-rw-r--r--docs/FAQ.md9
-rw-r--r--llvm_mode/afl-llvm-rt.o.c21
2 files changed, 26 insertions, 4 deletions
diff --git a/docs/FAQ.md b/docs/FAQ.md
index ee221d02..c15cd484 100644
--- a/docs/FAQ.md
+++ b/docs/FAQ.md
@@ -103,10 +103,11 @@ afl-clang-fast PCGUARD and afl-clang-lto LTO instrumentation!
      b) For PCGUARD instrumented binaries it is much more difficult. Here you
         can either modify the __sanitizer_cov_trace_pc_guard function in
         llvm_mode/afl-llvm-rt.o.c to write a backtrace to a file if the ID in
-        __afl_area_ptr[*guard] is one of the unstable edge IDs. Then recompile
-        and reinstall llvm_mode and rebuild your target. Run the recompiled
-	target with afl-fuzz for a while and then check the file that you
-        wrote with the backtrace information.
+        __afl_area_ptr[*guard] is one of the unstable edge IDs.
+        (Example code is already there).
+        Then recompile and reinstall llvm_mode and rebuild your target.
+        Run the recompiled target with afl-fuzz for a while and then check the
+        file that you wrote with the backtrace information.
         Alternatively you can use `gdb` to hook __sanitizer_cov_trace_pc_guard_init
         on start, check to which memory address the edge ID value is written
         and set a write breakpoint to that address (`watch 0x.....`).
diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c
index c0ed1bcf..c2859d9c 100644
--- a/llvm_mode/afl-llvm-rt.o.c
+++ b/llvm_mode/afl-llvm-rt.o.c
@@ -859,6 +859,27 @@ __attribute__((constructor(CONST_PRIO))) void __afl_auto_init(void) {
 
 void __sanitizer_cov_trace_pc_guard(uint32_t *guard) {
 
+ // For stability analysis, if you want to know to which function unstable
+ // edge IDs belong to - uncomment, recompile+install llvm_mode, recompile
+ // the target. libunwind and libbacktrace are better solutions.
+ // Set AFL_DEBUG_CHILD_OUTPUT=1 and run afl-fuzz with 2>file to capture
+ // the backtrace output
+ /*
+ uint32_t unstable[] = { ... unstable edge IDs };
+ uint32_t idx;
+ char bt[1024];
+ for (idx = 0; i < sizeof(unstable)/sizeof(uint32_t); i++) {
+   if (unstable[idx] == __afl_area_ptr[*guard]) {
+     int bt_size = backtrace(bt, 256);
+     if (bt_size > 0) {
+       char **bt_syms = backtrace_symbols(bt, bt_size);
+       if (bt_syms)
+         fprintf(stderr, "DEBUG: edge=%u caller=%s\n", unstable[idx], bt_syms[0]);
+     }
+   }
+ }
+ */
+
   __afl_area_ptr[*guard]++;
 
 }
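Review bot: The example loop in the commented block will not compile as written once a user uncomments it: it declares `idx` but tests and increments `i`, and it passes `char bt[1024]` to `backtrace()`, which takes a `void **` frame array; `backtrace_symbols()` also mallocs its result, which is never freed, so a per-edge instrumentation callback would leak on every matching hit. The comparison `unstable[idx] == __afl_area_ptr[*guard]` looks off as well: the line right below increments `__afl_area_ptr[*guard]`, so that element is the hit counter, while the map index — presumably what afl-fuzz reports as an unstable edge ID — is `*guard` itself. `bt_syms[0]` is the frame of `__sanitizer_cov_trace_pc_guard` itself, so the instrumented caller the FAQ promises is frame 1, which needs `bt_size > 1`. Since the FAQ hunk above tells users to paste this in and run it, it should at least compile; a corrected version follows, which additionally needs `<execinfo.h>` and `<stdlib.h>` in scope (not visible from this hunk).
```c
void __sanitizer_cov_trace_pc_guard(uint32_t *guard) {

  /* … unchanged: explanatory comment … */
  /*
  uint32_t unstable[] = { ... unstable edge IDs };
  void *bt[256];
  for (uint32_t idx = 0; idx < sizeof(unstable) / sizeof(unstable[0]); idx++) {
    if (unstable[idx] == *guard) {   // *guard is the map index; __afl_area_ptr[*guard] is the hit count
      int bt_size = backtrace(bt, 256);
      if (bt_size > 1) {             // frame 0 is this function, frame 1 the instrumented caller
        char **bt_syms = backtrace_symbols(bt, bt_size);
        if (bt_syms) {
          fprintf(stderr, "DEBUG: edge=%u caller=%s\n", unstable[idx], bt_syms[1]);
          free(bt_syms);             // backtrace_symbols() returns a malloc'd array
        }
      }
    }
  }
  */

  __afl_area_ptr[*guard]++;
```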