From b126a5d5a8d90dcc10ccb890b379c3dfdc5cf8d4 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sun, 12 Jul 2020 13:44:25 +0200 Subject: LTO: autodict default, instrim disabled --- llvm_mode/afl-llvm-lto-instrumentation.so.cc | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) (limited to 'llvm_mode/afl-llvm-lto-instrumentation.so.cc') diff --git a/llvm_mode/afl-llvm-lto-instrumentation.so.cc b/llvm_mode/afl-llvm-lto-instrumentation.so.cc index af2db3ff..3c1d3565 100644 --- a/llvm_mode/afl-llvm-lto-instrumentation.so.cc +++ b/llvm_mode/afl-llvm-lto-instrumentation.so.cc @@ -86,7 +86,7 @@ class AFLLTOPass : public ModulePass { bool runOnModule(Module &M) override; protected: - int afl_global_id = 1, debug = 0, autodictionary = 0; + int afl_global_id = 1, debug = 0, autodictionary = 1; uint32_t function_minimum_size = 1; uint32_t be_quiet = 0, inst_blocks = 0, inst_funcs = 0, total_instr = 0; uint64_t map_addr = 0x10000; @@ -120,10 +120,6 @@ bool AFLLTOPass::runOnModule(Module &M) { be_quiet = 1; - if (getenv("AFL_LLVM_AUTODICTIONARY") || - getenv("AFL_LLVM_LTO_AUTODICTIONARY")) - autodictionary = 1; - if (getenv("AFL_LLVM_MAP_DYNAMIC")) map_addr = 0; if (getenv("AFL_LLVM_INSTRIM_SKIPSINGLEBLOCK") || -- cgit 1.4.1 From 185f4436598aacb3f25736ce6eb53309d1d9472f Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 31 Jul 2020 17:53:01 +0200 Subject: add LTO AFL_LLVM_DOCUMENT_IDS feature --- docs/Changelog.md | 2 ++ docs/FAQ.md | 12 +++++----- docs/env_variables.md | 35 ++++++++++++++++------------ include/envs.h | 1 + llvm_mode/README.lto.md | 6 +++++ llvm_mode/afl-clang-fast.c | 2 ++ llvm_mode/afl-llvm-lto-instrumentation.so.cc | 18 ++++++++++++++ 7 files changed, 55 insertions(+), 21 deletions(-) (limited to 'llvm_mode/afl-llvm-lto-instrumentation.so.cc') diff --git a/docs/Changelog.md b/docs/Changelog.md index dcaf64a7..14d00a43 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -26,6 +26,8 @@ sending a mail to . - LTO: autodictionary mode is a default - LTO: instrim instrumentation disabled, only classic support used as it is always better + - LTO: env var AFL_LLVM_DOCUMENT_IDS=file will document which edge ID + was given to which function during compilation - setting AFL_LLVM_LAF_SPLIT_FLOATS now activates AFL_LLVM_LAF_SPLIT_COMPARES - added honggfuzz mangle as a custom mutator in custom_mutators/honggfuzz diff --git a/docs/FAQ.md b/docs/FAQ.md index e09385a8..b09a16ae 100644 --- a/docs/FAQ.md +++ b/docs/FAQ.md @@ -95,12 +95,13 @@ afl-clang-fast PCGUARD and afl-clang-lto LTO instrumentation! 2. Second step: Find the responsible function. - a) For LTO instrumented binaries just disassemble or decompile the target - and look which edge is writing to that edge ID. Ghidra is a good tool - for this: [https://ghidra-sre.org/](https://ghidra-sre.org/) + a) For LTO instrumented binaries this can be documented during compile + time, just set `export AFL_LLVM_DOCUMENT_IDS=/path/to/afile`. + This file will have one assigned edge ID and the corresponding function + per line. - b) For PCGUARD instrumented binaries it is more difficult. Here you can - either modify the __sanitizer_cov_trace_pc_guard function in + b) For PCGUARD instrumented binaries it is much more difficult. Here you + can either modify the __sanitizer_cov_trace_pc_guard function in llvm_mode/afl-llvm-rt.o.c to write a backtrace to a file if the ID in __afl_area_ptr[*guard] is one of the unstable edge IDs. Then recompile and reinstall llvm_mode and rebuild your target. Run the recompiled @@ -121,4 +122,3 @@ afl-clang-fast PCGUARD and afl-clang-lto LTO instrumentation! 