alwin.berger/FRET-qemu
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

merge into: alwin.berger:wcet_system
Branches Tags
alwin.berger:wcet_system
alwin.berger:fret_153
alwin.berger:fret_141
alwin.berger:fret_update_130
alwin.berger:standalone_icount_measure
alwin.berger:fret_update_112
alwin.berger:fret_update_111
alwin.berger:fret_v3
alwin.berger:fret_v2
alwin.berger:v6.1.1-libafl-backport
alwin.berger:6.1.1-instument
alwin.berger:6.2.0-instrum
alwin.berger:old_master_fix_insns
alwin.berger:eval_24-11-11
alwin.berger:working_0.10.1_port
alwin.berger:submitted
...
pull from: alwin.berger:6.1.1-instument
Branches Tags
alwin.berger:fret_153
alwin.berger:fret_141
alwin.berger:fret_update_130
alwin.berger:standalone_icount_measure
alwin.berger:fret_update_112
alwin.berger:fret_update_111
alwin.berger:fret_v3
alwin.berger:fret_v2
alwin.berger:wcet_system
alwin.berger:v6.1.1-libafl-backport
alwin.berger:6.1.1-instument
alwin.berger:6.2.0-instrum
alwin.berger:old_master_fix_insns
alwin.berger:eval_24-11-11
alwin.berger:working_0.10.1_port
alwin.berger:submitted

7 Commits
wcet_syste ... 6.1.1-inst

Author SHA1 Message Date
Alwin Berger
5288d4210f return success from snapshots 2022-01-03 23:39:05 +01:00
Alwin Berger
9658746a0c port libafl instrumentation 2022-01-03 16:36:09 +01:00
Alwin Berger
11e5d5be6a add physical memory access 2022-01-03 00:13:33 +01:00
Alwin Berger
18a87dfe40 config, renaming, no flush on load 2022-01-02 18:44:48 +01:00
Alwin Berger
1576aa029a build as shared lib 2022-01-01 20:59:57 +01:00
Alwin Berger
ae0e744998 demo break+snapshot workflow 2021-12-28 22:14:13 +01:00
Alwin Berger
c26a334f7a Nix boilerplate 2021-12-28 13:11:57 +01:00
15 changed files with 997 additions and 33 deletions
Show Stats Expand all files Collapse all files

1
.envrc Normal file
View File

@ -0,0 +1 @@
use_nix shell.nix

4
.gitignore vendored
View File

@ -15,3 +15,7 @@ GTAGS
*.depend_raw
*.swp
*.patch
.ccls*
.direnv
.vscode
.cache

30
accel/tcg/cpu-exec.c
View File

@ -851,6 +851,14 @@ static inline void cpu_loop_exec_tb(CPUState *cpu, TranslationBlock *tb,
#endif
}
//// --- Begin LibAFL code ---
TranslationBlock *libafl_gen_edge(CPUState *cpu, target_ulong src_block,
target_ulong dst_block, target_ulong cs_base,
uint32_t flags, int cflags);
//// --- End LibAFL code ---
/* main execution loop */
int cpu_exec(CPUState *cpu)
@ -964,7 +972,27 @@ int cpu_exec(CPUState *cpu)
#endif
/* See if we can patch the calling TB. */
if (last_tb) {
tb_add_jump(last_tb, tb_exit, tb);
// tb_add_jump(last_tb, tb_exit, tb);
//// --- Begin LibAFL code ---
if (last_tb->jmp_reset_offset[1] != TB_JMP_RESET_OFFSET_INVALID) {
mmap_lock();
TranslationBlock *edge = libafl_gen_edge(cpu, last_tb->pc, tb->pc,
cs_base, flags, cflags);
mmap_unlock();
if (edge) {
tb_add_jump(last_tb, tb_exit, edge);
tb_add_jump(edge, 0, tb);
} else {
tb_add_jump(last_tb, tb_exit, tb);
}
} else {
tb_add_jump(last_tb, tb_exit, tb);
}
//// --- End LibAFL code ---
}
cpu_loop_exec_tb(cpu, tb, &last_tb, &tb_exit);

