
*** DO NOT MERGE *** - Tcg cov

Open WorksButNotTested opened this issue 1 year ago • 5 comments

WorksButNotTested avatar Aug 08 '23 05:08 WorksButNotTested

Inlined TCG is not thread safe, that's why the map update is in the helper

andreafioraldi avatar Aug 08 '23 19:08 andreafioraldi

Does QEMU serialize the execution of helpers between threads?

WorksButNotTested avatar Aug 08 '23 21:08 WorksButNotTested

> Does QEMU serialize the execution of helpers between threads?

No, but the helper is native code and so we can use the TLS for prev_loc.

andreafioraldi avatar Aug 09 '23 21:08 andreafioraldi

Ah gotcha, so map access is concurrent (and possibly racy if two threads happen to update the same map offset at the same time), but the issue is that each thread should have its own prev_loc (thread local storage) and my TCG code is using the address of prev_loc calculated when the block is compiled and compiled blocks are shared between threads?

So a TCG implementation is possible (since it can successfully emulate multithreaded apps with TLS), but my implementation is naive and should instead determine the location of the TLS prev_loc at runtime?

WorksButNotTested avatar Aug 09 '23 23:08 WorksButNotTested
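The thread-local prev_loc described above, as an added C example that is not qemuafl's own code: a native helper keeps prev_loc in TLS, so two threads running shared translated blocks still record their own edge sequence, while the map increments themselves stay unsynchronized as the thread notes. MAP_SIZE, afl_maybe_log, run_trace, edges_are_per_thread and the block addresses are constructed assumptions for illustration.

```c
#include <pthread.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Added example, not qemuafl's code: a model of the native coverage helper
 * discussed above. MAP_SIZE, afl_maybe_log and run_trace are assumed names. */
#define MAP_SIZE (1u << 16)
/* Shared map: concurrent increments may race, as the thread notes. */
static uint8_t afl_area[MAP_SIZE];
/* Thread-local prev_loc: the helper is native code, so each thread gets its
 * own copy. Inlined TCG would bake one prev_loc address into the translated
 * block, which every thread executing that block would then share. */
static __thread uint64_t afl_prev_loc;
/* AFL-style edge hash for one basic block; returns the map index it hit. */
static uint64_t afl_maybe_log(uint64_t cur_loc) {
    cur_loc = (cur_loc >> 4) ^ (cur_loc << 8);
    cur_loc &= MAP_SIZE - 1;
    uint64_t edge = cur_loc ^ afl_prev_loc;
    afl_area[edge]++;
    afl_prev_loc = cur_loc >> 1;
    return edge;
}
struct trace { const uint64_t *blocks; size_t n; uint64_t edges[4]; };
/* Run a constructed block sequence on the calling thread, recording edges. */
static void *run_trace(void *arg) {
    struct trace *t = arg;
    for (size_t i = 0; i < t->n; i++) t->edges[i] = afl_maybe_log(t->blocks[i]);
    return NULL;
}
/* Returns 1 if two traces run concurrently yield the same edges as each
 * trace run alone, i.e. prev_loc did not leak between threads. */
int edges_are_per_thread(void) {
    static const uint64_t a[] = {0x1000, 0x1040, 0x1080};   /* constructed */
    static const uint64_t b[] = {0x2000, 0x2040, 0x2080};   /* constructed */
    struct trace ta = {a, 3, {0}}, tb = {b, 3, {0}};
    struct trace ra = {a, 3, {0}}, rb = {b, 3, {0}};
    pthread_t pa, pb;
    pthread_create(&pa, NULL, run_trace, &ta);
    pthread_create(&pb, NULL, run_trace, &tb);
    pthread_join(pa, NULL);
    pthread_join(pb, NULL);
    afl_prev_loc = 0; run_trace(&ra);   /* single-thread reference runs */
    afl_prev_loc = 0; run_trace(&rb);
    return memcmp(ta.edges, ra.edges, sizeof ta.edges) == 0 &&
           memcmp(tb.edges, rb.edges, sizeof tb.edges) == 0;
}
int main(void) { return edges_are_per_thread() ? 0 : 1; }
```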

Fuzzbench results:

  • https://www.fuzzbench.com/reports/experimental/2023-09-02-aflpp/index.html

  • aflplusplus_qemu_tcgcov

  • aflplusplus_qemu

WorksButNotTested avatar Sep 07 '23 08:09 WorksButNotTested