4. Fourth step: recompile the target Recompile, fuzz it, be happy :) - diff --git a/docs/env_variables.md b/docs/env_variables.md index 87344331..4c0d2db7 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -121,18 +121,16 @@ Then there are a few specific features that are only available in llvm_mode: built if LLVM 11 or newer is used. - AFL_LLVM_INSTRUMENT=CFG will use Control Flow Graph instrumentation. - (recommended) - - - AFL_LLVM_LTO_AUTODICTIONARY will generate a dictionary in the target - binary based on string compare and memory compare functions. - afl-fuzz will automatically get these transmitted when starting to - fuzz. + (not recommended!) None of the following options are necessary to be used and are rather for manual use (which only ever the author of this LTO implementation will use). These are used if several seperated instrumentation are performed which are then later combined. + - AFL_LLVM_DOCUMENT_IDS=file will document to a file which edge ID was given + to which function. This helps to identify functions with variable bytes + or which functions were touched by an input. - AFL_LLVM_MAP_ADDR sets the fixed map address to a different address than the default 0x10000. A value of 0 or empty sets the map address to be dynamic (the original afl way, which is slower) @@ -254,15 +252,6 @@ checks or alter some of the more exotic semantics of the tool: useful if you can't change the defaults (e.g., no root access to the system) and are OK with some performance loss. - - Setting AFL_NO_FORKSRV disables the forkserver optimization, reverting to - fork + execve() call for every tested input. This is useful mostly when - working with unruly libraries that create threads or do other crazy - things when initializing (before the instrumentation has a chance to run). - - Note that this setting inhibits some of the user-friendly diagnostics - normally done when starting up the forkserver and causes a pretty - significant performance drop. - - AFL_EXIT_WHEN_DONE causes afl-fuzz to terminate when all existing paths have been fuzzed and there were no new finds for a while. This would be normally indicated by the cycle counter in the UI turning green. May be @@ -338,6 +327,13 @@ checks or alter some of the more exotic semantics of the tool: - In QEMU mode (-Q), AFL_PATH will be searched for afl-qemu-trace. + - Setting AFL_CYCLE_SCHEDULES will switch to a different schedule everytime + a cycle is finished. + + - Setting AFL_EXPAND_HAVOC_NOW will start in the extended havoc mode that + includes costly mutations. afl-fuzz automatically enables this mode when + deemed useful otherwise. + - Setting AFL_PRELOAD causes AFL to set LD_PRELOAD for the target binary without disrupting the afl-fuzz process itself. This is useful, among other things, for bootstrapping libdislocator.so. @@ -365,6 +361,15 @@ checks or alter some of the more exotic semantics of the tool: for an existing out folder, even if a different `-i` was provided. Without this setting, afl-fuzz will refuse execution for a long-fuzzed out dir. + - Setting AFL_NO_FORKSRV disables the forkserver optimization, reverting to + fork + execve() call for every tested input. This is useful mostly when + working with unruly libraries that create threads or do other crazy + things when initializing (before the instrumentation has a chance to run). + + Note that this setting inhibits some of the user-friendly diagnostics + normally done when starting up the forkserver and causes a pretty + significant performance drop. + - Outdated environment variables that are that not supported anymore: AFL_DEFER_FORKSRV