From 7b31bbbc6b10fd4198124a2ede901fbef0d82529 Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Mon, 21 Nov 2022 12:11:48 +0100 Subject: [PATCH] Reset rr ops and always set TARGET_TB_PCREL to 0 (#14) * Restore rr and mttcg ops to vanilla QEMU * kill -9 TARGET_TB_PCREL * Clean the code --- accel/tcg/tcg-accel-ops-mttcg.c | 10 --- accel/tcg/tcg-accel-ops-rr.c | 119 +------------------------------- accel/tcg/tcg-runtime.c | 1 + softmmu/runstate.c | 4 ++ target/arm/cpu-param.h | 7 ++ target/i386/cpu-param.h | 7 ++ 6 files changed, 20 insertions(+), 128 deletions(-) diff --git a/accel/tcg/tcg-accel-ops-mttcg.c b/accel/tcg/tcg-accel-ops-mttcg.c index f8e0be3215..d50239e0e2 100644 --- a/accel/tcg/tcg-accel-ops-mttcg.c +++ b/accel/tcg/tcg-accel-ops-mttcg.c @@ -95,16 +95,6 @@ static void *mttcg_cpu_thread_fn(void *arg) r = tcg_cpus_exec(cpu); qemu_mutex_lock_iothread(); switch (r) { - -//// --- Begin LibAFL code --- - -#define EXCP_LIBAFL_BP 0xf4775747 - - case EXCP_LIBAFL_BP: - break; - -//// --- End LibAFL code --- - case EXCP_DEBUG: cpu_handle_guest_debug(cpu); break; diff --git a/accel/tcg/tcg-accel-ops-rr.c b/accel/tcg/tcg-accel-ops-rr.c index 40e74fc1ed..290833a37f 100644 --- a/accel/tcg/tcg-accel-ops-rr.c +++ b/accel/tcg/tcg-accel-ops-rr.c @@ -139,111 +139,6 @@ static void rr_force_rcu(Notifier *notify, void *data) rr_kick_next_cpu(); } -//// --- Begin LibAFL code --- - -#define EXCP_LIBAFL_BP 0xf4775747 - -void libafl_cpu_thread_fn(CPUState *cpu); - -static void default_libafl_start_vcpu(CPUState *cpu) { - libafl_cpu_thread_fn(cpu); -} - -void (*libafl_start_vcpu)(CPUState *cpu) = default_libafl_start_vcpu; - -void libafl_cpu_thread_fn(CPUState *cpu) -{ - rr_start_kick_timer(); - - while (1) { - qemu_mutex_unlock_iothread(); - replay_mutex_lock(); - qemu_mutex_lock_iothread(); - - if (icount_enabled()) { - /* Account partial waits to QEMU_CLOCK_VIRTUAL. */ - icount_account_warp_timer(); - /* - * Run the timers here. This is much more efficient than - * waking up the I/O thread and waiting for completion. - */ - icount_handle_deadline(); - } - - replay_mutex_unlock(); - - if (!cpu) { - cpu = first_cpu; - } - - while (cpu && cpu_work_list_empty(cpu) && !cpu->exit_request) { - - qatomic_mb_set(&rr_current_cpu, cpu); - current_cpu = cpu; - - qemu_clock_enable(QEMU_CLOCK_VIRTUAL, - (cpu->singlestep_enabled & SSTEP_NOTIMER) == 0); - - if (cpu_can_run(cpu)) { - int r; - - qemu_mutex_unlock_iothread(); - if (icount_enabled()) { - icount_prepare_for_run(cpu); - } - r = tcg_cpus_exec(cpu); - if (icount_enabled()) { - icount_process_data(cpu); - } - qemu_mutex_lock_iothread(); - - // TODO(libafl) should we have the iothread lock on? - if (r == EXCP_LIBAFL_BP) { - rr_stop_kick_timer(); - return; - } - - if (r == EXCP_DEBUG) { - cpu_handle_guest_debug(cpu); - break; - } else if (r == EXCP_ATOMIC) { - qemu_mutex_unlock_iothread(); - cpu_exec_step_atomic(cpu); - qemu_mutex_lock_iothread(); - break; - } - } else if (cpu->stop) { - if (cpu->unplug) { - cpu = CPU_NEXT(cpu); - } - break; - } - - cpu = CPU_NEXT(cpu); - } /* while (cpu && !cpu->exit_request).. */ - - /* Does not need qatomic_mb_set because a spurious wakeup is okay. */ - qatomic_set(&rr_current_cpu, NULL); - - if (cpu && cpu->exit_request) { - qatomic_mb_set(&cpu->exit_request, 0); - } - - if (icount_enabled() && all_cpu_threads_idle()) { - /* - * When all cpus are sleeping (e.g in WFI), to avoid a deadlock - * in the main_loop, wake it up in order to start the warp timer. - */ - qemu_notify_event(); - } - - rr_wait_io_event(); - rr_deal_with_unplugged_cpus(); - } -} - -//// --- End LibAFL code --- - /* * In the single-threaded case each vCPU is simulated in turn. If * there is more than a single vCPU we create a simple timer to kick @@ -282,25 +177,13 @@ static void *rr_cpu_thread_fn(void *arg) } } - // rr_start_kick_timer(); + rr_start_kick_timer(); cpu = first_cpu; /* process any pending work */ cpu->exit_request = 1; - //// --- Begin LibAFL code --- - - libafl_start_vcpu(cpu); - - rcu_remove_force_rcu_notifier(&force_rcu); - rcu_unregister_thread(); - return NULL; - - //// --- End LibAFL code --- - - // The following dead code is from the original QEMU codebase - while (1) { qemu_mutex_unlock_iothread(); replay_mutex_lock(); diff --git a/accel/tcg/tcg-runtime.c b/accel/tcg/tcg-runtime.c index 95a03a590d..5460a8fa45 100644 --- a/accel/tcg/tcg-runtime.c +++ b/accel/tcg/tcg-runtime.c @@ -134,6 +134,7 @@ void libafl_qemu_trigger_breakpoint(CPUState* cpu) { #ifndef CONFIG_USER_ONLY qemu_system_debug_request(); + cpu->stopped = true; #else if (cpu->running) { cpu->exception_index = EXCP_LIBAFL_BP; diff --git a/softmmu/runstate.c b/softmmu/runstate.c index bbd05d7c39..a3c8226406 100644 --- a/softmmu/runstate.c +++ b/softmmu/runstate.c @@ -675,9 +675,13 @@ static bool main_loop_should_exit(int *status) if (qemu_debug_requested()) { vm_stop(RUN_STATE_DEBUG); + //// --- Begin LibAFL code --- + return true; // exit back to fuzzing harness + //// --- End LibAFL code --- + } if (qemu_suspend_requested()) { qemu_system_suspend(); diff --git a/target/arm/cpu-param.h b/target/arm/cpu-param.h index 53cac9c89b..349d0aba38 100644 --- a/target/arm/cpu-param.h +++ b/target/arm/cpu-param.h @@ -49,4 +49,11 @@ #define NB_MMU_MODES 12 +//// --- Begin LibAFL code --- + +#undef TARGET_TB_PCREL +# define TARGET_TB_PCREL 0 + +//// --- End LibAFL code --- + #endif diff --git a/target/i386/cpu-param.h b/target/i386/cpu-param.h index f579b16bd2..527f7fa496 100644 --- a/target/i386/cpu-param.h +++ b/target/i386/cpu-param.h @@ -29,4 +29,11 @@ # define TARGET_TB_PCREL 1 #endif +//// --- Begin LibAFL code --- + +#undef TARGET_TB_PCREL +# define TARGET_TB_PCREL 0 + +//// --- End LibAFL code --- + #endif