Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(2245)

Unified Diff: third_party/afl/src/afl-as.h

Issue 2075883002: Add American Fuzzy Lop (afl) to third_party/afl/ (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Fix nits Created 4 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « third_party/afl/src/afl-analyze.c ('k') | third_party/afl/src/afl-as.c » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: third_party/afl/src/afl-as.h
diff --git a/third_party/afl/src/afl-as.h b/third_party/afl/src/afl-as.h
new file mode 100644
index 0000000000000000000000000000000000000000..1cca798612912870a1cfba7e9a3c6dc55b5aebb7
--- /dev/null
+++ b/third_party/afl/src/afl-as.h
@@ -0,0 +1,717 @@
+/*
+ american fuzzy lop - injectable parts
+ -------------------------------------
+
+ Written and maintained by Michal Zalewski <lcamtuf@google.com>
+
+ Forkserver design by Jann Horn <jannhorn@googlemail.com>
+
+ Copyright 2013, 2014, 2015 Google Inc. All rights reserved.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at:
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ This file houses the assembly-level instrumentation injected into fuzzed
+ programs. The instrumentation stores XORed pairs of data: identifiers of the
+ currently executing branch and the one that executed immediately before.
+
+ TL;DR: the instrumentation does shm_trace_map[cur_loc ^ prev_loc]++
+
+ The code is designed for 32-bit and 64-bit x86 systems. Both modes should
+ work everywhere except for Apple systems. Apple does relocations differently
+ from everybody else, so since their OSes have been 64-bit for a longer while,
+ I didn't go through the mental effort of porting the 32-bit code.
+
+ In principle, similar code should be easy to inject into any well-behaved
+ binary-only code (e.g., using DynamoRIO). Conditional jumps offer natural
+ targets for instrumentation, and should offer comparable probe density.
+
+ */
+
+#ifndef _HAVE_AFL_AS_H
+#define _HAVE_AFL_AS_H
+
+#include "config.h"
+#include "types.h"
+
+/*
+ ------------------
+ Performances notes
+ ------------------
+
+ Contributions to make this code faster are appreciated! Here are some
+ rough notes that may help with the task:
+
+ - Only the trampoline_fmt and the non-setup __afl_maybe_log code paths are
+ really worth optimizing; the setup / fork server stuff matters a lot less
+ and should be mostly just kept readable.
+
+ - We're aiming for modern CPUs with out-of-order execution and large
+ pipelines; the code is mostly follows intuitive, human-readable
+ instruction ordering, because "textbook" manual reorderings make no
+ substantial difference.
+
+ - Interestingly, instrumented execution isn't a lot faster if we store a
+ variable pointer to the setup, log, or return routine and then do a reg
+ call from within trampoline_fmt. It does speed up non-instrumented
+ execution quite a bit, though, since that path just becomes
+ push-call-ret-pop.
+
+ - There is also not a whole lot to be gained by doing SHM attach at a
+ fixed address instead of retrieving __afl_area_ptr. Although it allows us
+ to have a shorter log routine inserted for conditional jumps and jump
+ labels (for a ~10% perf gain), there is a risk of bumping into other
+ allocations created by the program or by tools such as ASAN.
+
+ - popf is *awfully* slow, which is why we're doing the lahf / sahf +
+ overflow test trick. Unfortunately, this forces us to taint eax / rax, but
+ this dependency on a commonly-used register still beats the alternative of
+ using pushf / popf.
+
+ One possible optimization is to avoid touching flags by using a circular
+ buffer that stores just a sequence of current locations, with the XOR stuff
+ happening offline. Alas, this doesn't seem to have a huge impact:
+
+ https://groups.google.com/d/msg/afl-users/MsajVf4fRLo/2u6t88ntUBIJ
+
+ - Preforking one child a bit sooner, and then waiting for the "go" command
+ from within the child, doesn't offer major performance gains; fork() seems
+ to be relatively inexpensive these days. Preforking multiple children does
+ help, but badly breaks the "~1 core per fuzzer" design, making it harder to
+ scale up. Maybe there is some middle ground.
+
+ Perhaps of note: in the 64-bit version for all platforms except for Apple,
+ the instrumentation is done slightly differently than on 32-bit, with
+ __afl_prev_loc and __afl_area_ptr being local to the object file (.lcomm),
+ rather than global (.comm). This is to avoid GOTRELPC lookups in the critical
+ code path, which AFAICT, are otherwise unavoidable if we want gcc -shared to
+ work; simple relocations between .bss and .text won't work on most 64-bit
+ platforms in such a case.
