about summary refs log tree commit diff
path: root/instrumentation
diff options
context:
space:
mode:
Diffstat (limited to 'instrumentation')
-rw-r--r--instrumentation/README.llvm.md2
-rw-r--r--instrumentation/README.lto.md20
-rw-r--r--instrumentation/README.persistent_mode.md17
-rw-r--r--instrumentation/afl-compiler-rt.o.c7
-rw-r--r--instrumentation/afl-llvm-lto-instrumentation.so.cc17
5 files changed, 32 insertions, 31 deletions
diff --git a/instrumentation/README.llvm.md b/instrumentation/README.llvm.md
index 2d428e6d..6e210a7c 100644
--- a/instrumentation/README.llvm.md
+++ b/instrumentation/README.llvm.md
@@ -6,7 +6,7 @@
 
 ## 1) Introduction
 
-! llvm_mode works with llvm versions 3.8 up to 12 !
+! llvm_mode works with llvm versions 3.8 up to 13 !
 
 The code in this directory allows you to instrument programs for AFL using
 true compiler-level instrumentation, instead of the more crude
diff --git a/instrumentation/README.lto.md b/instrumentation/README.lto.md
index 38252308..6174cdc0 100644
--- a/instrumentation/README.lto.md
+++ b/instrumentation/README.lto.md
@@ -60,12 +60,12 @@ AUTODICTIONARY: 11 strings found
 
 ## Getting llvm 11+
 
-### Installing llvm version 11
+### Installing llvm version 11 or 12
 
-llvm 11 should be available in all current Linux repositories.
+llvm 11 or even 12 should be available in all current Linux repositories.
 If you use an outdated Linux distribution read the next section.
 
-### Installing llvm from the llvm repository (version 12)
+### Installing llvm from the llvm repository (version 12+)
 
 Installing the llvm snapshot builds is easy and mostly painless:
 
@@ -85,7 +85,7 @@ apt-get install -y clang-12 clang-tools-12 libc++1-12 libc++-12-dev \
     libomp5-12 lld-12 lldb-12 llvm-12 llvm-12-dev llvm-12-runtime llvm-12-tools
 ```
 
-### Building llvm yourself (version 12)
+### Building llvm yourself (version 12+)
 
 Building llvm from github takes quite some long time and is not painless:
 ```sh
@@ -146,22 +146,22 @@ afl-clang-lto instead of shared libraries!
 To make instrumented shared libraries work with afl-clang-lto you have to do
 quite some extra steps.
 
-Every shared library you want to instrument has to be individually compiled-
+Every shared library you want to instrument has to be individually compiled.
 The environment variable `AFL_LLVM_LTO_DONTWRITEID=1` has to be set during
 compilation.
 Additionally the environment variable `AFL_LLVM_LTO_STARTID` has to be set to
-the combined edge values of all previous compiled instrumented shared
+the added edge count values of all previous compiled instrumented shared
 libraries for that target.
 E.g. for the first shared library this would be `AFL_LLVM_LTO_STARTID=0` and
 afl-clang-lto will then report how many edges have been instrumented (let's say
 it reported 1000 instrumented edges).
 The second shared library then has to be set to that value
-(`AFL_LLVM_LTO_STARTID=1000` in our example), the third to all previous
-combined, etc.
+(`AFL_LLVM_LTO_STARTID=1000` in our example), for the third to all previous
+counts added, etc.
 
 The final program compilation step then may *not* have `AFL_LLVM_LTO_DONTWRITEID`
-set, and `AFL_LLVM_LTO_STARTID` must be set to all combined edges of all shared
-libaries it will be linked to.
+set, and `AFL_LLVM_LTO_STARTID` must be set to all edge counts added of all shared
+libraries it will be linked to.
 
