authorAndrea Fioraldi <andreafioraldi@gmail.com>2019-10-03 15:35:02 +0200
committerAndrea Fioraldi <andreafioraldi@gmail.com>2019-10-03 15:35:02 +0200
commit4cf02a32a73e799f7a9fb032854117eb0d52d496 (patch)
treea577d984a2f676754870596ef7ecb4a999f0cf02
parent6b3a9b9dc00c495f082f5800c38f462c8fefd682 (diff)
unicorn arm compcov
-rw-r--r--docs/ChangeLog1
-rw-r--r--unicorn_mode/patches/compcov.diff138
2 files changed, 139 insertions, 0 deletions
diff --git a/docs/ChangeLog b/docs/ChangeLog
index 0b945d36..f08085b7 100644
--- a/docs/ChangeLog
+++ b/docs/ChangeLog
@@ -38,6 +38,7 @@ Version ++2.54d (dev):
   - added man page for afl-clang-fast[++]
   - updated documentation
   - Wine mode to run Win32 binaries with the QEMU instrumentation (-W)
+  - CompareCoverage for ARM target in QEMU/Unicorn
 
 
 --------------------------
diff --git a/unicorn_mode/patches/compcov.diff b/unicorn_mode/patches/compcov.diff
index 8ec867d1..4e71f465 100644
--- a/unicorn_mode/patches/compcov.diff
+++ b/unicorn_mode/patches/compcov.diff
@@ -15,6 +15,144 @@ index 22f494e..1aa7b3a 100644
  };
  
  // Metadata stub for the variable-size cpu context used with uc_context_*()
+diff --git a/qemu/target-arm/translate.c b/qemu/target-arm/translate.c
+index 4995eda..06c7e63 100644
+--- a/qemu/target-arm/translate.c
++++ b/qemu/target-arm/translate.c
+@@ -63,6 +63,12 @@ static TCGv_i64 cpu_exclusive_test;
+ static TCGv_i32 cpu_exclusive_info;
+ #endif
+ 
++#if defined(UNICORN_AFL)
++#include "../../afl-unicorn-cpu-translate-inl.h"
++#else
++#define afl_gen_compcov(a,b,c,d,e,f) do {} while (0)
++#endif
++
+ 
+ static const char *regnames[] =
+     { "r0", "r1", "r2", "r3", "r4", "r5", "r6", "r7",
+@@ -8214,6 +8220,7 @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)  // qq
+             } else {
+                 if (set_cc) {
+                     gen_sub_CC(s, tmp, tmp, tmp2);
++                    afl_gen_compcov(tcg_ctx, s->pc, tmp, tmp2, MO_32, insn & (1 << 25));
+                 } else {
+                     tcg_gen_sub_i32(tcg_ctx, tmp, tmp, tmp2);
+                 }
+@@ -8223,6 +8230,7 @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)  // qq
+         case 0x03:
+             if (set_cc) {
+                 gen_sub_CC(s, tmp, tmp2, tmp);
++                afl_gen_compcov(tcg_ctx, s->pc, tmp, tmp2, MO_32, insn & (1 << 25));
+             } else {
+                 tcg_gen_sub_i32(tcg_ctx, tmp, tmp2, tmp);
+             }
+@@ -8277,6 +8285,7 @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)  // qq
+         case 0x0a:
+             if (set_cc) {
+                 gen_sub_CC(s, tmp, tmp, tmp2);
++                afl_gen_compcov(tcg_ctx, s->pc, tmp, tmp2, MO_32, insn & (1 << 25));
+             }
+             tcg_temp_free_i32(tcg_ctx, tmp);
+             break;
+@@ -9148,7 +9157,7 @@ thumb2_logic_op(int op)
+ 
+ static int
+ gen_thumb2_data_op(DisasContext *s, int op, int conds, uint32_t shifter_out,
+-                   TCGv_i32 t0, TCGv_i32 t1)
++                   TCGv_i32 t0, TCGv_i32 t1, int has_imm)
+ {
+     TCGContext *tcg_ctx = s->uc->tcg_ctx;
+     int logic_cc;
+@@ -9195,15 +9204,17 @@ gen_thumb2_data_op(DisasContext *s, int op, int conds, uint32_t shifter_out,
+         }
+         break;
+     case 13: /* sub */
+-        if (conds)
++        if (conds) {
+             gen_sub_CC(s, t0, t0, t1);
+-        else
++            afl_gen_compcov(tcg_ctx, s->pc, t0, t1, MO_32, has_imm);
++        } else
+             tcg_gen_sub_i32(tcg_ctx, t0, t0, t1);
+         break;
+     case 14: /* rsb */
+-        if (conds)
++        if (conds) {
+             gen_sub_CC(s, t0, t1, t0);
+-        else
++            afl_gen_compcov(tcg_ctx, s->pc, t0, t1, MO_32, has_imm);
++        } else
+             tcg_gen_sub_i32(tcg_ctx, t0, t1, t0);
+         break;
+     default: /* 5, 6, 7, 9, 12, 15. */
+@@ -9572,7 +9583,7 @@ static int disas_thumb2_insn(CPUARMState *env, DisasContext *s, uint16_t insn_hw
+             conds = (insn & (1 << 20)) != 0;
+             logic_cc = (conds && thumb2_logic_op(op));
+             gen_arm_shift_im(s, tmp2, shiftop, shift, logic_cc);
+-            if (gen_thumb2_data_op(s, op, conds, 0, tmp, tmp2))
++            if (gen_thumb2_data_op(s, op, conds, 0, tmp, tmp2, insn & (1 << 10)))
+                 goto illegal_op;
+             tcg_temp_free_i32(tcg_ctx, tmp2);
+             if (rd != 15) {
+@@ -10215,7 +10226,7 @@ static int disas_thumb2_insn(CPUARMState *env, DisasContext *s, uint16_t insn_hw
+                 }
+                 op = (insn >> 21) & 0xf;
+                 if (gen_thumb2_data_op(s, op, (insn & (1 << 20)) != 0,
+-                                       shifter_out, tmp, tmp2))
++                                       shifter_out, tmp, tmp2, insn & (1 << 10)))
+                     goto illegal_op;
+                 tcg_temp_free_i32(tcg_ctx, tmp2);
+                 rd = (insn >> 8) & 0xf;
+@@ -10471,8 +10482,10 @@ static void disas_thumb_insn(CPUARMState *env, DisasContext *s) // qq
+             if (insn & (1 << 9)) {
+                 if (s->condexec_mask)
+                     tcg_gen_sub_i32(tcg_ctx, tmp, tmp, tmp2);
+-                else
++                else {
+                     gen_sub_CC(s, tmp, tmp, tmp2);
++                    afl_gen_compcov(tcg_ctx, s->pc, tmp, tmp2, MO_32, insn & (1 << 10));
++                }
+             } else {
+                 if (s->condexec_mask)
+                     tcg_gen_add_i32(tcg_ctx, tmp, tmp, tmp2);
+@@ -10509,6 +10522,7 @@ static void disas_thumb_insn(CPUARMState *env, DisasContext *s) // qq
+             switch (op) {
+             case 1: /* cmp */
+                 gen_sub_CC(s, tmp, tmp, tmp2);
++                afl_gen_compcov(tcg_ctx, s->pc, tmp, tmp2, MO_32, 1);
+                 tcg_temp_free_i32(tcg_ctx, tmp);
+                 tcg_temp_free_i32(tcg_ctx, tmp2);
+                 break;
+@@ -10523,8 +10537,10 @@ static void disas_thumb_insn(CPUARMState *env, DisasContext *s) // qq
+             case 3: /* sub */
+                 if (s->condexec_mask)
+                     tcg_gen_sub_i32(tcg_ctx, tmp, tmp, tmp2);
+-                else
++                else {
+                     gen_sub_CC(s, tmp, tmp, tmp2);
++                    afl_gen_compcov(tcg_ctx, s->pc, tmp, tmp2, MO_32, 1);
++                }
+                 tcg_temp_free_i32(tcg_ctx, tmp2);
+                 store_reg(s, rd, tmp);
+                 break;
+@@ -10562,6 +10578,7 @@ static void disas_thumb_insn(CPUARMState *env, DisasContext *s) // qq
+                 tmp = load_reg(s, rd);
+                 tmp2 = load_reg(s, rm);
+                 gen_sub_CC(s, tmp, tmp, tmp2);
++                afl_gen_compcov(tcg_ctx, s->pc, tmp, tmp2, MO_32, 0);
+                 tcg_temp_free_i32(tcg_ctx, tmp2);
+                 tcg_temp_free_i32(tcg_ctx, tmp);
+                 break;
+@@ -10680,6 +10697,7 @@ static void disas_thumb_insn(CPUARMState *env, DisasContext *s) // qq
+             break;
+         case 0xa: /* cmp */
+             gen_sub_CC(s, tmp, tmp, tmp2);
++            afl_gen_compcov(tcg_ctx, s->pc, tmp, tmp2, MO_32, 0);
+             rd = 16;
+             break;
+         case 0xb: /* cmn */
 diff --git a/qemu/target-i386/translate.c b/qemu/target-i386/translate.c
 index 36fae09..196d346 100644
 --- a/qemu/target-i386/translate.c
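Review bot: The two `gen_thumb2_data_op` call sites in the nested translate.c patch pass `insn & (1 << 10)` as `has_imm`, but that bit does not appear to encode whether the second operand is an immediate: the first site follows `gen_arm_shift_im(s, tmp2, shiftop, shift, logic_cc);`, i.e. the shifted-register path where the operand is a register, and the second sits in the immediate path where the operand is always an immediate. If that reading of the Thumb-2 encoding holds, pass constant `0` and `1` there, as the 16-bit Thumb sites already do with `afl_gen_compcov(tcg_ctx, s->pc, tmp, tmp2, MO_32, 1)` and `..., 0)`. The brace style is also asymmetric in the `case 13: /* sub */`, `case 14: /* rsb */` and the two `disas_thumb_insn` sub sites, with `if (conds) { ... } else` followed by an unbraced statement; brace both arms so a later added line cannot fall outside the else. Every function touched here starts and ends outside the hunk.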