+
+ (Fun fact: on Apple systems, .lcomm can segfault the linker.)
+
+ The side effect is that state transitions are measured in a somewhat
+ different way, with previous tuple being recorded separately within the scope
+ of every .c file. This should have no impact in any practical sense.
+
+ Another side effect of this design is that getenv() will be called once per
+ every .o file when running in non-instrumented mode; an since getenv() tends
+ to be optimized in funny ways, we need to be very careful to save every
+ oddball register it may touch.
+
+ */
+
+static const u8* trampoline_fmt_32 =
+
+ "\n"
+ "/* --- AFL TRAMPOLINE (32-BIT) --- */\n"
+ "\n"
+ ".align 4\n"
+ "\n"
+ "leal -16(%%esp), %%esp\n"
+ "movl %%edi, 0(%%esp)\n"
+ "movl %%edx, 4(%%esp)\n"
+ "movl %%ecx, 8(%%esp)\n"
+ "movl %%eax, 12(%%esp)\n"
+ "movl $0x%08x, %%ecx\n"
+ "call __afl_maybe_log\n"
+ "movl 12(%%esp), %%eax\n"
+ "movl 8(%%esp), %%ecx\n"
+ "movl 4(%%esp), %%edx\n"
+ "movl 0(%%esp), %%edi\n"
+ "leal 16(%%esp), %%esp\n"
+ "\n"
+ "/* --- END --- */\n"
+ "\n";
+
+static const u8* trampoline_fmt_64 =
+
+ "\n"
+ "/* --- AFL TRAMPOLINE (64-BIT) --- */\n"
+ "\n"
+ ".align 4\n"
+ "\n"
+ "leaq -(128+24)(%%rsp), %%rsp\n"
+ "movq %%rdx, 0(%%rsp)\n"
+ "movq %%rcx, 8(%%rsp)\n"
+ "movq %%rax, 16(%%rsp)\n"
+ "movq $0x%08x, %%rcx\n"
+ "call __afl_maybe_log\n"
+ "movq 16(%%rsp), %%rax\n"
+ "movq 8(%%rsp), %%rcx\n"
+ "movq 0(%%rsp), %%rdx\n"
+ "leaq (128+24)(%%rsp), %%rsp\n"
+ "\n"
+ "/* --- END --- */\n"
+ "\n";
+
+static const u8* main_payload_32 =
+
+ "\n"
+ "/* --- AFL MAIN PAYLOAD (32-BIT) --- */\n"
+ "\n"
+ ".text\n"
+ ".att_syntax\n"
+ ".code32\n"
+ ".align 8\n"
+ "\n"
+
+ "__afl_maybe_log:\n"
+ "\n"
+ " lahf\n"
+ " seto %al\n"
+ "\n"
+ " /* Check if SHM region is already mapped. */\n"
+ "\n"
+ " movl __afl_area_ptr, %edx\n"
+ " testl %edx, %edx\n"
+ " je __afl_setup\n"
+ "\n"
+ "__afl_store:\n"
+ "\n"
+ " /* Calculate and store hit for the code location specified in ecx. There\n"
+ " is a double-XOR way of doing this without tainting another register,\n"
+ " and we use it on 64-bit systems; but it's slower for 32-bit ones. */\n"
+ "\n"
+#ifndef COVERAGE_ONLY
+ " movl __afl_prev_loc, %edi\n"
+ " xorl %ecx, %edi\n"
+ " shrl $1, %ecx\n"
+ " movl %ecx, __afl_prev_loc\n"
+#endif /* !COVERAGE_ONLY */
+ "\n"
+#ifdef SKIP_COUNTS
+ " orb $1, (%edx, %edi, 1)\n"
+#else
+ " incb (%edx, %edi, 1)\n"
+#endif /* ^SKIP_COUNTS */
+ "\n"
+ "__afl_return:\n"
+ "\n"
+ " addb $127, %al\n"
+ " sahf\n"
+ " ret\n"
+ "\n"
+ ".align 8\n"
+ "\n"
+ "__afl_setup:\n"
+ "\n"
+ " /* Do not retry setup if we had previous failures. */\n"
+ "\n"
+ " cmpb $0, __afl_setup_failure\n"
+ " jne __afl_return\n"
+ "\n"