AFL_PERSISTENT diff --git a/include/envs.h b/include/envs.h index c1c7d387..7153ed47 100644 --- a/include/envs.h +++ b/include/envs.h @@ -65,6 +65,7 @@ static char *afl_environment_variables[] = { "AFL_LLVM_CMPLOG", "AFL_LLVM_INSTRIM", "AFL_LLVM_CTX", + "AFL_LLVM_DOCUMENT_IDS", "AFL_LLVM_INSTRUMENT", "AFL_LLVM_INSTRIM_LOOPHEAD", "AFL_LLVM_LTO_AUTODICTIONARY", diff --git a/llvm_mode/README.lto.md b/llvm_mode/README.lto.md index a4c969b9..e521ac82 100644 --- a/llvm_mode/README.lto.md +++ b/llvm_mode/README.lto.md @@ -140,6 +140,12 @@ to be dynamic - the original afl way, which is slower). AFL_LLVM_MAP_DYNAMIC can be set so the shared memory address is dynamic (which is safer but also slower). +## Document edge IDs + +Setting `export AFL_LLVM_DOCUMENT_IDS=file` will document to a file which edge +ID was given to which function. This helps to identify functions with variable +bytes or which functions were touched by an input. + ## Solving difficult targets Some targets are difficult because the configure script does unusual stuff that diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c index dca11bf3..a2550d2c 100644 --- a/llvm_mode/afl-clang-fast.c +++ b/llvm_mode/afl-clang-fast.c @@ -890,6 +890,8 @@ int main(int argc, char **argv, char **envp) { "AFL_NO_BUILTIN: compile for use with libtokencap.so\n" "AFL_PATH: path to instrumenting pass and runtime " "(afl-llvm-rt.*o)\n" + "AFL_LLVM_DOCUMENT_IDS: document edge IDs given to which function (LTO " + "only)\n" "AFL_QUIET: suppress verbose output\n" "AFL_USE_ASAN: activate address sanitizer\n" "AFL_USE_CFISAN: activate control flow sanitizer\n" diff --git a/llvm_mode/afl-llvm-lto-instrumentation.so.cc b/llvm_mode/afl-llvm-lto-instrumentation.so.cc index 3c1d3565..46a97e54 100644 --- a/llvm_mode/afl-llvm-lto-instrumentation.so.cc +++ b/llvm_mode/afl-llvm-lto-instrumentation.so.cc @@ -103,6 +103,7 @@ bool AFLLTOPass::runOnModule(Module &M) { std::vector calls; DenseMap valueMap; char * ptr; + FILE * documentFile = NULL; IntegerType *Int8Ty = IntegerType::getInt8Ty(C); IntegerType *Int32Ty = IntegerType::getInt32Ty(C); @@ -120,6 +121,13 @@ bool AFLLTOPass::runOnModule(Module &M) { be_quiet = 1; + if ((ptr = getenv("AFL_LLVM_DOCUMENT_IDS")) != NULL) { + + if ((documentFile = fopen(ptr, "a")) == NULL) + WARNF("Cannot access document file %s", ptr); + + } + if (getenv("AFL_LLVM_MAP_DYNAMIC")) map_addr = 0; if (getenv("AFL_LLVM_INSTRIM_SKIPSINGLEBLOCK") || @@ -579,6 +587,14 @@ bool AFLLTOPass::runOnModule(Module &M) { } + if (documentFile) { + + fprintf(documentFile, "%s %u\n", + origBB->getParent()->getName().str().c_str(), + afl_global_id); + + } + BasicBlock::iterator IP = newBB->getFirstInsertionPt(); IRBuilder<> IRB(&(*IP)); @@ -632,6 +648,8 @@ bool AFLLTOPass::runOnModule(Module &M) { } + if (documentFile) fclose(documentFile); + } // save highest location ID to global variable -- cgit 1.4.1 From b708cf7d45edd0297ff47b89dd95dcf5e3664a40 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sat, 1 Aug 2020 19:43:29 +0200 Subject: fix lto single block and no zero --- docs/Changelog.md | 2 ++ examples/persistent_demo/persistent_demo_new.c | 9 +++++--- llvm_mode/afl-clang-fast.c | 13 ++++++----- llvm_mode/afl-llvm-lto-instrim.so.cc | 2 +- llvm_mode/afl-llvm-lto-instrumentation.so.cc | 30 ++++++++++++++++++-------- 5 files changed, 36 insertions(+), 20 deletions(-) (limited to 'llvm_mode/afl-llvm-lto-instrumentation.so.cc') diff --git a/docs/Changelog.md b/docs/Changelog.md index 14d00a43..8ab3fdf4 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -28,6 +28,8 @@ sending a mail to . as it is always