From 0cf10fb0ffa6dfc5b58bb8ff54f1bf08d5959805 Mon Sep 17 00:00:00 2001
From: Alwin Berger
Date: Mon, 11 Apr 2022 22:56:11 +0200
Subject: [PATCH] add jmp instrumentation
---
 accel/tcg/translate-all.c | 28 +++++++++++++++++++---------
 1 file changed, 19 insertions(+), 9 deletions(-)
diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
index 67588ef947..89567300b9 100644
--- a/accel/tcg/translate-all.c
+++ b/accel/tcg/translate-all.c
@@ -81,6 +81,8 @@ void libafl_gen_cmp(target_ulong pc, TCGv op0, TCGv op1, MemOp ot);
 void (*libafl_exec_edge_hook)(uint64_t id);
 uint64_t (*libafl_gen_edge_hook)(uint64_t src, uint64_t dst);
+void (*libafl_exec_jmp_hook)(uint64_t src, uint64_t dst);
+uint64_t (*libafl_gen_jmp_hook)(uint64_t src, uint64_t dst);
 static TCGHelperInfo libafl_exec_edge_hook_info = {
     .func = NULL, .name = "libafl_exec_edge_hook", \
@@ -89,6 +91,13 @@ static TCGHelperInfo libafl_exec_edge_hook_info = {
 };
 static int exec_edge_hook_added = 0;
+static TCGHelperInfo libafl_exec_jmp_hook_info = {
+    .func = NULL, .name = "libafl_exec_jmp_hook", \
+    .flags = dh_callflag(void), \
+    .typemask = dh_typemask(void, 0) | dh_typemask(i64, 2)
+};
+static int exec_jmp_hook_added = 0;
+
 void (*libafl_exec_block_hook)(uint64_t id);
 uint64_t (*libafl_gen_block_hook)(uint64_t pc);
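Review bot: The new descriptor `libafl_exec_jmp_hook_info` types only the second argument, `.typemask = dh_typemask(void, 0) | dh_typemask(i64, 2)`, yet the hook it describes, `void (*libafl_exec_jmp_hook)(uint64_t src, uint64_t dst)`, takes two i64 arguments. If `dh_typemask(t, n)` follows QEMU's convention of slot n describing argument n (slot 0 being the return), argument 1 is left typed as void, so tcg_gen_callN will see a type description that does not match the two temps actually passed; this would be silent on a 64-bit host but wrong on hosts that split or extend arguments by type. The line should read `.typemask = dh_typemask(void, 0) | dh_typemask(i64, 1) | dh_typemask(i64, 2)`. The trailing `\` continuations copied from the edge-hook initializer are unnecessary inside a brace initializer and could be dropped while touching these lines.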
@@ -1791,17 +1800,18 @@ void libafl_gen_jmp(target_ulong src, target_ulong dst)
 {
     uint32_t libafl_id = 0;
     if (libafl_gen_edge_hook)
-        libafl_id = libafl_gen_edge_hook((uint64_t)src, (uint64_t)dst);
-    if (!libafl_exec_edge_hook || libafl_id == (uint32_t)-1)
+        libafl_id = libafl_gen_jmp_hook((uint64_t)src, (uint64_t)dst);
+    if (!libafl_exec_jmp_hook || libafl_id == (uint32_t)-1)
         return;
-    if (!exec_edge_hook_added) {
-        exec_edge_hook_added = 1;
-        libafl_exec_edge_hook_info.func = libafl_exec_edge_hook;
-        libafl_helper_table_add(&libafl_exec_edge_hook_info);
+    if (!exec_jmp_hook_added) {
+        exec_jmp_hook_added = 1;
+        libafl_exec_jmp_hook_info.func = libafl_exec_jmp_hook;
+        libafl_helper_table_add(&libafl_exec_jmp_hook_info);
     }
-    TCGv_i64 tmp0 = tcg_const_i64(libafl_id);
-    TCGTemp *tmp1[1] = { tcgv_i64_temp(tmp0) };
-    tcg_gen_callN(libafl_exec_edge_hook, NULL, 1, tmp1);
+    TCGv_i64 tmp0 = tcg_const_i64(src);
+    TCGv_i64 tmp1 = tcg_const_i64(dst);
+    TCGTemp *tmp2[2] = { tcgv_i64_temp(tmp0), tcgv_i64_temp(tmp1) };
+    tcg_gen_callN(libafl_exec_jmp_hook, NULL, 2, tmp2);
     tcg_temp_free_i64(tmp0);
 }
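Review bot: The unchanged guard at the top of the function still tests the edge hook, `if (libafl_gen_edge_hook)`, but the call it now protects is `libafl_gen_jmp_hook(...)`: with only the edge hooks registered this calls through a NULL `libafl_gen_jmp_hook`, and with only the jmp hooks registered the id callback is skipped, `libafl_id` stays 0 and the `(uint32_t)-1` skip filter can never fire, so every jump gets instrumented. The condition should be `if (libafl_gen_jmp_hook)`. The second temp added here, `tmp1 = tcg_const_i64(dst)`, is also never released — only the context line `tcg_temp_free_i64(tmp0);` remains — so add `tcg_temp_free_i64(tmp1);` after it to avoid accumulating temps in TBs with many jumps. Since `libafl_id` is now used only to decide whether to emit the call and is no longer passed to the helper, a one-line comment such as `/* gen hook returns (uint32_t)-1 to skip this jump; the exec hook receives src/dst, not the id */` would make that intent clear. The function's signature line sits just above this hunk.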