afl++ 2.52c initial commit

1 files changed, 54 insertions, 0 deletions

diff --git a/qemu_mode/patches/cpu-exec.diff b/qemu_mode/patches/cpu-exec.diff
new file mode 100644
index 00000000..754bf9ef
--- /dev/null
+++ b/qemu_mode/patches/cpu-exec.diff
@@ -0,0 +1,54 @@
+--- qemu-2.10.0-clean/accel/tcg/cpu-exec.c	2017-08-30 18:50:40.000000000 +0200
++++ qemu-2.10.0/accel/tcg/cpu-exec.c	2018-09-22 13:21:23.612068407 +0200
+@@ -36,6 +36,8 @@
+ #include "sysemu/cpus.h"
+ #include "sysemu/replay.h"
+ 
++#include "../patches/afl-qemu-cpu-inl.h"
++
+ /* -icount align implementation. */
+ 
+ typedef struct SyncClocks {
+@@ -144,6 +146,8 @@
+     int tb_exit;
+     uint8_t *tb_ptr = itb->tc_ptr;
+ 
++    AFL_QEMU_CPU_SNIPPET2;
++
+     qemu_log_mask_and_addr(CPU_LOG_EXEC, itb->pc,
+                            "Trace %p [%d: " TARGET_FMT_lx "] %s\n",
+                            itb->tc_ptr, cpu->cpu_index, itb->pc,
+@@ -337,7 +341,7 @@
+     TranslationBlock *tb;
+     target_ulong cs_base, pc;
+     uint32_t flags;
+-    bool have_tb_lock = false;
++    bool have_tb_lock = false, was_translated = false, was_chained = false;
+ 
+     /* we record a subset of the CPU state. It will
+        always be the same before a given translated block
+@@ -365,6 +369,7 @@
+             if (!tb) {
+                 /* if no translated code available, then translate it now */
+                 tb = tb_gen_code(cpu, pc, cs_base, flags, 0);
++                was_translated = true;
+             }
+ 
+             mmap_unlock();
+@@ -390,11 +395,16 @@
+         }
+         if (!tb->invalid) {
+             tb_add_jump(last_tb, tb_exit, tb);
++            was_chained = true;
+         }
+     }
+     if (have_tb_lock) {
+         tb_unlock();
+     }
++    if (was_translated || was_chained) {
++        afl_request_tsl(pc, cs_base, flags, was_chained ? last_tb : NULL,
++                        tb_exit);
++    }
+     return tb;
+ }
+