+ " /* Map SHM, jumping to __afl_setup_abort if something goes wrong.\n"
+ " We do not save FPU/MMX/SSE registers here, but hopefully, nobody\n"
+ " will notice this early in the game. */\n"
+ "\n"
+ " pushl %eax\n"
+ " pushl %ecx\n"
+ "\n"
+ " pushl $.AFL_SHM_ENV\n"
+ " call getenv\n"
+ " addl $4, %esp\n"
+ "\n"
+ " testl %eax, %eax\n"
+ " je __afl_setup_abort\n"
+ "\n"
+ " pushl %eax\n"
+ " call atoi\n"
+ " addl $4, %esp\n"
+ "\n"
+ " pushl $0 /* shmat flags */\n"
+ " pushl $0 /* requested addr */\n"
+ " pushl %eax /* SHM ID */\n"
+ " call shmat\n"
+ " addl $12, %esp\n"
+ "\n"
+ " cmpl $-1, %eax\n"
+ " je __afl_setup_abort\n"
+ "\n"
+ " /* Store the address of the SHM region. */\n"
+ "\n"
+ " movl %eax, __afl_area_ptr\n"
+ " movl %eax, %edx\n"
+ "\n"
+ " popl %ecx\n"
+ " popl %eax\n"
+ "\n"
+ "__afl_forkserver:\n"
+ "\n"
+ " /* Enter the fork server mode to avoid the overhead of execve() calls. */\n"
+ "\n"
+ " pushl %eax\n"
+ " pushl %ecx\n"
+ " pushl %edx\n"
+ "\n"
+ " /* Phone home and tell the parent that we're OK. (Note that signals with\n"
+ " no SA_RESTART will mess it up). If this fails, assume that the fd is\n"
+ " closed because we were execve()d from an instrumented binary, or because\n"
+ " the parent doesn't want to use the fork server. */\n"
+ "\n"
+ " pushl $4 /* length */\n"
+ " pushl $__afl_temp /* data */\n"
+ " pushl $" STRINGIFY((FORKSRV_FD + 1)) " /* file desc */\n"
+ " call write\n"
+ " addl $12, %esp\n"
+ "\n"
+ " cmpl $4, %eax\n"
+ " jne __afl_fork_resume\n"
+ "\n"
+ "__afl_fork_wait_loop:\n"
+ "\n"
+ " /* Wait for parent by reading from the pipe. Abort if read fails. */\n"
+ "\n"
+ " pushl $4 /* length */\n"
+ " pushl $__afl_temp /* data */\n"
+ " pushl $" STRINGIFY(FORKSRV_FD) " /* file desc */\n"
+ " call read\n"
+ " addl $12, %esp\n"
+ "\n"
+ " cmpl $4, %eax\n"
+ " jne __afl_die\n"
+ "\n"
+ " /* Once woken up, create a clone of our process. This is an excellent use\n"
+ " case for syscall(__NR_clone, 0, CLONE_PARENT), but glibc boneheadedly\n"
+ " caches getpid() results and offers no way to update the value, breaking\n"
+ " abort(), raise(), and a bunch of other things :-( */\n"
+ "\n"
+ " call fork\n"
+ "\n"
+ " cmpl $0, %eax\n"
+ " jl __afl_die\n"
+ " je __afl_fork_resume\n"
+ "\n"
+ " /* In parent process: write PID to pipe, then wait for child. */\n"
+ "\n"
+ " movl %eax, __afl_fork_pid\n"
+ "\n"
+ " pushl $4 /* length */\n"
+ " pushl $__afl_fork_pid /* data */\n"
+ " pushl $" STRINGIFY((FORKSRV_FD + 1)) " /* file desc */\n"
+ " call write\n"
+ " addl $12, %esp\n"
+ "\n"
+ " pushl $0 /* no flags */\n"
+ " pushl $__afl_temp /* status */\n"
+ " pushl __afl_fork_pid /* PID */\n"
+ " call waitpid\n"
+ " addl $12, %esp\n"
+ "\n"