better - LTO: env var AFL_LLVM_DOCUMENT_IDS=file will document which edge ID was given to which function during compilation + - LTO: single block functions were not implemented by default, fixed + - LTO: AFL_LLVM_SKIP_NEVERZERO behaviour was inversed, fixed - setting AFL_LLVM_LAF_SPLIT_FLOATS now activates AFL_LLVM_LAF_SPLIT_COMPARES - added honggfuzz mangle as a custom mutator in custom_mutators/honggfuzz diff --git a/examples/persistent_demo/persistent_demo_new.c b/examples/persistent_demo/persistent_demo_new.c index 86b19fa8..5f347667 100644 --- a/examples/persistent_demo/persistent_demo_new.c +++ b/examples/persistent_demo/persistent_demo_new.c @@ -30,13 +30,16 @@ /* this lets the source compile without afl-clang-fast/lto */ #ifndef __AFL_FUZZ_TESTCASE_LEN - ssize_t fuzz_len; - #define __AFL_FUZZ_TESTCASE_LEN fuzz_len + + ssize_t fuzz_len; unsigned char fuzz_buf[1024000]; + + #define __AFL_FUZZ_TESTCASE_LEN fuzz_len #define __AFL_FUZZ_TESTCASE_BUF fuzz_buf #define __AFL_FUZZ_INIT() void sync(void); #define __AFL_LOOP(x) ((fuzz_len = read(0, fuzz_buf, sizeof(fuzz_buf))) > 0 ? - #define __AFL_INIT() sync() + #define __AFL_INIT() sync() + #endif __AFL_FUZZ_INIT(); diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c index b819b43a..57330395 100644 --- a/llvm_mode/afl-clang-fast.c +++ b/llvm_mode/afl-clang-fast.c @@ -162,7 +162,7 @@ static void find_obj(u8 *argv0) { static void edit_params(u32 argc, char **argv, char **envp) { u8 fortify_set = 0, asan_set = 0, x_set = 0, bit_mode = 0; - u8 have_pic = 0, have_s = 0, have_c = 0, have_shared = 0; + u8 have_pic = 0; u8 *name; cc_params = ck_alloc((argc + 128) * sizeof(u8 *)); @@ -369,15 +369,11 @@ static void edit_params(u32 argc, char **argv, char **envp) { for (idx = 1; idx < argc; idx++) { - if (!strncmp(argv[idx], "-shared", 7)) have_shared = 1; - if (!strcmp(argv[idx], "-S")) have_s = 1; - if (!strcmp(argv[idx], "-c")) have_c = 1; if (!strncasecmp(argv[idx], "-fpic", 5)) have_pic = 1; } if (!have_pic) cc_params[cc_par_cnt++] = "-fPIC"; - // if (!have_shared && (have_s || have_c)) cc_params[cc_par_cnt++] = "-shared"; } @@ -527,9 +523,12 @@ static void edit_params(u32 argc, char **argv, char **envp) { "unsigned char __afl_fuzz_alt[1024000];" "unsigned char *__afl_fuzz_alt_ptr = __afl_fuzz_alt;"; cc_params[cc_par_cnt++] = - "-D__AFL_FUZZ_TESTCASE_BUF=(__afl_fuzz_ptr ? __afl_fuzz_ptr : __afl_fuzz_alt_ptr)"; + "-D__AFL_FUZZ_TESTCASE_BUF=(__afl_fuzz_ptr ? __afl_fuzz_ptr : " + "__afl_fuzz_alt_ptr)"; cc_params[cc_par_cnt++] = - "-D__AFL_FUZZ_TESTCASE_LEN=(__afl_fuzz_ptr ? *__afl_fuzz_len : (*__afl_fuzz_len = read(0, __afl_fuzz_alt_ptr, 1024000)) == 0xffffffff ? 0 : *__afl_fuzz_len)"; + "-D__AFL_FUZZ_TESTCASE_LEN=(__afl_fuzz_ptr ? *__afl_fuzz_len : " + "(*__afl_fuzz_len = read(0, __afl_fuzz_alt_ptr, 1024000)) == 0xffffffff " + "? 0 : *__afl_fuzz_len)"; cc_params[cc_par_cnt++] = "-D__AFL_LOOP(_A)=" diff --git a/llvm_mode/afl-llvm-lto-instrim.so.cc b/llvm_mode/afl-llvm-lto-instrim.so.cc index 880963ac..dba98777 100644 --- a/llvm_mode/afl-llvm-lto-instrim.so.cc +++ b/llvm_mode/afl-llvm-lto-instrim.so.cc @@ -701,7 +701,7 @@ struct InsTrimLTO : public ModulePass { Value *Incr = IRB.CreateAdd(Counter, One); - if (skip_nozero) { + if (skip_nozero == NULL) { auto cf = IRB.CreateICmpEQ(Incr, Zero); auto carry = IRB.CreateZExt(cf, Int8Ty); diff --git a/llvm_mode/afl-llvm-lto-instrumentation.so.cc b/llvm_mode/afl-llvm-lto-instrumentation.so.cc index 46a97e54..430cb0ad 100644 --- a/llvm_mode/afl-llvm-lto-instrumentation.so.cc +++ b/llvm_mode/afl-llvm-lto-instrumentation.so.cc @@ -130,9 +130,7 @@ bool