505
accel/tcg/translate-all.c
View File

@ -61,6 +61,375 @@
#include "tb-context.h"
#include "internal.h"
//// --- Begin LibAFL code ---
#include "tcg/tcg-op.h"
#include "tcg/tcg-internal.h"
#include "exec/helper-head.h"
void libafl_helper_table_add(TCGHelperInfo* info);
TranslationBlock *libafl_gen_edge(CPUState *cpu, target_ulong src_block,
target_ulong dst_block, target_ulong cs_base,
uint32_t flags, int cflags);
void libafl_gen_read(TCGv addr, MemOp ot);
void libafl_gen_read_N(TCGv addr, uint32_t size);
void libafl_gen_write(TCGv addr, MemOp ot);
void libafl_gen_write_N(TCGv addr, uint32_t size);
void libafl_gen_cmp(target_ulong pc, TCGv op0, TCGv op1, MemOp ot);
void (*libafl_exec_edge_hook)(uint64_t id);
uint64_t (*libafl_gen_edge_hook)(uint64_t src, uint64_t dst);
static TCGHelperInfo libafl_exec_edge_hook_info = {
.func = NULL, .name = "libafl_exec_edge_hook", \
.flags = dh_callflag(void), \
.typemask = dh_typemask(void, 0) | dh_typemask(i64, 1)
};
static int exec_edge_hook_added = 0;
void (*libafl_exec_block_hook)(uint64_t id);
uint64_t (*libafl_gen_block_hook)(uint64_t pc);
static TCGHelperInfo libafl_exec_block_hook_info = {
.func = NULL, .name = "libafl_exec_block_hook", \
.flags = dh_callflag(void), \
.typemask = dh_typemask(void, 0) | dh_typemask(i64, 1)
};
static int exec_block_hook_added = 0;
void (*libafl_exec_read_hook1)(uint64_t id, uint64_t addr);
void (*libafl_exec_read_hook2)(uint64_t id, uint64_t addr);
void (*libafl_exec_read_hook4)(uint64_t id, uint64_t addr);
void (*libafl_exec_read_hook8)(uint64_t id, uint64_t addr);
void (*libafl_exec_read_hookN)(uint64_t id, uint64_t addr, uint32_t size);
uint64_t (*libafl_gen_read_hook)(uint32_t size);
static TCGHelperInfo libafl_exec_read_hook1_info = {
.func = NULL, .name = "libafl_exec_read_hook1", \
.flags = dh_callflag(void), \
.typemask = dh_typemask(void, 0) | dh_typemask(tl, 1)
};
static TCGHelperInfo libafl_exec_read_hook2_info = {
.func = NULL, .name = "libafl_exec_read_hook2", \
.flags = dh_callflag(void), \
.typemask = dh_typemask(void, 0) | dh_typemask(tl, 1)
};
static TCGHelperInfo libafl_exec_read_hook4_info = {
.func = NULL, .name = "libafl_exec_read_hook4", \
.flags = dh_callflag(void), \
.typemask = dh_typemask(void, 0) | dh_typemask(tl, 1)
};
static TCGHelperInfo libafl_exec_read_hook8_info = {
.func = NULL, .name = "libafl_exec_read_hook8", \
.flags = dh_callflag(void), \
.typemask = dh_typemask(void, 0) | dh_typemask(tl, 1)
};
static TCGHelperInfo libafl_exec_read_hookN_info = {
.func = NULL, .name = "libafl_exec_read_hookN", \
.flags = dh_callflag(void), \
.typemask = dh_typemask(void, 0) | dh_typemask(tl, 1) | dh_typemask(i32, 2)
};
static int exec_read_hook_added = 0;
void libafl_gen_read(TCGv addr, MemOp ot)
{
uint32_t size = 0;
void* func = NULL;
switch (ot & MO_SIZE) {
case MO_64:
size = 8;
func = libafl_exec_read_hook8;
break;
case MO_32:
size = 4;
func = libafl_exec_read_hook4;
break;
case MO_16:
size = 2;
func = libafl_exec_read_hook2;
break;
case MO_8:
size = 1;
func = libafl_exec_read_hook1;
break;
default:
return;
}
uint32_t libafl_id = 0;
if (libafl_gen_read_hook)
libafl_id = libafl_gen_read_hook(size);
if (func && libafl_id != (uint32_t)-1) {
if (!exec_read_hook_added) {
exec_read_hook_added = 1;
libafl_exec_read_hook1_info.func = libafl_exec_read_hook1;
libafl_helper_table_add(&libafl_exec_read_hook1_info);
libafl_exec_read_hook2_info.func = libafl_exec_read_hook2;
libafl_helper_table_add(&libafl_exec_read_hook2_info);
libafl_exec_read_hook4_info.func = libafl_exec_read_hook4;
libafl_helper_table_add(&libafl_exec_read_hook4_info);
libafl_exec_read_hook8_info.func = libafl_exec_read_hook8;
libafl_helper_table_add(&libafl_exec_read_hook8_info);
libafl_exec_read_hookN_info.func = libafl_exec_read_hookN;
libafl_helper_table_add(&libafl_exec_read_hookN_info);
}
TCGv_i64 tmp0 = tcg_const_i64(libafl_id);
TCGTemp *tmp1[2] = { tcgv_i64_temp(tmp0),
#if TARGET_LONG_BITS == 32
tcgv_i32_temp(addr) };
#else
tcgv_i64_temp(addr) };
#endif
tcg_gen_callN(func, NULL, 2, tmp1);
tcg_temp_free_i64(tmp0);
}
}
void libafl_gen_read_N(TCGv addr, uint32_t size)
{
uint32_t libafl_id = 0;
if (libafl_gen_read_hook)
libafl_id = libafl_gen_read_hook(size);
if (libafl_id != (uint32_t)-1) {
if (!exec_read_hook_added) {
exec_read_hook_added = 1;
libafl_exec_read_hook1_info.func = libafl_exec_read_hook1;
libafl_helper_table_add(&libafl_exec_read_hook1_info);
libafl_exec_read_hook2_info.func = libafl_exec_read_hook2;
libafl_helper_table_add(&libafl_exec_read_hook2_info);
libafl_exec_read_hook4_info.func = libafl_exec_read_hook4;
libafl_helper_table_add(&libafl_exec_read_hook4_info);
libafl_exec_read_hook8_info.func = libafl_exec_read_hook8;
libafl_helper_table_add(&libafl_exec_read_hook8_info);
libafl_exec_read_hookN_info.func = libafl_exec_read_hookN;
libafl_helper_table_add(&libafl_exec_read_hookN_info);
}
TCGv_i64 tmp0 = tcg_const_i64(libafl_id);
TCGv_i32 tmp1 = tcg_const_i32(size);
TCGTemp *tmp2[3] = { tcgv_i64_temp(tmp0),
#if TARGET_LONG_BITS == 32
tcgv_i32_temp(addr),
#else
tcgv_i64_temp(addr),
#endif
tcgv_i32_temp(tmp1)
};
tcg_gen_callN(libafl_exec_read_hookN, NULL, 3, tmp2);
tcg_temp_free_i32(tmp1);
tcg_temp_free_i64(tmp0);
}
}
void (*libafl_exec_write_hook1)(uint64_t id, uint64_t addr);
void (*libafl_exec_write_hook2)(uint64_t id, uint64_t addr);
void (*libafl_exec_write_hook4)(uint64_t id, uint64_t addr);