 This is quite some hands-on work, so better stay away from instrumenting
 shared libraries :-)
diff --git a/instrumentation/README.persistent_mode.md b/instrumentation/README.persistent_mode.md
index 0517886b..c6ba2103 100644
--- a/instrumentation/README.persistent_mode.md
+++ b/instrumentation/README.persistent_mode.md
@@ -2,17 +2,18 @@
 
 ## 1) Introduction
 
-In persistent mode, AFL++ fuzzes a target multiple times
-in a single process, instead of forking a new process for each fuzz execution.
-This is the most effective way to fuzz, as the speed can easily
-be x10 or x20 times faster without any disadvanges.
+In persistent mode, AFL++ fuzzes a target multiple times in a single forked
+process, instead of forking a new process for each fuzz execution.
+This is the most effective way to fuzz, as the speed can easily be x10 or x20
+times faster without any disadvanges.
 *All professional fuzzing uses this mode.*
 
-
 Persistent mode requires that the target can be called in one or more functions,
-and that its state can be reset so that multiple calls can be performed
-without resource leaks and earlier runs will have no impact on future runs
-(this can be seen by the `stability` indicator in the `afl-fuzz` UI).
+and that it's state can be completely reset so that multiple calls can be
+performed without resource leaks, and that earlier runs will have no impact on
+future runs (an indicator for this is the `stability` value in the `afl-fuzz`
+UI, if this decreases to lower values in persistent mode compared to
+non-persistent mode, that the fuzz target keeps state).
 
 Examples can be found in [utils/persistent_mode](../utils/persistent_mode).
 
diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c
index 18b0a55b..9acab4e7 100644
--- a/instrumentation/afl-compiler-rt.o.c
+++ b/instrumentation/afl-compiler-rt.o.c
@@ -1273,7 +1273,12 @@ __attribute__((constructor(1))) void __afl_auto_second(void) {
   if (__afl_already_initialized_second) return;
   __afl_already_initialized_second = 1;
 
-  if (getenv("AFL_DEBUG")) { __afl_debug = 1; }
+  if (getenv("AFL_DEBUG")) {
+
+    __afl_debug = 1;
+    fprintf(stderr, "DEBUG: debug enabled\n");
+
+  }
 
   if (getenv("AFL_DISABLE_LLVM_INSTRUMENTATION")) return;
   u8 *ptr;
diff --git a/instrumentation/afl-llvm-lto-instrumentation.so.cc b/instrumentation/afl-llvm-lto-instrumentation.so.cc
index d685e76c..73e41f60 100644
--- a/instrumentation/afl-llvm-lto-instrumentation.so.cc
+++ b/instrumentation/afl-llvm-lto-instrumentation.so.cc
@@ -28,6 +28,7 @@
 #include <sys/time.h>
 
 #include <list>
+#include <memory>
 #include <string>
 #include <fstream>
 #include <set>
@@ -1014,13 +1015,7 @@ bool AFLLTOPass::runOnModule(Module &M) {
 
       if (count) {
 
-        if ((ptr = (char *)malloc(memlen + count)) == NULL) {
-
-          fprintf(stderr, "Error: malloc for %zu bytes failed!\n",
-                  memlen + count);
-          exit(-1);
-
-        }
+        auto ptrhld = std::unique_ptr<char []>(new char[memlen + count]);
 
         count = 0;
 
@@ -1029,8 +1024,8 @@ bool AFLLTOPass::runOnModule(Module &M) {
 
           if (offset + token.length() < 0xfffff0 && count < MAX_AUTO_EXTRAS) {
 
-            ptr[offset++] = (uint8_t)token.length();
-            memcpy(ptr + offset, token.c_str(), token.length());
+            ptrhld.get()[offset++] = (uint8_t)token.length();
+            memcpy(ptrhld.get() + offset, token.c_str(), token.length());
             offset += token.length();
             count++;
 
@@ -1050,10 +1045,10 @@ bool AFLLTOPass::runOnModule(Module &M) {
         GlobalVariable *AFLInternalDictionary = new GlobalVariable(
             M, ArrayTy, true, GlobalValue::ExternalLinkage,
             ConstantDataArray::get(C,
-                                   *(new ArrayRef<char>((char *)ptr, offset))),
+                                   *(new ArrayRef<char>(ptrhld.get(), offset))),
             "__afl_internal_dictionary");
         AFLInternalDictionary->setInitializer(ConstantDataArray::get(
-            C, *(new ArrayRef<char>((char *)ptr, offset))));
+            C, *(new ArrayRef<char>(ptrhld.get(), offset))));
         AFLInternalDictionary->setConstant(true);
 
         GlobalVariable *AFLDictionary = new GlobalVariable(
generated by cgit-pink 1.4.1 (git 2.36.1) at 2025-11-16 09:52:04 +0000