SYS-OSS/FRET-qemu
4
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

fix jump instrumentation

Browse Source
This commit is contained in:
Alwin Berger 2024-03-25 08:02:50 +01:00
parent 84b71625c3
commit 5d197af578
2 changed files with 39 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
accel/tcg/translate-all.c
View File

@ -129,6 +129,31 @@ void libafl_gen_jmp(target_ulong src, target_ulong dst)
} }
} }
// Use an indirect jump target
void libafl_gen_jmp_dynamic(target_ulong src, TCGv_i32 dst);
void libafl_gen_jmp_dynamic(target_ulong src, TCGv_i32 dst)
{
struct libafl_jmp_hook* hook = libafl_jmp_hooks;
while (hook) {
uint64_t cur_id = 0;
if (hook->gen)
cur_id = hook->gen(hook->data, src, 0); // target is not statically known, signal with 0
if (cur_id != (uint64_t)-1 && hook->exec) {
TCGv_i64 tmp0 = tcg_constant_i64(hook->data);
TCGv_i64 tmp1 = tcg_constant_i64(src);
// TCGv_i32 tmp2 = dst;
TCGv_i64 tmp3 = tcg_constant_i64(cur_id);
TCGTemp *tmp4[4] = { tcgv_i64_temp(tmp0), tcgv_i64_temp(tmp1), tcgv_i32_temp(dst), tcgv_i64_temp(tmp3) };
tcg_gen_callN(&hook->helper_info, NULL, tmp4);
tcg_temp_free_i64(tmp0);
tcg_temp_free_i64(tmp1);
//tcg_temp_free_i64(tmp2);
tcg_temp_free_i64(tmp3);
}
hook = hook->next;
}
}
//// --- End LibAFL code --- //// --- End LibAFL code ---
TBContext tb_ctx; TBContext tb_ctx;

17
target/arm/tcg/translate.c
View File

@ -28,6 +28,7 @@
#include "semihosting/semihost.h" #include "semihosting/semihost.h"
#include "cpregs.h" #include "cpregs.h"
#include "exec/helper-proto.h" #include "exec/helper-proto.h"
#include <stdio.h>
#define HELPER_H "helper.h" #define HELPER_H "helper.h"
#include "exec/helper-info.c.inc" #include "exec/helper-info.c.inc"
@ -751,11 +752,19 @@ void gen_update_pc(DisasContext *s, target_long diff)
s->pc_save = s->pc_curr + diff; s->pc_save = s->pc_curr + diff;
} }
//// --- Begin LibAFL code ---
void libafl_gen_jmp(target_ulong src, target_ulong dst); // see translate-all.c
void libafl_gen_jmp_dynamic(target_ulong src, TCGv_i32 dst);
//// --- End LibAFL code ---
/* Set PC and Thumb state from var. var is marked as dead. */ /* Set PC and Thumb state from var. var is marked as dead. */
static inline void gen_bx(DisasContext *s, TCGv_i32 var) static inline void gen_bx(DisasContext *s, TCGv_i32 var)
{ {
s->base.is_jmp = DISAS_JUMP; s->base.is_jmp = DISAS_JUMP;
tcg_gen_andi_i32(cpu_R[15], var, ~1); tcg_gen_andi_i32(cpu_R[15], var, ~1);
//// --- Begin LibAFL code ---
// printf("gen_bx %x\n", s->pc_curr);
libafl_gen_jmp_dynamic(s->pc_curr, cpu_R[15]);
//// --- End LibAFL code ---
tcg_gen_andi_i32(var, var, 1); tcg_gen_andi_i32(var, var, 1);
store_cpu_field(var, thumb); store_cpu_field(var, thumb);
s->pc_save = -1; s->pc_save = -1;
@ -2596,9 +2605,6 @@ static void gen_jmp_tb(DisasContext *s, target_long diff, int tbno)
} }
} }
//// --- Begin LibAFL code ---
void libafl_gen_jmp(target_ulong src, target_ulong dst); // see translate-all.c
//// --- End LibAFL code ---
static inline void gen_jmp(DisasContext *s, target_long diff) static inline void gen_jmp(DisasContext *s, target_long diff)
{ {
//// --- Begin LibAFL code --- //// --- Begin LibAFL code ---
@ -2896,6 +2902,11 @@ static void gen_mrs_banked(DisasContext *s, int r, int sysm, int rn)
*/ */
static void store_pc_exc_ret(DisasContext *s, TCGv_i32 pc) static void store_pc_exc_ret(DisasContext *s, TCGv_i32 pc)
{ {
//// --- Begin LibAFL code ---
// Note: Test concluded that this never executes
//printf("store_pc_exc_ret %x\n", s->pc_curr);
//libafl_gen_jmp_dynamic(s->pc_curr, pc);
//// --- End LibAFL code ---
tcg_gen_mov_i32(cpu_R[15], pc); tcg_gen_mov_i32(cpu_R[15], pc);
} }