void (*libafl_exec_write_hook8)(uint64_t id, uint64_t addr);
void (*libafl_exec_write_hookN)(uint64_t id, uint64_t addr, uint32_t size);
uint64_t (*libafl_gen_write_hook)(uint32_t size);
static TCGHelperInfo libafl_exec_write_hook1_info = {
.func = NULL, .name = "libafl_exec_write_hook1", \
.flags = dh_callflag(void), \
.typemask = dh_typemask(void, 0) | dh_typemask(tl, 1)
};
static TCGHelperInfo libafl_exec_write_hook2_info = {
.func = NULL, .name = "libafl_exec_write_hook2", \
.flags = dh_callflag(void), \
.typemask = dh_typemask(void, 0) | dh_typemask(tl, 1)
};
static TCGHelperInfo libafl_exec_write_hook4_info = {
.func = NULL, .name = "libafl_exec_write_hook4", \
.flags = dh_callflag(void), \
.typemask = dh_typemask(void, 0) | dh_typemask(tl, 1)
};
static TCGHelperInfo libafl_exec_write_hook8_info = {
.func = NULL, .name = "libafl_exec_write_hook8", \
.flags = dh_callflag(void), \
.typemask = dh_typemask(void, 0) | dh_typemask(tl, 1)
};
static TCGHelperInfo libafl_exec_write_hookN_info = {
.func = NULL, .name = "libafl_exec_write_hookN", \
.flags = dh_callflag(void), \
.typemask = dh_typemask(void, 0) | dh_typemask(tl, 1) | dh_typemask(i32, 2)
};
static int exec_write_hook_added = 0;
void libafl_gen_write(TCGv addr, MemOp ot)
{
uint32_t size = 0;
void* func = NULL;
switch (ot & MO_SIZE) {
case MO_64:
size = 8;
func = libafl_exec_write_hook8;
break;
case MO_32:
size = 4;
func = libafl_exec_write_hook4;
break;
case MO_16:
size = 2;
func = libafl_exec_write_hook2;
break;
case MO_8:
size = 1;
func = libafl_exec_write_hook1;
break;
default:
return;
}
uint32_t libafl_id = 0;
if (libafl_gen_write_hook)
libafl_id = libafl_gen_write_hook(size);
if (func && libafl_id != (uint32_t)-1) {
if (!exec_write_hook_added) {
exec_write_hook_added = 1;
libafl_exec_write_hook1_info.func = libafl_exec_write_hook1;
libafl_helper_table_add(&libafl_exec_write_hook1_info);
libafl_exec_write_hook2_info.func = libafl_exec_write_hook2;
libafl_helper_table_add(&libafl_exec_write_hook2_info);
libafl_exec_write_hook4_info.func = libafl_exec_write_hook4;
libafl_helper_table_add(&libafl_exec_write_hook4_info);
libafl_exec_write_hook8_info.func = libafl_exec_write_hook8;
libafl_helper_table_add(&libafl_exec_write_hook8_info);
libafl_exec_write_hookN_info.func = libafl_exec_write_hookN;
libafl_helper_table_add(&libafl_exec_write_hookN_info);
}
TCGv_i64 tmp0 = tcg_const_i64(libafl_id);
TCGTemp *tmp1[2] = { tcgv_i64_temp(tmp0),
#if TARGET_LONG_BITS == 32
tcgv_i32_temp(addr) };
#else
tcgv_i64_temp(addr) };
#endif
tcg_gen_callN(func, NULL, 2, tmp1);
tcg_temp_free_i64(tmp0);
}
}
void libafl_gen_write_N(TCGv addr, uint32_t size)
{
uint32_t libafl_id = 0;
if (libafl_gen_write_hook)
libafl_id = libafl_gen_write_hook(size);
if (libafl_id != (uint32_t)-1) {
if (!exec_write_hook_added) {
exec_write_hook_added = 1;
libafl_exec_write_hook1_info.func = libafl_exec_write_hook1;
libafl_helper_table_add(&libafl_exec_write_hook1_info);
libafl_exec_write_hook2_info.func = libafl_exec_write_hook2;
libafl_helper_table_add(&libafl_exec_write_hook2_info);
libafl_exec_write_hook4_info.func = libafl_exec_write_hook4;
libafl_helper_table_add(&libafl_exec_write_hook4_info);
libafl_exec_write_hook8_info.func = libafl_exec_write_hook8;
libafl_helper_table_add(&libafl_exec_write_hook8_info);
libafl_exec_write_hookN_info.func = libafl_exec_write_hookN;
libafl_helper_table_add(&libafl_exec_write_hookN_info);
}
TCGv_i64 tmp0 = tcg_const_i64(libafl_id);
TCGv_i32 tmp1 = tcg_const_i32(size);
TCGTemp *tmp2[3] = { tcgv_i64_temp(tmp0),
#if TARGET_LONG_BITS == 32
tcgv_i32_temp(addr),
#else
tcgv_i64_temp(addr),
#endif
tcgv_i32_temp(tmp1)
};
tcg_gen_callN(libafl_exec_write_hookN, NULL, 3, tmp2);
tcg_temp_free_i32(tmp1);
tcg_temp_free_i64(tmp0);
}
}
void (*libafl_exec_cmp_hook1)(uint64_t id, uint8_t v0, uint8_t v1);
void (*libafl_exec_cmp_hook2)(uint64_t id, uint16_t v0, uint16_t v1);
void (*libafl_exec_cmp_hook4)(uint64_t id, uint32_t v0, uint32_t v1);
void (*libafl_exec_cmp_hook8)(uint64_t id, uint64_t v0, uint64_t v1);
uint64_t (*libafl_gen_cmp_hook)(uint64_t pc, uint32_t size);
static TCGHelperInfo libafl_exec_cmp_hook1_info = {
.func = NULL, .name = "libafl_exec_cmp_hook1", \
.flags = dh_callflag(void), \
.typemask = dh_typemask(void, 0) | dh_typemask(i32, 1)
| dh_typemask(tl, 2) | dh_typemask(tl, 3)
};
static TCGHelperInfo libafl_exec_cmp_hook2_info = {
.func = NULL, .name = "libafl_exec_cmp_hook2", \
.flags = dh_callflag(void), \
.typemask = dh_typemask(void, 0) | dh_typemask(i32, 1)
| dh_typemask(tl, 2) | dh_typemask(tl, 3)
};
static TCGHelperInfo libafl_exec_cmp_hook4_info = {
.func = NULL, .name = "libafl_exec_cmp_hook4", \
.flags = dh_callflag(void), \
.typemask = dh_typemask(void, 0) | dh_typemask(i32, 1)
| dh_typemask(tl, 2) | dh_typemask(tl, 3)
};
static TCGHelperInfo libafl_exec_cmp_hook8_info = {
.func = NULL, .name = "libafl_exec_cmp_hook8", \
.flags = dh_callflag(void), \
.typemask = dh_typemask(void, 0) | dh_typemask(i32, 1)
| dh_typemask(tl, 2) | dh_typemask(tl, 3)
};
static int exec_cmp_hook_added = 0;
void libafl_gen_cmp(target_ulong pc, TCGv op0, TCGv op1, MemOp ot)
{
uint32_t size = 0;
void* func = NULL;
switch (ot & MO_SIZE) {
case MO_64:
size = 8;
func = libafl_exec_cmp_hook8;
break;
case MO_32:
size = 4;
func = libafl_exec_cmp_hook4;
break;
case MO_16:
size = 2;
func = libafl_exec_cmp_hook2;