+ " cmpl $0, %eax\n"
+ " jle __afl_die\n"
+ "\n"
+ " /* Relay wait status to pipe, then loop back. */\n"
+ "\n"
+ " pushl $4 /* length */\n"
+ " pushl $__afl_temp /* data */\n"
+ " pushl $" STRINGIFY((FORKSRV_FD + 1)) " /* file desc */\n"
+ " call write\n"
+ " addl $12, %esp\n"
+ "\n"
+ " jmp __afl_fork_wait_loop\n"
+ "\n"
+ "__afl_fork_resume:\n"
+ "\n"
+ " /* In child process: close fds, resume execution. */\n"
+ "\n"
+ " pushl $" STRINGIFY(FORKSRV_FD) "\n"
+ " call close\n"
+ "\n"
+ " pushl $" STRINGIFY((FORKSRV_FD + 1)) "\n"
+ " call close\n"
+ "\n"
+ " addl $8, %esp\n"
+ "\n"
+ " popl %edx\n"
+ " popl %ecx\n"
+ " popl %eax\n"
+ " jmp __afl_store\n"
+ "\n"
+ "__afl_die:\n"
+ "\n"
+ " xorl %eax, %eax\n"
+ " call _exit\n"
+ "\n"
+ "__afl_setup_abort:\n"
+ "\n"
+ " /* Record setup failure so that we don't keep calling\n"
+ " shmget() / shmat() over and over again. */\n"
+ "\n"
+ " incb __afl_setup_failure\n"
+ " popl %ecx\n"
+ " popl %eax\n"
+ " jmp __afl_return\n"
+ "\n"
+ ".AFL_VARS:\n"
+ "\n"
+ " .comm __afl_area_ptr, 4, 32\n"
+ " .comm __afl_setup_failure, 1, 32\n"
+#ifndef COVERAGE_ONLY
+ " .comm __afl_prev_loc, 4, 32\n"
+#endif /* !COVERAGE_ONLY */
+ " .comm __afl_fork_pid, 4, 32\n"
+ " .comm __afl_temp, 4, 32\n"
+ "\n"
+ ".AFL_SHM_ENV:\n"
+ " .asciz \"" SHM_ENV_VAR "\"\n"
+ "\n"
+ "/* --- END --- */\n"
+ "\n";
+
+/* The OpenBSD hack is due to lahf and sahf not being recognized by some
+ versions of binutils: http://marc.info/?l=openbsd-cvs&m=141636589924400
+
+ The Apple code is a bit different when calling libc functions because
+ they are doing relocations differently from everybody else. We also need
+ to work around the crash issue with .lcomm and the fact that they don't
+ recognize .string. */
+
+#ifdef __APPLE__
+# define CALL_L64(str) "call _" str "\n"
+#else
+# define CALL_L64(str) "call " str "@PLT\n"
+#endif /* ^__APPLE__ */
+
+static const u8* main_payload_64 =
+
+ "\n"
+ "/* --- AFL MAIN PAYLOAD (64-BIT) --- */\n"
+ "\n"
+ ".text\n"
+ ".att_syntax\n"
+ ".code64\n"
+ ".align 8\n"
+ "\n"
+ "__afl_maybe_log:\n"
+ "\n"
+#if defined(__OpenBSD__) || (defined(__FreeBSD__) && (__FreeBSD__ < 9))
+ " .byte 0x9f /* lahf */\n"
+#else
+ " lahf\n"
+#endif /* ^__OpenBSD__, etc */
+ " seto %al\n"
+ "\n"
+ " /* Check if SHM region is already mapped. */\n"
+ "\n"
+ " movq __afl_area_ptr(%rip), %rdx\n"
+ " testq %rdx, %rdx\n"
+ " je __afl_setup\n"
+ "\n"
+ "__afl_store:\n"
+ "\n"
+ " /* Calculate and store hit for the code location specified in rcx. */\n"
+ "\n"
+#ifndef COVERAGE_ONLY
+ " xorq __afl_prev_loc(%rip), %rcx\n"
+ " xorq %rcx, __afl_prev_loc(%rip)\n"
+ " shrq $1, __afl_prev_loc(%rip)\n"
+#endif /* ^!COVERAGE_ONLY */
+ "\n"
+#ifdef SKIP_COUNTS
