Merge branch 'AFLplusplus:master' into master

Author: wlingze

accel/tcg/tcg-runtime.c

@@ -734,13 +734,13 @@ target_long qasan_actions_dispatcher(void *cpu_env,
 #ifdef ASAN_GIOVESE
         case QASAN_ACTION_CHECK_LOAD:
         if (asan_giovese_guest_loadN(arg1, arg2)) {
-          asan_giovese_report_and_crash(ACCESS_TYPE_LOAD, arg1, arg2, PC_GET(env), BP_GET(env), SP_GET(env));
+          asan_giovese_report_and_crash(ACCESS_TYPE_LOAD, arg1, arg2, env);
         }
         break;
 
         case QASAN_ACTION_CHECK_STORE:
         if (asan_giovese_guest_storeN(arg1, arg2)) {
-          asan_giovese_report_and_crash(ACCESS_TYPE_STORE, arg1, arg2, PC_GET(env), BP_GET(env), SP_GET(env));
+          asan_giovese_report_and_crash(ACCESS_TYPE_STORE, arg1, arg2, env);
         }
         break;
 
@@ -849,7 +849,7 @@ void HELPER(qasan_load1)(CPUArchState *env, target_ulong addr) {
 
 #ifdef ASAN_GIOVESE
   if (asan_giovese_load1(ptr)) {
-    asan_giovese_report_and_crash(ACCESS_TYPE_LOAD, addr, 1, PC_GET(env), BP_GET(env), SP_GET(env));
+    asan_giovese_report_and_crash(ACCESS_TYPE_LOAD, addr, 1, env);
   }
 #else
   __asan_load1(ptr);
@@ -867,7 +867,7 @@ void HELPER(qasan_load2)(CPUArchState *env, target_ulong addr) {
 
 #ifdef ASAN_GIOVESE
   if (asan_giovese_load2(ptr)) {
-    asan_giovese_report_and_crash(ACCESS_TYPE_LOAD, addr, 2, PC_GET(env), BP_GET(env), SP_GET(env));
+    asan_giovese_report_and_crash(ACCESS_TYPE_LOAD, addr, 2, env);
   }
 #else
   __asan_load2(ptr);
@@ -885,7 +885,7 @@ void HELPER(qasan_load4)(CPUArchState *env, target_ulong addr) {
 
 #ifdef ASAN_GIOVESE
   if (asan_giovese_load4(ptr)) {
-    asan_giovese_report_and_crash(ACCESS_TYPE_LOAD, addr, 4, PC_GET(env), BP_GET(env), SP_GET(env));
+    asan_giovese_report_and_crash(ACCESS_TYPE_LOAD, addr, 4, env);
   }
 #else
   __asan_load4(ptr);
@@ -903,7 +903,7 @@ void HELPER(qasan_load8)(CPUArchState *env, target_ulong addr) {
 
 #ifdef ASAN_GIOVESE
   if (asan_giovese_load8(ptr)) {
-    asan_giovese_report_and_crash(ACCESS_TYPE_LOAD, addr, 8, PC_GET(env), BP_GET(env), SP_GET(env));
+    asan_giovese_report_and_crash(ACCESS_TYPE_LOAD, addr, 8, env);
   }
 #else
   __asan_load8(ptr);
@@ -921,7 +921,7 @@ void HELPER(qasan_store1)(CPUArchState *env, target_ulong addr) {
 
 #ifdef ASAN_GIOVESE
   if (asan_giovese_store1(ptr)) {
-    asan_giovese_report_and_crash(ACCESS_TYPE_STORE, addr, 1, PC_GET(env), BP_GET(env), SP_GET(env));
+    asan_giovese_report_and_crash(ACCESS_TYPE_STORE, addr, 1, env);
   }
 #else
   __asan_store1(ptr);
@@ -939,7 +939,7 @@ void HELPER(qasan_store2)(CPUArchState *env, target_ulong addr) {
 
 #ifdef ASAN_GIOVESE
   if (asan_giovese_store2(ptr)) {
-    asan_giovese_report_and_crash(ACCESS_TYPE_STORE, addr, 2, PC_GET(env), BP_GET(env), SP_GET(env));
+    asan_giovese_report_and_crash(ACCESS_TYPE_STORE, addr, 2, env);
   }
 #else
   __asan_store2(ptr);
@@ -957,7 +957,7 @@ void HELPER(qasan_store4)(CPUArchState *env, target_ulong addr) {
 
