From 123d97bfb896aefca24ff8bdc235b900fe714fde Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 20 Sep 2019 18:37:16 +0200 Subject: LLVM_CONFIG llvm_mode fix --- docs/ChangeLog | 2 ++ 1 file changed, 2 insertions(+) (limited to 'docs') diff --git a/docs/ChangeLog b/docs/ChangeLog index 4ea4e4b2..b32253b6 100644 --- a/docs/ChangeLog +++ b/docs/ChangeLog @@ -22,6 +22,8 @@ Version ++2.54d (dev): add AFL_CUSTOM_MUTATOR_ONLY (that will trigger the previous behaviour) - no more unlinking the input file, this way the input file can also be a FIFO or disk partition + - setting LLVM_CONFIG for llvm_mode will now again switch to the selected + llvm version. If you setup is correct. - reducing duplicate code in afl-fuzz - added "make help" - removed compile warnings from python internal stuff -- cgit 1.4.1 From ff5c7b155ccb44c8a529167f411f3c9783b024fa Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 20 Sep 2019 19:20:15 +0200 Subject: custom mutator fuzzing yields UI --- docs/ChangeLog | 1 + src/afl-fuzz-stats.c | 7 ++++--- 2 files changed, 5 insertions(+), 3 deletions(-) (limited to 'docs') diff --git a/docs/ChangeLog b/docs/ChangeLog index b32253b6..31101056 100644 --- a/docs/ChangeLog +++ b/docs/ChangeLog @@ -24,6 +24,7 @@ Version ++2.54d (dev): FIFO or disk partition - setting LLVM_CONFIG for llvm_mode will now again switch to the selected llvm version. If you setup is correct. + - fuzzing strategy yields for custom mutator were missing from the UI, added them :) - reducing duplicate code in afl-fuzz - added "make help" - removed compile warnings from python internal stuff diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 803faced..5e773e96 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -576,12 +576,13 @@ void show_stats(void) { " imported : " cRST "%-10s" bSTG bV "\n", tmp, sync_id ? DI(queued_imported) : (u8*)"n/a"); - sprintf(tmp, "%s/%s, %s/%s, %s/%s", DI(stage_finds[STAGE_HAVOC]), + sprintf(tmp, "%s/%s, %s/%s, %s/%s, %s/%s", DI(stage_finds[STAGE_HAVOC]), DI(stage_cycles[STAGE_HAVOC]), DI(stage_finds[STAGE_SPLICE]), DI(stage_cycles[STAGE_SPLICE]), DI(stage_finds[STAGE_PYTHON]), - DI(stage_cycles[STAGE_PYTHON])); + DI(stage_cycles[STAGE_PYTHON]), DI(stage_finds[STAGE_CUSTOM_MUTATOR]), + DI(stage_cycles[STAGE_CUSTOM_MUTATOR])); - SAYF(bV bSTOP " havoc : " cRST "%-36s " bSTG bV bSTOP, tmp); + SAYF(bV bSTOP "havoc/custom : " cRST "%-36s " bSTG bV bSTOP, tmp); if (t_bytes) sprintf(tmp, "%0.02f%%", stab_ratio); -- cgit 1.4.1 From 6e6480c9527d397f7554614f1e52f5652580cc4b Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 20 Sep 2019 19:39:19 +0200 Subject: install libtokencap and libdislocator if present --- Makefile | 2 ++ TODO | 14 +++----------- docs/ChangeLog | 2 ++ libdislocator/Makefile | 6 +++--- libtokencap/Makefile | 6 +++--- 5 files changed, 13 insertions(+), 17 deletions(-) (limited to 'docs') diff --git a/Makefile b/Makefile index da4c5e95..0a654db7 100644 --- a/Makefile +++ b/Makefile @@ -280,6 +280,8 @@ endif if [ -f compare-transform-pass.so ]; then set -e; install -m 755 compare-transform-pass.so $${DESTDIR}$(HELPER_PATH); fi if [ -f split-compares-pass.so ]; then set -e; install -m 755 split-compares-pass.so $${DESTDIR}$(HELPER_PATH); fi if [ -f split-switches-pass.so ]; then set -e; install -m 755 split-switches-pass.so $${DESTDIR}$(HELPER_PATH); fi + if [ -f libdislocator.so ]; then set -e; install -m 755 libdislocator.so $${DESTDIR}$(HELPER_PATH); fi + if [ -f libtokencap.so ]; then set -e; install -m 755 libtokencap.so $${DESTDIR}$(HELPER_PATH); fi if [ -f libcompcov.so ]; then set -e; install -m 755 libcompcov.so $${DESTDIR}$(HELPER_PATH); fi set -e; ln -sf afl-gcc $${DESTDIR}$(BIN_PATH)/afl-g++ diff --git a/TODO b/TODO index 11dc523a..4aa3dc8b 100644 --- a/TODO +++ b/TODO @@ -1,14 +1,3 @@ -Roadmap 2.54d: -============== - -afl-fuzz: - - enable python mutator for MOpt - - enable custom mutator for MOpt - - add superion? - -remote feature - - Roadmap 2.55d: ============== @@ -26,6 +15,9 @@ qemu_mode: Idea: The static analyzer outputs a map in which each edge that must be skipped is marked with 1. QEMU loads it at startup in the parent process. +custom_mutators: + - rip what Superion is doing into custom mutators for js, php, etc. + unit testing / or large testcase campaign diff --git a/docs/ChangeLog b/docs/ChangeLog index 31101056..fdf6422a 100644 --- a/docs/ChangeLog +++ b/docs/ChangeLog @@ -25,6 +25,8 @@ Version ++2.54d (dev): - setting LLVM_CONFIG for llvm_mode will now again switch to the selected llvm version. If you setup is correct. - fuzzing strategy yields for custom mutator were missing from the UI, added them :) + - libtokencap and libdislocator now compile to the afl_root directory and are + installed to the .../lib/afl directory when present during make install - reducing duplicate code in afl-fuzz - added "make help" - removed compile warnings from python internal stuff diff --git a/libdislocator/Makefile b/libdislocator/Makefile index 236667ec..cbaa05ea 100644 --- a/libdislocator/Makefile +++ b/libdislocator/Makefile @@ -24,15 +24,15 @@ CFLAGS += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign all: libdislocator.so libdislocator.so: libdislocator.so.c ../config.h - $(CC) $(CFLAGS) -shared -fPIC $< -o $@ $(LDFLAGS) + $(CC) $(CFLAGS) -shared -fPIC $< -o ../$@ $(LDFLAGS) .NOTPARALLEL: clean clean: rm -f *.o *.so *~ a.out core core.