From cd4243b6addbb36306c27f507f940f63209c111b Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 19 Mar 2020 23:40:45 +0100 Subject: update doc --- docs/Changelog.md | 4 ++++ docs/ideas.md | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) (limited to 'docs') diff --git a/docs/Changelog.md b/docs/Changelog.md index e1f3cd7e..1fb78625 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -11,6 +11,10 @@ sending a mail to . ### Version ++2.62d (develop): + ! the repository was moved from vanhauser-thc to AFLplusplus. It is now + an own organisation :) + ! development and acceptance of PRs now happen only in the dev branch + and only occasional when everything is fine we PR to master - all: - big code changes to make afl-fuzz thread-safe so afl-fuzz can spawn multiple fuzzing threads in the future or even become a library diff --git a/docs/ideas.md b/docs/ideas.md index 44dcccb2..686c262d 100644 --- a/docs/ideas.md +++ b/docs/ideas.md @@ -33,7 +33,7 @@ This is an excellent mutations scheduler based on Particle Swarm Optimization but the current implementation schedule only the mutations that were present on AFL. -AFL++ added a lost of optional mutators like the Input-2-State one based +AFL++ added a lot of optional mutators like the Input-2-State one based on Redqueen, the Radamsa mutator, the Custom mutator (the user can define its own mutator) and the work is to generalize MOpt for all the current and future mutators. -- cgit 1.4.1 From 29853549c3c12b4ebd4c2af4f0d728a13f30a727 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 20 Mar 2020 08:54:09 +0100 Subject: add RARE schedule. also fixes doc_path --- README.md | 5 +++-- docs/Changelog.md | 9 +++++---- docs/power_schedules.md | 1 + include/afl-fuzz.h | 1 + include/android-ashmem.h | 0 src/afl-fuzz-globals.c | 5 +++-- src/afl-fuzz-queue.c | 49 ++++++++++++++++++++++++++++++++++++------------ src/afl-fuzz-stats.c | 25 +++++++++++++----------- src/afl-fuzz.c | 13 +++++++++---- 9 files changed, 73 insertions(+), 35 deletions(-) mode change 100755 => 100644 include/android-ashmem.h (limited to 'docs') diff --git a/README.md b/README.md index ca321f31..5125928e 100644 --- a/README.md +++ b/README.md @@ -32,7 +32,7 @@ * [dev](https://github.com/AFLplusplus/AFLplusplus/tree/dev) : development state of afl++ - bleeding edge and you might catch a checkout which does not compile or has a bug. *We only accept PRs in dev!!* * (any other) : experimental branches to work on specific features or testing - new functionality or changes + new functionality or changes. For releases, please see the [Releases](https://github.com/AFLplusplus/AFLplusplus/releases) tab. @@ -365,7 +365,8 @@ The available schedules are: - quad - lin - exploit - - mmopt + - mmopt (experimental) + - rare (experimental) In parallel mode (-M/-S, several instances with shared queue), we suggest to run the master using the explore or fast schedule (-p explore) and the slaves diff --git a/docs/Changelog.md b/docs/Changelog.md index 1fb78625..3eb5d329 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -24,10 +24,11 @@ sending a mail to . - python mutator modules and custom mutator modules now use the same interface and hence the API changed - AFL_AUTORESUME will resume execution without the need to specify `-i -` - - added experimental power schedule -p mmopt that ignores the runtime of - queue entries and gives higher weighting to the last 5 queue entries - it is currently experimental and subject to change but preliminary - results are good + - added experimental power schedules (-p): + - mmopt: ignores runtime of queue entries, gives higher weighting to + the last 5 queue entries + - rare: puts focus on queue entries that hits rare branches, also ignores + runtime - LTO collision free instrumented added in llvm_mode with afl-clang-lto - note that this mode is amazing, but quite some targets won't compile - llvm_mode InsTrim mode: diff --git a/docs/power_schedules.md b/docs/power_schedules.md index cdada0f6..c69c64d2 100644 --- a/docs/power_schedules.md +++ b/docs/power_schedules.md @@ -20,6 +20,7 @@ We find that AFL's exploitation-based constant schedule assigns **too much energ | `-p lin` | ![LIN](http://latex.codecogs.com/gif.latex?p%28i%29%20%3D%20%5Cmin%5Cleft%28%5Cfrac%7B%5Calpha%28i%29%7D%7B%5Cbeta%7D%5Ccdot%5Cfrac%7Bs%28i%29%7D%7Bf%28i%29%7D%2CM%5Cright%29) | | `-p exploit` (AFL) | ![LIN](http://latex.codecogs.com/gif.latex?p%28i%29%20%3D%20%5Calpha%28i%29) | | `-p mmopt` | Experimental: `explore` with no weighting to runtime and increased weighting on the last 5 queue entries | +| `-p rare` | Experimental: `rare` puts focus on queue entries that hit rare edges | where *α(i)* is the performance score that AFL uses to compute for the seed input *i*, *β(i)>1* is a constant, *s(i)* is the number of times that seed *i* has been chosen from the queue, *f(i)* is the number of generated inputs that exercise the same path as seed *i*, and *μ* is the average number of generated inputs exercising a path. More details can be found in the paper that was accepted at the [23rd ACM Conference on Computer and Communications Security (CCS'16)](https://www.sigsac.org/ccs/CCS2016/accepted-papers/). diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 1a798239..1d83f335 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -235,6 +235,7 @@ enum { /* 04 */ QUAD, /* Quadratic schedule */ /* 05 */ EXPLOIT, /* AFL's exploitation-based const. */ /* 06 */ MMOPT, /* Modified MOPT schedule */ + /* 07 */ RARE, /* Rare edges */ POWER_SCHEDULES_NUM diff --git a/include/android-ashmem.h b/include/android-ashmem.h old mode 100755 new mode 100644 diff --git a/src/afl-fuzz-globals.c b/src/afl-fuzz-globals.c index dbd8c835..88633a1b 100644 --- a/src/afl-fuzz-globals.c +++ b/src/afl-fuzz-globals.c @@ -30,8 +30,9 @@ s8 interesting_8[] = {INTERESTING_8}; s16 interesting_16[] = {INTERESTING_8, INTERESTING_16}; s32 interesting_32[] = {INTERESTING_8, INTERESTING_16, INTERESTING_32}; -char *power_names[POWER_SCHEDULES_NUM] = {"explore", "fast", "coe", "lin", - "quad", "exploit", "mmopt"}; +char *power_names[POWER_SCHEDULES_NUM] = { + + "explore", "fast", "coe", "lin", "quad", "exploit", "mmopt", "rare"}; u8 *doc_path = NULL; /* gath to documentation dir */ diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c index 8a995727..f49e1f1e 100644 --- a/src/afl-fuzz-queue.c +++ b/src/afl-fuzz-queue.c @@ -185,12 +185,16 @@ void destroy_queue(afl_state_t *afl) { void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) { u32 i; - u64 fav_factor = q->exec_us * q->len; + u64 fav_factor; u64 fuzz_p2 = next_p2(q->n_fuzz); + if (afl->schedule == MMOPT || afl->schedule == RARE) + fav_factor = q->len << 2; + else + fav_factor = q->exec_us * q->len; + /* For every byte set in afl->fsrv.trace_bits[], see if there is a previous winner, and how it compares to us. */ - for (i = 0; i < MAP_SIZE; ++i) if (afl->fsrv.trace_bits[i]) { @@ -198,20 +202,20 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) { if (afl->top_rated[i]) { /* Faster-executing or smaller test cases are favored. */ + u64 top_rated_fav_factor; u64 top_rated_fuzz_p2 = next_p2(afl->top_rated[i]->n_fuzz); - u64 top_rated_fav_factor = - afl->top_rated[i]->exec_us * afl->top_rated[i]->len; - if (fuzz_p2 > top_rated_fuzz_p2) { + if (afl->schedule == MMOPT || afl->schedule == RARE) + top_rated_fav_factor = afl->top_rated[i]->len << 2; + else + top_rated_fav_factor = + afl->top_rated[i]->exec_us * afl->top_rated[i]->len; + if (fuzz_p2 > top_rated_fuzz_p2) continue; - - } else if (fuzz_p2 == top_rated_fuzz_p2) { - + else if (fuzz_p2 == top_rated_fuzz_p2) if (fav_factor > top_rated_fav_factor) continue; - } - if (fav_factor > afl->top_rated[i]->exec_us * afl->top_rated[i]->len) continue; @@ -328,7 +332,7 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) { // Longer execution time means longer work on the input, the deeper in // coverage, the better the fuzzing, right? -mh - if (afl->schedule != MMOPT) { + if (afl->schedule != MMOPT && afl->schedule != RARE) { if (q->exec_us * 0.1 > avg_exec_us) perf_score = 10; @@ -448,8 +452,29 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) { break; case MMOPT: + /* -- this was a more complex setup, which is good, but competed with + -- rare. the simpler algo however is good when rare is not. + // the newer the entry, the higher the pref_score + perf_score *= (1 + (double)((double)q->depth / + (double)afl->queued_paths)); + // with special focus on the last 8 entries + if (afl->max_depth - q->depth < 8) perf_score *= (1 + ((8 - + (afl->max_depth - q->depth)) / 5)); + */ + // put focus on the last 5 entries + if (afl->max_depth - q->depth < 5) perf_score *= 2; + + break; + + case RARE: - if (afl->max_depth - q->depth < 5) perf_score *= 1.5; + // increase the score for every bitmap byte for which this entry + // is the top contender + perf_score += (q->tc_ref * 10); + // the more often fuzz result paths are equal to this queue entry, + // reduce its value + perf_score *= + (1 - (double)((double)q->n_fuzz / (double)afl->total_execs)); break; diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index dcd4f542..6ea6a8e9 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -32,9 +32,10 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, struct rusage rus; - u8 * fn = alloc_printf("%s/fuzzer_stats", afl->out_dir); - s32 fd; - FILE *f; + unsigned long long int cur_time = get_cur_time(); + u8 * fn = alloc_printf("%s/fuzzer_stats", afl->out_dir); + s32 fd; + FILE * f; fd = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600); @@ -69,6 +70,7 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, f, "start_time : %llu\n" "last_update : %llu\n" + "run_time : %llu\n" "fuzzer_pid : %d\n" "cycles_done : %llu\n" "execs_done : %llu\n" @@ -99,7 +101,8 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, "\n" "target_mode : %s%s%s%s%s%s%s%s\n" "command_line : %s\n", - afl->start_time / 1000, get_cur_time() / 1000, getpid(), + afl->start_time / 1000, cur_time / 1000, + (cur_time - afl->start_time) / 1000, getpid(), afl->queue_cycle ? (afl->queue_cycle - 1) : 0, afl->total_execs, /*eps,*/ afl->total_execs / ((double)(get_cur_time() - afl->start_time) / 1000), @@ -357,9 +360,9 @@ void show_stats(afl_state_t *afl) { /* Lord, forgive me this. */ - SAYF(SET_G1 bSTG bLT bH bSTOP cCYA + SAYF(SET_G1 bSTG bLT bH bSTOP cCYA " process timing " bSTG bH30 bH5 bH bHB bH bSTOP cCYA - " overall results " bSTG bH2 bH2 bRT "\n"); + " overall results " bSTG bH2 bH2 bRT "\n"); if (afl->dumb_mode) { @@ -441,9 +444,9 @@ void show_stats(afl_state_t *afl) { " uniq hangs : " cRST "%-6s" bSTG bV "\n", time_tmp, tmp); - SAYF(bVR bH bSTOP cCYA + SAYF(bVR bH bSTOP cCYA " cycle progress " bSTG bH10 bH5 bH2 bH2 bHB bH bSTOP cCYA - " map coverage " bSTG bH bHT bH20 bH2 bVL "\n"); + " map coverage " bSTG bH bHT bH20 bH2 bVL "\n"); /* This gets funny because we want to print several variable-length variables together, but then cram them into a fixed-width field - so we need to @@ -472,9 +475,9 @@ void show_stats(afl_state_t *afl) { SAYF(bSTOP " count coverage : " cRST "%-21s" bSTG bV "\n", tmp); - SAYF(bVR bH bSTOP cCYA + SAYF(bVR bH bSTOP cCYA " stage progress " bSTG bH10 bH5 bH2 bH2 bX bH bSTOP cCYA - " findings in depth " bSTG bH10 bH5 bH2 bH2 bVL "\n"); + " findings in depth " bSTG bH10 bH5 bH2 bH2 bVL "\n"); sprintf(tmp, "%s (%0.02f%%)", DI(IB(0), afl->queued_favored), ((double)afl->queued_favored) * 100 / afl->queued_paths); @@ -546,7 +549,7 @@ void show_stats(afl_state_t *afl) { /* Aaaalmost there... hold on! */ - SAYF(bVR bH cCYA bSTOP + SAYF(bVR bH cCYA bSTOP " fuzzing strategy yields " bSTG bH10 bHT bH10 bH5 bHB bH bSTOP cCYA " path geometry " bSTG bH5 bH2 bVL "\n"); diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 10fee76c..15caa65f 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -96,8 +96,8 @@ static void usage(afl_state_t *afl, u8 *argv0, int more_help) { "Execution control settings:\n" " -p schedule - power schedules recompute a seed's performance " "score.