From 00e54565ef109a6c697db77b19d1618e37092125 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Sat, 17 Apr 2021 21:29:50 +0200 Subject: use atomic read-modify-write increment for LLVM CLASSIC --- instrumentation/afl-llvm-pass.so.cc | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'instrumentation/afl-llvm-pass.so.cc') diff --git a/instrumentation/afl-llvm-pass.so.cc b/instrumentation/afl-llvm-pass.so.cc index 0f773aba..70480ff9 100644 --- a/instrumentation/afl-llvm-pass.so.cc +++ b/instrumentation/afl-llvm-pass.so.cc @@ -388,7 +388,6 @@ bool AFLCoverage::runOnModule(Module &M) { #endif // other constants we need - ConstantInt *Zero = ConstantInt::get(Int8Ty, 0); ConstantInt *One = ConstantInt::get(Int8Ty, 1); Value * PrevCtx = NULL; // CTX sensitive coverage @@ -628,6 +627,10 @@ bool AFLCoverage::runOnModule(Module &M) { /* Update bitmap */ +#if 1 /* Atomic */ + IRB.CreateAtomicRMW(llvm::AtomicRMWInst::BinOp::Add, MapPtrIdx, One, llvm::AtomicOrdering::Monotonic); + +#else LoadInst *Counter = IRB.CreateLoad(MapPtrIdx); Counter->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); @@ -651,6 +654,7 @@ bool AFLCoverage::runOnModule(Module &M) { * Counter + OverflowFlag -> Counter */ + ConstantInt *Zero = ConstantInt::get(Int8Ty, 0); auto cf = IRB.CreateICmpEQ(Incr, Zero); auto carry = IRB.CreateZExt(cf, Int8Ty); Incr = IRB.CreateAdd(Incr, carry); @@ -660,6 +664,8 @@ bool AFLCoverage::runOnModule(Module &M) { IRB.CreateStore(Incr, MapPtrIdx) ->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); +#endif /* non atomic case */ + /* Update prev_loc history vector (by placing cur_loc at the head of the vector and shuffle the other elements back by one) */ -- cgit 1.4.1 From 976969dce56cb7d8349706962eb774a0ab0a0931 Mon Sep 17 00:00:00 2001 
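Review bot: The `IRB.CreateAtomicRMW(...)` emitted under `#if 1 /* Atomic */` carries no `nosanitize` metadata, whereas the `CreateLoad`/`CreateStore` pair it replaces under `#else` both set `M.getMDKindID("nosanitize")`, so in sanitizer builds the coverage update itself would now be instrumented like target code. Chain the tag onto the new instruction: `IRB.CreateAtomicRMW(llvm::AtomicRMWInst::BinOp::Add, MapPtrIdx, One, llvm::AtomicOrdering::Monotonic)->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));`. The hard-coded `#if 1` also turns the entire `neverZero_counters_str` / `skip_nozero` branch into dead code, so counters wrap through zero again and AFL_LLVM_NOT_ZERO / AFL_LLVM_SKIP_NEVERZERO silently lose their effect; if the atomic path is meant to ship it should be a runtime-gated choice rather than a preprocessor constant. runOnModule continues outside the hunk.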
From: hexcoder- Date: Wed, 28 Apr 2021 00:29:15 +0200 Subject: work in progress: not working correctly yet --- instrumentation/afl-llvm-pass.so.cc | 79 ++++++++++++++++++++++++++++++++++++- 1 file changed, 78 insertions(+), 1 deletion(-) (limited to 'instrumentation/afl-llvm-pass.so.cc') diff --git a/instrumentation/afl-llvm-pass.so.cc b/instrumentation/afl-llvm-pass.so.cc index 70480ff9..6c898c48 100644 --- a/instrumentation/afl-llvm-pass.so.cc +++ b/instrumentation/afl-llvm-pass.so.cc @@ -409,8 +409,14 @@ bool AFLCoverage::runOnModule(Module &M) { if (F.size() < function_minimum_size) continue; + unsigned extra_increment_BB = 0; for (auto &BB : F) { + if (extra_increment_BB) { + // increment BB + --extra_increment_BB; + continue; + } BasicBlock::iterator IP = BB.getFirstInsertionPt(); IRBuilder<> IRB(&(*IP)); 
@@ -628,7 +634,78 @@ bool AFLCoverage::runOnModule(Module &M) { /* Update bitmap */ #if 1 /* Atomic */ - IRB.CreateAtomicRMW(llvm::AtomicRMWInst::BinOp::Add, MapPtrIdx, One, llvm::AtomicOrdering::Monotonic); +#if LLVM_VERSION_MAJOR < 9 + if (neverZero_counters_str != + NULL) { // with llvm 9 we make this the default as the bug in llvm is + // then fixed +#else + if (!skip_nozero) { + +#endif + /* hexcoder: Realize a counter that skips zero during overflow. + * Once this counter reaches its maximum value, it next increments to 1 + * + * Instead of + * Counter + 1 -> Counter + * we inject now this + * Counter + 1 -> {Counter, OverflowFlag} + * Counter + OverflowFlag -> Counter + */ + + // C: unsigned char old = atomic_load_explicit(MapPtrIdx, memory_order_relaxed); + LoadInst *Counter = IRB.CreateLoad(MapPtrIdx); + Counter->setAlignment(llvm::Align()); + Counter->setAtomic(llvm::AtomicOrdering::Monotonic); + Counter->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); + + // insert a basic block with the corpus of a do while loop + // the calculation may need to repeat, if atomic compare_exchange is not successful + BasicBlock::iterator it(*Counter); it++; + BasicBlock * end_bb = BB.splitBasicBlock(it); + + extra_increment_BB = 2; + // insert the block before the second half of the split + BasicBlock * do_while_bb = BasicBlock::Create(C, "injected", end_bb->getParent(), end_bb); + + // set terminator of BB from target end_bb to target do_while_bb + auto term = BB.getTerminator(); + BranchInst::Create(do_while_bb, &BB); + term->eraseFromParent(); + + auto saved = IRB.saveIP(); + IRB.SetInsertPoint(do_while_bb, do_while_bb->getFirstInsertionPt()); + + PHINode * PN = IRB.CreatePHI(Int8Ty, 2); + + auto * Cmp = IRB.CreateICmpEQ(Counter, ConstantInt::get(Int8Ty, -1)); + + Value *Incr = IRB.CreateAdd(Counter, One); + + auto * Select = IRB.CreateSelect(Cmp, One, Incr); + + auto * CmpXchg = IRB.CreateAtomicCmpXchg(MapPtrIdx, PN, Select, + 
llvm::AtomicOrdering::Monotonic, llvm::AtomicOrdering::Monotonic); + CmpXchg->setAlignment(llvm::Align()); + CmpXchg->setWeak(true); + CmpXchg->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); + + Value * Success = IRB.CreateExtractValue(CmpXchg, ArrayRef({1})); + Value * OldVal = IRB.CreateExtractValue(CmpXchg, ArrayRef({0})); + + PN->addIncoming(Counter, &BB); + PN->addIncoming(OldVal, do_while_bb); + +// term = do_while_bb->getTerminator(); + +// BranchInst::Create(/*true*/end_bb, /*false*/do_while_bb, Success, do_while_bb); + IRB.CreateCondBr(Success, end_bb, do_while_bb); +// BranchInst::Create(end_bb, do_while_bb); +// term->eraseFromParent(); + IRB.restoreIP(saved); + + } else { + IRB.CreateAtomicRMW(llvm::AtomicRMWInst::BinOp::Add, MapPtrIdx, One, llvm::AtomicOrdering::Monotonic); + } #else LoadInst *Counter = IRB.CreateLoad(MapPtrIdx); -- cgit 1.4.1 From b15fcde477d4c1d59265c717841b5942143917ee Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Fri, 30 Apr 2021 12:09:06 +0200 Subject: still not working --- instrumentation/afl-llvm-pass.so.cc | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) (limited to 'instrumentation/afl-llvm-pass.so.cc') diff --git a/instrumentation/afl-llvm-pass.so.cc b/instrumentation/afl-llvm-pass.so.cc index 6c898c48..27b53e68 100644 --- a/instrumentation/afl-llvm-pass.so.cc +++ b/instrumentation/afl-llvm-pass.so.cc @@ -409,12 +409,9 @@ bool AFLCoverage::runOnModule(Module &M) { if (F.size() < function_minimum_size) continue; - unsigned extra_increment_BB = 0; for (auto &BB : F) { - if (extra_increment_BB) { - // increment BB - --extra_increment_BB; + if (BB.getName() == "injected") { continue; } BasicBlock::iterator IP = BB.getFirstInsertionPt(); 
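Review bot: Inside `do_while_bb` the compare and the increment read the initial load — `IRB.CreateICmpEQ(Counter, ...)` and `IRB.CreateAdd(Counter, One)` — instead of the PHI `PN` that receives `OldVal` on the retry edge, so after a failed cmpxchg the retry re-submits a value derived from the stale read. Under contention that drops the other thread's increment (stale 5 → retry stores 6 over a 6 already in memory), and when the stale value was 0xff the retry writes 1 over whatever the winner stored, which is precisely the lost update the CAS loop exists to prevent. The two lines should be `auto *Cmp = IRB.CreateICmpEQ(PN, ConstantInt::get(Int8Ty, -1));` and `Value *Incr = IRB.CreateAdd(PN, One);`, leaving `PN->addIncoming(Counter, &BB)` as the only consumer of the initial load. The commit is marked work-in-progress; runOnModule continues outside the hunk.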
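Review bot: Skipping blocks with `if (BB.getName() == "injected")` depends on value names surviving into the pass, and an LLVMContext that discards value names (the default in release builds of clang, as far as I recall) makes `setName("injected")` a no-op, so the injected blocks would be revisited by `for (auto &BB : F)` and instrumented a second time. A name is also a weak key in general: any block the frontend happens to label the same way would be skipped. Tracking the blocks created by the split in a per-function `SmallPtrSet<BasicBlock *, N>`, or deferring the split until after the loop, is the robust test. The loop body continues outside the hunk.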
@@ -662,8 +659,8 @@ bool AFLCoverage::runOnModule(Module &M) { // the calculation may need to repeat, if atomic compare_exchange is not successful BasicBlock::iterator it(*Counter); it++; BasicBlock * end_bb = BB.splitBasicBlock(it); + end_bb->setName("injected"); - extra_increment_BB = 2; // insert the block before the second half of the split BasicBlock * do_while_bb = BasicBlock::Create(C, "injected", end_bb->getParent(), end_bb); -- cgit 1.4.1 From 70e2737222ee49ca5375f42ab51a858f9b75d5cb Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Thu, 6 May 2021 21:11:37 +0200 Subject: first working NeverZero implementation --- instrumentation/afl-llvm-pass.so.cc | 132 +++++++++++++++++++----------------- 1 file changed, 69 insertions(+), 63 deletions(-) (limited to 'instrumentation/afl-llvm-pass.so.cc') diff --git a/instrumentation/afl-llvm-pass.so.cc b/instrumentation/afl-llvm-pass.so.cc index 27b53e68..1ee946e5 100644 --- a/instrumentation/afl-llvm-pass.so.cc +++ b/instrumentation/afl-llvm-pass.so.cc @@ -409,11 +409,9 @@ bool AFLCoverage::runOnModule(Module &M) { if (F.size() < function_minimum_size) continue; + std::list todo; for (auto &BB : F) { - if (BB.getName() == "injected") { - continue; - } BasicBlock::iterator IP = BB.getFirstInsertionPt(); IRBuilder<> IRB(&(*IP)); 
@@ -639,66 +637,8 @@ bool AFLCoverage::runOnModule(Module &M) { if (!skip_nozero) { #endif - /* hexcoder: Realize a counter that skips zero during overflow. - * Once this counter reaches its maximum value, it next increments to 1 - * - * Instead of - * Counter + 1 -> Counter - * we inject now this - * Counter + 1 -> {Counter, OverflowFlag} - * Counter + OverflowFlag -> Counter - */ - - // C: unsigned char old = atomic_load_explicit(MapPtrIdx, memory_order_relaxed); - LoadInst *Counter = IRB.CreateLoad(MapPtrIdx); - Counter->setAlignment(llvm::Align()); - Counter->setAtomic(llvm::AtomicOrdering::Monotonic); - Counter->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); - - // insert a basic block with the corpus of a do while loop - // the calculation may need to repeat, if atomic compare_exchange is not successful - BasicBlock::iterator it(*Counter); it++; - BasicBlock * end_bb = BB.splitBasicBlock(it); - end_bb->setName("injected"); - - // insert the block before the second half of the split - BasicBlock * do_while_bb = BasicBlock::Create(C, "injected", end_bb->getParent(), end_bb); - - // set terminator of BB from target end_bb to target do_while_bb - auto term = BB.getTerminator(); - BranchInst::Create(do_while_bb, &BB); - term->eraseFromParent(); - - auto saved = IRB.saveIP(); - IRB.SetInsertPoint(do_while_bb, do_while_bb->getFirstInsertionPt()); - - PHINode * PN = IRB.CreatePHI(Int8Ty, 2); - - auto * Cmp = IRB.CreateICmpEQ(Counter, ConstantInt::get(Int8Ty, -1)); - - Value *Incr = IRB.CreateAdd(Counter, One); - - auto * Select = IRB.CreateSelect(Cmp, One, Incr); - - auto * CmpXchg = IRB.CreateAtomicCmpXchg(MapPtrIdx, PN, Select, - llvm::AtomicOrdering::Monotonic, llvm::AtomicOrdering::Monotonic); - CmpXchg->setAlignment(llvm::Align()); - CmpXchg->setWeak(true); - CmpXchg->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); - - Value * Success = IRB.CreateExtractValue(CmpXchg, ArrayRef({1})); - Value * OldVal = 
IRB.CreateExtractValue(CmpXchg, ArrayRef({0})); - - PN->addIncoming(Counter, &BB); - PN->addIncoming(OldVal, do_while_bb); - -// term = do_while_bb->getTerminator(); - -// BranchInst::Create(/*true*/end_bb, /*false*/do_while_bb, Success, do_while_bb); - IRB.CreateCondBr(Success, end_bb, do_while_bb); -// BranchInst::Create(end_bb, do_while_bb); -// term->eraseFromParent(); - IRB.restoreIP(saved); + // register MapPtrIdx in a todo list + todo.push_back(MapPtrIdx); } else { IRB.CreateAtomicRMW(llvm::AtomicRMWInst::BinOp::Add, MapPtrIdx, One, llvm::AtomicOrdering::Monotonic); 
@@ -795,6 +735,72 @@ bool AFLCoverage::runOnModule(Module &M) { } +#if 1 /*Atomic NeverZero */ + // handle the todo list + for (auto val : todo) { + /* hexcoder: Realize a counter that skips zero during overflow. + * Once this counter reaches its maximum value, it next increments to 1 + * + * Instead of + * Counter + 1 -> Counter + * we inject now this + * Counter + 1 -> {Counter, OverflowFlag} + * Counter + OverflowFlag -> Counter + */ + + // C: unsigned char old = atomic_load_explicit(MapPtrIdx, memory_order_relaxed); + Value * MapPtrIdx = val; + Instruction * MapPtrIdxInst = cast(val); + BasicBlock::iterator it0(&(*MapPtrIdxInst)); + ++it0; + IRBuilder<> IRB(&(*it0)); + LoadInst *Counter = IRB.CreateLoad(MapPtrIdx); + Counter->setAlignment(llvm::Align()); + Counter->setAtomic(llvm::AtomicOrdering::Monotonic); + Counter->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); + + BasicBlock *BB = IRB.GetInsertBlock(); + // insert a basic block with the corpus of a do while loop + // the calculation may need to repeat, if atomic compare_exchange is not successful + BasicBlock::iterator it(*Counter); it++; + BasicBlock * end_bb = BB->splitBasicBlock(it); + end_bb->setName("injected"); + + // insert the block before the second half of the split + BasicBlock * do_while_bb = BasicBlock::Create(C, "injected", end_bb->getParent(), end_bb); + + // set terminator of BB from target end_bb to target do_while_bb + auto term = BB->getTerminator(); + BranchInst::Create(do_while_bb, BB); + term->eraseFromParent(); + + IRB.SetInsertPoint(do_while_bb, do_while_bb->getFirstInsertionPt()); + + PHINode * PN = IRB.CreatePHI(Int8Ty, 2); + + auto * Cmp = IRB.CreateICmpEQ(Counter, ConstantInt::get(Int8Ty, -1)); + + Value *Incr = IRB.CreateAdd(Counter, One); + + auto * Select = IRB.CreateSelect(Cmp, One, Incr); + + auto * CmpXchg = IRB.CreateAtomicCmpXchg(MapPtrIdx, PN, Select, + llvm::AtomicOrdering::Monotonic, llvm::AtomicOrdering::Monotonic); + 
CmpXchg->setAlignment(llvm::Align()); + CmpXchg->setWeak(true); + CmpXchg->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); + + Value * Success = IRB.CreateExtractValue(CmpXchg, ArrayRef({1})); + Value * OldVal = IRB.CreateExtractValue(CmpXchg, ArrayRef({0})); + + PN->addIncoming(Counter, BB); + PN->addIncoming(OldVal, do_while_bb); + + IRB.CreateCondBr(Success, end_bb, do_while_bb); + + } +#endif + } /* -- cgit 1.4.1 From 32be08d7b31cb004f34d3ef2d3916ca0e4531765 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Fri, 7 May 2021 08:13:50 +0200 Subject: add some comments --- instrumentation/afl-llvm-pass.so.cc | 34 +++++++++++++++++++++++++++++++--- 1 file changed, 31 insertions(+), 3 deletions(-) (limited to 'instrumentation/afl-llvm-pass.so.cc') diff --git a/instrumentation/afl-llvm-pass.so.cc b/instrumentation/afl-llvm-pass.so.cc index 1ee946e5..53e076ff 100644 --- a/instrumentation/afl-llvm-pass.so.cc +++ b/instrumentation/afl-llvm-pass.so.cc @@ -738,7 +738,8 @@ bool AFLCoverage::runOnModule(Module &M) { #if 1 /*Atomic NeverZero */ // handle the todo list for (auto val : todo) { - /* hexcoder: Realize a counter that skips zero during overflow. + + /* hexcoder: Realize a thread-safe counter that skips zero during overflow. * Once this counter reaches its maximum value, it next increments to 1 * * Instead of 
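Review bot: `Counter->setAlignment(llvm::Align())` and `CmpXchg->setAlignment(llvm::Align())` require the `llvm::Align` type and an `AtomicCmpXchgInst::setAlignment` overload that only more recent LLVM releases provide, yet the code that feeds `todo` sits behind `#if LLVM_VERSION_MAJOR < 9` / `neverZero_counters_str`, so the pass would no longer compile on the versions that branch exists for. Either wrap the `#if 1 /*Atomic NeverZero */` section in a matching `#if LLVM_VERSION_MAJOR >= N` (the minimum N should be checked against the headers actually supported) or drop the explicit alignment, which for an i8 counter adds nothing over the default. The `"injected"` names left on `end_bb` and `do_while_bb` no longer drive any logic and are now purely cosmetic. runOnModule ends beyond the hunk.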
@@ -748,12 +749,28 @@ bool AFLCoverage::runOnModule(Module &M) { * Counter + OverflowFlag -> Counter */ - // C: unsigned char old = atomic_load_explicit(MapPtrIdx, memory_order_relaxed); + /* equivalent c code looks like this + * Thanks to https://preshing.com/20150402/you-can-do-any-kind-of-atomic-read-modify-write-operation/ + + int old = atomic_load_explicit(&Counter, memory_order_relaxed); + int new; + do { + if (old == 255) { + new = 1; + } else { + new = old + 1; + } + } while (!atomic_compare_exchange_weak_explicit(&Counter, &old, new, memory_order_relaxed, memory_order_relaxed)); + + */ + Value * MapPtrIdx = val; Instruction * MapPtrIdxInst = cast(val); BasicBlock::iterator it0(&(*MapPtrIdxInst)); ++it0; IRBuilder<> IRB(&(*it0)); + + // load the old counter value atomically LoadInst *Counter = IRB.CreateLoad(MapPtrIdx); Counter->setAlignment(llvm::Align()); Counter->setAtomic(llvm::AtomicOrdering::Monotonic); @@ -762,7 +779,8 @@ bool AFLCoverage::runOnModule(Module &M) { BasicBlock *BB = IRB.GetInsertBlock(); // insert a basic block with the corpus of a do while loop // the calculation may need to repeat, if atomic compare_exchange is not successful - BasicBlock::iterator it(*Counter); it++; + + BasicBlock::iterator it(*Counter); it++; // split after load counter BasicBlock * end_bb = BB->splitBasicBlock(it); end_bb->setName("injected"); 
@@ -774,28 +792,38 @@ bool AFLCoverage::runOnModule(Module &M) { BranchInst::Create(do_while_bb, BB); term->eraseFromParent(); + // continue to fill instructions into the do_while loop IRB.SetInsertPoint(do_while_bb, do_while_bb->getFirstInsertionPt()); PHINode * PN = IRB.CreatePHI(Int8Ty, 2); + // compare with maximum value 0xff auto * Cmp = IRB.CreateICmpEQ(Counter, ConstantInt::get(Int8Ty, -1)); + // increment the counter Value *Incr = IRB.CreateAdd(Counter, One); + // select the counter value or 1 auto * Select = IRB.CreateSelect(Cmp, One, Incr); + // try to save back the new counter value auto * CmpXchg = IRB.CreateAtomicCmpXchg(MapPtrIdx, PN, Select, llvm::AtomicOrdering::Monotonic, llvm::AtomicOrdering::Monotonic); CmpXchg->setAlignment(llvm::Align()); CmpXchg->setWeak(true); CmpXchg->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); + // get the result of trying to update the Counter Value * Success = IRB.CreateExtractValue(CmpXchg, ArrayRef({1})); + // get the (possibly updated) value of Counter Value * OldVal = IRB.CreateExtractValue(CmpXchg, ArrayRef({0})); + // initially we use Counter PN->addIncoming(Counter, BB); + // on retry, we use the updated value PN->addIncoming(OldVal, do_while_bb); + // if the cmpXchg was not successful, retry IRB.CreateCondBr(Success, end_bb, do_while_bb); } -- cgit 1.4.1 From c9539aa6b7fb4b9d2dae6c65446c525375388c2f Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Sun, 30 May 2021 11:45:11 +0200 Subject: support new env var AFL_LLVM_THREADSAFE_INST to enable atomic counters. add new test case for that. --- include/envs.h | 1 + instrumentation/afl-llvm-pass.so.cc | 279 ++++++++++++++++++++---------------- test/test-llvm.sh | 30 ++++ 3 files changed, 183 insertions(+), 127 deletions(-) (limited to 'instrumentation/afl-llvm-pass.so.cc') diff --git a/include/envs.h b/include/envs.h index ebe98257..e6f6d7c9 100644 --- a/include/envs.h +++ b/include/envs.h 
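Review bot: The new comments describe a loop the IR below them does not implement: `// increment the counter` annotates `IRB.CreateAdd(Counter, One)` and `// compare with maximum value 0xff` annotates `IRB.CreateICmpEQ(Counter, ...)`, both of which read the first load, whereas the C sketch added in the previous hunk recomputes `new` from `old` as refreshed by the failed compare-exchange. Either the code should use `PN` at those two sites, or the comments should say plainly that a retry re-submits the value computed from the initial read, so the divergence is not hidden behind `// on retry, we use the updated value`, which is only true once the PHI feeds the arithmetic. Separately, `// insert a basic block with the corpus of a do while loop` should read `body`.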
@@ -114,6 +114,7 @@ static char *afl_environment_variables[] = { "AFL_NGRAM_SIZE", "AFL_LLVM_NOT_ZERO", "AFL_LLVM_INSTRUMENT_FILE", + "AFL_LLVM_THREADSAFE_INST", "AFL_LLVM_SKIP_NEVERZERO", "AFL_NO_AFFINITY", "AFL_LLVM_LTO_STARTID", diff --git a/instrumentation/afl-llvm-pass.so.cc b/instrumentation/afl-llvm-pass.so.cc index 53e076ff..3b1119fc 100644 --- a/instrumentation/afl-llvm-pass.so.cc +++ b/instrumentation/afl-llvm-pass.so.cc @@ -86,6 +86,7 @@ class AFLCoverage : public ModulePass { uint32_t map_size = MAP_SIZE; uint32_t function_minimum_size = 1; char * ctx_str = NULL, *caller_str = NULL, *skip_nozero = NULL; + char * use_threadsafe_counters = nullptr; }; @@ -182,6 +183,19 @@ bool AFLCoverage::runOnModule(Module &M) { char *neverZero_counters_str = getenv("AFL_LLVM_NOT_ZERO"); #endif skip_nozero = getenv("AFL_LLVM_SKIP_NEVERZERO"); + use_threadsafe_counters = getenv("AFL_LLVM_THREADSAFE_INST"); + + if ((isatty(2) && !getenv("AFL_QUIET")) || !!getenv("AFL_DEBUG")) { + + if (use_threadsafe_counters) { + SAYF(cCYA "afl-llvm-pass" VERSION cRST " using threadsafe instrumentation\n"); + } + else + { + SAYF(cCYA "afl-llvm-pass" VERSION cRST " using non-threadsafe instrumentation\n"); + } + + } unsigned PrevLocSize = 0; unsigned PrevCallerSize = 0; 
@@ -628,57 +642,63 @@ bool AFLCoverage::runOnModule(Module &M) { /* Update bitmap */ -#if 1 /* Atomic */ -#if LLVM_VERSION_MAJOR < 9 - if (neverZero_counters_str != - NULL) { // with llvm 9 we make this the default as the bug in llvm is - // then fixed -#else - if (!skip_nozero) { -#endif + if (use_threadsafe_counters) {/* Atomic */ + + #if LLVM_VERSION_MAJOR < 9 + if (neverZero_counters_str != + NULL) { // with llvm 9 we make this the default as the bug in llvm is then fixed + #else + if (!skip_nozero) { + + #endif // register MapPtrIdx in a todo list todo.push_back(MapPtrIdx); - } else { - IRB.CreateAtomicRMW(llvm::AtomicRMWInst::BinOp::Add, MapPtrIdx, One, llvm::AtomicOrdering::Monotonic); + } + else + { + IRB.CreateAtomicRMW(llvm::AtomicRMWInst::BinOp::Add, MapPtrIdx, One, + llvm::AtomicOrdering::Monotonic); + } } + else + { -#else - LoadInst *Counter = IRB.CreateLoad(MapPtrIdx); - Counter->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); + LoadInst *Counter = IRB.CreateLoad(MapPtrIdx); + Counter->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); - Value *Incr = IRB.CreateAdd(Counter, One); + Value *Incr = IRB.CreateAdd(Counter, One); -#if LLVM_VERSION_MAJOR < 9 - if (neverZero_counters_str != - NULL) { // with llvm 9 we make this the default as the bug in llvm is - // then fixed -#else - if (!skip_nozero) { + #if LLVM_VERSION_MAJOR < 9 + if (neverZero_counters_str != + NULL) { // with llvm 9 we make this the default as the bug in llvm is + // then fixed + #else + if (!skip_nozero) { -#endif - /* hexcoder: Realize a counter that skips zero during overflow. - * Once this counter reaches its maximum value, it next increments to 1 - * - * Instead of - * Counter + 1 -> Counter - * we inject now this - * Counter + 1 -> {Counter, OverflowFlag} - * Counter + OverflowFlag -> Counter - */ + #endif + /* hexcoder: Realize a counter that skips zero during overflow. 
+ * Once this counter reaches its maximum value, it next increments to 1 + * + * Instead of + * Counter + 1 -> Counter + * we inject now this + * Counter + 1 -> {Counter, OverflowFlag} + * Counter + OverflowFlag -> Counter + */ - ConstantInt *Zero = ConstantInt::get(Int8Ty, 0); - auto cf = IRB.CreateICmpEQ(Incr, Zero); - auto carry = IRB.CreateZExt(cf, Int8Ty); - Incr = IRB.CreateAdd(Incr, carry); + ConstantInt *Zero = ConstantInt::get(Int8Ty, 0); + auto cf = IRB.CreateICmpEQ(Incr, Zero); + auto carry = IRB.CreateZExt(cf, Int8Ty); + Incr = IRB.CreateAdd(Incr, carry); - } + } - IRB.CreateStore(Incr, MapPtrIdx) - ->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); + IRB.CreateStore(Incr, MapPtrIdx) + ->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); -#endif /* non atomic case */ + } /* non atomic case */ /* Update prev_loc history vector (by placing cur_loc at the head of the vector and shuffle the other elements back by one) */ 
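Review bot: The thread-safe branch gates the CAS NeverZero on `!skip_nozero` for LLVM ≥ 9, i.e. it is on by default and only AFL_LLVM_SKIP_NEVERZERO disables it, while the README.neverzero.md hunk in the following commit tells users it is optional with thread-safe counters and enabled via AFL_LLVM_NOT_ZERO; one of the two should change so the documented knob is the one the pass reads. The plain `IRB.CreateAtomicRMW(...)` fallback also still lacks the `nosanitize` metadata the non-atomic `CreateLoad`/`CreateStore` pair sets, so `->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None))` should be chained onto it too. runOnModule continues outside the hunk.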
@@ -735,99 +755,104 @@ bool AFLCoverage::runOnModule(Module &M) { } -#if 1 /*Atomic NeverZero */ - // handle the todo list - for (auto val : todo) { - - /* hexcoder: Realize a thread-safe counter that skips zero during overflow. - * Once this counter reaches its maximum value, it next increments to 1 - * - * Instead of - * Counter + 1 -> Counter - * we inject now this - * Counter + 1 -> {Counter, OverflowFlag} - * Counter + OverflowFlag -> Counter - */ - - /* equivalent c code looks like this - * Thanks to https://preshing.com/20150402/you-can-do-any-kind-of-atomic-read-modify-write-operation/ - - int old = atomic_load_explicit(&Counter, memory_order_relaxed); - int new; - do { - if (old == 255) { - new = 1; - } else { - new = old + 1; - } - } while (!atomic_compare_exchange_weak_explicit(&Counter, &old, new, memory_order_relaxed, memory_order_relaxed)); - - */ - - Value * MapPtrIdx = val; - Instruction * MapPtrIdxInst = cast(val); - BasicBlock::iterator it0(&(*MapPtrIdxInst)); - ++it0; - IRBuilder<> IRB(&(*it0)); - - // load the old counter value atomically - LoadInst *Counter = IRB.CreateLoad(MapPtrIdx); - Counter->setAlignment(llvm::Align()); - Counter->setAtomic(llvm::AtomicOrdering::Monotonic); - Counter->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); - - BasicBlock *BB = IRB.GetInsertBlock(); - // insert a basic block with the corpus of a do while loop - // the calculation may need to repeat, if atomic compare_exchange is not successful - - BasicBlock::iterator it(*Counter); it++; // split after load counter - BasicBlock * end_bb = BB->splitBasicBlock(it); - end_bb->setName("injected"); - - // insert the block before the second half of the split - BasicBlock * do_while_bb = BasicBlock::Create(C, "injected", end_bb->getParent(), end_bb); - - // set terminator of BB from target end_bb to target do_while_bb - auto term = BB->getTerminator(); - BranchInst::Create(do_while_bb, BB); - term->eraseFromParent(); - - // continue to fill instructions 
into the do_while loop - IRB.SetInsertPoint(do_while_bb, do_while_bb->getFirstInsertionPt()); - - PHINode * PN = IRB.CreatePHI(Int8Ty, 2); - - // compare with maximum value 0xff - auto * Cmp = IRB.CreateICmpEQ(Counter, ConstantInt::get(Int8Ty, -1)); - - // increment the counter - Value *Incr = IRB.CreateAdd(Counter, One); - - // select the counter value or 1 - auto * Select = IRB.CreateSelect(Cmp, One, Incr); - - // try to save back the new counter value - auto * CmpXchg = IRB.CreateAtomicCmpXchg(MapPtrIdx, PN, Select, - llvm::AtomicOrdering::Monotonic, llvm::AtomicOrdering::Monotonic); - CmpXchg->setAlignment(llvm::Align()); - CmpXchg->setWeak(true); - CmpXchg->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); + if (use_threadsafe_counters) { /*Atomic NeverZero */ + // handle the list of registered blocks to instrument + for (auto val : todo) { + /* hexcoder: Realize a thread-safe counter that skips zero during overflow. Once this counter reaches its maximum value, it next increments to 1 + * + * Instead of + * Counter + 1 -> Counter + * we inject now this + * Counter + 1 -> {Counter, OverflowFlag} + * Counter + OverflowFlag -> Counter + */ - // get the result of trying to update the Counter - Value * Success = IRB.CreateExtractValue(CmpXchg, ArrayRef({1})); - // get the (possibly updated) value of Counter - Value * OldVal = IRB.CreateExtractValue(CmpXchg, ArrayRef({0})); + /* equivalent c code looks like this + * Thanks to + https://preshing.com/20150402/you-can-do-any-kind-of-atomic-read-modify-write-operation/ + + int old = atomic_load_explicit(&Counter, memory_order_relaxed); + int new; + do { + if (old == 255) { + new = 1; + } else { + new = old + 1; + } + } while (!atomic_compare_exchange_weak_explicit(&Counter, &old, new, + memory_order_relaxed, memory_order_relaxed)); - // initially we use Counter - PN->addIncoming(Counter, BB); - // on retry, we use the updated value - PN->addIncoming(OldVal, do_while_bb); + */ - // if the cmpXchg was not 
successful, retry - IRB.CreateCondBr(Success, end_bb, do_while_bb); + Value * MapPtrIdx = val; + Instruction * MapPtrIdxInst = cast(val); + BasicBlock::iterator it0(&(*MapPtrIdxInst)); + ++it0; + IRBuilder<> IRB(&(*it0)); + + // load the old counter value atomically + LoadInst *Counter = IRB.CreateLoad(MapPtrIdx); + Counter->setAlignment(llvm::Align()); + Counter->setAtomic(llvm::AtomicOrdering::Monotonic); + Counter->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); + + BasicBlock *BB = IRB.GetInsertBlock(); + // insert a basic block with the corpus of a do while loop + // the calculation may need to repeat, if atomic compare_exchange is not successful + + BasicBlock::iterator it(*Counter); + it++; // split after load counter + BasicBlock *end_bb = BB->splitBasicBlock(it); + end_bb->setName("injected"); + + // insert the block before the second half of the split + BasicBlock *do_while_bb = + BasicBlock::Create(C, "injected", end_bb->getParent(), end_bb); + + // set terminator of BB from target end_bb to target do_while_bb + auto term = BB->getTerminator(); + BranchInst::Create(do_while_bb, BB); + term->eraseFromParent(); + + // continue to fill instructions into the do_while loop + IRB.SetInsertPoint(do_while_bb, do_while_bb->getFirstInsertionPt()); + + PHINode *PN = IRB.CreatePHI(Int8Ty, 2); + + // compare with maximum value 0xff + auto *Cmp = IRB.CreateICmpEQ(Counter, ConstantInt::get(Int8Ty, -1)); + + // increment the counter + Value *Incr = IRB.CreateAdd(Counter, One); + + // select the counter value or 1 + auto *Select = IRB.CreateSelect(Cmp, One, Incr); + + // try to save back the new counter value + auto *CmpXchg = IRB.CreateAtomicCmpXchg( + MapPtrIdx, PN, Select, llvm::AtomicOrdering::Monotonic, + llvm::AtomicOrdering::Monotonic); + CmpXchg->setAlignment(llvm::Align()); + CmpXchg->setWeak(true); + CmpXchg->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); + + // get the result of trying to update the Counter + Value *Success = + 
IRB.CreateExtractValue(CmpXchg, ArrayRef({1})); + // get the (possibly updated) value of Counter + Value *OldVal = + IRB.CreateExtractValue(CmpXchg, ArrayRef({0})); + + // initially we use Counter + PN->addIncoming(Counter, BB); + // on retry, we use the updated value + PN->addIncoming(OldVal, do_while_bb); + + // if the cmpXchg was not successful, retry + IRB.CreateCondBr(Success, end_bb, do_while_bb); + } - } -#endif + } } diff --git a/test/test-llvm.sh b/test/test-llvm.sh index 06d0a0f8..1152cc4e 100755 --- a/test/test-llvm.sh +++ b/test/test-llvm.sh 
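Review bot: In the CAS loop that now ships behind AFL_LLVM_THREADSAFE_INST, `IRB.CreateICmpEQ(Counter, ...)` and `IRB.CreateAdd(Counter, One)` still derive the desired value from the initial load rather than from `PN`, so `PN->addIncoming(OldVal, do_while_bb)` only refreshes the expected operand of the next cmpxchg and a retry stores a count computed from a stale read — the increment that raced is dropped, which is the lost update the loop was written to avoid. Change the two lines to `auto *Cmp = IRB.CreateICmpEQ(PN, ConstantInt::get(Int8Ty, -1));` and `Value *Incr = IRB.CreateAdd(PN, One);`; the C sketch in the comment above this code already describes that form. runOnModule continues outside the hunk.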
@@ -43,6 +43,36 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { $ECHO "$RED[!] llvm_mode failed" CODE=1 } + AFL_LLVM_INSTRUMENT=CLASSIC AFL_LLVM_THREADSAFE_INST=1 ../afl-clang-fast -o test-instr.ts ../test-instr.c > /dev/null 2>&1 + test -e test-instr.ts && { + $ECHO "$GREEN[+] llvm_mode threadsafe compilation succeeded" + echo 0 | AFL_QUIET=1 ../afl-showmap -m ${MEM_LIMIT} -o test-instr.ts.0 -r -- ./test-instr.ts > /dev/null 2>&1 + AFL_QUIET=1 ../afl-showmap -m ${MEM_LIMIT} -o test-instr.ts.1 -r -- ./test-instr.ts < /dev/null > /dev/null 2>&1 + test -e test-instr.ts.0 -a -e test-instr.ts.1 && { + diff test-instr.ts.0 test-instr.ts.1 > /dev/null 2>&1 && { + $ECHO "$RED[!] llvm_mode threadsafe instrumentation should be different on different input but is not" + CODE=1 + } || { + $ECHO "$GREEN[+] llvm_mode threadsafe instrumentation present and working correctly" + TUPLES=`echo 0|AFL_QUIET=1 ../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-instr.ts 2>&1 | grep Captur | awk '{print$3}'` + test "$TUPLES" -gt 2 -a "$TUPLES" -lt 8 && { + $ECHO "$GREEN[+] llvm_mode run reported $TUPLES threadsafe instrumented locations which is fine" + } || { + $ECHO "$RED[!] llvm_mode threadsafe instrumentation produces weird numbers: $TUPLES" + CODE=1 + } + test "$TUPLES" -lt 3 && SKIP=1 + true + } + } || { + $ECHO "$RED[!] llvm_mode threadsafe instrumentation failed" + CODE=1 + } + rm -f test-instr.ts.0 test-instr.ts.1 + } || { + $ECHO "$RED[!] llvm_mode (threadsafe) failed" + CODE=1 + } ../afl-clang-fast -DTEST_SHARED_OBJECT=1 -z defs -fPIC -shared -o test-instr.so ../test-instr.c > /dev/null 2>&1 test -e test-instr.so && { $ECHO "$GREEN[+] llvm_mode shared object with -z defs compilation succeeded" -- cgit 1.4.1 From b246de789105750558f3d6f884ba61e54cb98441 Mon Sep 17 00:00:00 2001 
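Review bot: The new test builds `test-instr.c` once with `AFL_LLVM_THREADSAFE_INST=1` and compares two single-threaded runs, which only shows that the instrumentation compiles and records edges; nothing exercises the counter from more than one thread, so the atomicity the variable promises is untested, and AFL_LLVM_SKIP_NEVERZERO is never set, so the plain `CreateAtomicRMW` fallback is not compiled at all. A second build with `AFL_LLVM_SKIP_NEVERZERO=1 AFL_LLVM_THREADSAFE_INST=1` checked against the same tuple range would at least cover both code paths. `test "$TUPLES" -lt 3 && SKIP=1` sets a variable nothing in this hunk reads; if a later part of the script consumes it that is fine, otherwise it is dead.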
From: hexcoder- Date: Sun, 30 May 2021 15:25:10 +0200 Subject: add support for AFL_LLVM_THREADSAFE_INST to other LLVM passes --- instrumentation/README.neverzero.md | 9 ++--- instrumentation/SanitizerCoverageLTO.so.cc | 42 +++++++++++++--------- instrumentation/SanitizerCoveragePCGUARD.so.cc | 35 ++++++++++-------- instrumentation/afl-llvm-lto-instrumentation.so.cc | 36 ++++++++++--------- instrumentation/afl-llvm-pass.so.cc | 15 +++++--- 5 files changed, 81 insertions(+), 56 deletions(-) (limited to 'instrumentation/afl-llvm-pass.so.cc') diff --git a/instrumentation/README.neverzero.md b/instrumentation/README.neverzero.md index 06334eab..9bcae324 100644 --- a/instrumentation/README.neverzero.md +++ b/instrumentation/README.neverzero.md @@ -16,11 +16,12 @@ at a very little cost (one instruction per edge). (The alternative of saturated counters has been tested also and proved to be inferior in terms of path discovery.) -This is implemented in afl-gcc and afl-gcc-fast, however for llvm_mode this is optional if -the llvm version is below 9 - as there is a perfomance bug that is only fixed -in version 9 and onwards. +This is implemented in afl-gcc and afl-gcc-fast, however for llvm_mode this is +optional if multithread safe counters are selected or the llvm version is below +9 - as there are severe performance costs in these cases. -If you want to enable this for llvm versions below 9 then set +If you want to enable this for llvm versions below 9 or thread safe counters +then set ``` export AFL_LLVM_NOT_ZERO=1 diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc index cd6b1939..f5af32d2 100644 --- a/instrumentation/SanitizerCoverageLTO.so.cc +++ b/instrumentation/SanitizerCoverageLTO.so.cc 
@@ -237,7 +237,8 @@ class ModuleSanitizerCoverage { uint32_t inst = 0; uint32_t afl_global_id = 0; uint64_t map_addr = 0; - char * skip_nozero = NULL; + const char * skip_nozero = NULL; + const char * use_threadsafe_counters = nullptr; std::vector BlockList; DenseMap valueMap; std::vector dictionary; @@ -438,6 +439,7 @@ bool ModuleSanitizerCoverage::instrumentModule( be_quiet = 1; skip_nozero = getenv("AFL_LLVM_SKIP_NEVERZERO"); + use_threadsafe_counters = getenv("AFL_LLVM_THREADSAFE_INST"); if ((ptr = getenv("AFL_LLVM_LTO_STARTID")) != NULL) if ((afl_global_id = atoi(ptr)) < 0) @@ -1209,7 +1211,7 @@ void ModuleSanitizerCoverage::instrumentFunction( return; // Should not instrument sanitizer init functions. if (F.getName().startswith("__sanitizer_")) return; // Don't instrument __sanitizer_* callbacks. - // Don't touch available_externally functions, their actual body is elewhere. + // Don't touch available_externally functions, their actual body is elsewhere. if (F.getLinkage() == GlobalValue::AvailableExternallyLinkage) return; // Don't instrument MSVC CRT configuration helpers. They may run before normal // initialization. 
@@ -1496,27 +1498,33 @@ void ModuleSanitizerCoverage::InjectCoverageAtBlock(Function &F, BasicBlock &BB, } /* Update bitmap */ -#if 1 /* Atomic */ - IRB.CreateAtomicRMW(llvm::AtomicRMWInst::BinOp::Add, MapPtrIdx, One, - llvm::AtomicOrdering::Monotonic); + if (use_threadsafe_counters) { /* Atomic */ -#else - LoadInst *Counter = IRB.CreateLoad(MapPtrIdx); - Counter->setMetadata(Mo->getMDKindID("nosanitize"), MDNode::get(*Ct, None)); + IRB.CreateAtomicRMW(llvm::AtomicRMWInst::BinOp::Add, MapPtrIdx, One, + llvm::AtomicOrdering::Monotonic); - Value *Incr = IRB.CreateAdd(Counter, One); + } + else + { - if (skip_nozero == NULL) { + LoadInst *Counter = IRB.CreateLoad(MapPtrIdx); + Counter->setMetadata(Mo->getMDKindID("nosanitize"), + MDNode::get(*Ct, None)); - auto cf = IRB.CreateICmpEQ(Incr, Zero); - auto carry = IRB.CreateZExt(cf, Int8Tyi); - Incr = IRB.CreateAdd(Incr, carry); + Value *Incr = IRB.CreateAdd(Counter, One); - } + if (skip_nozero == NULL) { - IRB.CreateStore(Incr, MapPtrIdx) - ->setMetadata(Mo->getMDKindID("nosanitize"), MDNode::get(*Ct, None)); -#endif + auto cf = IRB.CreateICmpEQ(Incr, Zero); + auto carry = IRB.CreateZExt(cf, Int8Tyi); + Incr = IRB.CreateAdd(Incr, carry); + + } + + IRB.CreateStore(Incr, MapPtrIdx) + ->setMetadata(Mo->getMDKindID("nosanitize"), MDNode::get(*Ct, None)); + + } // done :) inst++; diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc index dd2e1459..e1e922be 100644 --- a/instrumentation/SanitizerCoveragePCGUARD.so.cc +++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc @@ -96,7 +96,8 @@ static const char *const SanCovPCsSectionName = "sancov_pcs"; static const char *const SanCovLowestStackName = "__sancov_lowest_stack"; -static char *skip_nozero; +static const char *skip_nozero; +static const char *use_threadsafe_counters; namespace { 
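Review bot: The new atomic branch never consults `skip_nozero`, so with AFL_LLVM_THREADSAFE_INST set this pass silently drops the NeverZero carry, while the README.neverzero.md hunk in this same commit tells users that `AFL_LLVM_NOT_ZERO=1` enables NeverZero for thread safe counters; either honour the flag here or document the choice at the branch, e.g. `/* thread safe counters: plain atomic add, NeverZero carry is not applied */`. The same mismatch exists in the PCGUARD -1081 hunk and the afl-llvm-lto-instrumentation -839 hunk. Separately, the non-atomic path tags both its load and its store with `nosanitize` but the `CreateAtomicRMW` result carries no metadata; if that tag is what keeps sanitizer builds from checking map accesses, the atomic instruction needs it too: `IRB.CreateAtomicRMW(...)->setMetadata(Mo->getMDKindID("nosanitize"), MDNode::get(*Ct, None));` (the same applies to the -839 hunk, which also tags its load/store). InjectCoverageAtBlock begins and ends outside the hunk.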
@@ -396,6 +397,7 @@ bool ModuleSanitizerCoverage::instrumentModule( be_quiet = 1; skip_nozero = getenv("AFL_LLVM_SKIP_NEVERZERO"); + use_threadsafe_counters = getenv("AFL_LLVM_THREADSAFE_INST"); initInstrumentList(); scanForDangerousFunctions(&M); @@ -1081,27 +1083,32 @@ void ModuleSanitizerCoverage::InjectCoverageAtBlock(Function &F, BasicBlock &BB, Value * MapPtrIdx = IRB.CreateGEP(MapPtr, CurLoc); -#if 1 /* Atomic */ - IRB.CreateAtomicRMW(llvm::AtomicRMWInst::BinOp::Add, MapPtrIdx, One, - llvm::AtomicOrdering::Monotonic); + if (use_threadsafe_counters) { -#else - LoadInst *Counter = IRB.CreateLoad(MapPtrIdx); + IRB.CreateAtomicRMW(llvm::AtomicRMWInst::BinOp::Add, MapPtrIdx, One, + llvm::AtomicOrdering::Monotonic); + + } + else + { - /* Update bitmap */ + LoadInst *Counter = IRB.CreateLoad(MapPtrIdx); + /* Update bitmap */ - Value *Incr = IRB.CreateAdd(Counter, One); + Value *Incr = IRB.CreateAdd(Counter, One); - if (skip_nozero == NULL) { + if (skip_nozero == NULL) { - auto cf = IRB.CreateICmpEQ(Incr, Zero); - auto carry = IRB.CreateZExt(cf, Int8Ty); - Incr = IRB.CreateAdd(Incr, carry); + auto cf = IRB.CreateICmpEQ(Incr, Zero); + auto carry = IRB.CreateZExt(cf, Int8Ty); + Incr = IRB.CreateAdd(Incr, carry); + + } + + IRB.CreateStore(Incr, MapPtrIdx); } - IRB.CreateStore(Incr, MapPtrIdx); -#endif // done :) // IRB.CreateCall(SanCovTracePCGuard, Offset)->setCannotMerge(); diff --git a/instrumentation/afl-llvm-lto-instrumentation.so.cc b/instrumentation/afl-llvm-lto-instrumentation.so.cc index 5ed13ff0..10cfa579 100644 --- a/instrumentation/afl-llvm-lto-instrumentation.so.cc +++ b/instrumentation/afl-llvm-lto-instrumentation.so.cc @@ -93,7 +93,8 @@ class AFLLTOPass : public ModulePass { uint32_t function_minimum_size = 1; uint32_t inst_blocks = 0, inst_funcs = 0, total_instr = 0; unsigned long long int map_addr = 0x10000; - char * skip_nozero = NULL; + const char *skip_nozero = NULL; + const char *use_threadsafe_counters = nullptr; }; 
@@ -131,6 +132,8 @@ bool AFLLTOPass::runOnModule(Module &M) { be_quiet = 1; + use_threadsafe_counters = getenv("AFL_LLVM_THREADSAFE_INST"); + if ((ptr = getenv("AFL_LLVM_DOCUMENT_IDS")) != NULL) { if ((documentFile = fopen(ptr, "a")) == NULL) @@ -839,29 +842,28 @@ bool AFLLTOPass::runOnModule(Module &M) { /* Update bitmap */ -#if 1 /* Atomic */ - IRB.CreateAtomicRMW(llvm::AtomicRMWInst::BinOp::Add, MapPtrIdx, One, - llvm::AtomicOrdering::Monotonic); + if (use_threadsafe_counters) { + IRB.CreateAtomicRMW(llvm::AtomicRMWInst::BinOp::Add, MapPtrIdx, One, + llvm::AtomicOrdering::Monotonic); + } else { + LoadInst *Counter = IRB.CreateLoad(MapPtrIdx); + Counter->setMetadata(M.getMDKindID("nosanitize"), + MDNode::get(C, None)); -#else - LoadInst *Counter = IRB.CreateLoad(MapPtrIdx); - Counter->setMetadata(M.getMDKindID("nosanitize"), - MDNode::get(C, None)); + Value *Incr = IRB.CreateAdd(Counter, One); - Value *Incr = IRB.CreateAdd(Counter, One); + if (skip_nozero == NULL) { - if (skip_nozero == NULL) { + auto cf = IRB.CreateICmpEQ(Incr, Zero); + auto carry = IRB.CreateZExt(cf, Int8Ty); + Incr = IRB.CreateAdd(Incr, carry); - auto cf = IRB.CreateICmpEQ(Incr, Zero); - auto carry = IRB.CreateZExt(cf, Int8Ty); - Incr = IRB.CreateAdd(Incr, carry); + } + IRB.CreateStore(Incr, MapPtrIdx) + ->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); } - IRB.CreateStore(Incr, MapPtrIdx) - ->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); -#endif - // done :) inst_blocks++; diff --git a/instrumentation/afl-llvm-pass.so.cc b/instrumentation/afl-llvm-pass.so.cc index 3b1119fc..fe9e2e40 100644 --- a/instrumentation/afl-llvm-pass.so.cc +++ b/instrumentation/afl-llvm-pass.so.cc 
@@ -85,8 +85,8 @@ class AFLCoverage : public ModulePass { uint32_t ctx_k = 0; uint32_t map_size = MAP_SIZE; uint32_t function_minimum_size = 1; - char * ctx_str = NULL, *caller_str = NULL, *skip_nozero = NULL; - char * use_threadsafe_counters = nullptr; + const char * ctx_str = NULL, *caller_str = NULL, *skip_nozero = NULL; + const char * use_threadsafe_counters = nullptr; }; @@ -188,11 +188,18 @@ bool AFLCoverage::runOnModule(Module &M) { if ((isatty(2) && !getenv("AFL_QUIET")) || !!getenv("AFL_DEBUG")) { if (use_threadsafe_counters) { - SAYF(cCYA "afl-llvm-pass" VERSION cRST " using threadsafe instrumentation\n"); + if (!getenv("AFL_LLVM_NOT_ZERO")) { + skip_nozero = "1"; + SAYF(cCYA "afl-llvm-pass" VERSION cRST " using thread safe counters\n"); + } + else { + SAYF(cCYA "afl-llvm-pass" VERSION cRST + " using thread safe not-zero-counters\n"); + } } else { - SAYF(cCYA "afl-llvm-pass" VERSION cRST " using non-threadsafe instrumentation\n"); + SAYF(cCYA "afl-llvm-pass" VERSION cRST " using non-thread safe instrumentation\n"); } } -- cgit 1.4.1 From 76653544056ce2334b6523252e91a8f8a6ac9dcb Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 1 Jun 2021 10:13:16 +0200 Subject: threadsafe doc fixes, code format --- README.md | 3 +- docs/Changelog.md | 3 +- docs/env_variables.md | 9 +- frida_mode/src/instrument/instrument_debug.c | 2 +- frida_mode/src/stats/stats.c | 4 +- instrumentation/README.llvm.md | 7 +- instrumentation/SanitizerCoverageLTO.so.cc | 7 +- instrumentation/SanitizerCoveragePCGUARD.so.cc | 6 +- instrumentation/afl-llvm-lto-instrumentation.so.cc | 11 +- instrumentation/afl-llvm-pass.so.cc | 116 +++++++++++++-------- qemu_mode/libqasan/libqasan.c | 5 +- src/afl-cc.c | 3 +- src/afl-fuzz-one.c | 1 + src/afl-fuzz.c | 7 +- 14 files changed, 106 insertions(+), 78 deletions(-) (limited to 'instrumentation/afl-llvm-pass.so.cc') diff --git a/README.md b/README.md index 69e2d14a..c04dba98 100644 --- a/README.md +++ b/README.md 
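Review bot: In the -188 hunk `skip_nozero = "1"` is assigned inside the `if ((isatty(2) && !getenv("AFL_QUIET")) || !!getenv("AFL_DEBUG"))` block, so whether thread safe counters take the NeverZero path or the plain atomic add now depends on stderr being a terminal and on AFL_QUIET rather than on the configuration alone; a quiet or redirected build gets different instrumentation from an interactive one. Move the decision out of the message block, before the `isatty` check, and leave only the `SAYF` calls inside it: `if (use_threadsafe_counters && !getenv("AFL_LLVM_NOT_ZERO")) { skip_nozero = "1"; }`. The reformatted version of this block in the later "threadsafe doc fixes, code format" commit keeps the same placement. runOnModule begins and ends outside the hunk.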
@@ -90,6 +90,7 @@ behaviours and defaults: | Feature/Instrumentation | afl-gcc | llvm | gcc_plugin | frida_mode | qemu_mode |unicorn_mode | | -------------------------|:-------:|:---------:|:----------:|:----------:|:----------------:|:------------:| + | Threadsafe counters | | x(3) | | | | | | NeverZero | x86[_64]| x(1) | x | x | x | x | | Persistent Mode | | x | x | x86[_64] | x86[_64]/arm[64] | x | | LAF-Intel / CompCov | | x | | | x86[_64]/arm[64] | x86[_64]/arm | @@ -104,7 +105,7 @@ behaviours and defaults: 1. default for LLVM >= 9.0, env var for older version due an efficiency bug in previous llvm versions 2. GCC creates non-performant code, hence it is disabled in gcc_plugin - 3. (currently unassigned) + 3. with `AFL_LLVM_THREADSAFE_INST`, disables NeverZero 4. with pcguard mode and LTO mode for LLVM 11 and newer 5. upcoming, development in the branch 6. not compatible with LTO instrumentation and needs at least LLVM v4.1 diff --git a/docs/Changelog.md b/docs/Changelog.md index d8ffe498..29ea918b 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -41,6 +41,8 @@ sending a mail to . it fails - afl-cc: - We do not support llvm versions prior 6.0 anymore + - added thread safe counters to all modes (`AFL_LLVM_THREADSAFE_INST`), + note that this disables never zero counters. - Fix for -pie compiled binaries with default afl-clang-fast PCGUARD - Leak Sanitizer (AFL_USE_LSAN) added by Joshua Rogers, thanks! - Removed InsTrim instrumentation as it is not as good as PCGUARD @@ -58,7 +60,6 @@ sending a mail to . MacOS shared memory - updated the grammar custom mutator to the newest version - add -d (add dead fuzzer stats) to afl-whatsup - - add thread safe counters for LLVM CLASSIC (set AFL_LLVM_THREADSAFE_INST) - added AFL_PRINT_FILENAMES to afl-showmap/cmin to print the current filename - afl-showmap/cmin will now process queue items in alphabetical order diff --git a/docs/env_variables.md b/docs/env_variables.md index b4b866ab..38a67bc7 100644 
--- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -231,10 +231,11 @@ Then there are a few specific features that are only available in instrumentatio See [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md) for more information. -### Thread safe instrumentation counters (in mode LLVM CLASSIC) - - Setting `AFL_LLVM_THREADSAFE_INST` will inject code that implements thread safe counters. - The overhead is a bit higher compared to the older non-thread safe case. - `AFL_LLVM_NOT_ZERO` and `AFL_LLVM_SKIP_NEVERZERO` are supported (see below). +### Thread safe instrumentation counters (in all modes) + + - Setting `AFL_LLVM_THREADSAFE_INST` will inject code that implements thread + safe counters. The overhead is a little bit higher compared to the older + non-thread safe case. Note that this disables neverzero (see below). ### NOT_ZERO diff --git a/frida_mode/src/instrument/instrument_debug.c b/frida_mode/src/instrument/instrument_debug.c index be72ef89..f8c1df77 100644 --- a/frida_mode/src/instrument/instrument_debug.c +++ b/frida_mode/src/instrument/instrument_debug.c @@ -17,7 +17,7 @@ static void instrument_debug(char *format, ...) { va_list ap; char buffer[4096] = {0}; int ret; - int len; + int len; va_start(ap, format); ret = vsnprintf(buffer, sizeof(buffer) - 1, format, ap); diff --git a/frida_mode/src/stats/stats.c b/frida_mode/src/stats/stats.c index 890a8d6b..662fb6d5 100644 --- a/frida_mode/src/stats/stats.c +++ b/frida_mode/src/stats/stats.c @@ -96,10 +96,10 @@ void stats_init(void) { void stats_vprint(int fd, char *format, va_list ap) { char buffer[4096] = {0}; - int ret; + int ret; int len; - if(vsnprintf(buffer, sizeof(buffer) - 1, format, ap) < 0) { return; } + if (vsnprintf(buffer, sizeof(buffer) - 1, format, ap) < 0) { return; } len = strnlen(buffer, sizeof(buffer)); IGNORED_RETURN(write(fd, buffer, len)); 
diff --git a/instrumentation/README.llvm.md b/instrumentation/README.llvm.md index 02722588..8ce5afb9 100644 --- a/instrumentation/README.llvm.md +++ b/instrumentation/README.llvm.md @@ -144,9 +144,10 @@ is not optimal and was only fixed in llvm 9. You can set this with AFL_LLVM_NOT_ZERO=1 See [README.neverzero.md](README.neverzero.md) -Support for thread safe counters has been added for mode LLVM CLASSIC. -Activate it with `AFL_LLVM_THREADSAFE_INST=1`. The tradeoff is better precision in -multi threaded apps for a slightly higher instrumentation overhead. +Support for thread safe counters has been added for all modes. +Activate it with `AFL_LLVM_THREADSAFE_INST=1`. The tradeoff is better precision +in multi threaded apps for a slightly higher instrumentation overhead. +This also disables the nozero counter default for performance reasons. ## 4) Snapshot feature diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc index 58969e18..20f1856e 100644 --- a/instrumentation/SanitizerCoverageLTO.so.cc +++ b/instrumentation/SanitizerCoverageLTO.so.cc @@ -1497,14 +1497,12 @@ void ModuleSanitizerCoverage::InjectCoverageAtBlock(Function &F, BasicBlock &BB, } /* Update bitmap */ - if (use_threadsafe_counters) { /* Atomic */ + if (use_threadsafe_counters) { /* Atomic */ IRB.CreateAtomicRMW(llvm::AtomicRMWInst::BinOp::Add, MapPtrIdx, One, llvm::AtomicOrdering::Monotonic); - } - else - { + } else { LoadInst *Counter = IRB.CreateLoad(MapPtrIdx); Counter->setMetadata(Mo->getMDKindID("nosanitize"), @@ -1524,6 +1522,7 @@ void ModuleSanitizerCoverage::InjectCoverageAtBlock(Function &F, BasicBlock &BB, ->setMetadata(Mo->getMDKindID("nosanitize"), MDNode::get(*Ct, None)); } + // done :) inst++; diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc index dbddad0a..4a8c9e28 100644 --- a/instrumentation/SanitizerCoveragePCGUARD.so.cc +++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc 
@@ -1069,16 +1069,14 @@ void ModuleSanitizerCoverage::InjectCoverageAtBlock(Function &F, BasicBlock &BB, /* Load counter for CurLoc */ - Value * MapPtrIdx = IRB.CreateGEP(MapPtr, CurLoc); + Value *MapPtrIdx = IRB.CreateGEP(MapPtr, CurLoc); if (use_threadsafe_counters) { IRB.CreateAtomicRMW(llvm::AtomicRMWInst::BinOp::Add, MapPtrIdx, One, llvm::AtomicOrdering::Monotonic); - } - else - { + } else { LoadInst *Counter = IRB.CreateLoad(MapPtrIdx); /* Update bitmap */ diff --git a/instrumentation/afl-llvm-lto-instrumentation.so.cc b/instrumentation/afl-llvm-lto-instrumentation.so.cc index b5fdb3d6..fe43fbe5 100644 --- a/instrumentation/afl-llvm-lto-instrumentation.so.cc +++ b/instrumentation/afl-llvm-lto-instrumentation.so.cc @@ -93,8 +93,8 @@ class AFLLTOPass : public ModulePass { uint32_t function_minimum_size = 1; uint32_t inst_blocks = 0, inst_funcs = 0, total_instr = 0; unsigned long long int map_addr = 0x10000; - const char *skip_nozero = NULL; - const char *use_threadsafe_counters = nullptr; + const char * skip_nozero = NULL; + const char * use_threadsafe_counters = nullptr; }; @@ -843,9 +843,12 @@ bool AFLLTOPass::runOnModule(Module &M) { /* Update bitmap */ if (use_threadsafe_counters) { + IRB.CreateAtomicRMW(llvm::AtomicRMWInst::BinOp::Add, MapPtrIdx, One, llvm::AtomicOrdering::Monotonic); + } else { + LoadInst *Counter = IRB.CreateLoad(MapPtrIdx); Counter->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); @@ -861,7 +864,9 @@ bool AFLLTOPass::runOnModule(Module &M) { } IRB.CreateStore(Incr, MapPtrIdx) - ->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); + ->setMetadata(M.getMDKindID("nosanitize"), + MDNode::get(C, None)); + } // done :) diff --git a/instrumentation/afl-llvm-pass.so.cc b/instrumentation/afl-llvm-pass.so.cc index fe9e2e40..62f8b2ed 100644 --- a/instrumentation/afl-llvm-pass.so.cc +++ b/instrumentation/afl-llvm-pass.so.cc 
@@ -81,12 +81,12 @@ class AFLCoverage : public ModulePass { bool runOnModule(Module &M) override; protected: - uint32_t ngram_size = 0; - uint32_t ctx_k = 0; - uint32_t map_size = MAP_SIZE; - uint32_t function_minimum_size = 1; - const char * ctx_str = NULL, *caller_str = NULL, *skip_nozero = NULL; - const char * use_threadsafe_counters = nullptr; + uint32_t ngram_size = 0; + uint32_t ctx_k = 0; + uint32_t map_size = MAP_SIZE; + uint32_t function_minimum_size = 1; + const char *ctx_str = NULL, *caller_str = NULL, *skip_nozero = NULL; + const char *use_threadsafe_counters = nullptr; }; @@ -188,18 +188,30 @@ bool AFLCoverage::runOnModule(Module &M) { if ((isatty(2) && !getenv("AFL_QUIET")) || !!getenv("AFL_DEBUG")) { if (use_threadsafe_counters) { - if (!getenv("AFL_LLVM_NOT_ZERO")) { - skip_nozero = "1"; - SAYF(cCYA "afl-llvm-pass" VERSION cRST " using thread safe counters\n"); - } - else { - SAYF(cCYA "afl-llvm-pass" VERSION cRST - " using thread safe not-zero-counters\n"); - } - } - else - { - SAYF(cCYA "afl-llvm-pass" VERSION cRST " using non-thread safe instrumentation\n"); + + // disabled unless there is support for other modules as well + // (increases documentation complexity) + /* if (!getenv("AFL_LLVM_NOT_ZERO")) { */ + + skip_nozero = "1"; + SAYF(cCYA "afl-llvm-pass" VERSION cRST " using thread safe counters\n"); + + /* + + } else { + + SAYF(cCYA "afl-llvm-pass" VERSION cRST + " using thread safe not-zero-counters\n"); + + } + + */ + + } else { + + SAYF(cCYA "afl-llvm-pass" VERSION cRST + " using non-thread safe instrumentation\n"); + } } 
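Review bot: The -188 hunk replaces the `AFL_LLVM_NOT_ZERO` branch with a block comment that keeps the old code and a second `/* ... */` around its else-branch, leaving a stretch of nine commented-out lines between the assignment and the `SAYF`; since version control already preserves the removed branch, delete it and keep only the one-line reason: `// thread safe counters always disable NeverZero here; other passes have no NeverZero support for atomics yet`. If the intent is to re-enable it later, a `#if`-guarded block with a named switch reads better than nested comment markers, which also cannot be nested if the inner code ever gains a comment of its own. runOnModule begins and ends outside the hunk.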
@@ -649,44 +661,44 @@ bool AFLCoverage::runOnModule(Module &M) { /* Update bitmap */ + if (use_threadsafe_counters) { /* Atomic */ - if (use_threadsafe_counters) {/* Atomic */ - - #if LLVM_VERSION_MAJOR < 9 +#if LLVM_VERSION_MAJOR < 9 if (neverZero_counters_str != - NULL) { // with llvm 9 we make this the default as the bug in llvm is then fixed - #else + NULL) { // with llvm 9 we make this the default as the bug in llvm + // is then fixed +#else if (!skip_nozero) { - #endif +#endif // register MapPtrIdx in a todo list todo.push_back(MapPtrIdx); - } - else - { + } else { + IRB.CreateAtomicRMW(llvm::AtomicRMWInst::BinOp::Add, MapPtrIdx, One, llvm::AtomicOrdering::Monotonic); + } - } - else - { + + } else { LoadInst *Counter = IRB.CreateLoad(MapPtrIdx); Counter->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); Value *Incr = IRB.CreateAdd(Counter, One); - #if LLVM_VERSION_MAJOR < 9 +#if LLVM_VERSION_MAJOR < 9 if (neverZero_counters_str != - NULL) { // with llvm 9 we make this the default as the bug in llvm is - // then fixed - #else + NULL) { // with llvm 9 we make this the default as the bug in llvm + // is then fixed +#else if (!skip_nozero) { - #endif +#endif /* hexcoder: Realize a counter that skips zero during overflow. - * Once this counter reaches its maximum value, it next increments to 1 + * Once this counter reaches its maximum value, it next increments to + * 1 * * Instead of * Counter + 1 -> Counter @@ -705,7 +717,7 @@ bool AFLCoverage::runOnModule(Module &M) { IRB.CreateStore(Incr, MapPtrIdx) ->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); - } /* non atomic case */ + } /* non atomic case */ /* Update prev_loc history vector (by placing cur_loc at the head of the vector and shuffle the other elements back by one) */ 
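Review bot: The `#if LLVM_VERSION_MAJOR < 9 ... neverZero_counters_str != NULL ... #else ... !skip_nozero ... #endif` selection is now written out twice in the -649 hunk, once in the atomic branch and once in the non-atomic one, and the two copies must stay in lockstep; hoist it into a single local computed once before `if (use_threadsafe_counters)` (e.g. a `bool want_neverzero` set under the same `#if`) and test that in both branches. The atomic branch also emits nothing inline when it pushes to `todo`, relying on the loop in the -762 hunk to instrument the block later; a one-line comment at the `push_back`, `// instrumented after the BB loop, see the todo processing below`, would make that control flow visible. runOnModule begins and ends outside the hunk.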
@@ -762,16 +774,19 @@ bool AFLCoverage::runOnModule(Module &M) { } - if (use_threadsafe_counters) { /*Atomic NeverZero */ + if (use_threadsafe_counters) { /*Atomic NeverZero */ // handle the list of registered blocks to instrument for (auto val : todo) { - /* hexcoder: Realize a thread-safe counter that skips zero during overflow. Once this counter reaches its maximum value, it next increments to 1 - * - * Instead of - * Counter + 1 -> Counter - * we inject now this - * Counter + 1 -> {Counter, OverflowFlag} - * Counter + OverflowFlag -> Counter + + /* hexcoder: Realize a thread-safe counter that skips zero during + * overflow. Once this counter reaches its maximum value, it next + * increments to 1 + * + * Instead of + * Counter + 1 -> Counter + * we inject now this + * Counter + 1 -> {Counter, OverflowFlag} + * Counter + OverflowFlag -> Counter */ /* equivalent c code looks like this @@ -781,12 +796,19 @@ bool AFLCoverage::runOnModule(Module &M) { int old = atomic_load_explicit(&Counter, memory_order_relaxed); int new; do { + if (old == 255) { + new = 1; + } else { + new = old + 1; + } + } while (!atomic_compare_exchange_weak_explicit(&Counter, &old, new, + memory_order_relaxed, memory_order_relaxed)); */ @@ -805,7 +827,8 @@ bool AFLCoverage::runOnModule(Module &M) { BasicBlock *BB = IRB.GetInsertBlock(); // insert a basic block with the corpus of a do while loop - // the calculation may need to repeat, if atomic compare_exchange is not successful + // the calculation may need to repeat, if atomic compare_exchange is not + // successful BasicBlock::iterator it(*Counter); it++; // split after load counter @@ -857,6 +880,7 @@ bool AFLCoverage::runOnModule(Module &M) { // if the cmpXchg was not successful, retry IRB.CreateCondBr(Success, end_bb, do_while_bb); + } } diff --git a/qemu_mode/libqasan/libqasan.c b/qemu_mode/libqasan/libqasan.c index d4742e3e..6ea24f08 100644 --- a/qemu_mode/libqasan/libqasan.c +++ b/qemu_mode/libqasan/libqasan.c 
@@ -69,9 +69,8 @@ __attribute__((constructor)) void __libqasan_init() { __libqasan_is_initialized = 1; __libqasan_init_hooks(); - - if (getenv("AFL_INST_LIBS") || getenv("QASAN_HOTPACH")) - __libqasan_hotpatch(); + + if (getenv("AFL_INST_LIBS") || getenv("QASAN_HOTPACH")) __libqasan_hotpatch(); if (getenv("AFL_INST_LIBS") || getenv("QASAN_HOTPACH")) __libqasan_hotpatch(); diff --git a/src/afl-cc.c b/src/afl-cc.c index 6be6e165..486f7468 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -1777,7 +1777,8 @@ int main(int argc, char **argv, char **envp) { SAYF( "\nLLVM/LTO/afl-clang-fast/afl-clang-lto specific environment " "variables:\n" - " AFL_LLVM_THREADSAFE_INST: instrument with thread safe counters\n" + " AFL_LLVM_THREADSAFE_INST: instrument with thread safe counters, " + "disables neverzero\n" COUNTER_BEHAVIOUR diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 4a3e7f33..c3ce2edd 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -561,6 +561,7 @@ u8 fuzz_one_original(afl_state_t *afl) { if (afl->cmplog_lvl == 3 || (afl->cmplog_lvl == 2 && afl->queue_cur->tc_ref) || + afl->queue_cur->favored || !(afl->fsrv.total_execs % afl->queued_paths) || get_cur_time() - afl->last_path_time > 300000) { // 300 seconds diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index a3a623d9..5bdb4c8d 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -2066,13 +2066,10 @@ int main(int argc, char **argv_orig, char **envp) { break; case 4: afl->expand_havoc = 5; - if (afl->cmplog_lvl && afl->cmplog_lvl < 3) afl->cmplog_lvl = 3; + // if (afl->cmplog_lvl && afl->cmplog_lvl < 3) afl->cmplog_lvl = + // 3; break; case 5: - // if not in sync mode, enable deterministic mode? - // if (!afl->sync_id) afl->skip_deterministic = 0; - afl->expand_havoc = 6; - case 6: // nothing else currently break; -- cgit 1.4.1 From b9799bbe1d10461d69f919f950d4a53a578176fa Mon Sep 17 00:00:00 2001 
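Review bot: After the reformat the new side of the libqasan -69 hunk still calls `__libqasan_hotpatch()` twice in a row under the same condition: the rewritten line and the unchanged context line that follows it are identical. Unless hook installation is idempotent, the second call should be dropped; if it is idempotent, a comment saying so would save the next reader the same double take. __libqasan_init continues outside the hunk.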
From: vanhauser-thc Date: Tue, 1 Jun 2021 11:28:31 +0200 Subject: fix classic threadsafe counters --- instrumentation/afl-llvm-pass.so.cc | 44 ++++++++++++++++++++++--------------- 1 file changed, 26 insertions(+), 18 deletions(-) (limited to 'instrumentation/afl-llvm-pass.so.cc') diff --git a/instrumentation/afl-llvm-pass.so.cc b/instrumentation/afl-llvm-pass.so.cc index 62f8b2ed..a8f1baff 100644 --- a/instrumentation/afl-llvm-pass.so.cc +++ b/instrumentation/afl-llvm-pass.so.cc @@ -662,24 +662,29 @@ bool AFLCoverage::runOnModule(Module &M) { /* Update bitmap */ if (use_threadsafe_counters) { /* Atomic */ - -#if LLVM_VERSION_MAJOR < 9 - if (neverZero_counters_str != - NULL) { // with llvm 9 we make this the default as the bug in llvm - // is then fixed -#else - if (!skip_nozero) { - -#endif - // register MapPtrIdx in a todo list - todo.push_back(MapPtrIdx); - - } else { - - IRB.CreateAtomicRMW(llvm::AtomicRMWInst::BinOp::Add, MapPtrIdx, One, - llvm::AtomicOrdering::Monotonic); - - } + /* + #if LLVM_VERSION_MAJOR < 9 + if (neverZero_counters_str != + NULL) { // with llvm 9 we make this the default as the bug + in llvm + // is then fixed + #else + if (!skip_nozero) { + + #endif + // register MapPtrIdx in a todo list + todo.push_back(MapPtrIdx); + + } else { + + */ + IRB.CreateAtomicRMW(llvm::AtomicRMWInst::BinOp::Add, MapPtrIdx, One, + llvm::AtomicOrdering::Monotonic); + /* + + } + + */ } else { @@ -774,6 +779,7 @@ bool AFLCoverage::runOnModule(Module &M) { } +#if 0 if (use_threadsafe_counters) { /*Atomic NeverZero */ // handle the list of registered blocks to instrument for (auto val : todo) { @@ -885,6 +891,8 @@ bool AFLCoverage::runOnModule(Module &M) { } +#endif + } /* -- cgit 1.4.1 From 97225f1f6f55366a8e2702652dd2e3e1f65b72d5 Mon Sep 17 00:00:00 2001 
From: hexcoder- Date: Tue, 1 Jun 2021 18:36:28 +0200 Subject: adapt to incompatible LLVM 13 API --- instrumentation/SanitizerCoverageLTO.so.cc | 3 +++ instrumentation/SanitizerCoveragePCGUARD.so.cc | 3 +++ instrumentation/afl-llvm-lto-instrumentation.so.cc | 3 +++ instrumentation/afl-llvm-pass.so.cc | 3 +++ 4 files changed, 12 insertions(+) (limited to 'instrumentation/afl-llvm-pass.so.cc') diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc index 20f1856e..74ef03df 100644 --- a/instrumentation/SanitizerCoverageLTO.so.cc +++ b/instrumentation/SanitizerCoverageLTO.so.cc @@ -1500,6 +1500,9 @@ void ModuleSanitizerCoverage::InjectCoverageAtBlock(Function &F, BasicBlock &BB, if (use_threadsafe_counters) { /* Atomic */ IRB.CreateAtomicRMW(llvm::AtomicRMWInst::BinOp::Add, MapPtrIdx, One, +#if LLVM_VERSION_MAJOR >= 13 + llvm_MaybeAlign(1), +#endif llvm::AtomicOrdering::Monotonic); } else { diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc index 4a8c9e28..d79dd65a 100644 --- a/instrumentation/SanitizerCoveragePCGUARD.so.cc +++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc @@ -1074,6 +1074,9 @@ void ModuleSanitizerCoverage::InjectCoverageAtBlock(Function &F, BasicBlock &BB, if (use_threadsafe_counters) { IRB.CreateAtomicRMW(llvm::AtomicRMWInst::BinOp::Add, MapPtrIdx, One, +#if LLVM_VERSION_MAJOR >= 13 + llvm_MaybeAlign(1), +#endif llvm::AtomicOrdering::Monotonic); } else { diff --git a/instrumentation/afl-llvm-lto-instrumentation.so.cc b/instrumentation/afl-llvm-lto-instrumentation.so.cc index fe43fbe5..91f0e7e6 100644 --- a/instrumentation/afl-llvm-lto-instrumentation.so.cc +++ b/instrumentation/afl-llvm-lto-instrumentation.so.cc 
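Review bot: `llvm_MaybeAlign(1)` does not match the namespace-qualified spelling used for the other LLVM names on the same call (`llvm::AtomicRMWInst::BinOp::Add`, `llvm::AtomicOrdering::Monotonic`); the alignment type is `llvm::MaybeAlign`, so as written the `LLVM_VERSION_MAJOR >= 13` build will not resolve it. The same four-line `#if`/`#endif` argument block is pasted into all four passes (this LTO hunk, the PCGUARD hunk beside it, and the two hunks on the next line), so one small shared helper that emits the atomic increment for a given `MapPtrIdx` would keep the LLVM-version handling in a single place. An alignment of 1 is consistent with the `Int8Ty` counter, but a comment such as `// counters are i8, so natural alignment is 1` at the argument would record why that value is right. Each enclosing function begins and ends outside its hunk.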
@@ -845,6 +845,9 @@ bool AFLLTOPass::runOnModule(Module &M) { if (use_threadsafe_counters) { IRB.CreateAtomicRMW(llvm::AtomicRMWInst::BinOp::Add, MapPtrIdx, One, +#if LLVM_VERSION_MAJOR >= 13 + llvm_MaybeAlign(1), +#endif llvm::AtomicOrdering::Monotonic); } else { diff --git a/instrumentation/afl-llvm-pass.so.cc b/instrumentation/afl-llvm-pass.so.cc index a8f1baff..a2de5cb3 100644 --- a/instrumentation/afl-llvm-pass.so.cc +++ b/instrumentation/afl-llvm-pass.so.cc @@ -679,6 +679,9 @@ bool AFLCoverage::runOnModule(Module &M) { */ IRB.CreateAtomicRMW(llvm::AtomicRMWInst::BinOp::Add, MapPtrIdx, One, +#if LLVM_VERSION_MAJOR >= 13 + llvm_MaybeAlign(1), +#endif llvm::AtomicOrdering::Monotonic); /* -- cgit 1.4.1 From 96c802fce83fc2fa178207214573f8c9f1995fba Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Tue, 1 Jun 2021 18:41:38 +0200 Subject: fix stupid typos --- instrumentation/SanitizerCoverageLTO.so.cc | 2 +- instrumentation/SanitizerCoveragePCGUARD.so.cc | 2 +- instrumentation/afl-llvm-lto-instrumentation.so.cc | 2 +- instrumentation/afl-llvm-pass.so.cc | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) (limited to 'instrumentation/afl-llvm-pass.so.cc') diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc index 74ef03df..372af003 100644 --- a/instrumentation/SanitizerCoverageLTO.so.cc +++ b/instrumentation/SanitizerCoverageLTO.so.cc @@ -1501,7 +1501,7 @@ void ModuleSanitizerCoverage::InjectCoverageAtBlock(Function &F, BasicBlock &BB, IRB.CreateAtomicRMW(llvm::AtomicRMWInst::BinOp::Add, MapPtrIdx, One, #if LLVM_VERSION_MAJOR >= 13 - llvm_MaybeAlign(1), + llvm::MaybeAlign(1), #endif llvm::AtomicOrdering::Monotonic); diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc index d79dd65a..48ad2d02 100644 --- a/instrumentation/SanitizerCoveragePCGUARD.so.cc +++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc 
@@ -1075,7 +1075,7 @@ void ModuleSanitizerCoverage::InjectCoverageAtBlock(Function &F, BasicBlock &BB, IRB.CreateAtomicRMW(llvm::AtomicRMWInst::BinOp::Add, MapPtrIdx, One, #if LLVM_VERSION_MAJOR >= 13 - llvm_MaybeAlign(1), + llvm::MaybeAlign(1), #endif llvm::AtomicOrdering::Monotonic); diff --git a/instrumentation/afl-llvm-lto-instrumentation.so.cc b/instrumentation/afl-llvm-lto-instrumentation.so.cc index 91f0e7e6..bb9b9279 100644 --- a/instrumentation/afl-llvm-lto-instrumentation.so.cc +++ b/instrumentation/afl-llvm-lto-instrumentation.so.cc @@ -846,7 +846,7 @@ bool AFLLTOPass::runOnModule(Module &M) { IRB.CreateAtomicRMW(llvm::AtomicRMWInst::BinOp::Add, MapPtrIdx, One, #if LLVM_VERSION_MAJOR >= 13 - llvm_MaybeAlign(1), + llvm::MaybeAlign(1), #endif llvm::AtomicOrdering::Monotonic); diff --git a/instrumentation/afl-llvm-pass.so.cc b/instrumentation/afl-llvm-pass.so.cc index a2de5cb3..6fe34ccd 100644 --- a/instrumentation/afl-llvm-pass.so.cc +++ b/instrumentation/afl-llvm-pass.so.cc @@ -680,7 +680,7 @@ bool AFLCoverage::runOnModule(Module &M) { */ IRB.CreateAtomicRMW(llvm::AtomicRMWInst::BinOp::Add, MapPtrIdx, One, #if LLVM_VERSION_MAJOR >= 13 - llvm_MaybeAlign(1), + llvm::MaybeAlign(1), #endif llvm::AtomicOrdering::Monotonic); /* -- cgit 1.4.1 From 76c0940cee04a4fc68f7bb6c3487bc3263494034 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Mon, 7 Jun 2021 12:54:16 +0200 Subject: format --- instrumentation/afl-llvm-pass.so.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'instrumentation/afl-llvm-pass.so.cc') diff --git a/instrumentation/afl-llvm-pass.so.cc b/instrumentation/afl-llvm-pass.so.cc index 6fe34ccd..94b77f7d 100644 --- a/instrumentation/afl-llvm-pass.so.cc +++ b/instrumentation/afl-llvm-pass.so.cc @@ -676,7 +676,7 @@ bool AFLCoverage::runOnModule(Module &M) { todo.push_back(MapPtrIdx); } else { - + */ IRB.CreateAtomicRMW(llvm::AtomicRMWInst::BinOp::Add, MapPtrIdx, One, #if LLVM_VERSION_MAJOR >= 13 -- cgit 1.4.1 
From 9ec63d3f1776ae1442fe89d5e076b58b36997f76 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 14 Jul 2021 14:31:27 +0200 Subject: fix frida, fix dictionary generation to honor AFL_LLVM_{ALLOW/DENY}LIST --- docs/Changelog.md | 2 ++ frida_mode/src/instrument/instrument.c | 3 ++- instrumentation/SanitizerCoverageLTO.so.cc | 2 ++ instrumentation/afl-llvm-dict2file.so.cc | 1 + instrumentation/afl-llvm-pass.so.cc | 4 ++-- 5 files changed, 9 insertions(+), 3 deletions(-) (limited to 'instrumentation/afl-llvm-pass.so.cc') diff --git a/docs/Changelog.md b/docs/Changelog.md index 29af44ab..8aca5608 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -24,10 +24,12 @@ sending a mail to . - Fix to instrument global namespace functions in c++ - Fix for llvm 13 - support partial linking + - do honor AFL_LLVM_{ALLOW/DENY}LIST for LTO autodictionary and DICT2FILE - We do support llvm versions from 3.8 to 5.0 again - frida_mode: - several fixes for cmplog - remove need for AFL_FRIDA_PERSISTENT_RETADDR_OFFSET + - less coverage collision - feature parity of aarch64 with intel now (persistent, cmplog, in-memory testcases, asan) - afl-cmin and afl-showmap -i do now descend into subdirectories diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c index 81d14013..e1dabf92 100644 --- a/frida_mode/src/instrument/instrument.c +++ b/frida_mode/src/instrument/instrument.c @@ -1,6 +1,7 @@ #include #include #include +#include #include "frida-gumjs.h" @@ -289,7 +290,7 @@ void instrument_init(void) { * needs to be different for each instance. */ instrument_hash_seed = - g_get_monotonic_time() ^ (((guint64)getpid()) << 32) ^ gettid(); + g_get_monotonic_time() ^ (((guint64)getpid()) << 32) ^ syscall(SYS_gettid); OKF("Instrumentation - seed [0x%016" G_GINT64_MODIFIER "x]", instrument_hash_seed); diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc index 28eb0b9f..91b81910 100644 
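Review bot: The frida instrument.c hunk replaces `gettid()` with `syscall(SYS_gettid)`, and `SYS_gettid` is a Linux-specific constant; if this file is also built for non-Linux targets the change trades one portability problem for another, so it presumably wants an `#ifdef __linux__` guard with a fallback seed component (the header name on the added `#include` line is lost in this rendering, so I cannot tell which header was added). A comment at the seed, `// per-instance hash seed: time ^ pid ^ tid, must differ between concurrently started instances`, would also restate the requirement the surrounding comment gives. instrument_init begins and ends outside the hunk.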
--- a/instrumentation/SanitizerCoverageLTO.so.cc +++ b/instrumentation/SanitizerCoverageLTO.so.cc @@ -516,6 +516,8 @@ bool ModuleSanitizerCoverage::instrumentModule( for (auto &F : M) { + if (!isInInstrumentList(&F) || !F.size()) { continue; } + for (auto &BB : F) { for (auto &IN : BB) { diff --git a/instrumentation/afl-llvm-dict2file.so.cc b/instrumentation/afl-llvm-dict2file.so.cc index 5350f62b..9daa75a8 100644 --- a/instrumentation/afl-llvm-dict2file.so.cc +++ b/instrumentation/afl-llvm-dict2file.so.cc @@ -154,6 +154,7 @@ bool AFLdict2filePass::runOnModule(Module &M) { for (auto &F : M) { if (isIgnoreFunction(&F)) continue; + if (!isInInstrumentList(&F) || !F.size()) { continue; } /* Some implementation notes. * diff --git a/instrumentation/afl-llvm-pass.so.cc b/instrumentation/afl-llvm-pass.so.cc index 94b77f7d..ecf28f31 100644 --- a/instrumentation/afl-llvm-pass.so.cc +++ b/instrumentation/afl-llvm-pass.so.cc @@ -438,9 +438,9 @@ bool AFLCoverage::runOnModule(Module &M) { fprintf(stderr, "FUNCTION: %s (%zu)\n", F.getName().str().c_str(), F.size()); - if (!isInInstrumentList(&F)) continue; + if (!isInInstrumentList(&F)) { continue; } - if (F.size() < function_minimum_size) continue; + if (F.size() < function_minimum_size) { continue; } std::list todo; for (auto &BB : F) { -- cgit 1.4.1