From 93663809156a33475ade972cdd5b1301b9310687 Mon Sep 17 00:00:00 2001 From: Romain Malmain Date: Tue, 29 Apr 2025 14:29:00 +0200 Subject: [PATCH] format --- include/libafl/tcg-helper.h | 8 +- include/libafl/tcg.h | 1 - libafl/tcg-helper.c | 14 +-- libafl/tcg.c | 174 +++++++++++++++++++----------------- 4 files changed, 103 insertions(+), 94 deletions(-) diff --git a/include/libafl/tcg-helper.h b/include/libafl/tcg-helper.h index 050356a460..b5da9e6273 100644 --- a/include/libafl/tcg-helper.h +++ b/include/libafl/tcg-helper.h @@ -1,4 +1,4 @@ -DEF_HELPER_FLAGS_2(libafl_qemu_handle_breakpoint, TCG_CALL_NO_RWG, - void, env, i64) -DEF_HELPER_FLAGS_3(libafl_qemu_handle_custom_insn, TCG_CALL_NO_RWG, - void, env, i64, i32) +DEF_HELPER_FLAGS_2(libafl_qemu_handle_breakpoint, TCG_CALL_NO_RWG, void, env, + i64) +DEF_HELPER_FLAGS_3(libafl_qemu_handle_custom_insn, TCG_CALL_NO_RWG, void, env, + i64, i32) diff --git a/include/libafl/tcg.h b/include/libafl/tcg.h index 372419c1a7..5bdb373c4c 100644 --- a/include/libafl/tcg.h +++ b/include/libafl/tcg.h @@ -5,4 +5,3 @@ void tcg_gen_callN(void* func, TCGHelperInfo* info, TCGTemp* ret, TCGTemp** args); - diff --git a/libafl/tcg-helper.c b/libafl/tcg-helper.c index 48e522403b..484dfd46fb 100644 --- a/libafl/tcg-helper.c +++ b/libafl/tcg-helper.c @@ -5,18 +5,20 @@ #include "libafl/exit.h" -#define HELPER_H "libafl/tcg-helper.h" +#define HELPER_H "libafl/tcg-helper.h" #include "exec/helper-info.c.inc" -#undef HELPER_H +#undef HELPER_H -void HELPER(libafl_qemu_handle_breakpoint)(CPUArchState *env, uint64_t pc) +void HELPER(libafl_qemu_handle_breakpoint)(CPUArchState* env, uint64_t pc) { CPUState* cpu = env_cpu(env); - libafl_exit_request_breakpoint(cpu, (target_ulong) pc); + libafl_exit_request_breakpoint(cpu, (target_ulong)pc); } -void HELPER(libafl_qemu_handle_custom_insn)(CPUArchState *env, uint64_t pc, uint32_t kind) +void HELPER(libafl_qemu_handle_custom_insn)(CPUArchState* env, uint64_t pc, + uint32_t kind) { CPUState* cpu = env_cpu(env); - libafl_exit_request_custom_insn(cpu, (target_ulong) pc, (enum libafl_custom_insn_kind) kind); + libafl_exit_request_custom_insn(cpu, (target_ulong)pc, + (enum libafl_custom_insn_kind)kind); } diff --git a/libafl/tcg.c b/libafl/tcg.c index a8ac8aaa25..da66e6543c 100644 --- a/libafl/tcg.c +++ b/libafl/tcg.c @@ -19,12 +19,11 @@ static target_ulong reverse_bits(target_ulong num) target_ulong reverse_num = num; num >>= 1; - while(num) - { - reverse_num <<= 1; - reverse_num |= num & 1; - num >>= 1; - count--; + while (num) { + reverse_num <<= 1; + reverse_num |= num & 1; + num >>= 1; + count--; } reverse_num <<= count; return reverse_num; @@ -34,9 +33,9 @@ static target_ulong reverse_bits(target_ulong num) * Isolate the portion of code gen which can setjmp/longjmp. * Return the size of the generated code, or negative on error. */ -static int libafl_setjmp_gen_code(CPUArchState *env, TranslationBlock *tb, - vaddr pc, void *host_pc, - int *max_insns, int64_t *ti) +static int libafl_setjmp_gen_code(CPUArchState* env, TranslationBlock* tb, + vaddr pc, void* host_pc, int* max_insns, + int64_t* ti) { int ret = sigsetjmp(tcg_ctx->jmp_trans, 0); if (unlikely(ret != 0)) { @@ -48,7 +47,8 @@ static int libafl_setjmp_gen_code(CPUArchState *env, TranslationBlock *tb, tcg_ctx->cpu = env_cpu(env); // -- start gen_intermediate_code - const int num_insns = 1; // do "as-if" we were translating a single target instruction + const int num_insns = + 1; // do "as-if" we were translating a single target instruction #ifndef TARGET_INSN_START_EXTRA_WORDS tcg_gen_insn_start(pc); @@ -66,10 +66,13 @@ static int libafl_setjmp_gen_code(CPUArchState *env, TranslationBlock *tb, tcg_gen_goto_tb(0); tcg_gen_exit_tb(tb, 0); - // This is obviously wrong, but it is required that the number / size of target instruction translated - // is at least 1. For now, we make it so that no problem occurs later on. - tb->icount = num_insns; // number of target instructions translated in the TB. - tb->size = num_insns; // size (in target bytes) of target instructions translated in the TB. + // This is obviously wrong, but it is required that the number / size of + // target instruction translated is at least 1. For now, we make it so that + // no problem occurs later on. + tb->icount = + num_insns; // number of target instructions translated in the TB. + tb->size = num_insns; // size (in target bytes) of target instructions + // translated in the TB. // -- end gen_intermediate_code assert(tb->size != 0); @@ -80,18 +83,18 @@ static int libafl_setjmp_gen_code(CPUArchState *env, TranslationBlock *tb, } /* Called with mmap_lock held for user mode emulation. */ -TranslationBlock *libafl_gen_edge(CPUState *cpu, target_ulong src_block, +TranslationBlock* libafl_gen_edge(CPUState* cpu, target_ulong src_block, target_ulong dst_block, int exit_n, target_ulong cs_base, uint32_t flags, int cflags) { - CPUArchState *env = cpu_env(cpu); - TranslationBlock *tb; + CPUArchState* env = cpu_env(cpu); + TranslationBlock* tb; tb_page_addr_t phys_pc; - tcg_insn_unit *gen_code_buf; + tcg_insn_unit* gen_code_buf; int gen_code_size, search_size, max_insns; int64_t ti; - void *host_pc; + void* host_pc; // edge hooks generation callbacks // early check if it should be skipped or not @@ -106,7 +109,8 @@ TranslationBlock *libafl_gen_edge(CPUState *cpu, target_ulong src_block, assert_memory_lock(); qemu_thread_jit_write(); - // TODO: this (get_page_addr_code_hostp) is a bottleneck in systemmode, investigate why + // TODO: this (get_page_addr_code_hostp) is a bottleneck in systemmode, + // investigate why phys_pc = get_page_addr_code_hostp(env, src_block, &host_pc); phys_pc ^= reverse_bits((tb_page_addr_t)exit_n); @@ -125,7 +129,7 @@ TranslationBlock *libafl_gen_edge(CPUState *cpu, target_ulong src_block, } QEMU_BUILD_BUG_ON(CF_COUNT_MASK + 1 != TCG_MAX_INSNS); - buffer_overflow: +buffer_overflow: assert_no_pages_locked(); tb = tcg_tb_alloc(tcg_ctx); if (unlikely(!tb)) { @@ -167,77 +171,80 @@ TranslationBlock *libafl_gen_edge(CPUState *cpu, target_ulong src_block, tcg_ctx->guest_mo = TCG_MO_ALL; #endif - restart_translate: +restart_translate: trace_translate_block(tb, pc, tb->tc.ptr); - gen_code_size = libafl_setjmp_gen_code(env, tb, pc, host_pc, &max_insns, &ti); + gen_code_size = + libafl_setjmp_gen_code(env, tb, pc, host_pc, &max_insns, &ti); if (unlikely(gen_code_size < 0)) { switch (gen_code_size) { - case -1: - /* - * Overflow of code_gen_buffer, or the current slice of it. - * - * TODO: We don't need to re-do gen_intermediate_code, nor - * should we re-do the tcg optimization currently hidden - * inside tcg_gen_code. All that should be required is to - * flush the TBs, allocate a new TB, re-initialize it per - * above, and re-do the actual code generation. - */ - qemu_log_mask(CPU_LOG_TB_OP | CPU_LOG_TB_OP_OPT, - "Restarting code generation for " - "code_gen_buffer overflow\n"); - tb_unlock_pages(tb); - tcg_ctx->gen_tb = NULL; - goto buffer_overflow; + case -1: + /* + * Overflow of code_gen_buffer, or the current slice of it. + * + * TODO: We don't need to re-do gen_intermediate_code, nor + * should we re-do the tcg optimization currently hidden + * inside tcg_gen_code. All that should be required is to + * flush the TBs, allocate a new TB, re-initialize it per + * above, and re-do the actual code generation. + */ + qemu_log_mask(CPU_LOG_TB_OP | CPU_LOG_TB_OP_OPT, + "Restarting code generation for " + "code_gen_buffer overflow\n"); + tb_unlock_pages(tb); + tcg_ctx->gen_tb = NULL; + goto buffer_overflow; - case -2: - assert(false && "This should never happen for edge code. There must be a bug."); - /* - * The code generated for the TranslationBlock is too large. - * The maximum size allowed by the unwind info is 64k. - * There may be stricter constraints from relocations - * in the tcg backend. - * - * Try again with half as many insns as we attempted this time. - * If a single insn overflows, there's a bug somewhere... - */ - assert(max_insns > 1); - max_insns /= 2; - qemu_log_mask(CPU_LOG_TB_OP | CPU_LOG_TB_OP_OPT, - "Restarting code generation with " - "smaller translation block (max %d insns)\n", - max_insns); + case -2: + assert( + false && + "This should never happen for edge code. There must be a bug."); + /* + * The code generated for the TranslationBlock is too large. + * The maximum size allowed by the unwind info is 64k. + * There may be stricter constraints from relocations + * in the tcg backend. + * + * Try again with half as many insns as we attempted this time. + * If a single insn overflows, there's a bug somewhere... + */ + assert(max_insns > 1); + max_insns /= 2; + qemu_log_mask(CPU_LOG_TB_OP | CPU_LOG_TB_OP_OPT, + "Restarting code generation with " + "smaller translation block (max %d insns)\n", + max_insns); - /* - * The half-sized TB may not cross pages. - * TODO: Fix all targets that cross pages except with - * the first insn, at which point this can't be reached. - */ - // phys_p2 = tb_page_addr1(tb); - // if (unlikely(phys_p2 != -1)) { - // tb_unlock_page1(phys_pc, phys_p2); - // tb_set_page_addr1(tb, -1); - // } - goto restart_translate; + /* + * The half-sized TB may not cross pages. + * TODO: Fix all targets that cross pages except with + * the first insn, at which point this can't be reached. + */ + // phys_p2 = tb_page_addr1(tb); + // if (unlikely(phys_p2 != -1)) { + // tb_unlock_page1(phys_pc, phys_p2); + // tb_set_page_addr1(tb, -1); + // } + goto restart_translate; - case -3: - /* - * We had a page lock ordering problem. In order to avoid - * deadlock we had to drop the lock on page0, which means - * that everything we translated so far is compromised. - * Restart with locks held on both pages. - */ - qemu_log_mask(CPU_LOG_TB_OP | CPU_LOG_TB_OP_OPT, - "Restarting code generation with re-locked pages"); - goto restart_translate; + case -3: + /* + * We had a page lock ordering problem. In order to avoid + * deadlock we had to drop the lock on page0, which means + * that everything we translated so far is compromised. + * Restart with locks held on both pages. + */ + qemu_log_mask(CPU_LOG_TB_OP | CPU_LOG_TB_OP_OPT, + "Restarting code generation with re-locked pages"); + goto restart_translate; - default: - g_assert_not_reached(); + default: + g_assert_not_reached(); } } tcg_ctx->gen_tb = NULL; - search_size = encode_search(tb, (void *)gen_code_buf + gen_code_size); + search_size = encode_search(tb, (void*)gen_code_buf + gen_code_size); if (unlikely(search_size < 0)) { tb_unlock_pages(tb); goto buffer_overflow; @@ -250,9 +257,10 @@ TranslationBlock *libafl_gen_edge(CPUState *cpu, target_ulong src_block, */ perf_report_code(pc, tb, tcg_splitwx_to_rx(gen_code_buf)); - qatomic_set(&tcg_ctx->code_gen_ptr, (void *) - ROUND_UP((uintptr_t)gen_code_buf + gen_code_size + search_size, - CODE_GEN_ALIGN)); + qatomic_set( + &tcg_ctx->code_gen_ptr, + (void*)ROUND_UP((uintptr_t)gen_code_buf + gen_code_size + search_size, + CODE_GEN_ALIGN)); /* init jump list */ qemu_spin_init(&tb->jmp_lock);