break;
case MO_8:
size = 1;
func = libafl_exec_cmp_hook1;
break;
default:
return;
}
uint32_t libafl_id = 0;
if (libafl_gen_cmp_hook)
libafl_id = libafl_gen_cmp_hook((uint64_t)pc, size);
if (func && libafl_id != (uint32_t)-1) {
if (!exec_cmp_hook_added) {
exec_cmp_hook_added = 1;
libafl_exec_cmp_hook1_info.func = libafl_exec_cmp_hook1;
libafl_helper_table_add(&libafl_exec_cmp_hook1_info);
libafl_exec_cmp_hook2_info.func = libafl_exec_cmp_hook2;
libafl_helper_table_add(&libafl_exec_cmp_hook2_info);
libafl_exec_cmp_hook4_info.func = libafl_exec_cmp_hook4;
libafl_helper_table_add(&libafl_exec_cmp_hook4_info);
libafl_exec_cmp_hook8_info.func = libafl_exec_cmp_hook8;
libafl_helper_table_add(&libafl_exec_cmp_hook8_info);
}
TCGv_i64 tmp0 = tcg_const_i64(libafl_id);
TCGTemp *tmp1[3] = { tcgv_i64_temp(tmp0),
#if TARGET_LONG_BITS == 32
tcgv_i32_temp(op0), tcgv_i32_temp(op1) };
#else
tcgv_i64_temp(op0), tcgv_i64_temp(op1) };
#endif
tcg_gen_callN(func, NULL, 3, tmp1);
tcg_temp_free_i64(tmp0);
}
}
//// --- End LibAFL code ---
/* #define DEBUG_TB_INVALIDATE */
/* #define DEBUG_TB_FLUSH */
/* make various TB consistency checks */
@ -1400,6 +1769,122 @@ tb_link_page(TranslationBlock *tb, tb_page_addr_t phys_pc,
return tb;
}
//// --- Begin LibAFL code ---
/* Called with mmap_lock held for user mode emulation. */
TranslationBlock *libafl_gen_edge(CPUState *cpu, target_ulong src_block,
target_ulong dst_block, target_ulong cs_base,
uint32_t flags, int cflags)
{
CPUArchState *env = cpu->env_ptr;
TranslationBlock *tb;
tcg_insn_unit *gen_code_buf;
int gen_code_size, search_size;
assert_memory_lock();
uint32_t libafl_id = 0;
if (libafl_gen_edge_hook)
libafl_id = libafl_gen_edge_hook((uint64_t)src_block, (uint64_t)dst_block);
if (!libafl_exec_edge_hook || libafl_id == (uint32_t)-1)
return NULL;
if (!exec_edge_hook_added) {
exec_edge_hook_added = 1;
libafl_exec_edge_hook_info.func = libafl_exec_edge_hook;
libafl_helper_table_add(&libafl_exec_edge_hook_info);
}
buffer_overflow1:
tb = tcg_tb_alloc(tcg_ctx);
if (unlikely(!tb)) {
/* flush must be done */
tb_flush(cpu);
mmap_unlock();
/* Make the execution loop process the flush as soon as possible. */
cpu->exception_index = EXCP_INTERRUPT;
cpu_loop_exit(cpu);
}
libafl_exec_edge_hook(libafl_id);
gen_code_buf = tcg_ctx->code_gen_ptr;
tb->tc.ptr = gen_code_buf;
tb->pc = 0;
tb->cs_base = cs_base;
tb->flags = flags;
tb->cflags = cflags;
tb->trace_vcpu_dstate = *cpu->trace_dstate;
tcg_ctx->tb_cflags = 0;
tcg_func_start(tcg_ctx);
tcg_ctx->cpu = env_cpu(env);
TCGv_i64 tmp0 = tcg_const_i64(libafl_id);
TCGTemp *tmp1[1] = { tcgv_i64_temp(tmp0) };
tcg_gen_callN(libafl_exec_edge_hook, NULL, 1, tmp1);
tcg_temp_free_i64(tmp0);
tcg_gen_goto_tb(0);
tcg_gen_exit_tb(tb, 0);
tcg_ctx->cpu = NULL;
trace_translate_block(tb, tb->pc, tb->tc.ptr);
/* generate machine code */
tb->jmp_reset_offset[0] = TB_JMP_RESET_OFFSET_INVALID;
tb->jmp_reset_offset[1] = TB_JMP_RESET_OFFSET_INVALID;
tcg_ctx->tb_jmp_reset_offset = tb->jmp_reset_offset;
if (TCG_TARGET_HAS_direct_jump) {
tcg_ctx->tb_jmp_insn_offset = tb->jmp_target_arg;
tcg_ctx->tb_jmp_target_addr = NULL;
} else {
tcg_ctx->tb_jmp_insn_offset = NULL;
tcg_ctx->tb_jmp_target_addr = tb->jmp_target_arg;
}
/* ??? Overflow could be handled better here. In particular, we
don't need to re-do gen_intermediate_code, nor should we re-do
the tcg optimization currently hidden inside tcg_gen_code. All
that should be required is to flush the TBs, allocate a new TB,
re-initialize it per above, and re-do the actual code generation. */
gen_code_size = tcg_gen_code(tcg_ctx, tb);
if (unlikely(gen_code_size < 0)) {
goto buffer_overflow1;
}
search_size = encode_search(tb, (void *)gen_code_buf + gen_code_size);
if (unlikely(search_size < 0)) {
goto buffer_overflow1;
}
tb->tc.size = gen_code_size;
qatomic_set(&tcg_ctx->code_gen_ptr, (void *)
ROUND_UP((uintptr_t)gen_code_buf + gen_code_size + search_size,
CODE_GEN_ALIGN));
/* init jump list */
qemu_spin_init(&tb->jmp_lock);
tb->jmp_list_head = (uintptr_t)NULL;
tb->jmp_list_next[0] = (uintptr_t)NULL;
tb->jmp_list_next[1] = (uintptr_t)NULL;
tb->jmp_dest[0] = (uintptr_t)NULL;
tb->jmp_dest[1] = (uintptr_t)NULL;
/* init original jump addresses which have been set during tcg_gen_code() */
if (tb->jmp_reset_offset[0] != TB_JMP_RESET_OFFSET_INVALID) {
tb_reset_jump(tb, 0);
}
if (tb->jmp_reset_offset[1] != TB_JMP_RESET_OFFSET_INVALID) {
tb_reset_jump(tb, 1);
}
return tb;
}
//// --- End LibAFL code ---
/* Called with mmap_lock held for user mode emulation. */
TranslationBlock *tb_gen_code(CPUState *cpu,
target_ulong pc, target_ulong cs_base,
@ -1467,6 +1952,26 @@ TranslationBlock *tb_gen_code(CPUState *cpu,
tcg_func_start(tcg_ctx);
tcg_ctx->cpu = env_cpu(env);
//// --- Begin LibAFL code ---
uint32_t libafl_id = 0;
if (libafl_gen_block_hook)
libafl_id = libafl_gen_block_hook((uint64_t)pc);
if (libafl_exec_block_hook && libafl_id != (uint32_t)-1) {
if (!exec_block_hook_added) {
exec_block_hook_added = 1;
libafl_exec_block_hook_info.func = libafl_exec_block_hook;
libafl_helper_table_add(&libafl_exec_block_hook_info);
}
TCGv_i64 tmp0 = tcg_const_i64((uint64_t)pc);
TCGTemp *tmp1[1] = { tcgv_i64_temp(tmp0) };
tcg_gen_callN(libafl_exec_block_hook, NULL, 1, tmp1);
tcg_temp_free_i64(tmp0);
}
//// --- End LibAFL code ---
gen_intermediate_code(cpu, tb, max_insns);
assert(tb->size != 0);
tcg_ctx->cpu = NULL;