[1-9][0-9]* - rm -f libdislocator.so + rm -f ../libdislocator.so install: all - install -m 755 libdislocator.so $${DESTDIR}$(HELPER_PATH) + install -m 755 ../libdislocator.so $${DESTDIR}$(HELPER_PATH) install -m 644 README.dislocator $${DESTDIR}$(HELPER_PATH) diff --git a/libtokencap/Makefile b/libtokencap/Makefile index ec4c8f95..0faad511 100644 --- a/libtokencap/Makefile +++ b/libtokencap/Makefile @@ -24,15 +24,15 @@ CFLAGS += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign all: libtokencap.so libtokencap.so: libtokencap.so.c ../config.h - $(CC) $(CFLAGS) -shared -fPIC $< -o $@ $(LDFLAGS) + $(CC) $(CFLAGS) -shared -fPIC $< -o ../$@ $(LDFLAGS) .NOTPARALLEL: clean clean: rm -f *.o *.so *~ a.out core core.[1-9][0-9]* - rm -f libtokencap.so + rm -f ../libtokencap.so install: all - install -m 755 libtokencap.so $${DESTDIR}$(HELPER_PATH) + install -m 755 ../libtokencap.so $${DESTDIR}$(HELPER_PATH) install -m 644 README.tokencap $${DESTDIR}$(HELPER_PATH) -- cgit 1.4.1 From e423e0a0f1cdbb0f3a369030d9c3f791b5ee139f Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sat, 21 Sep 2019 19:00:43 +0200 Subject: make tests --- Makefile | 4 +++- docs/ChangeLog | 2 ++ test/test.sh | 74 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 79 insertions(+), 1 deletion(-) create mode 100755 test/test.sh (limited to 'docs') diff --git a/Makefile b/Makefile index 0a654db7..5d9a55a6 100644 --- a/Makefile +++ b/Makefile @@ -80,6 +80,8 @@ endif all: test_x86 test_shm test_python27 ready $(PROGS) afl-as test_build all_done +tests: + @cd test ; ./test.sh help: @echo "HELP --- the following make targets exist:" @@ -296,7 +298,7 @@ endif cp -r testcases/ $${DESTDIR}$(MISC_PATH) cp -r dictionaries/ $${DESTDIR}$(MISC_PATH) -publish: clean +#publish: clean # test "`basename $$PWD`" = "afl" || exit 1 # test -f ~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz; if [ "$$?" = "0" ]; then echo; echo "Change program version in config.h, mmkay?"; echo; exit 1; fi # cd ..; rm -rf $(PROGNAME)-$(VERSION); cp -pr $(PROGNAME) $(PROGNAME)-$(VERSION); \ diff --git a/docs/ChangeLog b/docs/ChangeLog index fdf6422a..7beb32c3 100644 --- a/docs/ChangeLog +++ b/docs/ChangeLog @@ -25,6 +25,8 @@ Version ++2.54d (dev): - setting LLVM_CONFIG for llvm_mode will now again switch to the selected llvm version. If you setup is correct. - fuzzing strategy yields for custom mutator were missing from the UI, added them :) + - added "make tests" which will perform checks to see that all functionality + is working as expected. this is currently the starting point, its not complete :) - libtokencap and libdislocator now compile to the afl_root directory and are installed to the .../lib/afl directory when present during make install - reducing duplicate code in afl-fuzz diff --git a/test/test.sh b/test/test.sh new file mode 100755 index 00000000..3b70509a --- /dev/null +++ b/test/test.sh @@ -0,0 +1,74 @@ +#!/bin/bash + +# +# Ensure we have: test, type, diff -q, echo -e, grep -qE +# +test -z "" 2> /dev/null || { echo Error: test command not found ; exit 1 ; } +GREP=`type grep > /dev/null 2>&1 && echo OK` +test "$GREP" = OK || { echo Error: grep command not found ; exit 1 ; } +echo foobar | grep -aqE 'asd|oob' 2> /dev/null || { echo Error: grep command does not support -q, -a and/or -E option ; exit 1 ; } +echo 1 > test.1 +echo 1 > test.2 +OK=OK +diff -q test.1 test.2 >/dev/null 2>&1 || OK= +rm -f test.1 test.2 +test -z "$OK" && { echo Error: diff -q is not working ; exit 1 ; } + +ECHO="echo -e" +$ECHO '\x41' 2>&1 | grep -qE '^A' || { + ECHO= + test -e /bin/echo && { + ECHO="/bin/echo -e" + $ECHO '\x41' 2>&1 | grep -qE '^A' || ECHO= + } +} +test -z "$ECHO" && { echo Error: echo command does not support -e option ; exit 1 ; } + +GREY="\\x1b[1;90m" +GREEN="\\x1b[0;32m" +RED="\\x1b[0;31m" +YELLOW="\\x1b[1;93m" +RESET="\\x1b[0m" + +$ECHO "$RESET" + +test -e ../afl-gcc -a -e ../afl-showmap -a -e ../afl-fuzz && { + ../afl-gcc -o test-instr.plain ../test-instr.c > /dev/null 2>&1 + AFL_HARDEN=1 ../afl-gcc -o test-instr.harden ../test-instr.c > /dev/null 2>&1 + test -e test-instr.plain && { + $ECHO "$GREEN[*] afl-gcc compilation succeeded" + echo 0 | ../afl-showmap -o test-instr.plain.0 -r -- ./test-instr.plain > /dev/null 2>&1 + ../afl-showmap -o test-instr.plain.1 -r -- ./test-instr.plain < /dev/null > /dev/null 2>&1 + test -e test-instr.plain.0 -a -e test-instr.plain.1 && { + diff -q test-instr.plain.0 test-instr.plain.1 > /dev/null 2>&1 && { + $ECHO "$RED[!] afl-gcc instrumentation should be different on different input but is not" + } || $ECHO "$GREEN[*] afl-gcc instrumentation present and working correctly" + } || $ECHO "$RED[!] afl-gcc instrumentation failed" + rm -f test-instr.plain test-instr.plain.0 test-instr.plain.1 + } || $ECHO "$RED[!] afl-gcc failed" + test -e test-instr.harden && { + grep -qa fstack-protector-all test-instr.harden > /dev/null 