diff options
| author | Hexcoder <heiko@hexco.de> | 2019-06-25 22:03:59 +0200 |
|---|---|---|
| committer | Hexcoder <heiko@hexco.de> | 2019-06-25 22:03:59 +0200 |
| commit | 45be91ff48554569be7f1ba6e4fc1de57e7286c3 (patch) | |
| tree | 5004e9fef6f8a3cbe693ceffd8b847a9c789ec1a | |
| parent | c657b3d0727835cd53e57a5d14b2e766fa241c7d (diff) | |
| download | afl++-45be91ff48554569be7f1ba6e4fc1de57e7286c3.tar.gz | |
experimental implementation of counters that skip zero on overflow.
Enable with AFL_NZERO_COUNTS=1 during compilation of target.
| -rw-r--r-- | docs/env_variables.txt | 5 | ||||
| -rw-r--r-- | llvm_mode/afl-llvm-pass.so.cc | 30 |
2 files changed, 34 insertions, 1 deletions
diff --git a/docs/env_variables.txt b/docs/env_variables.txt index f5db3b4f..725dc82e 100644 --- a/docs/env_variables.txt +++ b/docs/env_variables.txt @@ -106,6 +106,11 @@ Then there are a few specific features that are only available in llvm_mode: See llvm_mode/README.whitelist for more information. + OTHER + ===== + - Setting AFL_NZERO_COUNTS=1 during compilation will use counters + that skip zero on overflow. + Note that AFL_INST_RATIO will behave a bit differently than for afl-gcc, because functions are *not* instrumented unconditionally - so low values will have a more striking effect. For this tool, 0 is not a valid choice. diff --git a/llvm_mode/afl-llvm-pass.so.cc b/llvm_mode/afl-llvm-pass.so.cc index d46db7c0..2d283f1f 100644 --- a/llvm_mode/afl-llvm-pass.so.cc +++ b/llvm_mode/afl-llvm-pass.so.cc @@ -118,6 +118,9 @@ bool AFLCoverage::runOnModule(Module &M) { } + char* neverZero_counters_str = getenv("AFL_NZERO_COUNTS"); + bool enable_neverZero_counters = neverZero_counters_str && '1' == *neverZero_counters_str; + /* Get globals for the SHM region and the previous location. Note that __afl_prev_loc is thread-local. */ @@ -234,7 +237,32 @@ bool AFLCoverage::runOnModule(Module &M) { LoadInst *Counter = IRB.CreateLoad(MapPtrIdx); Counter->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); - Value *Incr = IRB.CreateAdd(Counter, ConstantInt::get(Int8Ty, 1)); + + Value *Incr; + if (enable_neverZero_counters) { + /* hexcoder: Realize a counter that skips zero during overflow. + * Once this counter reaches its maximum value, it next increments to 1 + * + * Instead of + * Counter + 1 -> Counter + * we inject now this + * Counter + 1 -> {Counter, OverflowFlag} + * Counter + OverflowFlag -> Counter + */ + CallInst *AddOv = IRB.CreateBinaryIntrinsic(Intrinsic::uadd_with_overflow, + Counter, ConstantInt::get(Int8Ty, 1)); + AddOv->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); + Value *SumWithOverflowBit = AddOv; + Incr = IRB.CreateAdd( + IRB.CreateExtractValue(SumWithOverflowBit, 0), /* sum */ + IRB.CreateZExt( /* convert from one bit type to 8 bits type */ + IRB.CreateExtractValue(SumWithOverflowBit, 1) /* overflow */ + , Int8Ty)); + } else { + /* standard AFL behavior: wrapping counters */ + Incr = IRB.CreateAdd(Counter, ConstantInt::get(Int8Ty, 1)); + } + IRB.CreateStore(Incr, MapPtrIdx) ->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); |