+ " orb $1, (%rdx, %rcx, 1)\n"
+#else
+ " incb (%rdx, %rcx, 1)\n"
+#endif /* ^SKIP_COUNTS */
+ "\n"
+ "__afl_return:\n"
+ "\n"
+ " addb $127, %al\n"
+#if defined(__OpenBSD__) || (defined(__FreeBSD__) && (__FreeBSD__ < 9))
+ " .byte 0x9e /* sahf */\n"
+#else
+ " sahf\n"
+#endif /* ^__OpenBSD__, etc */
+ " ret\n"
+ "\n"
+ ".align 8\n"
+ "\n"
+ "__afl_setup:\n"
+ "\n"
+ " /* Do not retry setup if we had previous failures. */\n"
+ "\n"
+ " cmpb $0, __afl_setup_failure(%rip)\n"
+ " jne __afl_return\n"
+ "\n"
+ " /* Check out if we have a global pointer on file. */\n"
+ "\n"
+#ifndef __APPLE__
+ " movq __afl_global_area_ptr@GOTPCREL(%rip), %rdx\n"
+ " movq (%rdx), %rdx\n"
+#else
+ " movq __afl_global_area_ptr(%rip), %rdx\n"
+#endif /* !^__APPLE__ */
+ " testq %rdx, %rdx\n"
+ " je __afl_setup_first\n"
+ "\n"
+ " movq %rdx, __afl_area_ptr(%rip)\n"
+ " jmp __afl_store\n"
+ "\n"
+ "__afl_setup_first:\n"
+ "\n"
+ " /* Save everything that is not yet saved and that may be touched by\n"
+ " getenv() and several other libcalls we'll be relying on. */\n"
+ "\n"
+ " leaq -352(%rsp), %rsp\n"
+ "\n"
+ " movq %rax, 0(%rsp)\n"
+ " movq %rcx, 8(%rsp)\n"
+ " movq %rdi, 16(%rsp)\n"
+ " movq %rsi, 32(%rsp)\n"
+ " movq %r8, 40(%rsp)\n"
+ " movq %r9, 48(%rsp)\n"
+ " movq %r10, 56(%rsp)\n"
+ " movq %r11, 64(%rsp)\n"
+ "\n"
+ " movq %xmm0, 96(%rsp)\n"
+ " movq %xmm1, 112(%rsp)\n"
+ " movq %xmm2, 128(%rsp)\n"
+ " movq %xmm3, 144(%rsp)\n"
+ " movq %xmm4, 160(%rsp)\n"
+ " movq %xmm5, 176(%rsp)\n"
+ " movq %xmm6, 192(%rsp)\n"
+ " movq %xmm7, 208(%rsp)\n"
+ " movq %xmm8, 224(%rsp)\n"
+ " movq %xmm9, 240(%rsp)\n"
+ " movq %xmm10, 256(%rsp)\n"
+ " movq %xmm11, 272(%rsp)\n"
+ " movq %xmm12, 288(%rsp)\n"
+ " movq %xmm13, 304(%rsp)\n"
+ " movq %xmm14, 320(%rsp)\n"
+ " movq %xmm15, 336(%rsp)\n"
+ "\n"
+ " /* Map SHM, jumping to __afl_setup_abort if something goes wrong. */\n"
+ "\n"
+ " /* The 64-bit ABI requires 16-byte stack alignment. We'll keep the\n"
+ " original stack ptr in the callee-saved r12. */\n"
+ "\n"
+ " pushq %r12\n"
+ " movq %rsp, %r12\n"
+ " subq $16, %rsp\n"
+ " andq $0xfffffffffffffff0, %rsp\n"
+ "\n"
+ " leaq .AFL_SHM_ENV(%rip), %rdi\n"
+ CALL_L64("getenv")
+ "\n"
+ " testq %rax, %rax\n"
+ " je __afl_setup_abort\n"
+ "\n"
+ " movq %rax, %rdi\n"
+ CALL_L64("atoi")
+ "\n"
+ " xorq %rdx, %rdx /* shmat flags */\n"
+ " xorq %rsi, %rsi /* requested addr */\n"
+ " movq %rax, %rdi /* SHM ID */\n"
+ CALL_L64("shmat")
+ "\n"
+ " cmpq $-1, %rax\n"
+ " je __afl_setup_abort\n"
+ "\n"
+ " /* Store the address of the SHM region. */\n"
+ "\n"
+ " movq %rax, %rdx\n"
+ " movq %rax, __afl_area_ptr(%rip)\n"
+ "\n"
+#ifdef __APPLE__
+ " movq %rax, __afl_global_area_ptr(%rip)\n"
+#else