2>&1 && { + $ECHO "$GREEN[*] afl-gcc hardened mode succeeded and is working" + } || $ECHO "$RED[!] hardened mode is not hardened" + rm -f test-instr.harden + } || $ECHO "$RED[!] afl-gcc hardened mode compilation failed" + + +} || $ECHO "$YELLOW[-] afl is not compiled, cannot test" + +test -e ../afl-clang-fast && { + echo todo: llvm_mode + + +} || $ECHO "$YELLOW[-] llvm_mode not compiled, cannot test" + +test -e ../libtokencap.so && { + echo todo: libtokencap + +} || $ECHO "$YELLOW[-] libtokencap is not compiled, cannot test" + +$ECHO "$RESET" + +# libdislocator +# unicorn +# qemu \ No newline at end of file -- cgit 1.4.1 From 1e503a586d9f3d45e27bc1dbb3b2093c1e5f7b6f Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Sun, 22 Sep 2019 08:02:56 +0200 Subject: first realisation of splitting floating point compares activated with AFL_LLVM_LAF_SPLIT_COMPARES=1 needs testing on big endian machines A compare is split into sign integer comparison exponent integer comparison mantissa/fraction integer comparison These integer comparisons are further splitted if they are bigger than a byte. --- docs/env_variables.txt | 3 +- llvm_mode/split-compares-pass.so.cc | 544 +++++++++++++++++++++++++++++++----- 2 files changed, 481 insertions(+), 66 deletions(-) (limited to 'docs') diff --git a/docs/env_variables.txt b/docs/env_variables.txt index d5688939..e763118e 100644 --- a/docs/env_variables.txt +++ b/docs/env_variables.txt @@ -97,7 +97,8 @@ Then there are a few specific features that are only available in llvm_mode: - Setting AFL_LLVM_LAF_TRANSFORM_COMPARES will split string compare functions - - Setting AFL_LLVM_LAF_SPLIT_COMPARES will split > 8 bit CMP instructions + - Setting AFL_LLVM_LAF_SPLIT_COMPARES will split all floating point and + 64, 32 and 16 bit integer CMP instructions See llvm_mode/README.laf-intel for more information. diff --git a/llvm_mode/split-compares-pass.so.cc b/llvm_mode/split-compares-pass.so.cc index 1e9d6542..c5da42c0 100644 --- a/llvm_mode/split-compares-pass.so.cc +++ b/llvm_mode/split-compares-pass.so.cc @@ -1,5 +1,6 @@ /* * Copyright 2016 laf-intel + * extended for floating point by Heiko Eißfeldt * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -21,6 +22,7 @@ #include "llvm/Transforms/Utils/BasicBlockUtils.h" #include "llvm/IR/Verifier.h" #include "llvm/IR/Module.h" +#include "llvm/ADT/APFloat.h" #include "llvm/IR/IRBuilder.h" @@ -49,9 +51,11 @@ class SplitComparesTransform : public ModulePass { } private: - bool splitCompares(Module &M, unsigned bitw); + size_t splitIntCompares(Module &M, unsigned bitw); + size_t splitFPCompares(Module &M); bool simplifyCompares(Module &M); - bool simplifySignedness(Module &M); + bool simplifyIntSignedness(Module &M); + size_t nextPowerOfTwo(size_t in); }; @@ -65,6 +69,7 @@ bool SplitComparesTransform::simplifyCompares(Module &M) { LLVMContext & C = M.getContext(); std::vector icomps; + std::vector fcomps; IntegerType * Int1Ty = IntegerType::getInt1Ty(C); /* iterate over all functions, bbs and instruction and add @@ -79,25 +84,41 @@ bool SplitComparesTransform::simplifyCompares(Module &M) { if ((selectcmpInst = dyn_cast(&IN))) { - if (selectcmpInst->getPredicate() != CmpInst::ICMP_UGE && - selectcmpInst->getPredicate() != CmpInst::ICMP_SGE && - selectcmpInst->getPredicate() != CmpInst::ICMP_ULE && - selectcmpInst->getPredicate() != CmpInst::ICMP_SLE) { + if (selectcmpInst->getPredicate() == CmpInst::ICMP_UGE || + selectcmpInst->getPredicate() == CmpInst::ICMP_SGE || + selectcmpInst->getPredicate() == CmpInst::ICMP_ULE || + selectcmpInst->getPredicate() == CmpInst::ICMP_SLE) { - continue; + auto op0 = selectcmpInst->getOperand(0); + auto op1 = selectcmpInst->getOperand(1); + + IntegerType *intTyOp0 = dyn_cast(op0->getType()); + IntegerType *intTyOp1 = dyn_cast(op1->getType()); + + /* this is probably not needed but we do it anyway */ + if (!intTyOp0 || !intTyOp1) { continue; } + + icomps.push_back(selectcmpInst); } - auto op0 = selectcmpInst->getOperand(0); - auto op1 = selectcmpInst->getOperand(1); + if (selectcmpInst->getPredicate() == CmpInst::FCMP_OGE || + selectcmpInst->getPredicate() == CmpInst::FCMP_UGE || + selectcmpInst->getPredicate() == CmpInst::FCMP_OLE || + selectcmpInst->getPredicate() == CmpInst::FCMP_ULE) { - IntegerType *intTyOp0 = dyn_cast(op0->getType()); - IntegerType *intTyOp1 = dyn_cast(op1->getType()); + auto op0 = selectcmpInst->getOperand(0); + auto op1 = selectcmpInst->getOperand(1); - /* this is probably not needed but we do it anyway */ - if (!intTyOp0 || !intTyOp1) { continue; } + Type *TyOp0 = op0->getType(); + Type *TyOp1 = op1->getType(); - icomps.push_back(selectcmpInst); + /* this is probably not needed but we do it anyway */ + if (TyOp0 != TyOp1) { continue; } + + fcomps.push_back(selectcmpInst); + + } } @@ -107,7 +128,7 @@ bool SplitComparesTransform::simplifyCompares(Module &M) { } - if (!icomps.size()) { return false; } + if (!icomps.size() && !fcomps.size()) { return false; } for (auto &IcmpInst : icomps) { @@ -173,18 +194,83 @@ bool SplitComparesTransform::simplifyCompares(Module &M) { } + /* now for floating point */ + for (auto &FcmpInst : fcomps) { + + BasicBlock *bb = FcmpInst->getParent(); + + auto op0 = FcmpInst->getOperand(0); + auto op1 = FcmpInst->getOperand(1); + + /* find out what the new predicate is going to be */ + auto pred = dyn_cast(FcmpInst)->getPredicate(); + CmpInst::Predicate new_pred; + switch (pred) { + + case CmpInst::FCMP_UGE: new_pred = CmpInst::FCMP_UGT; break; + case CmpInst::FCMP_OGE: new_pred = CmpInst::FCMP_OGT; break; + case CmpInst::FCMP_ULE: new_pred = CmpInst::FCMP_ULT; break; + case CmpInst::FCMP_OLE: new_pred = CmpInst::FCMP_OLT; break; + default: // keep the compiler happy + continue; + + } + + /* split before the icmp instruction */ + BasicBlock *end_bb = bb->splitBasicBlock(BasicBlock::iterator(FcmpInst)); + + /* the old bb now contains a unconditional jump to the new one (end_bb) + * we need to delete it later */ + + /* create the ICMP instruction with new_pred and add it to the old basic + * block bb it is now at the position where the old IcmpInst was */ + Instruction *fcmp_np; + fcmp_np = CmpInst::Create(Instruction::FCmp, new_pred, op0, op1); + bb->getInstList().insert(bb->getTerminator()->getIterator(), fcmp_np); + + /* create a new basic block which holds the new EQ fcmp */ + Instruction *fcmp_eq; + /* insert middle_bb before end_bb */ + BasicBlock *middle_bb = + BasicBlock::Create(C, "injected", end_bb->getParent(), end_bb); + fcmp_eq = CmpInst::Create(Instruction::FCmp, CmpInst::FCMP_OEQ, op0, op1); + middle_bb->getInstList().push_back(fcmp_eq); + /* add an unconditional branch to the end of middle_bb with destination + * end_bb */ + BranchInst::Create(end_bb, middle_bb); + + /* replace the uncond branch with a conditional one, which depends on the + * new_pred icmp. True goes to end, false to the middle (injected) bb */ + auto term = bb->getTerminator(); + BranchInst::Create(end_bb, middle_bb, fcmp_np, bb); + term->eraseFromParent(); + + /* replace the old IcmpInst (which is the first inst in end_bb) with a PHI + * inst to wire up the loose ends */ + PHINode *PN = PHINode::Create(Int1Ty, 2, ""); + /* the first result depends on the outcome of icmp_eq */ + PN->addIncoming(fcmp_eq, middle_bb); + /* if the source was the original bb we know that the icmp_np yielded true + * hence we can hardcode this value */ + PN->addIncoming(ConstantInt::get(Int1Ty, 1), bb); + /* replace the old IcmpInst with our new and shiny PHI inst */ + BasicBlock::iterator ii(FcmpInst); + ReplaceInstWithInst(FcmpInst->getParent()->getInstList(), ii, PN); + + } + return true; } /* this function transforms signed compares to equivalent unsigned compares */ -bool SplitComparesTransform::simplifySignedness(Module &M) { +bool SplitComparesTransform::simplifyIntSignedness(Module &M) { LLVMContext & C = M.getContext(); std::vector icomps; IntegerType * Int1Ty = IntegerType::getInt1Ty(C); - /* iterate over all functions, bbs and instruction and add + /* iterate over all functions, bbs and instructions and add * all signed compares to icomps vector */ for (auto &F : M) { @@ -196,26 +282,24 @@ bool SplitComparesTransform::simplifySignedness(Module &M) { if ((selectcmpInst = dyn_cast(&IN))) { - if (selectcmpInst->getPredicate() != CmpInst::ICMP_SGT && - selectcmpInst->getPredicate() != CmpInst::ICMP_SLT) { + if (selectcmpInst->getPredicate() == CmpInst::ICMP_SGT || + selectcmpInst->getPredicate() == CmpInst::ICMP_SLT) { - continue; + auto op0 = selectcmpInst->getOperand(0); + auto op1 = selectcmpInst->getOperand(1); - } - - auto op0 = selectcmpInst->getOperand(0); - auto op1 = selectcmpInst->getOperand(1); + IntegerType *intTyOp0 = dyn_cast(op0->getType()); + IntegerType *intTyOp1 = dyn_cast(op1->getType()); - IntegerType *intTyOp0 = dyn_cast(op0->getType()); - IntegerType *intTyOp1 = dyn_cast(op1->getType()); + /* see above */ + if (!intTyOp0 || !intTyOp1) { continue; } - /* see above */ - if (!intTyOp0 || !intTyOp1) { continue; } + /* i think this is not possible but to lazy to look it up */ + if (intTyOp0->getBitWidth() != intTyOp1->getBitWidth()) { continue; } - /* i think this is not possible but to lazy to look it up */ - if (intTyOp0->getBitWidth() != intTyOp1->getBitWidth()) { continue; } + icomps.push_back(selectcmpInst); - icomps.push_back(selectcmpInst); + } } @@ -328,8 +412,333 @@ bool SplitComparesTransform::simplifySignedness(Module &M) { } +size_t SplitComparesTransform::nextPowerOfTwo(size_t in) { + --in; + in |= in >> 1; + in |= in >> 2; + in |= in >> 4; +// in |= in >> 8; +// in |= in >> 16; + return in + 1; +} + +/* splits fcmps into two nested fcmps with sign compare and the rest */ +size_t SplitComparesTransform::splitFPCompares(Module &M) { + size_t count = 0; + + LLVMContext &C = M.getContext(); + + const DataLayout &dl = M.getDataLayout(); + + /* define unions with floating point and (sign, exponent, mantissa) triples */ + if (dl.isLittleEndian()) { + } + else if (dl.isBigEndian()) { + } + else { + return count; + } + + std::vector fcomps; + + /* get all EQ, NE, GT, and LT fcmps. if the other two + * functions were executed only these four predicates should exist */ + for (auto &F : M) { + + for (auto &BB : F) { + + for (auto &IN : BB) { + + CmpInst *selectcmpInst = nullptr; + + if ((selectcmpInst = dyn_cast(&IN))) { + + if (selectcmpInst->getPredicate() == CmpInst::FCMP_OEQ || + selectcmpInst->getPredicate() == CmpInst::FCMP_ONE || + selectcmpInst->getPredicate() == CmpInst::FCMP_UNE || + selectcmpInst->getPredicate() == CmpInst::FCMP_OGT || + selectcmpInst->getPredicate() == CmpInst::FCMP_OLT) { + + auto op0 = selectcmpInst->getOperand(0); + auto op1 = selectcmpInst->getOperand(1); + + Type *TyOp0 = op0->getType(); + Type *TyOp1 = op1->getType(); + + if (TyOp0 != TyOp1) { continue; } + + fcomps.push_back(selectcmpInst); + + } + + } + + } + + } + + } + if (!fcomps.size()) { return count; } + + IntegerType *Int1Ty = IntegerType::getInt1Ty(C); + + for (auto &FcmpInst : fcomps) { + + BasicBlock *bb = FcmpInst->getParent(); + + auto op0 = FcmpInst->getOperand(0); + auto op1 = FcmpInst->getOperand(1); + + unsigned op0_size, op1_size; + op0_size = op0->getType()->getPrimitiveSizeInBits(); + op1_size = op1->getType()->getPrimitiveSizeInBits(); + + if (op0_size != op1_size) { + continue; + } + + const unsigned int precision = llvm::APFloatBase::semanticsPrecision(op0->getType()->getFltSemantics()); + const unsigned int sizeInBits = llvm::APFloatBase::semanticsSizeInBits(op0->getType()->getFltSemantics()); + + + const unsigned shiftR_exponent = precision - 1; + const unsigned long long mask_fraction = ((1 << (precision - 2))) | ((1 << (precision - 2)) - 1); + const unsigned long long mask_exponent = (1 << (sizeInBits - precision)) - 1; + + // round up sizes to the next power of two + // this should help with integer compare splitting + size_t exTySizeBytes = ((sizeInBits - precision + 7) >> 3); + size_t frTySizeBytes = ((precision - 1 + 7) >> 3); + + IntegerType *IntExponentTy = IntegerType::get(C, nextPowerOfTwo(exTySizeBytes) << 3); + IntegerType *IntFractionTy = IntegerType::get(C, nextPowerOfTwo(frTySizeBytes) << 3); + + BasicBlock *end_bb = bb->splitBasicBlock(BasicBlock::iterator(FcmpInst)); + + /* create the integers from floats directly */ + Instruction *b_op0, *b_op1; + b_op0 = CastInst::Create(Instruction::BitCast, op0, IntegerType::get(C, op0_size)); + bb->getInstList().insert(bb->getTerminator()->getIterator(), b_op0); + + b_op1 = CastInst::Create(Instruction::BitCast, op1, IntegerType::get(C, op1_size)); + bb->getInstList().insert(bb->getTerminator()->getIterator(), b_op1); + + /* isolate signs of value of floating point type */ + + /* create a 1 bit compare for the sign bit. to do this shift and trunc + * the original operands so only the first bit remains.*/ + Instruction *s_s0, *t_s0, *s_s1, *t_s1, *icmp_sign_bit; + + s_s0 = BinaryOperator::Create(Instruction::LShr, b_op0, + ConstantInt::get(b_op0->getType(), op0_size - 1)); + bb->getInstList().insert(bb->getTerminator()->getIterator(), s_s0); + t_s0 = new TruncInst(s_s0, Int1Ty); + bb->getInstList().insert(bb->getTerminator()->getIterator(), t_s0); + + s_s1 = BinaryOperator::Create(Instruction::LShr, b_op1, + ConstantInt::get(b_op1->getType(), op1_size - 1)); + bb->getInstList().insert(bb->getTerminator()->getIterator(), s_s1); + t_s1 = new TruncInst(s_s1, Int1Ty); + bb->getInstList().insert(bb->getTerminator()->getIterator(), t_s1); + + /* compare of the sign bits */ + icmp_sign_bit = CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_EQ, t_s0, t_s1); + bb->getInstList().insert(bb->getTerminator()->getIterator(), icmp_sign_bit); + + /* create a new basic block which is executed if the signedness bits are + * equal */ + BasicBlock * signequal_bb = + BasicBlock::Create(C, "signequal", end_bb->getParent(), end_bb); + + BranchInst::Create(end_bb, signequal_bb); + + /* create a new bb which is executed if exponents are equal */ + BasicBlock * middle_bb = + BasicBlock::Create(C, "injected", end_bb->getParent(), end_bb); + + BranchInst::Create(end_bb, middle_bb); + + auto term = bb->getTerminator(); + /* if the signs are different goto end_bb else to signequal_bb */ + BranchInst::Create(signequal_bb, end_bb, icmp_sign_bit, bb); + term->eraseFromParent(); + + /* insert code for equal signs */ + + /* isolate the exponents */ + Instruction *s_e0, *m_e0, *t_e0, *s_e1, *m_e1, *t_e1; + + s_e0 = BinaryOperator::Create(Instruction::LShr, b_op0, ConstantInt::get(b_op0->getType(), shiftR_exponent)); + s_e1 = BinaryOperator::Create(Instruction::LShr, b_op1, ConstantInt::get(b_op1->getType(), shiftR_exponent)); + signequal_bb->getInstList().insert(signequal_bb->getTerminator()->getIterator(), s_e0); + signequal_bb->getInstList().insert(signequal_bb->getTerminator()->getIterator(), s_e1); + + if (sizeInBits - precision < exTySizeBytes * 8) { + m_e0 = BinaryOperator::Create(Instruction::And, s_e0, ConstantInt::get(s_e0->getType(), mask_exponent)); + m_e1 = BinaryOperator::Create(Instruction::And, s_e1, ConstantInt::get(s_e1->getType(), mask_exponent)); + signequal_bb->getInstList().insert(signequal_bb->getTerminator()->getIterator(), m_e0); + signequal_bb->getInstList().insert(signequal_bb->getTerminator()->getIterator(), m_e1); + + t_e0 = new TruncInst(m_e0, IntExponentTy); + t_e1 = new TruncInst(m_e1, IntExponentTy); + } else { + t_e0 = new