\n" - " \n" + " \n" " see docs/power_schedules.md\n" " -f file - location read by the fuzzed program (stdin)\n" " -t msec - timeout for each run (auto-scaled, 50-%d ms)\n" @@ -250,7 +250,7 @@ int main(int argc, char **argv_orig, char **envp) { SAYF(cCYA "afl-fuzz" VERSION cRST " based on afl by Michal Zalewski and a big online community\n"); - doc_path = access(DOC_PATH, F_OK) ? (u8 *)"docs" : doc_path; + doc_path = access(DOC_PATH, F_OK) != 0 ? (u8 *)"docs" : (u8 *)DOC_PATH; gettimeofday(&tv, &tz); afl->init_seed = tv.tv_sec ^ tv.tv_usec ^ getpid(); @@ -304,6 +304,10 @@ int main(int argc, char **argv_orig, char **envp) { afl->schedule = MMOPT; + } else if (!stricmp(optarg, "rare")) { + + afl->schedule = RARE; + } else if (!stricmp(optarg, "explore") || !stricmp(optarg, "default") || !stricmp(optarg, "normal") || !stricmp(optarg, "afl")) { @@ -760,8 +764,9 @@ int main(int argc, char **argv_orig, char **envp) { case LIN: OKF("Using linear power schedule (LIN)"); break; case QUAD: OKF("Using quadratic power schedule (QUAD)"); break; case MMOPT: OKF("Using modified MOpt power schedule (MMOPT)"); break; + case RARE: OKF("Using rare edge focus power schedule (RARE)"); break; case EXPLORE: - OKF("Using exploration-based constant power schedule (EXPLORE)"); + OKF("Using exploration-based constant power schedule (EXPLORE, default)"); break; default: FATAL("Unknown power schedule"); break; -- cgit 1.4.1 From 5532fc1102f0df69ec807fcdbf2b001c2e16ed08 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 20 Mar 2020 09:28:43 +0100 Subject: added missing descriptions of entries in fuzzer_stats --- docs/notes_for_asan.md | 3 +++ docs/status_screen.md | 51 ++++++++++++++++++++++++++++++-------------------- 2 files changed, 34 insertions(+), 20 deletions(-) (limited to 'docs') diff --git a/docs/notes_for_asan.md b/docs/notes_for_asan.md index feac49f9..fa7c0f27 100644 --- a/docs/notes_for_asan.md +++ b/docs/notes_for_asan.md @@ -28,6 +28,9 @@ Note that ASAN is incompatible with -static, so be mindful of that. (You can also use AFL_USE_MSAN=1 to enable MSAN instead.) +NOTE: if you run several slaves only one should run the target compiled with +ASAN (and UBSAN), the others run the target with no sanitiziers compiled. + There is also the option of generating a corpus using a non-ASAN binary, and then feeding it to an ASAN-instrumented one to check for bugs. This is faster, and can give you somewhat comparable results. You can also try using diff --git a/docs/status_screen.md b/docs/status_screen.md index 0bc636c4..34ce3a7e 100644 --- a/docs/status_screen.md +++ b/docs/status_screen.md @@ -372,26 +372,37 @@ For unattended operation, some of the key status screen information can be also found in a machine-readable format in the fuzzer_stats file in the output directory. This includes: - - `start_time` - unix time indicating the start time of afl-fuzz - - `last_update` - unix time corresponding to the last update of this file - - `fuzzer_pid` - PID of the fuzzer process - - `cycles_done` - queue cycles completed so far - - `execs_done` - number of execve() calls attempted - - `execs_per_sec` - overall number of execs per second - - `paths_total` - total number of entries in the queue - - `paths_found` - number of entries discovered through local fuzzing - - `paths_imported` - number of entries imported from other instances - - `max_depth` - number of levels in the generated data set - - `cur_path` - currently processed entry number - - `pending_favs` - number of favored entries still waiting to be fuzzed - - `pending_total` - number of all entries waiting to be fuzzed - - `stability - percentage of bitmap bytes that behave consistently - - `variable_paths` - number of test cases showing variable behavior - - `unique_crashes` - number of unique crashes recorded - - `unique_hangs` - number of unique hangs encountered - - `command_line` - full command line used for the fuzzing session - - `slowest_exec_ms`- real time of the slowest execution in seconds - - `peak_rss_mb` - max rss usage reached during fuzzing in MB + - `start_time` - unix time indicating the start time of afl-fuzz + - `last_update` - unix time corresponding to the last update of this file + - `run_time` - run time in seconds to the last update of this file + - `fuzzer_pid` - PID of the fuzzer process + - `cycles_done` - queue cycles completed so far + - `execs_done` - number of execve() calls attempted + - `execs_per_sec` - overall number of execs per second + - `paths_total` - total number of entries in the queue + - `paths_favored` - number of queue entries that are favored + - `paths_found` - number of entries discovered through local fuzzing + - `paths_imported` - number of entries imported from other instances + - `max_depth` - number of levels in the generated data set + - `cur_path` - currently processed entry number + - `pending_favs` - number of favored entries