31
accel/tcg/translator.c
View File

@ -18,6 +18,22 @@
#include "exec/plugin-gen.h"
#include "sysemu/replay.h"
//// --- Begin LibAFL code ---
#include "tcg/tcg-internal.h"
struct libafl_hook {
target_ulong addr;
void (*callback)(uint64_t);
uint64_t value;
TCGHelperInfo helper_info;
struct libafl_hook* next;
};
extern struct libafl_hook* libafl_qemu_hooks;
//// --- End LibAFL code ---
/* Pairs with tcg_clear_temp_count.
To be called by #TranslatorOps.{translate_insn,tb_stop} if
(1) the target is sufficiently clean to support reporting,
@ -79,6 +95,21 @@ void translator_loop(const TranslatorOps *ops, DisasContextBase *db,
plugin_gen_insn_start(cpu, db);
}
//// --- Begin LibAFL code ---
struct libafl_hook* hk = libafl_qemu_hooks;
while (hk) {
if (hk->addr == db->pc_next) {
TCGv_i64 tmp0 = tcg_const_i64(hk->value);
TCGTemp *tmp1[1] = { tcgv_i64_temp(tmp0) };
tcg_gen_callN(hk->callback, NULL, 1, tmp1);
tcg_temp_free_i64(tmp0);
}
hk = hk->next;
}
//// --- End LibAFL code ---
/* Disassemble one instruction. The translate_insn hook should
update db->pc_next and db->is_jmp to indicate what should be
done next -- either exiting this loop or locate the start of

19
configure vendored
View File

@ -835,6 +835,8 @@ if test "$mingw32" = "yes" ; then
fi
werror=""
as_shared_lib="no"
as_static_lib="no"
for opt do
optarg=$(expr "x$opt" : 'x[^=]*=\(.*\)')
@ -1581,6 +1583,16 @@ for opt do
;;
--disable-slirp-smbd) slirp_smbd=no
;;
--as-shared-lib)
as_shared_lib="yes"
QEMU_CFLAGS="$QEMU_CFLAGS -fPIC -DAS_LIB=1"
QEMU_CXXFLAGS="$QEMU_CXXFLAGS -fPIC -DAS_LIB=1"
;;
--as-static-lib)
as_static_lib="yes"
QEMU_CFLAGS="$QEMU_CFLAGS -fPIC -DAS_LIB=1"
QEMU_CXXFLAGS="$QEMU_CXXFLAGS -fPIC -DAS_LIB=1"
;;
*)
echo "ERROR: unknown option $opt"
echo "Try '$0 --help' for more information"
@ -4919,6 +4931,13 @@ if test "$secret_keyring" = "yes" ; then
echo "CONFIG_SECRET_KEYRING=y" >> $config_host_mak
fi
if test "$as_shared_lib" = "yes" ; then
echo "AS_SHARED_LIB=y" >> $config_host_mak
fi
if test "$as_static_lib" = "yes" ; then
echo "AS_STATIC_LIB=y" >> $config_host_mak
fi
echo "ROMS=$roms" >> $config_host_mak
echo "MAKE=$make" >> $config_host_mak
echo "PYTHON=$python" >> $config_host_mak

