

Add a static instruction filter during dynamic tracing for aarch64.
PiperOrigin-RevId: 718075916
hanyangtay authored and copybara-github committed Jan 21, 2025
1 parent 7786990 commit 50ef7fd
Showing 2 changed files with 16 additions and 4 deletions.
1 change: 1 addition & 0 deletions runner/BUILD
Expand Up @@ -323,6 +323,7 @@ cc_library(
"@com_google_absl//absl/strings",
] + select({
"@silifuzz//build_defs/platform:aarch64": [
"@silifuzz//instruction:static_insn_filter",
],
"@silifuzz//build_defs/platform:x86_64": [
"@silifuzz//instruction:decoded_insn",
19 changes: 15 additions & 4 deletions runner/aarch64/disassembling_snap_tracer.cc
Expand Up @@ -27,6 +27,7 @@
#include "absl/status/statusor.h"
#include "absl/strings/str_cat.h"
#include "./common/harness_tracer.h"
#include "./instruction/static_insn_filter.h"
#include "./util/checks.h"
#include "./util/itoa.h"

Expand Down Expand Up @@ -59,10 +60,6 @@ uint64_t DisassemblingSnapTracer::GetInstructionPointer(
return regs.pc;
}

// Unlike the x86 counterpart, StepInstruction() does not perform any
// instruction filtering except for the instruction count limit. On aarch64,
// we use a static instruction filter to filter out inputs with unwanted
// instructions.
HarnessTracer::ContinuationMode
DisassemblingSnapTracer::SnapshotStepper::StepInstruction(
pid_t pid, const struct user_regs_struct& regs,
Expand All @@ -83,6 +80,20 @@ DisassemblingSnapTracer::SnapshotStepper::StepInstruction(
return HarnessTracer::kKeepTracing;
}

// Reapply the static instruction filter.
//
// This filter should already be applied in the fuzzing process, but old
// snapshots may bypass it if they were fed as side inputs to generate the
// corpus (e.g. old false positives that were not removed).
//
// This step should have minimal overhead, and thus we opt to apply it here
// too for defense in depth (as opposed to relying on us remembering to delete
// bad snapshots from the corpus).
if (!StaticInstructionFilter<AArch64>(*insn_or)) {
trace_result_.early_termination_reason = "Has problematic instructions.";
return HarnessTracer::kInjectSigusr1;
}

// Disassemble the instruction.
disassembler_.Disassemble(
addr, reinterpret_cast<const uint8_t*>(insn_or->data()), insn_or->size());
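Review bot: The early-termination reason set on the new filter branch, `trace_result_.early_termination_reason = "Has problematic instructions.";`, records neither the instruction address nor its encoding, so a rejection cannot be traced back to the offending snapshot instruction when pruning the corpus, which is exactly the follow-up the comment above it says is otherwise forgotten. Both `addr` and `insn_or` are in scope and str_cat.h is already included, so the message could carry the address, e.g. `absl::StrCat("Has problematic instruction at ", HexStr(addr))`, using the hex helper from ./util/itoa.h if that is what this file already uses for addresses. Because the check sits before `disassembler_.Disassemble(...)`, the rejected instruction presumably never appears in the disassembly trace either; if that output is what triage reads, moving the check after the disassembly call, or logging the raw bytes in the reason, would preserve that evidence. StepInstruction's body starts and ends outside this hunk.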
