unicorn-engine / unicorn

Unicorn CPU emulator framework (ARM, AArch64, M68K, Mips, Sparc, PowerPC, RiscV, S390x, TriCore, X86)
http://www.unicorn-engine.org
GNU General Public License v2.0
7.64k stars 1.35k forks

Segfault in tb_target_set_jmp_target_arm #2048

Open futhewo opened 2 weeks ago

futhewo commented 2 weeks ago

In a very long emulation, I have a segfault (dereferencing null pointer) in qemu/tcg/aarch64/tcg-target.inc.c:tb_target_set_jmp_target.

In qemu/accel/tcg/cpu-exec.c, the function tb_set_jmp_target calls the previous function tb_target_set_jmp_target with parameters tc_ptr = 0 and tc_ptr + offset = 0.

Then tb_target_set_jmp_target calls atomic_set((uint64_t*)jmp_addr, pair) with jmp_addr = tc_ptr + offset = 0, which segfaults.

I patched it (dirty) by adding the following code in tb_set_jmp_target: if (TCG_TARGET_HAS_direct_jump && tb->tc.ptr) { […] }

I do not know what this patch may break, but it solves the crash. I am on commit 6ae0c97.

Feel free to ask me anything.
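
The mechanism described above, as an added example that is not code from the original report or from unicorn/QEMU: a toy model of tb_set_jmp_target and the AArch64 backend's patch routine, with the guard on tb->tc.ptr that the report adds. The struct layouts and the model_* function names are simplified assumptions, not the real definitions; the real backend writes an encoded instruction pair, while the model writes the raw target address so the effect of the patch can be read back. Without the guard, a TB whose tc.ptr is NULL turns jmp_addr into 0 + offset and the write dereferences a near-null pointer; with it, the patch is skipped and the caller is told so.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the TCG structures involved (assumption, not the
 * real QEMU definitions). tc.ptr points at the generated host code of a
 * TranslationBlock; jmp_target_arg[n] is the byte offset of direct-jump
 * slot n inside that code. */
#define TB_JMP_SLOTS 2
#define CODE_SIZE 64

struct tb_tc {
    void *ptr;     /* NULL when no host code has been generated */
    size_t size;
};

struct translation_block {
    struct tb_tc tc;
    uint16_t jmp_target_arg[TB_JMP_SLOTS];
};

/* Constructed sample: give a TB a code buffer and two jump slots at
 * offsets 8 and 24. A NULL buffer models the crashing case. */
static void model_tb_init(struct translation_block *tb, uint8_t *code, size_t size)
{
    tb->tc.ptr = code;
    tb->tc.size = size;
    tb->jmp_target_arg[0] = 8;
    tb->jmp_target_arg[1] = 24;
}

/* Model of the AArch64 backend's tb_target_set_jmp_target: overwrite the
 * 8-byte jump slot at jmp_addr. The real backend encodes an instruction
 * pair and stores it with atomic_set; the model stores addr verbatim. */
static void model_tb_target_set_jmp_target(uintptr_t tc_ptr, uintptr_t jmp_addr, uintptr_t addr)
{
    (void)tc_ptr;
    uint64_t pair = (uint64_t)addr;
    memcpy((void *)jmp_addr, &pair, sizeof pair);
}

/* Model of tb_set_jmp_target with the guard from the report. Returns true
 * when slot n was patched, false when the TB has no generated code, in
 * which case jmp_addr would have been 0 + offset and the write would
 * dereference a near-null pointer. */
static bool model_tb_set_jmp_target(struct translation_block *tb, int n, uintptr_t addr)
{
    if (tb->tc.ptr == NULL) {
        return false;
    }
    uintptr_t tc_ptr = (uintptr_t)tb->tc.ptr;
    uintptr_t offset = tb->jmp_target_arg[n];
    model_tb_target_set_jmp_target(tc_ptr, tc_ptr + offset, addr);
    return true;
}

/* Read back the 8 bytes at jump slot n so the patch can be checked. */
static uint64_t read_jmp_slot(const struct translation_block *tb, int n)
{
    uint64_t v;
    memcpy(&v, (const uint8_t *)tb->tc.ptr + tb->jmp_target_arg[n], sizeof v);
    return v;
}

int main(void)
{
    static uint8_t code[CODE_SIZE];
    struct translation_block tb, tb_no_code;

    model_tb_init(&tb, code, sizeof code);
    model_tb_init(&tb_no_code, NULL, 0);

    printf("patched slot 1: %d, slot value 0x%llx\n",
           model_tb_set_jmp_target(&tb, 1, 0x4000), (unsigned long long)read_jmp_slot(&tb, 1));
    printf("patched TB without code: %d\n", model_tb_set_jmp_target(&tb_no_code, 0, 0x4000));
    return 0;
}
```

The return value is the part worth keeping: a caller that silently skips the patch leaves the TB chained to whatever was there before, so a real fix would also want to know why a TB with no host code reached this path at all, which is the question the maintainer's follow-up about the dev branch is getting at.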

wtdcode commented 2 weeks ago

Thanks for the report and investigation. Your version seems pretty old, how about current dev branch?

1144822034 commented 6 days ago

I have also encountered the same problem, and this issue has been very helpful to me.

futhewo commented 3 days ago

Unfortunately, I cannot try on a newer unicorn version, sorry. I am using unicorn as part of unicornafl++ and it uses the version I pointed out.

wtdcode commented 3 days ago

unicornafl++

What is that? Are you mentioning unicornafl?

futhewo commented 3 days ago

Yes, the one that is part of afl++, that you may find here: https://github.com/AFLplusplus/unicornafl

wtdcode commented 3 days ago

Yes, the one that is part of afl++, that you may find here: https://github.com/AFLplusplus/unicornafl

Okay, unicornafl will bump to 2.1.2 once I have fixed it.

futhewo commented 3 days ago

That would be great! Thanks.