154
cpu.c
View File

@ -40,6 +40,140 @@
#include "hw/core/accel-cpu.h"
#include "trace/trace-root.h"
//// --- Begin LibAFL code ---
#include "tcg/tcg-op.h"
#include "tcg/tcg-internal.h"
#include "exec/helper-head.h"
struct libafl_hook {
target_ulong addr;
void (*callback)(uint64_t);
uint64_t value;
TCGHelperInfo helper_info;
struct libafl_hook* next;
};
struct libafl_hook* libafl_qemu_hooks = NULL;
__thread CPUArchState *libafl_qemu_env;
void libafl_helper_table_add(TCGHelperInfo* info);
static GByteArray *libafl_qemu_mem_buf = NULL;
int libafl_qemu_write_reg(int reg, uint8_t* val);
int libafl_qemu_read_reg(int reg, uint8_t* val);
int libafl_qemu_num_regs(void);
int libafl_qemu_set_hook(uint64_t addr, void (*callback)(uint64_t), uint64_t value);
int libafl_qemu_remove_hook(uint64_t addr);
int libafl_qemu_write_reg(int reg, uint8_t* val)
{
CPUState *cpu = current_cpu;
if (!cpu) {
cpu = env_cpu(libafl_qemu_env);
if (!cpu) {
return 0;
}
}
CPUClass *cc = CPU_GET_CLASS(cpu);
if (reg < cc->gdb_num_core_regs) {
return cc->gdb_write_register(cpu, val, reg);
}
return 0;
}
int libafl_qemu_read_reg(int reg, uint8_t* val)
{
CPUState *cpu = current_cpu;
if (!cpu) {
cpu = env_cpu(libafl_qemu_env);
if (!cpu) {
return 0;
}
}
if (libafl_qemu_mem_buf == NULL) {
libafl_qemu_mem_buf = g_byte_array_sized_new(64);
}
CPUClass *cc = CPU_GET_CLASS(cpu);
if (reg < cc->gdb_num_core_regs) {
g_byte_array_set_size(libafl_qemu_mem_buf, 0);
int len = cc->gdb_read_register(cpu, libafl_qemu_mem_buf, reg);
if (len > 0) {
memcpy(val, libafl_qemu_mem_buf->data, len);
}
return len;
}
return 0;
}
int libafl_qemu_num_regs(void)
{
CPUState *cpu = current_cpu;
if (!cpu) {
cpu = env_cpu(libafl_qemu_env);
if (!cpu) {
return 0;
}
}
CPUClass *cc = CPU_GET_CLASS(cpu);
return cc->gdb_num_core_regs;
}
void libafl_breakpoint_invalidate(CPUState *cpu, target_ulong pc);
int libafl_qemu_set_hook(uint64_t addr, void (*callback)(uint64_t), uint64_t value)
{
CPUState *cpu;
target_ulong pc = (target_ulong) addr;
CPU_FOREACH(cpu) {
libafl_breakpoint_invalidate(cpu, pc);
}
struct libafl_hook* hk = malloc(sizeof(struct libafl_hook));
hk->addr = pc;
hk->callback = callback;
hk->value = value;
hk->helper_info.func = callback;
hk->helper_info.name = "libafl_hook";
hk->helper_info.flags = dh_callflag(void);
hk->helper_info.typemask = dh_typemask(void, 0) | dh_typemask(i64, 1);
hk->next = libafl_qemu_hooks;
libafl_qemu_hooks = hk;
libafl_helper_table_add(&hk->helper_info);
return 1;
}
int libafl_qemu_remove_hook(uint64_t addr)
{
CPUState *cpu;
int r = 0;
target_ulong pc = (target_ulong) addr;
struct libafl_hook** hk = &libafl_qemu_hooks;
while (*hk) {
if ((*hk)->addr == pc) {
CPU_FOREACH(cpu) {
libafl_breakpoint_invalidate(cpu, pc);
}
*hk = (*hk)->next;
r = 1;
} else {
hk = &(*hk)->next;
}
}
return r;
}
//// --- End LibAFL code ---
uintptr_t qemu_host_page_size;
intptr_t qemu_host_page_mask;
@ -58,7 +192,7 @@ static int cpu_common_post_load(void *opaque, int version_id)
* memory we've translated code from. So we must flush all TBs,
* which will now be stale.
*/
tb_flush(cpu);
// tb_flush(cpu);
return 0;
}
@ -225,6 +359,15 @@ void tb_invalidate_phys_addr(target_ulong addr)
tb_invalidate_phys_page_range(addr, addr + 1);
mmap_unlock();
}
//// --- Begin LibAFL code ---
void libafl_breakpoint_invalidate(CPUState *cpu, target_ulong pc)
{
tb_invalidate_phys_addr(pc);
}
//// --- End LibAFL code ---
#else
void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr, MemTxAttrs attrs)
{
@ -245,6 +388,15 @@ void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr, MemTxAttrs attrs)
ram_addr = memory_region_get_ram_addr(mr) + addr;
tb_invalidate_phys_page_range(ram_addr, ram_addr + 1);
}
//// --- Begin LibAFL code ---
void libafl_breakpoint_invalidate(CPUState *cpu, target_ulong pc)
{
tb_flush(cpu);
}
//// --- End LibAFL code ---
#endif
/* Add a breakpoint. */