still waiting to be fuzzed + - `pending_total` - number of all entries waiting to be fuzzed + - `variable_paths` - number of test cases showing variable behavior + - `stability` - percentage of bitmap bytes that behave consistently + - `bitmap_cvg` - percentage of edge coverage found in the map so far + - `unique_crashes` - number of unique crashes recorded + - `unique_hangs` - number of unique hangs encountered + - `last_path` - seconds since the last path was found + - `last_crash` - seconds since the last crash was found + - `last_hang` - seconds since the last hang was found + - `execs_since_crash` - execs since the last crash was found + - `exec_timeout` - the -t command line value + - `slowest_exec_ms` - real time of the slowest execution in ms + - `peak_rss_mb` - max rss usage reached during fuzzing in MB + - `afl_banner` - banner text (e.g. the target name) + - `afl_version` - the version of afl used + - `target_mode` - default, persistent, qemu, unicorn, dumb + - `command_line` - full command line used for the fuzzing session Most of these map directly to the UI elements discussed earlier on. -- cgit 1.4.1 From 5d932398dfcd11ef12918919181a37a2a96adb42 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 20 Mar 2020 09:44:51 +0100 Subject: expose cycles_wo_finds in fuzzer_stats --- docs/status_screen.md | 1 + src/afl-fuzz-stats.c | 7 ++++--- 2 files changed, 5 insertions(+), 3 deletions(-) (limited to 'docs') diff --git a/docs/status_screen.md b/docs/status_screen.md index 34ce3a7e..8b3d5bda 100644 --- a/docs/status_screen.md +++ b/docs/status_screen.md @@ -377,6 +377,7 @@ directory. This includes: - `run_time` - run time in seconds to the last update of this file - `fuzzer_pid` - PID of the fuzzer process - `cycles_done` - queue cycles completed so far + - `cycles_wo_finds` - number of cycles without any new paths found - `execs_done` - number of execve() calls attempted - `execs_per_sec` - overall number of execs per second - `paths_total` - total number of entries in the queue diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 6ea6a8e9..b6e64841 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -73,6 +73,7 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, "run_time : %llu\n" "fuzzer_pid : %d\n" "cycles_done : %llu\n" + "cycles_wo_finds : %llu\n" "execs_done : %llu\n" "execs_per_sec : %0.02f\n" // "real_execs_per_sec: %0.02f\n" // damn the name is too long @@ -103,9 +104,9 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, "command_line : %s\n", afl->start_time / 1000, cur_time / 1000, (cur_time - afl->start_time) / 1000, getpid(), - afl->queue_cycle ? (afl->queue_cycle - 1) : 0, afl->total_execs, - /*eps,*/ afl->total_execs / - ((double)(get_cur_time() - afl->start_time) / 1000), + afl->queue_cycle ? (afl->queue_cycle - 1) : 0, afl->cycles_wo_finds, + afl->total_execs, /*eps,*/ + afl->total_execs / ((double)(get_cur_time() - afl->start_time) / 1000), afl->queued_paths, afl->queued_favored, afl->queued_discovered, afl->queued_imported, afl->max_depth, afl->current_entry, afl->pending_favored, afl->pending_not_fuzzed, afl->queued_variable, -- cgit 1.4.1 From 5a74cffa0f22b4e3b3dbc829dfb1c8f7c7a6fb76 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 20 Mar 2020 17:10:44 +0100 Subject: added llvm_mode ngram coverage --- README.md | 5 ++ docs/Changelog.md | 3 + docs/PATCHES.md | 1 + docs/env_variables.md | 34 ++++++---- llvm_mode/afl-clang-fast.c | 11 +++- llvm_mode/afl-llvm-pass.so.cc | 134 ++++++++++++++++++++++++++++++++++------ llvm_mode/afl-llvm-rt.o.c | 13 ++-- llvm_mode/llvm-ngram-coverage.h | 18 ++++++ src/afl-common.c | 8 +-- src/afl-fuzz-stats.c | 2 +- 10 files changed, 187 insertions(+), 42 deletions(-) create mode 100644 llvm_mode/llvm-ngram-coverage.h (limited to 'docs') diff --git a/README.md b/README.md index 5125928e..1476b440 100644 --- a/README.md +++ b/README.md @@ -73,6 +73,8 @@ * The new CmpLog instrumentation for LLVM and QEMU inspired by [Redqueen](https://www.syssec.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2018/12/17/NDSS19-Redqueen.pdf) + * llvm_mode ngram coverage by Adrean Herrera [https://github.com/adrianherrera/afl-ngram-pass](https://github.com/adrianherrera/afl-ngram-pass) + A more thorough list is available in the PATCHES file. | Feature/Instrumentation | afl-gcc | llvm_mode | gcc_plugin | qemu_mode | unicorn_mode | @@ -84,6 +86,7 @@ | Whitelist | | x | x | (x)(3) | | | non-colliding coverage | | x(4) | | (x)(5) | | | InsTrim | | x | | | | + | ngram prev_loc coverage | | x(6) | | | | neverZero: @@ -97,6 +100,8 @@ (5) upcoming, development in branch + (6) not compatible with LTO and InsTrim modes + So all in all this is the best-of afl that is currently out there :-) For new versions and additional information, check out: diff --git a/docs/Changelog.md b/docs/Changelog.md index 3eb5d329..ece2c4b5 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -31,6 +31,9 @@ sending a mail to . runtime - LTO collision free instrumented added in llvm_mode with afl-clang-lto - note that this mode is amazing, but quite some targets won't compile + - Added llvm_mode NGRAM prev_loc coverage by Adrean Herrera + (https://github.com/adrianherrera/afl-ngram-pass/), activate by setting + AFL_LLVM_NGRAM_SIZE - llvm_mode InsTrim mode: - removed workaround for bug where paths were not instrumented and imported fix by author diff --git a/docs/PATCHES.md b/docs/PATCHES.md index 1dfb6622..a6783523 100644 --- a/docs/PATCHES.md +++ b/docs/PATCHES.md @@ -20,6 +20,7 @@ afl-qemu-speed.diff by abiondo on github afl-qemu-optimize-map.diff by mh(at)mh-sec(dot)de ``` ++ llvm_mode ngram prev_loc coverage (github.com/adrianherrera/afl-ngram-pass) + Custom mutator (native library) (by kyakdan) + unicorn_mode (modernized and updated by domenukk) + instrim (https://github.com/csienslab/instrim) was integrated diff --git a/docs/env_variables.md b/docs/env_variables.md index 8c7510cd..98f27bdf 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -93,23 +93,26 @@ Then there are a few specific features that are only available in llvm_mode: ### LTO -This is a different kind way of instrumentation: first it compiles all -code in LTO (link time optimization) and then performs an edge inserting -instrumentation which is 100% collision free (collisions are a big issue -in afl and afl-like instrumentations). This is performed by using -afl-clang-lto/afl-clang-lto++ instead of afl-clang-fast, but is only -built if LLVM 9 or newer is used. - -None of these options are necessary to be used and are rather for manual -use (which only ever the author of this LTO implementation will use ;-) -These are used if several seperated instrumentation are performed which -are then later combined. + This is a different kind way of instrumentation: first it compiles all + code in LTO (link time optimization) and then performs an edge inserting + instrumentation which is 100% collision free (collisions are a big issue + in afl and afl-like instrumentations). This is performed by using + afl-clang-lto/afl-clang-lto++ instead of afl-clang-fast, but is only + built if LLVM 9 or newer is used. + + None of these options are necessary to be used and are rather for manual + use (which only ever the author of this LTO implementation will use ;-) + These are used if several seperated instrumentation are performed which + are then later combined. - AFL_LLVM_LTO_STARTID sets the starting location ID for the instrumentation. This defaults to 1 - AFL_LLVM_LTO_DONTWRITEID prevents that the highest location ID written into the instrumentation is set in a global variable + Instrim, LTO and ngram modes can not be used together. + See llvm_mode/README.LTO.md for more information. + ### LAF-INTEL This great feature will split compares to series of single byte comparisons @@ -149,8 +152,17 @@ are then later combined. functions with a single basic block. This is useful for most C and some C++ targets. + Instrim, LTO and ngram modes can not be used together. See llvm_mode/README.instrim.md +### NGRAM + + - Setting AFL_LLVM_NGRAM_SIZE activates ngram prev_loc coverage, good + values are 2, 4 or 8. + + Instrim, LTO and ngram modes can not be used together. + See llvm_mode/README.ngram.md + ### NOT_ZERO - Setting AFL_LLVM_NOT_ZERO=1 during compilation will use counters diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c index 313a2533..77cb1c0f 100644 --- a/llvm_mode/afl-clang-fast.c +++ b/llvm_mode/afl-clang-fast.c @@ -158,14 +158,20 @@ static void edit_params(u32 argc, char **argv) { #endif if (lto_flag[0] != '-') FATAL( - "afl-clang-lto not possible because Makefile magic did not identify " - "the correct -flto flag"); + "Using afl-clang-lto is not possible because Makefile magic did not " + "identify the correct -flto flag"); if (getenv("AFL_LLVM_INSTRIM") != NULL) FATAL("afl-clang-lto does not work with InsTrim mode"); + if (getenv("AFL_LLVM_NGRAM_SIZE") != NULL) + FATAL("afl-clang-lto does not work with ngram coverage mode"); lto_mode = 1; } + if (getenv("AFL_LLVM_NGRAM_SIZE") != NULL && + getenv("AFL_LLVM_INSTRIM") != NULL) + FATAL("AFL_LLVM_NGRAM_SIZE and AFL_LLVM_INSTRIM can not be used together"); + if (!strcmp(name, "afl-clang-fast++") || !strcmp(name, "afl-clang-lto++")) { u8 *alt_cxx = getenv("AFL_CXX"); @@ -605,6 +611,7 @@ int main(int argc, char **argv, char **envp) { "AFL_LLVM_LAF_SPLIT_COMPARES_BITW: size limit (default 8)\n" "AFL_LLVM_INSTRIM: use light weight instrumentation InsTrim\n" "AFL_LLVM_INSTRIM_LOOPHEAD: optimize loop tracing for speed\n" + "AFL_LLVM_NGRAM_SIZE: use ngram prev_loc coverage\n" "AFL_LLVM_CMPLOG: log operands of comparisons (RedQueen mutator)\n" "\nafl-clang-fast was built for llvm %s with the llvm binary path " "of " diff --git a/llvm_mode/afl-llvm-pass.so.cc b/llvm_mode/afl-llvm-pass.so.cc index 133c64b4..fefd9edd 100644 --- a/llvm_mode/afl-llvm-pass.so.cc +++ b/llvm_mode/afl-llvm-pass.so.cc @@ -2,12 +2,15 @@ american fuzzy lop++ - LLVM-mode instrumentation pass --------------------------------------------------- - Written by Laszlo Szekeres and + Written by Laszlo Szekeres , + Adrian Herrera , Michal Zalewski LLVM integration design comes from Laszlo Szekeres. C bits copied-and-pasted from afl-as.c are Michal's fault. + NGRAM previous location coverage comes from Adrian Herrera. + Copyright 2015, 2016 Google Inc. All rights reserved. Copyright 2019-2020 AFLplusplus Project. All rights reserved. @@ -27,7 +30,6 @@ #include "config.h" #include "debug.h" - #include #include #include @@ -47,6 +49,7 @@ typedef long double max_align_t; #include "llvm/IR/BasicBlock.h" #include "llvm/IR/Module.h" #include "llvm/Support/Debug.h" +#include "llvm/Support/MathExtras.h" #include "llvm/Transforms/IPO/PassManagerBuilder.h" #if LLVM_VERSION_MAJOR > 3 || \ @@ -58,6 +61,8 @@ typedef long double max_align_t; #include "llvm/Support/CFG.h" #endif +#include "llvm-ngram-coverage.h" + using namespace llvm; namespace { @@ -118,6 +123,7 @@ class AFLCoverage : public ModulePass { protected: std::list myWhitelist; + uint32_t ngram_size = 0; }; @@ -129,8 +135,10 @@ bool AFLCoverage::runOnModule(Module &M) { LLVMContext &C = M.getContext(); - IntegerType * Int8Ty = IntegerType::getInt8Ty(C); - IntegerType * Int32Ty = IntegerType::getInt32Ty(C); + IntegerType *Int8Ty = IntegerType::getInt8Ty(C); + IntegerType *Int32Ty = IntegerType::getInt32Ty(C); + IntegerType *IntLocTy = + IntegerType::getIntNTy(C, sizeof(PREV_LOC_T) * CHAR_BIT); struct timeval tv; struct timezone tz; u32 rand_seed; @@ -147,7 +155,8 @@ bool AFLCoverage::runOnModule(Module &M) { if ((isatty(2) && !getenv("AFL_QUIET")) || getenv("AFL_DEBUG") != NULL) { - SAYF(cCYA "afl-llvm-pass" VERSION cRST " by \n"); + SAYF(cCYA "afl-llvm-pass" VERSION cRST + " by and \n"); } else @@ -170,21 +179,73 @@ bool AFLCoverage::runOnModule(Module &M) { char *neverZero_counters_str = getenv("AFL_LLVM_NOT_ZERO"); #endif + /* Decide previous location vector size (must be a power of two) */ + + char *ngram_size_str = getenv("AFL_LLVM_NGRAM_SIZE"); + if (!ngram_size_str) ngram_size_str = getenv("AFL_NGRAM_SIZE"); + + if (ngram_size_str) + if (sscanf(ngram_size_str, "%u", &ngram_size) != 1 || ngram_size < 2 || + ngram_size > MAX_NGRAM_SIZE) + FATAL( + "Bad value of AFL_NGRAM_SIZE (must be between 2 and MAX_NGRAM_SIZE)"); + + unsigned PrevLocSize; + if (ngram_size == 1) ngram_size = 0; + if (ngram_size) + PrevLocSize = ngram_size - 1; + else + PrevLocSize = 1; + uint64_t PrevLocVecSize = PowerOf2Ceil(PrevLocSize); + VectorType *PrevLocTy; + + if (ngram_size) PrevLocTy = VectorType::get(IntLocTy, PrevLocVecSize); + /* Get globals for the SHM region and the previous location. Note that __afl_prev_loc is thread-local. */ GlobalVariable *AFLMapPtr = new GlobalVariable(M, PointerType::get(Int8Ty, 0), false, GlobalValue::ExternalLinkage, 0, "__afl_area_ptr"); + GlobalVariable *AFLPrevLoc; + if (ngram_size) #ifdef __ANDROID__ - GlobalVariable *AFLPrevLoc = new GlobalVariable( - M, Int32Ty, false, GlobalValue::ExternalLinkage, 0, "__afl_prev_loc"); + AFLPrevLoc = new GlobalVariable( + M, PrevLocTy, /* isConstant */ false, GlobalValue::ExternalLinkage, + /* Initializer */ nullptr, "__afl_prev_loc"); #else - GlobalVariable *AFLPrevLoc = new GlobalVariable( - M, Int32Ty, false, GlobalValue::ExternalLinkage, 0, "__afl_prev_loc", 0, - GlobalVariable::GeneralDynamicTLSModel, 0, false); + AFLPrevLoc = new GlobalVariable( + M, PrevLocTy, /* isConstant */ false, GlobalValue::ExternalLinkage, + /* Initializer */ nullptr, "__afl_prev_loc", + /* InsertBefore */ nullptr, GlobalVariable::GeneralDynamicTLSModel, + /* AddressSpace */ 0, /* IsExternallyInitialized */ false); #endif + else +#ifdef __ANDROID__ + AFLPrevLoc = new GlobalVariable( + M, Int32Ty, false, GlobalValue::ExternalLinkage, 0, "__afl_prev_loc"); +#else + AFLPrevLoc = new GlobalVariable( + M, Int32Ty, false, GlobalValue::ExternalLinkage, 0, "__afl_prev_loc", 0, + GlobalVariable::GeneralDynamicTLSModel, 0, false); +#endif + + /* Create the vector shuffle mask for updating the previous block history. + Note that the first element of the vector will store cur_loc, so just set + it to undef to allow the optimizer to do its thing. */ + + SmallVector PrevLocShuffle = {UndefValue::get(Int32Ty)}; + + for (unsigned I = 0; I < PrevLocSize - 1; ++I) + PrevLocShuffle.push_back(ConstantInt::get(Int32Ty, I)); + + for (unsigned I = PrevLocSize; I < PrevLocVecSize; ++I) + PrevLocShuffle.push_back(ConstantInt::get(Int32Ty, PrevLocSize)); + + Constant *PrevLocShuffleMask = ConstantVector::get(PrevLocShuffle); + + // other constants we need ConstantInt *Zero = ConstantInt::get(Int8Ty, 0); ConstantInt *One = ConstantInt::get(Int8Ty, 1); @@ -356,20 +417,41 @@ bool AFLCoverage::runOnModule(Module &M) { // fprintf(stderr, " == %d\n", more_than_one); if (more_than_one != 1) continue; #endif - ConstantInt *CurLoc = ConstantInt::get(Int32Ty, cur_loc); + + ConstantInt *CurLoc; + + if (ngram_size) + CurLoc = ConstantInt::get(IntLocTy, cur_loc); + else + CurLoc = ConstantInt::get(Int32Ty, cur_loc); /* Load prev_loc */ LoadInst *PrevLoc = IRB.CreateLoad(AFLPrevLoc); PrevLoc->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); - Value *PrevLocCasted = IRB.CreateZExt(PrevLoc, IRB.getInt32Ty()); + Value *PrevLocTrans; + + /* "For efficiency, we propose to hash the tuple as a key into the + hit_count map as (prev_block_trans << 1) ^ curr_block_trans, where + prev_block_trans = (block_trans_1 ^ ... ^ block_trans_(n-1)" */ + + if (ngram_size) + PrevLocTrans = IRB.CreateXorReduce(PrevLoc); + else + PrevLocTrans = IRB.CreateZExt(PrevLoc, IRB.getInt32Ty()); /* Load SHM pointer */ LoadInst *MapPtr = IRB.CreateLoad(AFLMapPtr); MapPtr->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); - Value *MapPtrIdx = - IRB.CreateGEP(MapPtr, IRB.CreateXor(PrevLocCasted, CurLoc)); + + Value *MapPtrIdx; + if (ngram_size) + MapPtrIdx = IRB.CreateGEP( + MapPtr, + IRB.CreateZExt(IRB.CreateXor(PrevLocTrans, CurLoc), Int32Ty)); + else + MapPtrIdx = IRB.CreateGEP(MapPtr, IRB.CreateXor(PrevLocTrans, CurLoc)); /* Update bitmap */ @@ -449,11 +531,27 @@ bool AFLCoverage::runOnModule(Module &M) { IRB.CreateStore(Incr, MapPtrIdx) ->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); - /* Set prev_loc to cur_loc >> 1 */ + /* Update prev_loc history vector (by placing cur_loc at the head of the + vector and shuffle the other elements back by one) */ - StoreInst *Store = - IRB.CreateStore(ConstantInt::get(Int32Ty, cur_loc >> 1), AFLPrevLoc); - Store->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); + StoreInst *Store; + + if (ngram_size) { + + Value *ShuffledPrevLoc = IRB.CreateShuffleVector( + PrevLoc, UndefValue::get(PrevLocTy), PrevLocShuffleMask); + Value *UpdatedPrevLoc = IRB.CreateInsertElement( + ShuffledPrevLoc, IRB.CreateLShr(CurLoc, (uint64_t)1), (uint64_t)0); + + Store = IRB.CreateStore(UpdatedPrevLoc, AFLPrevLoc); + Store->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); + + } else { + + Store = IRB.CreateStore(ConstantInt::get(Int32Ty, cur_loc >> 1), + AFLPrevLoc); + + } inst_blocks++; diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index 5f9a5534..8fad0fbb 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c @@ -26,6 +26,7 @@ #include "config.h" #include "types.h" #include "cmplog.h" +#include "llvm-ngram-coverage.h" #include #include @@ -62,11 +63,11 @@ u8 __afl_area_initial[MAP_SIZE]; u8 *__afl_area_ptr = __afl_area_initial; #ifdef __ANDROID__ -u32 __afl_prev_loc; -u32 __afl_final_loc; +PREV_LOC_T __afl_prev_loc[MAX_NGRAM_SIZE]; +u32 __afl_final_loc; #else -__thread u32 __afl_prev_loc; -__thread u32 __afl_final_loc; +__thread PREV_LOC_T __afl_prev_loc[MAX_NGRAM_SIZE]; +__thread u32 __afl_final_loc; #endif struct cmp_map *__afl_cmp_map; @@ -281,7 +282,7 @@ int __afl_persistent_loop(unsigned int max_cnt) { memset(__afl_area_ptr, 0, MAP_SIZE); __afl_area_ptr[0] = 1; - __afl_prev_loc = 0; + memset(__afl_prev_loc, 0, MAX_NGRAM_SIZE * sizeof(PREV_LOC_T)); } @@ -298,7 +299,7 @@ int __afl_persistent_loop(unsigned int max_cnt) { raise(SIGSTOP); __afl_area_ptr[0] = 1; - __afl_prev_loc = 0; + memset(__afl_prev_loc, 0, MAX_NGRAM_SIZE * sizeof(PREV_LOC_T)); return 1; diff --git a/llvm_mode/llvm-ngram-coverage.h b/llvm_mode/llvm-ngram-coverage.h new file mode 100644 index 00000000..4459bcd7 --- /dev/null +++ b/llvm_mode/llvm-ngram-coverage.h @@ -0,0 +1,18 @@ +#ifndef AFL_NGRAM_CONFIG_H +#define AFL_NGRAM_CONFIG_H + +#include "../config.h" + +#if (MAP_SIZE_POW2 <= 16) +typedef u16 PREV_LOC_T; +#elif (MAP_SIZE_POW2 <= 32) +typedef u32 PREV_LOC_T; +#else +typedef u64 PREV_LOC_T; +#endif + +/* Maximum ngram size */ +#define MAX_NGRAM_SIZE 128 + +#endif + diff --git a/src/afl-common.c b/src/afl-common.c index 1aa15442..8c4d53e8 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -57,10 +57,10 @@ char * afl_environment_variables[] = { "AFL_LLVM_INSTRIM_LOOPHEAD", "AFL_LLVM_INSTRIM_SKIPSINGLEBLOCK", "AFL_LLVM_LAF_SPLIT_COMPARES", "AFL_LLVM_LAF_SPLIT_COMPARES_BITW", "AFL_LLVM_LAF_SPLIT_FLOATS", "AFL_LLVM_LAF_SPLIT_SWITCHES", - "AFL_LLVM_LAF_TRANSFORM_COMPARES", "AFL_LLVM_NOT_ZERO", - "AFL_LLVM_WHITELIST", "AFL_NO_AFFINITY", "AFL_LLVM_LTO_STARTID", - "AFL_LLVM_LTO_DONTWRITEID", "AFL_NO_ARITH", "AFL_NO_BUILTIN", - "AFL_NO_CPU_RED", "AFL_NO_FORKSRV", "AFL_NO_UI", + "AFL_LLVM_LAF_TRANSFORM_COMPARES", "AFL_LLVM_NGRAM_SIZE", "AFL_NGRAM_SIZE", + "AFL_LLVM_NOT_ZERO", "AFL_LLVM_WHITELIST", "AFL_NO_AFFINITY", + "AFL_LLVM_LTO_STARTID", "AFL_LLVM_LTO_DONTWRITEID", "AFL_NO_ARITH", + "AFL_NO_BUILTIN", "AFL_NO_CPU_RED", "AFL_NO_FORKSRV", "AFL_NO_UI", "AFL_NO_X86", // not really an env but we dont want to warn on it "AFL_PATH", "AFL_PERFORMANCE_FILE", //"AFL_PERSISTENT", // not implemented anymore, so warn additionally diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index b6e64841..34fdea25 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -105,7 +105,7 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, afl->start_time / 1000, cur_time / 1000, (cur_time - afl->start_time) / 1000, getpid(), afl->queue_cycle ? (afl->queue_cycle - 1) : 0, afl->cycles_wo_finds, - afl->total_execs, /*eps,*/ + afl->total_execs, afl->total_execs / ((double)(get_cur_time() - afl->start_time) / 1000), afl->queued_paths, afl->queued_favored, afl->queued_discovered, afl->queued_imported, afl->max_depth, afl->current_entry, -- cgit 1.4.1 From 5a0cc43ee142842d845a0281fa8f5d0d0721a8ba Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sun, 22 Mar 2020 09:26:46 +0100 Subject: all afl msgs to stdout and only read AFL_BENCH_JUST_ONE once --- docs/Changelog.md | 2 ++ include/debug.h | 4 ++++ src/afl-fuzz.c | 4 ++-- 3 files changed, 8 insertions(+), 2 deletions(-) (limited to 'docs') diff --git a/docs/Changelog.md b/docs/Changelog.md index ece2c4b5..8e63c388 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -20,6 +20,8 @@ sending a mail to . multiple fuzzing threads in the future or even become a library - afl basic tools now report on the environment variables picked up - more tools get environment variable usage info in the help output + - force all output to stdout (some OK/SAY/WARN messages were sent to + stdout, some to stderr) - afl-fuzz: - python mutator modules and custom mutator modules now use the same interface and hence the API changed diff --git a/include/debug.h b/include/debug.h index b3865c19..6ced60b1 100644 --- a/include/debug.h +++ b/include/debug.h @@ -32,6 +32,10 @@ * Terminal colors * *******************/ +#ifndev MESSAGES_TO_STDOUT +#define MESSAGES_TO_STDOUT +#endif + #ifdef USE_COLOR #define cBLK "\x1b[0;30m" diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 15caa65f..cc22fd5c 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -230,8 +230,7 @@ int main(int argc, char **argv_orig, char **envp) { u64 prev_queued = 0; u32 sync_interval_cnt = 0, seek_to, show_help = 0; u8 * extras_dir = 0; - u8 mem_limit_given = 0; - u8 exit_1 = !!get_afl_env("AFL_BENCH_JUST_ONE"); + u8 mem_limit_given = 0, exit_1 = 0; char **use_argv; struct timeval tv; @@ -246,6 +245,7 @@ int main(int argc, char **argv_orig, char **envp) { afl_fsrv_init(&afl->fsrv); read_afl_environment(afl, envp); + exit_1 = !!afl->afl_env.afl_bench_just_one; SAYF(cCYA "afl-fuzz" VERSION cRST " based on afl by Michal Zalewski and a big online community\n"); -- cgit 1.4.1 From db302ff18b3d300017833517ec1a9f81508b556b Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 23 Mar 2020 08:44:27 +0100 Subject: minor fixes --- docs/Changelog.md | 2 +- llvm_mode/Makefile | 7 +------ 2 files changed, 2 insertions(+), 7 deletions(-) (limited to 'docs') diff --git a/docs/Changelog.md