Add systemmode hw_breakpoint libafl set/remove fns #93
Conversation
|
@rmalmain this should be ready |
libafl/system.c
Outdated
| } | ||
|
|
||
| // let's add/remove the breakpoint on every CPU | ||
| CPU_FOREACH(cs) { |
There was a problem hiding this comment.
i don't think it's a good idea to insert the hw bp for each CPU. better to take CPUState* as parameter and use it.
There was a problem hiding this comment.
Why? :)
Most likely we are going to have just one cpu anyway, so most of the times the parameter would just be annoying ?
There was a problem hiding this comment.
multiple reasons:
- most of our api does not make assumption about CPU, and takes a CPU as parameter when necessary
- it's not so straightforward to say we will always have to handle a single CPU, there are more tricky cases that could require multiple CPUs for a single fuzzing instance (think of a system using a coprocessor for instance).
There was a problem hiding this comment.
most of our api does not make assumption about CPU, and takes a CPU as parameter when necessary
It doesn't look like it is the case for sw breakpoints int libafl_qemu_set_breakpoint(target_ulong pc);, do we want to have different signatures between hw and sw breakpoints?
it's not so straightforward to say we will always have to handle a single CPU, there are more tricky cases that could require multiple CPUs for a single fuzzing instance (think of a system using a coprocessor for instance).
mmm, are you sure the coprocessor would be included by the CPU_FOREACH macro? it looked more like a main cpu(s) cores iterator to me
There was a problem hiding this comment.
It doesn't look like it is the case for sw breakpoints
int libafl_qemu_set_breakpoint(target_ulong pc);, do we want to have different signatures between hw and sw breakpoints?
for sw breakpoints, it's a bit different. since we are not changing the architectural state of the CPU (we check if we triggered a breakpoint address or not independently of the core triggering the bp), we only need to call the bp callback whenever it gets hit (we give the CPUState of the core that triggered the bp there).
for hw breakpoint, we actually change the state of the CPU(s) to select when a breakpoint should be triggered.
so in theory, we could choose which core should stop when the breakpoint is reached.
nonetheless, qemu seems to inject the hw breakpoint to every running core as well. in that case, i guess we can keep the same behavior.
mmm, are you sure the coprocessor would be included by the
CPU_FOREACHmacro? it looked more like a main cpu(s) cores iterator to me
i think so, cpus are always added to the global list when they get realized. in any case, if qemu sets the hw breakpoints using CPU_FOREACH, it should be fine.
There was a problem hiding this comment.
nonetheless, qemu seems to inject the hw breakpoint to every running core as well. in that case, i guess we can keep the same behavior.
Good catch, this can actually be problematic, I removed my loop
reserve hw breakpoints for LibAFL, using them with GDB will return a graceful error. So far they are implemented only for kvm.