91
meson.build
View File

@ -1797,7 +1797,8 @@ if capstone_opt == 'internal'
build_by_default: false,
sources: capstone_files,
c_args: capstone_cargs,
include_directories: 'capstone/include')
include_directories: 'capstone/include',
pic: 'AS_SHARED_LIB' in config_host)
capstone = declare_dependency(link_with: libcapstone,
include_directories: 'capstone/include/capstone')
endif
@ -1877,7 +1878,8 @@ if have_system
build_by_default: false,
sources: slirp_files,
c_args: slirp_cargs,
include_directories: slirp_inc)
include_directories: slirp_inc,
pic: 'AS_SHARED_LIB' in config_host)
slirp = declare_dependency(link_with: libslirp,
dependencies: slirp_deps,
include_directories: slirp_inc)
@ -1934,7 +1936,8 @@ if have_system
libfdt = static_library('fdt',
build_by_default: false,
sources: fdt_files,
include_directories: fdt_inc)
include_directories: fdt_inc,
pic: 'AS_SHARED_LIB' in config_host)
fdt = declare_dependency(link_with: libfdt,
include_directories: fdt_inc)
endif
@ -2202,7 +2205,8 @@ util_ss.add_all(trace_ss)
util_ss = util_ss.apply(config_all, strict: false)
libqemuutil = static_library('qemuutil',
sources: util_ss.sources() + stub_ss.sources() + genh,
dependencies: [util_ss.dependencies(), libm, threads, glib, socket, malloc, pixman])
dependencies: [util_ss.dependencies(), libm, threads, glib, socket, malloc, pixman],
pic: 'AS_SHARED_LIB' in config_host)
qemuutil = declare_dependency(link_with: libqemuutil,
sources: genh + version_res)
@ -2267,7 +2271,8 @@ if get_option('b_lto')
pagevary_flags += '-fno-sanitize=cfi-icall'
endif
pagevary = static_library('page-vary-common', sources: pagevary,
c_args: pagevary_flags)
c_args: pagevary_flags,
pic: 'AS_SHARED_LIB' in config_host)
pagevary = declare_dependency(link_with: pagevary)
endif
common_ss.add(pagevary)
@ -2393,7 +2398,8 @@ if enable_modules
input: modinfo_files,
command: [modinfo_generate, '@INPUT@'],
capture: true)
modinfo_lib = static_library('modinfo', modinfo_src)
modinfo_lib = static_library('modinfo', modinfo_src,
pic: 'AS_SHARED_LIB' in config_host)
modinfo_dep = declare_dependency(link_whole: modinfo_lib)
softmmu_ss.add(modinfo_dep)
endif
@ -2412,7 +2418,8 @@ qemu_syms = custom_target('qemu.syms', output: 'qemu.syms',
qom_ss = qom_ss.apply(config_host, strict: false)
libqom = static_library('qom', qom_ss.sources() + genh,
dependencies: [qom_ss.dependencies()],
name_suffix: 'fa')
name_suffix: 'fa',
pic: 'AS_SHARED_LIB' in config_host)
qom = declare_dependency(link_whole: libqom)
@ -2420,7 +2427,8 @@ authz_ss = authz_ss.apply(config_host, strict: false)
libauthz = static_library('authz', authz_ss.sources() + genh,
dependencies: [authz_ss.dependencies()],
name_suffix: 'fa',
build_by_default: false)
build_by_default: false,
pic: 'AS_SHARED_LIB' in config_host)
authz = declare_dependency(link_whole: libauthz,
dependencies: qom)
@ -2429,7 +2437,8 @@ crypto_ss = crypto_ss.apply(config_host, strict: false)
libcrypto = static_library('crypto', crypto_ss.sources() + genh,
dependencies: [crypto_ss.dependencies()],
name_suffix: 'fa',
build_by_default: false)
build_by_default: false,
pic: 'AS_SHARED_LIB' in config_host)
crypto = declare_dependency(link_whole: libcrypto,
dependencies: [authz, qom])
@ -2439,13 +2448,15 @@ libio = static_library('io', io_ss.sources() + genh,
dependencies: [io_ss.dependencies()],
link_with: libqemuutil,
name_suffix: 'fa',
build_by_default: false)
build_by_default: false,
pic: 'AS_SHARED_LIB' in config_host)
io = declare_dependency(link_whole: libio, dependencies: [crypto, qom])
libmigration = static_library('migration', sources: migration_files + genh,
name_suffix: 'fa',
build_by_default: false)
build_by_default: false,
pic: 'AS_SHARED_LIB' in config_host)
migration = declare_dependency(link_with: libmigration,
dependencies: [zlib, qom, io])
softmmu_ss.add(migration)
@ -2455,7 +2466,8 @@ libblock = static_library('block', block_ss.sources() + genh,
dependencies: block_ss.dependencies(),
link_depends: block_syms,
name_suffix: 'fa',
build_by_default: false)
build_by_default: false,
pic: 'AS_SHARED_LIB' in config_host)
block = declare_dependency(link_whole: [libblock],
link_args: '@block.syms',
@ -2465,7 +2477,8 @@ blockdev_ss = blockdev_ss.apply(config_host, strict: false)
libblockdev = static_library('blockdev', blockdev_ss.sources() + genh,
dependencies: blockdev_ss.dependencies(),
name_suffix: 'fa',
build_by_default: false)
build_by_default: false,
pic: 'AS_SHARED_LIB' in config_host)
blockdev = declare_dependency(link_whole: [libblockdev],
dependencies: [block])
@ -2474,20 +2487,23 @@ qmp_ss = qmp_ss.apply(config_host, strict: false)
libqmp = static_library('qmp', qmp_ss.sources() + genh,
dependencies: qmp_ss.dependencies(),
name_suffix: 'fa',
build_by_default: false)
build_by_default: false,
pic: 'AS_SHARED_LIB' in config_host)
qmp = declare_dependency(link_whole: [libqmp])
libchardev = static_library('chardev', chardev_ss.sources() + genh,
name_suffix: 'fa',
dependencies: [gnutls],
build_by_default: false)
build_by_default: false,
pic: 'AS_SHARED_LIB' in config_host)
chardev = declare_dependency(link_whole: libchardev)
libhwcore = static_library('hwcore', sources: hwcore_files + genh,
name_suffix: 'fa',
build_by_default: false)
build_by_default: false,
pic: 'AS_SHARED_LIB' in config_host)
hwcore = declare_dependency(link_whole: libhwcore)
common_ss.add(hwcore)
@ -2515,7 +2531,8 @@ common_all = static_library('common',
sources: common_all.sources() + genh,
implicit_include_directories: false,
dependencies: common_all.dependencies(),
name_suffix: 'fa')
name_suffix: 'fa',
pic: 'AS_SHARED_LIB' in config_host)
feature_to_c = find_program('scripts/feature_to_c.sh')
@ -2609,7 +2626,8 @@ foreach target : target_dirs
include_directories: target_inc,
c_args: c_args,
build_by_default: false,
name_suffix: 'fa')
name_suffix: 'fa',
pic: 'AS_SHARED_LIB' in config_host)
if target.endswith('-softmmu')
execs = [{
@ -2649,15 +2667,34 @@ foreach target : target_dirs
exe_name += '-unsigned'
endif
emulator = executable(exe_name, exe['sources'],
install: true,
c_args: c_args,
dependencies: arch_deps + deps + exe['dependencies'],
objects: lib.extract_all_objects(recursive: true),
link_language: link_language,
link_depends: [block_syms, qemu_syms] + exe.get('link_depends', []),
link_args: link_args,
gui_app: exe['gui'])
if 'AS_SHARED_LIB' not in config_host and 'AS_STATIC_LIB' not in config_host
emulator = executable(exe_name, exe['sources'],
install: true,
c_args: c_args,
dependencies: arch_deps + deps + exe['dependencies'],
objects: lib.extract_all_objects(recursive: true),
link_language: link_language,
link_depends: [block_syms, qemu_syms] + exe.get('link_depends', []),
link_args: link_args,
gui_app: exe['gui'])
else
if 'AS_SHARED_LIB' in config_host
emulator = shared_library(exe_name, exe['sources'],
install: true,
c_args: c_args,
dependencies: arch_deps + deps + exe['dependencies'],
objects: lib.extract_all_objects(recursive: true),
link_language: link_language,
link_depends: [block_syms, qemu_syms] + exe.get('link_depends', []),
link_args: link_args)
endif
if 'AS_STATIC_LIB' in config_host
emulator = static_library(exe_name, exe['sources'],
c_args: c_args,
dependencies: arch_deps + deps + exe['dependencies'],
objects: lib.extract_all_objects(recursive: true))
endif
endif
if targetos == 'darwin'
icon = 'pc-bios/qemu.rsrc'

