From b126a5d5a8d90dcc10ccb890b379c3dfdc5cf8d4 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sun, 12 Jul 2020 13:44:25 +0200 Subject: LTO: autodict default, instrim disabled --- llvm_mode/afl-llvm-lto-instrim.so.cc | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) (limited to 'llvm_mode/afl-llvm-lto-instrim.so.cc') diff --git a/llvm_mode/afl-llvm-lto-instrim.so.cc b/llvm_mode/afl-llvm-lto-instrim.so.cc index ca2b5886..880963ac 100644 --- a/llvm_mode/afl-llvm-lto-instrim.so.cc +++ b/llvm_mode/afl-llvm-lto-instrim.so.cc @@ -73,7 +73,7 @@ struct InsTrimLTO : public ModulePass { protected: uint32_t function_minimum_size = 1; char * skip_nozero = NULL; - int afl_global_id = 1, debug = 0, autodictionary = 0; + int afl_global_id = 1, debug = 0, autodictionary = 1; uint32_t be_quiet = 0, inst_blocks = 0, inst_funcs = 0; uint64_t map_addr = 0x10000; @@ -127,10 +127,6 @@ struct InsTrimLTO : public ModulePass { /* Process environment variables */ - if (getenv("AFL_LLVM_AUTODICTIONARY") || - getenv("AFL_LLVM_LTO_AUTODICTIONARY")) - autodictionary = 1; - if (getenv("AFL_LLVM_MAP_DYNAMIC")) map_addr = 0; if ((ptr = getenv("AFL_LLVM_MAP_ADDR"))) { -- cgit 1.4.1 From b708cf7d45edd0297ff47b89dd95dcf5e3664a40 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sat, 1 Aug 2020 19:43:29 +0200 Subject: fix lto single block and no zero --- docs/Changelog.md | 2 ++ examples/persistent_demo/persistent_demo_new.c | 9 +++++--- llvm_mode/afl-clang-fast.c | 13 ++++++----- llvm_mode/afl-llvm-lto-instrim.so.cc | 2 +- llvm_mode/afl-llvm-lto-instrumentation.so.cc | 30 ++++++++++++++++++-------- 5 files changed, 36 insertions(+), 20 deletions(-) (limited to 'llvm_mode/afl-llvm-lto-instrim.so.cc') diff --git a/docs/Changelog.md b/docs/Changelog.md index 14d00a43..8ab3fdf4 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -28,6 +28,8 @@ sending a mail to . as it is always better - LTO: env var AFL_LLVM_DOCUMENT_IDS=file will document which edge ID was given to which function during compilation + - LTO: single block functions were not implemented by default, fixed + - LTO: AFL_LLVM_SKIP_NEVERZERO behaviour was inversed, fixed - setting AFL_LLVM_LAF_SPLIT_FLOATS now activates AFL_LLVM_LAF_SPLIT_COMPARES - added honggfuzz mangle as a custom mutator in custom_mutators/honggfuzz diff --git a/examples/persistent_demo/persistent_demo_new.c b/examples/persistent_demo/persistent_demo_new.c index 86b19fa8..5f347667 100644 --- a/examples/persistent_demo/persistent_demo_new.c +++ b/examples/persistent_demo/persistent_demo_new.c @@ -30,13 +30,16 @@ /* this lets the source compile without afl-clang-fast/lto */ #ifndef __AFL_FUZZ_TESTCASE_LEN - ssize_t fuzz_len; - #define __AFL_FUZZ_TESTCASE_LEN fuzz_len + + ssize_t fuzz_len; unsigned char fuzz_buf[1024000]; + + #define __AFL_FUZZ_TESTCASE_LEN fuzz_len #define __AFL_FUZZ_TESTCASE_BUF fuzz_buf #define __AFL_FUZZ_INIT() void sync(void); #define __AFL_LOOP(x) ((fuzz_len = read(0, fuzz_buf, sizeof(fuzz_buf))) > 0 ? - #define __AFL_INIT() sync() + #define __AFL_INIT() sync() + #endif __AFL_FUZZ_INIT(); diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c index b819b43a..57330395 100644 --- a/llvm_mode/afl-clang-fast.c +++ b/llvm_mode/afl-clang-fast.c @@ -162,7 +162,7 @@ static void find_obj(u8 *argv0) { static void edit_params(u32 