 #ifdef ASAN_GIOVESE
   if (asan_giovese_store4(ptr)) {
-    asan_giovese_report_and_crash(ACCESS_TYPE_STORE, addr, 4, PC_GET(env), BP_GET(env), SP_GET(env));
+    asan_giovese_report_and_crash(ACCESS_TYPE_STORE, addr, 4, env);
   }
 #else
   __asan_store4(ptr);
@@ -975,7 +975,7 @@ void HELPER(qasan_store8)(CPUArchState *env, target_ulong addr) {
 
 #ifdef ASAN_GIOVESE
   if (asan_giovese_store8(ptr)) {
-    asan_giovese_report_and_crash(ACCESS_TYPE_STORE, addr, 8, PC_GET(env), BP_GET(env), SP_GET(env));
+    asan_giovese_report_and_crash(ACCESS_TYPE_STORE, addr, 8, env);
   }
 #else
   __asan_store8(ptr);

qemuafl/asan-giovese-inl.h

@@ -1294,9 +1294,11 @@ static void print_alloc_location(target_ulong addr, target_ulong fault_addr) {
 }
 
 int asan_giovese_report_and_crash(int access_type, target_ulong addr, size_t n,
-                                  target_ulong pc, target_ulong bp,
-                                  target_ulong sp) {
+                                  CPUArchState *env) {
 
+  target_ulong pc= PC_GET(env);
+  target_ulong bp= BP_GET(env);
+  target_ulong sp= SP_GET(env);
   struct call_context ctx;
   asan_giovese_populate_context(&ctx, pc);
   target_ulong fault_addr = 0;
@@ -1367,9 +1369,53 @@ int asan_giovese_report_and_crash(int access_type, target_ulong addr, size_t n,
       "==%d==ABORTING\n",
       getpid());
 
-  signal(SIGABRT, SIG_DFL);
-  abort();
+  /* 
+   * Rather than aborting this host, we signal a DATA ABORT in the guest and
+   * abort the cpu_loop. This results in the generation of a SIGSEGV and 
+   * subsequent generation (if configured) of a core-file for the guest which is
+   * much more useful for debugging purposes.
+   * 
+   * However, it should be noted that there are a few limitations to these core 
+   * files. Firstly the CPU program counter is set to the start of the basic 
+   * block rather that to the faulting instruction (hence the context printed 
+   * above and the core file do not have an up to date instruction pointer) and 
+   * secondly the core file does not include the address of fault (this is a 
+   * limitation of the core file format).
+   * 
+   * When translating basic blocks the DisasContext structure carries the 
+   * instruction pointer thereby allowing RIP-relative instructions to be 
+   * properly translated. However, during execution, it is the CPUArchState 
+   * state which carries the register context (including the instruction 
+   * pointer). However, since the instruction pointer at the point of execution
+   * is fixed for any given instruction, its value can be incorporated at 
+   * instrumentation time rather than execution. This therefore avoids the 
+   * overhead of updating the CPUArchState at the completion of each 
+   * instruction. However, this state is required to be updated at the start of
+   * each block to allow functionality such as execution tracing (the -d exec
+   * argument)to work properly.
+   */
+
+  /*
+   * Queue a SIGSEGV representing our fault.
+   */
+  target_siginfo_t info = {
+    .si_signo = TARGET_SIGSEGV,
+    .si_errno = 0,
+    .si_code = TARGET_SEGV_MAPERR,
+    ._sifields._sigfault._addr = fault_addr
+  };
+  queue_signal(env, info.si_signo, QEMU_SI_FAULT, &info);
+
+  /*
+   * Set the CPU state to represent an interrupt. This is suffient to cause the
+   * cpu_loop to break out and handle the queued exceptions.
+   */
+  CPUState *cs = env_cpu(env);
+  cs->exception_index = EXCP_INTERRUPT;
+  cpu_loop_exit(cs);
 
+
+  return 0;
 }
 
 static const char* singal_to_string[] = {

qemuafl/asan-giovese.h

@@ -140,8 +140,7 @@ int asan_giovese_unpoison_guest_region(target_ulong addr, size_t n);
 // addr is a guest pointer
 
 int asan_giovese_report_and_crash(int access_type, target_ulong addr, size_t n,
-                                  target_ulong pc, target_ulong bp,
-                                  target_ulong sp);
+                                  CPUArchState *env);
 
 int asan_giovese_deadly_signal(int signum, target_ulong addr, target_ulong pc,
                                target_ulong bp, target_ulong sp);