authorAndrea Fioraldi <andreafioraldi@gmail.com>2019-08-27 20:57:52 +0200
committerAndrea Fioraldi <andreafioraldi@gmail.com>2019-08-27 20:57:52 +0200
commitbec9b307db299b586c2574031d3cc1a491dc00c3 (patch)
tree9454b4e4dc96fdc71e3b32d206ac47cd9f9dc092
parent10df5ad0ac3dcff705f6932487fecbdaf690e1f0 (diff)
downloadafl++-bec9b307db299b586c2574031d3cc1a491dc00c3.tar.gz
neverzero qemu for x86/x86_64
-rw-r--r--config.h4
-rw-r--r--qemu_mode/patches/afl-qemu-translate-inl.h18
2 files changed, 20 insertions, 2 deletions
diff --git a/config.h b/config.h
index 37a2a794..29c33d46 100644
--- a/config.h
+++ b/config.h
@@ -339,6 +339,10 @@
 #define  CTEST_CORE_TRG_MS  1000
 #define  CTEST_BUSY_CYCLES  (10 * 1000 * 1000)
 
+/* Enable NeverZero counters in QEMU mode */
+
+#define AFL_QEMU_NOT_ZERO
+
 /* Uncomment this to use inferior block-coverage-based instrumentation. Note
    that you need to recompile the target binary for this to have any effect: */
 
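Review bot: The new define is unconditional and its comment does not say that it is meant to be toggled, so a reader of config.h cannot tell whether removing it is supported; I would extend the comment to `/* Enable NeverZero counters in QEMU mode (comment out to restore plain wrapping counters) */`. The comment also calls the feature "NeverZero" while the macro is spelled `AFL_QEMU_NOT_ZERO`; using one name in both places would make it easier to grep for. Whether config.h is actually visible to the QEMU patch that tests this macro cannot be confirmed from this hunk.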
diff --git a/qemu_mode/patches/afl-qemu-translate-inl.h b/qemu_mode/patches/afl-qemu-translate-inl.h
index bfb2897e..9c3580e5 100644
--- a/qemu_mode/patches/afl-qemu-translate-inl.h
+++ b/qemu_mode/patches/afl-qemu-translate-inl.h
@@ -42,11 +42,25 @@ extern abi_ulong afl_start_code, afl_end_code;
 
 void tcg_gen_afl_maybe_log_call(target_ulong cur_loc);
 
-void afl_maybe_log(target_ulong cur_loc) { 
+void afl_maybe_log(target_ulong cur_loc) {
 
   static __thread abi_ulong prev_loc;
 
-  afl_area_ptr[cur_loc ^ prev_loc]++;
+  register target_ulong afl_idx = cur_loc ^ prev_loc;
+
+#if (defined(__x86_64__) || defined(__i386__)) && defined(AFL_QEMU_NOT_ZERO)
+  asm volatile (
+    "incb (%0, %1, 1)\n"
+    "seto %%al\n"
+    "addb %%al, (%0, %1, 1)\n"
+    : /* no out */
+    : "r" (afl_area_ptr), "r" (afl_idx)
+    : "memory", "eax"
+  );
+#else
+  afl_area_ptr[afl_idx]++;
+#endif
+
   prev_loc = cur_loc >> 1;
 
 }
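Review bot: The `seto %%al` / `addb %%al` pair in the new asm does not implement NeverZero: `incb` raises OF on signed overflow (0x7f -> 0x80), not on the unsigned wrap 0xff -> 0x00 (and `inc` leaves CF untouched), so a counter at 127 is bumped to 129 while a counter at 255 still wraps to 0, which is exactly the case the feature exists to avoid. Using the carry flag instead gives the intended saturating behaviour: replace the three instructions with `"addb $1, (%0, %1, 1)\n"` and `"adcb $0, (%0, %1, 1)\n"`, after which the `"eax"` clobber is no longer needed. Separately, `afl_idx` is declared as `target_ulong`; if that type is narrower than a host register (a 32-bit guest on an x86_64 host), the `(%0, %1, 1)` addressing mode mixes a 64-bit base with a 32-bit index and the assembler will reject it, so `register uintptr_t afl_idx = cur_loc ^ prev_loc;` is the safer declaration. A short comment above the asm stating the invariant, e.g. `/* NeverZero: saturate at 1 on wrap so a hit is never recorded as 0 */`, would help the next reader.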