Text file
src/runtime/libfuzzer_arm64.s
1 // Copyright 2019 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
4
5 //go:build libfuzzer
6
7 #include "go_asm.h"
8 #include "textflag.h"
9
10 // Based on race_arm64.s; see commentary there.
11
12 #define RARG0 R0
13 #define RARG1 R1
14 #define RARG2 R2
15 #define RARG3 R3
16
17 #define REPEAT_2(a) a a
18 #define REPEAT_8(a) REPEAT_2(REPEAT_2(REPEAT_2(a)))
19 #define REPEAT_128(a) REPEAT_2(REPEAT_8(REPEAT_8(a)))
20
21 // void runtime·libfuzzerCallTraceIntCmp(fn, arg0, arg1, fakePC uintptr)
22 // Calls C function fn from libFuzzer and passes 2 arguments to it after
23 // manipulating the return address so that libfuzzer's integer compare hooks
24 // work.
25 // The problem statement and solution are documented in detail in libfuzzer_amd64.s.
26 // See commentary there.
27 TEXT runtime·libfuzzerCallTraceIntCmp(SB), NOSPLIT, $8-32
28 MOVD fn+0(FP), R9
29 MOVD arg0+8(FP), RARG0
30 MOVD arg1+16(FP), RARG1
31 MOVD fakePC+24(FP), R8
32 // Save the original return address in a local variable
33 MOVD R30, savedRetAddr-8(SP)
34
35 MOVD g_m(g), R10
36
37 // Switch to g0 stack.
38 MOVD RSP, R19 // callee-saved, preserved across the CALL
39 MOVD m_g0(R10), R11
40 CMP R11, g
41 BEQ call // already on g0
42 MOVD (g_sched+gobuf_sp)(R11), R12
43 MOVD R12, RSP
44 call:
45 // Load address of the ret sled into the default register for the return
46 // address.
47 ADR ret_sled, R30
48 // Clear the lowest 2 bits of fakePC. All ARM64 instructions are four
49 // bytes long, so we cannot get better return address granularity than
50 // multiples of 4.
51 AND $-4, R8, R8
52 // Add the offset of the fake_pc-th ret.
53 ADD R8, R30, R30
54 // Call the function by jumping to it and reusing all registers except
55 // for the modified return address register R30.
56 JMP (R9)
57
58 // The ret sled for ARM64 consists of 128 br instructions jumping to the
59 // end of the function. Each instruction is 4 bytes long. The sled thus
60 // has the same byte length of 4 * 128 = 512 as the x86_64 sled, but
61 // coarser granularity.
62 #define RET_SLED \
63 JMP end_of_function;
64
65 ret_sled:
66 REPEAT_128(RET_SLED);
67
68 end_of_function:
69 MOVD R19, RSP
70 MOVD savedRetAddr-8(SP), R30
71 RET
72
73 // void runtime·libfuzzerCall4(fn, hookId int, s1, s2 unsafe.Pointer, result uintptr)
74 // Calls C function fn from libFuzzer and passes 4 arguments to it.
75 TEXT runtime·libfuzzerCall4(SB), NOSPLIT, $0-40
76 MOVD fn+0(FP), R9
77 MOVD hookId+8(FP), RARG0
78 MOVD s1+16(FP), RARG1
79 MOVD s2+24(FP), RARG2
80 MOVD result+32(FP), RARG3
81
82 MOVD g_m(g), R10
83
84 // Switch to g0 stack.
85 MOVD RSP, R19 // callee-saved, preserved across the CALL
86 MOVD m_g0(R10), R11
87 CMP R11, g
88 BEQ call // already on g0
89 MOVD (g_sched+gobuf_sp)(R11), R12
90 MOVD R12, RSP
91 call:
92 BL R9
93 MOVD R19, RSP
94 RET
95
96 // void runtime·libfuzzerCallWithTwoByteBuffers(fn, start, end *byte)
97 // Calls C function fn from libFuzzer and passes 2 arguments of type *byte to it.
98 TEXT runtime·libfuzzerCallWithTwoByteBuffers(SB), NOSPLIT, $0-24
99 MOVD fn+0(FP), R9
100 MOVD start+8(FP), R0
101 MOVD end+16(FP), R1
102
103 MOVD g_m(g), R10
104
105 // Switch to g0 stack.
106 MOVD RSP, R19 // callee-saved, preserved across the CALL
107 MOVD m_g0(R10), R11
108 CMP R11, g
109 BEQ call // already on g0
110 MOVD (g_sched+gobuf_sp)(R11), R12
111 MOVD R12, RSP
112 call:
113 BL R9
114 MOVD R19, RSP
115 RET
116
View as plain text