70
myconfigure.sh Executable file
View File

@ -0,0 +1,70 @@
#!/bin/sh
cd "$(dirname "$0")"
mkdir -p build
cd build
../configure --target-list=arm-linux-user,arm-softmmu,x86_64-linux-user,x86_64-softmmu \
--audio-drv-list= \
--disable-blobs \
--disable-bochs \
--disable-brlapi \
--disable-bsd-user \
--disable-bzip2 \
--disable-cap-ng \
--disable-cloop \
--disable-curl \
--disable-curses \
--disable-dmg \
--enable-fdt \
--disable-gcrypt \
--disable-glusterfs \
--disable-gnutls \
--disable-gtk \
--disable-guest-agent \
--disable-iconv \
--disable-libiscsi \
--disable-libnfs \
--disable-libssh \
--disable-libusb \
--disable-linux-aio \
--disable-live-block-migration \
--disable-lzo \
--disable-nettle \
--disable-numa \
--disable-opengl \
--disable-parallels \
--disable-plugins \
--disable-qcow1 \
--disable-qed \
--disable-rbd \
--disable-rdma \
--disable-replication \
--disable-sdl \
--disable-seccomp \
--disable-smartcard \
--disable-snappy \
--disable-spice \
--enable-system \
--disable-tools \
--disable-tpm \
--disable-usb-redir \
--disable-vde \
--disable-vdi \
--disable-vhost-crypto \
--disable-vhost-kernel \
--disable-vhost-net \
--disable-vhost-scsi \
--disable-vhost-user \
--disable-vhost-vdpa \
--disable-vhost-vsock \
--disable-virglrenderer \
--disable-virtfs \
--disable-vnc \
--disable-vnc-jpeg \
--disable-vnc-png \
--disable-vnc-sasl \
--disable-vte \
--disable-vvfat \
--disable-xen \
--disable-xen-pci-passthrough \
--disable-xfsctl \
--as-shared-lib

17
shell.nix Normal file
View File

@ -0,0 +1,17 @@
{ pkgs ? import <nixpkgs> {} }:
with pkgs;
stdenv.mkDerivation {
name = "tccboot-1";
hardeningDisable = [ "all" ];
src = ./.;
buildInputs = [
glib
python3
pkg-config
ninja
meson
pixman
gcc-arm-embedded
];
}

5
softmmu/cpus.c
View File

@ -305,7 +305,10 @@ void cpu_handle_guest_debug(CPUState *cpu)
cpu_single_step(cpu, 0);
}
} else {
gdb_set_stop_cpu(cpu);
/* Begin LibAFL changes */
// With LibAFL Breakpoints there is no gdb attached.
// gdb_set_stop_cpu(cpu);
/* End LibAFL changes */
qemu_system_debug_request();
cpu->stopped = true;
}

79
softmmu/main.c
View File

@ -44,11 +44,84 @@ int main(int argc, char **argv)
#define main qemu_main
#endif /* CONFIG_COCOA */
/* Begin LibAFL instrumentation */
#include "sysemu/runstate.h"
#include "migration/snapshot.h"
#include "hw/core/cpu.h"
#include "qapi/error.h"
#include "exec/memory.h"
void libafl_qemu_main_loop( void );
void libafl_qemu_sys_init(int argc, char **argv, char **envp);
void libafl_qemu_cleanup( void );
void libafl_qemu_sys_init(int argc, char **argv, char **envp) { qemu_init(argc, argv, envp); }
void libafl_qemu_cleanup( void ) { qemu_cleanup(); }
void libafl_qemu_set_breakpoint( vaddr );
int libafl_snapshot_save( const char* );
int libafl_snapshot_load( const char* );
void libafl_phys_read(vaddr, uint8_t*, int);
void libafl_phys_write(vaddr, uint8_t*, int);
void libafl_qemu_main_loop( void )
{
vm_start();
qemu_main_loop();
}
void libafl_qemu_set_breakpoint(vaddr pc)
{
CPUState *cpu;
CPU_FOREACH(cpu) {
cpu_breakpoint_insert(cpu, pc, BP_GDB, NULL);
}
}
int libafl_snapshot_save( const char* name )
{
Error *err = NULL;
save_snapshot(name, true, NULL, false, NULL, &err);
return err == 0;
}
int libafl_snapshot_load( const char* name )
{
Error *err = NULL;
load_snapshot(name, NULL, false, NULL, &err);
return err == 0;
}
void libafl_phys_read(vaddr addr, uint8_t* buf, int len)
{
cpu_physical_memory_read(addr, buf, len);
}
void libafl_phys_write(vaddr addr, uint8_t* buf, int len)
{
cpu_physical_memory_write(addr, buf, len);
}
#ifndef AS_SHARED_LIB
int main(int argc, char **argv, char **envp)
{
qemu_init(argc, argv, envp);
qemu_main_loop();
qemu_cleanup();
// qemu_init(argc, argv, envp);
// qemu_main_loop();
// qemu_cleanup();
// 2000010c
unsigned char buf[4096] = {3};
libafl_qemu_sys_init(argc, argv, envp);
libafl_phys_write(0x00006de4+0xc, buf,1);
libafl_phys_read(0x00006de4+0xc, buf,1);
printf("FUZZ_INPUT[0]: %x\n", buf[0]);
libafl_qemu_set_breakpoint(0x00004f5c);
libafl_snapshot_save("Start");
do {
libafl_qemu_main_loop();
libafl_snapshot_load("Start");
puts("Reload has occured");
} while (runstate_check(RUN_STATE_DEBUG));
libafl_qemu_cleanup();
return 0;
}
#endif
/* End LibAFL instrumentation */

4
softmmu/runstate.c
View File

@ -668,6 +668,10 @@ static bool main_loop_should_exit(void)
if (qemu_debug_requested()) {
vm_stop(RUN_STATE_DEBUG);
/* Begin LibAFL instrumentation */
// main loop will exit back to fuzzer
return true;
/* End LibAFL instrumentation */
}
if (qemu_suspend_requested()) {
qemu_system_suspend();

10
starter.sh Executable file
View File

@ -0,0 +1,10 @@
#!/bin/sh
if [ ! -f dummy.qcow2 ]; then
qemu-img create -f qcow2 dummy.qcow2 32M
fi
build/qemu-system-arm -machine mps2-an385 -monitor null -semihosting \
--semihosting-config enable=on,target=native \
-kernel $1 \
-serial stdio -nographic \
-snapshot -drive if=none,format=qcow2,file=dummy.qcow2 \
-S

10
tcg/tcg.c
View File

@ -566,6 +566,16 @@ static void process_op_defs(TCGContext *s);
static TCGTemp *tcg_global_reg_new_internal(TCGContext *s, TCGType type,
TCGReg reg, const char *name);
//// --- Begin LibAFL code ---
void libafl_helper_table_add(TCGHelperInfo* info);
void libafl_helper_table_add(TCGHelperInfo* info) {
g_hash_table_insert(helper_table, (gpointer)info->func,
(gpointer)info);
}
//// --- End LibAFL code ---
static void tcg_context_init(unsigned max_cpus)
{
TCGContext *s = &tcg_init_ctx;