b/docs/Changelog.md index 8e63c388..6af269ce 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -14,7 +14,7 @@ sending a mail to . ! the repository was moved from vanhauser-thc to AFLplusplus. It is now an own organisation :) ! development and acceptance of PRs now happen only in the dev branch - and only occasional when everything is fine we PR to master + and only occasionally when everything is fine we PR to master - all: - big code changes to make afl-fuzz thread-safe so afl-fuzz can spawn multiple fuzzing threads in the future or even become a library diff --git a/llvm_mode/Makefile b/llvm_mode/Makefile index 2b1660a3..9c333836 100644 --- a/llvm_mode/Makefile +++ b/llvm_mode/Makefile @@ -335,12 +335,7 @@ endif if [ -f ../split-switches-pass.so ]; then set -e; install -m 755 ../split-switches-pass.so $${DESTDIR}$(HELPER_PATH); fi if [ -f ../cmplog-instructions-pass.so ]; then set -e; install -m 755 ../cmplog-*-pass.so $${DESTDIR}$(HELPER_PATH); fi set -e; if [ -f ../afl-clang-fast ] ; then ln -sf ../afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang ; ln -sf ../afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang++ ; else ln -sf ../afl-gcc $${DESTDIR}$(BIN_PATH)/afl-clang ; ln -sf ../afl-gcc $${DESTDIR}$(BIN_PATH)/afl-clang++; fi - install -m 644 -T README.laf-intel.md $${DESTDIR}$(DOC_PATH)/README.llvm_mode.laf-intel.md - install -m 644 -T README.cmplog.md $${DESTDIR}$(DOC_PATH)/README.llvm_mode.cmplog.md - install -m 644 -T README.lto.md $${DESTDIR}$(DOC_PATH)/README.llvm_mode.lto.md - install -m 644 -T README.instrim.md $${DESTDIR}$(DOC_PATH)/README.llvm_mode.instrim.md - install -m 644 -T README.neverzero.md $${DESTDIR}$(DOC_PATH)/README.llvm_mode.neverzero.md - install -m 644 -T README.whitelist.md $${DESTDIR}$(DOC_PATH)/README.llvm_mode.whitelist.md + install -m 644 -T README.*.md $${DESTDIR}$(DOC_PATH)/README.llvm_mode.laf-intel.md install -m 644 -T README.md $${DESTDIR}$(DOC_PATH)/README.llvm_mode.md vpath % .. -- cgit 1.4.1 From 426351947956b0f13ab909050e8db049e71324d6 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 23 Mar 2020 08:48:57 +0100 Subject: more fixes --- docs/notes_for_asan.md | 3 ++- llvm_mode/Makefile | 2 +- llvm_mode/afl-clang-fast.c | 6 +++--- 3 files changed, 6 insertions(+), 5 deletions(-) (limited to 'docs') diff --git a/docs/notes_for_asan.md b/docs/notes_for_asan.md index fa7c0f27..a52d3de4 100644 --- a/docs/notes_for_asan.md +++ b/docs/notes_for_asan.md @@ -29,7 +29,8 @@ Note that ASAN is incompatible with -static, so be mindful of that. (You can also use AFL_USE_MSAN=1 to enable MSAN instead.) NOTE: if you run several slaves only one should run the target compiled with -ASAN (and UBSAN), the others run the target with no sanitiziers compiled. +ASAN (and UBSAN), the others should run the target with no sanitiziers +compiled in. There is also the option of generating a corpus using a non-ASAN binary, and then feeding it to an ASAN-instrumented one to check for bugs. This is faster, diff --git a/llvm_mode/Makefile b/llvm_mode/Makefile index 9c333836..5f808729 100644 --- a/llvm_mode/Makefile +++ b/llvm_mode/Makefile @@ -335,7 +335,7 @@ endif if [ -f ../split-switches-pass.so ]; then set -e; install -m 755 ../split-switches-pass.so $${DESTDIR}$(HELPER_PATH); fi if [ -f ../cmplog-instructions-pass.so ]; then set -e; install -m 755 ../cmplog-*-pass.so $${DESTDIR}$(HELPER_PATH); fi set -e; if [ -f ../afl-clang-fast ] ; then ln -sf ../afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang ; ln -sf ../afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang++ ; else ln -sf ../afl-gcc $${DESTDIR}$(BIN_PATH)/afl-clang ; ln -sf ../afl-gcc $${DESTDIR}$(BIN_PATH)/afl-clang++; fi - install -m 644 -T README.*.md $${DESTDIR}$(DOC_PATH)/README.llvm_mode.laf-intel.md + install -m 644 -T README.*.md $${DESTDIR}$(DOC_PATH)/ install -m 644 -T README.md $${DESTDIR}$(DOC_PATH)/README.llvm_mode.md vpath % .. diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c index 77cb1c0f..55f1f8ca 100644 --- a/llvm_mode/afl-clang-fast.c +++ b/llvm_mode/afl-clang-fast.c @@ -170,7 +170,7 @@ static void edit_params(u32 argc, char **argv) { if (getenv("AFL_LLVM_NGRAM_SIZE") != NULL && getenv("AFL_LLVM_INSTRIM") != NULL) - FATAL("AFL_LLVM_NGRAM_SIZE and AFL_LLVM_INSTRIM can not be used together"); + FATAL("AFL_LLVM_NGRAM_SIZE and AFL_LLVM_INSTRIM cannot be used together"); if (!strcmp(name, "afl-clang-fast++") || !strcmp(name, "afl-clang-lto++")) { @@ -551,11 +551,11 @@ int main(int argc, char **argv, char **envp) { #else if (strstr(argv[0], "afl-clang-lto") == NULL) - printf(cCYA "afl-clang-fast" VERSION cRST " by \n"); + printf("afl-clang-fast" VERSION " by \n"); else { - printf(cCYA "afl-clang-lto" VERSION cRST + printf("afl-clang-lto" VERSION " by Marc \"vanHauser\" Heuse \n"); } -- cgit 1.4.1 From 39208eeb9a36c5fac1d800ce9def0d464d3b81b1 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 23 Mar 2020 12:06:43 +0100 Subject: typo --- docs/notes_for_asan.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docs') diff --git a/docs/notes_for_asan.md b/docs/notes_for_asan.md index a52d3de4..b65873be 100644 --- a/docs/notes_for_asan.md +++ b/docs/notes_for_asan.md @@ -29,7 +29,7 @@ Note that ASAN is incompatible with -static, so be mindful of that. (You can also use AFL_USE_MSAN=1 to enable MSAN instead.) NOTE: if you run several slaves only one should run the target compiled with -ASAN (and UBSAN), the others should run the target with no sanitiziers +ASAN (and UBSAN), the others should run the target with no sanitizers compiled in. There is also the option of generating a corpus using a non-ASAN binary, and -- cgit 1.4.1