TruncInst(s_e0, IntExponentTy); + t_e1 = new TruncInst(s_e1, IntExponentTy); + } + signequal_bb->getInstList().insert(signequal_bb->getTerminator()->getIterator(), t_e0); + signequal_bb->getInstList().insert(signequal_bb->getTerminator()->getIterator(), t_e1); + /* compare the exponents of the operands */ + Instruction *icmp_exponent_result; + switch (FcmpInst->getPredicate()) { + case CmpInst::FCMP_OEQ: + icmp_exponent_result = + CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_EQ, t_e0, t_e1); + break; + case CmpInst::FCMP_ONE: + case CmpInst::FCMP_UNE: + icmp_exponent_result = + CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_NE, t_e0, t_e1); + break; + case CmpInst::FCMP_OGT: + Instruction *icmp_exponent; + icmp_exponent = + CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_UGT, t_e0, t_e1); + signequal_bb->getInstList().insert(signequal_bb->getTerminator()->getIterator(), icmp_exponent); + icmp_exponent_result = BinaryOperator::Create(Instruction::Xor, icmp_exponent, t_s0); + break; + case CmpInst::FCMP_OLT: + icmp_exponent = + CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_ULT, t_e0, t_e1); + signequal_bb->getInstList().insert(signequal_bb->getTerminator()->getIterator(), icmp_exponent); + icmp_exponent_result = BinaryOperator::Create(Instruction::Xor, icmp_exponent, t_s0); + break; + default: + continue; + } + signequal_bb->getInstList().insert(signequal_bb->getTerminator()->getIterator(), icmp_exponent_result); + + { + auto term = signequal_bb->getTerminator(); + /* if the exponents are different do a fraction cmp */ + BranchInst::Create(middle_bb, end_bb, icmp_exponent_result, signequal_bb); + term->eraseFromParent(); + } + + + /* isolate the mantissa aka fraction */ + Instruction *t_f0, *t_f1; + bool needTrunc = IntFractionTy->getPrimitiveSizeInBits() < op0_size; +//errs() << "Fractions: IntFractionTy size " << IntFractionTy->getPrimitiveSizeInBits() << ", op0_size " << op0_size << ", needTrunc " << needTrunc << "\n"; + if (precision - 1 < frTySizeBytes * 8) { + Instruction *m_f0, *m_f1; + m_f0 = BinaryOperator::Create(Instruction::And, b_op0, ConstantInt::get(b_op0->getType(), mask_fraction)); + m_f1 = BinaryOperator::Create(Instruction::And, b_op1, ConstantInt::get(b_op1->getType(), mask_fraction)); + middle_bb->getInstList().insert(middle_bb->getTerminator()->getIterator(), m_f0); + middle_bb->getInstList().insert(middle_bb->getTerminator()->getIterator(), m_f1); + + if (needTrunc) { + t_f0 = new TruncInst(m_f0, IntFractionTy); + t_f1 = new TruncInst(m_f1, IntFractionTy); + middle_bb->getInstList().insert(middle_bb->getTerminator()->getIterator(), t_f0); + middle_bb->getInstList().insert(middle_bb->getTerminator()->getIterator(), t_f1); + } else { + t_f0 = m_f0; + t_f1 = m_f1; + } + } else { + if (needTrunc) { + t_f0 = new TruncInst(b_op0, IntFractionTy); + t_f1 = new TruncInst(b_op1, IntFractionTy); + middle_bb->getInstList().insert(middle_bb->getTerminator()->getIterator(), t_f0); + middle_bb->getInstList().insert(middle_bb->getTerminator()->getIterator(), t_f1); + } else { + t_f0 = b_op0; + t_f1 = b_op1; + } + } + + /* compare the fractions of the operands */ + Instruction *icmp_fraction_result; + switch (FcmpInst->getPredicate()) { + case CmpInst::FCMP_OEQ: + icmp_fraction_result = + CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_EQ, t_f0, t_f1); + break; + case CmpInst::FCMP_UNE: + case CmpInst::FCMP_ONE: + icmp_fraction_result = + CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_NE, t_f0, t_f1); + break; + case CmpInst::FCMP_OGT: + Instruction *icmp_fraction; + icmp_fraction = + CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_UGT, t_f0, t_f1); + middle_bb->getInstList().insert(middle_bb->getTerminator()->getIterator(), icmp_fraction); + icmp_fraction_result = BinaryOperator::Create(Instruction::Xor, icmp_fraction, t_s0); + break; + case CmpInst::FCMP_OLT: + icmp_fraction = + CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_ULT, t_f0, t_f1); + middle_bb->getInstList().insert(middle_bb->getTerminator()->getIterator(), icmp_fraction); + icmp_fraction_result = BinaryOperator::Create(Instruction::Xor, icmp_fraction, t_s0); + break; + default: + continue; + } + middle_bb->getInstList().insert(middle_bb->getTerminator()->getIterator(), icmp_fraction_result); + + PHINode *PN = PHINode::Create(Int1Ty, 3, ""); + + switch (FcmpInst->getPredicate()) { + case CmpInst::FCMP_OEQ: + /* unequal signs cannot be equal values */ + /* goto false branch */ + PN->addIncoming(ConstantInt::get(Int1Ty, 0), bb); + /* unequal exponents cannot be equal values, too */ + PN->addIncoming(ConstantInt::get(Int1Ty, 0), signequal_bb); + /* fractions comparison */ + PN->addIncoming(icmp_fraction_result, middle_bb); + break; + case CmpInst::FCMP_ONE: + case CmpInst::FCMP_UNE: + /* unequal signs are unequal values */ + /* goto true branch */ + PN->addIncoming(ConstantInt::get(Int1Ty, 1), bb); + /* unequal exponents are unequal values, too */ + PN->addIncoming(ConstantInt::get(Int1Ty, 1), signequal_bb); + /* fractions comparison */ + PN->addIncoming(icmp_fraction_result, middle_bb); + break; + case