+ " movq __afl_global_area_ptr@GOTPCREL(%rip), %rdx\n"
+ " movq %rax, (%rdx)\n"
+#endif /* ^__APPLE__ */
+ " movq %rax, %rdx\n"
+ "\n"
+ "__afl_forkserver:\n"
+ "\n"
+ " /* Enter the fork server mode to avoid the overhead of execve() calls. We\n"
+ " push rdx (area ptr) twice to keep stack alignment neat. */\n"
+ "\n"
+ " pushq %rdx\n"
+ " pushq %rdx\n"
+ "\n"
+ " /* Phone home and tell the parent that we're OK. (Note that signals with\n"
+ " no SA_RESTART will mess it up). If this fails, assume that the fd is\n"
+ " closed because we were execve()d from an instrumented binary, or because\n"
+ " the parent doesn't want to use the fork server. */\n"
+ "\n"
+ " movq $4, %rdx /* length */\n"
+ " leaq __afl_temp(%rip), %rsi /* data */\n"
+ " movq $" STRINGIFY((FORKSRV_FD + 1)) ", %rdi /* file desc */\n"
+ CALL_L64("write")
+ "\n"
+ " cmpq $4, %rax\n"
+ " jne __afl_fork_resume\n"
+ "\n"
+ "__afl_fork_wait_loop:\n"
+ "\n"
+ " /* Wait for parent by reading from the pipe. Abort if read fails. */\n"
+ "\n"
+ " movq $4, %rdx /* length */\n"
+ " leaq __afl_temp(%rip), %rsi /* data */\n"
+ " movq $" STRINGIFY(FORKSRV_FD) ", %rdi /* file desc */\n"
+ CALL_L64("read")
+ " cmpq $4, %rax\n"
+ " jne __afl_die\n"
+ "\n"
+ " /* Once woken up, create a clone of our process. This is an excellent use\n"
+ " case for syscall(__NR_clone, 0, CLONE_PARENT), but glibc boneheadedly\n"
+ " caches getpid() results and offers no way to update the value, breaking\n"
+ " abort(), raise(), and a bunch of other things :-( */\n"
+ "\n"
+ CALL_L64("fork")
+ " cmpq $0, %rax\n"
+ " jl __afl_die\n"
+ " je __afl_fork_resume\n"
+ "\n"
+ " /* In parent process: write PID to pipe, then wait for child. */\n"
+ "\n"
+ " movl %eax, __afl_fork_pid(%rip)\n"
+ "\n"
+ " movq $4, %rdx /* length */\n"
+ " leaq __afl_fork_pid(%rip), %rsi /* data */\n"
+ " movq $" STRINGIFY((FORKSRV_FD + 1)) ", %rdi /* file desc */\n"
+ CALL_L64("write")
+ "\n"
+ " movq $0, %rdx /* no flags */\n"
+ " leaq __afl_temp(%rip), %rsi /* status */\n"
+ " movq __afl_fork_pid(%rip), %rdi /* PID */\n"
+ CALL_L64("waitpid")
+ " cmpq $0, %rax\n"
+ " jle __afl_die\n"
+ "\n"
+ " /* Relay wait status to pipe, then loop back. */\n"
+ "\n"
+ " movq $4, %rdx /* length */\n"
+ " leaq __afl_temp(%rip), %rsi /* data */\n"
+ " movq $" STRINGIFY((FORKSRV_FD + 1)) ", %rdi /* file desc */\n"
+ CALL_L64("write")
+ "\n"
+ " jmp __afl_fork_wait_loop\n"
+ "\n"
+ "__afl_fork_resume:\n"
+ "\n"
+ " /* In child process: close fds, resume execution. */\n"
+ "\n"
+ " movq $" STRINGIFY(FORKSRV_FD) ", %rdi\n"
+ CALL_L64("close")
+ "\n"
+ " movq $" STRINGIFY((FORKSRV_FD + 1)) ", %rdi\n"
+ CALL_L64("close")
+ "\n"
+ " popq %rdx\n"
+ " popq %rdx\n"
+ "\n"
+ " movq %r12, %rsp\n"
