From 1e76079e93f5b4a9729367dd982d632013669bc5 Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Thu, 4 Mar 2021 11:32:32 +0100 Subject: llvm mode CALLER mode --- instrumentation/README.ctx.md | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) (limited to 'instrumentation/README.ctx.md') diff --git a/instrumentation/README.ctx.md b/instrumentation/README.ctx.md index caf2c09a..ffcce0a9 100644 --- a/instrumentation/README.ctx.md +++ b/instrumentation/README.ctx.md @@ -4,14 +4,19 @@ This is an LLVM-based implementation of the context sensitive branch coverage. -Basically every function gets its own ID and that ID is combined with the -edges of the called functions. +Basically every function gets its own ID and, every time that an edge is logged, +all the IDs in the callstack are hashed and combined with the edge transition +hash to augment the classic edge coverage with the information about the +calling context. So if both function A and function B call a function C, the coverage collected in C will be different. In math the coverage is collected as follows: -`map[current_location_ID ^ previous_location_ID >> 1 ^ previous_callee_ID] += 1` +`map[current_location_ID ^ previous_location_ID >> 1 ^ hash_callstack_IDs] += 1` + +The callstack hash is produced XOR-ing the function IDs to avoid explosion with +recusrsive functions. ## Usage 
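Review bot: two wording problems in the added text of this hunk: "recusrsive" should be "recursive", and "every time that an edge is logged" reads better as "every time an edge is logged". More substantively, the line stating that the callstack hash is produced by XOR-ing the function IDs deserves one more sentence of documentation, because XOR is commutative and self-inverse: the hash cannot distinguish call order (A calling B calling C hashes the same as B calling A calling C), and any function that appears an even number of times in the stack cancels out of the hash entirely. That is presumably the accepted price for bounding recursion, as the text says, but spelling it out here would help users interpret unexpected coverage merges and map collisions in CTX mode.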
@@ -20,3 +25,14 @@ Set the `AFL_LLVM_INSTRUMENT=CTX` or `AFL_LLVM_CTX=1` environment variable. It is highly recommended to increase the MAP_SIZE_POW2 definition in config.h to at least 18 and maybe up to 20 for this as otherwise too many map collisions occur. + +## Caller Branch Coverage + +If the context sensitive coverage introduces too may collisions becoming +decremental, the user can choose to augment edge coverage with just the +called function ID, instead of the entire callstack hash. + +In math the coverage is collected as follows: +`map[current_location_ID ^ previous_location_ID >> 1 ^ previous_callee_ID] += 1` + +Set the `AFL_LLVM_INSTRUMENT=CALLER` or `AFL_LLVM_CALLER=1` environment variable. -- cgit 1.4.1 From 16d6f35aa6f968d6dbdd2005e8fa140955815837 Mon Sep 17 00:00:00 2001 From: hexcoder Date: Fri, 5 Mar 2021 18:11:05 +0100 Subject: typos --- instrumentation/README.ctx.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'instrumentation/README.ctx.md') diff --git a/instrumentation/README.ctx.md b/instrumentation/README.ctx.md index ffcce0a9..577b3e5f 100644 --- a/instrumentation/README.ctx.md +++ b/instrumentation/README.ctx.md @@ -4,7 +4,7 @@ This is an LLVM-based implementation of the context sensitive branch coverage. -Basically every function gets its own ID and, every time that an edge is logged, +Basically every function gets its own ID and, every time when an edge is logged, all the IDs in the callstack are hashed and combined with the edge transition hash to augment the classic edge coverage with the information about the calling context. @@ -16,7 +16,7 @@ In math the coverage is collected as follows: `map[current_location_ID ^ previous_location_ID >> 1 ^ hash_callstack_IDs] += 1` The callstack hash is produced XOR-ing the function IDs to avoid explosion with -recusrsive functions. +recursive functions. ## Usage 
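Review bot: in the new "Caller Branch Coverage" section of commit 1e76079, "too may collisions becoming decremental" is hard to parse and should read something like "too many collisions and becomes detrimental". It would also help to state whether the MAP_SIZE_POW2 advice in the preceding paragraph (raise it to at least 18, up to 20) still applies to CALLER mode, since the formula `map[current_location_ID ^ previous_location_ID >> 1 ^ previous_callee_ID] += 1` still folds an extra term into the map index and can still raise the collision rate compared with plain edge coverage, even if less than the full callstack hash does.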
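Review bot: in the first hunk of commit 16d6f35, the replacement "every time when an edge is logged" is no more idiomatic than the line it replaces; suggest "every time an edge is logged".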
@@ -28,7 +28,7 @@ many map collisions occur. ## Caller Branch Coverage -If the context sensitive coverage introduces too may collisions becoming +If the context sensitive coverage introduces too may collisions and becoming decremental, the user can choose to augment edge coverage with just the called function ID, instead of the entire callstack hash. -- cgit 1.4.1
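Review bot: this typo fix leaves two errors on the changed line and introduces a dangling clause: "too may" should be "too many", "decremental" should be "detrimental", and inserting "and" produces "collisions and becoming decremental", which has no finite verb. Suggest replacing the two lines with "If the context sensitive coverage introduces too many collisions and becomes detrimental, the user can choose to augment edge coverage with just the".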