1// Copyright 2019 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5//go:build libfuzzer
6
7#include "go_asm.h"
8#include "go_tls.h"
9#include "textflag.h"
10
11// Based on race_amd64.s; see commentary there.
12
13#ifdef GOOS_windows
14#define RARG0 CX
15#define RARG1 DX
16#define RARG2 R8
17#define RARG3 R9
18#else
19#define RARG0 DI
20#define RARG1 SI
21#define RARG2 DX
22#define RARG3 CX
23#endif
24
25// void runtime·libfuzzerCall4(fn, hookId int, s1, s2 unsafe.Pointer, result uintptr)
26// Calls C function fn from libFuzzer and passes 4 arguments to it.
27TEXT	runtime·libfuzzerCall4(SB), NOSPLIT, $0-40
28	MOVQ	fn+0(FP), AX
29	MOVQ	hookId+8(FP), RARG0
30	MOVQ	s1+16(FP), RARG1
31	MOVQ	s2+24(FP), RARG2
32	MOVQ	result+32(FP), RARG3
33
34	get_tls(R12)
35	MOVQ	g(R12), R14
36	MOVQ	g_m(R14), R13
37
38	// Switch to g0 stack.
39	MOVQ	SP, R12		// callee-saved, preserved across the CALL
40	MOVQ	m_g0(R13), R10
41	CMPQ	R10, R14
42	JE	call	// already on g0
43	MOVQ	(g_sched+gobuf_sp)(R10), SP
44call:
45	ANDQ	$~15, SP	// alignment for gcc ABI
46	CALL	AX
47	MOVQ	R12, SP
48	RET
49
50// void runtime·libfuzzerCallTraceIntCmp(fn, arg0, arg1, fakePC uintptr)
51// Calls C function fn from libFuzzer and passes 2 arguments to it after
52// manipulating the return address so that libfuzzer's integer compare hooks
53// work
54// libFuzzer's compare hooks obtain the caller's address from the compiler
55// builtin __builtin_return_address. Since we invoke the hooks always
56// from the same native function, this builtin would always return the same
57// value. Internally, the libFuzzer hooks call through to the always inlined
58// HandleCmp and thus can't be mimicked without patching libFuzzer.
59//
60// We solve this problem via an inline assembly trampoline construction that
61// translates a runtime argument `fake_pc` in the range [0, 512) into a call to
62// a hook with a fake return address whose lower 9 bits are `fake_pc` up to a
63// constant shift. This is achieved by pushing a return address pointing into
64// 512 ret instructions at offset `fake_pc` onto the stack and then jumping
65// directly to the address of the hook.
66//
67// Note: We only set the lowest 9 bits of the return address since only these
68// bits are used by the libFuzzer value profiling mode for integer compares, see
69// https://github.com/llvm/llvm-project/blob/704d92607d26e696daba596b72cb70effe79a872/compiler-rt/lib/fuzzer/FuzzerTracePC.cpp#L390
70// as well as
71// https://github.com/llvm/llvm-project/blob/704d92607d26e696daba596b72cb70effe79a872/compiler-rt/lib/fuzzer/FuzzerValueBitMap.h#L34
72// ValueProfileMap.AddValue() truncates its argument to 16 bits and shifts the
73// PC to the left by log_2(128)=7, which means that only the lowest 16 - 7 bits
74// of the return address matter. String compare hooks use the lowest 12 bits,
75// but take the return address as an argument and thus don't require the
76// indirection through a trampoline.
77// TODO: Remove the inline assembly trampoline once a PC argument has been added to libfuzzer's int compare hooks.
78TEXT	runtime·libfuzzerCallTraceIntCmp(SB), NOSPLIT, $0-32
79	MOVQ	fn+0(FP), AX
80	MOVQ	arg0+8(FP), RARG0
81	MOVQ	arg1+16(FP), RARG1
82	MOVQ	fakePC+24(FP), R8
83
84	get_tls(R12)
85	MOVQ	g(R12), R14
86	MOVQ	g_m(R14), R13
87
88	// Switch to g0 stack.
89	MOVQ	SP, R12		// callee-saved, preserved across the CALL
90	MOVQ	m_g0(R13), R10
91	CMPQ	R10, R14
92	JE	call	// already on g0
93	MOVQ	(g_sched+gobuf_sp)(R10), SP
94call:
95	ANDQ	$~15, SP	// alignment for gcc ABI
96	SUBQ	$8, SP
97	// Load the address of the end of the function and push it into the stack.
98	// This address will be jumped to after executing the return instruction
99	// from the return sled. There we reset the stack pointer and return.
100	MOVQ    $end_of_function<>(SB), BX
101	PUSHQ   BX
102	// Load the starting address of the return sled into BX.
103	MOVQ    $ret_sled<>(SB), BX
104	// Load the address of the i'th return instruction from the return sled.
105	// The index is given in the fakePC argument.
106	ADDQ    R8, BX
107	PUSHQ   BX
108	// Call the original function with the fakePC return address on the stack.
109	// Function arguments arg0 and arg1 are passed in the registers specified
110	// by the x64 calling convention.
111	JMP     AX
112// This code will not be executed and is only there to satisfy assembler
113// check of a balanced stack.
114not_reachable:
115	POPQ    BX
116	POPQ    BX
117	RET
118
119TEXT end_of_function<>(SB), NOSPLIT, $0-0
120	MOVQ	R12, SP
121	RET
122
123#define REPEAT_8(a) a \
124  a \
125  a \
126  a \
127  a \
128  a \
129  a \
130  a
131
132#define REPEAT_512(a) REPEAT_8(REPEAT_8(REPEAT_8(a)))
133
134TEXT ret_sled<>(SB), NOSPLIT, $0-0
135	REPEAT_512(RET)
136
137// void runtime·libfuzzerCallWithTwoByteBuffers(fn, start, end *byte)
138// Calls C function fn from libFuzzer and passes 2 arguments of type *byte to it.
139TEXT	runtime·libfuzzerCallWithTwoByteBuffers(SB), NOSPLIT, $0-24
140	MOVQ	fn+0(FP), AX
141	MOVQ	start+8(FP), RARG0
142	MOVQ	end+16(FP), RARG1
143
144	get_tls(R12)
145	MOVQ	g(R12), R14
146	MOVQ	g_m(R14), R13
147
148	// Switch to g0 stack.
149	MOVQ	SP, R12		// callee-saved, preserved across the CALL
150	MOVQ	m_g0(R13), R10
151	CMPQ	R10, R14
152	JE	call	// already on g0
153	MOVQ	(g_sched+gobuf_sp)(R10), SP
154call:
155	ANDQ	$~15, SP	// alignment for gcc ABI
156	CALL	AX
157	MOVQ	R12, SP
158	RET
159