From 7a6867e2f8e8b698c08366f79d0c8751b09ce431 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 12 Aug 2020 16:06:30 +0200 Subject: split up __afl_manual_init, added internal AFL_DISABLE_LLVM_INSTRUMENTATION, skipping ctor+ifunc functions for all llvm, code-format --- llvm_mode/afl-llvm-common.cc | 195 +++++++++++++++++++++++++++++-------------- 1 file changed, 132 insertions(+), 63 deletions(-) (limited to 'llvm_mode/afl-llvm-common.cc') diff --git a/llvm_mode/afl-llvm-common.cc b/llvm_mode/afl-llvm-common.cc index 0b50c547..f12bbe31 100644 --- a/llvm_mode/afl-llvm-common.cc +++ b/llvm_mode/afl-llvm-common.cc @@ -67,8 +67,11 @@ bool isIgnoreFunction(const llvm::Function *F) { "__libc_csu", "__asan", "__msan", + "__cmplog", + "__sancov", "msan.", "LLVMFuzzer", + "__decide_deferred", "maybe_duplicate_stderr", "discard_output", "close_stdout", 
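Review bot: The three new entries `"__cmplog"`, `"__sancov"` and `"__decide_deferred"` join the ignore list with no comment saying what they are, and the matching rule of the list is not visible in this hunk, so a reader cannot tell whether `"__sancov"` is meant to skip only the AFL++ runtime helpers or any symbol that starts with that text. A one-line comment above the block, e.g. `// runtime / sanitizer-coverage helpers that must never be instrumented`, plus a note on whether entries are compared as prefixes, would save the next maintainer a lookup. The body of isIgnoreFunction starts before and ends after this hunk.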
@@ -253,21 +256,93 @@ void initInstrumentList() { } +void scanForDangerousFunctions(llvm::Module *M) { + + if (!M) return; + + for (GlobalIFunc &IF : M->ifuncs()) { + + StringRef ifunc_name = IF.getName(); + Constant *r = IF.getResolver(); + StringRef r_name = cast(r->getOperand(0))->getName(); + if (!be_quiet) + fprintf(stderr, + "Info: Found an ifunc with name %s that points to resolver " + "function %s, we will not instrument this, putting it into the " + "block list.\n", + ifunc_name.str().c_str(), r_name.str().c_str()); + denyListFunctions.push_back(r_name.str()); + + } + + GlobalVariable *GV = M->getNamedGlobal("llvm.global_ctors"); + if (GV && !GV->isDeclaration() && !GV->hasLocalLinkage()) { + + ConstantArray *InitList = dyn_cast(GV->getInitializer()); + + if (InitList) { + + for (unsigned i = 0, e = InitList->getNumOperands(); i != e; ++i) { + + if (ConstantStruct *CS = + dyn_cast(InitList->getOperand(i))) { + + if (CS->getNumOperands() >= 2) { + + if (CS->getOperand(1)->isNullValue()) + break; // Found a null terminator, stop here. + + ConstantInt *CI = dyn_cast(CS->getOperand(0)); + int Priority = CI ? CI->getSExtValue() : 0; + + Constant *FP = CS->getOperand(1); + if (ConstantExpr *CE = dyn_cast(FP)) + if (CE->isCast()) FP = CE->getOperand(0); + if (Function *F = dyn_cast(FP)) { + + if (!F->isDeclaration() && + strncmp(F->getName().str().c_str(), "__afl", 5) != 0) { + + if (!be_quiet) + fprintf(stderr, + "Info: Found constructor function %s with prio " + "%u, we will not instrument this, putting it into a " + "block list.\n", + F->getName().str().c_str(), Priority); + denyListFunctions.push_back(F->getName().str()); + + } + + } + + } + + } + + } + + } + + } + +} + bool isInInstrumentList(llvm::Function *F) { + bool return_default = true; + // is this a function with code? If it is external we dont instrument it // anyway and cant be in the the instrument file list. Or if it is ignored. 
if (!F->size() || isIgnoreFunction(F)) return false; - // if we do not have a the instrument file list return true - if (!allowListFiles.empty() || !allowListFunctions.empty()) { + if (!denyListFiles.empty() || !denyListFunctions.empty()) { - if (!allowListFunctions.empty()) { + if (!denyListFunctions.empty()) { std::string instFunction = F->getName().str(); - for (std::list::iterator it = allowListFunctions.begin(); - it != allowListFunctions.end(); ++it) { + for (std::list::iterator it = denyListFunctions.begin(); + it != denyListFunctions.end(); ++it) { /* We don't check for filename equality here because * filenames might actually be full paths. Instead we @@ -281,10 +356,10 @@ bool isInInstrumentList(llvm::Function *F) { if (debug) SAYF(cMGN "[D] " cRST - "Function %s is in the allow function list, " - "instrumenting ... \n", + "Function %s is in the deny function list, " + "not instrumenting ... \n", instFunction.c_str()); - return true; + return false; } @@ -294,7 +369,7 @@ bool isInInstrumentList(llvm::Function *F) { } - if (!allowListFiles.empty()) { + if (!denyListFiles.empty()) { // let's try to get the filename for the function auto bb = &F->getEntryBlock(); @@ -328,8 +403,8 @@ bool isInInstrumentList(llvm::Function *F) { /* Continue only if we know where we actually are */ if (!instFilename.str().empty()) { - for (std::list::iterator it = allowListFiles.begin(); - it != allowListFiles.end(); ++it) { + for (std::list::iterator it = denyListFiles.begin(); + it != denyListFiles.end(); ++it) { /* We don't check for filename equality here because * filenames might actually be full paths. Instead we @@ -344,10 +419,10 @@ bool isInInstrumentList(llvm::Function *F) { if (debug) SAYF(cMGN "[D] " cRST - "Function %s is in the allowlist (%s), " + "Function %s is in the denylist (%s), not " "instrumenting ... \n", F->getName().str().c_str(), instFilename.str().c_str()); - return true; + return false; } 
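Review bot: In scanForDangerousFunctions, `Constant *r = IF.getResolver();` is followed by `cast(r->getOperand(0))` (the template argument seems to have been lost in this rendering) without checking that the resolver constant has an operand at all; when the resolver is the resolver function itself rather than a cast expression wrapping it, operand 0 does not exist and the cast trips an assertion, or reads garbage in a release build. A guard such as `if (r->getNumOperands() == 0) continue;` before the cast, or handling a plain `Function` resolver directly, would make the ifunc scan robust. In the same function `int Priority` is printed with `%u`, so either declare it `unsigned` or print with `%d`, and `strncmp(F->getName().str().c_str(), "__afl", 5) != 0` can become `!F->getName().startswith("__afl")`, dropping two temporary std::string copies. The isInInstrumentList part of this hunk continues past the hunk end.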
@@ -359,8 +434,6 @@ bool isInInstrumentList(llvm::Function *F) { } - } - #else if (!Loc.isUnknown()) { @@ -373,8 +446,8 @@ bool isInInstrumentList(llvm::Function *F) { /* Continue only if we know where we actually are */ if (!instFilename.str().empty()) { - for (std::list::iterator it = allowListFiles.begin(); - it != allowListFiles.end(); ++it) { + for (std::list::iterator it = denyListFiles.begin(); + it != denyListFiles.end(); ++it) { /* We don't check for filename equality here because * filenames might actually be full paths. Instead we @@ -387,7 +460,7 @@ bool isInInstrumentList(llvm::Function *F) { if (fnmatch(("*" + *it).c_str(), instFilename.str().c_str(), 0) == 0) { - return true; + return false; } 
@@ -399,34 +472,34 @@ bool isInInstrumentList(llvm::Function *F) { } - } - #endif - else { + else { - // we could not find out the location. in this case we say it is not - // in the the instrument file list - if (!be_quiet) - WARNF( - "No debug information found for function %s, will not be " - "instrumented (recompile with -g -O[1-3]).", - F->getName().str().c_str()); - return false; + // we could not find out the location. in this case we say it is not + // in the the instrument file list + if (!be_quiet) + WARNF( + "No debug information found for function %s, will be " + "instrumented (recompile with -g -O[1-3]).", + F->getName().str().c_str()); - } + } - return false; + } } - if (!denyListFiles.empty() || !denyListFunctions.empty()) { + // if we do not have a the instrument file list return true + if (!allowListFiles.empty() || !allowListFunctions.empty()) { - if (!denyListFunctions.empty()) { + return_default = false; + + if (!allowListFunctions.empty()) { std::string instFunction = F->getName().str(); - for (std::list::iterator it = denyListFunctions.begin(); - it != denyListFunctions.end(); ++it) { + for (std::list::iterator it = allowListFunctions.begin(); + it != allowListFunctions.end(); ++it) { /* We don't check for filename equality here because * filenames might actually be full paths. Instead we @@ -440,10 +513,10 @@ bool isInInstrumentList(llvm::Function *F) { if (debug) SAYF(cMGN "[D] " cRST - "Function %s is in the deny function list, " - "not instrumenting ... \n", + "Function %s is in the allow function list, " + "instrumenting ... \n", instFunction.c_str()); - return false; + return true; } @@ -453,7 +526,7 @@ bool isInInstrumentList(llvm::Function *F) { } - if (!denyListFiles.empty()) { + if (!allowListFiles.empty()) { // let's try to get the filename for the function auto bb = &F->getEntryBlock(); 
@@ -487,8 +560,8 @@ bool isInInstrumentList(llvm::Function *F) { /* Continue only if we know where we actually are */ if (!instFilename.str().empty()) { - for (std::list::iterator it = denyListFiles.begin(); - it != denyListFiles.end(); ++it) { + for (std::list::iterator it = allowListFiles.begin(); + it != allowListFiles.end(); ++it) { /* We don't check for filename equality here because * filenames might actually be full paths. Instead we @@ -503,10 +576,10 @@ bool isInInstrumentList(llvm::Function *F) { if (debug) SAYF(cMGN "[D] " cRST - "Function %s is in the denylist (%s), not " + "Function %s is in the allowlist (%s), " "instrumenting ... \n", F->getName().str().c_str(), instFilename.str().c_str()); - return false; + return true; } @@ -518,22 +591,20 @@ bool isInInstrumentList(llvm::Function *F) { } - } - #else if (!Loc.isUnknown()) { DILocation cDILoc(Loc.getAsMDNode(F->getContext())); unsigned int instLine = cDILoc.getLineNumber(); - StringRef instFilename = cDILoc.getFilename(); + StringRef instFilename = cDILoc.getFilename(); (void)instLine; /* Continue only if we know where we actually are */ if (!instFilename.str().empty()) { - for (std::list::iterator it = denyListFiles.begin(); - it != denyListFiles.end(); ++it) { + for (std::list::iterator it = allowListFiles.begin(); + it != allowListFiles.end(); ++it) { /* We don't check for filename equality here because * filenames might actually be full paths. Instead we @@ -546,7 +617,7 @@ bool isInInstrumentList(llvm::Function *F) { if (fnmatch(("*" + *it).c_str(), instFilename.str().c_str(), 0) == 0) { - return false; + return true; } 
@@ -558,27 +629,25 @@ bool isInInstrumentList(llvm::Function *F) { } - } - #endif - else { + else { - // we could not find out the location. in this case we say it is not - // in the the instrument file list - if (!be_quiet) - WARNF( - "No debug information found for function %s, will be " - "instrumented (recompile with -g -O[1-3]).", - F->getName().str().c_str()); - return true; + // we could not find out the location. in this case we say it is not + // in the the instrument file list + if (!be_quiet) + WARNF( + "No debug information found for function %s, will not be " + "instrumented (recompile with -g -O[1-3]).", + F->getName().str().c_str()); + return false; - } + } - return true; + } } - return true; // not reached + return return_default; } -- cgit 1.4.1 From 47faf3dd33bb2335702fcbb67b3a64650c4344b3 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Thu, 13 Aug 2020 15:44:03 +0200 Subject: code review: fixed some typos --- llvm_mode/README.instrument_list.md | 18 +++++++++--------- llvm_mode/afl-llvm-common.cc | 12 ++++++------ llvm_mode/afl-llvm-rt.o.c | 4 ++-- 3 files changed, 17 insertions(+), 17 deletions(-) (limited to 'llvm_mode/afl-llvm-common.cc') diff --git a/llvm_mode/README.instrument_list.md b/llvm_mode/README.instrument_list.md index d4739dda..1fc06414 100644 --- a/llvm_mode/README.instrument_list.md +++ b/llvm_mode/README.instrument_list.md 
@@ -14,13 +14,13 @@ disturbance by uninteresting code being exercised. For this purpose, a "partial instrumentation" support en par with llvm sancov is provided by afl++ that allows you to specify on a source file and function -level which should be compiled with or without instrumentation. +level which function should be compiled with or without instrumentation. Note: When using PCGUARD mode - and have llvm 12+ - you can use this instead: https://clang.llvm.org/docs/SanitizerCoverage.html#partially-disabling-instrumentation -the llvm sancov list format is fully supported by afl++, however afl++ has -more flexbility. +The llvm sancov list format is fully supported by afl++, however afl++ has +more flexibility. ## 2) Building the LLVM module @@ -35,13 +35,13 @@ The only required change is that you need to set either the environment variable AFL_LLVM_ALLOWLIST or AFL_LLVM_DENYLIST set with a filename. That file then contains the filenames or functions that should be instrumented -(AFL_LLVM_ALLOWLIST) or should specifically NOT instrumentd (AFL_LLVM_DENYLIST). +(AFL_LLVM_ALLOWLIST) or should specifically NOT be instrumented (AFL_LLVM_DENYLIST). For matching, the function/filename that is being compiled must end in the -function/filename entry contained in this the instrument file list (to avoid +function/filename entry contained in this instrument file list (to avoid breaking the matching when absolute paths are used during compilation). -**NOTE:** In optimization functions might be inlined and then not match! +**NOTE:** In builds with optimization enabled functions might be inlined and would not match! For example if your source tree looks like this: ``` @@ -52,7 +52,7 @@ project/feature_b/b1.cpp project/feature_b/b2.cpp ``` -and you only want to test feature_a, then create a the instrument file list file containing: +and you only want to test feature_a, then create a instrument file list file containing: ``` feature_a/a1.cpp feature_a/a2.cpp 
@@ -69,7 +69,7 @@ exists somewhere else in the project directories. You can also specify function names. Note that for C++ the function names must be mangled to match! -afl++ is intelligent to identify if an entry is a filename or a function. +afl++ is able to identify if an entry is a filename or a function. However if you want to be sure (and compliant to the sancov allow/blocklist format), you can specify source file entries like this: ``` @@ -79,7 +79,7 @@ and function entries like this: ``` fun: MallocFoo ``` -Note that whitespace is ignored and comments (`# foo`) supported. +Note that whitespace is ignored and comments (`# foo`) are supported. ## 4) UNIX-style pattern matching You can add UNIX-style pattern matching in the the instrument file list entries. diff --git a/llvm_mode/afl-llvm-common.cc b/llvm_mode/afl-llvm-common.cc index f12bbe31..7a73a174 100644 --- a/llvm_mode/afl-llvm-common.cc +++ b/llvm_mode/afl-llvm-common.cc @@ -331,8 +331,8 @@ bool isInInstrumentList(llvm::Function *F) { bool return_default = true; - // is this a function with code? If it is external we dont instrument it - // anyway and cant be in the the instrument file list. Or if it is ignored. + // is this a function with code? If it is external we don't instrument it + // anyway and it can't be in the instrument file list. Or if it is it is ignored. if (!F->size() || isIgnoreFunction(F)) return false; if (!denyListFiles.empty() || !denyListFunctions.empty()) { @@ -476,7 +476,7 @@ bool isInInstrumentList(llvm::Function *F) { else { // we could not find out the location. in this case we say it is not - // in the the instrument file list + // in the instrument file list if (!be_quiet) WARNF( "No debug information found for function %s, will be " 
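Review bot: The rewritten comment `// anyway and it can't be in the instrument file list. Or if it is it is ignored.` doubles "it is", and the "fix for sancov" commit further down re-wraps the same line while keeping the duplication. The sentence it replaces meant that isIgnoreFunction also excludes the function, so `// anyway, and it can't be in the instrument file list. Or it is an ignored function.` reads correctly. isInInstrumentList starts before and ends after this hunk.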
@@ -489,7 +489,7 @@ bool isInInstrumentList(llvm::Function *F) { } - // if we do not have a the instrument file list return true + // if we do not have a instrument file list return true if (!allowListFiles.empty() || !allowListFunctions.empty()) { return_default = false; @@ -632,8 +632,8 @@ bool isInInstrumentList(llvm::Function *F) { #endif else { - // we could not find out the location. in this case we say it is not - // in the the instrument file list + // we could not find out the location. In this case we say it is not + // in the instrument file list if (!be_quiet) WARNF( "No debug information found for function %s, will not be " diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index dacc46a6..78e1c160 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c @@ -853,7 +853,7 @@ void __afl_manual_init(void) { if (getenv("AFL_DEBUG")) fprintf(stderr, - "DEBUG: disabled instrumenation because of " + "DEBUG: disabled instrumentation because of " "AFL_DISABLE_LLVM_INSTRUMENTATION\n"); } @@ -901,7 +901,7 @@ __attribute__((constructor(0))) void __afl_auto_early(void) { void __sanitizer_cov_trace_pc_guard(uint32_t *guard) { // For stability analysis, if you want to know to which function unstable - // edge IDs belong to - uncomment, recompile+install llvm_mode, recompile + // edge IDs belong - uncomment, recompile+install llvm_mode, recompile // the target. libunwind and libbacktrace are better solutions. // Set AFL_DEBUG_CHILD_OUTPUT=1 and run afl-fuzz with 2>file to capture // the backtrace output -- cgit 1.4.1 From 7f435ec5f11341dca4371a7954eee4e3ea83886e Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 13 Aug 2020 16:29:00 +0200 Subject: refactor get filename --- llvm_mode/afl-llvm-common.cc | 266 ++++++++++++++----------------------------- 1 file changed, 86 insertions(+), 180 deletions(-) (limited to 'llvm_mode/afl-llvm-common.cc') 
diff --git a/llvm_mode/afl-llvm-common.cc b/llvm_mode/afl-llvm-common.cc index 7a73a174..da01b094 100644 --- a/llvm_mode/afl-llvm-common.cc +++ b/llvm_mode/afl-llvm-common.cc @@ -327,6 +327,61 @@ void scanForDangerousFunctions(llvm::Module *M) { } +static std::string getSourceName(llvm::Function *F) { + + // let's try to get the filename for the function + auto bb = &F->getEntryBlock(); + BasicBlock::iterator IP = bb->getFirstInsertionPt(); + IRBuilder<> IRB(&(*IP)); + DebugLoc Loc = IP->getDebugLoc(); + +#if LLVM_VERSION_MAJOR >= 4 || \ + (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR >= 7) + if (Loc) { + + DILocation *cDILoc = dyn_cast(Loc.getAsMDNode()); + + unsigned int instLine = cDILoc->getLine(); + StringRef instFilename = cDILoc->getFilename(); + + if (instFilename.str().empty()) { + + /* If the original location is empty, try using the inlined location + */ + DILocation *oDILoc = cDILoc->getInlinedAt(); + if (oDILoc) { + + instFilename = oDILoc->getFilename(); + instLine = oDILoc->getLine(); + + } + + } + + return instFilename.str(); + + } + +#else + if (!Loc.isUnknown()) { + + DILocation cDILoc(Loc.getAsMDNode(F->getContext())); + + unsigned int instLine = cDILoc.getLineNumber(); + StringRef instFilename = cDILoc.getFilename(); + + (void)instLine; + /* Continue only if we know where we actually are */ + return instFilename.str(); + + } + +#endif + + return std::string(""); + +} + bool isInInstrumentList(llvm::Function *F) { bool return_default = true; 
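Review bot: getSourceName constructs `IRBuilder<> IRB(&(*IP));` and never uses it; the builder was needed in the instrumentation loop this code was lifted from, but a read-only lookup of the debug location needs only `IP->getDebugLoc()`, so the line can go. `DILocation *cDILoc = dyn_cast(Loc.getAsMDNode());` (template argument apparently lost in this rendering) is dereferenced on the next line with no null test; if the node is known to be a DILocation whenever `Loc` is true, `cast` states that precondition explicitly, otherwise guard with `if (!cDILoc) return std::string("");`. A header comment stating the contract would help both callers, e.g. `// File name from the debug location of F's entry-block insertion point (falling back to the inlined-at location); "" when no location is available.`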
@@ -371,60 +426,24 @@ bool isInInstrumentList(llvm::Function *F) { if (!denyListFiles.empty()) { - // let's try to get the filename for the function - auto bb = &F->getEntryBlock(); - BasicBlock::iterator IP = bb->getFirstInsertionPt(); - IRBuilder<> IRB(&(*IP)); - DebugLoc Loc = IP->getDebugLoc(); - -#if LLVM_VERSION_MAJOR >= 4 || \ - (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR >= 7) - if (Loc) { - - DILocation *cDILoc = dyn_cast(Loc.getAsMDNode()); - - unsigned int instLine = cDILoc->getLine(); - StringRef instFilename = cDILoc->getFilename(); - - if (instFilename.str().empty()) { - - /* If the original location is empty, try using the inlined location - */ - DILocation *oDILoc = cDILoc->getInlinedAt(); - if (oDILoc) { - - instFilename = oDILoc->getFilename(); - instLine = oDILoc->getLine(); - - } - - } - - /* Continue only if we know where we actually are */ - if (!instFilename.str().empty()) { + std::string source_file = getSourceName(F); - for (std::list::iterator it = denyListFiles.begin(); - it != denyListFiles.end(); ++it) { + if (!source_file.empty()) { - /* We don't check for filename equality here because - * filenames might actually be full paths. Instead we - * check that the actual filename ends in the filename - * specified in the list. We also allow UNIX-style pattern - * matching */ + for (std::list::iterator it = denyListFiles.begin(); + it != denyListFiles.end(); ++it) { - if (instFilename.str().length() >= it->length()) { + /* We don't check for filename equality here because + * filenames might actually be full paths. Instead we + * check that the actual filename ends in the filename + * specified in the list. We also allow UNIX-style pattern + * matching */ - if (fnmatch(("*" + *it).c_str(), instFilename.str().c_str(), 0) == - 0) { + if (source_file.length() >= it->length()) { - if (debug) - SAYF(cMGN "[D] " cRST - "Function %s is in the denylist (%s), not " - "instrumenting ... 
\n", - F->getName().str().c_str(), instFilename.str().c_str()); - return false; + if (fnmatch(("*" + *it).c_str(), source_file.c_str(), 0) == 0) { - } + return false; } @@ -432,48 +451,7 @@ bool isInInstrumentList(llvm::Function *F) { } - } - -#else - if (!Loc.isUnknown()) { - - DILocation cDILoc(Loc.getAsMDNode(F->getContext())); - - unsigned int instLine = cDILoc.getLineNumber(); - StringRef instFilename = cDILoc.getFilename(); - - (void)instLine; - /* Continue only if we know where we actually are */ - if (!instFilename.str().empty()) { - - for (std::list::iterator it = denyListFiles.begin(); - it != denyListFiles.end(); ++it) { - - /* We don't check for filename equality here because - * filenames might actually be full paths. Instead we - * check that the actual filename ends in the filename - * specified in the list. We also allow UNIX-style pattern - * matching */ - - if (instFilename.str().length() >= it->length()) { - - if (fnmatch(("*" + *it).c_str(), instFilename.str().c_str(), 0) == - 0) { - - return false; - - } - - } - - } - - } - - } - -#endif - else { + } else { // we could not find out the location. in this case we say it is not // in the instrument file list 
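Review bot: The deny-list file path lost its debug trace in this refactor: the removed lines printed `SAYF(... "Function %s is in the denylist (%s), not instrumenting ...")` under `if (debug)`, while the new match branch is just `if (fnmatch(("*" + *it).c_str(), source_file.c_str(), 0) == 0) { return false; }`; the allow-list path in the next hunk keeps its equivalent message. Restoring `if (debug) SAYF(cMGN "[D] " cRST "Function %s is in the denylist (%s), not instrumenting ... \n", F->getName().str().c_str(), source_file.c_str());` before the `return false;` keeps AFL_DEBUG output symmetric for both lists. isInInstrumentList starts before and ends after this hunk.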
@@ -528,60 +506,29 @@ bool isInInstrumentList(llvm::Function *F) { if (!allowListFiles.empty()) { - // let's try to get the filename for the function - auto bb = &F->getEntryBlock(); - BasicBlock::iterator IP = bb->getFirstInsertionPt(); - IRBuilder<> IRB(&(*IP)); - DebugLoc Loc = IP->getDebugLoc(); - -#if LLVM_VERSION_MAJOR >= 4 || \ - (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR >= 7) - if (Loc) { - - DILocation *cDILoc = dyn_cast(Loc.getAsMDNode()); - - unsigned int instLine = cDILoc->getLine(); - StringRef instFilename = cDILoc->getFilename(); - - if (instFilename.str().empty()) { - - /* If the original location is empty, try using the inlined location - */ - DILocation *oDILoc = cDILoc->getInlinedAt(); - if (oDILoc) { - - instFilename = oDILoc->getFilename(); - instLine = oDILoc->getLine(); - - } - - } + std::string source_file = getSourceName(F); - /* Continue only if we know where we actually are */ - if (!instFilename.str().empty()) { + if (!source_file.empty()) { - for (std::list::iterator it = allowListFiles.begin(); - it != allowListFiles.end(); ++it) { + for (std::list::iterator it = allowListFiles.begin(); + it != allowListFiles.end(); ++it) { - /* We don't check for filename equality here because - * filenames might actually be full paths. Instead we - * check that the actual filename ends in the filename - * specified in the list. We also allow UNIX-style pattern - * matching */ + /* We don't check for filename equality here because + * filenames might actually be full paths. Instead we + * check that the actual filename ends in the filename + * specified in the list. 
We also allow UNIX-style pattern + * matching */ - if (instFilename.str().length() >= it->length()) { + if (source_file.length() >= it->length()) { - if (fnmatch(("*" + *it).c_str(), instFilename.str().c_str(), 0) == - 0) { + if (fnmatch(("*" + *it).c_str(), source_file.c_str(), 0) == 0) { - if (debug) - SAYF(cMGN "[D] " cRST - "Function %s is in the allowlist (%s), " - "instrumenting ... \n", - F->getName().str().c_str(), instFilename.str().c_str()); - return true; - - } + if (debug) + SAYF(cMGN "[D] " cRST + "Function %s is in the allowlist (%s), " + "instrumenting ... \n", + F->getName().str().c_str(), source_file.c_str()); + return true; } @@ -589,48 +536,7 @@ bool isInInstrumentList(llvm::Function *F) { } - } - -#else - if (!Loc.isUnknown()) { - - DILocation cDILoc(Loc.getAsMDNode(F->getContext())); - - unsigned int instLine = cDILoc.getLineNumber(); - StringRef instFilename = cDILoc.getFilename(); - - (void)instLine; - /* Continue only if we know where we actually are */ - if (!instFilename.str().empty()) { - - for (std::list::iterator it = allowListFiles.begin(); - it != allowListFiles.end(); ++it) { - - /* We don't check for filename equality here because - * filenames might actually be full paths. Instead we - * check that the actual filename ends in the filename - * specified in the list. We also allow UNIX-style pattern - * matching */ - - if (instFilename.str().length() >= it->length()) { - - if (fnmatch(("*" + *it).c_str(), instFilename.str().c_str(), 0) == - 0) { - - return true; - - } - - } - - } - - } - - } - -#endif - else { + } else { // we could not find out the location. In this case we say it is not // in the instrument file list -- cgit 1.4.1 From 8e984c2aa0100e6244fe6f215c88dd8b3bf3abc2 Mon Sep 17 00:00:00 2001 
From: van Hauser Date: Thu, 13 Aug 2020 18:24:36 +0200 Subject: fix for sancov --- llvm_mode/afl-llvm-common.cc | 3 ++- llvm_mode/afl-llvm-rt.o.c | 4 +++- 2 files changed, 5 insertions(+), 2 deletions(-) (limited to 'llvm_mode/afl-llvm-common.cc') diff --git a/llvm_mode/afl-llvm-common.cc b/llvm_mode/afl-llvm-common.cc index da01b094..4b864cf7 100644 --- a/llvm_mode/afl-llvm-common.cc +++ b/llvm_mode/afl-llvm-common.cc @@ -387,7 +387,8 @@ bool isInInstrumentList(llvm::Function *F) { bool return_default = true; // is this a function with code? If it is external we don't instrument it - // anyway and it can't be in the instrument file list. Or if it is it is ignored. + // anyway and it can't be in the instrument file list. Or if it is it is + // ignored. if (!F->size() || isIgnoreFunction(F)) return false; if (!denyListFiles.empty() || !denyListFunctions.empty()) { diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index 78e1c160..99012ee1 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c @@ -64,6 +64,8 @@ #endif #endif +#define CTOR_PRIO 3 + #include #include @@ -881,7 +883,7 @@ __attribute__((constructor())) void __afl_auto_init(void) { /* Initialization of the shmem - earliest possible because of LTO fixed mem. */ -__attribute__((constructor(0))) void __afl_auto_early(void) { +__attribute__((constructor(CTOR_PRIO))) void __afl_auto_early(void) { if (getenv("AFL_DISABLE_LLVM_INSTRUMENTATION")) return; -- cgit 1.4.1 From b5d1a021efaede5e084418fe552330590ee43641 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 13 Aug 2020 22:34:11 +0200 Subject: fix llvm and afl-showmap --- docs/Changelog.md | 1 + llvm_mode/LLVMInsTrim.so.cc | 2 +- llvm_mode/afl-clang-fast.c | 4 ++++ llvm_mode/afl-llvm-common.cc | 4 ++++ llvm_mode/afl-llvm-pass.so.cc | 2 +- src/afl-showmap.c | 2 +- 6 files changed, 12 insertions(+), 3 deletions(-) (limited to 'llvm_mode/afl-llvm-common.cc') 
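Review bot: `#define CTOR_PRIO 3` records no reason for moving `__afl_auto_early` from priority 0 to 3, and the commit title ("fix for sancov") is the only hint, so the next person touching the file has nothing to stop them "simplifying" it back. A comment at the define naming the ordering requirement the value encodes (what must run after `__afl_auto_early` and why 0 broke that) would fix this. It is also worth stating in that comment that the value is deliberate: GCC documents constructor priorities 0–100 as reserved for the implementation and newer releases warn on them.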
diff --git a/docs/Changelog.md b/docs/Changelog.md index 2c57448b..5044dce5 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -29,6 +29,7 @@ sending a mail to . - added neverzero counting to trace-pc/pcgard - fixes for laf-intel float splitting (thanks to mark-griffin for reporting) + - fixes for llvm 4.0 - skipping ctors and ifuncs for instrumentation - LTO: switch default to the dynamic memory map, set AFL_LLVM_MAP_ADDR for a fixed map address (eg. 0x10000) diff --git a/llvm_mode/LLVMInsTrim.so.cc b/llvm_mode/LLVMInsTrim.so.cc index 2ad7f171..9812b804 100644 --- a/llvm_mode/LLVMInsTrim.so.cc +++ b/llvm_mode/LLVMInsTrim.so.cc @@ -94,7 +94,7 @@ struct InsTrim : public ModulePass { } -#if LLVM_VERSION_MAJOR >= 4 || \ +#if LLVM_VERSION_MAJOR > 4 || \ (LLVM_VERSION_MAJOR == 4 && LLVM_VERSION_PATCH >= 1) #define AFL_HAVE_VECTOR_INTRINSICS 1 #endif diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c index 10cb3fa3..0597ba17 100644 --- a/llvm_mode/afl-clang-fast.c +++ b/llvm_mode/afl-clang-fast.c @@ -371,8 +371,12 @@ static void edit_params(u32 argc, char **argv, char **envp) { if (instrument_mode == INSTRUMENT_PCGUARD) { +#if LLVM_VERSION_MAJOR >= 4 cc_params[cc_par_cnt++] = "-fsanitize-coverage=trace-pc-guard"; // edge coverage by default +#else + FATAL("pcguard instrumentation requires llvm 4.0.1+"); +#endif } else { diff --git a/llvm_mode/afl-llvm-common.cc b/llvm_mode/afl-llvm-common.cc index 4b864cf7..4a94ae89 100644 --- a/llvm_mode/afl-llvm-common.cc +++ b/llvm_mode/afl-llvm-common.cc @@ -260,6 +260,8 @@ void scanForDangerousFunctions(llvm::Module *M) { if (!M) return; +#if LLVM_VERSION_MAJOR >= 4 + for (GlobalIFunc &IF : M->ifuncs()) { StringRef ifunc_name = IF.getName(); @@ -325,6 +327,8 @@ void scanForDangerousFunctions(llvm::Module *M) { } +#endif + } static std::string getSourceName(llvm::Function *F) { diff --git a/llvm_mode/afl-llvm-pass.so.cc b/llvm_mode/afl-llvm-pass.so.cc index 2ea9fd84..92823187 100644 
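Review bot: The new guard `#if LLVM_VERSION_MAJOR > 4 || (LLVM_VERSION_MAJOR == 4 && LLVM_VERSION_PATCH >= 1)` keys only on the patch number within the 4.x series, so a hypothetical 4.1.0 (MINOR 1, PATCH 0) would be excluded; the identical expression appears in the afl-llvm-pass.so.cc hunk of this commit. The later "fixes lots of llvm warnings" commit spells the same test in afl-clang-fast.c as `(LLVM_VERSION_MAJOR == 4 && (LLVM_VERSION_MINOR > 0 || LLVM_VERSION_PATCH >= 1))`, and the three sites should agree. The InsTrim struct this hunk sits in starts before and ends after it.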
--- a/llvm_mode/afl-llvm-pass.so.cc +++ b/llvm_mode/afl-llvm-pass.so.cc @@ -112,7 +112,7 @@ uint64_t PowerOf2Ceil(unsigned in) { #endif /* #if LLVM_VERSION_STRING >= "4.0.1" */ -#if LLVM_VERSION_MAJOR >= 4 || \ +#if LLVM_VERSION_MAJOR > 4 || \ (LLVM_VERSION_MAJOR == 4 && LLVM_VERSION_PATCH >= 1) #define AFL_HAVE_VECTOR_INTRINSICS 1 #endif diff --git a/src/afl-showmap.c b/src/afl-showmap.c index fa9eedc4..47c615d8 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -963,7 +963,7 @@ int main(int argc, char **argv_orig, char **envp) { // if a queue subdirectory exists switch to that u8 *dn = alloc_printf("%s/queue", in_dir); - if ((dir_in = opendir(in_dir))) { + if ((dir_in = opendir(dn)) != NULL) { closedir(dir_in); in_dir = dn; -- cgit 1.4.1 From 5f0a9c90c83b2fc9cdd8bc583e9843c9bd9d9ecb Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 14 Aug 2020 12:06:00 +0200 Subject: fixes lots of llvm warnings --- llvm_mode/GNUmakefile | 2 +- llvm_mode/LLVMInsTrim.so.cc | 4 ++-- llvm_mode/afl-clang-fast.c | 4 +++- llvm_mode/afl-ld-lto.c | 2 +- llvm_mode/afl-llvm-common.cc | 17 +++++------------ llvm_mode/afl-llvm-lto-instrumentation.so.cc | 2 +- llvm_mode/afl-llvm-pass.so.cc | 6 +++--- llvm_mode/compare-transform-pass.so.cc | 5 ----- 8 files changed, 16 insertions(+), 26 deletions(-) (limited to 'llvm_mode/afl-llvm-common.cc') diff --git a/llvm_mode/GNUmakefile b/llvm_mode/GNUmakefile index 5a5f6b4a..fb4e8537 100644 --- a/llvm_mode/GNUmakefile +++ b/llvm_mode/GNUmakefile @@ -241,7 +241,7 @@ endif ifneq "$(LLVM_CONFIG)" "" CLANG_CFL += -I$(shell dirname $(LLVM_CONFIG))/../include endif -CLANG_CPPFL = `$(LLVM_CONFIG) --cxxflags` -fno-rtti -fPIC $(CXXFLAGS) +CLANG_CPPFL = `$(LLVM_CONFIG) --cxxflags` -fno-rtti -fPIC $(CXXFLAGS) -Wno-deprecated-declarations CLANG_LFL = `$(LLVM_CONFIG) --ldflags` $(LDFLAGS) diff --git a/llvm_mode/LLVMInsTrim.so.cc b/llvm_mode/LLVMInsTrim.so.cc index 9812b804..206e2682 100644 --- a/llvm_mode/LLVMInsTrim.so.cc +++ b/llvm_mode/LLVMInsTrim.so.cc 
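Review bot: After `if ((dir_in = opendir(dn)) != NULL)` there is no visible release of `dn` on the failure branch; `dn` comes from `alloc_printf`, so unless code after this hunk frees it, the buffer leaks whenever no queue subdirectory exists. A one-shot leak in main is cosmetic, but an `else ck_free(dn);` keeps the ownership clear. main starts before and ends after this hunk.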
@@ -144,7 +144,7 @@ struct InsTrim : public ModulePass { #ifdef AFL_HAVE_VECTOR_INTRINSICS unsigned int ngram_size = 0; /* Decide previous location vector size (must be a power of two) */ - VectorType *PrevLocTy; + VectorType *PrevLocTy = NULL; if (ngram_size_str) if (sscanf(ngram_size_str, "%u", &ngram_size) != 1 || ngram_size < 2 || @@ -194,7 +194,7 @@ struct InsTrim : public ModulePass { new GlobalVariable(M, PointerType::get(Int8Ty, 0), false, GlobalValue::ExternalLinkage, 0, "__afl_area_ptr"); GlobalVariable *AFLPrevLoc; - GlobalVariable *AFLContext; + GlobalVariable *AFLContext = NULL; LoadInst * PrevCtx = NULL; // for CTX sensitive coverage if (ctx_str) diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c index 6e8e4a1b..20b0de17 100644 --- a/llvm_mode/afl-clang-fast.c +++ b/llvm_mode/afl-clang-fast.c @@ -379,7 +379,9 @@ static void edit_params(u32 argc, char **argv, char **envp) { if (instrument_mode == INSTRUMENT_PCGUARD) { -#if LLVM_VERSION_MAJOR >= 4 +#if LLVM_VERSION_MAJOR > 4 || \ + (LLVM_VERSION_MAJOR == 4 && \ + (LLVM_VERSION_MINOR > 0 || LLVM_VERSION_PATCH >= 1)) cc_params[cc_par_cnt++] = "-fsanitize-coverage=trace-pc-guard"; // edge coverage by default #else diff --git a/llvm_mode/afl-ld-lto.c b/llvm_mode/afl-ld-lto.c index 1b59bb4a..771e2d0d 100644 --- a/llvm_mode/afl-ld-lto.c +++ b/llvm_mode/afl-ld-lto.c @@ -278,7 +278,7 @@ int main(int argc, char **argv) { if (debug) { - (void)getcwd(thecwd, sizeof(thecwd)); + if (getcwd(thecwd, sizeof(thecwd)) != 0) strcpy(thecwd, "."); SAYF(cMGN "[D] " cRST "cd \"%s\";", thecwd); for (i = 0; i < argc; i++) diff --git a/llvm_mode/afl-llvm-common.cc b/llvm_mode/afl-llvm-common.cc index 4a94ae89..d9e63bd3 100644 --- a/llvm_mode/afl-llvm-common.cc +++ b/llvm_mode/afl-llvm-common.cc 
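Review bot: `if (getcwd(thecwd, sizeof(thecwd)) != 0) strcpy(thecwd, ".");` inverts the condition: getcwd returns the buffer on success and NULL on failure, so this overwrites a successfully read directory with "." and leaves `thecwd` untouched — possibly uninitialized — in exactly the failure case the change was meant to handle. The test should read `if (getcwd(thecwd, sizeof(thecwd)) == NULL) strcpy(thecwd, ".");`. main starts before and ends after this hunk.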
@@ -260,7 +260,8 @@ void scanForDangerousFunctions(llvm::Module *M) { if (!M) return; -#if LLVM_VERSION_MAJOR >= 4 +#if LLVM_VERSION_MAJOR > 3 || \ + (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR >= 9) for (GlobalIFunc &IF : M->ifuncs()) { @@ -345,20 +346,14 @@ static std::string getSourceName(llvm::Function *F) { DILocation *cDILoc = dyn_cast(Loc.getAsMDNode()); - unsigned int instLine = cDILoc->getLine(); - StringRef instFilename = cDILoc->getFilename(); + StringRef instFilename = cDILoc->getFilename(); if (instFilename.str().empty()) { /* If the original location is empty, try using the inlined location */ DILocation *oDILoc = cDILoc->getInlinedAt(); - if (oDILoc) { - - instFilename = oDILoc->getFilename(); - instLine = oDILoc->getLine(); - - } + if (oDILoc) { instFilename = oDILoc->getFilename(); } } @@ -371,10 +366,8 @@ static std::string getSourceName(llvm::Function *F) { DILocation cDILoc(Loc.getAsMDNode(F->getContext())); - unsigned int instLine = cDILoc.getLineNumber(); - StringRef instFilename = cDILoc.getFilename(); + StringRef instFilename = cDILoc.getFilename(); - (void)instLine; /* Continue only if we know where we actually are */ return instFilename.str(); diff --git a/llvm_mode/afl-llvm-lto-instrumentation.so.cc b/llvm_mode/afl-llvm-lto-instrumentation.so.cc index 13c4f775..a4caf77b 100644 --- a/llvm_mode/afl-llvm-lto-instrumentation.so.cc +++ b/llvm_mode/afl-llvm-lto-instrumentation.so.cc @@ -596,7 +596,7 @@ bool AFLLTOPass::runOnModule(Module &M) { do { --i; - BasicBlock * newBB; + BasicBlock * newBB = NULL; BasicBlock * origBB = &(*InsBlocks[i]); std::vector Successors; Instruction * TI = origBB->getTerminator(); diff --git a/llvm_mode/afl-llvm-pass.so.cc b/llvm_mode/afl-llvm-pass.so.cc index 92823187..a791d720 100644 --- a/llvm_mode/afl-llvm-pass.so.cc +++ b/llvm_mode/afl-llvm-pass.so.cc 
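Review bot: With `instLine` gone, the `#else` branch of getSourceName still carries `/* Continue only if we know where we actually are */` directly above an unconditional `return instFilename.str();`, so the comment now describes a check that the callers perform (`if (!source_file.empty())`), not this line. Drop it or replace it with `/* may be ""; callers treat that as "location unknown" */`. getSourceName starts before this hunk.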
@@ -194,7 +194,7 @@ bool AFLCoverage::runOnModule(Module &M) { #ifdef AFL_HAVE_VECTOR_INTRINSICS /* Decide previous location vector size (must be a power of two) */ - VectorType *PrevLocTy; + VectorType *PrevLocTy = NULL; if (ngram_size_str) if (sscanf(ngram_size_str, "%u", &ngram_size) != 1 || ngram_size < 2 || @@ -236,7 +236,7 @@ bool AFLCoverage::runOnModule(Module &M) { new GlobalVariable(M, PointerType::get(Int8Ty, 0), false, GlobalValue::ExternalLinkage, 0, "__afl_area_ptr"); GlobalVariable *AFLPrevLoc; - GlobalVariable *AFLContext; + GlobalVariable *AFLContext = NULL; if (ctx_str) #ifdef __ANDROID__ @@ -292,7 +292,7 @@ bool AFLCoverage::runOnModule(Module &M) { ConstantInt *Zero = ConstantInt::get(Int8Ty, 0); ConstantInt *One = ConstantInt::get(Int8Ty, 1); - LoadInst *PrevCtx; // CTX sensitive coverage + LoadInst *PrevCtx = NULL; // CTX sensitive coverage /* Instrument all the things! */ diff --git a/llvm_mode/compare-transform-pass.so.cc b/llvm_mode/compare-transform-pass.so.cc index c3bb7f10..acdd0f3b 100644 --- a/llvm_mode/compare-transform-pass.so.cc +++ b/llvm_mode/compare-transform-pass.so.cc @@ -137,7 +137,6 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp, bool isStrcasecmp = processStrcasecmp; bool isStrncasecmp = processStrncasecmp; bool isIntMemcpy = true; - bool indirect = false; Function *Callee = callInst->getCalledFunction(); if (!Callee) continue; @@ -264,8 +263,6 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp, } - if ((HasStr1 || HasStr2)) indirect = true; - } if (isIntMemcpy) continue; @@ -278,7 +275,6 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp, Str1 = StringRef(*val); HasStr1 = true; - indirect = true; // fprintf(stderr, "loaded1 %s\n", Str1.str().c_str()); } else { 
@@ -288,7 +284,6 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp, Str2 = StringRef(*val); HasStr2 = true; - indirect = true; // fprintf(stderr, "loaded2 %s\n", Str2.str().c_str()); } -- cgit 1.4.1