From 80ddb484deb82aefc9ba35c766ffca313d74e377 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 6 May 2020 11:51:28 +0200 Subject: added InsTrimLTO :-) --- llvm_mode/GNUmakefile | 9 +- llvm_mode/README.lto.md | 10 +- llvm_mode/afl-clang-fast.c | 93 +-- llvm_mode/afl-llvm-common.cc | 17 + llvm_mode/afl-llvm-common.h | 9 +- llvm_mode/afl-llvm-lto-instrim.so.cc | 898 +++++++++++++++++++++++++++ llvm_mode/afl-llvm-lto-instrumentation.so.cc | 44 +- 7 files changed, 999 insertions(+), 81 deletions(-) create mode 100644 llvm_mode/afl-llvm-lto-instrim.so.cc (limited to 'llvm_mode') diff --git a/llvm_mode/GNUmakefile b/llvm_mode/GNUmakefile index 93886e47..6a58f6a5 100644 --- a/llvm_mode/GNUmakefile +++ b/llvm_mode/GNUmakefile @@ -238,7 +238,7 @@ ifeq "$(TEST_MMAP)" "1" LDFLAGS += -Wno-deprecated-declarations endif - PROGS = ../afl-clang-fast ../afl-llvm-pass.so ../afl-llvm-lto-whitelist.so ../afl-llvm-lto-instrumentation.so ../libLLVMInsTrim.so ../afl-llvm-rt.o ../afl-llvm-rt-32.o ../afl-llvm-rt-64.o ../compare-transform-pass.so ../split-compares-pass.so ../split-switches-pass.so ../cmplog-routines-pass.so ../cmplog-instructions-pass.so + PROGS = ../afl-clang-fast ../afl-llvm-pass.so ../afl-llvm-lto-whitelist.so ../afl-llvm-lto-instrumentation.so ../afl-llvm-lto-instrim.so ../libLLVMInsTrim.so ../afl-llvm-rt.o ../afl-llvm-rt-32.o ../afl-llvm-rt-64.o ../compare-transform-pass.so ../split-compares-pass.so ../split-switches-pass.so ../cmplog-routines-pass.so ../cmplog-instructions-pass.so # If prerequisites are not given, warn, do not build anything, and exit with code 0 ifeq "$(LLVMVER)" "" @@ -330,6 +330,11 @@ ifeq "$(LLVM_LTO)" "1" @$(CLANG_BIN) $(CFLAGS) -Wno-unused-result -O0 $(AFL_CLANG_FLTO) -m32 -fPIC -c afl-llvm-rt-lto.o.c -o ../afl-llvm-rt-lto-32.o 2>/dev/null; if [ "$$?" = "0" ]; then : ; fi endif +../afl-llvm-lto-instrim.so: afl-llvm-lto-instrim.so.cc afl-llvm-common.o +ifeq "$(LLVM_LTO)" "1" + $(CXX) $(CLANG_CFL) -DLLVMInsTrim_EXPORTS -Wno-writable-strings -fno-rtti -fPIC -std=$(LLVM_STDCXX) -shared $< MarkNodes.cc -o $@ $(CLANG_LFL) afl-llvm-common.o +endif + # laf ../split-switches-pass.so: split-switches-pass.so.cc afl-llvm-common.o | test_deps $(CXX) $(CLANG_CFL) -shared $< -o $@ $(CLANG_LFL) afl-llvm-common.o @@ -373,7 +378,7 @@ all_done: test_build install: all install -d -m 755 $${DESTDIR}$(BIN_PATH) $${DESTDIR}$(HELPER_PATH) $${DESTDIR}$(DOC_PATH) $${DESTDIR}$(MISC_PATH) if [ -f ../afl-clang-fast -a -f ../libLLVMInsTrim.so -a -f ../afl-llvm-rt.o ]; then set -e; install -m 755 ../afl-clang-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang-fast++; install -m 755 ../libLLVMInsTrim.so ../afl-llvm-pass.so ../afl-llvm-rt.o $${DESTDIR}$(HELPER_PATH); fi - if [ -f ../afl-clang-lto ]; then set -e; ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang-lto; ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang-lto++; install -m 755 ../afl-llvm-lto-instrumentation.so ../afl-llvm-rt-lto*.o ../afl-llvm-lto-whitelist.so $${DESTDIR}$(HELPER_PATH); fi + if [ -f ../afl-clang-lto ]; then set -e; ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang-lto; ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang-lto++; install -m 755 ../afl-llvm-lto-instrumentation.so ../afl-llvm-lto-instrim.so ../afl-llvm-rt-lto*.o ../afl-llvm-lto-whitelist.so $${DESTDIR}$(HELPER_PATH); fi if [ -f ../afl-llvm-rt-32.o ]; then set -e; install -m 755 ../afl-llvm-rt-32.o $${DESTDIR}$(HELPER_PATH); fi if [ -f ../afl-llvm-rt-64.o ]; then set -e; install -m 755 ../afl-llvm-rt-64.o $${DESTDIR}$(HELPER_PATH); fi if [ -f ../compare-transform-pass.so ]; then set -e; install -m 755 ../compare-transform-pass.so $${DESTDIR}$(HELPER_PATH); fi diff --git a/llvm_mode/README.lto.md b/llvm_mode/README.lto.md index d8e4766d..674531f5 100644 --- a/llvm_mode/README.lto.md +++ b/llvm_mode/README.lto.md @@ -6,6 +6,8 @@ This version requires a current llvm 11 compiled from the github master. 