(k: usize, ptr1: *const u8, ptr2: *const u8);
 
     /// Pointer to the `CmpLog` map
     pub static mut libafl_cmplog_map_ptr: *mut CmpLogMap;
+
+    /// Pointer to the extended `CmpLog` map
+    pub static mut libafl_cmplog_map_extended_ptr: *mut CmpLogMap;
 }
 
 #[cfg(feature = "cmplog")]
 pub use libafl_cmplog_map_ptr as CMPLOG_MAP_PTR;
+#[cfg(feature = "cmplog_extended_instrumentation")]
+pub use libafl_cmplog_map_extended_ptr as EXTENDED_CMPLOG_MAP_PTR;
 
 /// Value indicating if cmplog is enabled.
 #[unsafe(no_mangle)]
diff --git a/libafl_targets/src/forkserver.rs b/libafl_targets/src/forkserver.rs
index b2c1f18b78..3c9d8e41be 100644
--- a/libafl_targets/src/forkserver.rs
+++ b/libafl_targets/src/forkserver.rs
@@ -22,6 +22,9 @@ use nix::{
 
 #[cfg(feature = "cmplog")]
 use crate::cmps::CMPLOG_MAP_PTR;
+#[cfg(feature = "cmplog_extended_instrumentation")]
+use crate::cmps::EXTENDED_CMPLOG_MAP_PTR;
+
 use crate::coverage::{__afl_map_size, EDGES_MAP_PTR, INPUT_LENGTH_PTR, INPUT_PTR, SHM_FUZZING};
 #[cfg(any(target_os = "linux", target_vendor = "apple"))]
 use crate::coverage::{__token_start, __token_stop};
@@ -201,6 +204,10 @@ fn map_cmplog_shared_memory_internal() -> Result<(), Error> {
     unsafe {
         CMPLOG_MAP_PTR = map.cast();
     }
+    #[cfg(feature = "cmplog_extended_instrumentation")]
+    unsafe {
+        EXTENDED_CMPLOG_MAP_PTR = map.cast();
+    }
     Ok(())
 }
 
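Review bot: `libafl_cmplog_map_extended_ptr` is declared with the same pointee type as the plain map, `*mut CmpLogMap`, yet the AFL++-style extended map is a different layout on the C side if the definition follows this crate's own `AFLppCmpLogMap` header/operand structure; an `extern` static with the wrong pointee type is accepted silently by the linker and only surfaces as misread entries in the map. Please confirm the C definition of `libafl_cmplog_map_extended_ptr` and either change the Rust type to match it or add a comment on the declaration such as `/// NOTE: typed as the plain `CmpLogMap`; the C side must define this symbol with the same layout`. The doc line `/// Pointer to the extended `CmpLog` map` would also benefit from naming which feature defines the symbol on the C side, since the extern declaration itself is not cfg-gated while its re-export on the new `EXTENDED_CMPLOG_MAP_PTR` line is.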
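Review bot: In the second forkserver.rs hunk the same `map` is cast into both `CMPLOG_MAP_PTR` and `EXTENDED_CMPLOG_MAP_PTR`, so the two pointers alias one shared-memory region; whatever size that region was mapped with (earlier in `map_cmplog_shared_memory_internal`, which starts outside the hunk) must cover the larger of the two map layouts, otherwise writes through the extended pointer run past the mapping and corrupt whatever follows it in the forkserver's address space. If the two maps are never written in the same run, say so at the assignment, e.g. `// Aliases the plain cmplog mapping: only one of the two maps is written per run, and the region must be at least as large as the larger layout`; if they can both be used, the mapping size needs to be computed from the extended layout when that feature is on. A debug assertion comparing the mapped length against the extended map's size would make the invariant checkable.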