AFLLTOPass::runOnModule(Module &M) { if (getenv("AFL_LLVM_MAP_DYNAMIC")) map_addr = 0; - if (getenv("AFL_LLVM_INSTRIM_SKIPSINGLEBLOCK") || - getenv("AFL_LLVM_SKIPSINGLEBLOCK")) - function_minimum_size = 2; + if (getenv("AFL_LLVM_SKIPSINGLEBLOCK")) function_minimum_size = 2; if ((ptr = getenv("AFL_LLVM_MAP_ADDR"))) { @@ -540,6 +538,8 @@ bool AFLLTOPass::runOnModule(Module &M) { uint32_t succ = 0; + if (F.size() == 1) InsBlocks.push_back(&BB); + for (succ_iterator SI = succ_begin(&BB), SE = succ_end(&BB); SI != SE; ++SI) if ((*SI)->size() > 0) succ++; @@ -558,9 +558,12 @@ bool AFLLTOPass::runOnModule(Module &M) { do { --i; + BasicBlock * newBB; BasicBlock * origBB = &(*InsBlocks[i]); std::vector Successors; Instruction * TI = origBB->getTerminator(); + uint32_t fs = origBB->getParent()->size(); + uint32_t countto; for (succ_iterator SI = succ_begin(origBB), SE = succ_end(origBB); SI != SE; ++SI) { @@ -570,15 +573,25 @@ bool AFLLTOPass::runOnModule(Module &M) { } - if (TI == NULL || TI->getNumSuccessors() < 2) continue; + if (fs == 1) { + + newBB = origBB; + countto = 1; + + } else { + + if (TI == NULL || TI->getNumSuccessors() < 2) continue; + countto = Successors.size(); + + } // if (Successors.size() != TI->getNumSuccessors()) // FATAL("Different successor numbers %lu <-> %u\n", Successors.size(), // TI->getNumSuccessors()); - for (uint32_t j = 0; j < Successors.size(); j++) { + for (uint32_t j = 0; j < countto; j++) { - BasicBlock *newBB = llvm::SplitEdge(origBB, Successors[j]); + if (fs != 1) newBB = llvm::SplitEdge(origBB, Successors[j]); if (!newBB) { @@ -589,8 +602,7 @@ bool AFLLTOPass::runOnModule(Module &M) { if (documentFile) { - fprintf(documentFile, "%s %u\n", - origBB->getParent()->getName().str().c_str(), + fprintf(documentFile, "%s %u\n", F.getName().str().c_str(), afl_global_id); } @@ -627,7 +639,7 @@ bool AFLLTOPass::runOnModule(Module &M) { Value *Incr = IRB.CreateAdd(Counter, One); - if (skip_nozero) { + if (skip_nozero == NULL) { auto cf = IRB.CreateICmpEQ(Incr, Zero); auto carry = IRB.CreateZExt(cf, Int8Ty); -- cgit 1.4.1 From 6041b1c4866d11b443545f5b9d6f17ef5483304c Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sun, 2 Aug 2020 15:00:49 +0200 Subject: fix LTO document id feature, warnings for INSTRUMENT_FILE --- llvm_mode/afl-llvm-lto-instrumentation.so.cc | 9 +++--- llvm_mode/afl-llvm-lto-instrumentlist.so.cc | 48 ++++++++++++++++++---------- 2 files changed, 37 insertions(+), 20 deletions(-) (limited to 'llvm_mode/afl-llvm-lto-instrumentation.so.cc') diff --git a/llvm_mode/afl-llvm-lto-instrumentation.so.cc b/llvm_mode/afl-llvm-lto-instrumentation.so.cc index 430cb0ad..d81b35f4 100644 --- a/llvm_mode/afl-llvm-lto-instrumentation.so.cc +++ b/llvm_mode/afl-llvm-lto-instrumentation.so.cc @@ -206,8 +206,8 @@ bool AFLLTOPass::runOnModule(Module &M) { if (debug) fprintf(stderr, - "DEBUG: Function %s is not the instrument file listed\n", - F.getName().str().c_str()); + "DEBUG: Function %s is not in a source file that was specified " + "in the instrument file list\n", F.getName().str().c_str()); continue; } @@ -660,10 +660,11 @@ bool AFLLTOPass::runOnModule(Module &M) { } - if (documentFile) fclose(documentFile); - } + if (documentFile) fclose(documentFile); + documentFile = NULL; + // save highest location ID to global variable // do this after each function to fail faster if (!be_quiet && afl_global_id > MAP_SIZE && diff --git a/llvm_mode/afl-llvm-lto-instrumentlist.so.cc b/llvm_mode/afl-llvm-lto-instrumentlist.so.cc index 6e6199e9..dc1a9a61 100644 --- a/llvm_mode/afl-llvm-lto-instrumentlist.so.cc +++ b/llvm_mode/afl-llvm-lto-instrumentlist.so.cc @@ -164,32 +164,41 @@ bool AFLcheckIfInstrument::runOnModule(Module &M) { } + if (instFilename.str().empty()) { + + if (!be_quiet) + WARNF( + "Function %s has no source file name information and will " + "not be instrumented.", + F.getName().str().c_str()); + continue; + + } + } - (void)instLine; + //(void)instLine; + fprintf(stderr, "xxx %s %s\n", F.getName().str().c_str(), + instFilename.str().c_str()); if (debug) SAYF(cMGN "[D] " cRST "function %s is in file %s\n", F.getName().str().c_str(), instFilename.str().c_str()); - /* Continue only if we know where we actually are */ - if (!instFilename.str().empty()) { - for (std::list::iterator it = myInstrumentList.begin(); - it != myInstrumentList.end(); ++it) { + for (std::list::iterator it = myInstrumentList.begin(); + it != myInstrumentList.end(); ++it) { - /* We don't check for filename equality here because - * filenames might actually be full paths. Instead we - * check that the actual filename ends in the filename - * specified in the list. */ - if (instFilename.str().length() >= it->length()) { + /* We don't check for filename equality here because + * filenames might actually be full paths. Instead we + * check that the actual filename ends in the filename + * specified in the list. */ + if (instFilename.str().length() >= it->length()) { - if (fnmatch(("*" + *it).c_str(), instFilename.str().c_str(), 0) == - 0) { + if (fnmatch(("*" + *it).c_str(), instFilename.str().c_str(), 0) == + 0) { - instrumentFunction = true; - break; - - } + instrumentFunction = true; + break; } @@ -197,6 +206,13 @@ bool AFLcheckIfInstrument::runOnModule(Module &M) { } + } else { + + if (!be_quiet) + WARNF("No debug information found for function %s, recompile with -g", + F.getName().str().c_str()); + continue; + } /* Either we couldn't figure out our location or the location is -- cgit 1.4.1 From 1cddd51662865ee407dcc93d6f1ef8ce443585a1 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sun, 2 Aug 2020 22:28:16 +0200 Subject: refactoring debug/be_quiet, fatal on dont_optimize and instrument_file --- llvm_mode/LLVMInsTrim.so.cc | 2 -- llvm_mode/afl-clang-fast.c | 4 ++++ llvm_mode/afl-llvm-common.cc | 20 ++++++++++++++++---- llvm_mode/afl-llvm-common.h | 9 +++++++++ llvm_mode/afl-llvm-lto-instrim.so.cc | 4 ++-- llvm_mode/afl-llvm-lto-instrumentation.so.cc | 7 ++++--- llvm_mode/afl-llvm-lto-instrumentlist.so.cc | 8 ++++---- llvm_mode/afl-llvm-pass.so.cc | 2 -- llvm_mode/cmplog-instructions-pass.cc | 3 --- llvm_mode/cmplog-routines-pass.cc | 3 --- llvm_mode/compare-transform-pass.so.cc | 3 --- llvm_mode/split-compares-pass.so.cc | 3 --- llvm_mode/split-switches-pass.so.cc | 3 --- 13 files changed, 39 insertions(+), 32 deletions(-) (limited to 'llvm_mode/afl-llvm-lto-instrumentation.so.cc') diff --git a/llvm_mode/LLVMInsTrim.so.cc b/llvm_mode/LLVMInsTrim.so.cc index 75548266..4d8c4719 100644 --- a/llvm_mode/LLVMInsTrim.so.cc +++ b/llvm_mode/LLVMInsTrim.so.cc @@ -56,7 +56,6 @@ struct InsTrim : public ModulePass { protected: uint32_t function_minimum_size = 1; - uint32_t debug = 0; char * skip_nozero = NULL; private: @@ -102,7 +101,6 @@ struct InsTrim : public ModulePass { bool runOnModule(Module &M) override { - char be_quiet = 0; setvbuf(stdout, NULL, _IONBF, 0); if ((isatty(2) && !getenv("AFL_QUIET")) || getenv("AFL_DEBUG") != NULL) { diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c index 57330395..738433ac 100644 --- a/llvm_mode/afl-clang-fast.c +++ b/llvm_mode/afl-clang-fast.c @@ -639,6 +639,10 @@ int main(int argc, char **argv, char **envp) { } + if ((getenv("AFL_LLVM_INSTRUMENT_FILE") || getenv("AFL_LLVM_WHITELIST")) && + getenv("AFL_DONT_OPTIMIZE")) + FATAL("AFL_LLVM_INSTRUMENT_FILE and AFL_DONT_OPTIMIZE cannot be combined"); + if (getenv("AFL_LLVM_INSTRIM") || getenv("INSTRIM") || getenv("INSTRIM_LIB")) { diff --git a/llvm_mode/afl-llvm-common.cc b/llvm_mode/afl-llvm-common.cc index 47b49358..9a884ded 100644 --- a/llvm_mode/afl-llvm-common.cc +++ b/llvm_mode/afl-llvm-common.cc @@ -14,6 +14,8 @@ #include #include + +#define IS_EXTERN extern #include "afl-llvm-common.h" using namespace llvm; @@ -88,6 +90,7 @@ void initInstrumentList() { char *instrumentListFilename = getenv("AFL_LLVM_INSTRUMENT_FILE"); if (!instrumentListFilename) instrumentListFilename = getenv("AFL_LLVM_WHITELIST"); + if (instrumentListFilename) { std::string line; @@ -105,6 +108,10 @@ void initInstrumentList() { } + if (debug) + SAYF(cMGN "[D] " cRST "loaded instrument list with %zu entries\n", + myInstrumentList.size()); + } bool isInInstrumentList(llvm::Function *F) { @@ -145,8 +152,6 @@ bool isInInstrumentList(llvm::Function *F) { } - (void)instLine; - /* Continue only if we know where we actually are */ if (!instFilename.str().empty()) { @@ -164,6 +169,10 @@ bool isInInstrumentList(llvm::Function *F) { if (fnmatch(("*" + *it).c_str(), instFilename.str().c_str(), 0) == 0) { + if (debug) + SAYF(cMGN "[D] " cRST + "Function %s is in the list (%s), instrumenting ... \n", + F->getName().str().c_str(), instFilename.str().c_str()); return true; } @@ -219,12 +228,15 @@ bool isInInstrumentList(llvm::Function *F) { // we could not find out the location. in this case we say it is not // in the the instrument file list - + if (!be_quiet) + WARNF( + "No debug information found for function %s, will not be " + "instrumented (recompile with -g -O[1-3]).", + F->getName().str().c_str()); return false; } - // return false; } diff --git a/llvm_mode/afl-llvm-common.h b/llvm_mode/afl-llvm-common.h index 38e0c830..5b96be43 100644 --- a/llvm_mode/afl-llvm-common.h +++ b/llvm_mode/afl-llvm-common.h @@ -38,5 +38,14 @@ void initInstrumentList(); bool isInInstrumentList(llvm::Function *F); unsigned long long int calculateCollisions(uint32_t edges); +#ifndef IS_EXTERN + #define IS_EXTERN +#endif + +IS_EXTERN int debug; +IS_EXTERN int be_quiet; + +#undef IS_EXTERN + #endif diff --git a/llvm_mode/afl-llvm-lto-instrim.so.cc b/llvm_mode/afl-llvm-lto-instrim.so.cc index dba98777..98e9ff9a 100644 --- a/llvm_mode/afl-llvm-lto-instrim.so.cc +++ b/llvm_mode/afl-llvm-lto-instrim.so.cc @@ -73,8 +73,8 @@ struct InsTrimLTO : public ModulePass { protected: uint32_t function_minimum_size = 1; char * skip_nozero = NULL; - int afl_global_id = 1, debug = 0, autodictionary = 1; - uint32_t be_quiet = 0, inst_blocks = 0, inst_funcs = 0; + int afl_global_id = 1, autodictionary = 1; + uint32_t inst_blocks = 0, inst_funcs = 0; uint64_t map_addr = 0x10000; public: diff --git a/llvm_mode/afl-llvm-lto-instrumentation.so.cc b/llvm_mode/afl-llvm-lto-instrumentation.so.cc index d81b35f4..5686eb56 100644 --- a/llvm_mode/afl-llvm-lto-instrumentation.so.cc +++ b/llvm_mode/afl-llvm-lto-instrumentation.so.cc @@ -86,9 +86,9 @@ class AFLLTOPass : public ModulePass { bool runOnModule(Module &M) override; protected: - int afl_global_id = 1, debug = 0, autodictionary = 1; + int afl_global_id = 1, autodictionary = 1; uint32_t function_minimum_size = 1; - uint32_t be_quiet = 0, inst_blocks = 0, inst_funcs = 0, total_instr = 0; + uint32_t inst_blocks = 0, inst_funcs = 0, total_instr = 0; uint64_t map_addr = 0x10000; char * skip_nozero = NULL; @@ -207,7 +207,8 @@ bool AFLLTOPass::runOnModule(Module &M) { if (debug) fprintf(stderr, "DEBUG: Function %s is not in a source file that was specified " - "in the instrument file list\n", F.getName().str().c_str()); + "in the instrument file list\n", + F.getName().str().c_str()); continue; } diff --git a/llvm_mode/afl-llvm-lto-instrumentlist.so.cc b/llvm_mode/afl-llvm-lto-instrumentlist.so.cc index dc1a9a61..ab7c0c58 100644 --- a/llvm_mode/afl-llvm-lto-instrumentlist.so.cc +++ b/llvm_mode/afl-llvm-lto-instrumentlist.so.cc @@ -104,7 +104,6 @@ class AFLcheckIfInstrument : public ModulePass { protected: std::list myInstrumentList; - int debug = 0; }; @@ -116,7 +115,6 @@ bool AFLcheckIfInstrument::runOnModule(Module &M) { /* Show a banner */ - char be_quiet = 0; setvbuf(stdout, NULL, _IONBF, 0); if ((isatty(2) && !getenv("AFL_QUIET")) || getenv("AFL_DEBUG") != NULL) { @@ -209,8 +207,10 @@ bool AFLcheckIfInstrument::runOnModule(Module &M) { } else { if (!be_quiet) - WARNF("No debug information found for function %s, recompile with -g", - F.getName().str().c_str()); + WARNF( + "No debug information found for function %s, recompile with -g " + "-O[1-3]", + F.getName().str().c_str()); continue; } diff --git a/llvm_mode/afl-llvm-pass.so.cc b/llvm_mode/afl-llvm-pass.so.cc index 90cf3eb4..618abe48 100644 --- a/llvm_mode/afl-llvm-pass.so.cc +++ b/llvm_mode/afl-llvm-pass.so.cc @@ -82,7 +82,6 @@ class AFLCoverage : public ModulePass { protected: uint32_t ngram_size = 0; - uint32_t debug = 0; uint32_t map_size = MAP_SIZE; uint32_t function_minimum_size = 1; char * ctx_str = NULL, *skip_nozero = NULL; @@ -139,7 +138,6 @@ bool AFLCoverage::runOnModule(Module &M) { /* Show a banner */ - char be_quiet = 0; setvbuf(stdout, NULL, _IONBF, 0); if (getenv("AFL_DEBUG")) debug = 1; diff --git a/llvm_mode/cmplog-instructions-pass.cc b/llvm_mode/cmplog-instructions-pass.cc index f929361a..7c48d906 100644 --- a/llvm_mode/cmplog-instructions-pass.cc +++ b/llvm_mode/cmplog-instructions-pass.cc @@ -76,9 +76,6 @@ class CmpLogInstructions : public ModulePass { } - protected: - int be_quiet = 0; - private: bool hookInstrs(Module &M); diff --git a/llvm_mode/cmplog-routines-pass.cc b/llvm_mode/cmplog-routines-pass.cc index 318193a4..a0f8f64f 100644 --- a/llvm_mode/cmplog-routines-pass.cc +++ b/llvm_mode/cmplog-routines-pass.cc @@ -76,9 +76,6 @@ class CmpLogRoutines : public ModulePass { } - protected: - int be_quiet = 0; - private: bool hookRtns(Module &M); diff --git a/llvm_mode/compare-transform-pass.so.cc b/llvm_mode/compare-transform-pass.so.cc index d389651c..bed3597a 100644 --- a/llvm_mode/compare-transform-pass.so.cc +++ b/llvm_mode/compare-transform-pass.so.cc @@ -75,9 +75,6 @@ class CompareTransform : public ModulePass { } - protected: - int be_quiet = 0; - private: bool transformCmps(Module &M, const bool processStrcmp, const bool processMemcmp, const bool processStrncmp, diff --git a/llvm_mode/split-compares-pass.so.cc b/llvm_mode/split-compares-pass.so.cc index f65adde8..3630bd8c 100644 --- a/llvm_mode/split-compares-pass.so.cc +++ b/llvm_mode/split-compares-pass.so.cc @@ -71,9 +71,6 @@ class SplitComparesTransform : public ModulePass { } - protected: - int be_quiet = 0; - private: int enableFPSplit; diff --git a/llvm_mode/split-switches-pass.so.cc b/llvm_mode/split-switches-pass.so.cc index 44075c94..f025df77 100644 --- a/llvm_mode/split-switches-pass.so.cc +++ b/llvm_mode/split-switches-pass.so.cc @@ -91,9 +91,6 @@ class SplitSwitchesTransform : public ModulePass { typedef std::vector CaseVector; - protected: - int be_quiet = 0; - private: bool splitSwitches(Module &M); bool transformCmps(Module &M, const bool processStrcmp, -- cgit 1.4.1