CmpInst::FCMP_OGT: + /* if op1 is negative goto true branch, + else go on comparing */ + PN->addIncoming(t_s1, bb); + PN->addIncoming(icmp_exponent_result, signequal_bb); + PN->addIncoming(icmp_fraction_result, middle_bb); + break; + case CmpInst::FCMP_OLT: + /* if op0 is negative goto true branch, + else go on comparing */ + PN->addIncoming(t_s0, bb); + PN->addIncoming(icmp_exponent_result, signequal_bb); + PN->addIncoming(icmp_fraction_result, middle_bb); + break; + default: + continue; + } + + BasicBlock::iterator ii(FcmpInst); + ReplaceInstWithInst(FcmpInst->getParent()->getInstList(), ii, PN); + ++count; + } + + return count; + +} + /* splits icmps of size bitw into two nested icmps with bitw/2 size each */ -bool SplitComparesTransform::splitCompares(Module &M, unsigned bitw) { +size_t SplitComparesTransform::splitIntCompares(Module &M, unsigned bitw) { + size_t count = 0; LLVMContext &C = M.getContext(); @@ -339,13 +748,14 @@ bool SplitComparesTransform::splitCompares(Module &M, unsigned bitw) { std::vector icomps; - if (bitw % 2) { return false; } + if (bitw % 2) { return 0; } /* not supported yet */ - if (bitw > 64) { return false; } + if (bitw > 64) { return 0; } - /* get all EQ, NE, UGT, and ULT icmps of width bitw. if the other two - * unctions were executed only these four predicates should exist */ + /* get all EQ, NE, UGT, and ULT icmps of width bitw. if the + * functions simplifyCompares() and simplifyIntSignedness() + * were executed only these four predicates should exist */ for (auto &F : M) { for (auto &BB : F) { @@ -356,33 +766,31 @@ bool SplitComparesTransform::splitCompares(Module &M, unsigned bitw) { if ((selectcmpInst = dyn_cast(&IN))) { - if (selectcmpInst->getPredicate() != CmpInst::ICMP_EQ && - selectcmpInst->getPredicate() != CmpInst::ICMP_NE && - selectcmpInst->getPredicate() != CmpInst::ICMP_UGT && - selectcmpInst->getPredicate() != CmpInst::ICMP_ULT) { + if (selectcmpInst->getPredicate() == CmpInst::ICMP_EQ || + selectcmpInst->getPredicate() == CmpInst::ICMP_NE || + selectcmpInst->getPredicate() == CmpInst::ICMP_UGT || + selectcmpInst->getPredicate() == CmpInst::ICMP_ULT) { - continue; + auto op0 = selectcmpInst->getOperand(0); + auto op1 = selectcmpInst->getOperand(1); - } + IntegerType *intTyOp0 = dyn_cast(op0->getType()); + IntegerType *intTyOp1 = dyn_cast(op1->getType()); - auto op0 = selectcmpInst->getOperand(0); - auto op1 = selectcmpInst->getOperand(1); + if (!intTyOp0 || !intTyOp1) { continue; } - IntegerType *intTyOp0 = dyn_cast(op0->getType()); - IntegerType *intTyOp1 = dyn_cast(op1->getType()); + /* check if the bitwidths are the one we are looking for */ + if (intTyOp0->getBitWidth() != bitw || + intTyOp1->getBitWidth() != bitw) { - if (!intTyOp0 || !intTyOp1) { continue; } + continue; - /* check if the bitwidths are the one we are looking for */ - if (intTyOp0->getBitWidth() != bitw || - intTyOp1->getBitWidth() != bitw) { + } - continue; + icomps.push_back(selectcmpInst); } - icomps.push_back(selectcmpInst); - } } @@ -391,7 +799,7 @@ bool SplitComparesTransform::splitCompares(Module &M, unsigned bitw) { } - if (!icomps.size()) { return false; } + if (!icomps.size()) { return 0; } for (auto &IcmpInst : icomps) { @@ -482,7 +890,7 @@ bool SplitComparesTransform::splitCompares(Module &M, unsigned bitw) { /* transformations for < and > */ /* create a basic block which checks for the inverse predicate. - * if this is true we can go to the end if not we have to got to the + * if this is true we can go to the end if not we have to go to the * bb which checks the lower half of the operands */ Instruction *icmp_inv_cmp, *op0_low, *op1_low, *icmp_low; BasicBlock * inv_cmp_bb = @@ -528,10 +936,10 @@ bool SplitComparesTransform::splitCompares(Module &M, unsigned bitw) { ReplaceInstWithInst(IcmpInst->getParent()->getInstList(), ii, PN); } - + ++count; } - return true; + return count; } @@ -545,26 +953,32 @@ bool SplitComparesTransform::runOnModule(Module &M) { simplifyCompares(M); - simplifySignedness(M); + simplifyIntSignedness(M); if (getenv("AFL_QUIET") == NULL) - errs() << "Split-compare-pass by laf.intel@gmail.com\n"; + errs() << "Split-compare-pass by laf.intel@gmail.com, extended by heiko@hexco.de\n"; + + errs() << "Split-floatingpoint-compare-pass: " << splitFPCompares(M) << " FP comparisons splitted\n"; switch (bitw) { case 64: - errs() << "Running split-compare-pass " << 64 << "\n"; - splitCompares(M, 64); + errs() << "Split-integer-compare-pass " << bitw << "bit: " + << splitIntCompares(M, bitw) << " splitted\n"; + bitw >>= 1; [[clang::fallthrough]]; /*FALLTHRU*/ /* FALLTHROUGH */ case 32: - errs() << "Running split-compare-pass " << 32 << "\n"; - splitCompares(M, 32); + errs() << "Split-integer-compare-pass " << bitw << "bit: " + << splitIntCompares(M, bitw) << " splitted\n"; + bitw >>= 1; [[clang::fallthrough]]; /*FALLTHRU*/ /* FALLTHROUGH */ case 16: - errs() << "Running split-compare-pass " << 16 << "\n"; - splitCompares(M, 16); + errs() << "Split-integer-compare-pass " << bitw << "bit: " + << splitIntCompares(M, bitw) << " splitted\n"; + + bitw >>= 1; break; default: -- cgit 1.4.1 From