argc, char **argv, char **envp) { u8 fortify_set = 0, asan_set = 0, x_set = 0, bit_mode = 0; - u8 have_pic = 0, have_s = 0, have_c = 0, have_shared = 0; + u8 have_pic = 0; u8 *name; cc_params = ck_alloc((argc + 128) * sizeof(u8 *)); @@ -369,15 +369,11 @@ static void edit_params(u32 argc, char **argv, char **envp) { for (idx = 1; idx < argc; idx++) { - if (!strncmp(argv[idx], "-shared", 7)) have_shared = 1; - if (!strcmp(argv[idx], "-S")) have_s = 1; - if (!strcmp(argv[idx], "-c")) have_c = 1; if (!strncasecmp(argv[idx], "-fpic", 5)) have_pic = 1; } if (!have_pic) cc_params[cc_par_cnt++] = "-fPIC"; - // if (!have_shared && (have_s || have_c)) cc_params[cc_par_cnt++] = "-shared"; } @@ -527,9 +523,12 @@ static void edit_params(u32 argc, char **argv, char **envp) { "unsigned char __afl_fuzz_alt[1024000];" "unsigned char *__afl_fuzz_alt_ptr = __afl_fuzz_alt;"; cc_params[cc_par_cnt++] = - "-D__AFL_FUZZ_TESTCASE_BUF=(__afl_fuzz_ptr ? __afl_fuzz_ptr : __afl_fuzz_alt_ptr)"; + "-D__AFL_FUZZ_TESTCASE_BUF=(__afl_fuzz_ptr ? __afl_fuzz_ptr : " + "__afl_fuzz_alt_ptr)"; cc_params[cc_par_cnt++] = - "-D__AFL_FUZZ_TESTCASE_LEN=(__afl_fuzz_ptr ? *__afl_fuzz_len : (*__afl_fuzz_len = read(0, __afl_fuzz_alt_ptr, 1024000)) == 0xffffffff ? 0 : *__afl_fuzz_len)"; + "-D__AFL_FUZZ_TESTCASE_LEN=(__afl_fuzz_ptr ? *__afl_fuzz_len : " + "(*__afl_fuzz_len = read(0, __afl_fuzz_alt_ptr, 1024000)) == 0xffffffff " + "? 0 : *__afl_fuzz_len)"; cc_params[cc_par_cnt++] = "-D__AFL_LOOP(_A)=" diff --git a/llvm_mode/afl-llvm-lto-instrim.so.cc b/llvm_mode/afl-llvm-lto-instrim.so.cc index 880963ac..dba98777 100644 --- a/llvm_mode/afl-llvm-lto-instrim.so.cc +++ b/llvm_mode/afl-llvm-lto-instrim.so.cc @@ -701,7 +701,7 @@ struct InsTrimLTO : public ModulePass { Value *Incr = IRB.CreateAdd(Counter, One); - if (skip_nozero) { + if (skip_nozero == NULL) { auto cf = IRB.CreateICmpEQ(Incr, Zero); auto carry = IRB.CreateZExt(cf, Int8Ty); diff --git a/llvm_mode/afl-llvm-lto-instrumentation.so.cc b/llvm_mode/afl-llvm-lto-instrumentation.so.cc index 46a97e54..430cb0ad 100644 --- a/llvm_mode/afl-llvm-lto-instrumentation.so.cc +++ b/llvm_mode/afl-llvm-lto-instrumentation.so.cc @@ -130,9 +130,7 @@ bool AFLLTOPass::runOnModule(Module &M) { if (getenv("AFL_LLVM_MAP_DYNAMIC")) map_addr = 0; - if (getenv("AFL_LLVM_INSTRIM_SKIPSINGLEBLOCK") || - getenv("AFL_LLVM_SKIPSINGLEBLOCK")) - function_minimum_size = 2; + if (getenv("AFL_LLVM_SKIPSINGLEBLOCK")) function_minimum_size = 2; if ((ptr = getenv("AFL_LLVM_MAP_ADDR"))) { @@ -540,6 +538,8 @@ bool AFLLTOPass::runOnModule(Module &M) { uint32_t succ = 0; + if (F.size() == 1) InsBlocks.push_back(&BB); + for (succ_iterator SI = succ_begin(&BB), SE = succ_end(&BB); SI != SE; ++SI) if ((*SI)->size() > 0) succ++; @@ -558,9 +558,12 @@ bool AFLLTOPass::runOnModule(Module &M) { do { --i; + BasicBlock * newBB; BasicBlock * origBB = &(*InsBlocks[i]); std::vector Successors; Instruction * TI = origBB->getTerminator(); + uint32_t fs = origBB->getParent()->size(); + uint32_t countto; for (succ_iterator SI = succ_begin(origBB), SE = succ_end(origBB); SI != SE; ++SI) { @@ -570,15 +573,25 @@ bool AFLLTOPass::runOnModule(Module &M) { } - if (TI == NULL || TI->getNumSuccessors() < 2) continue; + if (fs == 1) { + + newBB = origBB; + countto = 1; + + } else { + + if (TI == NULL || TI->getNumSuccessors() < 2) continue; + countto = Successors.size(); + + } // if (Successors.size() != TI->getNumSuccessors()) // FATAL("Different successor numbers %lu <-> %u\n", Successors.size(), // TI->getNumSuccessors()); - for (uint32_t j = 0; j < Successors.size(); j++) { + for (uint32_t j = 0; j < countto; j++) { - BasicBlock *newBB = llvm::SplitEdge(origBB, Successors[j]); + if (fs != 1) newBB = llvm::SplitEdge(origBB, Successors[j]); if (!newBB) { @@ -589,8 +602,7 @@ bool AFLLTOPass::runOnModule(Module &M) { if (documentFile) { - fprintf(documentFile, "%s %u\n", - origBB->getParent()->getName().str().c_str(), + fprintf(documentFile, "%s %u\n", F.getName().str().c_str(), afl_global_id); } @@ -627,7 +639,7 @@ bool AFLLTOPass::runOnModule(Module &M) { Value *Incr = IRB.CreateAdd(Counter, One); - if (skip_nozero) { + if (skip_nozero == NULL) { auto cf = IRB.CreateICmpEQ(Incr, Zero); auto carry = IRB.CreateZExt(cf, Int8Ty); -- cgit 1.4.1 From 1cddd51662865ee407dcc93d6f1ef8ce443585a1 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sun, 2 Aug 2020 22:28:16 +0200 Subject: refactoring debug/be_quiet, fatal on dont_optimize and instrument_file --- llvm_mode/LLVMInsTrim.so.cc | 2 -- llvm_mode/afl-clang-fast.c | 4 ++++ llvm_mode/afl-llvm-common.cc | 20 ++++++++++++++++---- llvm_mode/afl-llvm-common.h | 9 +++++++++ llvm_mode/afl-llvm-lto-instrim.so.cc | 4 ++-- llvm_mode/afl-llvm-lto-instrumentation.so.cc | 7 ++++--- llvm_mode/afl-llvm-lto-instrumentlist.so.cc | 8 ++++---- llvm_mode/afl-llvm-pass.so.cc | 2 -- llvm_mode/cmplog-instructions-pass.cc | 3 --- llvm_mode/cmplog-routines-pass.cc | 3 --- llvm_mode/compare-transform-pass.so.cc | 3 --- llvm_mode/split-compares-pass.so.cc | 3 --- llvm_mode/split-switches-pass.so.cc | 3 --- 13 files changed, 39 insertions(+), 32 deletions(-) (limited to 'llvm_mode/afl-llvm-lto-instrim.so.cc') diff --git a/llvm_mode/LLVMInsTrim.so.cc b/llvm_mode/LLVMInsTrim.so.cc index 75548266..4d8c4719 100644 --- a/llvm_mode/LLVMInsTrim.so.cc +++ b/llvm_mode/LLVMInsTrim.so.cc @@ -56,7 +56,6 @@ struct InsTrim : public ModulePass { protected: uint32_t function_minimum_size = 1; - uint32_t debug = 0; char * skip_nozero = NULL; private: @@ -102,7 +101,6 @@ struct InsTrim : public ModulePass { bool runOnModule(Module &M) override { - char be_quiet = 0; setvbuf(stdout, NULL, _IONBF, 0); if ((isatty(2) && !getenv("AFL_QUIET")) || getenv("AFL_DEBUG") != NULL) { diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c index 57330395..738433ac 100644 --- a/llvm_mode/afl-clang-fast.c +++ b/llvm_mode/afl-clang-fast.c @@ -639,6 +639,10 @@ int main(int argc, char **argv, char **envp) { } + if ((getenv("AFL_LLVM_INSTRUMENT_FILE") || getenv("AFL_LLVM_WHITELIST")) && + getenv("AFL_DONT_OPTIMIZE")) + FATAL("AFL_LLVM_INSTRUMENT_FILE and AFL_DONT_OPTIMIZE cannot be combined"); + if (getenv("AFL_LLVM_INSTRIM") || getenv("INSTRIM") || getenv("INSTRIM_LIB")) { diff --git a/llvm_mode/afl-llvm-common.cc b/llvm_mode/afl-llvm-common.cc index 47b49358..9a884ded 100644 --- a/llvm_mode/afl-llvm-common.cc +++ b/llvm_mode/afl-llvm-common.cc @@ -14,6 +14,8 @@ #include #include + +#define IS_EXTERN extern #include "afl-llvm-common.h" using namespace llvm; @@ -88,6 +90,7 @@ void initInstrumentList() { char *instrumentListFilename = getenv("AFL_LLVM_INSTRUMENT_FILE"); if (!instrumentListFilename) instrumentListFilename = getenv("AFL_LLVM_WHITELIST"); + if (instrumentListFilename) { std::string line; @@ -105,6 +108,10 @@ void initInstrumentList() { } + if (debug) + SAYF(cMGN "[D] " cRST "loaded instrument list with %zu entries\n", + myInstrumentList.size()); + } bool isInInstrumentList(llvm::Function *F) { @@ -145,8 +152,6 @@ bool isInInstrumentList(llvm::Function *F) { } - (void)instLine; - /* Continue only if we know where we actually are */ if (!instFilename.str().empty()) { @@ -164,6 +169,10 @@ bool isInInstrumentList(llvm::Function *F) { if (fnmatch(("*" + *it).c_str(), instFilename.str().c_str(), 0) == 0) { + if (debug) + SAYF(cMGN "[D] " cRST + "Function %s is in the list (%s), instrumenting ... \n", + F->getName().str().c_str(), instFilename.str().c_str()); return true; } @@ -219,12 +228,15 @@ bool isInInstrumentList(llvm::Function *F) { // we could not find out the location. in this case we say it is not // in the the instrument file list - + if (!be_quiet) + WARNF( + "No debug information found for function %s, will not be " + "instrumented (recompile with -g -O[1-3]).", + F->getName().str().c_str()); return false; } - // return false; } diff --git a/llvm_mode/afl-llvm-common.h b/llvm_mode/afl-llvm-common.h index 38e0c830..5b96be43 100644 --- a/llvm_mode/afl-llvm-common.h +++ b/llvm_mode/afl-llvm-common.h @@ -38,5 +38,14 @@ void initInstrumentList(); bool isInInstrumentList(llvm::Function *F); unsigned long long int calculateCollisions(uint32_t edges); +#ifndef IS_EXTERN + #define IS_EXTERN +#endif + +IS_EXTERN int debug; +IS_EXTERN int be_quiet; + +#undef IS_EXTERN + #endif diff --git a/llvm_mode/afl-llvm-lto-instrim.so.cc b/llvm_mode/afl-llvm-lto-instrim.so.cc index dba98777..98e9ff9a 100644 --- a/llvm_mode/afl-llvm-lto-instrim.so.cc +++ b/llvm_mode/afl-llvm-lto-instrim.so.cc @@ -73,8 +73,8 @@ struct InsTrimLTO : public ModulePass { protected: uint32_t function_minimum_size = 1; char * skip_nozero = NULL; - int afl_global_id = 1, debug = 0, autodictionary = 1; - uint32_t be_quiet = 0, inst_blocks = 0, inst_funcs = 0; + int afl_global_id = 1, autodictionary = 1; + uint32_t inst_blocks = 0, inst_funcs = 0; uint64_t map_addr = 0x10000; public: diff --git a/llvm_mode/afl-llvm-lto-instrumentation.so.cc b/llvm_mode/afl-llvm-lto-instrumentation.so.cc index d81b35f4..5686eb56 100644 --- a/llvm_mode/afl-llvm-lto-instrumentation.so.cc +++ b/llvm_mode/afl-llvm-lto-instrumentation.so.cc @@ -86,9 +86,9 @@ class AFLLTOPass : public ModulePass { bool runOnModule(Module &M) override; protected: - int afl_global_id = 1, debug = 0, autodictionary = 1; + int afl_global_id = 1, autodictionary = 1; uint32_t function_minimum_size = 1; - uint32_t be_quiet = 0, inst_blocks = 0, inst_funcs = 0, total_instr = 0; + uint32_t inst_blocks = 0, inst_funcs = 0, total_instr = 0; uint64_t map_addr = 0x10000; char * skip_nozero = NULL; @@ -207,7 +207,8 @@ bool AFLLTOPass::runOnModule(Module &M) { if (debug) fprintf(stderr, "DEBUG: Function %s is not in a source file that was specified " - "in the instrument file list\n", F.getName().str().c_str()); + "in the instrument file list\n", + F.getName().str().c_str()); continue; } diff --git a/llvm_mode/afl-llvm-lto-instrumentlist.so.cc b/llvm_mode/afl-llvm-lto-instrumentlist.so.cc