Diffstat (limited to 'llvm_mode/afl-llvm-rt.o.c')
-rw-r--r-- | llvm_mode/afl-llvm-rt.o.c | 126 |
1 files changed, 125 insertions, 1 deletions
diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c
index a5602501..a8ed44fa 100644
--- a/llvm_mode/afl-llvm-rt.o.c
+++ b/llvm_mode/afl-llvm-rt.o.c
@@ -25,6 +25,7 @@
 #endif
 #include "config.h"
 #include "types.h"
+#include "cmplog.h"
 #include <stdio.h>
 #include <stdlib.h>
@@ -32,6 +33,7 @@
 #include <unistd.h>
 #include <string.h>
 #include <assert.h>
+#include <stdint.h>
 #include <sys/mman.h>
 #include <sys/shm.h>
@@ -64,6 +66,9 @@ u32 __afl_prev_loc;
 __thread u32 __afl_prev_loc;
 #endif
+struct cmp_map* __afl_cmp_map;
+__thread u32 __afl_cmp_counter;
+
 /* Running in persistent mode? */
 static u8 is_persistent;
@@ -123,6 +128,27 @@ static void __afl_map_shm(void) {
 __afl_area_ptr[0] = 1;
 }
+
+ if (getenv("__AFL_CMPLOG_MODE__")) {
+
+ id_str = getenv(CMPLOG_SHM_ENV_VAR);
+
+ if (id_str) {
+
+ u32 shm_id = atoi(id_str);
+
+ __afl_cmp_map = shmat(shm_id, NULL, 0);
+
+ if (__afl_cmp_map == (void*)-1) _exit(1);
+
+ }
+
+ } else if (getenv("AFL_CMPLOG")) {
+
+ // during compilation, do this to avoid segfault
+ __afl_cmp_map = calloc(sizeof(struct cmp_map), 1);
+
+ }
 }
@@ -135,7 +161,7 @@ static void __afl_start_forkserver(void) {
 u8 child_stopped = 0;
- void (*old_sigchld_handler)(int) = signal(SIGCHLD, SIG_DFL);
+ void (*old_sigchld_handler)(int)=0;// = signal(SIGCHLD, SIG_DFL);
 /* Phone home and tell the parent that we're OK. If parent isn't there, assume we're not running in forkserver mode and just execute program. */
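Review bot: `__thread u32 __afl_cmp_counter;` is dead storage as committed: the only reference to it anywhere in this patch is the commented-out `cnt` assignment inside the new `__sanitizer_cov_trace_cmp2`, so nothing reads or writes it. Either drop the declaration until the `cnt` bookkeeping lands, or say what it is reserved for, e.g. `/* per-thread id allocator for headers[].cnt; not yet wired up */`. Note that `__afl_cmp_map` itself is deliberately not `__thread`, so every thread of a multi-threaded target writes into one shared map; that is a reasonable fuzzing trade-off but deserves a one-line comment here so nobody "fixes" the asymmetry later.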
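Review bot: The new attach block can leave `__afl_cmp_map` NULL in two cases it does not cover — `__AFL_CMPLOG_MODE__` set but `CMPLOG_SHM_ENV_VAR` absent, and neither variable set at all — while the `calloc` fallback only triggers when `AFL_CMPLOG` happens to be exported at run time, so the "avoid segfault" comment describes a narrower guarantee than it suggests and the trace hooks added later in this patch write through the pointer unconditionally. The fallback's own result is also unchecked, and the shm id is parsed with `atoi`, which gives 0 for any garbage and cannot signal an error. I would tighten the fallback to `__afl_cmp_map = calloc(1, sizeof(struct cmp_map)); if (!__afl_cmp_map) _exit(1);` and reword the comment to what the code actually does: `// No afl-fuzz shm id was handed over (e.g. the target is executed during the build with AFL_CMPLOG exported): give the hooks a private heap map so they do not fault.` The enclosing `__afl_map_shm` starts before this hunk, so whether `id_str` and the earlier `SHM_ENV_VAR` handling follow the same `_exit(1)` convention is not visible here.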
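Review bot: `void (*old_sigchld_handler)(int)=0;// = signal(SIGCHLD, SIG_DFL);` replaces the SIGCHLD reset with commented-out code and no rationale, so the next reader cannot tell a deliberate change from a debugging leftover. If the remainder of `__afl_start_forkserver` (outside this hunk) still restores the handler with `signal(SIGCHLD, old_sigchld_handler)`, it now installs handler 0 — `SIG_DFL` on glibc — instead of whatever the target had installed, and a target that set `SIG_IGN` for SIGCHLD will have its children auto-reaped, so the fork server's `waitpid` can fail with `ECHILD`; that is presumably what the removed line guarded against. Either keep `signal(SIGCHLD, SIG_DFL)` or delete the dead text and state the reason in a comment such as `/* SIGCHLD is intentionally left untouched here because ... */`.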
@@ -296,6 +322,104 @@ __attribute__((constructor(CONST_PRIO))) void __afl_auto_init(void) { } +///// CmpLog instrumentation + +void __sanitizer_cov_trace_cmp1(uint8_t Arg1, uint8_t Arg2) { + return; +} + +void __sanitizer_cov_trace_cmp2(uint16_t Arg1, uint16_t Arg2) { + + uintptr_t k = (uintptr_t)__builtin_return_address(0); + k = (k >> 4) ^ (k << 8); + k &= CMP_MAP_W - 1; + + u32 hits = __afl_cmp_map->headers[k].hits; + __afl_cmp_map->headers[k].hits = hits+1; + // if (!__afl_cmp_map->headers[k].cnt) + // __afl_cmp_map->headers[k].cnt = __afl_cmp_counter++; + + __afl_cmp_map->headers[k].shape = 1; + //__afl_cmp_map->headers[k].type = CMP_TYPE_INS; + + hits &= CMP_MAP_H -1; + __afl_cmp_map->log[k][hits].v0 = Arg1; + __afl_cmp_map->log[k][hits].v1 = Arg2; + +} + +void __sanitizer_cov_trace_cmp4(uint32_t Arg1, uint32_t Arg2) { + + uintptr_t k = (uintptr_t)__builtin_return_address(0); + k = (k >> 4) ^ (k << 8); + k &= CMP_MAP_W - 1; + + u32 hits = __afl_cmp_map->headers[k].hits; + __afl_cmp_map->headers[k].hits = hits+1; + + __afl_cmp_map->headers[k].shape = 3; + + hits &= CMP_MAP_H -1; + __afl_cmp_map->log[k][hits].v0 = Arg1; + __afl_cmp_map->log[k][hits].v1 = Arg2; + +} + +void __sanitizer_cov_trace_cmp8(uint64_t Arg1, uint64_t Arg2) { + + uintptr_t k = (uintptr_t)__builtin_return_address(0); + k = (k >> 4) ^ (k << 8); + k &= CMP_MAP_W - 1; + + u32 hits = __afl_cmp_map->headers[k].hits; + __afl_cmp_map->headers[k].hits = hits+1; + + __afl_cmp_map->headers[k].shape = 7; + + hits &= CMP_MAP_H -1; + __afl_cmp_map->log[k][hits].v0 = Arg1; + __afl_cmp_map->log[k][hits].v1 = Arg2; + +} + +#if defined(__APPLE__) +#pragma weak __sanitizer_cov_trace_const_cmp1 = __sanitizer_cov_trace_cmp1 +#pragma weak __sanitizer_cov_trace_const_cmp2 = __sanitizer_cov_trace_cmp2 +#pragma weak __sanitizer_cov_trace_const_cmp4 = __sanitizer_cov_trace_cmp4 +#pragma weak __sanitizer_cov_trace_const_cmp8 = __sanitizer_cov_trace_cmp8 +#else +void __sanitizer_cov_trace_const_cmp1(uint8_t Arg1, 
uint8_t Arg2) + __attribute__((alias("__sanitizer_cov_trace_cmp1"))); +void __sanitizer_cov_trace_const_cmp2(uint16_t Arg1, uint16_t Arg2) + __attribute__((alias("__sanitizer_cov_trace_cmp2"))); +void __sanitizer_cov_trace_const_cmp4(uint32_t Arg1, uint32_t Arg2) + __attribute__((alias("__sanitizer_cov_trace_cmp4"))); +void __sanitizer_cov_trace_const_cmp8(uint64_t Arg1, uint64_t Arg2) + __attribute__((alias("__sanitizer_cov_trace_cmp8"))); +#endif /* defined(__APPLE__) */ + +void __sanitizer_cov_trace_switch(uint64_t Val, uint64_t* Cases) { + + for (uint64_t i = 0; i < Cases[0]; i++) { + + uintptr_t k = (uintptr_t)__builtin_return_address(0) +i; + k = (k >> 4) ^ (k << 8); + k &= CMP_MAP_W - 1; + + u32 hits = __afl_cmp_map->headers[k].hits; + __afl_cmp_map->headers[k].hits = hits+1; + + __afl_cmp_map->headers[k].shape = 7; + + hits &= CMP_MAP_H -1; + __afl_cmp_map->log[k][hits].v0 = Val; + __afl_cmp_map->log[k][hits].v1 = Cases[i + 2]; + + } + +} + + /* The following stuff deals with supporting -fsanitize-coverage=trace-pc-guard. It remains non-operational in the traditional, plugin-backed LLVM mode. For more info about 'trace-pc-guard', see README.llvm. |
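Review bot: Every new hook dereferences `__afl_cmp_map` unconditionally (`__afl_cmp_map->headers[k].hits` in `__sanitizer_cov_trace_cmp2`, `cmp4`, `cmp8` and `_switch`), yet the attach code earlier in this patch leaves the pointer NULL whenever neither `__AFL_CMPLOG_MODE__` nor `AFL_CMPLOG` is in the environment or the shm id variable is missing, so a cmplog-instrumented binary run on its own (e.g. to reproduce a crash) faults on its first compare. The three fixed-width hooks are also the same eleven lines repeated with only the `shape` constant (1, 3, 7 — operand bytes minus one) changing, and the empty `uint8_t` hook plus the commented-out `cnt`/`type` lines say nothing about why 1-byte compares are dropped. A static helper taking the caller's return address and the shape fixes both, as sketched below; in `__sanitizer_cov_trace_switch` the same helper serves per case, and if `Cases[1]` carries the operand width in bits as in the sanitizer-coverage ABI, the hard-coded `shape = 7` could become `(Cases[1] >> 3) - 1` — confirm against the consumer side in `cmplog.h`. Note too that `k &= CMP_MAP_W - 1` and `hits &= CMP_MAP_H - 1` silently require both constants (defined in `cmplog.h`, not visible here) to be powers of two.
```c
/* Log one compare at the slot derived from the caller's return address.
   A no-op when no cmplog map is attached, so a plain run of the binary
   (no afl-fuzz shm handed over) does not fault. */
static inline void __afl_cmp_log(uintptr_t ret, u32 shape, uint64_t arg1,
                                 uint64_t arg2) {

  if (!__afl_cmp_map) return;

  uintptr_t k = ((ret >> 4) ^ (ret << 8)) & (CMP_MAP_W - 1);
  u32 hits = __afl_cmp_map->headers[k].hits++;
  __afl_cmp_map->headers[k].shape = shape;  /* operand size in bytes minus one */

  hits &= CMP_MAP_H - 1;
  __afl_cmp_map->log[k][hits].v0 = arg1;
  __afl_cmp_map->log[k][hits].v1 = arg2;

}

void __sanitizer_cov_trace_cmp1(uint8_t Arg1, uint8_t Arg2) {
  /* 1-byte compares are intentionally not logged -- TODO: state why */
}

void __sanitizer_cov_trace_cmp2(uint16_t Arg1, uint16_t Arg2) {
  __afl_cmp_log((uintptr_t)__builtin_return_address(0), 1, Arg1, Arg2);
}

/* … cmp4 / cmp8: same one-line call with shape 3 / 7 … */
/* … unchanged: const_cmp aliases / #pragma weak block … */

void __sanitizer_cov_trace_switch(uint64_t Val, uint64_t* Cases) {
  uintptr_t ret = (uintptr_t)__builtin_return_address(0);
  for (uint64_t i = 0; i < Cases[0]; i++)
    __afl_cmp_log(ret + i, 7, Val, Cases[i + 2]);
}
```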