b4ca95a9fafccd0506285000595ada5ed47f9ca3 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sun, 22 Sep 2019 13:21:15 +0200 Subject: afl-fuzz mutation documentation feature --- Makefile | 7 +++++++ docs/ChangeLog | 2 ++ include/afl-fuzz.h | 5 +++++ src/afl-fuzz-globals.c | 4 ++++ src/afl-fuzz-one.c | 17 +++++++++++++++++ src/afl-fuzz-run.c | 12 ++++++++++++ test/test.sh | 8 ++++++++ 7 files changed, 55 insertions(+) (limited to 'docs') diff --git a/Makefile b/Makefile index d7309cff..35f58ac5 100644 --- a/Makefile +++ b/Makefile @@ -92,6 +92,8 @@ help: @echo "distrib: everything (for both binary-only and source code fuzzing)" @echo "install: installs everything you have compiled with the build option above" @echo "clean: cleans everything. for qemu_mode and unicorn_mode it means it deletes all downloads as well" + @echo "tests: this runs the test framework. It is more catered for the developers, but if you run into problems this helps pinpointing the problem" + @echo "document: creates afl-fuzz-document which will only do one run and save all manipulated inputs into out/queue/mutations" @echo "help: shows these build options :-)" @echo "==========================================" @echo "Recommended: \"distrib\" or \"source-only\", then \"install\"" @@ -176,6 +178,11 @@ afl-gotcpu: src/afl-gotcpu.c $(COMM_HDR) | test_x86 $(CC) $(CFLAGS) src/$@.c -o $@ $(LDFLAGS) +# document all mutations and only do one run (use with only one input file!) +document: include/afl-fuzz.h $(AFL_FUZZ_FILES) afl-common.o afl-sharedmem.o afl-forkserver.o $(COMM_HDR) | test_x86 + $(CC) $(CFLAGS) $(AFL_FUZZ_FILES) -D_AFL_DOCUMENT_MUTATIONS afl-common.o afl-sharedmem.o afl-forkserver.o -o afl-fuzz-document $(LDFLAGS) $(PYFLAGS) + + code-format: ./.custom-format.py -i src/*.c ./.custom-format.py -i include/*.h diff --git a/docs/ChangeLog b/docs/ChangeLog index 7beb32c3..0f5bb99c 100644 --- a/docs/ChangeLog +++ b/docs/ChangeLog @@ -27,6 +27,8 @@ Version ++2.54d (dev): - fuzzing strategy yields for custom mutator were missing from the UI, added them :) - added "make tests" which will perform checks to see that all functionality is working as expected. this is currently the starting point, its not complete :) + - added mutation documentation feature ("make document"), creates afl-fuzz-document + and saves all mutations of the first run on the first file into out/queue/mutations - libtokencap and libdislocator now compile to the afl_root directory and are installed to the .../lib/afl directory when present during make install - reducing duplicate code in afl-fuzz diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 9536e06a..4912b3f0 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -682,5 +682,10 @@ static u64 get_cur_time_us(void) { } +#ifdef _AFL_DOCUMENT_MUTATIONS + extern u8 do_document; + extern u32 document_counter; +#endif + #endif diff --git a/src/afl-fuzz-globals.c b/src/afl-fuzz-globals.c index 1358a1fb..01b242b8 100644 --- a/src/afl-fuzz-globals.c +++ b/src/afl-fuzz-globals.c @@ -259,3 +259,7 @@ PyObject *py_functions[PY_FUNC_COUNT]; #endif +#ifdef _AFL_DOCUMENT_MUTATIONS + u8 do_document; + u32 document_counter; +#endif diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 59483b8f..1824f0b2 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -4231,6 +4231,7 @@ pacemaker_fuzzing: #define core_fuzzing(a) common_fuzzing((a), MOpt_globals_core) + void pso_updating(void) { g_now += 1; @@ -4310,6 +4311,22 @@ void pso_updating(void) { u8 fuzz_one(char** argv) { int key_val_lv = 0; + +#ifdef _AFL_DOCUMENT_MUTATIONS + if (do_document == 0) { + char *fn = alloc_printf("%s/mutations", out_dir); + if (fn) { + do_document = mkdir(fn, 0700); // if it exists we do not care + do_document = 1; + ck_free(fn); + } else + PFATAL("malloc()"); + } else { + do_document = 2; + stop_soon = 2; + } +#endif + if (limit_time_sig == 0) { key_val_lv = fuzz_one_original(argv); diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index f2f663dc..220433fc 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -251,6 +251,18 @@ void write_to_testcase(void* mem, u32 len) { s32 fd = out_fd; +#ifdef _AFL_DOCUMENT_MUTATIONS + s32 doc_fd; + char *fn = alloc_printf("%s/mutations/%09u:%s", out_dir, document_counter++, describe_op(0)); + if (fn != NULL) { + if ((doc_fd = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600)) >= 0) { + if (write(doc_fd, mem, len) != len) PFATAL("write to mutation file failed: %s", fn); + close(doc_fd); + } + ck_free(fn); + } +#endif + if (out_file) { // unlink(out_file); /* Ignore errors. diff --git a/test/test.sh b/test/test.sh index 5d67588a..d230cf71 100755 --- a/test/test.sh +++ b/test/test.sh @@ -27,10 +27,18 @@ test -z "$ECHO" && { echo Error: echo command does not support -e option ; exit export AFL_EXIT_WHEN_DONE=1 export AFL_SKIP_CPUFREQ=1 +unset AFL_QUIET unset AFL_DEBUG unset AFL_HARDEN +unset AFL_USE_ASAN +unset AFL_USE_MSAN +unset AFL_CC +unset AFL_PRELOAD unset AFL_LLVM_WHITELIST unset AFL_LLVM_INSTRIM +unset AFL_LLVM_LAF_SPLIT_SWITCHES +unset AFL_LLVM_LAF_TRANSFORM_COMPARES +unset AFL_LLVM_LAF_SPLIT_COMPARES GREY="\\x1b[1;90m" BLUE="\\x1b[1;94m" -- cgit 1.4.1