qemu-libafl-bridge icon indicating copy to clipboard operation
qemu-libafl-bridge copied to clipboard
verified publisher icon AFLplusplus

Use of `syx_snapshot_dirty_list_add_hostaddr` in cputlb.c

Open enisrat opened this issue 9 months ago • 2 comments

I noticed that this access type check in cputlb.c has been commented out:

https://github.com/AFLplusplus/qemu-libafl-bridge/blob/a86bd6bbcb3e4adefaca2bc264b1235971890bca/accel/tcg/cputlb.c#L1750-L1753

I don't see why this check would not work?

Also, pages with flags like TLB_MMIO and TLB_DISCARD_WRITE would not need to be considered for snapshot. Would it not make sense to check those as well?

enisrat avatar Mar 07 '25 13:03 enisrat

it's true. i remember doing tests with complex targets and getting snapshotting errors if not commenting this out. ideally, we should check for those flags. i can try to re-run a linux target and see if i still get those issues.

rmalmain avatar Mar 14 '25 16:03 rmalmain

Ok, would be great to be able to reproduce this with your command line. I am on a debug branch with some additional HMP commands in monitor, trying to verify everything for my custom board.

enisrat avatar Mar 19 '25 07:03 enisrat

@rmalmain : Did you get some errors I could reproduce?

enisrat avatar Apr 05 '25 07:04 enisrat

Ok, found a fix (I think):

  • Use memory_region_reset_dirty on each RAM region in syx_snapshot_new and syx_snapshot_root_restore
  • This marks all RAM as notdirty, so a WRITE will not be missed
  • Additionally CPUTLB should be flushed completely in syx_snapshot_new (it is implicitely flushed in syx_snapshot_root_restore)

enisrat avatar Apr 05 '25 11:04 enisrat

I created a PR for this (and other features): https://github.com/AFLplusplus/qemu-libafl-bridge/pull/112

enisrat avatar Apr 08 '25 06:04 enisrat

hey @enisrat, sorry for the late reply, very busy times. thanks for the PR, I'll check now

rmalmain avatar May 15 '25 21:05 rmalmain