- Parse the x86emmiter.h file and create a wrapper function each mnemonic offered by the emitter
- Create extra functions that return a randomly selected register or memory location (of the right type)
- Put these wrapper functions into function arrays which the fuzzer can then use to emit instructions by calling at the right index
I found out that this approach is quite limited because there are many edge cases (AVX512 instructions with different KRegs, consecutive registers, implicit operands,...). Thanks in advance.
arm instruction database? I'm looking at the ISA documentation they distribute in XML format (https://developer.arm.com/downloads/-/exploration-tools) which is awesome. However, maybe I've missed it, but I don't see the RW action on operands represented in this spec in a simple way, at least without parsing out the "Arm Pseudocode".
I think i need to serialize CodeHolder after compiler.finalize() but before being runtime.add(), as this is where we have the compiled code but it hasn't been physically addressed yet.
Has anyone else serialized the compiled asmjit to file for execution later?
Is there a more practical approach? CodeHolder looks like quite a complex data structure for serializing.
@deltars
It would be possible to serialize and deserialize CodeHolder, however, I would suggest to instead emit code that is PIC (position independent code), which would not need you to serialize/deserialize the content of CodeHolder, but only to maintain a table of addresses that would be resolved by the deserializer.
The reason is that if you use a function, for example, that you call within the code, you would serialize / deserialize its address too, which doesn't have to be valid in some other process (especially if OS/linker does address randomization for you). To fix this, you can just maintain a function table, or symbol table, which would contain pointer, and another structure which would describe the name of the symbol at each index. In the code, you would use a separate section for this, which would be flattened and put at the end, and patched before the code is actually used by the deserializer.
This way, you would have code that is position independent, and that uses a table of addresses, that can change across processes.
For generating PIC, I think I do a similar thing to JitRuntime::_add(), but call code->relocateToBase(0)
And the relocateToBase function shows me that I need to keep track of the RelocEntry CodeHolder._relocations (a simple table with offset, value size, RelocType) to apply my baseAddress later on.
And for my table of physical addresses, I create a ConstPool which I can also fill out later on.
@mmcloughlin It's a hand made database. The problem of importing third party data is that there is sometimes missing stuff that asmjit needs.
Yeah, I see that. Presumably though when you say "hand made" you actually mean "derived one or more third-party sources with adhoc scripts and partial automation"? Could you elaborate a bit more?
Well, not even that. I just downloaded ARM architecture reference manual and created the DB from each instruction listed in that manual (well except SVE and some others). So I really added there each instruction manually. It's okay for me as I get an overview about the architecture and patterns in encodings even before I start writing the assembler.
BTW even assemblers in LLVM are not fully automated - they use "tablegen" and have a specific language designed to generate tables and code.
arm support to my avo project.
golang.org/x/arch, including a 2.5k+ line function with a massive switch statement
https://github.com/asmjit/asmjit/tree/abi_2_0
The instruction db is here:
https://github.com/asmjit/asmjit/blob/abi_2_0/db/armdata.js
and is similar to asmdb, but I have reorganized it a bit:
{"inst": "vsri.x8-64 Dx, Dn, #n" , "t32": "1111|11111|Vx'|imm[5:0]|Vx|0100|imm[6]|0|Vn'|1|Vn" , "ext": "ASIMD", "imm": "VecShiftNImm(sz, n)"},So this is an instruction, very similar to ARM definition, but I have added more metadata regarding encoding - like "imm": "VecShiftNImm(sz, n)" - this is an inline function in the assembler that is responsible for verifying and encoding the immediate into an opcode field. This helps as the assembler generator doesn't have to be that smart, it just processes the fields and calls utility functions where necessary - and theoretically it would also work for a disassembler (the transformation would be just opposite)
https://github.com/asmjit/asmjit/blob/abi_2_0/src/asmjit/arm/a32assembler.cpp