diff options
| author | Andrea Fioraldi <andreafioraldi@gmail.com> | 2019-11-11 14:36:06 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2019-11-11 14:36:06 +0100 |
| commit | 659db7e421b47da4b04110a141d9c20307f74ecc (patch) | |
| tree | 18f9c38cc5270adcf445a62b974712cead4a01c4 /llvm_mode | |
| parent | cd84339bccc104a51a5da614a9f82cc4ae615cce (diff) | |
| parent | 01d55372441960c435af8f3bd6b61d1302042728 (diff) | |
| download | afl++-659db7e421b47da4b04110a141d9c20307f74ecc.tar.gz | |
Merge branch 'master' into radamsa
Diffstat (limited to 'llvm_mode')
| -rw-r--r-- | llvm_mode/LLVMInsTrim.so.cc | 15 | ||||
| -rw-r--r-- | llvm_mode/Makefile | 6 | ||||
| -rw-r--r-- | llvm_mode/README.laf-intel.md | 3 | ||||
| -rw-r--r-- | llvm_mode/README.whitelist.md | 2 | ||||
| -rw-r--r-- | llvm_mode/afl-clang-fast.c | 22 | ||||
| -rw-r--r-- | llvm_mode/afl-llvm-pass.so.cc | 13 | ||||
| -rw-r--r-- | llvm_mode/afl-llvm-rt.o.c | 2 | ||||
| -rw-r--r-- | llvm_mode/compare-transform-pass.so.cc | 4 | ||||
| -rw-r--r-- | llvm_mode/split-compares-pass.so.cc | 18 |
9 files changed, 63 insertions, 22 deletions
diff --git a/llvm_mode/LLVMInsTrim.so.cc b/llvm_mode/LLVMInsTrim.so.cc index 4b5597e2..89738812 100644 --- a/llvm_mode/LLVMInsTrim.so.cc +++ b/llvm_mode/LLVMInsTrim.so.cc @@ -158,6 +158,7 @@ struct InsTrim : public ModulePass { bool instrumentBlock = false; DebugLoc Loc; StringRef instFilename; + unsigned int instLine = 0; for (auto &BB : F) { @@ -171,7 +172,7 @@ struct InsTrim : public ModulePass { DILocation *cDILoc = dyn_cast<DILocation>(Loc.getAsMDNode()); - unsigned int instLine = cDILoc->getLine(); + instLine = cDILoc->getLine(); instFilename = cDILoc->getFilename(); if (instFilename.str().empty()) { @@ -217,11 +218,13 @@ struct InsTrim : public ModulePass { * not whitelisted, so we skip instrumentation. */ if (!instrumentBlock) { - if (!instFilename.str().empty()) - SAYF(cYEL "[!] " cBRI "Not in whitelist, skipping %s ...\n", - instFilename.str().c_str()); - else - SAYF(cYEL "[!] " cBRI "No filename information found, skipping it"); + if (!be_quiet) { + if (!instFilename.str().empty()) + SAYF(cYEL "[!] " cBRI "Not in whitelist, skipping %s line %u...\n", + instFilename.str().c_str(), instLine); + else + SAYF(cYEL "[!] " cBRI "No filename information found, skipping it"); + } continue; } diff --git a/llvm_mode/Makefile b/llvm_mode/Makefile index 55bfab59..033babac 100644 --- a/llvm_mode/Makefile +++ b/llvm_mode/Makefile @@ -3,7 +3,7 @@ # ----------------------------------------- # # Written by Laszlo Szekeres <lszekeres@google.com> and -# Michal Zalewski <lcamtuf@google.com> +# Michal Zalewski # # LLVM integration design comes from Laszlo Szekeres. # @@ -52,7 +52,7 @@ endif CFLAGS ?