1. Use afl-clang-lto/afl-clang-lto++ because it is faster and gives better coverage than anything else that is out there in the AFL world + 1a. Set AFL_LLVM_INSTRUMENT=CFG if you want the InsTrimLTO version + (recommended) 2. You can use it together with llvm_mode: laf-intel and whitelisting features and can be combined with cmplog/Redqueen @@ -41,7 +43,7 @@ and many dead ends until we got to this: -fsanitize=coverage edge coverage mode :) The result: - * 10-20% speed gain compared to llvm_mode + * 10-25% speed gain compared to llvm_mode * guaranteed non-colliding edge coverage :-) * The compile time especially for libraries can be longer @@ -80,11 +82,13 @@ Just use afl-clang-lto like you did with afl-clang-fast or afl-gcc. Also whitelisting (AFL_LLVM_WHITELIST -> [README.whitelist.md](README.whitelist.md)) and laf-intel/compcov (AFL_LLVM_LAF_* -> [README.laf-intel.md](README.laf-intel.md)) work. -Instrim does not - but we can not really use it anyway for our approach. +InsTrim (control flow graph instrumentation) is supported and recommended! + (set `AFL_LLVM_INTRUMENT=CFG`) Example: ``` -CC=afl-clang-lto CXX=afl-clang-lto++ ./configure +CC=afl-clang-lto CXX=afl-clang-lto++ RANLIB=llvm-ranlib AR=llvm-ar ./configure +export AFL_LLVM_INTRUMENT=CFG make ``` diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c index 2d1b427c..6a6414ad 100644 --- a/llvm_mode/afl-clang-fast.c +++ b/llvm_mode/afl-clang-fast.c @@ -43,7 +43,7 @@ static u8 * obj_path; /* Path to runtime libraries */ static u8 **cc_params; /* Parameters passed to the real CC */ static u32 cc_par_cnt = 1; /* Param count, including argv0 */ static u8 llvm_fullpath[PATH_MAX]; -static u8 instrument_mode, instrument_opt_mode, ngram_size; +static u8 instrument_mode, instrument_opt_mode, ngram_size, lto_mode; static u8 * lto_flag = AFL_CLANG_FLTO; static u8 * march_opt = CFLAGS_OPT; static u8 debug; @@ -170,7 +170,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { else ++name; - if (instrument_mode == INSTRUMENT_LTO) + if (lto_mode) if (lto_flag[0] != '-') FATAL( "Using afl-clang-lto is not possible because Makefile magic did not " @@ -227,8 +227,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { if (getenv("LAF_TRANSFORM_COMPARES") || getenv("AFL_LLVM_LAF_TRANSFORM_COMPARES")) { - if (!be_quiet && getenv("AFL_LLVM_LTO_AUTODICTIONARY") && - instrument_mode != INSTRUMENT_LTO) + if (!be_quiet && getenv("AFL_LLVM_LTO_AUTODICTIONARY") && lto_mode) WARNF( "using AFL_LLVM_LAF_TRANSFORM_COMPARES together with " "AFL_LLVM_LTO_AUTODICTIONARY makes no sense. Use only " @@ -281,7 +280,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { } - if (instrument_mode == INSTRUMENT_LTO) { + if (lto_mode) { if (getenv("AFL_LLVM_WHITELIST") != NULL) { @@ -295,8 +294,12 @@ static void edit_params(u32 argc, char **argv, char **envp) { cc_params[cc_par_cnt++] = alloc_printf("-fuse-ld=%s", AFL_REAL_LD); cc_params[cc_par_cnt++] = "-Wl,--allow-multiple-definition"; - cc_params[cc_par_cnt++] = alloc_printf( - "-Wl,-mllvm=-load=%s/afl-llvm-lto-instrumentation.so", obj_path); + if (instrument_mode == INSTRUMENT_CFG) + cc_params[cc_par_cnt++] = + alloc_printf("-Wl,-mllvm=-load=%s/afl-llvm-lto-instrim.so", obj_path); + else + cc_params[cc_par_cnt++] = alloc_printf( + "-Wl,-mllvm=-load=%s/afl-llvm-lto-instrumentation.so", obj_path); cc_params[cc_par_cnt++] = lto_flag; } else { @@ -391,7 +394,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { if (getenv("AFL_USE_CFISAN")) { - if (instrument_mode != INSTRUMENT_LTO) { + if (!lto_mode) { uint32_t i = 0, found = 0; while (envp[i] != NULL && !found) @@ -417,9 +420,8 @@ static void edit_params(u32 argc, char **argv, char **envp) { if (getenv("AFL_NO_BUILTIN") || getenv("AFL_LLVM_LAF_TRANSFORM_COMPARES") || getenv("LAF_TRANSFORM_COMPARES") || - (instrument_mode == INSTRUMENT_LTO && - (getenv("AFL_LLVM_LTO_AUTODICTIONARY") || - getenv("AFL_LLVM_AUTODICTIONARY")))) { + (lto_mode && (getenv("AFL_LLVM_LTO_AUTODICTIONARY") || + getenv("AFL_LLVM_AUTODICTIONARY")))) { cc_params[cc_par_cnt++] = "-fno-builtin-strcmp"; cc_params[cc_par_cnt++] = "-fno-builtin-strncmp"; @@ -500,7 +502,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { case 0: cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-rt.o", obj_path); - if (instrument_mode == INSTRUMENT_LTO) + if (lto_mode) cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-rt-lto.o", obj_path); break; @@ -509,7 +511,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-rt-32.o", obj_path); if (access(cc_params[cc_par_cnt - 1], R_OK)) FATAL("-m32 is not supported by your compiler"); - if (instrument_mode == INSTRUMENT_LTO) { + if (lto_mode) { cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-rt-lto-32.o", obj_path); @@ -524,7 +526,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-rt-64.o", obj_path); if (access(cc_params[cc_par_cnt - 1], R_OK)) FATAL("-m64 is not supported by your compiler"); - if (instrument_mode == INSTRUMENT_LTO) { + if (lto_mode) { cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-rt-lto-64.o", obj_path); @@ -548,7 +550,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { int main(int argc, char **argv, char **envp) { int i; - char *callname = "afl-clang-fast", *ptr; + char *callname = "afl-clang-fast", *ptr = NULL; if (getenv("AFL_DEBUG")) { @@ -630,7 +632,13 @@ int main(int argc, char **argv, char **envp) { if (strncasecmp(ptr, "cfg", strlen("cfg")) == 0 || strncasecmp(ptr, "instrim", strlen("instrim")) == 0) { - if (!instrument_mode || instrument_mode == INSTRUMENT_CFG) + if (instrument_mode == INSTRUMENT_LTO) { + + instrument_mode = INSTRUMENT_CFG; + lto_mode = 1; + + } else if (!instrument_mode || instrument_mode == INSTRUMENT_CFG) + instrument_mode = INSTRUMENT_CFG; else FATAL("main instrumentation mode already set with %s", @@ -640,9 +648,10 @@ int main(int argc, char **argv, char **envp) { if (strncasecmp(ptr, "lto", strlen("lto")) == 0) { + lto_mode = 1; if (!instrument_mode || instrument_mode == INSTRUMENT_LTO) instrument_mode = INSTRUMENT_LTO; - else + else if (instrument_mode != INSTRUMENT_CFG) FATAL("main instrumentation mode already set with %s", instrument_mode_string[instrument_mode]); @@ -684,37 +693,49 @@ int main(int argc, char **argv, char **envp) { } - if (!instrument_opt_mode) - ptr = instrument_mode_string[instrument_mode]; - else if (instrument_opt_mode == INSTRUMENT_OPT_CTX) - ptr = alloc_printf("%s + CTX", instrument_mode_string[instrument_mode]); - else if (instrument_opt_mode == INSTRUMENT_OPT_NGRAM) - ptr = alloc_printf("%s + NGRAM-%u", instrument_mode_string[instrument_mode], - ngram_size); - else - ptr = alloc_printf("%s + CTX + NGRAM-%u", - instrument_mode_string[instrument_mode], ngram_size); - if (strstr(argv[0], "afl-clang-lto") != NULL) { - if (instrument_mode == 0 || instrument_mode == INSTRUMENT_LTO) { + if (instrument_mode == 0 || instrument_mode == INSTRUMENT_LTO || + instrument_mode == INSTRUMENT_CFG) { + lto_mode = 1; callname = "afl-clang-lto"; - instrument_mode = INSTRUMENT_LTO; - ptr = instrument_mode_string[instrument_mode]; + if (!instrument_mode) { + + instrument_mode = INSTRUMENT_LTO; + ptr = instrument_mode_string[instrument_mode]; + + } } else { if (!be_quiet) WARNF("afl-clang-lto called with mode %s, using that mode instead", - ptr); + instrument_mode_string[instrument_mode]); } } + if (!instrument_opt_mode) { + + if (lto_mode && instrument_mode == INSTRUMENT_CFG) + ptr = alloc_printf("InsTrimLTO"); + else + ptr = instrument_mode_string[instrument_mode]; + + } else if (instrument_opt_mode == INSTRUMENT_OPT_CTX) + + ptr = alloc_printf("%s + CTX", instrument_mode_string[instrument_mode]); + else if (instrument_opt_mode == INSTRUMENT_OPT_NGRAM) + ptr = alloc_printf("%s + NGRAM-%u", instrument_mode_string[instrument_mode], + ngram_size); + else + ptr = alloc_printf("%s + CTX + NGRAM-%u", + instrument_mode_string[instrument_mode], ngram_size); + #ifndef AFL_CLANG_FLTO - if (instrument_mode == INSTRUMENT_LTO) + if (lto_mode) FATAL( "instrumentation mode LTO specified but LLVM support not available " "(requires LLVM 11 or higher)"); @@ -733,7 +754,7 @@ int main(int argc, char **argv, char **envp) { if (argc < 2 || strcmp(argv[1], "-h") == 0) { - if (instrument_mode != INSTRUMENT_LTO) + if (!lto_mode) printf("afl-clang-fast" VERSION " by in %s mode\n", ptr); else @@ -831,7 +852,7 @@ int main(int argc, char **argv, char **envp) { getenv("AFL_DEBUG") != NULL) { - if (instrument_mode != INSTRUMENT_LTO) + if (!lto_mode) SAYF(cCYA "afl-clang-fast" VERSION cRST " by in %s mode\n", @@ -846,7 +867,7 @@ int main(int argc, char **argv, char **envp) { } u8 *ptr2; - if (!be_quiet && instrument_mode != INSTRUMENT_LTO && + if (!be_quiet && !lto_mode && ((ptr2 = getenv("AFL_MAP_SIZE")) || (ptr2 = getenv("AFL_MAPSIZE")))) { u32 map_size = atoi(ptr2); diff --git a/llvm_mode/afl-llvm-common.cc b/llvm_mode/afl-llvm-common.cc index 