From 7cd98f565ffdf3e0c0ccd34c04ed2f3126ab4189 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 18 Oct 2021 12:16:58 +0200 Subject: lto and llvm14-dev --- instrumentation/SanitizerCoveragePCGUARD.so.cc | 2 -- 1 file changed, 2 deletions(-) (limited to 'instrumentation/SanitizerCoveragePCGUARD.so.cc') diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc index 48ad2d02..013492f9 100644 --- a/instrumentation/SanitizerCoveragePCGUARD.so.cc +++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc @@ -881,8 +881,6 @@ void ModuleSanitizerCoverage::InjectCoverageForIndirectCalls( Function &F, ArrayRef IndirCalls) { if (IndirCalls.empty()) return; - assert(Options.TracePC || Options.TracePCGuard || - Options.Inline8bitCounters /*|| Options.InlineBoolFlag*/); for (auto I : IndirCalls) { IRBuilder<> IRB(I); -- cgit 1.4.1 From d918a9e85b3b73127bbf7e0e14e63104537ab1d6 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sun, 31 Oct 2021 13:25:27 +0100 Subject: insert select instrumentation --- instrumentation/SanitizerCoveragePCGUARD.so.cc | 67 ++++++++++++++++++++++++-- 1 file changed, 64 insertions(+), 3 deletions(-) (limited to 'instrumentation/SanitizerCoveragePCGUARD.so.cc') diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc index 013492f9..d6098897 100644 --- a/instrumentation/SanitizerCoveragePCGUARD.so.cc +++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc @@ -203,7 +203,7 @@ class ModuleSanitizerCoverage { SanitizerCoverageOptions Options; - uint32_t instr = 0; + uint32_t instr = 0, selects = 0; GlobalVariable *AFLMapPtr = NULL; ConstantInt * One = NULL; ConstantInt * Zero = NULL; 
@@ -553,8 +553,9 @@ bool ModuleSanitizerCoverage::instrumentModule( getenv("AFL_USE_MSAN") ? ", MSAN" : "", getenv("AFL_USE_CFISAN") ? ", CFISAN" : "", getenv("AFL_USE_UBSAN") ? ", UBSAN" : ""); - OKF("Instrumented %u locations with no collisions (%s mode).", instr, - modeline); + OKF("Instrumented %u locations with no collisions (%s mode) and %u " + "selects.", + instr, modeline, selects); } @@ -836,6 +837,8 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, if (AllBlocks.empty()) return false; uint32_t special = 0; + uint32_t skip_next = 0; + for (auto &BB : F) { for (auto &IN : BB) { @@ -856,6 +859,64 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, } + SelectInst *selectInst = nullptr; + + if (!skip_next && (selectInst = dyn_cast(&IN))) { + + selects++; + uint32_t id1 = 1 + instr + (uint32_t)AllBlocks.size() + special++; + uint32_t id2 = 1 + instr + (uint32_t)AllBlocks.size() + special++; + Value * val1 = ConstantInt::get(Int32Ty, id1); + Value * val2 = ConstantInt::get(Int32Ty, id2); + auto cond = selectInst->getCondition(); + IRBuilder<> IRB(selectInst->getNextNode()); + auto result = IRB.CreateSelect(cond, val1, val2); + + /* Get CurLoc */ + + /* Load SHM pointer */ + + LoadInst *MapPtr = IRB.CreateLoad(AFLMapPtr); + + /* Load counter for CurLoc */ + + Value *MapPtrIdx = IRB.CreateGEP(MapPtr, result); + + if (use_threadsafe_counters) { + + IRB.CreateAtomicRMW(llvm::AtomicRMWInst::BinOp::Add, MapPtrIdx, One, +#if LLVM_VERSION_MAJOR >= 13 + llvm::MaybeAlign(1), +#endif + llvm::AtomicOrdering::Monotonic); + + } else { + + LoadInst *Counter = IRB.CreateLoad(MapPtrIdx); + /* Update bitmap */ + + Value *Incr = IRB.CreateAdd(Counter, One); + + if (skip_nozero == NULL) { + + auto cf = IRB.CreateICmpEQ(Incr, Zero); + auto carry = IRB.CreateZExt(cf, Int8Ty); + Incr = IRB.CreateAdd(Incr, carry); + + } + + IRB.CreateStore(Incr, MapPtrIdx); + + } + + skip_next = 1; + + } else { + + skip_next = 0; + + } + } } -- cgit 1.4.1 
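Review bot: The select instrumentation in `@@ -856,6 +859,64 @@` builds `IRB.CreateSelect(cond, val1, val2)` with two scalar i32 operands, but `selectInst->getCondition()` can be a vector of i1 for a vector select, and the synthesized select would then be ill-formed; the condition type needs to be checked first, with non-scalar conditions counted and skipped rather than instrumented. The loop also inserts instructions into the basic block it is range-iterating, so the builder's own select is visited by the same pass and only `skip_next` keeps it from being instrumented again; that dependency on the insertion position deserves a comment such as `/* the select emitted above is the next instruction visited; skip_next stops it being instrumented a second time */`. The map accesses emitted here (`CreateLoad(AFLMapPtr)`, `CreateLoad(MapPtrIdx)`, `CreateStore(Incr, MapPtrIdx)`) carry no nosanitize metadata, so a sanitizer build will shadow-check the coverage map itself. InjectCoverage starts and ends outside this hunk.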
From 0cbb406451a77b7b293cd317ad116531a9cb46bf Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 1 Nov 2021 00:30:56 +0100 Subject: fix --- instrumentation/SanitizerCoveragePCGUARD.so.cc | 88 ++++++++++++++++++++------ 1 file changed, 70 insertions(+), 18 deletions(-) (limited to 'instrumentation/SanitizerCoveragePCGUARD.so.cc') diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc index d6098897..cfb777ce 100644 --- a/instrumentation/SanitizerCoveragePCGUARD.so.cc +++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc @@ -834,10 +834,39 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, ArrayRef AllBlocks, bool IsLeafFunc) { - if (AllBlocks.empty()) return false; + uint32_t cnt_cov = 0, cnt_sel = 0; - uint32_t special = 0; - uint32_t skip_next = 0; + for (auto &BB : F) { + + for (auto &IN : BB) { + + CallInst *callInst = nullptr; + + if ((callInst = dyn_cast(&IN))) { + + Function *Callee = callInst->getCalledFunction(); + if (!Callee) continue; + if (callInst->getCallingConv() != llvm::CallingConv::C) continue; + StringRef FuncName = Callee->getName(); + if (FuncName.compare(StringRef("__afl_coverage_interesting"))) continue; + + cnt_cov++; + + } + + SelectInst *selectInst = nullptr; + + if ((selectInst = dyn_cast(&IN))) { cnt_sel++; } + + } + + } + + /* Create PCGUARD array */ + CreateFunctionLocalArrays(F, AllBlocks, cnt_cov + cnt_sel * 2); + selects += cnt_sel; + + uint32_t special = 0, local_selects = 0, skip_next = 0; for (auto &BB : F) { 
@@ -853,9 +882,14 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, StringRef FuncName = Callee->getName(); if (FuncName.compare(StringRef("__afl_coverage_interesting"))) continue; - uint32_t id = 1 + instr + (uint32_t)AllBlocks.size() + special++; - Value * val = ConstantInt::get(Int32Ty, id); - callInst->setOperand(1, val); + IRBuilder<> IRB(callInst); + Value * GuardPtr = IRB.CreateIntToPtr( + IRB.CreateAdd( + IRB.CreatePointerCast(FunctionGuardArray, IntptrTy), + ConstantInt::get(IntptrTy, (++special + AllBlocks.size()) * 4)), + Int32PtrTy); + + callInst->setOperand(1, GuardPtr); } @@ -863,24 +897,40 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, if (!skip_next && (selectInst = dyn_cast(&IN))) { - selects++; - uint32_t id1 = 1 + instr + (uint32_t)AllBlocks.size() + special++; - uint32_t id2 = 1 + instr + (uint32_t)AllBlocks.size() + special++; - Value * val1 = ConstantInt::get(Int32Ty, id1); - Value * val2 = ConstantInt::get(Int32Ty, id2); - auto cond = selectInst->getCondition(); IRBuilder<> IRB(selectInst->getNextNode()); - auto result = IRB.CreateSelect(cond, val1, val2); + + Value *GuardPtr1 = IRB.CreateIntToPtr( + IRB.CreateAdd( + IRB.CreatePointerCast(FunctionGuardArray, IntptrTy), + ConstantInt::get( + IntptrTy, + (cnt_cov + local_selects * 2 + 1 + AllBlocks.size()) * 4)), + Int32PtrTy); + + Value *GuardPtr2 = IRB.CreateIntToPtr( + IRB.CreateAdd( + IRB.CreatePointerCast(FunctionGuardArray, IntptrTy), + ConstantInt::get( + IntptrTy, + (cnt_cov + local_selects * 2 + 2 + AllBlocks.size()) * 4)), + Int32PtrTy); + + local_selects++; + + auto cond = selectInst->getCondition(); + auto result = IRB.CreateSelect(cond, GuardPtr1, GuardPtr2); /* Get CurLoc */ + LoadInst *CurLoc = IRB.CreateLoad(result); + /* Load SHM pointer */ LoadInst *MapPtr = IRB.CreateLoad(AFLMapPtr); /* Load counter for CurLoc */ - Value *MapPtrIdx = IRB.CreateGEP(MapPtr, result); + Value *MapPtrIdx = IRB.CreateGEP(MapPtr, CurLoc); if (use_threadsafe_counters) { 
@@ -893,6 +943,7 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, } else { LoadInst *Counter = IRB.CreateLoad(MapPtrIdx); + /* Update bitmap */ Value *Incr = IRB.CreateAdd(Counter, One); @@ -910,6 +961,7 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, } skip_next = 1; + instr += 2; } else { @@ -921,11 +973,11 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, } - CreateFunctionLocalArrays(F, AllBlocks, special); - for (size_t i = 0, N = AllBlocks.size(); i < N; i++) - InjectCoverageAtBlock(F, *AllBlocks[i], i, IsLeafFunc); + if (AllBlocks.empty() && !special && !local_selects) return false; - instr += special; + if (!AllBlocks.empty()) + for (size_t i = 0, N = AllBlocks.size(); i < N; i++) + InjectCoverageAtBlock(F, *AllBlocks[i], i, IsLeafFunc); return true; -- cgit 1.4.1 From 7e813ca4925c26253dcba34daa29cd5140b7b8ba Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 1 Nov 2021 09:23:05 +0100 Subject: fix --- instrumentation/SanitizerCoveragePCGUARD.so.cc | 108 ++++++++++++++----------- 1 file changed, 63 insertions(+), 45 deletions(-) (limited to 'instrumentation/SanitizerCoveragePCGUARD.so.cc') diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc index cfb777ce..4bd62bc7 100644 --- a/instrumentation/SanitizerCoveragePCGUARD.so.cc +++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc @@ -203,7 +203,7 @@ class ModuleSanitizerCoverage { SanitizerCoverageOptions Options; - uint32_t instr = 0, selects = 0; + uint32_t instr = 0, selects = 0, unhandled = 0; GlobalVariable *AFLMapPtr = NULL; ConstantInt * One = NULL; ConstantInt * Zero = NULL; 
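Review bot: The removed `instr += special;` in `@@ -921,11 +973,11 @@` has no visible replacement for the `__afl_coverage_interesting` slots, while selects now add `instr += 2` each, so unless `CreateFunctionLocalArrays` (defined outside the hunk) adds `cnt_cov` itself, the location count printed by `OKF` undercounts those calls; confirm against that helper. The early return `if (AllBlocks.empty() && !special && !local_selects) return false;` now runs after `CreateFunctionLocalArrays` has already been called, so a function with nothing to instrument still gets a guard array, which is at least worth a comment. The `if (!AllBlocks.empty())` in front of the for loop is redundant, since a loop over an empty range is a no-op. InjectCoverage begins outside this hunk.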
@@ -553,9 +553,9 @@ bool ModuleSanitizerCoverage::instrumentModule( getenv("AFL_USE_MSAN") ? ", MSAN" : "", getenv("AFL_USE_CFISAN") ? ", CFISAN" : "", getenv("AFL_USE_UBSAN") ? ", UBSAN" : ""); - OKF("Instrumented %u locations with no collisions (%s mode) and %u " - "selects.", - instr, modeline, selects); + OKF("Instrumented %u locations with no collisions (%s mode) of which are " + "%u handled and %u unhandled selects.", + instr, modeline, selects, unhandled); } @@ -856,12 +856,20 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, SelectInst *selectInst = nullptr; - if ((selectInst = dyn_cast(&IN))) { cnt_sel++; } + if ((selectInst = dyn_cast(&IN))) { + + Value *c = selectInst->getCondition(); + auto t = c->getType(); + if (t->getTypeID() == llvm::Type::IntegerTyID) cnt_sel++; + + } } } + fprintf(stderr, "%u selects in %s!\n", cnt_sel, F.getName().str().c_str()); + /* Create PCGUARD array */ CreateFunctionLocalArrays(F, AllBlocks, cnt_cov + cnt_sel * 2); selects += cnt_sel; 
@@ -897,71 +905,81 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, if (!skip_next && (selectInst = dyn_cast(&IN))) { - IRBuilder<> IRB(selectInst->getNextNode()); + Value *c = selectInst->getCondition(); + auto t = c->getType(); + if (t->getTypeID() == llvm::Type::IntegerTyID) { - Value *GuardPtr1 = IRB.CreateIntToPtr( - IRB.CreateAdd( - IRB.CreatePointerCast(FunctionGuardArray, IntptrTy), - ConstantInt::get( - IntptrTy, - (cnt_cov + local_selects * 2 + 1 + AllBlocks.size()) * 4)), - Int32PtrTy); + IRBuilder<> IRB(selectInst->getNextNode()); - Value *GuardPtr2 = IRB.CreateIntToPtr( - IRB.CreateAdd( - IRB.CreatePointerCast(FunctionGuardArray, IntptrTy), - ConstantInt::get( - IntptrTy, - (cnt_cov + local_selects * 2 + 2 + AllBlocks.size()) * 4)), - Int32PtrTy); + Value *GuardPtr1 = IRB.CreateIntToPtr( + IRB.CreateAdd( + IRB.CreatePointerCast(FunctionGuardArray, IntptrTy), + ConstantInt::get(IntptrTy, (cnt_cov + local_selects * 2 + 1 + + AllBlocks.size()) * + 4)), + Int32PtrTy); + + Value *GuardPtr2 = IRB.CreateIntToPtr( + IRB.CreateAdd( + IRB.CreatePointerCast(FunctionGuardArray, IntptrTy), + ConstantInt::get(IntptrTy, (cnt_cov + local_selects * 2 + 2 + + AllBlocks.size()) * + 4)), + Int32PtrTy); - local_selects++; + local_selects++; - auto cond = selectInst->getCondition(); - auto result = IRB.CreateSelect(cond, GuardPtr1, GuardPtr2); + auto cond = selectInst->getCondition(); + auto result = IRB.CreateSelect(cond, GuardPtr1, GuardPtr2); - /* Get CurLoc */ + /* Get CurLoc */ - LoadInst *CurLoc = IRB.CreateLoad(result); + LoadInst *CurLoc = IRB.CreateLoad(result); - /* Load SHM pointer */ + /* Load SHM pointer */ - LoadInst *MapPtr = IRB.CreateLoad(AFLMapPtr); + LoadInst *MapPtr = IRB.CreateLoad(AFLMapPtr); - /* Load counter for CurLoc */ + /* Load counter for CurLoc */ - Value *MapPtrIdx = IRB.CreateGEP(MapPtr, CurLoc); + Value *MapPtrIdx = IRB.CreateGEP(MapPtr, CurLoc); - if (use_threadsafe_counters) { + if (use_threadsafe_counters) { - 
IRB.CreateAtomicRMW(llvm::AtomicRMWInst::BinOp::Add, MapPtrIdx, One, + IRB.CreateAtomicRMW(llvm::AtomicRMWInst::BinOp::Add, MapPtrIdx, One, #if LLVM_VERSION_MAJOR >= 13 - llvm::MaybeAlign(1), + llvm::MaybeAlign(1), #endif - llvm::AtomicOrdering::Monotonic); + llvm::AtomicOrdering::Monotonic); - } else { + } else { + + LoadInst *Counter = IRB.CreateLoad(MapPtrIdx); + + /* Update bitmap */ - LoadInst *Counter = IRB.CreateLoad(MapPtrIdx); + Value *Incr = IRB.CreateAdd(Counter, One); - /* Update bitmap */ + if (skip_nozero == NULL) { - Value *Incr = IRB.CreateAdd(Counter, One); + auto cf = IRB.CreateICmpEQ(Incr, Zero); + auto carry = IRB.CreateZExt(cf, Int8Ty); + Incr = IRB.CreateAdd(Incr, carry); - if (skip_nozero == NULL) { + } - auto cf = IRB.CreateICmpEQ(Incr, Zero); - auto carry = IRB.CreateZExt(cf, Int8Ty); - Incr = IRB.CreateAdd(Incr, carry); + IRB.CreateStore(Incr, MapPtrIdx); } - IRB.CreateStore(Incr, MapPtrIdx); + skip_next = 1; + instr += 2; - } + } else { - skip_next = 1; - instr += 2; + unhandled++; + + } } else { -- cgit 1.4.1 From f97c5dba2af3c1428ee26e0936c931e58e5d67e7 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 1 Nov 2021 09:25:11 +0100 Subject: remove debug --- instrumentation/SanitizerCoveragePCGUARD.so.cc | 2 -- 1 file changed, 2 deletions(-) (limited to 'instrumentation/SanitizerCoveragePCGUARD.so.cc') diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc index 4bd62bc7..da1db3ff 100644 --- a/instrumentation/SanitizerCoveragePCGUARD.so.cc +++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc @@ -868,8 +868,6 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, } - fprintf(stderr, "%u selects in %s!\n", cnt_sel, F.getName().str().c_str()); - /* Create PCGUARD array */ CreateFunctionLocalArrays(F, AllBlocks, cnt_cov + cnt_sel * 2); selects += cnt_sel; -- cgit 1.4.1 From cd9f596ce04cdf5bb18d73be7052a7f4aa8f7c94 Mon Sep 17 00:00:00 2001 
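Review bot: The condition test `t->getTypeID() == llvm::Type::IntegerTyID` in `@@ -897,71 +905,81 @@` duplicates the one the pre-scan uses to size the guard array as `cnt_cov + cnt_sel * 2`, and the two loops must agree exactly: every select accepted here consumes two slots derived from `local_selects`, so any select the pre-scan skipped but this loop accepts produces guard pointers past the end of `FunctionGuardArray`, and the instrumented program then loads an out-of-bounds guard value through `CurLoc` and uses it as a map index. A cheap safeguard is `assert(local_selects < cnt_sel && "select count diverged from pre-scan");` before `GuardPtr1` is built, or hoisting the predicate into one small helper both loops call. The `unhandled++` branch is silent; a comment such as `/* non-integer (vector) select condition: counted but not instrumented */` would say what the counter means. InjectCoverage starts and ends outside this hunk.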
From: vanhauser-thc Date: Mon, 1 Nov 2021 17:33:18 +0100 Subject: remove debug --- instrumentation/SanitizerCoveragePCGUARD.so.cc | 1 + 1 file changed, 1 insertion(+) (limited to 'instrumentation/SanitizerCoveragePCGUARD.so.cc') diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc index da1db3ff..6b6a00d1 100644 --- a/instrumentation/SanitizerCoveragePCGUARD.so.cc +++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc @@ -905,6 +905,7 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, Value *c = selectInst->getCondition(); auto t = c->getType(); + if (t->getTypeID() == llvm::Type::IntegerTyID) { IRBuilder<> IRB(selectInst->getNextNode()); -- cgit 1.4.1 From fb3a71bd253e446de0b71b73c1d4a69c478f1ecd Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 2 Nov 2021 17:47:17 +0100 Subject: support select with vectors --- instrumentation/SanitizerCoveragePCGUARD.so.cc | 177 +++++++++++++++++++++---- 1 file changed, 148 insertions(+), 29 deletions(-) (limited to 'instrumentation/SanitizerCoveragePCGUARD.so.cc') diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc index 6b6a00d1..e8239483 100644 --- a/instrumentation/SanitizerCoveragePCGUARD.so.cc +++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc @@ -834,7 +834,7 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, ArrayRef AllBlocks, bool IsLeafFunc) { - uint32_t cnt_cov = 0, cnt_sel = 0; + uint32_t cnt_cov = 0, cnt_sel = 0, cnt_sel_inc = 0; for (auto &BB : F) { 
@@ -860,7 +860,22 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, Value *c = selectInst->getCondition(); auto t = c->getType(); - if (t->getTypeID() == llvm::Type::IntegerTyID) cnt_sel++; + if (t->getTypeID() == llvm::Type::IntegerTyID) { + + cnt_sel++; + cnt_sel_inc += 2; + + } else if (t->getTypeID() == llvm::Type::FixedVectorTyID) { + + FixedVectorType *tt = dyn_cast(t); + if (tt) { + + cnt_sel++; + cnt_sel_inc += tt->getElementCount().getFixedValue(); + + } + + } } @@ -869,7 +884,7 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, } /* Create PCGUARD array */ - CreateFunctionLocalArrays(F, AllBlocks, cnt_cov + cnt_sel * 2); + CreateFunctionLocalArrays(F, AllBlocks, cnt_cov + cnt_sel_inc); selects += cnt_sel; uint32_t special = 0, local_selects = 0, skip_next = 0; @@ -889,13 +904,16 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, if (FuncName.compare(StringRef("__afl_coverage_interesting"))) continue; IRBuilder<> IRB(callInst); - Value * GuardPtr = IRB.CreateIntToPtr( + + Value *GuardPtr = IRB.CreateIntToPtr( IRB.CreateAdd( IRB.CreatePointerCast(FunctionGuardArray, IntptrTy), ConstantInt::get(IntptrTy, (++special + AllBlocks.size()) * 4)), Int32PtrTy); - callInst->setOperand(1, GuardPtr); + LoadInst *Idx = IRB.CreateLoad(GuardPtr); + + callInst->setOperand(1, Idx); } 
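Review bot: The vector case in `@@ -860,7 +860,22 @@` reserves `cnt_sel_inc += tt->getElementCount().getFixedValue()`, one slot per lane, but the instrumentation this commit adds in `@@ -903,45 +921,139 @@` emits two `++local_selects` guard pointers per lane (`val1` and `val2`), so a vector select consumes twice what the pre-scan reserves and the later lanes address guard slots beyond the array sized through `CreateFunctionLocalArrays`. The scalar branch already reserves `2` for its two pointers; the vector branch should be `cnt_sel_inc += tt->getElementCount().getFixedValue() * 2;`. The same factor is missing from `instr += vector_cnt;` at the end of that hunk, where `vector_cnt` holds the lane count, so the reported location count also undercounts vector selects. InjectCoverage starts and ends outside this hunk.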
@@ -903,45 +921,139 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, if (!skip_next && (selectInst = dyn_cast(&IN))) { - Value *c = selectInst->getCondition(); - auto t = c->getType(); + uint32_t vector_cnt = 0; + Value * condition = selectInst->getCondition(); + Value * result; + auto t = condition->getType(); + IRBuilder<> IRB(selectInst->getNextNode()); if (t->getTypeID() == llvm::Type::IntegerTyID) { - IRBuilder<> IRB(selectInst->getNextNode()); - - Value *GuardPtr1 = IRB.CreateIntToPtr( + auto GuardPtr1 = IRB.CreateIntToPtr( IRB.CreateAdd( IRB.CreatePointerCast(FunctionGuardArray, IntptrTy), - ConstantInt::get(IntptrTy, (cnt_cov + local_selects * 2 + 1 + - AllBlocks.size()) * - 4)), + ConstantInt::get( + IntptrTy, + (cnt_cov + ++local_selects + AllBlocks.size()) * 4)), Int32PtrTy); - Value *GuardPtr2 = IRB.CreateIntToPtr( + auto GuardPtr2 = IRB.CreateIntToPtr( IRB.CreateAdd( IRB.CreatePointerCast(FunctionGuardArray, IntptrTy), - ConstantInt::get(IntptrTy, (cnt_cov + local_selects * 2 + 2 + - AllBlocks.size()) * - 4)), + ConstantInt::get( + IntptrTy, + (cnt_cov + ++local_selects + AllBlocks.size()) * 4)), Int32PtrTy); - local_selects++; + result = IRB.CreateSelect(condition, GuardPtr1, GuardPtr2); + + } else if (t->getTypeID() == llvm::Type::FixedVectorTyID) { + + FixedVectorType *tt = dyn_cast(t); + if (tt) { + + uint32_t elements = tt->getElementCount().getFixedValue(); + vector_cnt = elements; + if (elements) { + + FixedVectorType *GuardPtr1 = + FixedVectorType::get(Int32PtrTy, elements); + FixedVectorType *GuardPtr2 = + FixedVectorType::get(Int32PtrTy, elements); + Value *x, *y; + + Value *val1 = IRB.CreateIntToPtr( + IRB.CreateAdd( + IRB.CreatePointerCast(FunctionGuardArray, IntptrTy), + ConstantInt::get( + IntptrTy, + (cnt_cov + ++local_selects + AllBlocks.size()) * 4)), + Int32PtrTy); + x = IRB.CreateInsertElement(GuardPtr1, val1, (uint64_t)0); + + Value *val2 = IRB.CreateIntToPtr( + IRB.CreateAdd( + IRB.CreatePointerCast(FunctionGuardArray, 
IntptrTy), + ConstantInt::get( + IntptrTy, + (cnt_cov + ++local_selects + AllBlocks.size()) * 4)), + Int32PtrTy); + y = IRB.CreateInsertElement(GuardPtr2, val2, (uint64_t)0); + + for (uint64_t i = 1; i < elements; i++) { + + val1 = IRB.CreateIntToPtr( + IRB.CreateAdd( + IRB.CreatePointerCast(FunctionGuardArray, IntptrTy), + ConstantInt::get(IntptrTy, (cnt_cov + ++local_selects + + AllBlocks.size()) * + 4)), + Int32PtrTy); + x = IRB.CreateInsertElement(x, val1, i); + + val2 = IRB.CreateIntToPtr( + IRB.CreateAdd( + IRB.CreatePointerCast(FunctionGuardArray, IntptrTy), + ConstantInt::get(IntptrTy, (cnt_cov + ++local_selects + + AllBlocks.size()) * + 4)), + Int32PtrTy); + y = IRB.CreateInsertElement(y, val2, i); + + } + + /* + std::string errMsg; + raw_string_ostream os(errMsg); + x->print(os); + fprintf(stderr, "X: %s\n", os.str().c_str()); + */ + result = IRB.CreateSelect(condition, x, y); - auto cond = selectInst->getCondition(); - auto result = IRB.CreateSelect(cond, GuardPtr1, GuardPtr2); + } - /* Get CurLoc */ + } + + } else { - LoadInst *CurLoc = IRB.CreateLoad(result); + unhandled++; + + } + + local_selects++; + uint32_t vector_cur = 0; + + /* Load SHM pointer */ - /* Load SHM pointer */ + LoadInst *MapPtr = IRB.CreateLoad(AFLMapPtr); - LoadInst *MapPtr = IRB.CreateLoad(AFLMapPtr); + /* + std::string errMsg; + raw_string_ostream os(errMsg); + result->print(os); + fprintf(stderr, "X: %s\n", os.str().c_str()); + */ + + while (1) { + + /* Get CurLoc */ + LoadInst *CurLoc = nullptr; + Value * MapPtrIdx = nullptr; /* Load counter for CurLoc */ + if (!vector_cnt) { - Value *MapPtrIdx = IRB.CreateGEP(MapPtr, CurLoc); + CurLoc = IRB.CreateLoad(result); + MapPtrIdx = IRB.CreateGEP(MapPtr, CurLoc); + + } else { + + auto element = IRB.CreateExtractElement(result, vector_cur++); + auto elementptr = IRB.CreateIntToPtr(element, Int32PtrTy); + auto elementld = IRB.CreateLoad(elementptr); + MapPtrIdx = IRB.CreateGEP(MapPtr, elementld); + + } if (use_threadsafe_counters) { 
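Review bot: In `@@ -903,45 +921,139 @@` the `else { unhandled++; }` branch leaves `Value * result;` uninitialized yet falls through to `local_selects++` and the `while (1)` loop, where `IRB.CreateLoad(result)` uses it; that branch needs a `continue;` (or `result` must be initialized and checked before the loop). The unconditional `local_selects++;` after the type dispatch advances the slot counter once more than the `++local_selects` pre-increments already did, so each select leaves one unused guard slot and the pre-scan's `cnt_sel_inc` of 2 per scalar select no longer covers the slots actually addressed from the second select onward, unless `CreateFunctionLocalArrays` pads the array. The two `/* std::string errMsg ... */` blocks are commented-out debug code and should be dropped rather than committed. InjectCoverage starts and ends outside this hunk.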
@@ -971,15 +1083,22 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, } - skip_next = 1; - instr += 2; + if (!vector_cnt) { - } else { + vector_cnt = 2; + break; - unhandled++; + } else if (vector_cnt == vector_cur) { + + break; + + } } + skip_next = 1; + instr += vector_cnt; + } else { skip_next = 0; -- cgit 1.4.1 From ce41f881a0109ada6b550d96766d52e692a0e0f4 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 2 Nov 2021 19:53:15 +0100 Subject: nosan --- instrumentation/SanitizerCoverageLTO.so.cc | 27 ++++++++++++-------------- instrumentation/SanitizerCoveragePCGUARD.so.cc | 15 ++++++++++++-- 2 files changed, 25 insertions(+), 17 deletions(-) (limited to 'instrumentation/SanitizerCoveragePCGUARD.so.cc') diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc index bc4df34e..b3a6ba45 100644 --- a/instrumentation/SanitizerCoverageLTO.so.cc +++ b/instrumentation/SanitizerCoverageLTO.so.cc @@ -1042,8 +1042,7 @@ bool ModuleSanitizerCoverage::instrumentModule( M, Int64Tyi, true, GlobalValue::ExternalLinkage, 0, "__afl_map_addr"); ConstantInt *MapAddr = ConstantInt::get(Int64Tyi, map_addr); StoreInst * StoreMapAddr = IRB.CreateStore(MapAddr, AFLMapAddrFixed); - StoreMapAddr->setMetadata(M.getMDKindID("nosanitize"), - MDNode::get(Ctx, None)); + ModuleSanitizerCoverage::SetNoSanitizeMetadata(StoreMapAddr); } @@ -1058,8 +1057,7 @@ bool ModuleSanitizerCoverage::instrumentModule( "__afl_final_loc"); ConstantInt *const_loc = ConstantInt::get(Int32Tyi, write_loc); StoreInst * StoreFinalLoc = IRB.CreateStore(const_loc, AFLFinalLoc); - StoreFinalLoc->setMetadata(M.getMDKindID("nosanitize"), - MDNode::get(Ctx, None)); + ModuleSanitizerCoverage::SetNoSanitizeMetadata(StoreFinalLoc); } 
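Review bot: The exit logic in `@@ -971,15 +1083,22 @@` reuses `vector_cnt` as both the "is a vector select" flag and the count that `instr += vector_cnt;` adds, and the scalar path sets `vector_cnt = 2;` only so that addition comes out right; nothing in the hunk says so. A comment on that assignment, `/* scalar select: two guard slots were consumed; reuse vector_cnt so instr += vector_cnt below counts them */`, would make the loop readable without tracing the arithmetic. InjectCoverage starts and ends outside this hunk.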
@@ -1107,8 +1105,7 @@ bool ModuleSanitizerCoverage::instrumentModule( 0, "__afl_dictionary_len"); ConstantInt *const_len = ConstantInt::get(Int32Tyi, offset); StoreInst *StoreDictLen = IRB.CreateStore(const_len, AFLDictionaryLen); - StoreDictLen->setMetadata(M.getMDKindID("nosanitize"), - MDNode::get(Ctx, None)); + ModuleSanitizerCoverage::SetNoSanitizeMetadata(StoreDictLen); ArrayType *ArrayTy = ArrayType::get(IntegerType::get(Ctx, 8), offset); GlobalVariable *AFLInternalDictionary = new GlobalVariable( @@ -1128,8 +1125,7 @@ bool ModuleSanitizerCoverage::instrumentModule( Value *AFLDictPtr = IRB.CreatePointerCast(AFLDictOff, PointerType::get(Int8Tyi, 0)); StoreInst *StoreDict = IRB.CreateStore(AFLDictPtr, AFLDictionary); - StoreDict->setMetadata(M.getMDKindID("nosanitize"), - MDNode::get(Ctx, None)); + ModuleSanitizerCoverage::SetNoSanitizeMetadata(StoreDict); } @@ -1370,6 +1366,7 @@ void ModuleSanitizerCoverage::instrumentFunction( uint32_t vector_cur = 0; /* Load SHM pointer */ LoadInst *MapPtr = IRB.CreateLoad(AFLMapPtr); + ModuleSanitizerCoverage::SetNoSanitizeMetadata(MapPtr); while (1) { @@ -1399,6 +1396,7 @@ void ModuleSanitizerCoverage::instrumentFunction( } else { LoadInst *Counter = IRB.CreateLoad(MapPtrIdx); + ModuleSanitizerCoverage::SetNoSanitizeMetadata(Counter); /* Update bitmap */ @@ -1412,7 +1410,8 @@ void ModuleSanitizerCoverage::instrumentFunction( } - IRB.CreateStore(Incr, MapPtrIdx); + auto nosan = IRB.CreateStore(Incr, MapPtrIdx); + ModuleSanitizerCoverage::SetNoSanitizeMetadata(nosan); } @@ -1655,8 +1654,7 @@ void ModuleSanitizerCoverage::InjectCoverageAtBlock(Function &F, BasicBlock &BB, } else { LoadInst *MapPtr = IRB.CreateLoad(AFLMapPtr); - MapPtr->setMetadata(Mo->getMDKindID("nosanitize"), - MDNode::get(*Ct, None)); + ModuleSanitizerCoverage::SetNoSanitizeMetadata(MapPtr); MapPtrIdx = IRB.CreateGEP(MapPtr, CurLoc); } 
@@ -1673,8 +1671,7 @@ void ModuleSanitizerCoverage::InjectCoverageAtBlock(Function &F, BasicBlock &BB, } else { LoadInst *Counter = IRB.CreateLoad(MapPtrIdx); - Counter->setMetadata(Mo->getMDKindID("nosanitize"), - MDNode::get(*Ct, None)); + ModuleSanitizerCoverage::SetNoSanitizeMetadata(Counter); Value *Incr = IRB.CreateAdd(Counter, One); @@ -1686,8 +1683,8 @@ void ModuleSanitizerCoverage::InjectCoverageAtBlock(Function &F, BasicBlock &BB, } - IRB.CreateStore(Incr, MapPtrIdx) - ->setMetadata(Mo->getMDKindID("nosanitize"), MDNode::get(*Ct, None)); + auto nosan = IRB.CreateStore(Incr, MapPtrIdx); + ModuleSanitizerCoverage::SetNoSanitizeMetadata(nosan); } diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc index e8239483..70af2ee2 100644 --- a/instrumentation/SanitizerCoveragePCGUARD.so.cc +++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc @@ -912,6 +912,7 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, Int32PtrTy); LoadInst *Idx = IRB.CreateLoad(GuardPtr); + ModuleSanitizerCoverage::SetNoSanitizeMetadata(Idx); callInst->setOperand(1, Idx); @@ -1026,6 +1027,7 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, /* Load SHM pointer */ LoadInst *MapPtr = IRB.CreateLoad(AFLMapPtr); + ModuleSanitizerCoverage::SetNoSanitizeMetadata(MapPtr); /* std::string errMsg; @@ -1044,6 +1046,7 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, if (!vector_cnt) { CurLoc = IRB.CreateLoad(result); + ModuleSanitizerCoverage::SetNoSanitizeMetadata(CurLoc); MapPtrIdx = IRB.CreateGEP(MapPtr, CurLoc); } else { @@ -1051,6 +1054,7 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, auto element = IRB.CreateExtractElement(result, vector_cur++); auto elementptr = IRB.CreateIntToPtr(element, Int32PtrTy); auto elementld = IRB.CreateLoad(elementptr); + ModuleSanitizerCoverage::SetNoSanitizeMetadata(elementld); MapPtrIdx = IRB.CreateGEP(MapPtr, elementld); } 
@@ -1066,6 +1070,7 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, } else { LoadInst *Counter = IRB.CreateLoad(MapPtrIdx); + ModuleSanitizerCoverage::SetNoSanitizeMetadata(Counter); /* Update bitmap */ @@ -1079,7 +1084,8 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, } - IRB.CreateStore(Incr, MapPtrIdx); + StoreInst *StoreCtx = IRB.CreateStore(Incr, MapPtrIdx); + ModuleSanitizerCoverage::SetNoSanitizeMetadata(StoreCtx); } @@ -1309,10 +1315,12 @@ void ModuleSanitizerCoverage::InjectCoverageAtBlock(Function &F, BasicBlock &BB, Int32PtrTy); LoadInst *CurLoc = IRB.CreateLoad(GuardPtr); + ModuleSanitizerCoverage::SetNoSanitizeMetadata(CurLoc); /* Load SHM pointer */ LoadInst *MapPtr = IRB.CreateLoad(AFLMapPtr); + ModuleSanitizerCoverage::SetNoSanitizeMetadata(MapPtr); /* Load counter for CurLoc */ @@ -1329,6 +1337,8 @@ void ModuleSanitizerCoverage::InjectCoverageAtBlock(Function &F, BasicBlock &BB, } else { LoadInst *Counter = IRB.CreateLoad(MapPtrIdx); + ModuleSanitizerCoverage::SetNoSanitizeMetadata(Counter); + /* Update bitmap */ Value *Incr = IRB.CreateAdd(Counter, One); @@ -1341,7 +1351,8 @@ void ModuleSanitizerCoverage::InjectCoverageAtBlock(Function &F, BasicBlock &BB, } - IRB.CreateStore(Incr, MapPtrIdx); + StoreInst *StoreCtx = IRB.CreateStore(Incr, MapPtrIdx); + ModuleSanitizerCoverage::SetNoSanitizeMetadata(StoreCtx); } -- cgit 1.4.1 From ccded9fc5cfead1b88104484c4acde12e81e0afe Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 3 Nov 2021 12:49:54 +0100 Subject: vectorized coverage only possible for llvm 14 :( --- instrumentation/SanitizerCoverageLTO.so.cc | 10 ++++++++-- instrumentation/SanitizerCoveragePCGUARD.so.cc | 17 +++++++++++++++-- instrumentation/cmplog-instructions-pass.cc | 1 - 3 files changed, 23 insertions(+), 5 deletions(-) (limited to 'instrumentation/SanitizerCoveragePCGUARD.so.cc') 
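Review bot: The `use_threadsafe_counters` path is not touched by this commit: every map `CreateLoad`/`CreateStore` in `@@ -1079,7 +1084,8 @@`, `@@ -1066,6 +1070,7 @@` and the InjectCoverageAtBlock hunks now gets `SetNoSanitizeMetadata`, but the `CreateAtomicRMW` that updates the same map slot in the other branch lies outside these hunks and appears to stay unmarked, so an ASAN/MSAN build with thread-safe counters would still have the sanitizer check that access; confirm and mark it too. The reason for the metadata is stated nowhere in the hunks; a one-line comment at the first marked load, `/* nosanitize: the coverage map is AFL-owned shared memory, not program data, so sanitizers must not check or shadow these accesses */`, would save the next reader the archaeology. `StoreCtx` is a misleading name for the store of the incremented counter; `StoreCounter` would match `Counter` and `Incr` above it. These hunks lie inside InjectCoverage and InjectCoverageAtBlock, both of which start and end outside them.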
diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc index b3a6ba45..fbbe24a2 100644 --- a/instrumentation/SanitizerCoverageLTO.so.cc +++ b/instrumentation/SanitizerCoverageLTO.so.cc @@ -1313,7 +1313,10 @@ void ModuleSanitizerCoverage::instrumentFunction( result = IRB.CreateSelect(condition, val1, val2); inst += 2; - } else if (t->getTypeID() == llvm::Type::FixedVectorTyID) { + } + +#if LLVM_VERSION_MAJOR > 13 + else if (t->getTypeID() == llvm::Type::FixedVectorTyID) { FixedVectorType *tt = dyn_cast(t); if (tt) { @@ -1355,7 +1358,10 @@ void ModuleSanitizerCoverage::instrumentFunction( } - } else { + } else + +#endif + { unhandled++; continue; diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc index 70af2ee2..10c9430e 100644 --- a/instrumentation/SanitizerCoveragePCGUARD.so.cc +++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc @@ -895,6 +895,12 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, CallInst *callInst = nullptr; + /* + std::string errMsg; + raw_string_ostream os(errMsg); + IN.print(os); + fprintf(stderr, "X: %s\n", os.str().c_str()); + */ if ((callInst = dyn_cast(&IN))) { Function *Callee = callInst->getCalledFunction(); @@ -948,7 +954,10 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, result = IRB.CreateSelect(condition, GuardPtr1, GuardPtr2); - } else if (t->getTypeID() == llvm::Type::FixedVectorTyID) { + } else + +#if LLVM_VERSION_MAJOR > 13 + if (t->getTypeID() == llvm::Type::FixedVectorTyID) { FixedVectorType *tt = dyn_cast(t); if (tt) { @@ -1015,9 +1024,13 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, } - } else { + } else + +#endif + { unhandled++; + continue; } diff --git a/instrumentation/cmplog-instructions-pass.cc b/instrumentation/cmplog-instructions-pass.cc index 86e206f1..cb149e9a 100644 --- a/instrumentation/cmplog-instructions-pass.cc +++ b/instrumentation/cmplog-instructions-pass.cc 
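Review bot: In SanitizerCoverageLTO.so.cc `@@ -1355,7 +1358,10 @@` the `} else` of the unhandled branch is placed inside `#if LLVM_VERSION_MAJOR > 13`, while `@@ -1313,7 +1313,10 @@` closed the integer branch with a bare `}` before the `#if`; with LLVM 13 or older the preprocessor leaves `} { unhandled++; continue; }`, a compound statement that runs after every scalar select and skips its map update. The PCGUARD hunk `@@ -1015,9 +1024,13 @@` in the same commit has the right shape, `} else` outside the `#if` and the `if` inside it, and the LTO code should match that. Both sites would read better with `#endif /* LLVM_VERSION_MAJOR > 13: vector selects */`. The `/* std::string errMsg ... */` block added in PCGUARD `@@ -895,6 +895,12 @@` is commented-out debug code and should not be committed. instrumentFunction and InjectCoverage start and end outside these hunks.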
@@ -377,7 +377,6 @@ bool CmpLogInstructions::hookInstrs(Module &M) { vector_cnt = tt->getElementCount().getFixedValue(); ty1 = ty0 = tt->getElementType(); - fprintf(stderr, "vec %u\n", vector_cnt); } -- cgit 1.4.1 From 7a7630ae91c87e000b40f63c592fad9e09ad45d3 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 3 Nov 2021 13:18:02 +0100 Subject: support llvm >= 11 --- instrumentation/SanitizerCoverageLTO.so.cc | 18 ++++++++++-------- instrumentation/SanitizerCoveragePCGUARD.so.cc | 7 ++++++- instrumentation/cmplog-instructions-pass.cc | 11 ++++++++++- 3 files changed, 26 insertions(+), 10 deletions(-) (limited to 'instrumentation/SanitizerCoveragePCGUARD.so.cc') diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc index fbbe24a2..ee8c317e 100644 --- a/instrumentation/SanitizerCoverageLTO.so.cc +++ b/instrumentation/SanitizerCoverageLTO.so.cc @@ -1296,6 +1296,12 @@ void ModuleSanitizerCoverage::instrumentFunction( SelectInst *selectInst = nullptr; + /* + std::string errMsg; + raw_string_ostream os(errMsg); + IN.print(os); + fprintf(stderr, "X(%u): %s\n", skip_next, os.str().c_str()); + */ if (!skip_next && (selectInst = dyn_cast(&IN))) { uint32_t vector_cnt = 0; @@ -1311,12 +1317,13 @@ void ModuleSanitizerCoverage::instrumentFunction( Value *val1 = ConstantInt::get(Int32Ty, ++afl_global_id); Value *val2 = ConstantInt::get(Int32Ty, ++afl_global_id); result = IRB.CreateSelect(condition, val1, val2); + skip_next = 1; inst += 2; - } + } else #if LLVM_VERSION_MAJOR > 13 - else if (t->getTypeID() == llvm::Type::FixedVectorTyID) { + if (t->getTypeID() == llvm::Type::FixedVectorTyID) { FixedVectorType *tt = dyn_cast(t); if (tt) { @@ -1346,13 +1353,8 @@ void ModuleSanitizerCoverage::instrumentFunction( } - /* - std::string errMsg; - raw_string_ostream os(errMsg); - x->print(os); - fprintf(stderr, "X: %s\n", os.str().c_str()); - */ result = IRB.CreateSelect(condition, x, y); + skip_next = 1; } 
diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc index 10c9430e..be3f4f49 100644 --- a/instrumentation/SanitizerCoveragePCGUARD.so.cc +++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc @@ -865,7 +865,10 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, cnt_sel++; cnt_sel_inc += 2; - } else if (t->getTypeID() == llvm::Type::FixedVectorTyID) { + } + +#if LLVM__MAJOR > 11 + else if (t->getTypeID() == llvm::Type::FixedVectorTyID) { FixedVectorType *tt = dyn_cast(t); if (tt) { @@ -877,6 +880,8 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, } +#endif + } } diff --git a/instrumentation/cmplog-instructions-pass.cc b/instrumentation/cmplog-instructions-pass.cc index cb149e9a..01a8a637 100644 --- a/instrumentation/cmplog-instructions-pass.cc +++ b/instrumentation/cmplog-instructions-pass.cc @@ -338,8 +338,10 @@ bool CmpLogInstructions::hookInstrs(Module &M) { } +#if LLVM_MAJOR > 11 vector_cnt = tt->getElementCount().getFixedValue(); ty0 = tt->getElementType(); +#endif } @@ -357,9 +359,11 @@ bool CmpLogInstructions::hookInstrs(Module &M) { max_size = 80; else if (ty0->isFP128Ty() || ty0->isPPC_FP128Ty()) max_size = 128; +#if LLVM_MAJOR > 11 else if (ty0->getTypeID() != llvm::Type::PointerTyID && !be_quiet) fprintf(stderr, "Warning: unsupported cmp type for cmplog: %u!\n", ty0->getTypeID()); +#endif attr += 8; @@ -367,6 +371,7 @@ bool CmpLogInstructions::hookInstrs(Module &M) { if (ty0->isVectorTy()) { +#if LLVM_MAJOR > 11 VectorType *tt = dyn_cast(ty0); if (!tt) { @@ -377,6 +382,7 @@ bool CmpLogInstructions::hookInstrs(Module &M) { vector_cnt = tt->getElementCount().getFixedValue(); ty1 = ty0 = tt->getElementType(); +#endif } 
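Review bot: The new guard in `@@ -865,7 +865,10 @@` tests `LLVM__MAJOR` (double underscore), which matches neither the `LLVM_MAJOR` this commit uses in cmplog-instructions-pass.cc nor the `LLVM_VERSION_MAJOR` the instrumentation side of this file uses; if that name is undefined, `#if` evaluates it as 0, the vector pre-count is always compiled out while the vector instrumentation under `#if LLVM_VERSION_MAJOR > 13` stays in, and on a new enough LLVM `cnt_sel_inc` omits the vector lanes so their guard pointers run past the array sized by `CreateFunctionLocalArrays`. Both sides must use the same macro and the same threshold, e.g. `#if LLVM_VERSION_MAJOR > 13` here too, and if the `> 11` versus `> 13` difference is intentional it needs a comment saying why. InjectCoverage starts and ends outside this hunk.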
@@ -391,13 +397,16 @@ bool CmpLogInstructions::hookInstrs(Module &M) { } else { +#if LLVM_MAJOR > 11 if (ty0->getTypeID() != llvm::Type::PointerTyID && !be_quiet) { - fprintf(stderr, "Warning: unsupported cmp type for cmplog: %u!\n", + fprintf(stderr, "Warning: unsupported cmp type for cmplog: %u\n", ty0->getTypeID()); } +#endif + } } -- cgit 1.4.1