From 35f09e11a4373b0fb42c690d23127c144f72f73c Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Tue, 3 Jan 2023 09:38:00 +0100
Subject: welcome 2023
---
instrumentation/afl-compiler-rt.o.c | 2 +-
instrumentation/afl-gcc-cmplog-pass.so.cc | 2 +-
instrumentation/afl-gcc-cmptrs-pass.so.cc | 2 +-
instrumentation/afl-gcc-common.h | 2 +-
instrumentation/afl-gcc-pass.so.cc | 2 +-
instrumentation/afl-llvm-dict2file.so.cc | 2 +-
instrumentation/afl-llvm-lto-instrumentlist.so.cc | 2 +-
instrumentation/afl-llvm-pass.so.cc | 2 +-
instrumentation/cmplog-instructions-pass.cc | 2 +-
instrumentation/cmplog-routines-pass.cc | 2 +-
instrumentation/cmplog-switches-pass.cc | 2 +-
11 files changed, 11 insertions(+), 11 deletions(-)
(limited to 'instrumentation')
diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c
index fd5f2d4c..9c6345b6 100644
--- a/instrumentation/afl-compiler-rt.o.c
+++ b/instrumentation/afl-compiler-rt.o.c
@@ -3,7 +3,7 @@
------------------------------------------------
Copyright 2015, 2016 Google Inc. All rights reserved.
- Copyright 2019-2022 AFLplusplus Project. All rights reserved.
+ Copyright 2019-2023 AFLplusplus Project. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
diff --git a/instrumentation/afl-gcc-cmplog-pass.so.cc b/instrumentation/afl-gcc-cmplog-pass.so.cc
index 3c781fd7..b4e6fda9 100644
--- a/instrumentation/afl-gcc-cmplog-pass.so.cc
+++ b/instrumentation/afl-gcc-cmplog-pass.so.cc
@@ -3,7 +3,7 @@
Copyright 2014-2019 Free Software Foundation, Inc
Copyright 2015, 2016 Google Inc. All rights reserved.
Copyright 2019-2020 AFLplusplus Project. All rights reserved.
- Copyright 2019-2022 AdaCore
+ Copyright 2019-2023 AdaCore
Written by Alexandre Oliva , based on the AFL++
LLVM CmpLog pass by Andrea Fioraldi , and
diff --git a/instrumentation/afl-gcc-cmptrs-pass.so.cc b/instrumentation/afl-gcc-cmptrs-pass.so.cc
index 0ddbac15..dbb408b0 100644
--- a/instrumentation/afl-gcc-cmptrs-pass.so.cc
+++ b/instrumentation/afl-gcc-cmptrs-pass.so.cc
@@ -3,7 +3,7 @@
Copyright 2014-2019 Free Software Foundation, Inc
Copyright 2015, 2016 Google Inc. All rights reserved.
Copyright 2019-2020 AFLplusplus Project. All rights reserved.
- Copyright 2019-2022 AdaCore
+ Copyright 2019-2023 AdaCore
Written by Alexandre Oliva , based on the AFL++
LLVM CmpLog Routines pass by Andrea Fioraldi
diff --git a/instrumentation/afl-gcc-common.h b/instrumentation/afl-gcc-common.h
index cda3f9d8..1d5eb466 100644
--- a/instrumentation/afl-gcc-common.h
+++ b/instrumentation/afl-gcc-common.h
@@ -2,7 +2,7 @@
Copyright 2014-2019 Free Software Foundation, Inc
Copyright 2015, 2016 Google Inc. All rights reserved.
- Copyright 2019-2022 AdaCore
+ Copyright 2019-2023 AdaCore
Written by Alexandre Oliva , based on the AFL++
GCC plugin.
diff --git a/instrumentation/afl-gcc-pass.so.cc b/instrumentation/afl-gcc-pass.so.cc
index ea938a7f..4d7fd0ef 100644
--- a/instrumentation/afl-gcc-pass.so.cc
+++ b/instrumentation/afl-gcc-pass.so.cc
@@ -2,7 +2,7 @@
Copyright 2014-2019 Free Software Foundation, Inc
Copyright 2015, 2016 Google Inc. All rights reserved.
- Copyright 2019-2022 AdaCore
+ Copyright 2019-2023 AdaCore
Written by Alexandre Oliva , based on the AFL
LLVM pass by Laszlo Szekeres and Michal
diff --git a/instrumentation/afl-llvm-dict2file.so.cc b/instrumentation/afl-llvm-dict2file.so.cc
index fd8baea2..bbbbe32c 100644
--- a/instrumentation/afl-llvm-dict2file.so.cc
+++ b/instrumentation/afl-llvm-dict2file.so.cc
@@ -4,7 +4,7 @@
Written by Marc Heuse
- Copyright 2019-2022 AFLplusplus Project. All rights reserved.
+ Copyright 2019-2023 AFLplusplus Project. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
diff --git a/instrumentation/afl-llvm-lto-instrumentlist.so.cc b/instrumentation/afl-llvm-lto-instrumentlist.so.cc
index 32b1798a..db5bd55e 100644
--- a/instrumentation/afl-llvm-lto-instrumentlist.so.cc
+++ b/instrumentation/afl-llvm-lto-instrumentlist.so.cc
@@ -9,7 +9,7 @@
from afl-as.c are Michal's fault.
Copyright 2015, 2016 Google Inc. All rights reserved.
- Copyright 2019-2022 AFLplusplus Project. All rights reserved.
+ Copyright 2019-2023 AFLplusplus Project. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
diff --git a/instrumentation/afl-llvm-pass.so.cc b/instrumentation/afl-llvm-pass.so.cc
index df1ccc4f..e8d0b1e5 100644
--- a/instrumentation/afl-llvm-pass.so.cc
+++ b/instrumentation/afl-llvm-pass.so.cc
@@ -12,7 +12,7 @@
NGRAM previous location coverage comes from Adrian Herrera.
Copyright 2015, 2016 Google Inc. All rights reserved.
- Copyright 2019-2022 AFLplusplus Project. All rights reserved.
+ Copyright 2019-2023 AFLplusplus Project. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
diff --git a/instrumentation/cmplog-instructions-pass.cc b/instrumentation/cmplog-instructions-pass.cc
index 084ad8c9..bca1f927 100644
--- a/instrumentation/cmplog-instructions-pass.cc
+++ b/instrumentation/cmplog-instructions-pass.cc
@@ -5,7 +5,7 @@
Written by Andrea Fioraldi
Copyright 2015, 2016 Google Inc. All rights reserved.
- Copyright 2019-2022 AFLplusplus Project. All rights reserved.
+ Copyright 2019-2023 AFLplusplus Project. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
diff --git a/instrumentation/cmplog-routines-pass.cc b/instrumentation/cmplog-routines-pass.cc
index 9733f86e..0498156d 100644
--- a/instrumentation/cmplog-routines-pass.cc
+++ b/instrumentation/cmplog-routines-pass.cc
@@ -5,7 +5,7 @@
Written by Andrea Fioraldi
Copyright 2015, 2016 Google Inc. All rights reserved.
- Copyright 2019-2022 AFLplusplus Project. All rights reserved.
+ Copyright 2019-2023 AFLplusplus Project. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
diff --git a/instrumentation/cmplog-switches-pass.cc b/instrumentation/cmplog-switches-pass.cc
index 563a4481..cd0ae76d 100644
--- a/instrumentation/cmplog-switches-pass.cc
+++ b/instrumentation/cmplog-switches-pass.cc
@@ -5,7 +5,7 @@
Written by Andrea Fioraldi
Copyright 2015, 2016 Google Inc. All rights reserved.
- Copyright 2019-2022 AFLplusplus Project. All rights reserved.
+ Copyright 2019-2023 AFLplusplus Project. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
--
cgit 1.4.1
From afd2ea90dfdb9aa7668c482e7c427f95c4847843 Mon Sep 17 00:00:00 2001
From: David Carlier
Date: Fri, 20 Jan 2023 22:12:35 +0000
Subject: LLVM plugin 16+ support proposal. - Lifting the standard to C++17. -
Beyond the cosmetic changes, it boils down to BasicBlock::getInstList no longer being
available (and, reading the header, that is no accident).
---
GNUmakefile.llvm | 6 +
instrumentation/SanitizerCoveragePCGUARD.so.cc | 4 +
instrumentation/afl-llvm-common.cc | 1 +
instrumentation/afl-llvm-common.h | 7 +
instrumentation/compare-transform-pass.so.cc | 4 +
instrumentation/split-compares-pass.so.cc | 244 ++++++++++++++++++++-----
instrumentation/split-switches-pass.so.cc | 20 ++
7 files changed, 243 insertions(+), 43 deletions(-)
(limited to 'instrumentation')
diff --git a/GNUmakefile.llvm b/GNUmakefile.llvm
index d6e45d29..09e9b5be 100644
--- a/GNUmakefile.llvm
+++ b/GNUmakefile.llvm
@@ -48,6 +48,7 @@ LLVM_MINOR = $(shell $(LLVM_CONFIG) --version 2>/dev/null | sed 's/.*\.//' | sed
LLVM_UNSUPPORTED = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^[0-2]\.|^3.[0-7]\.' && echo 1 || echo 0 )
LLVM_TOO_NEW = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[5-9]' && echo 1 || echo 0 )
LLVM_NEW_API = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[0-9]' && echo 1 || echo 0 )
+LLVM_NEWER_API = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[6-9]' && echo 1 || echo 0 )
LLVM_10_OK = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[1-9]|^10\.[1-9]|^10\.0.[1-9]' && echo 1 || echo 0 )
LLVM_HAVE_LTO = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[1-9]' && echo 1 || echo 0 )
LLVM_BINDIR = $(shell $(LLVM_CONFIG) --bindir 2>/dev/null)
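Review bot: The added `LLVM_NEWER_API` test matches only majors 16 through 19 (`^1[6-9]`), so once llvm-config reports 20.x the C++17 switch that the second hunk keys off it silently stays disabled, even though the API change it guards is permanent; `grep -E -q '^(1[6-9]|[2-9][0-9])'` would cover later majors. The surrounding context lines use the same single-decade pattern, but those are not part of this change. Note also that the context `LLVM_TOO_NEW` test (`^1[5-9]`) still classifies 16 as too new while this commit adds 16 support; if that flag only prints a warning it is harmless, but it is worth confirming it does not abort the build.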
@@ -81,6 +82,11 @@ ifeq "$(LLVM_NEW_API)" "1"
LLVM_TOO_OLD=0
endif
+ifeq "$(LLVM_NEWER_API)" "1"
+ $(info [+] llvm_mode detected llvm 16+, enabling c++17)
+ LLVM_STDCXX = c++17
+endif
+
ifeq "$(LLVM_TOO_OLD)" "1"
$(info [!] llvm_mode detected an old version of llvm, upgrade to at least 9 or preferable 11!)
$(shell sleep 1)
diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc
index ef2d3b9c..c4a564f7 100644
--- a/instrumentation/SanitizerCoveragePCGUARD.so.cc
+++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc
@@ -728,7 +728,11 @@ GlobalVariable *ModuleSanitizerCoverageAFL::CreateFunctionLocalArrayInSection(
Array->setSection(getSectionName(Section));
#if (LLVM_VERSION_MAJOR >= 11) || \
(LLVM_VERSION_MAJOR == 10 && LLVM_VERSION_MINOR >= 1)
+ #if LLVM_VERSION_MAJOR >= 16
+ Array->setAlignment(Align(DL->getTypeStoreSize(Ty).getFixedValue()));
+ #else
Array->setAlignment(Align(DL->getTypeStoreSize(Ty).getFixedSize()));
+ #endif
#else
Array->setAlignment(Align(4)); // cheating
#endif
diff --git a/instrumentation/afl-llvm-common.cc b/instrumentation/afl-llvm-common.cc
index 5fcf27fb..dc34d191 100644
--- a/instrumentation/afl-llvm-common.cc
+++ b/instrumentation/afl-llvm-common.cc
@@ -12,6 +12,7 @@
#include
#include
#include
+#include
#include
diff --git a/instrumentation/afl-llvm-common.h b/instrumentation/afl-llvm-common.h
index dee5f9fc..0112c325 100644
--- a/instrumentation/afl-llvm-common.h
+++ b/instrumentation/afl-llvm-common.h
@@ -8,6 +8,7 @@
#include
#include
#include
+#include
#include
#include "llvm/Config/llvm-config.h"
@@ -35,6 +36,12 @@ typedef long double max_align_t;
#if LLVM_VERSION_MAJOR >= 11
#define MNAME M.getSourceFileName()
#define FMNAME F.getParent()->getSourceFileName()
+ #if LLVM_VERSION_MAJOR >= 16
+ // None becomes deprecated
+ // the standard std::nullopt_t is recommended instead
+ // from C++17 and onwards.
+ constexpr std::nullopt_t None = std::nullopt;
+ #endif
#else
#define MNAME std::string("")
#define FMNAME std::string("")
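Review bot: The added `constexpr std::nullopt_t None = std::nullopt;` defines a global-scope `None` in a header every pass includes; if the including files also carry `using namespace llvm;` and LLVM 16 still declares the deprecated `llvm::None`, an unqualified `None` becomes ambiguous rather than a drop-in replacement — worth confirming against the LLVM 16 headers before relying on it. A safer shape is to leave the name alone and switch the call sites to `std::nullopt` under the same `#if`, or to place the alias in the project's own namespace. The `#include` added in the first hunk of this file has lost its header name on this page, so it cannot be verified here that `<optional>`, which `std::nullopt_t` requires, is actually pulled in.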
diff --git a/instrumentation/compare-transform-pass.so.cc b/instrumentation/compare-transform-pass.so.cc
index 39bff510..efc99d20 100644
--- a/instrumentation/compare-transform-pass.so.cc
+++ b/instrumentation/compare-transform-pass.so.cc
@@ -708,7 +708,11 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp,
/* since the call is the first instruction of the bb it is safe to
* replace it with a phi instruction */
BasicBlock::iterator ii(callInst);
+#if LLVM_MAJOR >= 16
+ ReplaceInstWithInst(callInst->getParent(), ii, PN);
+#else
ReplaceInstWithInst(callInst->getParent()->getInstList(), ii, PN);
+#endif
}
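Review bot: The new guard here is spelled `#if LLVM_MAJOR >= 16`, while the SanitizerCoveragePCGUARD and split-switches hunks in this same commit use `LLVM_VERSION_MAJOR`; the split-compares hunks use `LLVM_MAJOR` throughout. `LLVM_MAJOR` appears to be supplied by the build rather than by `llvm/Config/llvm-config.h`, so in any translation unit where it is not defined the preprocessor evaluates it as 0 and picks the pre-16 branch, producing a misleading getInstList compile error on LLVM 16 instead of a clear "macro not set" failure. Using one macro for all the new guards, preferably `#if LLVM_VERSION_MAJOR >= 16` from the config header, removes the dependency on build flags. transformCmps begins before this hunk.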
diff --git a/instrumentation/split-compares-pass.so.cc b/instrumentation/split-compares-pass.so.cc
index 95eca0cb..dd7b09a6 100644
--- a/instrumentation/split-compares-pass.so.cc
+++ b/instrumentation/split-compares-pass.so.cc
@@ -322,8 +322,12 @@ bool SplitComparesTransform::simplifyFPCompares(Module &M) {
* block bb it is now at the position where the old FcmpInst was */
Instruction *fcmp_np;
fcmp_np = CmpInst::Create(Instruction::FCmp, new_pred, op0, op1);
+#if LLVM_MAJOR >= 16
+ fcmp_np->insertInto(bb, BasicBlock::iterator(bb->getTerminator()));
+#else
bb->getInstList().insert(BasicBlock::iterator(bb->getTerminator()),
fcmp_np);
+#endif
/* create a new basic block which holds the new EQ fcmp */
Instruction *fcmp_eq;
@@ -331,7 +335,11 @@ bool SplitComparesTransform::simplifyFPCompares(Module &M) {
BasicBlock *middle_bb =
BasicBlock::Create(C, "injected", end_bb->getParent(), end_bb);
fcmp_eq = CmpInst::Create(Instruction::FCmp, CmpInst::FCMP_OEQ, op0, op1);
+#if LLVM_MAJOR >= 16
+ fcmp_eq->insertInto(middle_bb, middle_bb->end());
+#else
middle_bb->getInstList().push_back(fcmp_eq);
+#endif
/* add an unconditional branch to the end of middle_bb with destination
* end_bb */
BranchInst::Create(end_bb, middle_bb);
@@ -352,7 +360,11 @@ bool SplitComparesTransform::simplifyFPCompares(Module &M) {
PN->addIncoming(ConstantInt::get(Int1Ty, 1), bb);
/* replace the old FcmpInst with our new and shiny PHI inst */
BasicBlock::iterator ii(FcmpInst);
+#if LLVM_MAJOR >= 16
+ ReplaceInstWithInst(FcmpInst->getParent(), ii, PN);
+#else
ReplaceInstWithInst(FcmpInst->getParent()->getInstList(), ii, PN);
+#endif
}
@@ -409,7 +421,11 @@ bool SplitComparesTransform::simplifyOrEqualsCompare(CmpInst *IcmpInst,
/* create the ICMP instruction with new_pred and add it to the old basic
* block bb it is now at the position where the old IcmpInst was */
CmpInst *icmp_np = CmpInst::Create(Instruction::ICmp, new_pred, op0, op1);
+#if LLVM_MAJOR >= 16
+ icmp_np->insertInto(bb, BasicBlock::iterator(bb->getTerminator()));
+#else
bb->getInstList().insert(BasicBlock::iterator(bb->getTerminator()), icmp_np);
+#endif
/* create a new basic block which holds the new EQ icmp */
CmpInst *icmp_eq;
@@ -417,7 +433,11 @@ bool SplitComparesTransform::simplifyOrEqualsCompare(CmpInst *IcmpInst,
BasicBlock *middle_bb =
BasicBlock::Create(C, "injected", end_bb->getParent(), end_bb);
icmp_eq = CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_EQ, op0, op1);
+#if LLVM_MAJOR >= 16
+ icmp_eq->insertInto(middle_bb, middle_bb->end());
+#else
middle_bb->getInstList().push_back(icmp_eq);
+#endif
/* add an unconditional branch to the end of middle_bb with destination
* end_bb */
BranchInst::Create(end_bb, middle_bb);
@@ -438,7 +458,11 @@ bool SplitComparesTransform::simplifyOrEqualsCompare(CmpInst *IcmpInst,
PN->addIncoming(ConstantInt::get(Int1Ty, 1), bb);
/* replace the old IcmpInst with our new and shiny PHI inst */
BasicBlock::iterator ii(IcmpInst);
+#if LLVM_MAJOR >= 16
+ ReplaceInstWithInst(IcmpInst->getParent(), ii, PN);
+#else
ReplaceInstWithInst(IcmpInst->getParent()->getInstList(), ii, PN);
+#endif
worklist.push_back(icmp_np);
worklist.push_back(icmp_eq);
@@ -518,7 +542,11 @@ bool SplitComparesTransform::simplifySignedCompare(CmpInst *IcmpInst, Module &M,
}
+#if LLVM_MAJOR >= 16
+ icmp_inv_sig_cmp->insertInto(sign_bb, sign_bb->end());
+#else
sign_bb->getInstList().push_back(icmp_inv_sig_cmp);
+#endif
BranchInst::Create(end_bb, sign_bb);
/* create a new bb which is executed if signedness is equal */
@@ -528,7 +556,11 @@ bool SplitComparesTransform::simplifySignedCompare(CmpInst *IcmpInst, Module &M,
/* we can do a normal unsigned compare now */
icmp_usign_cmp = CmpInst::Create(Instruction::ICmp, new_pred, op0, op1);
+#if LLVM_MAJOR >= 16
+ icmp_usign_cmp->insertInto(middle_bb, middle_bb->end());
+#else
middle_bb->getInstList().push_back(icmp_usign_cmp);
+#endif
BranchInst::Create(end_bb, middle_bb);
auto term = bb->getTerminator();
@@ -543,7 +575,11 @@ bool SplitComparesTransform::simplifySignedCompare(CmpInst *IcmpInst, Module &M,
PN->addIncoming(icmp_inv_sig_cmp, sign_bb);
BasicBlock::iterator ii(IcmpInst);
+#if LLVM_MAJOR >= 16
+ ReplaceInstWithInst(IcmpInst->getParent(), ii, PN);
+#else
ReplaceInstWithInst(IcmpInst->getParent()->getInstList(), ii, PN);
+#endif
// save for later
worklist.push_back(icmp_usign_cmp);
@@ -717,7 +753,11 @@ bool SplitComparesTransform::splitCompare(CmpInst *cmp_inst, Module &M,
}
+#if LLVM_MAJOR >= 16
+ icmp_inv_cmp->insertInto(inv_cmp_bb, inv_cmp_bb->end());
+#else
inv_cmp_bb->getInstList().push_back(icmp_inv_cmp);
+#endif
worklist.push_back(icmp_inv_cmp);
auto term = bb->getTerminator();
@@ -728,12 +768,18 @@ bool SplitComparesTransform::splitCompare(CmpInst *cmp_inst, Module &M,
BasicBlock *cmp_low_bb =
BasicBlock::Create(C, "" /*"injected"*/, end_bb->getParent(), end_bb);
op0_low = new TruncInst(op0, NewIntType);
- cmp_low_bb->getInstList().push_back(op0_low);
op1_low = new TruncInst(op1, NewIntType);
- cmp_low_bb->getInstList().push_back(op1_low);
-
icmp_low = CmpInst::Create(Instruction::ICmp, pred, op0_low, op1_low);
+
+#if LLVM_MAJOR >= 16
+ op0_low->insertInto(cmp_low_bb, cmp_low_bb->end());
+ op1_low->insertInto(cmp_low_bb, cmp_low_bb->end());
+ icmp_low->insertInto(cmp_low_bb, cmp_low_bb->end());
+#else
+ cmp_low_bb->getInstList().push_back(op0_low);
+ cmp_low_bb->getInstList().push_back(op1_low);
cmp_low_bb->getInstList().push_back(icmp_low);
+#endif
BranchInst::Create(end_bb, cmp_low_bb);
BranchInst::Create(end_bb, cmp_low_bb, icmp_inv_cmp, inv_cmp_bb);
@@ -754,7 +800,11 @@ bool SplitComparesTransform::splitCompare(CmpInst *cmp_inst, Module &M,
}
BasicBlock::iterator ii(cmp_inst);
+#if LLVM_MAJOR >= 16
+ ReplaceInstWithInst(cmp_inst->getParent(), ii, PN);
+#else
ReplaceInstWithInst(cmp_inst->getParent()->getInstList(), ii, PN);
+#endif
// We split the comparison into low and high. If this isn't our target
// bitwidth we recursively split the low and high parts again until we have
@@ -999,13 +1049,21 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
Instruction *bpre_op0, *bpre_op1;
bpre_op0 = CastInst::Create(Instruction::BitCast, op0,
IntegerType::get(C, op_size));
+#if LLVM_MAJOR >= 16
+ bpre_op0->insertInto(bb, BasicBlock::iterator(bb->getTerminator()));
+#else
bb->getInstList().insert(BasicBlock::iterator(bb->getTerminator()),
bpre_op0);
+#endif
bpre_op1 = CastInst::Create(Instruction::BitCast, op1,
IntegerType::get(C, op_size));
+#if LLVM_MAJOR >= 16
+ bpre_op1->insertInto(bb, BasicBlock::iterator(bb->getTerminator()));
+#else
bb->getInstList().insert(BasicBlock::iterator(bb->getTerminator()),
bpre_op1);
+#endif
/* Check if any operand is NaN.
* If so, all comparisons except unequal (which yields true) yield false */
@@ -1025,34 +1083,42 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
Instruction *nan_op0, *nan_op1;
nan_op0 = BinaryOperator::Create(Instruction::Shl, bpre_op0,
ConstantInt::get(bpre_op0->getType(), 1));
- bb->getInstList().insert(BasicBlock::iterator(bb->getTerminator()),
- nan_op0);
-
+ /* Check op1 for NaN */
+ /* Shift right 1 Bit, ignore sign bit */
+ nan_op1 = BinaryOperator::Create(Instruction::Shl, bpre_op1,
+ ConstantInt::get(bpre_op1->getType(), 1));
/* compare to NaN interval */
Instruction *is_op0_nan =
CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_UGT, nan_op0,
ConstantInt::get(intType, NaN_lowend));
+ /* compare to NaN interval */
+ Instruction *is_op1_nan =
+ CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_UGT, nan_op1,
+ ConstantInt::get(intType, NaN_lowend));
+ /* combine checks */
+ Instruction *is_nan =
+ BinaryOperator::Create(Instruction::Or, is_op0_nan, is_op1_nan);
+#if LLVM_MAJOR >= 16
+ nan_op0->insertInto(bb, BasicBlock::iterator(bb->getTerminator()));
+ is_op0_nan->insertInto(bb, BasicBlock::iterator(bb->getTerminator()));
+ nan_op1->insertInto(bb, BasicBlock::iterator(bb->getTerminator()));
+ is_op1_nan->insertInto(bb, BasicBlock::iterator(bb->getTerminator()));
+ is_nan->insertInto(bb, BasicBlock::iterator(bb->getTerminator()));
+#else
+ bb->getInstList().insert(BasicBlock::iterator(bb->getTerminator()),
+ nan_op0);
+
bb->getInstList().insert(BasicBlock::iterator(bb->getTerminator()),
is_op0_nan);
- /* Check op1 for NaN */
- /* Shift right 1 Bit, ignore sign bit */
- nan_op1 = BinaryOperator::Create(Instruction::Shl, bpre_op1,
- ConstantInt::get(bpre_op1->getType(), 1));
bb->getInstList().insert(BasicBlock::iterator(bb->getTerminator()),
nan_op1);
- /* compare to NaN interval */
- Instruction *is_op1_nan =
- CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_UGT, nan_op1,
- ConstantInt::get(intType, NaN_lowend));
bb->getInstList().insert(BasicBlock::iterator(bb->getTerminator()),
is_op1_nan);
- /* combine checks */
- Instruction *is_nan =
- BinaryOperator::Create(Instruction::Or, is_op0_nan, is_op1_nan);
bb->getInstList().insert(BasicBlock::iterator(bb->getTerminator()), is_nan);
+#endif
/* the result of the comparison, when at least one op is NaN
is true only for the "NOT EQUAL" predicates. */
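Review bot: The moved comment `/* Shift right 1 Bit, ignore sign bit */` on the new side sits directly above `BinaryOperator::Create(Instruction::Shl, bpre_op1, ...)`, which shifts left; the intent (dropping the sign bit so the NaN range compare works on the remaining bits) is right but the direction in the comment is wrong, and since the lines are being rewritten anyway this is the moment to fix it. Suggested wording: `/* Check op1 for NaN: shift left 1 bit to discard the sign bit */`. The same mismatch is present in the old-side text for op0, which the commit does not touch. splitFPCompares continues on both sides of this hunk.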
@@ -1079,23 +1145,30 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
isMzero_op0 = CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_EQ, bpre_op0,
ConstantInt::get(intType, MinusZero));
+ isMzero_op1 = CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_EQ, bpre_op1,
+ ConstantInt::get(intType, MinusZero));
+ b_op0 = SelectInst::Create(isMzero_op0, ConstantInt::get(intType, PlusZero),
+ bpre_op0);
+ b_op1 = SelectInst::Create(isMzero_op1, ConstantInt::get(intType, PlusZero),
+ bpre_op1);
+#if LLVM_MAJOR >= 16
+ isMzero_op0->insertInto(nonan_bb, BasicBlock::iterator(nonan_bb->getTerminator()));
+ isMzero_op1->insertInto(nonan_bb, BasicBlock::iterator(nonan_bb->getTerminator()));
+ b_op0->insertInto(nonan_bb, BasicBlock::iterator(nonan_bb->getTerminator()));
+ b_op1->insertInto(nonan_bb, BasicBlock::iterator(nonan_bb->getTerminator()));
+#else
nonan_bb->getInstList().insert(
BasicBlock::iterator(nonan_bb->getTerminator()), isMzero_op0);
- isMzero_op1 = CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_EQ, bpre_op1,
- ConstantInt::get(intType, MinusZero));
nonan_bb->getInstList().insert(
BasicBlock::iterator(nonan_bb->getTerminator()), isMzero_op1);
- b_op0 = SelectInst::Create(isMzero_op0, ConstantInt::get(intType, PlusZero),
- bpre_op0);
nonan_bb->getInstList().insert(
BasicBlock::iterator(nonan_bb->getTerminator()), b_op0);
- b_op1 = SelectInst::Create(isMzero_op1, ConstantInt::get(intType, PlusZero),
- bpre_op1);
nonan_bb->getInstList().insert(
BasicBlock::iterator(nonan_bb->getTerminator()), b_op1);
+#endif
/* isolate signs of value of floating point type */
@@ -1106,26 +1179,34 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
s_s0 =
BinaryOperator::Create(Instruction::LShr, b_op0,
ConstantInt::get(b_op0->getType(), op_size - 1));
+ s_s1 =
+ BinaryOperator::Create(Instruction::LShr, b_op1,
+ ConstantInt::get(b_op1->getType(), op_size - 1));
+ t_s0 = new TruncInst(s_s0, Int1Ty);
+ t_s1 = new TruncInst(s_s1, Int1Ty);
+ /* compare of the sign bits */
+ icmp_sign_bit =
+ CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_EQ, t_s0, t_s1);
+#if LLVM_MAJOR >= 16
+ s_s0->insertInto(nonan_bb, BasicBlock::iterator(nonan_bb->getTerminator()));
+ t_s0->insertInto(nonan_bb, BasicBlock::iterator(nonan_bb->getTerminator()));
+ s_s1->insertInto(nonan_bb, BasicBlock::iterator(nonan_bb->getTerminator()));
+ t_s1->insertInto(nonan_bb, BasicBlock::iterator(nonan_bb->getTerminator()));
+ icmp_sign_bit->insertInto(nonan_bb, BasicBlock::iterator(nonan_bb->getTerminator()));
+#else
nonan_bb->getInstList().insert(
BasicBlock::iterator(nonan_bb->getTerminator()), s_s0);
- t_s0 = new TruncInst(s_s0, Int1Ty);
nonan_bb->getInstList().insert(
BasicBlock::iterator(nonan_bb->getTerminator()), t_s0);
- s_s1 =
- BinaryOperator::Create(Instruction::LShr, b_op1,
- ConstantInt::get(b_op1->getType(), op_size - 1));
nonan_bb->getInstList().insert(
BasicBlock::iterator(nonan_bb->getTerminator()), s_s1);
- t_s1 = new TruncInst(s_s1, Int1Ty);
nonan_bb->getInstList().insert(
BasicBlock::iterator(nonan_bb->getTerminator()), t_s1);
- /* compare of the sign bits */
- icmp_sign_bit =
- CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_EQ, t_s0, t_s1);
nonan_bb->getInstList().insert(
BasicBlock::iterator(nonan_bb->getTerminator()), icmp_sign_bit);
+#endif
/* create a new basic block which is executed if the signedness bits are
* equal */
@@ -1157,17 +1238,28 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
s_e1 = BinaryOperator::Create(
Instruction::LShr, b_op1,
ConstantInt::get(b_op1->getType(), shiftR_exponent));
+#if LLVM_MAJOR >= 16
+ s_e0->insertInto(signequal_bb, BasicBlock::iterator(signequal_bb->getTerminator()));
+ s_e1->insertInto(signequal_bb, BasicBlock::iterator(signequal_bb->getTerminator()));
+#else
signequal_bb->getInstList().insert(
BasicBlock::iterator(signequal_bb->getTerminator()), s_e0);
signequal_bb->getInstList().insert(
BasicBlock::iterator(signequal_bb->getTerminator()), s_e1);
+#endif
t_e0 = new TruncInst(s_e0, IntExponentTy);
t_e1 = new TruncInst(s_e1, IntExponentTy);
+#if LLVM_MAJOR >= 16
+ t_e0->insertInto(signequal_bb, BasicBlock::iterator(signequal_bb->getTerminator()));
+ t_e1->insertInto(signequal_bb, BasicBlock::iterator(signequal_bb->getTerminator()));
+#else
signequal_bb->getInstList().insert(
BasicBlock::iterator(signequal_bb->getTerminator()), t_e0);
signequal_bb->getInstList().insert(
BasicBlock::iterator(signequal_bb->getTerminator()), t_e1);
+#endif
+
if (sizeInBits - precision < exTySizeBytes * 8) {
@@ -1177,10 +1269,15 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
m_e1 = BinaryOperator::Create(
Instruction::And, t_e1,
ConstantInt::get(t_e1->getType(), mask_exponent));
+#if LLVM_MAJOR >= 16
+ m_e0->insertInto(signequal_bb, BasicBlock::iterator(signequal_bb->getTerminator()));
+ m_e1->insertInto(signequal_bb, BasicBlock::iterator(signequal_bb->getTerminator()));
+#else
signequal_bb->getInstList().insert(
BasicBlock::iterator(signequal_bb->getTerminator()), m_e0);
signequal_bb->getInstList().insert(
BasicBlock::iterator(signequal_bb->getTerminator()), m_e1);
+#endif
} else {
@@ -1214,9 +1311,13 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
Instruction *icmp_exponent;
icmp_exponents_equal =
CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_EQ, m_e0, m_e1);
+#if LLVM_MAJOR >= 16
+ icmp_exponents_equal->insertInto(signequal_bb, BasicBlock::iterator(signequal_bb->getTerminator()));
+#else
signequal_bb->getInstList().insert(
BasicBlock::iterator(signequal_bb->getTerminator()),
icmp_exponents_equal);
+#endif
// shortcut for unequal exponents
signequal2_bb = signequal_bb->splitBasicBlock(
@@ -1230,9 +1331,13 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
icmp_exponent =
CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_UGT, m_e0, m_e1);
+#if LLVM_MAJOR >= 16
+ icmp_exponent->insertInto(signequal2_bb, BasicBlock::iterator(signequal2_bb->getTerminator()));
+#else
signequal2_bb->getInstList().insert(
BasicBlock::iterator(signequal2_bb->getTerminator()),
icmp_exponent);
+#endif
icmp_exponent_result =
BinaryOperator::Create(Instruction::Xor, icmp_exponent, t_s0);
break;
@@ -1240,9 +1345,13 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
case CmpInst::FCMP_ULT:
icmp_exponents_equal =
CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_EQ, m_e0, m_e1);
+#if LLVM_MAJOR >= 16
+ icmp_exponents_equal->insertInto(signequal_bb, BasicBlock::iterator(signequal_bb->getTerminator()));
+#else
signequal_bb->getInstList().insert(
BasicBlock::iterator(signequal_bb->getTerminator()),
icmp_exponents_equal);
+#endif
// shortcut for unequal exponents
signequal2_bb = signequal_bb->splitBasicBlock(
@@ -1256,9 +1365,13 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
icmp_exponent =
CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_ULT, m_e0, m_e1);
+#if LLVM_MAJOR >= 16
+ icmp_exponent->insertInto(signequal2_bb, BasicBlock::iterator(signequal2_bb->getTerminator()));
+#else
signequal2_bb->getInstList().insert(
BasicBlock::iterator(signequal2_bb->getTerminator()),
icmp_exponent);
+#endif
icmp_exponent_result =
BinaryOperator::Create(Instruction::Xor, icmp_exponent, t_s0);
break;
@@ -1267,9 +1380,13 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
}
+#if LLVM_MAJOR >= 16
+ icmp_exponent_result->insertInto(signequal2_bb, BasicBlock::iterator(signequal2_bb->getTerminator()));
+#else
signequal2_bb->getInstList().insert(
BasicBlock::iterator(signequal2_bb->getTerminator()),
icmp_exponent_result);
+#endif
{
@@ -1319,19 +1436,29 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
m_f1 = BinaryOperator::Create(
Instruction::And, b_op1,
ConstantInt::get(b_op1->getType(), mask_fraction));
+#if LLVM_MAJOR >= 16
+ m_f0->insertInto(middle_bb, BasicBlock::iterator(middle_bb->getTerminator()));
+ m_f1->insertInto(middle_bb, BasicBlock::iterator(middle_bb->getTerminator()));
+#else
middle_bb->getInstList().insert(
BasicBlock::iterator(middle_bb->getTerminator()), m_f0);
middle_bb->getInstList().insert(
BasicBlock::iterator(middle_bb->getTerminator()), m_f1);
+#endif
if (needTrunc) {
t_f0 = new TruncInst(m_f0, IntFractionTy);
t_f1 = new TruncInst(m_f1, IntFractionTy);
+#if LLVM_MAJOR >= 16
+ t_f0->insertInto(middle_bb, BasicBlock::iterator(middle_bb->getTerminator()));
+ t_f1->insertInto(middle_bb, BasicBlock::iterator(middle_bb->getTerminator()));
+#else
middle_bb->getInstList().insert(
BasicBlock::iterator(middle_bb->getTerminator()), t_f0);
middle_bb->getInstList().insert(
BasicBlock::iterator(middle_bb->getTerminator()), t_f1);
+#endif
} else {
@@ -1346,10 +1473,15 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
t_f0 = new TruncInst(b_op0, IntFractionTy);
t_f1 = new TruncInst(b_op1, IntFractionTy);
+#if LLVM_MAJOR >= 16
+ t_f0->insertInto(middle_bb, BasicBlock::iterator(middle_bb->getTerminator()));
+ t_f1->insertInto(middle_bb, BasicBlock::iterator(middle_bb->getTerminator()));
+#else
middle_bb->getInstList().insert(
BasicBlock::iterator(middle_bb->getTerminator()), t_f0);
middle_bb->getInstList().insert(
BasicBlock::iterator(middle_bb->getTerminator()), t_f1);
+#endif
} else {
@@ -1370,18 +1502,26 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
case CmpInst::FCMP_OEQ:
icmp_fraction_result =
CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_EQ, t_f0, t_f1);
+#if LLVM_MAJOR >= 16
+ icmp_fraction_result->insertInto(middle2_bb, BasicBlock::iterator(middle2_bb->getTerminator()));
+#else
middle2_bb->getInstList().insert(
BasicBlock::iterator(middle2_bb->getTerminator()),
icmp_fraction_result);
+#endif
break;
case CmpInst::FCMP_UNE:
case CmpInst::FCMP_ONE:
icmp_fraction_result =
CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_NE, t_f0, t_f1);
+#if LLVM_MAJOR >= 16
+ icmp_fraction_result->insertInto(middle2_bb, BasicBlock::iterator(middle2_bb->getTerminator()));
+#else
middle2_bb->getInstList().insert(
BasicBlock::iterator(middle2_bb->getTerminator()),
icmp_fraction_result);
+#endif
break;
case CmpInst::FCMP_OGT:
@@ -1402,21 +1542,31 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
if (FcmpInst->getPredicate() == CmpInst::FCMP_OGT ||
FcmpInst->getPredicate() == CmpInst::FCMP_UGT) {
- negative_bb->getInstList().push_back(
- icmp_fraction_result = CmpInst::Create(
- Instruction::ICmp, CmpInst::ICMP_ULT, t_f0, t_f1));
- positive_bb->getInstList().push_back(
- icmp_fraction_result2 = CmpInst::Create(
- Instruction::ICmp, CmpInst::ICMP_UGT, t_f0, t_f1));
+ icmp_fraction_result = CmpInst::Create(
+ Instruction::ICmp, CmpInst::ICMP_ULT, t_f0, t_f1);
+ icmp_fraction_result2 = CmpInst::Create(
+ Instruction::ICmp, CmpInst::ICMP_UGT, t_f0, t_f1);
+#if LLVM_MAJOR >= 16
+ icmp_fraction_result->insertInto(negative_bb, negative_bb->end());
+ icmp_fraction_result2->insertInto(positive_bb, negative_bb->end());
+#else
+ negative_bb->getInstList().push_back(icmp_fraction_result);
+ positive_bb->getInstList().push_back(icmp_fraction_result2);
+#endif
} else {
- negative_bb->getInstList().push_back(
- icmp_fraction_result = CmpInst::Create(
- Instruction::ICmp, CmpInst::ICMP_UGT, t_f0, t_f1));
- positive_bb->getInstList().push_back(
- icmp_fraction_result2 = CmpInst::Create(
- Instruction::ICmp, CmpInst::ICMP_ULT, t_f0, t_f1));
+ icmp_fraction_result = CmpInst::Create(
+ Instruction::ICmp, CmpInst::ICMP_UGT, t_f0, t_f1);
+ icmp_fraction_result2 = CmpInst::Create(
+ Instruction::ICmp, CmpInst::ICMP_ULT, t_f0, t_f1);
+#if LLVM_MAJOR >= 16
+ icmp_fraction_result->insertInto(negative_bb, negative_bb->end());
+ icmp_fraction_result2->insertInto(positive_bb, negative_bb->end());
+#else
+ negative_bb->getInstList().push_back(icmp_fraction_result);
+ positive_bb->getInstList().push_back(icmp_fraction_result2);
+#endif
}
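Review bot: `icmp_fraction_result2->insertInto(positive_bb, negative_bb->end());` on both new-side branches of this hunk inserts into `positive_bb` using an iterator that belongs to `negative_bb`; the replaced `positive_bb->getInstList().push_back(icmp_fraction_result2)` appended to `positive_bb` itself. Mixing a block with another block's iterator is not a valid insertion position for that block's instruction list and will at best trip an assertion in a debug LLVM build, at worst corrupt the list silently in a release build. Both occurrences should read `icmp_fraction_result2->insertInto(positive_bb, positive_bb->end());`. The enclosing switch case starts before this hunk.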
@@ -1430,8 +1580,12 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
PN2 = PHINode::Create(Int1Ty, 2, "");
PN2->addIncoming(icmp_fraction_result, negative_bb);
PN2->addIncoming(icmp_fraction_result2, positive_bb);
+#if LLVM_MAJOR >= 16
+ PN2->insertInto(middle2_bb, BasicBlock::iterator(middle2_bb->getTerminator()));
+#else
middle2_bb->getInstList().insert(
BasicBlock::iterator(middle2_bb->getTerminator()), PN2);
+#endif
} break;
@@ -1494,7 +1648,11 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
}
BasicBlock::iterator ii(FcmpInst);
+#if LLVM_MAJOR >= 16
+ ReplaceInstWithInst(FcmpInst->getParent(), ii, PN);
+#else
ReplaceInstWithInst(FcmpInst->getParent()->getInstList(), ii, PN);
+#endif
++count;
}
diff --git a/instrumentation/split-switches-pass.so.cc b/instrumentation/split-switches-pass.so.cc
index 79ba12d2..aeb9c48e 100644
--- a/instrumentation/split-switches-pass.so.cc
+++ b/instrumentation/split-switches-pass.so.cc
@@ -225,12 +225,20 @@ BasicBlock *SplitSwitchesTransform::switchConvert(
BasicBlock *NewNode = BasicBlock::Create(Val->getContext(), "NodeBlock", F);
Shift = BinaryOperator::Create(Instruction::LShr, Val,
ConstantInt::get(ValType, smallestIndex * 8));
+#if LLVM_VERSION_MAJOR >= 16
+ Shift->insertInto(NewNode, NewNode->end());
+#else
NewNode->getInstList().push_back(Shift);
+#endif
if (ValTypeBitWidth > 8) {
Trunc = new TruncInst(Shift, ByteType);
+#if LLVM_VERSION_MAJOR >= 16
+ Trunc->insertInto(NewNode, NewNode->end());
+#else
NewNode->getInstList().push_back(Trunc);
+#endif
} else {
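Review bot: This file gates the LLVM 16 insertion API on `LLVM_VERSION_MAJOR`, while split-compares-pass.so.cc in the same commit gates the identical change on `LLVM_MAJOR`; unless the two macros are guaranteed to agree in every build configuration, one of the files will silently take the wrong branch. Pick one macro for all instrumentation passes (the remaining hunks of this file share this file's choice, so the change is mechanical). switchConvert begins outside this hunk.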
@@ -253,7 +261,11 @@ BasicBlock *SplitSwitchesTransform::switchConvert(
ICmpInst *Comp =
new ICmpInst(ICmpInst::ICMP_EQ, Trunc, ConstantInt::get(ByteType, byte),
"byteMatch");
+#if LLVM_VERSION_MAJOR >= 16
+ Comp->insertInto(NewNode, NewNode->end());
+#else
NewNode->getInstList().push_back(Comp);
+#endif
bytesChecked[smallestIndex] = true;
bool allBytesAreChecked = true;
@@ -355,7 +367,11 @@ BasicBlock *SplitSwitchesTransform::switchConvert(
ICmpInst *Comp =
new ICmpInst(ICmpInst::ICMP_ULT, Trunc,
ConstantInt::get(ByteType, pivot), "byteMatch");
+#if LLVM_VERSION_MAJOR >= 16
+ Comp->insertInto(NewNode, NewNode->end());
+#else
NewNode->getInstList().push_back(Comp);
+#endif
BranchInst::Create(LBB, RBB, Comp, NewNode);
}
@@ -452,7 +468,11 @@ bool SplitSwitchesTransform::splitSwitches(Module &M) {
BranchInst::Create(SwitchBlock, OrigBlock);
/* We are now done with the switch instruction, delete it. */
+#if LLVM_VERSION_MAJOR >= 16
+ // TODO to erase range of instructions instead ?
+#else
CurBlock->getInstList().erase(SI);
+#endif
/* we have to update the phi nodes! */
for (BasicBlock::iterator I = Default->begin(); I != Default->end(); ++I) {
--
cgit 1.4.1
From 5837322310b0dc8a05347384900e7fbfcd1db42b Mon Sep 17 00:00:00 2001
From: David Carlier
Date: Mon, 23 Jan 2023 22:56:04 +0000
Subject: erase the switch instruction from the current parent
---
instrumentation/split-switches-pass.so.cc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'instrumentation')
diff --git a/instrumentation/split-switches-pass.so.cc b/instrumentation/split-switches-pass.so.cc
index aeb9c48e..dcd89652 100644
--- a/instrumentation/split-switches-pass.so.cc
+++ b/instrumentation/split-switches-pass.so.cc
@@ -469,7 +469,7 @@ bool SplitSwitchesTransform::splitSwitches(Module &M) {
/* We are now done with the switch instruction, delete it. */
#if LLVM_VERSION_MAJOR >= 16
- // TODO to erase range of instructions instead ?
+ SI->eraseFromParent();
#else
CurBlock->getInstList().erase(SI);
#endif
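Review bot: `SI->eraseFromParent()` is available on every LLVM version this file builds against and is exactly what `CurBlock->getInstList().erase(SI)` did, so after this fix the two sides of `#if LLVM_VERSION_MAJOR >= 16` are equivalent and the conditional no longer buys anything. Collapse the five lines into one unconditional `SI->eraseFromParent();`. splitSwitches continues outside this hunk.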
--
cgit 1.4.1
From 0251b9bfd8545b8070d8e5c1294c4b1e7968dcf4 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Tue, 24 Jan 2023 14:56:14 +0100
Subject: llvm15 pcguard_init earlier constructor
---
instrumentation/afl-compiler-rt.o.c | 3 +++
1 file changed, 3 insertions(+)
(limited to 'instrumentation')
diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c
index 9c6345b6..dcff6a0f 100644
--- a/instrumentation/afl-compiler-rt.o.c
+++ b/instrumentation/afl-compiler-rt.o.c
@@ -1514,6 +1514,9 @@ void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) {
_is_sancov = 1;
+ __afl_auto_first();
+ __afl_auto_second();
+
if (__afl_debug) {
fprintf(stderr,
--
cgit 1.4.1
From c5a84a124c56a9478cf779b5aea7369a4eed07ed Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Wed, 25 Jan 2023 13:33:02 +0100
Subject: fixes
---
instrumentation/afl-compiler-rt.o.c | 5 +++++
utils/aflpp_driver/GNUmakefile | 23 ++++++++++++++---------
2 files changed, 19 insertions(+), 9 deletions(-)
(limited to 'instrumentation')
diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c
index dcff6a0f..d6d6c38c 100644
--- a/instrumentation/afl-compiler-rt.o.c
+++ b/instrumentation/afl-compiler-rt.o.c
@@ -149,6 +149,7 @@ u32 __afl_already_initialized_shm;
u32 __afl_already_initialized_forkserver;
u32 __afl_already_initialized_first;
u32 __afl_already_initialized_second;
+u32 __afl_already_initialized_early;
u32 __afl_already_initialized_init;
/* Dummy pipe for area_is_valid() */
@@ -1373,6 +1374,9 @@ __attribute__((constructor(EARLY_FS_PRIO))) void __early_forkserver(void) {
__attribute__((constructor(CTOR_PRIO))) void __afl_auto_early(void) {
+ if (__afl_already_initialized_early) return;
+ __afl_already_initialized_early = 1;
+
is_persistent = !!getenv(PERSIST_ENV_VAR);
if (getenv("AFL_DISABLE_LLVM_INSTRUMENTATION")) return;
@@ -1516,6 +1520,7 @@ void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) {
__afl_auto_first();
__afl_auto_second();
+ __afl_auto_early();
if (__afl_debug) {
diff --git a/utils/aflpp_driver/GNUmakefile b/utils/aflpp_driver/GNUmakefile
index 234a1c31..b973f96a 100644
--- a/utils/aflpp_driver/GNUmakefile
+++ b/utils/aflpp_driver/GNUmakefile
@@ -8,9 +8,14 @@ ifeq "$(shell uname -s)" "Darwin"
LDFLAGS += $(SDK_LD)
endif
+ifeq "" "$(LLVM_CONFIG)"
+ LLVM_CONFIG := llvm-config
+endif
LLVM_BINDIR = $(shell $(LLVM_CONFIG) --bindir 2>/dev/null)
ifneq "" "$(LLVM_BINDIR)"
- LLVM_BINDIR := $(LLVM_BINDIR)/
+ ifeq "$(shell test -x $(LLVM_BINDIR)/clang && echo 1)" "1"
+ CC := $(LLVM_BINDIR)/clang
+ endif
endif
CFLAGS := -O3 -funroll-loops -g -fPIC
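Review bot: `CC` is only assigned when `$(LLVM_BINDIR)/clang` exists, so when llvm-config is absent or its bindir has no clang the recipes in the next hunk run make's built-in `CC` (normally `cc`), whereas the removed `$(LLVM_BINDIR)clang` form still ran `clang` from `$PATH` in that case. If clang is meant to stay the fallback, replace make's default before the `LLVM_BINDIR` block: `ifeq "$(origin CC)" "default"` / `  CC := clang` / `endif` (unless CC is already assigned earlier in the file, which is outside this hunk). The unquoted `test -x $(LLVM_BINDIR)/clang` also misbehaves for a bindir containing spaces.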
@@ -18,31 +23,31 @@ CFLAGS := -O3 -funroll-loops -g -fPIC
all: libAFLDriver.a libAFLQemuDriver.a aflpp_qemu_driver_hook.so
aflpp_driver.o: aflpp_driver.c
- -$(LLVM_BINDIR)clang -I. -I../../include $(CFLAGS) -c aflpp_driver.c
+ -$(CC) -I. -I../../include $(CFLAGS) -c aflpp_driver.c
libAFLDriver.a: aflpp_driver.o
@ar rc libAFLDriver.a aflpp_driver.o
@cp -vf libAFLDriver.a ../../
debug:
- $(LLVM_BINDIR)clang -Wno-deprecated -I../../include $(CFLAGS) -D_DEBUG=\"1\" -c -o afl-performance.o ../../src/afl-performance.c
- $(LLVM_BINDIR)clang -I../../include -D_DEBUG=\"1\" -g -funroll-loops -c aflpp_driver.c
- #$(LLVM_BINDIR)clang -S -emit-llvm -Wno-deprecated -I../../include $(CFLAGS) -D_DEBUG=\"1\" -c -o afl-performance.ll ../../src/afl-performance.c
- #$(LLVM_BINDIR)clang -S -emit-llvm -I../../include -D_DEBUG=\"1\" -g -funroll-loops -c aflpp_driver.c
+ $(CC) -Wno-deprecated -I../../include $(CFLAGS) -D_DEBUG=\"1\" -c -o afl-performance.o ../../src/afl-performance.c
+ $(CC) -I../../include -D_DEBUG=\"1\" -g -funroll-loops -c aflpp_driver.c
+ #$(CC) -S -emit-llvm -Wno-deprecated -I../../include $(CFLAGS) -D_DEBUG=\"1\" -c -o afl-performance.ll ../../src/afl-performance.c
+ #$(CC) -S -emit-llvm -I../../include -D_DEBUG=\"1\" -g -funroll-loops -c aflpp_driver.c
ar rc libAFLDriver.a afl-performance.o aflpp_driver.o
aflpp_qemu_driver.o: aflpp_qemu_driver.c
- -$(LLVM_BINDIR)clang $(CFLAGS) -O0 -funroll-loops -c aflpp_qemu_driver.c
+ -$(CC) $(CFLAGS) -O0 -funroll-loops -c aflpp_qemu_driver.c
libAFLQemuDriver.a: aflpp_qemu_driver.o
@-ar rc libAFLQemuDriver.a aflpp_qemu_driver.o
@-cp -vf libAFLQemuDriver.a ../../
aflpp_qemu_driver_hook.so: aflpp_qemu_driver_hook.o
- @-test -e aflpp_qemu_driver_hook.o && $(LLVM_BINDIR)clang $(LDFLAGS) -shared aflpp_qemu_driver_hook.o -o aflpp_qemu_driver_hook.so || echo "Note: Optional aflpp_qemu_driver_hook.so not built."
+ @-test -e aflpp_qemu_driver_hook.o && $(CC) $(LDFLAGS) -shared aflpp_qemu_driver_hook.o -o aflpp_qemu_driver_hook.so || echo "Note: Optional aflpp_qemu_driver_hook.so not built."
aflpp_qemu_driver_hook.o: aflpp_qemu_driver_hook.c
- @-test -e ../../qemu_mode/qemuafl/qemuafl/api.h && $(LLVM_BINDIR)clang $(CFLAGS) -funroll-loops -c aflpp_qemu_driver_hook.c || echo "Note: Optional aflpp_qemu_driver_hook.o not built."
+ @-test -e ../../qemu_mode/qemuafl/qemuafl/api.h && $(CC) $(CFLAGS) -funroll-loops -c aflpp_qemu_driver_hook.c || echo "Note: Optional aflpp_qemu_driver_hook.o not built."
test: debug
#clang -S -emit-llvm -D_DEBUG=\"1\" -I../../include -Wl,--allow-multiple-definition -funroll-loops -o aflpp_driver_test.ll aflpp_driver_test.c
--
cgit 1.4.1
From 4946e9cc3a340efd9b08807ae5cb0a657e0214a9 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Thu, 2 Feb 2023 12:08:45 +0100
Subject: small fix to compiler rt
---
instrumentation/afl-compiler-rt.o.c | 66 ++++++++++---------------------------
1 file changed, 17 insertions(+), 49 deletions(-)
(limited to 'instrumentation')
diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c
index d6d6c38c..6ba19b5a 100644
--- a/instrumentation/afl-compiler-rt.o.c
+++ b/instrumentation/afl-compiler-rt.o.c
@@ -1534,6 +1534,16 @@ void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) {
if (start == stop || *start) return;
+ x = getenv("AFL_INST_RATIO");
+ if (x) { inst_ratio = (u32)atoi(x); }
+
+ if (!inst_ratio || inst_ratio > 100) {
+
+ fprintf(stderr, "[-] ERROR: Invalid AFL_INST_RATIO (must be 1-100).\n");
+ abort();
+
+ }
+
// If a dlopen of an instrumented library happens after the forkserver then
// we have a problem as we cannot increase the coverage map anymore.
if (__afl_already_initialized_forkserver) {
@@ -1554,62 +1564,20 @@ void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) {
while (start < stop) {
- *(start++) = offset;
+ if (likely(inst_ratio == 100) || R(100) < inst_ratio)
+ *start = offset;
+ else
+ *start = 0; // write to map[0]
if (unlikely(++offset >= __afl_final_loc)) { offset = 4; }
}
}
- }
-
- x = getenv("AFL_INST_RATIO");
- if (x) { inst_ratio = (u32)atoi(x); }
-
- if (!inst_ratio || inst_ratio > 100) {
-
- fprintf(stderr, "[-] ERROR: Invalid AFL_INST_RATIO (must be 1-100).\n");
- abort();
-
- }
-
- /* instrumented code is loaded *after* our forkserver is up. this is a
- problem. We cannot prevent collisions then :( */
- /*
- if (__afl_already_initialized_forkserver &&
- __afl_final_loc + 1 + stop - start > __afl_map_size) {
-
- if (__afl_debug) {
-
- fprintf(stderr, "Warning: new instrumented code after the forkserver!\n");
-
- }
-
- __afl_final_loc = 2;
-
- if (1 + stop - start > __afl_map_size) {
-
- *(start++) = ++__afl_final_loc;
-
- while (start < stop) {
-
- if (R(100) < inst_ratio)
- *start = ++__afl_final_loc % __afl_map_size;
- else
- *start = 4;
-
- start++;
-
- }
-
- return;
-
- }
+ return; // we are done for this special case
}
- */
-
/* Make sure that the first element in the range is always set - we use that
to avoid duplicate calls (which can happen as an artifact of the underlying
implementation in LLVM). */
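Review bot: The rewritten loop body in the `__afl_already_initialized_forkserver` branch no longer advances `start`: the removed `*(start++) = offset;` carried the increment, and the replacement `*start = offset;` / `*start = 0;` together with the `offset` update do not, so `while (start < stop)` cannot terminate on the dlopen-after-forkserver path unless an increment sits on a line the hunk does not show. Add `start++;` after the `if`/`else`, as the loop in the following hunk at -1618 does after the same `if`/`else`. __sanitizer_cov_trace_pc_guard_init begins and ends outside this hunk.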
@@ -1618,10 +1586,10 @@ void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) {
while (start < stop) {
- if (R(100) < inst_ratio)
+ if (likely(inst_ratio == 100) || R(100) < inst_ratio)
*start = ++__afl_final_loc;
else
- *start = 4;
+ *start = 0; // write to map[0]
start++;
--
cgit 1.4.1
From 25b4b32627a1ef1e65b328f90f3ad1fd25d8f906 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Thu, 2 Feb 2023 12:13:48 +0100
Subject: small fix to compiler rt
---
instrumentation/afl-compiler-rt.o.c | 2 ++
1 file changed, 2 insertions(+)
(limited to 'instrumentation')
diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c
index 6ba19b5a..b1ce4427 100644
--- a/instrumentation/afl-compiler-rt.o.c
+++ b/instrumentation/afl-compiler-rt.o.c
@@ -1582,6 +1582,8 @@ void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) {
to avoid duplicate calls (which can happen as an artifact of the underlying
implementation in LLVM). */
+ if (__afl_final_loc < 3) __afl_final_loc = 3; // we skip the first 4 entries
+
*(start++) = ++__afl_final_loc;
while (start < stop) {
--
cgit 1.4.1
From 53c19a807c701760af577cea1f44916d9133a971 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Sat, 4 Feb 2023 14:09:50 +0100
Subject: code indent
---
instrumentation/split-compares-pass.so.cc | 102 +++++++++++++++++++-----------
src/afl-gotcpu.c | 4 +-
2 files changed, 66 insertions(+), 40 deletions(-)
(limited to 'instrumentation')
diff --git a/instrumentation/split-compares-pass.so.cc b/instrumentation/split-compares-pass.so.cc
index dd7b09a6..8a07610c 100644
--- a/instrumentation/split-compares-pass.so.cc
+++ b/instrumentation/split-compares-pass.so.cc
@@ -1152,10 +1152,14 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
b_op1 = SelectInst::Create(isMzero_op1, ConstantInt::get(intType, PlusZero),
bpre_op1);
#if LLVM_MAJOR >= 16
- isMzero_op0->insertInto(nonan_bb, BasicBlock::iterator(nonan_bb->getTerminator()));
- isMzero_op1->insertInto(nonan_bb, BasicBlock::iterator(nonan_bb->getTerminator()));
- b_op0->insertInto(nonan_bb, BasicBlock::iterator(nonan_bb->getTerminator()));
- b_op1->insertInto(nonan_bb, BasicBlock::iterator(nonan_bb->getTerminator()));
+ isMzero_op0->insertInto(nonan_bb,
+ BasicBlock::iterator(nonan_bb->getTerminator()));
+ isMzero_op1->insertInto(nonan_bb,
+ BasicBlock::iterator(nonan_bb->getTerminator()));
+ b_op0->insertInto(nonan_bb,
+ BasicBlock::iterator(nonan_bb->getTerminator()));
+ b_op1->insertInto(nonan_bb,
+ BasicBlock::iterator(nonan_bb->getTerminator()));
#else
nonan_bb->getInstList().insert(
BasicBlock::iterator(nonan_bb->getTerminator()), isMzero_op0);
@@ -1192,7 +1196,8 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
t_s0->insertInto(nonan_bb, BasicBlock::iterator(nonan_bb->getTerminator()));
s_s1->insertInto(nonan_bb, BasicBlock::iterator(nonan_bb->getTerminator()));
t_s1->insertInto(nonan_bb, BasicBlock::iterator(nonan_bb->getTerminator()));
- icmp_sign_bit->insertInto(nonan_bb, BasicBlock::iterator(nonan_bb->getTerminator()));
+ icmp_sign_bit->insertInto(nonan_bb,
+ BasicBlock::iterator(nonan_bb->getTerminator()));
#else
nonan_bb->getInstList().insert(
BasicBlock::iterator(nonan_bb->getTerminator()), s_s0);
@@ -1239,8 +1244,10 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
Instruction::LShr, b_op1,
ConstantInt::get(b_op1->getType(), shiftR_exponent));
#if LLVM_MAJOR >= 16
- s_e0->insertInto(signequal_bb, BasicBlock::iterator(signequal_bb->getTerminator()));
- s_e1->insertInto(signequal_bb, BasicBlock::iterator(signequal_bb->getTerminator()));
+ s_e0->insertInto(signequal_bb,
+ BasicBlock::iterator(signequal_bb->getTerminator()));
+ s_e1->insertInto(signequal_bb,
+ BasicBlock::iterator(signequal_bb->getTerminator()));
#else
signequal_bb->getInstList().insert(
BasicBlock::iterator(signequal_bb->getTerminator()), s_e0);
@@ -1251,15 +1258,16 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
t_e0 = new TruncInst(s_e0, IntExponentTy);
t_e1 = new TruncInst(s_e1, IntExponentTy);
#if LLVM_MAJOR >= 16
- t_e0->insertInto(signequal_bb, BasicBlock::iterator(signequal_bb->getTerminator()));
- t_e1->insertInto(signequal_bb, BasicBlock::iterator(signequal_bb->getTerminator()));
+ t_e0->insertInto(signequal_bb,
+ BasicBlock::iterator(signequal_bb->getTerminator()));
+ t_e1->insertInto(signequal_bb,
+ BasicBlock::iterator(signequal_bb->getTerminator()));
#else
signequal_bb->getInstList().insert(
BasicBlock::iterator(signequal_bb->getTerminator()), t_e0);
signequal_bb->getInstList().insert(
BasicBlock::iterator(signequal_bb->getTerminator()), t_e1);
#endif
-
if (sizeInBits - precision < exTySizeBytes * 8) {
@@ -1270,8 +1278,10 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
Instruction::And, t_e1,
ConstantInt::get(t_e1->getType(), mask_exponent));
#if LLVM_MAJOR >= 16
- m_e0->insertInto(signequal_bb, BasicBlock::iterator(signequal_bb->getTerminator()));
- m_e1->insertInto(signequal_bb, BasicBlock::iterator(signequal_bb->getTerminator()));
+ m_e0->insertInto(signequal_bb,
+ BasicBlock::iterator(signequal_bb->getTerminator()));
+ m_e1->insertInto(signequal_bb,
+ BasicBlock::iterator(signequal_bb->getTerminator()));
#else
signequal_bb->getInstList().insert(
BasicBlock::iterator(signequal_bb->getTerminator()), m_e0);
@@ -1312,7 +1322,8 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
icmp_exponents_equal =
CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_EQ, m_e0, m_e1);
#if LLVM_MAJOR >= 16
- icmp_exponents_equal->insertInto(signequal_bb, BasicBlock::iterator(signequal_bb->getTerminator()));
+ icmp_exponents_equal->insertInto(
+ signequal_bb, BasicBlock::iterator(signequal_bb->getTerminator()));
#else
signequal_bb->getInstList().insert(
BasicBlock::iterator(signequal_bb->getTerminator()),
@@ -1332,7 +1343,9 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
icmp_exponent =
CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_UGT, m_e0, m_e1);
#if LLVM_MAJOR >= 16
- icmp_exponent->insertInto(signequal2_bb, BasicBlock::iterator(signequal2_bb->getTerminator()));
+ icmp_exponent->insertInto(
+ signequal2_bb,
+ BasicBlock::iterator(signequal2_bb->getTerminator()));
#else
signequal2_bb->getInstList().insert(
BasicBlock::iterator(signequal2_bb->getTerminator()),
@@ -1346,7 +1359,8 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
icmp_exponents_equal =
CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_EQ, m_e0, m_e1);
#if LLVM_MAJOR >= 16
- icmp_exponents_equal->insertInto(signequal_bb, BasicBlock::iterator(signequal_bb->getTerminator()));
+ icmp_exponents_equal->insertInto(
+ signequal_bb, BasicBlock::iterator(signequal_bb->getTerminator()));
#else
signequal_bb->getInstList().insert(
BasicBlock::iterator(signequal_bb->getTerminator()),
@@ -1366,7 +1380,9 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
icmp_exponent =
CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_ULT, m_e0, m_e1);
#if LLVM_MAJOR >= 16
- icmp_exponent->insertInto(signequal2_bb, BasicBlock::iterator(signequal2_bb->getTerminator()));
+ icmp_exponent->insertInto(
+ signequal2_bb,
+ BasicBlock::iterator(signequal2_bb->getTerminator()));
#else
signequal2_bb->getInstList().insert(
BasicBlock::iterator(signequal2_bb->getTerminator()),
@@ -1381,7 +1397,8 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
}
#if LLVM_MAJOR >= 16
- icmp_exponent_result->insertInto(signequal2_bb, BasicBlock::iterator(signequal2_bb->getTerminator()));
+ icmp_exponent_result->insertInto(
+ signequal2_bb, BasicBlock::iterator(signequal2_bb->getTerminator()));
#else
signequal2_bb->getInstList().insert(
BasicBlock::iterator(signequal2_bb->getTerminator()),
@@ -1437,8 +1454,10 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
Instruction::And, b_op1,
ConstantInt::get(b_op1->getType(), mask_fraction));
#if LLVM_MAJOR >= 16
- m_f0->insertInto(middle_bb, BasicBlock::iterator(middle_bb->getTerminator()));
- m_f1->insertInto(middle_bb, BasicBlock::iterator(middle_bb->getTerminator()));
+ m_f0->insertInto(middle_bb,
+ BasicBlock::iterator(middle_bb->getTerminator()));
+ m_f1->insertInto(middle_bb,
+ BasicBlock::iterator(middle_bb->getTerminator()));
#else
middle_bb->getInstList().insert(
BasicBlock::iterator(middle_bb->getTerminator()), m_f0);
@@ -1451,8 +1470,10 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
t_f0 = new TruncInst(m_f0, IntFractionTy);
t_f1 = new TruncInst(m_f1, IntFractionTy);
#if LLVM_MAJOR >= 16
- t_f0->insertInto(middle_bb, BasicBlock::iterator(middle_bb->getTerminator()));
- t_f1->insertInto(middle_bb, BasicBlock::iterator(middle_bb->getTerminator()));
+ t_f0->insertInto(middle_bb,
+ BasicBlock::iterator(middle_bb->getTerminator()));
+ t_f1->insertInto(middle_bb,
+ BasicBlock::iterator(middle_bb->getTerminator()));
#else
middle_bb->getInstList().insert(
BasicBlock::iterator(middle_bb->getTerminator()), t_f0);
@@ -1474,8 +1495,10 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
t_f0 = new TruncInst(b_op0, IntFractionTy);
t_f1 = new TruncInst(b_op1, IntFractionTy);
#if LLVM_MAJOR >= 16
- t_f0->insertInto(middle_bb, BasicBlock::iterator(middle_bb->getTerminator()));
- t_f1->insertInto(middle_bb, BasicBlock::iterator(middle_bb->getTerminator()));
+ t_f0->insertInto(middle_bb,
+ BasicBlock::iterator(middle_bb->getTerminator()));
+ t_f1->insertInto(middle_bb,
+ BasicBlock::iterator(middle_bb->getTerminator()));
#else
middle_bb->getInstList().insert(
BasicBlock::iterator(middle_bb->getTerminator()), t_f0);
@@ -1503,7 +1526,8 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
icmp_fraction_result =
CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_EQ, t_f0, t_f1);
#if LLVM_MAJOR >= 16
- icmp_fraction_result->insertInto(middle2_bb, BasicBlock::iterator(middle2_bb->getTerminator()));
+ icmp_fraction_result->insertInto(
+ middle2_bb, BasicBlock::iterator(middle2_bb->getTerminator()));
#else
middle2_bb->getInstList().insert(
BasicBlock::iterator(middle2_bb->getTerminator()),
@@ -1516,7 +1540,8 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
icmp_fraction_result =
CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_NE, t_f0, t_f1);
#if LLVM_MAJOR >= 16
- icmp_fraction_result->insertInto(middle2_bb, BasicBlock::iterator(middle2_bb->getTerminator()));
+ icmp_fraction_result->insertInto(
+ middle2_bb, BasicBlock::iterator(middle2_bb->getTerminator()));
#else
middle2_bb->getInstList().insert(
BasicBlock::iterator(middle2_bb->getTerminator()),
@@ -1542,13 +1567,13 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
if (FcmpInst->getPredicate() == CmpInst::FCMP_OGT ||
FcmpInst->getPredicate() == CmpInst::FCMP_UGT) {
- icmp_fraction_result = CmpInst::Create(
- Instruction::ICmp, CmpInst::ICMP_ULT, t_f0, t_f1);
- icmp_fraction_result2 = CmpInst::Create(
- Instruction::ICmp, CmpInst::ICMP_UGT, t_f0, t_f1);
+ icmp_fraction_result =
+ CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_ULT, t_f0, t_f1);
+ icmp_fraction_result2 =
+ CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_UGT, t_f0, t_f1);
#if LLVM_MAJOR >= 16
- icmp_fraction_result->insertInto(negative_bb, negative_bb->end());
- icmp_fraction_result2->insertInto(positive_bb, negative_bb->end());
+ icmp_fraction_result->insertInto(negative_bb, negative_bb->end());
+ icmp_fraction_result2->insertInto(positive_bb, negative_bb->end());
#else
negative_bb->getInstList().push_back(icmp_fraction_result);
positive_bb->getInstList().push_back(icmp_fraction_result2);
@@ -1556,13 +1581,13 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
} else {
- icmp_fraction_result = CmpInst::Create(
- Instruction::ICmp, CmpInst::ICMP_UGT, t_f0, t_f1);
- icmp_fraction_result2 = CmpInst::Create(
- Instruction::ICmp, CmpInst::ICMP_ULT, t_f0, t_f1);
+ icmp_fraction_result =
+ CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_UGT, t_f0, t_f1);
+ icmp_fraction_result2 =
+ CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_ULT, t_f0, t_f1);
#if LLVM_MAJOR >= 16
- icmp_fraction_result->insertInto(negative_bb, negative_bb->end());
- icmp_fraction_result2->insertInto(positive_bb, negative_bb->end());
+ icmp_fraction_result->insertInto(negative_bb, negative_bb->end());
+ icmp_fraction_result2->insertInto(positive_bb, negative_bb->end());
#else
negative_bb->getInstList().push_back(icmp_fraction_result);
positive_bb->getInstList().push_back(icmp_fraction_result2);
@@ -1581,7 +1606,8 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
PN2->addIncoming(icmp_fraction_result, negative_bb);
PN2->addIncoming(icmp_fraction_result2, positive_bb);
#if LLVM_MAJOR >= 16
- PN2->insertInto(middle2_bb, BasicBlock::iterator(middle2_bb->getTerminator()));
+ PN2->insertInto(middle2_bb,
+ BasicBlock::iterator(middle2_bb->getTerminator()));
#else
middle2_bb->getInstList().insert(
BasicBlock::iterator(middle2_bb->getTerminator()), PN2);
diff --git a/src/afl-gotcpu.c b/src/afl-gotcpu.c
index 1762cfe2..fd9e9f54 100644
--- a/src/afl-gotcpu.c
+++ b/src/afl-gotcpu.c
@@ -217,8 +217,8 @@ int main(int argc, char **argv) {
const char *error_code = "Unkown error code";
if (errno == EFAULT) error_code = "EFAULT";
if (errno == EINVAL) error_code = "EINVAL";
- if (errno == EPERM) error_code = "EPERM";
- if (errno == ESRCH) error_code = "ESRCH";
+ if (errno == EPERM) error_code = "EPERM";
+ if (errno == ESRCH) error_code = "ESRCH";
PFATAL("sched_setaffinity failed for cpu %d, error: %s", i, error_code);
--
cgit 1.4.1
From dbfa23b40a6bdd1b8affc3920c68f11a6e63b231 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Mon, 6 Feb 2023 16:38:46 +0100
Subject: fixes
---
instrumentation/afl-compiler-rt.o.c | 10 +++++++---
src/afl-fuzz-one.c | 4 ++--
2 files changed, 9 insertions(+), 5 deletions(-)
(limited to 'instrumentation')
diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c
index b1ce4427..9871d7f4 100644
--- a/instrumentation/afl-compiler-rt.o.c
+++ b/instrumentation/afl-compiler-rt.o.c
@@ -1518,9 +1518,13 @@ void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) {
_is_sancov = 1;
- __afl_auto_first();
- __afl_auto_second();
- __afl_auto_early();
+ if (!getenv("AFL_DUMP_MAP_SIZE")) {
+
+ __afl_auto_first();
+ __afl_auto_second();
+ __afl_auto_early();
+
+ }
if (__afl_debug) {
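Review bot: The new `if (!getenv("AFL_DUMP_MAP_SIZE"))` guard gives no reason for skipping the three constructor calls, so a reader cannot tell whether it avoids side effects that would spoil the dump or merely saves work. A one-line comment above it would settle that, e.g. `/* when only the map size is being dumped, do not run the runtime constructors here */` — assuming that is the motivation, which the hunk does not show. __sanitizer_cov_trace_pc_guard_init begins and ends outside this hunk.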
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index 97855607..6367f597 100644
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@@ -5798,7 +5798,7 @@ void pso_updating(afl_state_t *afl) {
u8 fuzz_one(afl_state_t *afl) {
- int key_val_lv_1 = 0, key_val_lv_2 = 0;
+ int key_val_lv_1 = -1, key_val_lv_2 = -1;
#ifdef _AFL_DOCUMENT_MUTATIONS
@@ -5840,7 +5840,7 @@ u8 fuzz_one(afl_state_t *afl) {
}
- return (key_val_lv_1 | key_val_lv_2);
+ return (key_val_lv_1 == 0 || key_val_lv_2 == 0 ? 0 : 1 );
}
--
cgit 1.4.1
From 80eabd6e8a30c2ffc0f084ab34df8b9d582419c3 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Mon, 13 Feb 2023 11:34:14 +0100
Subject: AFL_LLVM_DICT2FILE_NO_MAIN support
---
TODO.md | 3 +--
docs/Changelog.md | 1 +
docs/env_variables.md | 3 +++
docs/fuzzing_in_depth.md | 4 +++-
include/envs.h | 1 +
instrumentation/README.llvm.md | 4 ++++
instrumentation/SanitizerCoverageLTO.so.cc | 11 ++++++++++-
instrumentation/afl-llvm-dict2file.so.cc | 17 ++++++++++++++---
src/afl-cc.c | 5 ++++-
9 files changed, 41 insertions(+), 8 deletions(-)
(limited to 'instrumentation')
diff --git a/TODO.md b/TODO.md
index 862224f0..187fa191 100644
--- a/TODO.md
+++ b/TODO.md
@@ -9,13 +9,12 @@
- afl-plot to support multiple plot_data
- parallel builds for source-only targets
- get rid of check_binary, replace with more forkserver communication
- - first fuzzer should be a main automatically
+ - first fuzzer should be a main automatically? not sure.
## Maybe
- forkserver tells afl-fuzz if cmplog is supported and if so enable
it by default, with AFL_CMPLOG_NO=1 (?) set to skip?
- - afl_custom_fuzz_splice_optin()
- afl_custom_splice()
- cmdline option from-to range for mutations
diff --git a/docs/Changelog.md b/docs/Changelog.md
index eee88a51..89c37912 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -10,6 +10,7 @@
- add CFI sanitizer variant to gcc targets
- llvm 16 support (thanks to @devnexen!)
- support llvm 15 native pcguard changes
+ - LTO autoken and llvm_mode: added AFL_LLVM_DICT2FILE_NO_MAIN support
- better sanitizer default options support for all tools
- unicorn_mode: updated and minor issues fixed
- frida_mode: fix issue on MacOS
diff --git a/docs/env_variables.md b/docs/env_variables.md
index 0a57d190..61fb1e2b 100644
--- a/docs/env_variables.md
+++ b/docs/env_variables.md
@@ -129,6 +129,9 @@ subset of the settings discussed in section 1, with the exception of:
write all constant string comparisons to this file to be used later with
afl-fuzz' `-x` option.
+ - An option to `AFL_LLVM_DICT2FILE` is `AFL_LLVM_DICT2FILE_NO_MAIN=1` which
+ skill not parse `main()`.
+
- `TMPDIR` and `AFL_KEEP_ASSEMBLY`, since no temporary assembly files are
created.
diff --git a/docs/fuzzing_in_depth.md b/docs/fuzzing_in_depth.md
index 87f31a58..efab0633 100644
--- a/docs/fuzzing_in_depth.md
+++ b/docs/fuzzing_in_depth.md
@@ -534,6 +534,8 @@ dictionaries/FORMAT.dict`.
* With `afl-clang-fast`, you can set
`AFL_LLVM_DICT2FILE=/full/path/to/new/file.dic` to automatically generate a
dictionary during target compilation.
+ Adding `AFL_LLVM_DICT2FILE_NO_MAIN=1` to not parse main (usually command line
+ parameter parsing) is often a good idea too.
* You also have the option to generate a dictionary yourself during an
independent run of the target, see
[utils/libtokencap/README.md](../utils/libtokencap/README.md).
@@ -935,7 +937,7 @@ phase and start fuzzing at once.
3. Also randomize the afl-fuzz runtime options, e.g.:
* 65% for `AFL_DISABLE_TRIM`
* 50% for `AFL_KEEP_TIMEOUTS`
- * 50% use a dictionary generated by `AFL_LLVM_DICT2FILE`
+ * 50% use a dictionary generated by `AFL_LLVM_DICT2FILE` + `AFL_LLVM_DICT2FILE_NO_MAIN=1`
* 40% use MOpt (`-L 0`)
* 40% for `AFL_EXPAND_HAVOC_NOW`
* 20% for old queue processing (`-Z`)
diff --git a/include/envs.h b/include/envs.h
index 0770f94d..5018b0f8 100644
--- a/include/envs.h
+++ b/include/envs.h
@@ -133,6 +133,7 @@ static char *afl_environment_variables[] = {
"AFL_LLVM_CTX",
"AFL_LLVM_CTX_K",
"AFL_LLVM_DICT2FILE",
+ "AFL_LLVM_DICT2FILE_NO_MAIN",
"AFL_LLVM_DOCUMENT_IDS",
"AFL_LLVM_INSTRIM_LOOPHEAD",
"AFL_LLVM_INSTRUMENT",
diff --git a/instrumentation/README.llvm.md b/instrumentation/README.llvm.md
index 9da1b0f6..c0677474 100644
--- a/instrumentation/README.llvm.md
+++ b/instrumentation/README.llvm.md
@@ -167,6 +167,10 @@ Just specify `AFL_LLVM_DICT2FILE=/absolute/path/file.txt` and during compilation
all constant string compare parameters will be written to this file to be used
with afl-fuzz' `-x` option.
+Adding `AFL_LLVM_DICT2FILE_NO_MAIN=1` will skip parsing `main()` which often
+does command line parsing which has string comparisons that are not helpful
+for fuzzing.
+
## 6) AFL++ Context Sensitive Branch Coverage
### What is this?
diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc
index 231151f5..f82224ed 100644
--- a/instrumentation/SanitizerCoverageLTO.so.cc
+++ b/instrumentation/SanitizerCoverageLTO.so.cc
@@ -236,6 +236,7 @@ class ModuleSanitizerCoverageLTO
// const SpecialCaseList * Allowlist;
// const SpecialCaseList * Blocklist;
uint32_t autodictionary = 1;
+ uint32_t autodictionary_no_main = 0;
uint32_t inst = 0;
uint32_t afl_global_id = 0;
uint32_t unhandled = 0;
@@ -411,7 +412,8 @@ bool ModuleSanitizerCoverageLTO::instrumentModule(
/* Show a banner */
setvbuf(stdout, NULL, _IONBF, 0);
- if (getenv("AFL_DEBUG")) debug = 1;
+ if (getenv("AFL_DEBUG")) { debug = 1; }
+ if (getenv("AFL_LLVM_DICT2FILE_NO_MAIN")) { autodictionary_no_main = 1; }
if ((isatty(2) && !getenv("AFL_QUIET")) || debug) {
@@ -503,6 +505,13 @@ bool ModuleSanitizerCoverageLTO::instrumentModule(
if (!isInInstrumentList(&F, MNAME) || !F.size()) { continue; }
+ if (autodictionary_no_main &&
+ (!F.getName().compare("main") || !F.getName().compare("_main"))) {
+
+ continue;
+
+ }
+
for (auto &BB : F) {
for (auto &IN : BB) {
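Review bot: `!F.getName().compare("main") || !F.getName().compare("_main")` is the double-negative spelling of a StringRef equality test; `F.getName() == "main" || F.getName() == "_main"` says the same without the reader recalling that compare() returns 0 on a match. The identical expression is added again in afl-llvm-dict2file.so.cc's -210 hunk of this commit, so a small shared predicate in afl-llvm-common (suggested name: a `isMainFunction(Function *)` helper) would keep the two passes from drifting apart. instrumentModule continues outside this hunk.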
diff --git a/instrumentation/afl-llvm-dict2file.so.cc b/instrumentation/afl-llvm-dict2file.so.cc
index bbbbe32c..97f1d47f 100644
--- a/instrumentation/afl-llvm-dict2file.so.cc
+++ b/instrumentation/afl-llvm-dict2file.so.cc
@@ -182,7 +182,7 @@ bool AFLdict2filePass::runOnModule(Module &M) {
DenseMap valueMap;
char *ptr;
- int found = 0;
+ int found = 0, handle_main = 1;
/* Show a banner */
setvbuf(stdout, NULL, _IONBF, 0);
@@ -192,10 +192,14 @@ bool AFLdict2filePass::runOnModule(Module &M) {
SAYF(cCYA "afl-llvm-dict2file" VERSION cRST
" by Marc \"vanHauser\" Heuse \n");
- } else
+ } else {
be_quiet = 1;
+ }
+
+ if (getenv("AFL_LLVM_DICT2FILE_NO_MAIN")) { handle_main = 0; }
+
scanForDangerousFunctions(&M);
ptr = getenv("AFL_LLVM_DICT2FILE");
@@ -210,7 +214,14 @@ bool AFLdict2filePass::runOnModule(Module &M) {
for (auto &F : M) {
- if (isIgnoreFunction(&F)) continue;
+ if (!handle_main &&
+ (!F.getName().compare("main") || !F.getName().compare("_main"))) {
+
+ continue;
+
+ }
+
+ if (isIgnoreFunction(&F)) { continue; }
if (!isInInstrumentList(&F, MNAME) || !F.size()) { continue; }
/* Some implementation notes.
diff --git a/src/afl-cc.c b/src/afl-cc.c
index 7c3682fb..7b059d40 100644
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
@@ -2041,6 +2041,8 @@ int main(int argc, char **argv, char **envp) {
" AFL_LLVM_DICT2FILE: generate an afl dictionary based on found "
"comparisons\n"
+ " AFL_LLVM_DICT2FILE_NO_MAIN: skip parsing main() for the "
+ "dictionary\n"
" AFL_LLVM_LAF_ALL: enables all LAF splits/transforms\n"
" AFL_LLVM_LAF_SPLIT_COMPARES: enable cascaded comparisons\n"
" AFL_LLVM_LAF_SPLIT_COMPARES_BITW: size limit (default 8)\n"
@@ -2128,7 +2130,8 @@ int main(int argc, char **argv, char **envp) {
"defaults.\n"
"Recommended is afl-clang-lto with AFL_LLVM_CMPLOG or afl-clang-fast "
"with\n"
- "AFL_LLVM_CMPLOG and AFL_LLVM_DICT2FILE.\n\n");
+ "AFL_LLVM_CMPLOG and "
+ "AFL_LLVM_DICT2FILE+AFL_LLVM_DICT2FILE_NO_MAIN.\n\n");
exit(1);
--
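Review bot: The afl-cc help hunks in this commit only document the new variable; the behaviour it enables is presence-only (`getenv("AFL_LLVM_DICT2FILE_NO_MAIN")`), so `AFL_LLVM_DICT2FILE_NO_MAIN=0` also turns the skip on. If that is the convention for all `AFL_LLVM_*` switches here it is fine, but the help line should say "set" rather than imply a value, e.g. `" AFL_LLVM_DICT2FILE_NO_MAIN: if set, skip parsing main() for the dictionary\n"`.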
From 8bc3fa1df286aac46a0a724f64e2e07010d2497e Mon Sep 17 00:00:00 2001
From: David CARLIER
Date: Mon, 13 Feb 2023 23:00:15 +0000
Subject: LLVM cmplog factoring custom Instruction iterator with added
restriction
---
instrumentation/afl-llvm-common.cc | 18 ++++++++++++++++++
instrumentation/afl-llvm-common.h | 2 ++
instrumentation/cmplog-instructions-pass.cc | 15 ---------------
instrumentation/cmplog-switches-pass.cc | 15 ---------------
4 files changed, 20 insertions(+), 30 deletions(-)
(limited to 'instrumentation')
diff --git a/instrumentation/afl-llvm-common.cc b/instrumentation/afl-llvm-common.cc
index dc34d191..b50269fe 100644
--- a/instrumentation/afl-llvm-common.cc
+++ b/instrumentation/afl-llvm-common.cc
@@ -582,6 +582,24 @@ bool isInInstrumentList(llvm::Function *F, std::string Filename) {
}
+template
+Iterator Unique(Iterator first, Iterator last) {
+ static_assert(std::is_trivially_copyable<
+ typename std::iterator_traits
+ >::value_type, "Invalid underlying type");
+
+ while (first != last) {
+
+ Iterator next(first);
+ last = std::remove(++next, last, *first);
+ first = next;
+
+ }
+
+ return last;
+
+}
+
// Calculate the number of average collisions that would occur if all
// location IDs would be assigned randomly (like normal afl/afl++).
// This uses the "balls in bins" algorithm.
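Review bot: `Unique` is a function template and its definition now lives only in afl-llvm-common.cc, while the header hunk below only declares it; the other translation units that lost their local copies (the two cmplog passes) can no longer instantiate it, so the link ends with an undefined reference for each iterator type used. A shared template has to be defined where it is instantiated: move this whole definition into afl-llvm-common.h in place of the bare declaration (explicit instantiations in the .cc for every iterator type would also work but are brittle). As rendered here the template parameter list and the `iterator_traits` argument appear to have lost their angle-bracket contents; the intended form is `template <typename Iterator>` with `std::is_trivially_copyable<typename std::iterator_traits<Iterator>::value_type>::value`.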
diff --git a/instrumentation/afl-llvm-common.h b/instrumentation/afl-llvm-common.h
index 0112c325..8b8dc756 100644
--- a/instrumentation/afl-llvm-common.h
+++ b/instrumentation/afl-llvm-common.h
@@ -9,6 +9,7 @@
#include
#include
#include
+#include
#include
#include "llvm/Config/llvm-config.h"
@@ -53,6 +54,7 @@ void initInstrumentList();
bool isInInstrumentList(llvm::Function *F, std::string Filename);
unsigned long long int calculateCollisions(uint32_t edges);
void scanForDangerousFunctions(llvm::Module *M);
+template Iterator Unique(Iterator, Iterator);
#ifndef IS_EXTERN
#define IS_EXTERN
diff --git a/instrumentation/cmplog-instructions-pass.cc b/instrumentation/cmplog-instructions-pass.cc
index bca1f927..c6fd7c56 100644
--- a/instrumentation/cmplog-instructions-pass.cc
+++ b/instrumentation/cmplog-instructions-pass.cc
@@ -138,21 +138,6 @@ llvmGetPassPluginInfo() {
char CmpLogInstructions::ID = 0;
#endif
-template
-Iterator Unique(Iterator first, Iterator last) {
-
- while (first != last) {
-
- Iterator next(first);
- last = std::remove(++next, last, *first);
- first = next;
-
- }
-
- return last;
-
-}
-
bool CmpLogInstructions::hookInstrs(Module &M) {
std::vector icomps;
diff --git a/instrumentation/cmplog-switches-pass.cc b/instrumentation/cmplog-switches-pass.cc
index cd0ae76d..f4a9fbd7 100644
--- a/instrumentation/cmplog-switches-pass.cc
+++ b/instrumentation/cmplog-switches-pass.cc
@@ -131,21 +131,6 @@ llvmGetPassPluginInfo() {
char CmplogSwitches::ID = 0;
#endif
-template
-Iterator Unique(Iterator first, Iterator last) {
-
- while (first != last) {
-
- Iterator next(first);
- last = std::remove(++next, last, *first);
- first = next;
-
- }
-
- return last;
-
-}
-
bool CmplogSwitches::hookInstrs(Module &M) {
std::vector switches;
--
From b786558dea5fd5dca471a0e36a8b420ff6a65846 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Mon, 20 Feb 2023 15:43:54 +0100
Subject: Revert "LLVM cmplog factoring custom Instruction iterator with added
restriction"
This reverts commit 8bc3fa1df286aac46a0a724f64e2e07010d2497e.
---
instrumentation/afl-llvm-common.cc | 18 ------------------
instrumentation/afl-llvm-common.h | 2 --
instrumentation/cmplog-instructions-pass.cc | 15 +++++++++++++++
instrumentation/cmplog-switches-pass.cc | 15 +++++++++++++++
4 files changed, 30 insertions(+), 20 deletions(-)
(limited to 'instrumentation')
diff --git a/instrumentation/afl-llvm-common.cc b/instrumentation/afl-llvm-common.cc
index b50269fe..dc34d191 100644
--- a/instrumentation/afl-llvm-common.cc
+++ b/instrumentation/afl-llvm-common.cc
@@ -582,24 +582,6 @@ bool isInInstrumentList(llvm::Function *F, std::string Filename) {
}
-template
-Iterator Unique(Iterator first, Iterator last) {
- static_assert(std::is_trivially_copyable<
- typename std::iterator_traits
- >::value_type, "Invalid underlying type");
-
- while (first != last) {
-
- Iterator next(first);
- last = std::remove(++next, last, *first);
- first = next;
-
- }
-
- return last;
-
-}
-
// Calculate the number of average collisions that would occur if all
// location IDs would be assigned randomly (like normal afl/afl++).
// This uses the "balls in bins" algorithm.
diff --git a/instrumentation/afl-llvm-common.h b/instrumentation/afl-llvm-common.h
index 8b8dc756..0112c325 100644
--- a/instrumentation/afl-llvm-common.h
+++ b/instrumentation/afl-llvm-common.h
@@ -9,7 +9,6 @@
#include
#include
#include
-#include
#include
#include "llvm/Config/llvm-config.h"
@@ -54,7 +53,6 @@ void initInstrumentList();
bool isInInstrumentList(llvm::Function *F, std::string Filename);
unsigned long long int calculateCollisions(uint32_t edges);
void scanForDangerousFunctions(llvm::Module *M);
-template Iterator Unique(Iterator, Iterator);
#ifndef IS_EXTERN
#define IS_EXTERN
diff --git a/instrumentation/cmplog-instructions-pass.cc b/instrumentation/cmplog-instructions-pass.cc
index c6fd7c56..bca1f927 100644
--- a/instrumentation/cmplog-instructions-pass.cc
+++ b/instrumentation/cmplog-instructions-pass.cc
@@ -138,6 +138,21 @@ llvmGetPassPluginInfo() {
char CmpLogInstructions::ID = 0;
#endif
+template
+Iterator Unique(Iterator first, Iterator last) {
+
+ while (first != last) {
+
+ Iterator next(first);
+ last = std::remove(++next, last, *first);
+ first = next;
+
+ }
+
+ return last;
+
+}
+
bool CmpLogInstructions::hookInstrs(Module &M) {
std::vector icomps;
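Review bot: Re-adding the byte-identical `Unique` template here and in cmplog-switches-pass.cc restores the duplication the reverted commit tried to remove; the likely cause of that revert is that a template defined in a .cc file is not visible where it is instantiated, not the factoring itself. Defining the template once in afl-llvm-common.h (header-only, optionally keeping the `static_assert` on `std::iterator_traits<Iterator>::value_type`) removes both copies without the link problem.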
diff --git a/instrumentation/cmplog-switches-pass.cc b/instrumentation/cmplog-switches-pass.cc
index f4a9fbd7..cd0ae76d 100644
--- a/instrumentation/cmplog-switches-pass.cc
+++ b/instrumentation/cmplog-switches-pass.cc
@@ -131,6 +131,21 @@ llvmGetPassPluginInfo() {
char CmplogSwitches::ID = 0;
#endif
+template
+Iterator Unique(Iterator first, Iterator last) {
+
+ while (first != last) {
+
+ Iterator next(first);
+ last = std::remove(++next, last, *first);
+ first = next;
+
+ }
+
+ return last;
+
+}
+
bool CmplogSwitches::hookInstrs(Module &M) {
std::vector switches;
--
From bc61c90fb6e8d26d864aea7bd31f00485db4e942 Mon Sep 17 00:00:00 2001
From: David CARLIER
Date: Sat, 4 Mar 2023 14:46:38 +0000
Subject: llvm instrumentation trying to delete all static data at module end
of pass with llvm_shutdown and is concurrent safe.
---
instrumentation/cmplog-instructions-pass.cc | 2 +-
instrumentation/cmplog-routines-pass.cc | 2 +-
instrumentation/cmplog-switches-pass.cc | 2 +-
instrumentation/split-compares-pass.so.cc | 2 +-
instrumentation/split-switches-pass.so.cc | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
(limited to 'instrumentation')
diff --git a/instrumentation/cmplog-instructions-pass.cc b/instrumentation/cmplog-instructions-pass.cc
index bca1f927..7dcf8bfa 100644
--- a/instrumentation/cmplog-instructions-pass.cc
+++ b/instrumentation/cmplog-instructions-pass.cc
@@ -66,7 +66,7 @@ namespace {
#if LLVM_MAJOR >= 11 /* use new pass manager */
class CmpLogInstructions : public PassInfoMixin {
-
+ llvm_shutdown_obj LSO;
public:
CmpLogInstructions() {
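Review bot: `llvm_shutdown_obj` runs `llvm_shutdown()` from its destructor, which destroys every `ManagedStatic` in the process rather than this pass's own state; as a data member of a pass object that the new pass manager may copy or move and then destroy while the host compiler is still running, the first destroyed instance tears down LLVM globals underneath clang and every other pass. Per-pass allocations should be released in the pass's own destructor, or not leaked in the first place; a process-wide shutdown object belongs in a tool's `main()`, if anywhere. The same member is added in cmplog-routines-pass.cc, cmplog-switches-pass.cc, split-compares-pass.so.cc and split-switches-pass.so.cc, and the "concurrent safe" claim in the subject is not supported by anything in these hunks.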
diff --git a/instrumentation/cmplog-routines-pass.cc b/instrumentation/cmplog-routines-pass.cc
index 0498156d..c2c52874 100644
--- a/instrumentation/cmplog-routines-pass.cc
+++ b/instrumentation/cmplog-routines-pass.cc
@@ -63,7 +63,7 @@ namespace {
#if LLVM_VERSION_MAJOR >= 11 /* use new pass manager */
class CmpLogRoutines : public PassInfoMixin {
-
+ llvm_shutdown_obj LSO;
public:
CmpLogRoutines() {
diff --git a/instrumentation/cmplog-switches-pass.cc b/instrumentation/cmplog-switches-pass.cc
index cd0ae76d..d96c5a4f 100644
--- a/instrumentation/cmplog-switches-pass.cc
+++ b/instrumentation/cmplog-switches-pass.cc
@@ -64,7 +64,7 @@ namespace {
#if LLVM_VERSION_MAJOR >= 11 /* use new pass manager */
class CmplogSwitches : public PassInfoMixin {
-
+ llvm_shutdown_obj LSO;
public:
CmplogSwitches() {
diff --git a/instrumentation/split-compares-pass.so.cc b/instrumentation/split-compares-pass.so.cc
index 8a07610c..a189c203 100644
--- a/instrumentation/split-compares-pass.so.cc
+++ b/instrumentation/split-compares-pass.so.cc
@@ -66,7 +66,7 @@ namespace {
#if LLVM_MAJOR >= 11
class SplitComparesTransform : public PassInfoMixin {
-
+ llvm_shutdown_obj LSO;
public:
// static char ID;
SplitComparesTransform() : enableFPSplit(0) {
diff --git a/instrumentation/split-switches-pass.so.cc b/instrumentation/split-switches-pass.so.cc
index dcd89652..1028c5b0 100644
--- a/instrumentation/split-switches-pass.so.cc
+++ b/instrumentation/split-switches-pass.so.cc
@@ -65,7 +65,7 @@ namespace {
#if LLVM_VERSION_MAJOR >= 11 /* use new pass manager */
class SplitSwitchesTransform : public PassInfoMixin {
-
+ llvm_shutdown_obj LSO;
public:
SplitSwitchesTransform() {
--
From e6a05382b83817b245da51bcba16be5df56eb283 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Mon, 6 Mar 2023 09:59:52 +0100
Subject: fix IGNORE_PROBLEMS and update qemuafl
---
docs/Changelog.md | 2 ++
instrumentation/afl-compiler-rt.o.c | 39 ++++++++++++++++++++++++-------------
instrumentation/afl-llvm-common.h | 8 ++++----
qemu_mode/QEMUAFL_VERSION | 2 +-
qemu_mode/qemuafl | 2 +-
src/afl-fuzz-stats.c | 22 ++++++++++-----------
6 files changed, 44 insertions(+), 31 deletions(-)
(limited to 'instrumentation')
diff --git a/docs/Changelog.md b/docs/Changelog.md
index 8f71fd83..f4fa4382 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -11,6 +11,8 @@
- add CFI sanitizer variant to gcc targets
- llvm 16 support (thanks to @devnexen!)
- support llvm 15 native pcguard changes
+ - qemu_mode:
+ - fix _RANGES envs to allow hyphens in the filenames
- new custom module: autotoken, grammar free fuzzer for text inputs
- LTO autoken and llvm_mode: added AFL_LLVM_DICT2FILE_NO_MAIN support
- better sanitizer default options support for all tools
diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c
index 9871d7f4..94022a65 100644
--- a/instrumentation/afl-compiler-rt.o.c
+++ b/instrumentation/afl-compiler-rt.o.c
@@ -1539,12 +1539,16 @@ void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) {
if (start == stop || *start) return;
x = getenv("AFL_INST_RATIO");
- if (x) { inst_ratio = (u32)atoi(x); }
+ if (x) {
- if (!inst_ratio || inst_ratio > 100) {
+ inst_ratio = (u32)atoi(x);
- fprintf(stderr, "[-] ERROR: Invalid AFL_INST_RATIO (must be 1-100).\n");
- abort();
+ if (!inst_ratio || inst_ratio > 100) {
+
+ fprintf(stderr, "[-] ERROR: Invalid AFL_INST_RATIO (must be 1-100).\n");
+ abort();
+
+ }
}
@@ -1568,10 +1572,16 @@ void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) {
while (start < stop) {
- if (likely(inst_ratio == 100) || R(100) < inst_ratio)
- *start = offset;
- else
- *start = 0; // write to map[0]
+ if (likely(inst_ratio == 100) || R(100) < inst_ratio) {
+
+ *(start++) = offset;
+
+ } else {
+
+ *(start++) = 0; // write to map[0]
+
+ }
+
if (unlikely(++offset >= __afl_final_loc)) { offset = 4; }
}
@@ -1592,12 +1602,15 @@ void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) {
while (start < stop) {
- if (likely(inst_ratio == 100) || R(100) < inst_ratio)
- *start = ++__afl_final_loc;
- else
- *start = 0; // write to map[0]
+ if (likely(inst_ratio == 100) || R(100) < inst_ratio) {
+
+ *(start++) = ++__afl_final_loc;
- start++;
+ } else {
+
+ *(start++) = 0; // write to map[0]
+
+ }
}
diff --git a/instrumentation/afl-llvm-common.h b/instrumentation/afl-llvm-common.h
index 0112c325..16a13da5 100644
--- a/instrumentation/afl-llvm-common.h
+++ b/instrumentation/afl-llvm-common.h
@@ -37,10 +37,10 @@ typedef long double max_align_t;
#define MNAME M.getSourceFileName()
#define FMNAME F.getParent()->getSourceFileName()
#if LLVM_VERSION_MAJOR >= 16
- // None becomes deprecated
- // the standard std::nullopt_t is recommended instead
- // from C++17 and onwards.
- constexpr std::nullopt_t None = std::nullopt;
+// None becomes deprecated
+// the standard std::nullopt_t is recommended instead
+// from C++17 and onwards.
+constexpr std::nullopt_t None = std::nullopt;
#endif
#else
#define MNAME std::string("")
diff --git a/qemu_mode/QEMUAFL_VERSION b/qemu_mode/QEMUAFL_VERSION
index 9c68f02c..39e41f79 100644
--- a/qemu_mode/QEMUAFL_VERSION
+++ b/qemu_mode/QEMUAFL_VERSION
@@ -1 +1 @@
-a8af9cbde7
+74c583b11a
diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl
index a8af9cbd..74c583b1 160000
--- a/qemu_mode/qemuafl
+++ b/qemu_mode/qemuafl
@@ -1 +1 @@
-Subproject commit a8af9cbde71e333ce72a46f15e655d0b82ed0939
+Subproject commit 74c583b11ac508b90660723da7ee9ff7ff77ee92
diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c
index 26e1a50e..53ab8c77 100644
--- a/src/afl-fuzz-stats.c
+++ b/src/afl-fuzz-stats.c
@@ -672,12 +672,11 @@ void show_stats_normal(afl_state_t *afl) {
/* If no coverage was found yet, check whether run time is greater than
* exit_on_time. */
- if (unlikely(
- !afl->non_instrumented_mode && afl->afl_env.afl_exit_on_time &&
- ((afl->last_find_time &&
- (cur_ms - afl->last_find_time) > afl->exit_on_time) ||
- (!afl->last_find_time && (cur_ms - afl->start_time)
- > afl->exit_on_time)))) {
+ if (unlikely(!afl->non_instrumented_mode && afl->afl_env.afl_exit_on_time &&
+ ((afl->last_find_time &&
+ (cur_ms - afl->last_find_time) > afl->exit_on_time) ||
+ (!afl->last_find_time &&
+ (cur_ms - afl->start_time) > afl->exit_on_time)))) {
afl->stop_soon = 2;
@@ -1476,12 +1475,11 @@ void show_stats_pizza(afl_state_t *afl) {
/* If no coverage was found yet, check whether run time is greater than
* exit_on_time. */
- if (unlikely(
- !afl->non_instrumented_mode && afl->afl_env.afl_exit_on_time &&
- ((afl->last_find_time &&
- (cur_ms - afl->last_find_time) > afl->exit_on_time) ||
- (!afl->last_find_time && (cur_ms - afl->start_time)
- > afl->exit_on_time)))) {
+ if (unlikely(!afl->non_instrumented_mode && afl->afl_env.afl_exit_on_time &&
+ ((afl->last_find_time &&
+ (cur_ms - afl->last_find_time) > afl->exit_on_time) ||
+ (!afl->last_find_time &&
+ (cur_ms - afl->start_time) > afl->exit_on_time)))) {
afl->stop_soon = 2;
--
From 2f128e0dbd1b39f1d99a042f8813b93da1747731 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Mon, 6 Mar 2023 10:13:35 +0100
Subject: Revert "Merge pull request #1665 from devnexen/llvm_inst_mem_leaks"
This reverts commit e5f8c7a6129e42d1798fac1131c912b2eca8159c, reversing
changes made to e6a05382b83817b245da51bcba16be5df56eb283.
---
instrumentation/cmplog-instructions-pass.cc | 2 +-
instrumentation/cmplog-routines-pass.cc | 2 +-
instrumentation/cmplog-switches-pass.cc | 2 +-
instrumentation/split-compares-pass.so.cc | 2 +-
instrumentation/split-switches-pass.so.cc | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
(limited to 'instrumentation')
diff --git a/instrumentation/cmplog-instructions-pass.cc b/instrumentation/cmplog-instructions-pass.cc
index 7dcf8bfa..bca1f927 100644
--- a/instrumentation/cmplog-instructions-pass.cc
+++ b/instrumentation/cmplog-instructions-pass.cc
@@ -66,7 +66,7 @@ namespace {
#if LLVM_MAJOR >= 11 /* use new pass manager */
class CmpLogInstructions : public PassInfoMixin {
- llvm_shutdown_obj LSO;
+
public:
CmpLogInstructions() {
diff --git a/instrumentation/cmplog-routines-pass.cc b/instrumentation/cmplog-routines-pass.cc
index c2c52874..0498156d 100644
--- a/instrumentation/cmplog-routines-pass.cc
+++ b/instrumentation/cmplog-routines-pass.cc
@@ -63,7 +63,7 @@ namespace {
#if LLVM_VERSION_MAJOR >= 11 /* use new pass manager */
class CmpLogRoutines : public PassInfoMixin {
- llvm_shutdown_obj LSO;
+
public:
CmpLogRoutines() {
diff --git a/instrumentation/cmplog-switches-pass.cc b/instrumentation/cmplog-switches-pass.cc
index d96c5a4f..cd0ae76d 100644
--- a/instrumentation/cmplog-switches-pass.cc
+++ b/instrumentation/cmplog-switches-pass.cc
@@ -64,7 +64,7 @@ namespace {
#if LLVM_VERSION_MAJOR >= 11 /* use new pass manager */
class CmplogSwitches : public PassInfoMixin {
- llvm_shutdown_obj LSO;
+
public:
CmplogSwitches() {
diff --git a/instrumentation/split-compares-pass.so.cc b/instrumentation/split-compares-pass.so.cc
index a189c203..8a07610c 100644
--- a/instrumentation/split-compares-pass.so.cc
+++ b/instrumentation/split-compares-pass.so.cc
@@ -66,7 +66,7 @@ namespace {
#if LLVM_MAJOR >= 11
class SplitComparesTransform : public PassInfoMixin {
- llvm_shutdown_obj LSO;
+
public:
// static char ID;
SplitComparesTransform() : enableFPSplit(0) {
diff --git a/instrumentation/split-switches-pass.so.cc b/instrumentation/split-switches-pass.so.cc
index 1028c5b0..dcd89652 100644
--- a/instrumentation/split-switches-pass.so.cc
+++ b/instrumentation/split-switches-pass.so.cc
@@ -65,7 +65,7 @@ namespace {
#if LLVM_VERSION_MAJOR >= 11 /* use new pass manager */
class SplitSwitchesTransform : public PassInfoMixin {
- llvm_shutdown_obj LSO;
+
public:
SplitSwitchesTransform() {
--
From 5221938945cc5ff15af04b727c6a7e0085005044 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Thu, 9 Mar 2023 17:36:13 +0100
Subject: various fixes
---
docs/Changelog.md | 2 +-
include/common.h | 3 +++
instrumentation/afl-compiler-rt.o.c | 18 ++++++++++++------
src/afl-analyze.c | 4 ++++
src/afl-common.c | 37 ++++++++++++++++++++++++++++++-------
src/afl-fuzz-init.c | 19 ++++++++++++-------
src/afl-fuzz-stats.c | 2 +-
src/afl-showmap.c | 4 ++++
src/afl-tmin.c | 4 ++++
9 files changed, 71 insertions(+), 22 deletions(-)
(limited to 'instrumentation')
diff --git a/docs/Changelog.md b/docs/Changelog.md
index 5287d038..25c1f6bc 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -20,7 +20,7 @@
- better sanitizer default options support for all tools
- unicorn_mode: updated and minor issues fixed
- frida_mode: fix issue on MacOS
- - more minor fixes
+ - more minor fixes and cross-platform support
### Version ++4.05c (release)
- MacOS: libdislocator, libtokencap etc. do not work with modern
diff --git a/include/common.h b/include/common.h
index c5a32cdb..5d198468 100644
--- a/include/common.h
+++ b/include/common.h
@@ -143,5 +143,8 @@ FILE *create_ffile(u8 *fn);
/* create a file */
s32 create_file(u8 *fn);
+/* memmem implementation as not all platforms support this */
+void *afl_memmem(const void *haystack, size_t haystacklen, const void *needle, size_t needlelen);
+
#endif
diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c
index 94022a65..a88396d4 100644
--- a/instrumentation/afl-compiler-rt.o.c
+++ b/instrumentation/afl-compiler-rt.o.c
@@ -1622,17 +1622,23 @@ void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) {
}
- if (__afl_already_initialized_shm && __afl_final_loc > __afl_map_size) {
+ if (__afl_already_initialized_shm) {
- if (__afl_debug) {
+ if (__afl_final_loc > __afl_map_size) {
+
+ if (__afl_debug) {
+
+ fprintf(stderr, "Reinit shm necessary (+%u)\n",
+ __afl_final_loc - __afl_map_size);
+
+ }
- fprintf(stderr, "Reinit shm necessary (+%u)\n",
- __afl_final_loc - __afl_map_size);
+ __afl_unmap_shm();
+ __afl_map_shm();
}
- __afl_unmap_shm();
- __afl_map_shm();
+ __afl_map_size = __afl_final_loc + 1;
}
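Review bot: `__afl_map_size = __afl_final_loc + 1` now runs on every call with an initialized shm, including when `__afl_final_loc` is smaller than the current `__afl_map_size`; that shrinks the recorded size below the mapping that was actually set up (for example when it came from a larger configured map), whereas the old code never wrote `__afl_map_size` here. If the intent is only to grow, guard it: `if (__afl_final_loc + 1 > __afl_map_size) { __afl_map_size = __afl_final_loc + 1; }`. Whether `__afl_map_shm()` reads `__afl_map_size` to size the new mapping is not visible in this hunk; if it does, the assignment would also have to move before the remap. The enclosing `__sanitizer_cov_trace_pc_guard_init` continues outside the hunk.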
diff --git a/src/afl-analyze.c b/src/afl-analyze.c
index d4a9aa91..9734f75c 100644
--- a/src/afl-analyze.c
+++ b/src/afl-analyze.c
@@ -725,7 +725,11 @@ static void setup_signal_handlers(void) {
struct sigaction sa;
sa.sa_handler = NULL;
+ #ifdef SA_RESTART
sa.sa_flags = SA_RESTART;
+ #else
+ sa.sa_flags = 0;
+ #endif
sa.sa_sigaction = NULL;
sigemptyset(&sa.sa_mask);
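Review bot: `struct sigaction sa` stays uninitialized apart from the four fields set explicitly, while the sibling change in src/afl-fuzz-init.c in this same commit first adds `memset((void*)&sa, 0, sizeof(sa));`; the identical `#ifdef SA_RESTART` block is added to src/afl-showmap.c and src/afl-tmin.c without that zeroing. Zeroing the struct first makes the `#else` branch and the separate `sa_sigaction = NULL` store unnecessary and gives all four tools the same fully-defined value for any platform-specific members. Suggest adding `memset(&sa, 0, sizeof sa);` right after the declaration here and in the two other files so the four copies match.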
diff --git a/src/afl-common.c b/src/afl-common.c
index b0df1994..86226c9f 100644
--- a/src/afl-common.c
+++ b/src/afl-common.c
@@ -58,6 +58,25 @@ u8 last_intr = 0;
#define AFL_PATH "/usr/local/lib/afl/"
#endif
+void *afl_memmem(const void *haystack, size_t haystacklen, const void *needle,
+ size_t needlelen) {
+
+ if (unlikely(needlelen > haystacklen)) { return NULL; }
+
+ for (u32 i = 0; i <= haystacklen - needlelen; ++i) {
+
+ if (unlikely(memcmp(haystack + i, needle, needlelen) == 0)) {
+
+ return (void *)(haystack + i);
+
+ }
+
+ }
+
+ return (void *)NULL;
+
+}
+
void set_sanitizer_defaults() {
/* Set sane defaults for ASAN if nothing else is specified. */
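Review bot: The loop index `i` is `u32` while `haystacklen` is `size_t`, so for a haystack of 4 GiB or more `i <= haystacklen - needlelen` never becomes false and the index wraps; the callers hand in a whole mmap'd binary, so the index should be `size_t` or a pointer. `haystack + i` is arithmetic on `const void *`, a GNU extension rather than standard C, which defeats the portability purpose of the helper; convert to `const u8 *` first. A first-byte test before `memcmp` avoids a library call at every offset on large inputs; the rewrite below keeps the contract (NULL when the needle is longer than the haystack, `haystack` for an empty needle, as `memmem` does).
```c
void *afl_memmem(const void *haystack, size_t haystacklen, const void *needle,
                 size_t needlelen) {

  if (unlikely(needlelen > haystacklen)) { return NULL; }
  if (unlikely(needlelen == 0)) { return (void *)haystack; }

  const u8 *h = (const u8 *)haystack;
  const u8 *last = h + (haystacklen - needlelen); /* last valid start offset */
  const u8  first = *(const u8 *)needle;

  for (; h <= last; ++h) {

    if (*h == first && memcmp(h, needle, needlelen) == 0) { return (void *)h; }

  }

  return NULL;

}
```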
@@ -67,9 +86,9 @@ void set_sanitizer_defaults() {
u8 *have_lsan_options = getenv("LSAN_OPTIONS");
u8 have_san_options = 0;
u8 default_options[1024] =
- "detect_odr_violation=0:abort_on_error=1:symbolize=0:malloc_context_"
- "size=0:allocator_may_return_null=1:handle_segv=0:handle_sigbus=0:"
- "handle_abort=0:handle_sigfpe=0:handle_sigill=0:";
+ "detect_odr_violation=0:abort_on_error=1:symbolize=0:allocator_may_"
+ "return_null=1:handle_segv=0:handle_sigbus=0:handle_abort=0:handle_"
+ "sigfpe=0:handle_sigill=0:";
if (have_asan_options || have_ubsan_options || have_msan_options ||
have_lsan_options) {
@@ -84,14 +103,18 @@ void set_sanitizer_defaults() {
u8 buf[2048] = "";
if (!have_san_options) { strcpy(buf, default_options); }
- strcat(buf, "exitcode=" STRINGIFY(LSAN_ERROR) ":fast_unwind_on_malloc=0:print_suppressions=0:detect_leaks=1:");
+ strcat(buf, "exitcode=" STRINGIFY(LSAN_ERROR) ":fast_unwind_on_malloc=0:print_suppressions=0:detect_leaks=1:malloc_context_size=30:");
setenv("LSAN_OPTIONS", buf, 1);
}
/* for everything not LSAN we disable detect_leaks */
- if (!have_lsan_options) { strcat(default_options, "detect_leaks=0:"); }
+ if (!have_lsan_options) {
+
+ strcat(default_options, "detect_leaks=0:malloc_context_size=0:");
+
+ }
/* Set sane defaults for ASAN if nothing else is specified. */
@@ -130,7 +153,7 @@ u32 check_binary_signatures(u8 *fn) {
if (f_data == MAP_FAILED) { PFATAL("Unable to mmap file '%s'", fn); }
close(fd);
- if (memmem(f_data, f_len, PERSIST_SIG, strlen(PERSIST_SIG) + 1)) {
+ if (afl_memmem(f_data, f_len, PERSIST_SIG, strlen(PERSIST_SIG) + 1)) {
if (!be_quiet) { OKF(cPIN "Persistent mode binary detected."); }
setenv(PERSIST_ENV_VAR, "1", 1);
@@ -155,7 +178,7 @@ u32 check_binary_signatures(u8 *fn) {
}
- if (memmem(f_data, f_len, DEFER_SIG, strlen(DEFER_SIG) + 1)) {
+ if (afl_memmem(f_data, f_len, DEFER_SIG, strlen(DEFER_SIG) + 1)) {
if (!be_quiet) { OKF(cPIN "Deferred forkserver binary detected."); }
setenv(DEFER_ENV_VAR, "1", 1);
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index c20965b4..3b441eee 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -24,7 +24,9 @@
*/
#include "afl-fuzz.h"
+#include "common.h"
#include
+#include
#include "cmplog.h"
#ifdef HAVE_AFFINITY
@@ -2786,7 +2788,7 @@ void check_binary(afl_state_t *afl, u8 *fname) {
!afl->fsrv.nyx_mode &&
#endif
!afl->fsrv.cs_mode && !afl->non_instrumented_mode &&
- !memmem(f_data, f_len, SHM_ENV_VAR, strlen(SHM_ENV_VAR) + 1)) {
+ !afl_memmem(f_data, f_len, SHM_ENV_VAR, strlen(SHM_ENV_VAR) + 1)) {
SAYF("\n" cLRD "[-] " cRST
"Looks like the target binary is not instrumented! The fuzzer depends "
@@ -2817,7 +2819,7 @@ void check_binary(afl_state_t *afl, u8 *fname) {
}
if ((afl->fsrv.cs_mode || afl->fsrv.qemu_mode || afl->fsrv.frida_mode) &&
- memmem(f_data, f_len, SHM_ENV_VAR, strlen(SHM_ENV_VAR) + 1)) {
+ afl_memmem(f_data, f_len, SHM_ENV_VAR, strlen(SHM_ENV_VAR) + 1)) {
SAYF("\n" cLRD "[-] " cRST
"This program appears to be instrumented with afl-gcc, but is being "
@@ -2830,9 +2832,9 @@ void check_binary(afl_state_t *afl, u8 *fname) {
}
- if (memmem(f_data, f_len, "__asan_init", 11) ||
- memmem(f_data, f_len, "__msan_init", 11) ||
- memmem(f_data, f_len, "__lsan_init", 11)) {
+ if (afl_memmem(f_data, f_len, "__asan_init", 11) ||
+ afl_memmem(f_data, f_len, "__msan_init", 11) ||
+ afl_memmem(f_data, f_len, "__lsan_init", 11)) {
afl->fsrv.uses_asan = 1;
@@ -2840,7 +2842,7 @@ void check_binary(afl_state_t *afl, u8 *fname) {
/* Detect persistent & deferred init signatures in the binary. */
- if (memmem(f_data, f_len, PERSIST_SIG, strlen(PERSIST_SIG) + 1)) {
+ if (afl_memmem(f_data, f_len, PERSIST_SIG, strlen(PERSIST_SIG) + 1)) {
OKF(cPIN "Persistent mode binary detected.");
setenv(PERSIST_ENV_VAR, "1", 1);
@@ -2867,7 +2869,7 @@ void check_binary(afl_state_t *afl, u8 *fname) {
}
if (afl->fsrv.frida_mode ||
- memmem(f_data, f_len, DEFER_SIG, strlen(DEFER_SIG) + 1)) {
+ afl_memmem(f_data, f_len, DEFER_SIG, strlen(DEFER_SIG) + 1)) {
OKF(cPIN "Deferred forkserver binary detected.");
setenv(DEFER_ENV_VAR, "1", 1);
@@ -2923,8 +2925,11 @@ void setup_signal_handlers(void) {
struct sigaction sa;
+ memset((void*)&sa, 0, sizeof(sa));
sa.sa_handler = NULL;
+#ifdef SA_RESTART
sa.sa_flags = SA_RESTART;
+#endif
sa.sa_sigaction = NULL;
sigemptyset(&sa.sa_mask);
diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c
index 65caf5ee..f53fd610 100644
--- a/src/afl-fuzz-stats.c
+++ b/src/afl-fuzz-stats.c
@@ -62,7 +62,7 @@ void write_setup_file(afl_state_t *afl, u32 argc, char **argv) {
if (memchr(argv[i], '\'', strlen(argv[i]))) {
#else
- if (index(argv[i], '\'')) {
+ if (strchr(argv[i], '\'')) {
#endif
diff --git a/src/afl-showmap.c b/src/afl-showmap.c
index 1e281d08..32dd1c20 100644
--- a/src/afl-showmap.c
+++ b/src/afl-showmap.c
@@ -654,7 +654,11 @@ static void setup_signal_handlers(void) {
struct sigaction sa;
sa.sa_handler = NULL;
+ #ifdef SA_RESTART
sa.sa_flags = SA_RESTART;
+ #else
+ sa.sa_flags = 0;
+ #endif
sa.sa_sigaction = NULL;
sigemptyset(&sa.sa_mask);
diff --git a/src/afl-tmin.c b/src/afl-tmin.c
index 12c5e0c9..530578d9 100644
--- a/src/afl-tmin.c
+++ b/src/afl-tmin.c
@@ -743,7 +743,11 @@ static void setup_signal_handlers(void) {
struct sigaction sa;
sa.sa_handler = NULL;
+ #ifdef SA_RESTART
sa.sa_flags = SA_RESTART;
+ #else
+ sa.sa_flags = 0;
+ #endif
sa.sa_sigaction = NULL;
sigemptyset(&sa.sa_mask);
--
From c594a58583c16301606e79a536f04ea3c8263e56 Mon Sep 17 00:00:00 2001
From: Tulio Magno Quites Machado Filho
Date: Tue, 28 Mar 2023 12:01:30 -0300
Subject: Stop using removed pipeline extensions
LLVM commit 7ae6838defb21737963b1dd8ff9de7e87052c74f removed the
following extensions:
- PassManagerBuilder::EP_OptimizerLast
- PassManagerBuilder::EP_EnabledOnOptLevel0
- PassManagerBuilder::EP_FullLinkTimeOptimizationLast
---
instrumentation/SanitizerCoverageLTO.so.cc | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'instrumentation')
diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc
index f82224ed..85f13c19 100644
--- a/instrumentation/SanitizerCoverageLTO.so.cc
+++ b/instrumentation/SanitizerCoverageLTO.so.cc
@@ -1787,14 +1787,16 @@ static void registerLTOPass(const PassManagerBuilder &,
}
+#if LLVM_VERSION_MAJOR < 16
static RegisterStandardPasses RegisterCompTransPass(
PassManagerBuilder::EP_OptimizerLast, registerLTOPass);
static RegisterStandardPasses RegisterCompTransPass0(
PassManagerBuilder::EP_EnabledOnOptLevel0, registerLTOPass);
-#if LLVM_VERSION_MAJOR >= 11
+ #if LLVM_VERSION_MAJOR >= 11
static RegisterStandardPasses RegisterCompTransPassLTO(
PassManagerBuilder::EP_FullLinkTimeOptimizationLast, registerLTOPass);
+ #endif
#endif
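Review bot: With `LLVM_VERSION_MAJOR >= 16` all three `RegisterStandardPasses` objects are compiled out, so on those versions the LTO pass is no longer registered through the legacy pass manager at all; that is only correct if the file also registers with the new pass manager (a `llvmGetPassPluginInfo` entry point, as the cmplog passes have), which is not visible in this hunk. A one-line comment on the new `#if`, e.g. `// legacy PM extension points were removed in LLVM 16; new-PM registration covers those versions`, would record that dependency. The mixed `LLVM_VERSION_MAJOR`/`LLVM_MAJOR` spelling used across these passes makes such version gates easy to get wrong.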
--
From be96253f5293a0446aae8b2f1795119456c0d5d5 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Fri, 31 Mar 2023 11:02:27 +0200
Subject: nits
---
instrumentation/SanitizerCoverageLTO.so.cc | 2 ++
instrumentation/afl-compiler-rt.o.c | 11 ++++++-----
src/afl-fuzz-bitmap.c | 10 +++++++---
src/afl-fuzz-one.c | 6 +++---
4 files changed, 18 insertions(+), 11 deletions(-)
(limited to 'instrumentation')
diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc
index 85f13c19..9691f17f 100644
--- a/instrumentation/SanitizerCoverageLTO.so.cc
+++ b/instrumentation/SanitizerCoverageLTO.so.cc
@@ -431,6 +431,8 @@ bool ModuleSanitizerCoverageLTO::instrumentModule(
if ((afl_global_id = atoi(ptr)) < 0)
FATAL("AFL_LLVM_LTO_STARTID value of \"%s\" is negative\n", ptr);
+ if (afl_global_id < 4) { afl_global_id = 4; }
+
if ((ptr = getenv("AFL_LLVM_DOCUMENT_IDS")) != NULL) {
dFile.open(ptr, std::ofstream::out | std::ofstream::app);
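Review bot: `afl_global_id` is declared `uint32_t` (see the member list of ModuleSanitizerCoverageLTO earlier on this page), so `(afl_global_id = atoi(ptr)) < 0` can never be true: a negative `AFL_LLVM_LTO_STARTID` wraps to a huge id, passes the existing check, and the new `< 4` clamp does not catch it either. Parse into a signed temporary and test that, e.g. `int v = atoi(ptr); if (v < 0) { FATAL("AFL_LLVM_LTO_STARTID value of \"%s\" is negative\n", ptr); } afl_global_id = (uint32_t)v;` and then apply the clamp. The minimum of 4 here should also be reconciled with the runtime change in the same commit, where afl-compiler-rt.o.c moves its reserved range to 5 (`offset = 5`, `__afl_final_loc = 5`); if both reserve the same low map entries they should agree. Silently raising a user-supplied 0–3 to 4 deserves at least a debug message.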
diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c
index a88396d4..26fc7256 100644
--- a/instrumentation/afl-compiler-rt.o.c
+++ b/instrumentation/afl-compiler-rt.o.c
@@ -1536,7 +1536,7 @@ void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) {
}
- if (start == stop || *start) return;
+ if (start == stop || *start) { return; }
x = getenv("AFL_INST_RATIO");
if (x) {
@@ -1563,12 +1563,13 @@ void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) {
"[-] FATAL: forkserver is already up, but an instrumented dlopen() "
"library loaded afterwards. You must AFL_PRELOAD such libraries to "
"be able to fuzz them or LD_PRELOAD to run outside of afl-fuzz.\n"
- "To ignore this set AFL_IGNORE_PROBLEMS=1.\n");
+ "To ignore this set AFL_IGNORE_PROBLEMS=1 but this will be bad for "
+ "coverage.\n");
abort();
} else {
- static u32 offset = 4;
+ static u32 offset = 5;
while (start < stop) {
@@ -1582,7 +1583,7 @@ void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) {
}
- if (unlikely(++offset >= __afl_final_loc)) { offset = 4; }
+ if (unlikely(++offset >= __afl_final_loc)) { offset = 5; }
}
@@ -1596,7 +1597,7 @@ void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) {
to avoid duplicate calls (which can happen as an artifact of the underlying
implementation in LLVM). */
- if (__afl_final_loc < 3) __afl_final_loc = 3; // we skip the first 4 entries
+ if (__afl_final_loc < 5) __afl_final_loc = 5; // we skip the first 5 entries
*(start++) = ++__afl_final_loc;
diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c
index d9c792d1..556bb5d1 100644
--- a/src/afl-fuzz-bitmap.c
+++ b/src/afl-fuzz-bitmap.c
@@ -465,7 +465,8 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
u8 fn[PATH_MAX];
u8 *queue_fn = "";
- u8 new_bits = 0, keeping = 0, res, classified = 0, is_timeout = 0;
+ u8 new_bits = 0, keeping = 0, res, classified = 0, is_timeout = 0,
+ need_hash = 1;
s32 fd;
u64 cksum = 0;
@@ -477,6 +478,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
classify_counts(&afl->fsrv);
classified = 1;
+ need_hash = 0;
cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
@@ -499,6 +501,8 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
new_bits = has_new_bits_unclassified(afl, afl->virgin_bits);
+ if (unlikely(new_bits)) { classified = 1; }
+
}
if (likely(!new_bits)) {
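Review bot: The new `classified = 1` after `has_new_bits_unclassified()` relies on that function classifying `trace_bits` in place whenever it reports new bits; nothing in the hunk shows that contract, and if `classified` is later used to decide whether to classify counts again, a wrong assumption here would silently skip it. A comment at that line, `/* has_new_bits_unclassified() classifies the trace in place when it finds new bits */`, plus a matching note on the callee, would pin the contract down. With `need_hash` now carrying the checksum state, any remaining reader of `classified` is outside this hunk; confirm one still exists, otherwise the flag can go. save_if_interesting() starts and ends outside the hunk.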
@@ -565,12 +569,12 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
}
- if (unlikely(!classified && new_bits)) {
+ if (unlikely(need_hash && new_bits)) {
/* due to classify counts we have to recalculate the checksum */
afl->queue_top->exec_cksum =
hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
- classified = 1;
+ need_hash = 0;
}
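Review bot: `need_hash` and `classified` now mean different things but nothing says so: `need_hash` is cleared only on the `classify_counts` path (L2404), whereas the L2408 hunk sets `classified = 1` without touching `need_hash`, so the checksum below is still recomputed after new bits were found by the unclassified check. A comment at the declaration would make that explicit, e.g. `need_hash = 1; /* exec_cksum still has to be computed from the classified map */`. `save_if_interesting` continues outside these hunks.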
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index 070669c5..eec5e4b5 100644
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@@ -2071,7 +2071,7 @@ havoc_stage:
afl->stage_short = "havoc";
afl->stage_max = ((doing_det ? HAVOC_CYCLES_INIT : HAVOC_CYCLES) *
perf_score / afl->havoc_div) >>
- 7;
+ 8;
} else {
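Review bot: The stage budget is halved by changing the shift from 7 to 8 as an unnamed literal here and again at L2438 and L2445 (the MOpt path), so the three can silently drift apart on the next tuning pass. A named constant next to `HAVOC_CYCLES`/`SPLICE_HAVOC` used in all three expressions would keep them in step and document why the divisor changed. The enclosing stage code starts and ends outside these hunks.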
@@ -2080,7 +2080,7 @@ havoc_stage:
snprintf(afl->stage_name_buf, STAGE_BUF_SIZE, "splice %u", splice_cycle);
afl->stage_name = afl->stage_name_buf;
afl->stage_short = "splice";
- afl->stage_max = (SPLICE_HAVOC * perf_score / afl->havoc_div) >> 7;
+ afl->stage_max = (SPLICE_HAVOC * perf_score / afl->havoc_div) >> 8;
}
@@ -4640,7 +4640,7 @@ pacemaker_fuzzing:
MOpt_globals.splice_stageformat, splice_cycle);
afl->stage_name = afl->stage_name_buf;
afl->stage_short = MOpt_globals.splice_stagenameshort;
- afl->stage_max = (SPLICE_HAVOC * perf_score / afl->havoc_div) >> 7;
+ afl->stage_max = (SPLICE_HAVOC * perf_score / afl->havoc_div) >> 8;
}
From a01138e1c822b97cf187bfcad9938597bf3edc1e Mon Sep 17 00:00:00 2001
From: nj00001 <42004790+nj00001@users.noreply.github.com>
Date: Mon, 3 Apr 2023 15:32:52 +0800
Subject: fix getOperand out of range
This commit fixes a sloppy call that should check the operand count before calling getOperand. The fix is that if the count is 0, the loop continues with the next entry.
I solved problem https://github.com/AFLplusplus/AFLplusplus/issues/1688#issue-1648543691 using this modification
---
instrumentation/afl-llvm-common.cc | 3 +++
1 file changed, 3 insertions(+)
diff --git a/instrumentation/afl-llvm-common.cc b/instrumentation/afl-llvm-common.cc
index dc34d191..de334fb7 100644
--- a/instrumentation/afl-llvm-common.cc
+++ b/instrumentation/afl-llvm-common.cc
@@ -289,6 +289,9 @@ void scanForDangerousFunctions(llvm::Module *M) {
StringRef ifunc_name = IF.getName();
Constant *r = IF.getResolver();
+ if(r->getNumOperands() == 0){
+ continue ;
+ }
StringRef r_name = cast(r->getOperand(0))->getName();
if (!be_quiet)
fprintf(stderr,
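Review bot: The new guard only covers the zero-operand case; the `cast(r->getOperand(0))` on the next line (template argument lost in rendering) still asserts if operand 0 is not of the expected type, which the issue-1688 report suggests is the kind of input that reached here. Using `dyn_cast` with a null check, `if (!fn) { continue; }`, would turn that remaining assertion into a skip like the one this commit adds. `scanForDangerousFunctions` continues outside the hunk.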
From a0818c4fceff67e2cff986432c98e3ac1211bdd8 Mon Sep 17 00:00:00 2001
From: David CARLIER
Date: Mon, 10 Apr 2023 12:38:26 +0100
Subject: LLVM instrumentation disable build warning.
Since clang 16 is the version shipped with Ubuntu 23.04/Fedora 38, and this is easy enough to fix.
---
instrumentation/SanitizerCoverageLTO.so.cc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc
index 9691f17f..b024179a 100644
--- a/instrumentation/SanitizerCoverageLTO.so.cc
+++ b/instrumentation/SanitizerCoverageLTO.so.cc
@@ -1781,6 +1781,7 @@ INITIALIZE_PASS_END(ModuleSanitizerCoverageLTOLegacyPass, "sancov-lto",
"Pass for instrumenting coverage on functions", false,
false)
+#if LLVM_VERSION_MAJOR < 16
static void registerLTOPass(const PassManagerBuilder &,
legacy::PassManagerBase &PM) {
@@ -1789,7 +1790,6 @@ static void registerLTOPass(const PassManagerBuilder &,
}
-#if LLVM_VERSION_MAJOR < 16
static RegisterStandardPasses RegisterCompTransPass(
PassManagerBuilder::EP_OptimizerLast, registerLTOPass);
From 743ae507756db0707a213cd8272b219b0de0f514 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Wed, 12 Apr 2023 10:53:23 +0200
Subject: nits
---
GNUmakefile | 2 +-
instrumentation/afl-llvm-common.cc | 4 +---
utils/aflpp_driver/GNUmakefile | 4 ----
utils/aflpp_driver/aflpp_driver.c | 8 +++++---
4 files changed, 7 insertions(+), 11 deletions(-)
diff --git a/GNUmakefile b/GNUmakefile
index 72da14ea..208e965b 100644
--- a/GNUmakefile
+++ b/GNUmakefile
@@ -196,7 +196,7 @@ ifeq "$(PYTHON_INCLUDE)" ""
ifneq "$(shell command -v python3-config 2>/dev/null)" ""
PYTHON_INCLUDE ?= $(shell python3-config --includes)
PYTHON_VERSION ?= $(strip $(shell python3 --version 2>&1))
- # Starting with python3.8, we need to pass the `embed` flag. Earier versions didn't know this flag.
+ # Starting with python3.8, we need to pass the `embed` flag. Earlier versions didn't know this flag.
ifeq "$(shell python3-config --embed --libs 2>/dev/null | grep -q lpython && echo 1 )" "1"
PYTHON_LIB ?= $(shell python3-config --libs --embed --ldflags)
else
diff --git a/instrumentation/afl-llvm-common.cc b/instrumentation/afl-llvm-common.cc
index de334fb7..5d82aa25 100644
--- a/instrumentation/afl-llvm-common.cc
+++ b/instrumentation/afl-llvm-common.cc
@@ -289,9 +289,7 @@ void scanForDangerousFunctions(llvm::Module *M) {
StringRef ifunc_name = IF.getName();
Constant *r = IF.getResolver();
- if(r->getNumOperands() == 0){
- continue ;
- }
+ if (r->getNumOperands() == 0) { continue; }
StringRef r_name = cast(r->getOperand(0))->getName();
if (!be_quiet)
fprintf(stderr,
diff --git a/utils/aflpp_driver/GNUmakefile b/utils/aflpp_driver/GNUmakefile
index 409789cb..b973f96a 100644
--- a/utils/aflpp_driver/GNUmakefile
+++ b/utils/aflpp_driver/GNUmakefile
@@ -20,10 +20,6 @@ endif
CFLAGS := -O3 -funroll-loops -g -fPIC
-ifdef MAGMA_PATCH
- CFLAGS += -DMAGMA_PATCH
-endif
-
all: libAFLDriver.a libAFLQemuDriver.a aflpp_qemu_driver_hook.so
aflpp_driver.o: aflpp_driver.c
diff --git a/utils/aflpp_driver/aflpp_driver.c b/utils/aflpp_driver/aflpp_driver.c
index 5fef4730..ec304c8c 100644
--- a/utils/aflpp_driver/aflpp_driver.c
+++ b/utils/aflpp_driver/aflpp_driver.c
@@ -1,8 +1,10 @@
//
-// afl_driver.cpp - a glue between AFL++ and libFuzzer
+// afl_driver.cpp - a glue between AFL++ and LLVMFuzzerTestOneInput harnesses
//
-/* This file allows to fuzz libFuzzer-style target functions
+/*
+
+ This file allows to fuzz libFuzzer-style target functions
(LLVMFuzzerTestOneInput) with AFL++ using persistent in-memory fuzzing.
Usage:
@@ -26,7 +28,7 @@ EOF
# Build your target with afl-cc -fsanitize=fuzzer
$ afl-c++ -fsanitize=fuzzer -o test_fuzzer test_fuzzer.cc
# Run AFL:
-$ rm -rf in out; mkdir in out; echo z > in/foo;
+$ mkdir -p in ; echo z > in/foo;
$ afl-fuzz -i in -o out -- ./test_fuzzer
*/
From d304f4e4f190409e9b1cc6993355128673eb0c3b Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Wed, 12 Apr 2023 11:24:56 +0200
Subject: update lto doc
---
instrumentation/README.lto.md | 126 ++++++++++++++----------------------------
1 file changed, 43 insertions(+), 83 deletions(-)
diff --git a/instrumentation/README.lto.md b/instrumentation/README.lto.md
index a1c2f44a..df59cc2a 100644
--- a/instrumentation/README.lto.md
+++ b/instrumentation/README.lto.md
@@ -2,36 +2,37 @@
## TL;DR:
-This version requires a current llvm 11+ compiled from the GitHub master.
+This version requires a LLVM 11 or newer.
-1. Use afl-clang-lto/afl-clang-lto++ because it is faster and gives better
- coverage than anything else that is out there in the AFL world.
+1. Use afl-clang-lto/afl-clang-lto++ because the resulting binaries run
+ slightly faster and give better coverage.
-2. You can use it together with llvm_mode: laf-intel and the instrument file
- listing features and can be combined with cmplog/Redqueen.
+2. You can use it together with COMPCOV, COMPLOG and the instrument file
+ listing features.
-3. It only works with llvm 11+.
+3. It only works with LLVM 11 or newer.
-4. AUTODICTIONARY feature (see below)!
+4. AUTODICTIONARY feature (see below)
-5. If any problems arise, be sure to set `AR=llvm-ar RANLIB=llvm-ranlib`. Some
- targets might need `LD=afl-clang-lto` and others `LD=afl-ld-lto`.
+5. If any problems arise, be sure to set `AR=llvm-ar RANLIB=llvm-ranlib AS=llvm-as`.
+ Some targets might need `LD=afl-clang-lto` and others `LD=afl-ld-lto`.
## Introduction and problem description
-A big issue with how AFL++ works is that the basic block IDs that are set during
-compilation are random - and hence naturally the larger the number of
-instrumented locations, the higher the number of edge collisions are in the map.
-This can result in not discovering new paths and therefore degrade the
+A big issue with how vanilla AFL worked was that the basic block IDs that are
+set during compilation are random - and hence naturally the larger the number
+of instrumented locations, the higher the number of edge collisions are in the
+map. This can result in not discovering new paths and therefore degrade the
efficiency of the fuzzing process.
-*This issue is underestimated in the fuzzing community!* With a 2^16 = 64kb
+*This issue is underestimated in the fuzzing community* With a 2^16 = 64kb
standard map at already 256 instrumented blocks, there is on average one
collision. On average, a target has 10.000 to 50.000 instrumented blocks, hence
the real collisions are between 750-18.000!
-To reach a solution that prevents any collisions took several approaches and
-many dead ends until we got to this:
+Note that PCGUARD (our own modified implementation and the SANCOV PCGUARD
+implementation from libfuzzer) also provides collision free coverage.
+It is a bit slower though and can a few targets with very early constructors.
* We instrument at link time when we have all files pre-compiled.
* To instrument at link time, we compile in LTO (link time optimization) mode.
@@ -45,9 +46,9 @@ many dead ends until we got to this:
The result:
* 10-25% speed gain compared to llvm_mode
-* guaranteed non-colliding edge coverage :-)
+* guaranteed non-colliding edge coverage
* The compile time, especially for binaries to an instrumented library, can be
- much longer.
+ much (and sometimes much much) longer.
Example build output from a libtiff build:
@@ -59,71 +60,30 @@ AUTODICTIONARY: 11 strings found
[+] Instrumented 12071 locations with no collisions (on average 1046 collisions would be in afl-gcc/afl-clang-fast) (non-hardened mode).
```
-## Getting llvm 11+
+## Getting LLVM 11+
-### Installing llvm version 11 or 12
+### Installing llvm
-llvm 11 or even 12 should be available in all current Linux repositories. If you
-use an outdated Linux distribution, read the next section.
-
-### Installing llvm from the llvm repository (version 12+)
-
-Installing the llvm snapshot builds is easy and mostly painless:
-
-In the following line, change `NAME` for your Debian or Ubuntu release name
-(e.g., buster, focal, eon, etc.):
+The best way to install LLVM is to follow [https://apt.llvm.org/](https://apt.llvm.org/)
+e.g. for LLVM 15:
```
-echo deb http://apt.llvm.org/NAME/ llvm-toolchain-NAME NAME >> /etc/apt/sources.list
+wget https://apt.llvm.org/llvm.sh
+chmod +x llvm.sh
+sudo ./llvm.sh 15 all
```
-Then add the pgp key of llvm and install the packages:
+LLVM 11 to 16 should be available in all current Linux repositories.
-```
-wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add -
-apt-get update && apt-get upgrade -y
-apt-get install -y clang-12 clang-tools-12 libc++1-12 libc++-12-dev \
- libc++abi1-12 libc++abi-12-dev libclang1-12 libclang-12-dev \
- libclang-common-12-dev libclang-cpp12 libclang-cpp12-dev liblld-12 \
- liblld-12-dev liblldb-12 liblldb-12-dev libllvm12 libomp-12-dev \
- libomp5-12 lld-12 lldb-12 llvm-12 llvm-12-dev llvm-12-runtime llvm-12-tools
-```
+## How to build afl-clang-lto
+
+That part is easy.
+Just set `LLVM_CONFIG` to the llvm-config-VERSION and build AFL++, e.g. for
+LLVM 15:
-### Building llvm yourself (version 12+)
-
-Building llvm from GitHub takes quite some time and is not painless:
-
-```sh
-sudo apt install binutils-dev # this is *essential*!
-git clone --depth=1 https://github.com/llvm/llvm-project
-cd llvm-project
-mkdir build
-cd build
-
-# Add -G Ninja if ninja-build installed
-# "Building with ninja significantly improves your build time, especially with
-# incremental builds, and improves your memory usage."
-cmake \
- -DCLANG_INCLUDE_DOCS="OFF" \
- -DCMAKE_BUILD_TYPE=Release \
- -DLLVM_BINUTILS_INCDIR=/usr/include/ \
- -DLLVM_BUILD_LLVM_DYLIB="ON" \
- -DLLVM_ENABLE_BINDINGS="OFF" \
- -DLLVM_ENABLE_PROJECTS='clang;compiler-rt;libcxx;libcxxabi;libunwind;lld' \
- -DLLVM_ENABLE_WARNINGS="OFF" \
- -DLLVM_INCLUDE_BENCHMARKS="OFF" \
- -DLLVM_INCLUDE_DOCS="OFF" \
- -DLLVM_INCLUDE_EXAMPLES="OFF" \
- -DLLVM_INCLUDE_TESTS="OFF" \
- -DLLVM_LINK_LLVM_DYLIB="ON" \
- -DLLVM_TARGETS_TO_BUILD="host" \
- ../llvm/
-# NOTE: for llvm 16 this needs to be changed to:
-# -DLLVM_ENABLE_PROJECTS='clang;compiler-rt;lld' \
-# -DLLVM_ENABLE_RUNTIMES='libcxx;libcxxabi' \
-cmake --build . -j4
-export LLVM_CONFIG="$(pwd)/bin/llvm-config"
-cd /path/to/AFLplusplus/
+```
+cd ~/AFLplusplus
+export LLVM_CONFIG=llvm-config-15
make
sudo make install
```
@@ -136,10 +96,10 @@ Also, the instrument file listing (AFL_LLVM_ALLOWLIST/AFL_LLVM_DENYLIST ->
[README.instrument_list.md](README.instrument_list.md)) and laf-intel/compcov
(AFL_LLVM_LAF_* -> [README.laf-intel.md](README.laf-intel.md)) work.
-Example:
+Example (note that you might need to add the version, e.g. `llvm-ar-15`:
```
-CC=afl-clang-lto CXX=afl-clang-lto++ RANLIB=llvm-ranlib AR=llvm-ar ./configure
+CC=afl-clang-lto CXX=afl-clang-lto++ RANLIB=llvm-ranlib AR=llvm-ar AS=llvm-as ./configure
make
```
@@ -317,13 +277,13 @@ AS=llvm-as ...
afl-clang-lto is still work in progress.
Known issues:
-* Anything that llvm 11+ cannot compile, afl-clang-lto cannot compile either -
+* Anything that LLVM 11+ cannot compile, afl-clang-lto cannot compile either -
obviously.
* Anything that does not compile with LTO, afl-clang-lto cannot compile either -
obviously.
Hence, if building a target with afl-clang-lto fails, try to build it with
-llvm12 and LTO enabled (`CC=clang-12`, `CXX=clang++-12`, `CFLAGS=-flto=full`,
+LLVM 12 and LTO enabled (`CC=clang-12`, `CXX=clang++-12`, `CFLAGS=-flto=full`,
and `CXXFLAGS=-flto=full`).
If this succeeds, then there is an issue with afl-clang-lto. Please report at
@@ -341,7 +301,7 @@ knows what this is doing. And the developer who implemented this didn't respond
to emails.)
In December then came the idea to implement this as a pass that is run via the
-llvm "opt" program, which is performed via an own linker that afterwards calls
+LLVM "opt" program, which is performed via an own linker that afterwards calls
the real linker. This was first implemented in January and work ... kinda. The
LTO time instrumentation worked, however, "how" the basic blocks were
instrumented was a problem, as reducing duplicates turned out to be very, very
@@ -353,13 +313,13 @@ dead-end too.
The final idea to solve this came from domenukk who proposed to insert a block
into an edge and then just use incremental counters ... and this worked! After
some trials and errors to implement this vanhauser-thc found out that there is
-actually an llvm function for this: SplitEdge() :-)
+actually an LLVM function for this: SplitEdge() :-)
-Still more problems came up though as this only works without bugs from llvm 9
+Still more problems came up though as this only works without bugs from LLVM 9
onwards, and with high optimization the link optimization ruins the instrumented
control flow graph.
-This is all now fixed with llvm 11+. The llvm's own linker is now able to load
+This is all now fixed with LLVM 11+. The llvm's own linker is now able to load
passes and this bypasses all problems we had.
Happy end :)
From 824385f52ce3133ecd033e587aa1a3b324adf76c Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Wed, 12 Apr 2023 14:03:29 +0200
Subject: make llvm 17 work
---
docs/Changelog.md | 2 +-
instrumentation/SanitizerCoverageLTO.so.cc | 2 ++
instrumentation/SanitizerCoveragePCGUARD.so.cc | 2 ++
3 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/docs/Changelog.md b/docs/Changelog.md
index 40c328ec..736deb30 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -16,7 +16,7 @@
- print name of custom mutator in UI
- afl-cc:
- add CFI sanitizer variant to gcc targets
- - llvm 16 support (thanks to @devnexen!)
+ - llvm 16 + 17 support (thanks to @devnexen!)
- support llvm 15 native pcguard changes
- support for LLVMFuzzerTestOneInput -1 return
- qemu_mode:
diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc
index b024179a..5603c455 100644
--- a/instrumentation/SanitizerCoverageLTO.so.cc
+++ b/instrumentation/SanitizerCoverageLTO.so.cc
@@ -17,7 +17,9 @@
#include "llvm/Transforms/Instrumentation/SanitizerCoverage.h"
#include "llvm/ADT/ArrayRef.h"
#include "llvm/ADT/SmallVector.h"
+#if LLVM_VERSION_MAJOR < 17
#include "llvm/ADT/Triple.h"
+#endif
#include "llvm/Analysis/EHPersonalities.h"
#include "llvm/Analysis/PostDominators.h"
#include "llvm/Analysis/ValueTracking.h"
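Review bot: The include is guarded out for LLVM 17 but no replacement is added, so if this file uses `Triple` it now relies on a transitive include; the header moved to `llvm/TargetParser/Triple.h`, so an `#else` branch including that would make the dependency explicit, `#else` / `#include "llvm/TargetParser/Triple.h"` / `#endif`. The same applies to the identical hunk in SanitizerCoveragePCGUARD.so.cc at L3811–L3813 of this page. Whether `Triple` is referenced at all is not visible from the hunk.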
diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc
index c4a564f7..5f23698b 100644
--- a/instrumentation/SanitizerCoveragePCGUARD.so.cc
+++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc
@@ -13,7 +13,9 @@
#include "llvm/Transforms/Instrumentation/SanitizerCoverage.h"
#include "llvm/ADT/ArrayRef.h"
#include "llvm/ADT/SmallVector.h"
+#if LLVM_VERSION_MAJOR < 17
#include "llvm/ADT/Triple.h"
+#endif
#include "llvm/Analysis/EHPersonalities.h"
#include "llvm/Analysis/PostDominators.h"
#include "llvm/IR/CFG.h"
From 6cc8d607fb24e060591ece4b42d83fc06de68fc6 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Thu, 13 Apr 2023 11:44:39 +0200
Subject: remove -z option, use -p mmopt instead
---
GNUmakefile | 2 +-
docs/Changelog.md | 2 +-
include/afl-fuzz.h | 3 +--
instrumentation/SanitizerCoverageLTO.so.cc | 2 +-
instrumentation/SanitizerCoveragePCGUARD.so.cc | 2 +-
src/afl-fuzz-queue.c | 14 ++++----------
src/afl-fuzz.c | 7 +------
7 files changed, 10 insertions(+), 22 deletions(-)
diff --git a/GNUmakefile b/GNUmakefile
index 208e965b..85f164f5 100644
--- a/GNUmakefile
+++ b/GNUmakefile
@@ -546,7 +546,7 @@ ifndef AFL_NO_X86
test_build: afl-cc afl-gcc afl-as afl-showmap
@echo "[*] Testing the CC wrapper afl-cc and its instrumentation output..."
@unset AFL_MAP_SIZE AFL_USE_UBSAN AFL_USE_CFISAN AFL_USE_LSAN AFL_USE_ASAN AFL_USE_MSAN; ASAN_OPTIONS=detect_leaks=0 AFL_INST_RATIO=100 AFL_PATH=. ./afl-cc test-instr.c $(LDFLAGS) -o test-instr 2>&1 || (echo "Oops, afl-cc failed"; exit 1 )
- - ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -o .test-instr0 ./test-instr < /dev/null
+ -ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -q -m none -o .test-instr0 ./test-instr < /dev/null
-echo 1 | ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr1 ./test-instr
@rm -f test-instr
@cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation of afl-cc does not seem to be behaving correctly!"; echo; echo "Please post to https://github.com/AFLplusplus/AFLplusplus/issues to troubleshoot the issue."; echo; exit 1; fi
diff --git a/docs/Changelog.md b/docs/Changelog.md
index 736deb30..501300b1 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -12,7 +12,7 @@
- fixed a crash in pizza (1st april easter egg) mode. Sorry for
everyone who was affected!
- allow pizza mode to be disabled when AFL_PIZZA_MODE is set to -1
- - add -z switch to prefer new coverage findings in seed selection
+ - option `-p mmopt` now also selects new queue items more often
- print name of custom mutator in UI
- afl-cc:
- add CFI sanitizer variant to gcc targets
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index 7ff3315b..5fd393dd 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -501,8 +501,7 @@ typedef struct afl_state {
custom_splice_optout, /* Custom mutator no splice buffer */
is_main_node, /* if this is the main node */
is_secondary_node, /* if this is a secondary instance */
- pizza_is_served, /* pizza mode */
- prefer_new; /* prefer new queue entries */
+ pizza_is_served; /* pizza mode */
u32 stats_update_freq; /* Stats update frequency (execs) */
diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc
index 5603c455..e41f19b6 100644
--- a/instrumentation/SanitizerCoverageLTO.so.cc
+++ b/instrumentation/SanitizerCoverageLTO.so.cc
@@ -18,7 +18,7 @@
#include "llvm/ADT/ArrayRef.h"
#include "llvm/ADT/SmallVector.h"
#if LLVM_VERSION_MAJOR < 17
-#include "llvm/ADT/Triple.h"
+ #include "llvm/ADT/Triple.h"
#endif
#include "llvm/Analysis/EHPersonalities.h"
#include "llvm/Analysis/PostDominators.h"
diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc
index 5f23698b..85b1ddd5 100644
--- a/instrumentation/SanitizerCoveragePCGUARD.so.cc
+++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc
@@ -14,7 +14,7 @@
#include "llvm/ADT/ArrayRef.h"
#include "llvm/ADT/SmallVector.h"
#if LLVM_VERSION_MAJOR < 17
-#include "llvm/ADT/Triple.h"
+ #include "llvm/ADT/Triple.h"
#endif
#include "llvm/Analysis/EHPersonalities.h"
#include "llvm/Analysis/PostDominators.h"
diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c
index 6fc3c743..8ad7cd97 100644
--- a/src/afl-fuzz-queue.c
+++ b/src/afl-fuzz-queue.c
@@ -149,21 +149,15 @@ void create_alias_table(afl_state_t *afl) {
}
- if (unlikely(afl->prefer_new) && afl->queued_discovered) {
+ if (unlikely(afl->schedule == MMOPT) && afl->queued_discovered) {
- double avg_weight = sum / active;
+ u32 cnt = afl->queued_discovered >= 5 ? 5 : afl->queued_discovered;
- for (i = n - afl->queued_discovered; i < n; i++) {
+ for (i = n - cnt; i < n; i++) {
struct queue_entry *q = afl->queue_buf[i];
- if (likely(!q->disabled) && q->weight > avg_weight) {
-
- double prev_weight = q->weight;
- q->weight *= (2.0 * (i / n));
- sum += (q->weight - prev_weight);
-
- }
+ if (likely(!q->disabled)) { q->weight *= 2.0; }
}
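Review bot: The removed lines kept the running total in sync (`sum += (q->weight - prev_weight)`), but the new `q->weight *= 2.0` does not adjust `sum`; if `sum` is still used after this loop to normalise the alias table (its later use is outside the hunk), the table is now built from a stale total. Either accumulate the delta again, `sum += q->weight;` after the doubling with the old value subtracted, or add a comment stating that `sum` is not needed past this point. The `5` for the number of most-recent entries is also a bare literal; a named constant would document the choice. `create_alias_table` continues outside the hunk.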
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index a0c322da..5ba54d0b 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -132,7 +132,6 @@ static void usage(u8 *argv0, int more_help) {
" fast(default), explore, exploit, seek, rare, mmopt, "
"coe, lin\n"
" quad -- see docs/FAQ.md for more information\n"
- " -z - prefer new coverage findings when fuzzing\n"
" -f file - location read by the fuzzed program (default: stdin "
"or @@)\n"
" -t msec - timeout for each run (auto-scaled, default %u ms). "
@@ -556,7 +555,7 @@ int main(int argc, char **argv_orig, char **envp) {
while (
(opt = getopt(
argc, argv,
- "+Ab:B:c:CdDe:E:hi:I:f:F:g:G:l:L:m:M:nNOo:p:RQs:S:t:T:UV:WXx:YzZ")) >
+ "+Ab:B:c:CdDe:E:hi:I:f:F:g:G:l:L:m:M:nNOo:p:RQs:S:t:T:UV:WXx:YZ")) >
0) {
switch (opt) {
@@ -569,10 +568,6 @@ int main(int argc, char **argv_orig, char **envp) {
afl->max_length = atoi(optarg);
break;
- case 'z':
- afl->prefer_new = 1;
- break;
-
case 'Z':
afl->old_seed_selection = 1;
break;
From 120d009e7d7c425019e984c29e027af710a0a7df Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Sat, 15 Apr 2023 11:36:58 +0200
Subject: wasm support
---
GNUmakefile | 1 +
GNUmakefile.llvm | 5 +++++
instrumentation/afl-compiler-rt.o.c | 2 +-
instrumentation/afl-llvm-pass.so.cc | 10 +++++-----
4 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/GNUmakefile b/GNUmakefile
index 85f164f5..5bc3f9d5 100644
--- a/GNUmakefile
+++ b/GNUmakefile
@@ -388,6 +388,7 @@ help:
@echo NO_NYX - disable building nyx mode dependencies
@echo "NO_CORESIGHT - disable building coresight (arm64 only)"
@echo NO_UNICORN_ARM64 - disable building unicorn on arm64
+ @echo "WAFL_MODE - enable for WASM fuzzing with https://github.com/fgsect/WAFL"
@echo AFL_NO_X86 - if compiling on non-intel/amd platforms
@echo "LLVM_CONFIG - if your distro doesn't use the standard name for llvm-config (e.g., Debian)"
@echo "=========================================="
diff --git a/GNUmakefile.llvm b/GNUmakefile.llvm
index 09e9b5be..a053403b 100644
--- a/GNUmakefile.llvm
+++ b/GNUmakefile.llvm
@@ -294,6 +294,11 @@ endif
CLANG_CPPFL = `$(LLVM_CONFIG) --cxxflags` -fno-rtti -fPIC $(CXXFLAGS) -Wno-deprecated-declarations
CLANG_LFL = `$(LLVM_CONFIG) --ldflags` $(LDFLAGS)
+# wasm fuzzing: disable thread-local storage and unset LLVM debug flag
+ifdef WAFL_MODE
+ $(info Compiling libraries for use with WAVM)
+ CLANG_CPPFL += -DNDEBUG -DNO_TLS
+endif
# User teor2345 reports that this is required to make things work on MacOS X.
ifeq "$(SYS)" "Darwin"
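Review bot: `-DNDEBUG` does more than the comment says: besides LLVM's debug macros it compiles out every `assert()` in AFL++'s own pass and runtime sources built with `CLANG_CPPFL`, so WAFL_MODE builds lose those internal checks. The comment should state that, e.g. `# NDEBUG also disables assert() in our own passes and runtime`, or the define should be narrowed if only LLVM's debug checks are the problem.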
diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c
index 26fc7256..e0e40983 100644
--- a/instrumentation/afl-compiler-rt.o.c
+++ b/instrumentation/afl-compiler-rt.o.c
@@ -113,7 +113,7 @@ int __afl_selective_coverage __attribute__((weak));
int __afl_selective_coverage_start_off __attribute__((weak));
static int __afl_selective_coverage_temp = 1;
-#if defined(__ANDROID__) || defined(__HAIKU__)
+#if defined(__ANDROID__) || defined(__HAIKU__) || defined(NO_TLS)
PREV_LOC_T __afl_prev_loc[NGRAM_SIZE_MAX];
PREV_LOC_T __afl_prev_caller[CTX_MAX_K];
u32 __afl_prev_ctx;
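Review bot: The condition `defined(__ANDROID__) || defined(__HAIKU__) || defined(NO_TLS)` is now repeated here and in five hunks of afl-llvm-pass.so.cc (L3008, L3016, L3025, L3033, L3042 on this page), so the next platform that needs non-TLS storage has to be added in six places. A single feature macro derived once from those three, e.g. `#define AFL_NO_TLS` under that condition in a shared header, with the six sites testing `#ifdef AFL_NO_TLS`, would keep the pass and the runtime in agreement, which matters because a mismatch between them changes how `__afl_prev_loc`/`__afl_prev_ctx` are laid out.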
diff --git a/instrumentation/afl-llvm-pass.so.cc b/instrumentation/afl-llvm-pass.so.cc
index e8d0b1e5..c59324fd 100644
--- a/instrumentation/afl-llvm-pass.so.cc
+++ b/instrumentation/afl-llvm-pass.so.cc
@@ -413,7 +413,7 @@ bool AFLCoverage::runOnModule(Module &M) {
GlobalVariable *AFLContext = NULL;
if (ctx_str || caller_str)
-#if defined(__ANDROID__) || defined(__HAIKU__)
+#if defined(__ANDROID__) || defined(__HAIKU__) || defined(NO_TLS)
AFLContext = new GlobalVariable(
M, Int32Ty, false, GlobalValue::ExternalLinkage, 0, "__afl_prev_ctx");
#else
@@ -424,7 +424,7 @@ bool AFLCoverage::runOnModule(Module &M) {
#ifdef AFL_HAVE_VECTOR_INTRINSICS
if (ngram_size)
- #if defined(__ANDROID__) || defined(__HAIKU__)
+ #if defined(__ANDROID__) || defined(__HAIKU__) || defined(NO_TLS)
AFLPrevLoc = new GlobalVariable(
M, PrevLocTy, /* isConstant */ false, GlobalValue::ExternalLinkage,
/* Initializer */ nullptr, "__afl_prev_loc");
@@ -437,7 +437,7 @@ bool AFLCoverage::runOnModule(Module &M) {
#endif
else
#endif
-#if defined(__ANDROID__) || defined(__HAIKU__)
+#if defined(__ANDROID__) || defined(__HAIKU__) || defined(NO_TLS)
AFLPrevLoc = new GlobalVariable(
M, Int32Ty, false, GlobalValue::ExternalLinkage, 0, "__afl_prev_loc");
#else
@@ -448,7 +448,7 @@ bool AFLCoverage::runOnModule(Module &M) {
#ifdef AFL_HAVE_VECTOR_INTRINSICS
if (ctx_k)
- #if defined(__ANDROID__) || defined(__HAIKU__)
+ #if defined(__ANDROID__) || defined(__HAIKU__) || defined(NO_TLS)
AFLPrevCaller = new GlobalVariable(
M, PrevCallerTy, /* isConstant */ false, GlobalValue::ExternalLinkage,
/* Initializer */ nullptr, "__afl_prev_caller");
@@ -461,7 +461,7 @@ bool AFLCoverage::runOnModule(Module &M) {
#endif
else
#endif
-#if defined(__ANDROID__) || defined(__HAIKU__)
+#if defined(__ANDROID__) || defined(__HAIKU__) || defined(NO_TLS)
AFLPrevCaller =
new GlobalVariable(M, Int32Ty, false, GlobalValue::ExternalLinkage, 0,
"__afl_prev_caller");
From 531380d6ab9d2467d174ae45dcfa64bbf12230c0 Mon Sep 17 00:00:00 2001
From: Keno Hassler <40292329+kenohassler@users.noreply.github.com>
Date: Mon, 24 Apr 2023 17:46:56 +0200
Subject: llvm-lto: allow skipping initialization
---
instrumentation/SanitizerCoverageLTO.so.cc | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc
index e41f19b6..42583f9e 100644
--- a/instrumentation/SanitizerCoverageLTO.so.cc
+++ b/instrumentation/SanitizerCoverageLTO.so.cc
@@ -1005,7 +1005,8 @@ bool ModuleSanitizerCoverageLTO::instrumentModule(
// afl++ START
if (dFile.is_open()) dFile.close();
- if (!getenv("AFL_LLVM_LTO_DONTWRITEID") || dictionary.size() || map_addr) {
+ if (!getenv("AFL_LLVM_LTO_SKIPINIT") &&
+ (!getenv("AFL_LLVM_LTO_DONTWRITEID") || dictionary.size() || map_addr)) {
// yes we could create our own function, insert it into ctors ...
// but this would be a pain in the butt ... so we use afl-llvm-rt-lto.o
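Review bot: `AFL_LLVM_LTO_SKIPINIT` is read with `getenv` but, per the diffstat, this commit touches only the pass: the variable is not added to the `afl_environment_variables` list in include/envs.h (which a later commit on this page extends for a new variable) nor to docs/env_variables.md. If that list drives the unknown-env warning, users of the new variable will be told it is unknown; and the commit does not say what skipping the init means for the map-size/ID constructors that the skipped branch would otherwise emit. A one-line comment above the condition, `// AFL_LLVM_LTO_SKIPINIT: omit the afl-llvm-rt-lto.o initialisation entirely`, would help. `instrumentModule` continues outside the hunk.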
From f94a7e88902f1589b105e74ec1a36e3e3bf01f9e Mon Sep 17 00:00:00 2001
From: "Christian Holler (:decoder)"
Date: Tue, 25 Apr 2023 16:03:21 +0200
Subject: Add env var to ignore coverage from dynamically loaded code after
forkserver.
When using TRACEPC instrumentation and loading code dynamically (e.g. through dlopen()), it can be useful to completely ignore the loaded code, especially when it cannot be preloaded and is not the target to be tested.
This patch allows setting AFL_LLVM_IGNORE_PROBLEMS_COVERAGE=1 to do so.
---
instrumentation/afl-compiler-rt.o.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c
index e0e40983..74506e4c 100644
--- a/instrumentation/afl-compiler-rt.o.c
+++ b/instrumentation/afl-compiler-rt.o.c
@@ -1563,17 +1563,27 @@ void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) {
"[-] FATAL: forkserver is already up, but an instrumented dlopen() "
"library loaded afterwards. You must AFL_PRELOAD such libraries to "
"be able to fuzz them or LD_PRELOAD to run outside of afl-fuzz.\n"
- "To ignore this set AFL_IGNORE_PROBLEMS=1 but this will be bad for "
- "coverage.\n");
+ "To ignore this set AFL_IGNORE_PROBLEMS=1 but this will lead to "
+ "ambiguous coverage data.\n"
+ "In addition, you can set AFL_LLVM_IGNORE_PROBLEMS_COVERAGE=1 to "
+ "ignore the additional coverage instead (use with caution!).\n");
abort();
} else {
+ u8 ignore_dso_after_fs = !!getenv("AFL_LLVM_IGNORE_PROBLEMS_COVERAGE");
+ if (__afl_debug && ignore_dso_after_fs) {
+
+ fprintf(stderr, "Ignoring coverage from dynamically loaded code\n");
+
+ }
+
static u32 offset = 5;
while (start < stop) {
- if (likely(inst_ratio == 100) || R(100) < inst_ratio) {
+ if (!ignore_dso_after_fs &&
+ (likely(inst_ratio == 100) || R(100) < inst_ratio)) {
*(start++) = offset;
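Review bot: When `ignore_dso_after_fs` is set, every guard in the loop now takes the else branch, which is outside the hunk; that branch has to both advance `start` and store a value the runtime treats as "not instrumented", otherwise the loop either spins or leaves stale guard IDs in the late-loaded library. A comment at the new condition stating that expectation, e.g. `/* with AFL_*_IGNORE_PROBLEMS_COVERAGE all guards of this DSO fall through to the disabled path */`, would make the contract visible. The `getenv` also runs on every call of this function, which is fine functionally but means the decision can differ between DSO loads if the environment changes; a `static` like `offset` would pin it. `__sanitizer_cov_trace_pc_guard_init` continues outside the hunk.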
From 21865c622483d2e2285de3dfad4626c28ca27843 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Tue, 25 Apr 2023 16:47:37 +0200
Subject: rename env to AFL_IGNORE_PROBLEMS_COVERAGE
---
docs/FAQ.md | 3 ++-
docs/env_variables.md | 3 ++-
include/envs.h | 1 +
instrumentation/afl-compiler-rt.o.c | 4 ++--
src/afl-fuzz.c | 2 ++
5 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/docs/FAQ.md b/docs/FAQ.md
index 4a9080f8..76350c79 100644
--- a/docs/FAQ.md
+++ b/docs/FAQ.md
@@ -229,7 +229,8 @@ If you find an interesting or important question missing, submit it via
If this is not a viable option, you can set `AFL_IGNORE_PROBLEMS=1` but then
the existing map will be used also for the newly loaded libraries, which
allows it to work, however, the efficiency of the fuzzing will be partially
- degraded.
+ degraded. Note that there is additionally `AFL_IGNORE_PROBLEMS_COVERAGE` to
+ additionally tell AFL++ to ignore any coverage from the late loaded libaries.
diff --git a/docs/env_variables.md b/docs/env_variables.md
index 087ccdb7..b1f23159 100644
--- a/docs/env_variables.md
+++ b/docs/env_variables.md
@@ -406,7 +406,8 @@ checks or alter some of the more exotic semantics of the tool:
- If afl-fuzz encounters an incorrect fuzzing setup during a fuzzing session
(not at startup), it will terminate. If you do not want this, then you can
- set `AFL_IGNORE_PROBLEMS`.
+ set `AFL_IGNORE_PROBLEMS`. If you additionally want to also ignore coverage
+ from late loaded libraries, you can set `AFL_IGNORE_PROBLEMS_COVERAGE`.
- When running in the `-M` or `-S` mode, setting `AFL_IMPORT_FIRST` causes the
fuzzer to import test cases from other instances before doing anything else.
diff --git a/include/envs.h b/include/envs.h
index 5e68c80b..fe5ee0e3 100644
--- a/include/envs.h
+++ b/include/envs.h
@@ -106,6 +106,7 @@ static char *afl_environment_variables[] = {
"AFL_HARDEN",
"AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES",
"AFL_IGNORE_PROBLEMS",
+ "AFL_IGNORE_PROBLEMS_COVERAGE",
"AFL_IGNORE_TIMEOUTS",
"AFL_IGNORE_UNKNOWN_ENVS",
"AFL_IMPORT_FIRST",
diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c
index 74506e4c..0912e52b 100644
--- a/instrumentation/afl-compiler-rt.o.c
+++ b/instrumentation/afl-compiler-rt.o.c
@@ -1565,13 +1565,13 @@ void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) {
"be able to fuzz them or LD_PRELOAD to run outside of afl-fuzz.\n"
"To ignore this set AFL_IGNORE_PROBLEMS=1 but this will lead to "
"ambiguous coverage data.\n"
- "In addition, you can set AFL_LLVM_IGNORE_PROBLEMS_COVERAGE=1 to "
+ "In addition, you can set AFL_IGNORE_PROBLEMS_COVERAGE=1 to "
"ignore the additional coverage instead (use with caution!).\n");
abort();
} else {
- u8 ignore_dso_after_fs = !!getenv("AFL_LLVM_IGNORE_PROBLEMS_COVERAGE");
+ u8 ignore_dso_after_fs = !!getenv("AFL_IGNORE_PROBLEMS_COVERAGE");
if (__afl_debug && ignore_dso_after_fs) {
fprintf(stderr, "Ignoring coverage from dynamically loaded code\n");
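Review bot: The rename at the two changed lines drops `AFL_LLVM_IGNORE_PROBLEMS_COVERAGE` without a transitional fallback, so a harness that still exports the old name silently loses the ignore-coverage behaviour and presumably ends up on the "ambiguous coverage data" path the message above warns about. Accepting both names for one release would make the change safe to roll out, e.g. `u8 ignore_dso_after_fs = !!getenv("AFL_IGNORE_PROBLEMS_COVERAGE") || !!getenv("AFL_LLVM_IGNORE_PROBLEMS_COVERAGE");`, with a one-line deprecation notice under the existing `__afl_debug` check when only the old name is set. The enclosing `__sanitizer_cov_trace_pc_guard_init` starts and continues outside the hunk.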
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index ebdbb3fa..c44144f5 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -259,6 +259,8 @@ static void usage(u8 *argv0, int more_help) {
"AFL_HANG_TMOUT: override timeout value (in milliseconds)\n"
"AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES: don't warn about core dump handlers\n"
"AFL_IGNORE_PROBLEMS: do not abort fuzzing if an incorrect setup is detected\n"
+ "AFL_IGNORE_PROBLEMS_COVERAGE: if set in addition to AFL_IGNORE_PROBLEMS - also\n
+ " ignore those libs for coverage\n"
"AFL_IGNORE_TIMEOUTS: do not process or save any timeouts\n"
"AFL_IGNORE_UNKNOWN_ENVS: don't warn on unknown env vars\n"
"AFL_IMPORT_FIRST: sync and import test cases from other fuzzer instances first\n"
--
From 74be9ab5ce61d5b561faf688c245143da1a0141e Mon Sep 17 00:00:00 2001
From: vH
Date: Fri, 28 Apr 2023 14:55:35 +0200
Subject: llvm 17 changes
---
instrumentation/SanitizerCoverageLTO.so.cc | 6 ++++--
instrumentation/SanitizerCoveragePCGUARD.so.cc | 2 +-
instrumentation/afl-llvm-common.h | 2 ++
instrumentation/afl-llvm-dict2file.so.cc | 4 +++-
instrumentation/cmplog-routines-pass.cc | 4 +++-
instrumentation/cmplog-switches-pass.cc | 4 +++-
6 files changed, 16 insertions(+), 6 deletions(-)
(limited to 'instrumentation')
diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc
index 42583f9e..e779bb79 100644
--- a/instrumentation/SanitizerCoverageLTO.so.cc
+++ b/instrumentation/SanitizerCoverageLTO.so.cc
@@ -19,8 +19,8 @@
#include "llvm/ADT/SmallVector.h"
#if LLVM_VERSION_MAJOR < 17
#include "llvm/ADT/Triple.h"
+ #include "llvm/Analysis/EHPersonalities.h"
#endif
-#include "llvm/Analysis/EHPersonalities.h"
#include "llvm/Analysis/PostDominators.h"
#include "llvm/Analysis/ValueTracking.h"
#include "llvm/IR/BasicBlock.h"
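Review bot: Moving `llvm/Analysis/EHPersonalities.h` under `LLVM_VERSION_MAJOR < 17` removes the include entirely for LLVM 17 and later, but does not include the header's new location; in LLVM 17 the declarations moved to `llvm/IR/EHPersonalities.h`. If this file still calls `classifyEHPersonality` or `isAsynchronousEHPersonality` (not visible in the hunk), the build on LLVM 17 then depends on a transitive include, so the guard should carry an `#else` branch: `#else`, `#include "llvm/IR/EHPersonalities.h"`, `#endif`. The same applies to the identical hunk in SanitizerCoveragePCGUARD.so.cc below.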
@@ -49,7 +49,9 @@
#include "llvm/Support/VirtualFileSystem.h"
#include "llvm/Support/raw_ostream.h"
#include "llvm/Transforms/Instrumentation.h"
-#include "llvm/Transforms/IPO/PassManagerBuilder.h"
+#if LLVM_VERSION_MAJOR < 17
+ #include "llvm/Transforms/IPO/PassManagerBuilder.h"
+#endif
#include "llvm/Transforms/Utils/BasicBlockUtils.h"
#include "llvm/Transforms/Utils/BasicBlockUtils.h"
#include "llvm/Transforms/Utils/ModuleUtils.h"
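Review bot: The context directly after the new `#endif` shows `llvm/Transforms/Utils/BasicBlockUtils.h` included twice in a row; since this commit is already reorganising the include block, dropping the duplicate line here would be a cheap cleanup. It is harmless because of the header's include guard, so this is style only.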
diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc
index 85b1ddd5..8be9e329 100644
--- a/instrumentation/SanitizerCoveragePCGUARD.so.cc
+++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc
@@ -15,8 +15,8 @@
#include "llvm/ADT/SmallVector.h"
#if LLVM_VERSION_MAJOR < 17
#include "llvm/ADT/Triple.h"
+ #include "llvm/Analysis/EHPersonalities.h"
#endif
-#include "llvm/Analysis/EHPersonalities.h"
#include "llvm/Analysis/PostDominators.h"
#include "llvm/IR/CFG.h"
#include "llvm/IR/Constant.h"
diff --git a/instrumentation/afl-llvm-common.h b/instrumentation/afl-llvm-common.h
index 16a13da5..c9324460 100644
--- a/instrumentation/afl-llvm-common.h
+++ b/instrumentation/afl-llvm-common.h
@@ -22,7 +22,9 @@ typedef long double max_align_t;
#include "llvm/IR/Module.h"
#include "llvm/Support/Debug.h"
#include "llvm/Support/MathExtras.h"
+#if LLVM_VERSION_MAJOR < 17
#include "llvm/Transforms/IPO/PassManagerBuilder.h"
+#endif
#if LLVM_VERSION_MAJOR > 3 || \
(LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4)
diff --git a/instrumentation/afl-llvm-dict2file.so.cc b/instrumentation/afl-llvm-dict2file.so.cc
index 97f1d47f..97155cd6 100644
--- a/instrumentation/afl-llvm-dict2file.so.cc
+++ b/instrumentation/afl-llvm-dict2file.so.cc
@@ -53,7 +53,9 @@
#include "llvm/IR/Verifier.h"
#include "llvm/Support/Debug.h"
#include "llvm/Support/raw_ostream.h"
-#include "llvm/Transforms/IPO/PassManagerBuilder.h"
+#if LLVM_VERSION_MAJOR < 17
+ #include "llvm/Transforms/IPO/PassManagerBuilder.h"
+#endif
#include "llvm/Transforms/Utils/BasicBlockUtils.h"
#include "llvm/Analysis/LoopInfo.h"
#include "llvm/Analysis/ValueTracking.h"
diff --git a/instrumentation/cmplog-routines-pass.cc b/instrumentation/cmplog-routines-pass.cc
index 0498156d..39db5aa4 100644
--- a/instrumentation/cmplog-routines-pass.cc
+++ b/instrumentation/cmplog-routines-pass.cc
@@ -38,7 +38,9 @@
#include "llvm/IR/Module.h"
#include "llvm/Support/Debug.h"
#include "llvm/Support/raw_ostream.h"
-#include "llvm/Transforms/IPO/PassManagerBuilder.h"
+#if LLVM_VERSION_MAJOR < 17
+ #include "llvm/Transforms/IPO/PassManagerBuilder.h"
+#endif
#include "llvm/Transforms/Utils/BasicBlockUtils.h"
#include "llvm/Pass.h"
#include "llvm/Analysis/ValueTracking.h"
diff --git a/instrumentation/cmplog-switches-pass.cc b/instrumentation/cmplog-switches-pass.cc
index cd0ae76d..38de669d 100644
--- a/instrumentation/cmplog-switches-pass.cc
+++ b/instrumentation/cmplog-switches-pass.cc
@@ -39,7 +39,9 @@
#include "llvm/IR/Module.h"
#include "llvm/Support/Debug.h"
#include "llvm/Support/raw_ostream.h"
-#include "llvm/Transforms/IPO/PassManagerBuilder.h"
+#if LLVM_VERSION_MAJOR < 17
+ #include "llvm/Transforms/IPO/PassManagerBuilder.h"
+#endif
#include "llvm/Transforms/Utils/BasicBlockUtils.h"
#include "llvm/Pass.h"
#include "llvm/Analysis/ValueTracking.h"
--