04dd9475..c62b4c14 100644 --- a/llvm_mode/afl-llvm-common.cc +++ b/llvm_mode/afl-llvm-common.cc @@ -201,3 +201,20 @@ bool isInWhitelist(llvm::Function *F) { } +// Calculate the number of average collisions that would occur if all +// location IDs would be assigned randomly (like normal afl/afl++). +// This uses the "balls in bins" algorithm. +unsigned long long int calculateCollisions(uint32_t edges) { + + double bins = MAP_SIZE; + double balls = edges; + double step1 = 1 - (1 / bins); + double step2 = pow(step1, balls); + double step3 = bins * step2; + double step4 = round(step3); + unsigned long long int empty = step4; + unsigned long long int collisions = edges - (MAP_SIZE - empty); + return collisions; + +} + diff --git a/llvm_mode/afl-llvm-common.h b/llvm_mode/afl-llvm-common.h index 5b5e08d0..cf14d2e1 100644 --- a/llvm_mode/afl-llvm-common.h +++ b/llvm_mode/afl-llvm-common.h @@ -32,10 +32,11 @@ typedef long double max_align_t; #include "llvm/Support/CFG.h" #endif -char *getBBName(const llvm::BasicBlock *BB); -bool isBlacklisted(const llvm::Function *F); -void initWhitelist(); -bool isInWhitelist(llvm::Function *F); +char * getBBName(const llvm::BasicBlock *BB); +bool isBlacklisted(const llvm::Function *F); +void initWhitelist(); +bool isInWhitelist(llvm::Function *F); +unsigned long long int calculateCollisions(uint32_t edges); #endif diff --git a/llvm_mode/afl-llvm-lto-instrim.so.cc b/llvm_mode/afl-llvm-lto-instrim.so.cc new file mode 100644 index 00000000..a5bc337f --- /dev/null +++ b/llvm_mode/afl-llvm-lto-instrim.so.cc @@ -0,0 +1,898 @@ +/* + american fuzzy lop++ - LLVM-mode instrumentation pass + --------------------------------------------------- + + Copyright 2019-2020 AFLplusplus Project. All rights reserved. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at: + + http://www.apache.org/licenses/LICENSE-2.0 + + This library is plugged into LLVM when invoking clang through afl-clang-fast. + + */ + +#define AFL_LLVM_PASS + +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include + +#include "llvm/Config/llvm-config.h" +#include "llvm/ADT/DenseMap.h" +#include "llvm/ADT/DenseSet.h" +#include "llvm/ADT/Statistic.h" +#include "llvm/IR/BasicBlock.h" +#include "llvm/IR/CFG.h" +#include "llvm/IR/Dominators.h" +#include "llvm/IR/DebugInfo.h" +#include "llvm/IR/IRBuilder.h" +#include "llvm/IR/Instructions.h" +#include "llvm/IR/LegacyPassManager.h" +#include "llvm/IR/Module.h" +#include "llvm/IR/Verifier.h" +#include "llvm/Pass.h" +#include "llvm/Support/Debug.h" +#include "llvm/Support/raw_ostream.h" +#include "llvm/Support/CommandLine.h" +#include "llvm/Transforms/IPO/PassManagerBuilder.h" +#include "llvm/Transforms/Utils/BasicBlockUtils.h" +#include "llvm/Analysis/LoopInfo.h" +#include "llvm/Analysis/MemorySSAUpdater.h" +#include "llvm/Analysis/ValueTracking.h" + +#include "MarkNodes.h" +#include "afl-llvm-common.h" + +#include "config.h" +#include "debug.h" + +using namespace llvm; + +static cl::opt MarkSetOpt("markset", cl::desc("MarkSet"), + cl::init(false)); +static cl::opt LoopHeadOpt("loophead", cl::desc("LoopHead"), + cl::init(false)); + +namespace { + +struct InsTrimLTO : public ModulePass { + + protected: + uint32_t function_minimum_size = 1; + char * skip_nozero = NULL; + int afl_global_id = 1, debug = 0, autodictionary = 0; + uint32_t be_quiet = 0, inst_blocks = 0, inst_funcs = 0; + uint64_t map_addr = 0x10000; + + public: + static char ID; + + InsTrimLTO() : ModulePass(ID) { + + char *ptr; + + if (getenv("AFL_DEBUG")) debug = 1; + if ((ptr = getenv("AFL_LLVM_LTO_STARTID")) != NULL) + if ((afl_global_id = atoi(ptr)) < 0 || afl_global_id >= MAP_SIZE) + FATAL("AFL_LLVM_LTO_STARTID value of \"%s\" is not between 0 and %d\n", + ptr, MAP_SIZE - 1); + + skip_nozero = getenv("AFL_LLVM_SKIP_NEVERZERO"); + + } + + void getAnalysisUsage(AnalysisUsage &AU) const override { + + ModulePass::getAnalysisUsage(AU); + AU.addRequired(); + AU.addRequired(); + + } + + StringRef getPassName() const override { + + return "InstTrim LTO Instrumentation"; + + } + + bool runOnModule(Module &M) override { + + char be_quiet = 0; + char *ptr; + + if ((isatty(2) && !getenv("AFL_QUIET")) || getenv("AFL_DEBUG") != NULL) { + + SAYF(cCYA "LLVMInsTrimLTO" VERSION cRST + " by csienslab and Marc \"vanHauser\" Heuse\n"); + + } else + + be_quiet = 1; + + /* Process environment variables */ + + if (getenv("AFL_LLVM_AUTODICTIONARY") || + getenv("AFL_LLVM_LTO_AUTODICTIONARY")) + autodictionary = 1; + + if (getenv("AFL_LLVM_MAP_DYNAMIC")) map_addr = 0; + + if ((ptr = getenv("AFL_LLVM_MAP_ADDR"))) { + + uint64_t val; + if (!