Add softmmu instumentation

Break up the control flow from softmmu/main.c:main to be called as a
library.
For now use gdb style breakpoints and native snapshots.
This keeps compatability with user-mode code.

softmmu/cpus.c

@@ -305,7 +305,10 @@ void cpu_handle_guest_debug(CPUState *cpu)
             cpu_single_step(cpu, 0);
         }
     } else {
-        gdb_set_stop_cpu(cpu);
+        /* Begin LibAFL changes */
+        // With LibAFL Breakpoints there is no gdb attached.
+        // gdb_set_stop_cpu(cpu);
+        /* End LibAFL changes */
         qemu_system_debug_request();
         cpu->stopped = true;
     }

softmmu/main.c

@@ -44,11 +44,88 @@ int main(int argc, char **argv)
 #define main qemu_main
 #endif /* CONFIG_COCOA */
 
+/* Begin LibAFL instrumentation */
+#include "sysemu/runstate.h"
+#include "migration/snapshot.h"
+#include "hw/core/cpu.h"
+#include "qapi/error.h"
+#include "exec/memory.h"
+void libafl_qemu_main_loop( void );
+void libafl_qemu_run( void );
+void libafl_qemu_sys_init(int argc, char **argv, char **envp);
+void libafl_qemu_cleanup( void );
+
+void libafl_qemu_sys_init(int argc, char **argv, char **envp) { qemu_init(argc, argv, envp); }
+void libafl_qemu_cleanup( void ) { qemu_cleanup(); }
+void libafl_qemu_set_native_breakpoint( vaddr );
+int libafl_snapshot_save( const char* );
+int libafl_snapshot_load( const char* );
+void libafl_phys_read(vaddr, uint8_t*, int);
+void libafl_phys_write(vaddr, uint8_t*, int);
+
+void libafl_qemu_main_loop( void )
+{
+    vm_start();
+    qemu_main_loop();
+}
+void libafl_qemu_run( void ) { libafl_qemu_main_loop(); }
+
+void libafl_qemu_set_native_breakpoint(vaddr pc)
+{
+    CPUState *cpu;
+    CPU_FOREACH(cpu) {
+        cpu_breakpoint_insert(cpu, pc, BP_GDB, NULL);
+    }
+}
+
+int libafl_snapshot_save( const char* name )
+{
+    Error *err = NULL;
+    save_snapshot(name, true, NULL, false, NULL, &err);
+    return err == 0;
+}
+
+int libafl_snapshot_load( const char* name )
+{
+    Error *err = NULL;
+    load_snapshot(name, NULL, false, NULL, &err);
+    return err == 0;
+}
+
+void libafl_phys_read(vaddr addr, uint8_t* buf, int len)
+{
+    cpu_physical_memory_read(addr, buf, len);
+}
+void libafl_phys_write(vaddr addr, uint8_t* buf, int len)
+{
+    cpu_physical_memory_write(addr, buf, len);
+}
+
+#ifndef AS_SHARED_LIB
 int main(int argc, char **argv, char **envp)
 {
     qemu_init(argc, argv, envp);
     qemu_main_loop();
     qemu_cleanup();
+    //LIBAFL Instrumentation Demo
+    /*
+    unsigned char buf[4096] = {3};
+    libafl_qemu_sys_init(argc, argv, envp);
+    libafl_phys_write(0x00006de4+0xc, buf,1);
+    libafl_phys_read(0x00006de4+0xc, buf,1);
+    printf("FUZZ_INPUT[0]: %x\n", buf[0]);
+    libafl_qemu_set_native_breakpoint(0x00004f5c);
+    libafl_snapshot_save("Start");
+    do {
+        libafl_qemu_main_loop();
+        libafl_snapshot_load("Start");
+        puts("Reload has occured");
+    } while (runstate_check(RUN_STATE_DEBUG));
+    libafl_qemu_cleanup();
+    */
 
     return 0;
 }
+#endif
+
+/* End LibAFL instrumentation */

softmmu/runstate.c

@@ -668,6 +668,10 @@ static bool main_loop_should_exit(void)
 
     if (qemu_debug_requested()) {
         vm_stop(RUN_STATE_DEBUG);
+        /* Begin LibAFL instrumentation */
+        // main loop will exit back to fuzzer
+        return true;
+        /* End LibAFL instrumentation */
     }
     if (qemu_suspend_requested()) {
         qemu_system_suspend();