index dc1a9a61..ab7c0c58 100644 --- a/llvm_mode/afl-llvm-lto-instrumentlist.so.cc +++ b/llvm_mode/afl-llvm-lto-instrumentlist.so.cc @@ -104,7 +104,6 @@ class AFLcheckIfInstrument : public ModulePass { protected: std::list myInstrumentList; - int debug = 0; }; @@ -116,7 +115,6 @@ bool AFLcheckIfInstrument::runOnModule(Module &M) { /* Show a banner */ - char be_quiet = 0; setvbuf(stdout, NULL, _IONBF, 0); if ((isatty(2) && !getenv("AFL_QUIET")) || getenv("AFL_DEBUG") != NULL) { @@ -209,8 +207,10 @@ bool AFLcheckIfInstrument::runOnModule(Module &M) { } else { if (!be_quiet) - WARNF("No debug information found for function %s, recompile with -g", - F.getName().str().c_str()); + WARNF( + "No debug information found for function %s, recompile with -g " + "-O[1-3]", + F.getName().str().c_str()); continue; } diff --git a/llvm_mode/afl-llvm-pass.so.cc b/llvm_mode/afl-llvm-pass.so.cc index 90cf3eb4..618abe48 100644 --- a/llvm_mode/afl-llvm-pass.so.cc +++ b/llvm_mode/afl-llvm-pass.so.cc @@ -82,7 +82,6 @@ class AFLCoverage : public ModulePass { protected: uint32_t ngram_size = 0; - uint32_t debug = 0; uint32_t map_size = MAP_SIZE; uint32_t function_minimum_size = 1; char * ctx_str = NULL, *skip_nozero = NULL; @@ -139,7 +138,6 @@ bool AFLCoverage::runOnModule(Module &M) { /* Show a banner */ - char be_quiet = 0; setvbuf(stdout, NULL, _IONBF, 0); if (getenv("AFL_DEBUG")) debug = 1; diff --git a/llvm_mode/cmplog-instructions-pass.cc b/llvm_mode/cmplog-instructions-pass.cc index f929361a..7c48d906 100644 --- a/llvm_mode/cmplog-instructions-pass.cc +++ b/llvm_mode/cmplog-instructions-pass.cc @@ -76,9 +76,6 @@ class CmpLogInstructions : public ModulePass { } - protected: - int be_quiet = 0; - private: bool hookInstrs(Module &M); diff --git a/llvm_mode/cmplog-routines-pass.cc b/llvm_mode/cmplog-routines-pass.cc index 318193a4..a0f8f64f 100644 --- a/llvm_mode/cmplog-routines-pass.cc +++ b/llvm_mode/cmplog-routines-pass.cc @@ -76,9 +76,6 @@ class CmpLogRoutines : public ModulePass { } - protected: - int be_quiet = 0; - private: bool hookRtns(Module &M); diff --git a/llvm_mode/compare-transform-pass.so.cc b/llvm_mode/compare-transform-pass.so.cc index d389651c..bed3597a 100644 --- a/llvm_mode/compare-transform-pass.so.cc +++ b/llvm_mode/compare-transform-pass.so.cc @@ -75,9 +75,6 @@ class CompareTransform : public ModulePass { } - protected: - int be_quiet = 0; - private: bool transformCmps(Module &M, const bool processStrcmp, const bool processMemcmp, const bool processStrncmp, diff --git a/llvm_mode/split-compares-pass.so.cc b/llvm_mode/split-compares-pass.so.cc index f65adde8..3630bd8c 100644 --- a/llvm_mode/split-compares-pass.so.cc +++ b/llvm_mode/split-compares-pass.so.cc @@ -71,9 +71,6 @@ class SplitComparesTransform : public ModulePass { } - protected: - int be_quiet = 0; - private: int enableFPSplit; diff --git a/llvm_mode/split-switches-pass.so.cc b/llvm_mode/split-switches-pass.so.cc index 44075c94..f025df77 100644 --- a/llvm_mode/split-switches-pass.so.cc +++ b/llvm_mode/split-switches-pass.so.cc @@ -91,9 +91,6 @@ class SplitSwitchesTransform : public ModulePass { typedef std::vector CaseVector; - protected: - int be_quiet = 0; - private: bool splitSwitches(Module &M); bool transformCmps(Module &M, const bool processStrcmp, -- cgit 1.4.1