*ptr || !strcmp(ptr, "0") || !strcmp(ptr, "0x0")) { + + map_addr = 0; + + } else if (map_addr == 0) { + + FATAL( + "AFL_LLVM_MAP_ADDR and AFL_LLVM_MAP_DYNAMIC cannot be used " + "together"); + + } else if (strncmp(ptr, "0x", 2) != 0) { + + map_addr = 0x10000; // the default + + } else { + + val = strtoull(ptr, NULL, 16); + if (val < 0x100 || val > 0xffffffff00000000) { + + FATAL( + "AFL_LLVM_MAP_ADDR must be a value between 0x100 and " + "0xffffffff00000000"); + + } + + map_addr = val; + + } + + } + + if (debug) { fprintf(stderr, "map address is %lu\n", map_addr); } + + if (getenv("AFL_LLVM_INSTRIM_LOOPHEAD") != NULL || + getenv("LOOPHEAD") != NULL) { + + LoopHeadOpt = true; + + } + + if (getenv("AFL_LLVM_INSTRIM_SKIPSINGLEBLOCK") != NULL) + function_minimum_size = 2; + + // this is our default + MarkSetOpt = true; + + /* Initialize LLVM instrumentation */ + + LLVMContext & C = M.getContext(); + std::vector dictionary; + std::vector calls; + DenseMap valueMap; + + IntegerType *Int8Ty = IntegerType::getInt8Ty(C); + IntegerType *Int32Ty = IntegerType::getInt32Ty(C); + IntegerType *Int64Ty = IntegerType::getInt64Ty(C); + + ConstantInt *Zero = ConstantInt::get(Int8Ty, 0); + ConstantInt *One = ConstantInt::get(Int8Ty, 1); + + /* Get/set globals for the SHM region. */ + + GlobalVariable *AFLMapPtr = NULL; + Value * MapPtrFixed = NULL; + + if (!map_addr) { + + AFLMapPtr = + new GlobalVariable(M, PointerType::get(Int8Ty, 0), false, + GlobalValue::ExternalLinkage, 0, "__afl_area_ptr"); + + } else { + + ConstantInt *MapAddr = ConstantInt::get(Int64Ty, map_addr); + MapPtrFixed = + ConstantExpr::getIntToPtr(MapAddr, PointerType::getUnqual(Int8Ty)); + + } + + if (autodictionary) { + + /* Some implementation notes. + * + * We try to handle 3 cases: + * - memcmp("foo", arg, 3) <- literal string + * - static char globalvar[] = "foo"; + * memcmp(globalvar, arg, 3) <- global variable + * - char localvar[] = "foo"; + * memcmp(locallvar, arg, 3) <- local variable + * + * The local variable case is the hardest. We can only detect that + * case if there is no reassignment or change in the variable. + * And it might not work across llvm version. + * What we do is hooking the initializer function for local variables + * (llvm.memcpy.p0i8.p0i8.i64) and note the string and the assigned + * variable. And if that variable is then used in a compare function + * we use that noted string. + * This seems not to work for tokens that have a size <= 4 :-( + * + * - if the compared length is smaller than the string length we + * save the full string. This is likely better for fuzzing but + * might be wrong in a few cases depending on optimizers + * + * - not using StringRef because there is a bug in the llvm 11 + * checkout I am using which sometimes points to wrong strings + * + * Over and out. Took me a full day. damn. mh/vh + */ + + for (Function &F : M) { + + for (auto &BB : F) { + + for (auto &IN : BB) { + + CallInst *callInst = nullptr; + + if ((callInst = dyn_cast(&IN))) { + + bool isStrcmp = true; + bool isMemcmp = true; + bool isStrncmp = true; + bool isStrcasecmp = true; + bool isStrncasecmp = true; + bool isIntMemcpy = true; + bool addedNull = false; + uint8_t optLen = 0; + + Function *Callee = callInst->getCalledFunction(); + if (!Callee) continue; + if (callInst->getCallingConv() != llvm::CallingConv::C) continue; + std::string FuncName = Callee->getName().str(); + isStrcmp &= !FuncName.compare("strcmp"); + isMemcmp &= !FuncName.compare("memcmp"); + isStrncmp &= !FuncName.compare("strncmp"); + isStrcasecmp &= !FuncName.compare("strcasecmp"); + isStrncasecmp &= !FuncName.compare("strncasecmp"); + isIntMemcpy &= !FuncName.compare("llvm.memcpy.p0i8.p0i8.i64"); + + if (!isStrcmp && !isMemcmp && !isStrncmp && !isStrcasecmp && + !isStrncasecmp && !isIntMemcpy) + continue; + + /* Verify the strcmp/memcmp/strncmp/strcasecmp/strncasecmp + * function prototype */ + FunctionType *FT = Callee->getFunctionType(); + + isStrcmp &= FT->getNumParams() == 2 && + FT->getReturnType()->isIntegerTy(32) && + FT->getParamType(0) == FT->getParamType(1) && + FT->getParamType(0) == + IntegerType::getInt8PtrTy(M.getContext()); + isStrcasecmp &= FT->getNumParams() == 2 && + FT->getReturnType()->isIntegerTy(32) && + FT->getParamType(0) == FT->getParamType(1) && + FT->getParamType(0) == + IntegerType::getInt8PtrTy(M.getContext()); + isMemcmp &= FT->getNumParams() == 3 && + FT->getReturnType()->isIntegerTy(32) && + FT->getParamType(0)->isPointerTy() && + FT->getParamType(1)->isPointerTy() && + FT->getParamType(2)->isIntegerTy(); + isStrncmp &= FT->getNumParams() == 3 && + FT->getReturnType()->isIntegerTy(32) && + FT->getParamType(0) == FT->getParamType(1) && + FT->getParamType(0) == + IntegerType::getInt8PtrTy(M.getContext()) && + FT->getParamType(2)->isIntegerTy(); + isStrncasecmp &= FT->getNumParams() == 3 && + FT->getReturnType()->isIntegerTy(32) && + FT->getParamType(0) == FT->getParamType(1) && + FT->getParamType(0) == + IntegerType::getInt8PtrTy(M.getContext()) && + FT->getParamType(2)->isIntegerTy(); + + if (!isStrcmp && !isMemcmp && !isStrncmp && !isStrcasecmp && + !isStrncasecmp && !isIntMemcpy) + continue; + + /* is a str{n,}{case,}cmp/memcmp, check if we have + * str{case,}cmp(x, "const") or str{case,}cmp("const", x) + * strn{case,}cmp(x, "const", ..) or strn{case,}cmp("const", x, + * ..) memcmp(x, "const", ..) or memcmp("const", x, ..) */ + Value *Str1P = callInst->getArgOperand(0), + *Str2P = callInst->getArgOperand(1); + std::string Str1, Str2; + StringRef TmpStr; + bool HasStr1 = getConstantStringInfo(Str1P, TmpStr); + if (TmpStr.empty()) + HasStr1 = false; + else + Str1 = TmpStr.str(); + bool HasStr2 = getConstantStringInfo(Str2P, TmpStr); + if (TmpStr.empty()) + HasStr2 = false; + else + Str2 = TmpStr.str(); + + if (debug) + fprintf(stderr, "F:%s %p(%s)->\"%s\"(%s) %p(%s)->\"%s\"(%s)\n", + FuncName.c_str(), Str1P, Str1P->getName().str().c_str(), + Str1.c_str(), HasStr1 == true ? "true" : "false", Str2P, + Str2P->getName().str().c_str(), Str2.c_str(), + HasStr2 == true ? "true" : "false"); + + // we handle the 2nd parameter first because of llvm memcpy + if (!HasStr2) { + + auto *Ptr = dyn_cast(Str2P); + if (Ptr && Ptr->isGEPWithNoNotionalOverIndexing()) { + + if (auto *Var = + dyn_cast(Ptr->getOperand(0))) { + + if (auto *Array = dyn_cast( + Var->getInitializer())) { + + HasStr2 = true; + Str2 = Array->getAsString().str(); + + } + + } + + } + + } + + // for the internal memcpy routine we only care for the second + // parameter and are not reporting anything. + if (isIntMemcpy == true) { + + if (HasStr2 == true) { + + Value * op2 = callInst->getArgOperand(2); + ConstantInt *ilen = dyn_cast(op2); + if (ilen) { + + uint64_t literalLength = Str2.size(); + uint64_t optLength = ilen->getZExtValue(); + if (literalLength + 1 == optLength) { + + Str2.append("\0", 1); // add null byte + addedNull = true; + + } + + } + + valueMap[Str1P] = new std::string(Str2); + + if (debug) + fprintf(stderr, "Saved: %s for %p\n", Str2.c_str(), Str1P); + continue; + + } + + continue; + + } + + // Neither a literal nor a global variable? + // maybe it is a local variable that we saved + if (!HasStr2) { + + std::string *strng = valueMap[Str2P]; + if (strng && !strng->empty()) { + + Str2 = *strng; + HasStr2 = true; + if (debug) + fprintf(stderr, "Filled2: %s for %p\n", strng->c_str(), + Str2P); + + } + + } + + if (!HasStr1) { + + auto Ptr = dyn_cast(Str1P); + + if (Ptr && Ptr->isGEPWithNoNotionalOverIndexing()) { + + if (auto *Var = + dyn_cast(Ptr->getOperand(0))) { + + if (auto *Array = dyn_cast( + Var->getInitializer())) { + + HasStr1 = true; + Str1 = Array->getAsString().str(); + + } + + } + + } + + } + + // Neither a literal nor a global variable? + // maybe it is a local variable that we saved + if (!HasStr1) { + + std::string *strng = valueMap[Str1P]; + if (strng && !strng->empty()) { + + Str1 = *strng; + HasStr1 = true; + if (debug) + fprintf(stderr, "Filled1: %s for %p\n", strng->c_str(), + Str1P); + + } + + } + + /* handle cases of one string is const, one string is variable */ + if (!