An example of a domain-specific custom coverage for AFL++ QEMU mode. This patch hooks functions calls and give feedbacks to the fuzzer if an argument of the function (the first 4 are considered in this naive example) is not a pointer and is a negative integer (can be both a 32 bit negative or a 64 bit negative).

neg_int_feedback.diff

diff --git a/accel/tcg/tcg-runtime.c b/accel/tcg/tcg-runtime.c
index d0d44844..d10d51ce 100644
--- a/accel/tcg/tcg-runtime.c
+++ b/accel/tcg/tcg-runtime.c
@@ -167,3 +167,29 @@ void HELPER(exit_atomic)(CPUArchState *env)
 {
     cpu_loop_exit_atomic(ENV_GET_CPU(env), GETPC());
 }
+
+
+#include "../patches/afl-qemu-common.h"
+
+void HELPER(afl_log_call_4)(uint64_t cur_loc, uint64_t a0, uint64_t a1, uint64_t a2, uint64_t a3)
+{
+    cur_loc = (cur_loc >> 4) ^ (cur_loc << 8);
+    cur_loc &= MAP_SIZE - 1;
+
+    if (!is_valid_addr(a0)) {
+      if ((int64_t)a0 < 0) INC_AFL_AREA(cur_loc);
+      else if ((int32_t)a0 < 0) INC_AFL_AREA(cur_loc +1);
+    }
+    if (!is_valid_addr(a1)) {
+      if ((int64_t)a1 < 0) INC_AFL_AREA(cur_loc +2);
+      else if ((int32_t)a1 < 0) INC_AFL_AREA(cur_loc +3);
+    }
+    if (!is_valid_addr(a2)) {
+      if ((int64_t)a2 < 0) INC_AFL_AREA(cur_loc +4);
+      else if ((int32_t)a2 < 0) INC_AFL_AREA(cur_loc +5);
+    }
+    if (!is_valid_addr(a3)) {
+      if ((int64_t)a3 < 0) INC_AFL_AREA(cur_loc +6);
+      else if ((int32_t)a3 < 0) INC_AFL_AREA(cur_loc +7);
+    }
+}
diff --git a/accel/tcg/tcg-runtime.h b/accel/tcg/tcg-runtime.h
index 1bd39d13..b8c88bb4 100644
--- a/accel/tcg/tcg-runtime.h
+++ b/accel/tcg/tcg-runtime.h
@@ -260,3 +260,5 @@ DEF_HELPER_FLAGS_4(gvec_leu8, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 DEF_HELPER_FLAGS_4(gvec_leu16, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 DEF_HELPER_FLAGS_4(gvec_leu32, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 DEF_HELPER_FLAGS_4(gvec_leu64, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
+
+DEF_HELPER_FLAGS_5(afl_log_call_4, TCG_CALL_NO_RWG, void, i64, i64, i64, i64, i64)
diff --git a/target/i386/translate.c b/target/i386/translate.c
index a23da128..15ec7bf4 100644
--- a/target/i386/translate.c
+++ b/target/i386/translate.c
@@ -5063,6 +5063,9 @@ static target_ulong disas_insn(DisasContext *s, CPUState *cpu)
                 tcg_gen_ext16u_tl(s->T0, s->T0);
             }
             next_eip = s->pc - s->cs_base;
+
+            gen_helper_afl_log_call_4(s->T0, cpu_regs[R_EDI], cpu_regs[R_ESI], cpu_regs[R_EDX], cpu_regs[R_ECX]);
+
             tcg_gen_movi_tl(s->T1, next_eip);
             gen_push_v(s, s->T1);
             gen_op_jmp_v(s->T0);
@@ -6557,6 +6560,10 @@ static target_ulong disas_insn(DisasContext *s, CPUState *cpu)
             } else if (!CODE64(s)) {
                 tval &= 0xffffffff;
             }
+
+            TCGv_i64 cur_loc = tcg_const_i64(tval);
+            gen_helper_afl_log_call_4(cur_loc, cpu_regs[R_EDI], cpu_regs[R_ESI], cpu_regs[R_EDX], cpu_regs[R_ECX]);
+
             tcg_gen_movi_tl(s->T0, next_eip);
             gen_push_v(s, s->T0);
             gen_bnd_jmp(s);