diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index fd36425..992bf17 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -39,6 +39,8 @@
#include "translate-a64.h"
#include "qemu/atomic128.h"
+#include "../patches/afl-qemu-cpu-translate-inl.h"
+
static TCGv_i64 cpu_X[32];
static TCGv_i64 cpu_pc;
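Review bot: The new include uses a relative path that escapes the target directory, `#include "../patches/afl-qemu-cpu-translate-inl.h"`, which ties translate-a64.c to the layout of the patch tree rather than to the include search path the other includes in this hunk rely on. Suggest adding the patches directory to the include path in the build and writing `#include "afl-qemu-cpu-translate-inl.h"` instead, so the file still compiles if the patch directory moves. A one-line comment above the include naming what the header provides (the compcov helper and the per-instruction snippet used later in this diff) would also help a reader of the upstream file.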
@@ -3365,6 +3367,12 @@ static void disas_add_sub_imm(DisasContext *s, uint32_t insn)
return;
}
+ if (rd == 31 && sub_op) { // cmp xX, imm
+ TCGv_i64 tcg_imm = tcg_const_i64(imm);
+ afl_gen_compcov(s->pc, tcg_rn, tcg_imm, is_64bit ? MO_64 : MO_32, 1);
+ tcg_temp_free_i64(tcg_imm);
+ }
+
tcg_result = tcg_temp_new_i64();
if (!setflags) {
if (sub_op) {
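Review bot: The guard `if (rd == 31 && sub_op) { // cmp xX, imm` does not test `setflags`, yet in the ADD/SUB (immediate) encoding rd == 31 without the S bit names SP as the destination, so a plain `sub sp, xN, #imm` would be reported to compcov as a comparison although no compare takes place; `setflags` is the local this function tests just below (`if (!setflags)`), so the guard should read `if (rd == 31 && sub_op && setflags) { // cmp xX, imm`. The same holds for the extended-register form in the `disas_add_sub_ext_reg` hunk, where rd == 31 is likewise SP when flags are not set, so that guard should also include `setflags` (assuming the same local exists there, as it does in QEMU's decoder). The shifted-register hunk (`disas_add_sub_reg`) would benefit for consistency, though there rd == 31 is always XZR and the mismatch only costs a spurious compcov entry. The body of disas_add_sub_imm starts and ends outside this hunk.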
@@ -3972,6 +3980,9 @@ static void disas_add_sub_ext_reg(DisasContext *s, uint32_t insn)
tcg_rm = read_cpu_reg(s, rm, sf);
ext_and_shift_reg(tcg_rm, tcg_rm, option, imm3);
+
+ if (rd == 31 && sub_op) // cmp xX, xY
+ afl_gen_compcov(s->pc, tcg_rn, tcg_rm, sf ? MO_64 : MO_32, 0);
tcg_result = tcg_temp_new_i64();
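Review bot: The added `if (rd == 31 && sub_op) // cmp xX, xY` is an unbraced single-statement body with a trailing line comment, which is the shape that invites the next edit to silently add a second statement outside the condition; QEMU's style braces every control body. Suggest `if (rd == 31 && sub_op) { /* cmp xX, xY */` with a closing `}` after the `afl_gen_compcov` call, and the same for the identical guard in the `disas_add_sub_reg` hunk. disas_add_sub_ext_reg starts and ends outside this hunk.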
@@ -4037,6 +4048,9 @@ static void disas_add_sub_reg(DisasContext *s, uint32_t insn)
shift_reg_imm(tcg_rm, tcg_rm, sf, shift_type, imm6);
+ if (rd == 31 && sub_op) // cmp xX, xY
+ afl_gen_compcov(s->pc, tcg_rn, tcg_rm, sf ? MO_64 : MO_32, 0);
+
tcg_result = tcg_temp_new_i64();
if (!setflags) {
@@ -4246,6 +4260,8 @@ static void disas_cc(DisasContext *s, uint32_t insn)
tcg_y = cpu_reg(s, y);
}
tcg_rn = cpu_reg(s, rn);
+
+ afl_gen_compcov(s->pc, tcg_rn, tcg_y, sf ? MO_64 : MO_32, is_imm);
/* Set the flags for the new comparison. */
tcg_tmp = tcg_temp_new_i64();
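Review bot: `afl_gen_compcov(s->pc, tcg_rn, tcg_y, ...)` is emitted for every instruction disas_cc decodes, but this function handles both CCMP (subtract) and CCMN (add) — QEMU distinguishes them with an `op` bit decoded earlier in the function, not visible in this hunk — and for CCMN the operands are summed, so handing compcov rn and y as if they were compared directly gives it the wrong pair of values for the add form. Suggest guarding the call on the subtract form, `if (op) { afl_gen_compcov(...); }`, or negating y for the add form before the call, whichever matches how the compcov helper interprets its operands. Since the TCG is emitted at translation time, compcov also sees the operands whether or not the condition is later taken; a short comment stating that would save the next reader a detour. disas_cc starts and ends outside this hunk.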
@@ -13317,6 +13333,8 @@ static void disas_data_proc_simd_fp(DisasContext *s, uint32_t insn)
static void disas_a64_insn(CPUARMState *env, DisasContext *s)
{
uint32_t insn;
+
+ AFL_QEMU_TARGET_ARM64_SNIPPET
insn = arm_ldl_code(env, s->pc, s->sctlr_b);
s->insn = insn;
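Review bot: `AFL_QEMU_TARGET_ARM64_SNIPPET` is placed as a bare statement with no trailing semicolon and no comment, so a reader of translate-a64.c cannot tell whether it expands to declarations, statements, or a block, nor why it runs before `arm_ldl_code` fetches the instruction. If the macro expands to statements, the conventional shape is a `do { ... } while (0)` body in the header and `AFL_QEMU_TARGET_ARM64_SNIPPET;` here; either way a one-line comment such as `/* AFL: per-instruction hook, runs before the insn at s->pc is fetched */` would document the placement. disas_a64_insn continues beyond this hunk.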