fix jump instrumentation

2024-03-25 08:02:50 +01:00 · 2024-03-25 08:02:50 +01:00 · 8e14d45910
commit 8e14d45910
parent 0cda19cbcf
2 changed files with 39 additions and 3 deletions
--- a/accel/tcg/translate-all.c
+++ b/accel/tcg/translate-all.c
@ -129,6 +129,31 @@ void libafl_gen_jmp(target_ulong src, target_ulong dst)
    }
 }

+// Use an indirect jump target
+void libafl_gen_jmp_dynamic(target_ulong src, TCGv_i32 dst);
+void libafl_gen_jmp_dynamic(target_ulong src, TCGv_i32 dst)
+{
+    struct libafl_jmp_hook* hook = libafl_jmp_hooks;
+    while (hook) {
+        uint64_t cur_id = 0;
+        if (hook->gen)
+            cur_id = hook->gen(hook->data, src, 0);   // target is not statically known, signal with 0
+        if (cur_id != (uint64_t)-1 && hook->exec) {
+            TCGv_i64 tmp0 = tcg_constant_i64(hook->data);
+            TCGv_i64 tmp1 = tcg_constant_i64(src);
+           // TCGv_i32 tmp2 = dst;
+            TCGv_i64 tmp3 = tcg_constant_i64(cur_id);
+            TCGTemp *tmp4[4] = { tcgv_i64_temp(tmp0), tcgv_i64_temp(tmp1), tcgv_i32_temp(dst), tcgv_i64_temp(tmp3) };
+            tcg_gen_callN(&hook->helper_info, NULL, tmp4);
+            tcg_temp_free_i64(tmp0);
+            tcg_temp_free_i64(tmp1);
+            //tcg_temp_free_i64(tmp2);
+            tcg_temp_free_i64(tmp3);
+        }
+        hook = hook->next;
+    }
+}
+
 //// --- End LibAFL code ---

 TBContext tb_ctx;
--- a/target/arm/tcg/translate.c
+++ b/target/arm/tcg/translate.c
@ -28,6 +28,7 @@
 #include "semihosting/semihost.h"
 #include "cpregs.h"
 #include "exec/helper-proto.h"
+#include <stdio.h>

 #define HELPER_H "helper.h"
 #include "exec/helper-info.c.inc"
@ -751,11 +752,19 @@ void gen_update_pc(DisasContext *s, target_long diff)
    s->pc_save = s->pc_curr + diff;
 }

+//// --- Begin LibAFL code ---
+void libafl_gen_jmp(target_ulong src, target_ulong dst); // see translate-all.c
+void libafl_gen_jmp_dynamic(target_ulong src, TCGv_i32 dst);
+//// --- End LibAFL code ---
 /* Set PC and Thumb state from var.  var is marked as dead.  */
 static inline void gen_bx(DisasContext *s, TCGv_i32 var)
 {
    s->base.is_jmp = DISAS_JUMP;
    tcg_gen_andi_i32(cpu_R[15], var, ~1);
+//// --- Begin LibAFL code ---
+// printf("gen_bx %x\n", s->pc_curr);
+libafl_gen_jmp_dynamic(s->pc_curr, cpu_R[15]);
+//// --- End LibAFL code ---
    tcg_gen_andi_i32(var, var, 1);
    store_cpu_field(var, thumb);
    s->pc_save = -1;
@ -2602,9 +2611,6 @@ static void gen_jmp_tb(DisasContext *s, target_long diff, int tbno)
    }
 }

-//// --- Begin LibAFL code ---
-void libafl_gen_jmp(target_ulong src, target_ulong dst); // see translate-all.c
-//// --- End LibAFL code ---
 static inline void gen_jmp(DisasContext *s, target_long diff)
 {
 //// --- Begin LibAFL code ---
@ -2895,6 +2901,11 @@ static void gen_mrs_banked(DisasContext *s, int r, int sysm, int rn)
 */
 static void store_pc_exc_ret(DisasContext *s, TCGv_i32 pc)
 {
+//// --- Begin LibAFL code ---
+// Note: Test concluded that this never executes
+//printf("store_pc_exc_ret %x\n", s->pc_curr);
+//libafl_gen_jmp_dynamic(s->pc_curr, pc);
+//// --- End LibAFL code ---
    tcg_gen_mov_i32(cpu_R[15], pc);
 }