= -O3 -funroll-loops CFLAGS += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -I ../include/ \ -DAFL_PATH=\"$(HELPER_PATH)\" -DBIN_PATH=\"$(BIN_PATH)\" \ - -DVERSION=\"$(VERSION)\" + -DLLVM_BINDIR=\"$(LLVM_BINDIR)\" -DVERSION=\"$(VERSION)\" ifdef AFL_TRACE_PC CFLAGS += -DUSE_TRACE_PC=1 endif @@ -220,7 +220,7 @@ vpath % .. @../$* -h 2>&1 | tail -n +4 >> ../$@ @echo >> ../$@ @echo .SH AUTHOR >> ../$@ - @echo "afl++ was written by Michal \"lcamtuf\" Zalewski and is maintained by Marc \"van Hauser\" Heuse <mh@mh-sec.de>, Heiko \"hexc0der\" Eissfeldt <heiko.eissfeldt@hexco.de> and Andrea Fioraldi <andreafioraldi@gmail.com>" >> ../$@ + @echo "afl++ was written by Michal \"lcamtuf\" Zalewski and is maintained by Marc \"van Hauser\" Heuse <mh@mh-sec.de>, Heiko \"hexcoder-\" Eissfeldt <heiko.eissfeldt@hexco.de> and Andrea Fioraldi <andreafioraldi@gmail.com>" >> ../$@ @echo The homepage of afl++ is: https://github.com/vanhauser-thc/AFLplusplus >> ../$@ @echo >> ../$@ @echo .SH LICENSE >> ../$@ diff --git a/llvm_mode/README.laf-intel.md b/llvm_mode/README.laf-intel.md index c787744b..462c7bac 100644 --- a/llvm_mode/README.laf-intel.md +++ b/llvm_mode/README.laf-intel.md @@ -35,4 +35,5 @@ bit_width may be 64, 32 or 16. A new experimental feature is splitting floating point comparisons into a series of sign, exponent and mantissa comparisons followed by splitting each of them into 8 bit comparisons when necessary. -It is activated with the `AFL_LLVM_LAF_SPLIT_COMPARES` setting. +It is activated with the `AFL_LLVM_LAF_SPLIT_FLOATS` setting, available only +when `AFL_LLVM_LAF_SPLIT_COMPARES` is set. diff --git a/llvm_mode/README.whitelist.md b/llvm_mode/README.whitelist.md index 6a5770c2..72fb5d09 100644 --- a/llvm_mode/README.whitelist.md +++ b/llvm_mode/README.whitelist.md @@ -64,7 +64,7 @@ a2.cpp but it might lead to files being unwantedly instrumented if the same filename exists somewhere else in the project directories. -The created whitelist file is then set to AFL_INST_WHITELIST when you compile +The created whitelist file is then set to AFL_LLVM_WHITELIST when you compile your program. For each file that didn't match the whitelist, the compiler will issue a warning at the end stating that no blocks were instrumented. If you didn't intend to instrument that file, then you can safely ignore that warning. diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c index 142d6331..b2243492 100644 --- a/llvm_mode/afl-clang-fast.c +++ b/llvm_mode/afl-clang-fast.c @@ -3,7 +3,7 @@ ------------------------------------------------ Written by Laszlo Szekeres <lszekeres@google.com> and - Michal Zalewski <lcamtuf@google.com> + Michal Zalewski LLVM integration design comes from Laszlo Szekeres. @@ -32,11 +32,13 @@ #include <unistd.h> #include <stdlib.h> #include <string.h> +#include <limits.h> #include <assert.h> static u8* obj_path; /* Path to runtime libraries */ static u8** cc_params; /* Parameters passed to the real CC */ static u32 cc_par_cnt = 1; /* Param count, including argv0 */ +static u8 llvm_fullpath[PATH_MAX]; /* Try to find the runtime libraries. If that fails, abort. */ @@ -104,6 +106,7 @@ static void find_obj(u8* argv0) { static void edit_params(u32 argc, char** argv) { u8 fortify_set = 0, asan_set = 0, x_set = 0, maybe_linking = 1, bit_mode = 0; + u8 has_llvm_config = 0; u8* name; cc_params = ck_alloc((argc + 128) * sizeof(u8*)); @@ -112,23 +115,29 @@ static void edit_params(u32 argc, char** argv) { if (!name) name = argv[0]; else - name++; + ++name; + + has_llvm_config = (strlen(LLVM_BINDIR) > 0); if (!strcmp(name, "afl-clang-fast++")) { u8* alt_cxx = getenv("AFL_CXX"); - cc_params[0] = alt_cxx ? alt_cxx : (u8*)"clang++"; + if (has_llvm_config) snprintf(llvm_fullpath, sizeof(llvm_fullpath), "%s/clang++", LLVM_BINDIR); + else sprintf(llvm_fullpath, "clang++"); + cc_params[0] = alt_cxx ? alt_cxx : (u8*)llvm_fullpath; } else { u8* alt_cc = getenv("AFL_CC"); - cc_params[0] = alt_cc ? alt_cc : (u8*)"clang"; + if (has_llvm_config) snprintf(llvm_fullpath, sizeof(llvm_fullpath), "%s/clang", LLVM_BINDIR); + else sprintf(llvm_fullpath, "clang"); + cc_params[0] = alt_cc ? alt_cc : (u8*)llvm_fullpath; } /* There are three ways to compile with afl-clang-fast. In the traditional mode, we use afl-llvm-pass.so, then there is libLLVMInsTrim.so which is - much faster but has less coverage. Finally tere is the experimental + much faster but has less coverage. Finally there is the experimental 'trace-pc-guard' mode, we use native LLVM instrumentation callbacks instead. For trace-pc-guard see: http://clang.llvm.org/docs/SanitizerCoverage.html#tracing-pcs-with-guards @@ -273,6 +282,9 @@ static void edit_params(u32 argc, char** argv) { cc_params[cc_par_cnt++] = "-fno-builtin-strcasecmp"; cc_params[cc_par_cnt++] = "-fno-builtin-strncasecmp"; cc_params[cc_par_cnt++] = "-fno-builtin-memcmp"; + cc_params[cc_par_cnt++] = "-fno-builtin-bcmp"; + cc_params[cc_par_cnt++] = "-fno-builtin-strstr"; + cc_params[cc_par_cnt++] = "-fno-builtin-strcasestr"; } diff --git a/llvm_mode/afl-llvm-pass.so.cc b/llvm_mode/afl-llvm-pass.so.cc index 3ca5ccc4..0c68136b 100644 --- a/llvm_mode/afl-llvm-pass.so.cc +++ b/llvm_mode/afl-llvm-pass.so.cc @@ -3,7 +3,7 @@ --------------------------------------------------- Written by Laszlo Szekeres <lszekeres@google.com> and - Michal Zalewski <lcamtuf@google.com> + Michal Zalewski LLVM integration design comes from Laszlo Szekeres. C bits copied-and-pasted from afl-as.c are Michal's fault. @@ -34,6 +34,7 @@ #include <list> #include <string> #include <fstream> +#include <sys/time.h> #include "llvm/IR/DebugInfo.h" #include "llvm/IR/BasicBlock.h" @@ -95,8 +96,16 @@ bool AFLCoverage::runOnModule(Module &M) { IntegerType *Int8Ty = IntegerType::getInt8Ty(C); IntegerType *Int32Ty = IntegerType::getInt32Ty(C); + struct timeval tv; + struct timezone tz; + u32 rand_seed; unsigned int cur_loc = 0; + /* Setup random() so we get Actually Random(TM) outputs from AFL_R() */ + gettimeofday(&tv, &tz); + rand_seed = tv.tv_sec ^ tv.tv_usec ^ getpid(); + AFL_SR(rand_seed); + /* Show a banner */ char be_quiet = 0; @@ -181,6 +190,8 @@ bool AFLCoverage::runOnModule(Module &M) { } + (void)instLine; + /* Continue only if we know where we actually are */ if (!instFilename.str().empty()) { diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index 20b34336..5740fe42 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c @@ -3,7 +3,7 @@ --------------------------------------------------- Written by Laszlo Szekeres <lszekeres@google.com> and - Michal Zalewski <lcamtuf@google.com> + Michal Zalewski LLVM integration design comes from Laszlo Szekeres. diff --git a/llvm_mode/compare-transform-pass.so.cc b/llvm_mode/compare-transform-pass.so.cc index e1b6e671..0ccce875 100644 --- a/llvm_mode/compare-transform-pass.so.cc +++ b/llvm_mode/compare-transform-pass.so.cc @@ -234,6 +234,10 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp, ConstantInt *ilen = dyn_cast<ConstantInt>(op2); sizedLen = ilen->getZExtValue(); + } else { + + sizedLen = 0; + } if (HasStr1) { diff --git a/llvm_mode/split-compares-pass.so.cc b/llvm_mode/split-compares-pass.so.cc index f1a0f94e..60420f77 100644 --- a/llvm_mode/split-compares-pass.so.cc +++ b/llvm_mode/split-compares-pass.so.cc @@ -50,6 +50,8 @@ class SplitComparesTransform : public ModulePass { } private: + int enableFPSplit; + size_t splitIntCompares(Module &M, unsigned bitw); size_t splitFPCompares(Module &M); bool simplifyCompares(Module &M); @@ -101,10 +103,11 @@ bool SplitComparesTransform::simplifyCompares(Module &M) { } - if (selectcmpInst->getPredicate() == CmpInst::FCMP_OGE || + if (enableFPSplit && ( + selectcmpInst->getPredicate() == CmpInst::FCMP_OGE || selectcmpInst->getPredicate() == CmpInst::FCMP_UGE || selectcmpInst->getPredicate() == CmpInst::FCMP_OLE || - selectcmpInst->getPredicate() == CmpInst::FCMP_ULE) { + selectcmpInst->getPredicate() == CmpInst::FCMP_ULE)) { auto op0 = selectcmpInst->getOperand(0); auto op1 = selectcmpInst->getOperand(1); @@ -115,6 +118,8 @@ bool SplitComparesTransform::simplifyCompares(Module &M) { /* this is probably not needed but we do it anyway */ if (TyOp0 != TyOp1) { continue; } + if (TyOp0->isArrayTy() || TyOp0->isVectorTy()) { continue; } + fcomps.push_back(selectcmpInst); } @@ -476,6 +481,8 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) { if (TyOp0 != TyOp1) { continue; } + if (TyOp0->isArrayTy() || TyOp0->isVectorTy()) { continue; } + fcomps.push_back(selectcmpInst); } @@ -1039,6 +1046,8 @@ bool SplitComparesTransform::runOnModule(Module &M) { char *bitw_env = getenv("LAF_SPLIT_COMPARES_BITW"); if (!bitw_env) bitw_env = getenv("AFL_LLVM_LAF_SPLIT_COMPARES_BITW"); if (bitw_env) { bitw = atoi(bitw_env); } + + enableFPSplit = getenv("AFL_LLVM_LAF_SPLIT_FLOATS") != NULL; simplifyCompares(M); @@ -1048,8 +1057,9 @@ bool SplitComparesTransform::runOnModule(Module &M) { errs() << "Split-compare-pass by laf.intel@gmail.com, extended by " "heiko@hexco.de\n"; - errs() << "Split-floatingpoint-compare-pass: " << splitFPCompares(M) - << " FP comparisons splitted\n"; + if (enableFPSplit) + errs() << "Split-floatingpoint-compare-pass: " << splitFPCompares(M) + << " FP comparisons splitted\n"; switch (bitw) { |