| // Copyright 2025 The Go Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style |
| // license that can be found in the LICENSE file. |
| |
| //go:build libfuzzer |
| |
| #include "go_asm.h" |
| #include "textflag.h" |
| |
| // Based on race_loong64.s; see commentary there. |
| |
| #define RARG0 R4 |
| #define RARG1 R5 |
| #define RARG2 R6 |
| #define RARG3 R7 |
| |
| #define REPEAT_2(a) a a |
| #define REPEAT_8(a) REPEAT_2(REPEAT_2(REPEAT_2(a))) |
| #define REPEAT_128(a) REPEAT_2(REPEAT_8(REPEAT_8(a))) |
| |
| // void runtime·libfuzzerCall4(fn, hookId int, s1, s2 unsafe.Pointer, result uintptr) |
| // Calls C function fn from libFuzzer and passes 4 arguments to it. |
| TEXT runtime·libfuzzerCall4<ABIInternal>(SB), NOSPLIT, $0-0 |
| MOVV R4, R12 // fn |
| MOVV R5, RARG0 // hookId |
| MOVV R6, RARG1 // s1 |
| MOVV R7, RARG2 // s2 |
| MOVV R8, RARG3 // result |
| |
| MOVV g_m(g), R13 |
| |
| // Switch to g0 stack. |
| MOVV R3, R23 // callee-saved, preserved across the CALL |
| MOVV m_g0(R13), R14 |
| BEQ R14, g, call // already on g0 |
| MOVV (g_sched+gobuf_sp)(R14), R3 |
| |
| call: |
| JAL (R12) |
| MOVV R23, R3 |
| RET |
| |
| // void runtime·libfuzzerCallWithTwoByteBuffers(fn, start, end *byte) |
| // Calls C function fn from libFuzzer and passes 2 arguments of type *byte to it. |
| TEXT runtime·libfuzzerCallWithTwoByteBuffers<ABIInternal>(SB), NOSPLIT, $0-0 |
| MOVV R4, R12 // fn |
| MOVV R5, RARG0 // start |
| MOVV R6, RARG1 // end |
| |
| MOVV g_m(g), R13 |
| |
| // Switch to g0 stack. |
| MOVV R3, R23 // callee-saved, preserved across the CALL |
| MOVV m_g0(R13), R14 |
| BEQ R14, g, call // already on g0 |
| MOVV (g_sched+gobuf_sp)(R14), R3 |
| |
| call: |
| JAL (R12) |
| MOVV R23, R3 |
| RET |
| |
| // void runtime·libfuzzerCallTraceIntCmp(fn, arg0, arg1, fakePC uintptr) |
| // Calls C function fn from libFuzzer and passes 2 arguments to it after |
| // manipulating the return address so that libfuzzer's integer compare hooks |
| // work. |
| // The problem statement and solution are documented in detail in libfuzzer_amd64.s. |
| // See commentary there. |
| TEXT runtime·libfuzzerCallTraceIntCmp<ABIInternal>(SB), NOSPLIT, $0-0 |
| MOVV R4, R12 // fn |
| MOVV R5, RARG0 // arg0 |
| MOVV R6, RARG1 // arg1 |
| // Save the original return address in a local variable |
| MOVV R1, savedRetAddr-8(SP) |
| |
| MOVV g_m(g), R13 |
| |
| // Switch to g0 stack. |
| MOVV R3, R23 // callee-saved, preserved across the CALL |
| MOVV m_g0(R13), R14 |
| BEQ R14, g, call // already on g0 |
| MOVV (g_sched+gobuf_sp)(R14), R3 |
| |
| call: |
| // Load address of the ret sled into the default register for the return |
| // address. |
| MOVV $ret_sled(SB), R1 |
| // Clear the lowest 2 bits of fakePC. All Loong64 instructions are four |
| // bytes long, so we cannot get better return address granularity than |
| // multiples of 4. |
| AND $-4, R7 |
| // Load the address of the i'th return instruction from the return sled. |
| // The index is given in the fakePC argument. |
| ADDV R7, R1 |
| // Call the function by jumping to it and reusing all registers except |
| // for the modified return address register R1. |
| JMP (R12) |
| |
| // The ret sled for Loong64 consists of 128 br instructions jumping to the |
| // end of the function. Each instruction is 4 bytes long. The sled thus has |
| // the same byte length of 4 * 128 = 512 as the x86_64 sled, but coarser |
| // granularity. |
| #define RET_SLED \ |
| JMP end_of_function; |
| |
| TEXT ret_sled(SB), NOSPLIT, $0-0 |
| REPEAT_128(RET_SLED); |
| |
| end_of_function: |
| MOVV R23, R3 |
| MOVV savedRetAddr-8(SP), R1 |
| RET |