+ " popq %r12\n"
+ "\n"
+ " movq 0(%rsp), %rax\n"
+ " movq 8(%rsp), %rcx\n"
+ " movq 16(%rsp), %rdi\n"
+ " movq 32(%rsp), %rsi\n"
+ " movq 40(%rsp), %r8\n"
+ " movq 48(%rsp), %r9\n"
+ " movq 56(%rsp), %r10\n"
+ " movq 64(%rsp), %r11\n"
+ "\n"
+ " movq 96(%rsp), %xmm0\n"
+ " movq 112(%rsp), %xmm1\n"
+ " movq 128(%rsp), %xmm2\n"
+ " movq 144(%rsp), %xmm3\n"
+ " movq 160(%rsp), %xmm4\n"
+ " movq 176(%rsp), %xmm5\n"
+ " movq 192(%rsp), %xmm6\n"
+ " movq 208(%rsp), %xmm7\n"
+ " movq 224(%rsp), %xmm8\n"
+ " movq 240(%rsp), %xmm9\n"
+ " movq 256(%rsp), %xmm10\n"
+ " movq 272(%rsp), %xmm11\n"
+ " movq 288(%rsp), %xmm12\n"
+ " movq 304(%rsp), %xmm13\n"
+ " movq 320(%rsp), %xmm14\n"
+ " movq 336(%rsp), %xmm15\n"
+ "\n"
+ " leaq 352(%rsp), %rsp\n"
+ "\n"
+ " jmp __afl_store\n"
+ "\n"
+ "__afl_die:\n"
+ "\n"
+ " xorq %rax, %rax\n"
+ CALL_L64("_exit")
+ "\n"
+ "__afl_setup_abort:\n"
+ "\n"
+ " /* Record setup failure so that we don't keep calling\n"
+ " shmget() / shmat() over and over again. */\n"
+ "\n"
+ " incb __afl_setup_failure(%rip)\n"
+ "\n"
+ " movq %r12, %rsp\n"
+ " popq %r12\n"
+ "\n"
+ " movq 0(%rsp), %rax\n"
+ " movq 8(%rsp), %rcx\n"
+ " movq 16(%rsp), %rdi\n"
+ " movq 32(%rsp), %rsi\n"
+ " movq 40(%rsp), %r8\n"
+ " movq 48(%rsp), %r9\n"
+ " movq 56(%rsp), %r10\n"
+ " movq 64(%rsp), %r11\n"
+ "\n"
+ " movq 96(%rsp), %xmm0\n"
+ " movq 112(%rsp), %xmm1\n"
+ " movq 128(%rsp), %xmm2\n"
+ " movq 144(%rsp), %xmm3\n"
+ " movq 160(%rsp), %xmm4\n"
+ " movq 176(%rsp), %xmm5\n"
+ " movq 192(%rsp), %xmm6\n"
+ " movq 208(%rsp), %xmm7\n"
+ " movq 224(%rsp), %xmm8\n"
+ " movq 240(%rsp), %xmm9\n"
+ " movq 256(%rsp), %xmm10\n"
+ " movq 272(%rsp), %xmm11\n"
+ " movq 288(%rsp), %xmm12\n"
+ " movq 304(%rsp), %xmm13\n"
+ " movq 320(%rsp), %xmm14\n"
+ " movq 336(%rsp), %xmm15\n"
+ "\n"
+ " leaq 352(%rsp), %rsp\n"
+ "\n"
+ " jmp __afl_return\n"
+ "\n"
+ ".AFL_VARS:\n"
+ "\n"
+
+#ifdef __APPLE__
+
+ " .comm __afl_area_ptr, 8\n"
+#ifndef COVERAGE_ONLY
+ " .comm __afl_prev_loc, 8\n"
+#endif /* !COVERAGE_ONLY */
+ " .comm __afl_fork_pid, 4\n"
+ " .comm __afl_temp, 4\n"
+ " .comm __afl_setup_failure, 1\n"
+
+#else
+
+ " .lcomm __afl_area_ptr, 8\n"
+#ifndef COVERAGE_ONLY
+ " .lcomm __afl_prev_loc, 8\n"
+#endif /* !COVERAGE_ONLY */
+ " .lcomm __afl_fork_pid, 4\n"
+ " .lcomm __afl_temp, 4\n"
+ " .lcomm __afl_setup_failure, 1\n"
+
+#endif /* ^__APPLE__ */
+
+ " .comm __afl_global_area_ptr, 8, 8\n"
+ "\n"
+ ".AFL_SHM_ENV:\n"
+ " .asciz \"" SHM_ENV_VAR "\"\n"
+ "\n"
+ "/* --- END --- */\n"
+ "\n";
+
+#endif /* !_HAVE_AFL_AS_H */
« no previous file with comments | « third_party/afl/src/afl-analyze.c ('k') | third_party/afl/src/afl-as.c » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698