On 6/2/25 16:54, Jon Wilson wrote:
It would be good if we could have QEMU provide clean APIs to allow the sort of additional instrumentation that fuzzing requires. I guess the qemu-libafl-bridge project shows the sort of modification which has been required so far... https://github.com/AFLplusplus/qemu-libafl-bridge/tree/main/libafl

I would like to conditionally call a helper, or even just insert a breakpoint instruction, but like I say I don't seem to be able to make use of any sort of branches. Even if I add a benign instrumentation that simply conditionally branches at a label and nothing else (e.g. no actual functionality), I still have the same problem.
e.g.

////////////////////////////////////////////////////////////////////////////////

/* Snippet from within a target translator; `addr` is a TCGTemp * from the surrounding context. */
TCGLabel *done = gen_new_label();               /* forward branch target */
TCGv addr_val = temp_tcgv_tl(addr);             /* view the temp as a target-long TCGv */
TCGv zero = tcg_constant_tl(0);                 /* constant 0 to compare against */
tcg_gen_brcond_tl(TCG_COND_EQ, addr_val, zero, done); /* if (addr == 0) goto done; */
gen_set_label(done);                            /* label immediately follows: the branch is a no-op */

////////////////////////////////////////////////////////////////////////////////

Hence the current implementation is a little clumsy!

This has not been a problem since 438e685b1, in qemu v8.0.

r~