(HasStr1 ^ HasStr2)) continue; + + std::string thestring; + + if (HasStr1) + thestring = Str1; + else + thestring = Str2; + + optLen = thestring.length(); + + if (isMemcmp || isStrncmp || isStrncasecmp) { + + Value * op2 = callInst->getArgOperand(2); + ConstantInt *ilen = dyn_cast(op2); + if (ilen) { + + uint64_t literalLength = optLen; + optLen = ilen->getZExtValue(); + if (literalLength + 1 == optLen) { // add null byte + thestring.append("\0", 1); + addedNull = true; + + } + + } + + } + + // add null byte if this is a string compare function and a null + // was not already added + if (addedNull == false && !isMemcmp) { + + thestring.append("\0", 1); // add null byte + optLen++; + + } + + if (!be_quiet) { + + std::string outstring; + fprintf(stderr, "%s: length %u/%u \"", FuncName.c_str(), optLen, + (unsigned int)thestring.length()); + for (uint8_t i = 0; i < thestring.length(); i++) { + + uint8_t c = thestring[i]; + if (c <= 32 || c >= 127) + fprintf(stderr, "\\x%02x", c); + else + fprintf(stderr, "%c", c); + + } + + fprintf(stderr, "\"\n"); + + } + + // we take the longer string, even if the compare was to a + // shorter part. Note that depending on the optimizer of the + // compiler this can be wrong, but it is more likely that this + // is helping the fuzzer + if (optLen != thestring.length()) optLen = thestring.length(); + if (optLen > MAX_AUTO_EXTRA) optLen = MAX_AUTO_EXTRA; + if (optLen < MIN_AUTO_EXTRA) // too short? skip + continue; + + dictionary.push_back(thestring.substr(0, optLen)); + + } + + } + + } + + } + + } + + /* InsTrim instrumentation starts here */ + + u64 total_rs = 0; + u64 total_hs = 0; + + for (Function &F : M) { + + if (debug) { + + uint32_t bb_cnt = 0; + + for (auto &BB : F) + if (BB.size() > 0) ++bb_cnt; + SAYF(cMGN "[D] " cRST "Function %s size %zu %u\n", + F.getName().str().c_str(), F.size(), bb_cnt); + + } + + // if the function below our minimum size skip it (1 or 2) + if (F.size() < function_minimum_size) continue; + if (isBlacklisted(&F)) continue; + + std::unordered_set MS; + if (!MarkSetOpt) { + + for (auto &BB : F) { + + MS.insert(&BB); + + } + + total_rs += F.size(); + + } else { + + auto Result = markNodes(&F); + auto RS = Result.first; + auto HS = Result.second; + + MS.insert(RS.begin(), RS.end()); + if (!LoopHeadOpt) { + + MS.insert(HS.begin(), HS.end()); + total_rs += MS.size(); + + } else { + + DenseSet> EdgeSet; + DominatorTreeWrapperPass * DTWP = + &getAnalysis(F); + auto DT = &DTWP->getDomTree(); + + total_rs += RS.size(); + total_hs += HS.size(); + + for (BasicBlock *BB : HS) { + + bool Inserted = false; + for (auto BI = pred_begin(BB), BE = pred_end(BB); BI != BE; ++BI) { + + auto Edge = BasicBlockEdge(*BI, BB); + if (Edge.isSingleEdge() && DT->dominates(Edge, BB)) { + + EdgeSet.insert({*BI, BB}); + Inserted = true; + break; + + } + + } + + if (!Inserted) { + + MS.insert(BB); + total_rs += 1; + total_hs -= 1; + + } + + } + + for (auto I = EdgeSet.begin(), E = EdgeSet.end(); I != E; ++I) { + + auto PredBB = I->first; + auto SuccBB = I->second; + auto NewBB = SplitBlockPredecessors(SuccBB, {PredBB}, ".split", DT, + nullptr, nullptr, false); + MS.insert(NewBB); + + } + + } + + } + + for (BasicBlock &BB : F) { + + auto PI = pred_begin(&BB); + auto PE = pred_end(&BB); + IRBuilder<> IRB(&*BB.getFirstInsertionPt()); + Value * L = NULL; + + if (MarkSetOpt && MS.find(&BB) == MS.end()) { continue; } + + if (PI == PE) { + + L = ConstantInt::get(Int32Ty, afl_global_id++); + + } else { + + auto *PN = PHINode::Create(Int32Ty, 0, "", &*BB.begin()); + DenseMap PredMap; + for (auto PI = pred_begin(&BB), PE = pred_end(&BB); PI != PE; ++PI) { + + BasicBlock *PBB = *PI; + auto It = PredMap.insert({PBB, afl_global_id++}); + unsigned Label = It.first->second; + PN->addIncoming(ConstantInt::get(Int32Ty, Label), PBB); + + } + + L = PN; + + } + + /* Load SHM pointer */ + Value *MapPtrIdx; + + if (map_addr) { + + MapPtrIdx = IRB.CreateGEP(MapPtrFixed, L); + + } else { + + LoadInst *MapPtr = IRB.CreateLoad(AFLMapPtr); + MapPtr->setMetadata(M.getMDKindID("nosanitize"), + MDNode::get(C, None)); + MapPtrIdx = IRB.CreateGEP(MapPtr, L); + + } + + /* Update bitmap */ + LoadInst *Counter = IRB.CreateLoad(MapPtrIdx); + Counter->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); + + Value *Incr = IRB.CreateAdd(Counter, One); + + if (skip_nozero) { + + auto cf = IRB.CreateICmpEQ(Incr, Zero); + auto carry = IRB.CreateZExt(cf, Int8Ty); + Incr = IRB.CreateAdd(Incr, carry); + + } + + IRB.CreateStore(Incr, MapPtrIdx) + ->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); + + // done :) + + inst_blocks++; + + } + + } + + // save highest location ID to global variable + // do this after each function to fail faster + if (!be_quiet && afl_global_id > MAP_SIZE && + afl_global_id > FS_OPT_MAX_MAPSIZE) { + + uint32_t pow2map = 1, map = afl_global_id; + while ((map = map >> 1)) + pow2map++; + WARNF( + "We have %u blocks to instrument but the map size is only %u. Either " + "edit config.h and set MAP_SIZE_POW2 from %u to %u, then recompile " + "afl-fuzz and llvm_mode and then make this target - or set " + "AFL_MAP_SIZE with at least size %u when running afl-fuzz with this " + "target.", + afl_global_id, MAP_SIZE, MAP_SIZE_POW2, pow2map, afl_global_id); + + } + + if (!getenv("AFL_LLVM_LTO_DONTWRITEID") || dictionary.size() || map_addr) { + + // yes we could create our own function, insert it into ctors ... + // but this would be a pain in the butt ... so we use afl-llvm-rt-lto.o + + Function *f = M.getFunction("__afl_auto_init_globals"); + + if (!f) { + + fprintf(stderr, + "Error: init function could not be found (this should not " + "happen)\n"); + exit(-1); + + } + + BasicBlock *bb = &f->getEntryBlock(); + if (!bb) { + + fprintf(stderr, + "Error: init function does not have an EntryBlock (this should " + "not happen)\n"); + exit(-1); + + } + + BasicBlock::iterator IP = bb->getFirstInsertionPt(); + IRBuilder<> IRB(&(*IP)); + + if (map_addr) { + + GlobalVariable *AFLMapAddrFixed = + new GlobalVariable(M, Int64Ty, true, GlobalValue::ExternalLinkage, + 0, "__afl_map_addr"); + ConstantInt *MapAddr = ConstantInt::get(Int64Ty, map_addr); + StoreInst * StoreMapAddr = IRB.CreateStore(MapAddr, AFLMapAddrFixed); + StoreMapAddr->setMetadata(M.getMDKindID("nosanitize"), + MDNode::get(C, None)); + + } + + if (getenv("AFL_LLVM_LTO_DONTWRITEID") == NULL) { + + uint32_t write_loc = afl_global_id; + + if (afl_global_id % 8) write_loc = (((afl_global_id + 8) >> 3) << 3); + + GlobalVariable *AFLFinalLoc = + new GlobalVariable(M, Int32Ty, true, GlobalValue::ExternalLinkage, + 0, "__afl_final_loc"); + ConstantInt *const_loc = ConstantInt::get(Int32Ty, write_loc); + StoreInst * StoreFinalLoc = IRB.CreateStore(const_loc, AFLFinalLoc); + StoreFinalLoc->setMetadata(M.getMDKindID("nosanitize"), + MDNode::get(C, None)); + + } + + if (dictionary.size()) { + + size_t memlen = 0, count = 0, offset = 0; + char * ptr; + + for (auto token : dictionary) { + + memlen += token.length(); + count++; + + } + + if (!be_quiet) + printf("AUTODICTIONARY: %lu string%s found\n", count, + count == 1 ? "" : "s"); + + if (count) { + + if ((ptr = (char *)malloc(memlen + count)) == NULL) { + + fprintf(stderr, "Error: malloc for %lu bytes failed!\n", + memlen + count); + exit(-1); + + } + + count = 0; + + for (auto token : dictionary) { + + if (offset + token.length() < 0xfffff0 && count < MAX_AUTO_EXTRAS) { + + ptr[offset++] = (uint8_t)token.length(); + memcpy(ptr + offset, token.c_str(), token.length()); + offset += token.length(); + count++; + + } + + } + + GlobalVariable *AFLDictionaryLen = new GlobalVariable( + M, Int32Ty, false, GlobalValue::ExternalLinkage, 0, + "__afl_dictionary_len"); + ConstantInt *const_len = ConstantInt::get(Int32Ty, offset); + StoreInst * StoreDictLen = + IRB.CreateStore(const_len, AFLDictionaryLen); + StoreDictLen->setMetadata(M.getMDKindID("nosanitize"), + MDNode::get(C, None)); + + ArrayType *ArrayTy = ArrayType::get(IntegerType::get(C, 8), offset); + GlobalVariable *AFLInternalDictionary = new GlobalVariable( + M, ArrayTy, true, GlobalValue::ExternalLinkage, + ConstantDataArray::get( + C, *(new ArrayRef((char *)ptr, offset))), + "__afl_internal_dictionary"); + AFLInternalDictionary->setInitializer(ConstantDataArray::get( + C, *(new ArrayRef((char *)ptr, offset)))); + AFLInternalDictionary->setConstant(true); + + GlobalVariable *AFLDictionary = new GlobalVariable( + M, PointerType::get(Int8Ty, 0), false, + GlobalValue::ExternalLinkage, 0, "__afl_dictionary"); + + Value *AFLDictOff = IRB.CreateGEP(AFLInternalDictionary, Zero); + Value *AFLDictPtr = + IRB.CreatePointerCast(AFLDictOff, PointerType::get(Int8Ty, 0)); + StoreInst *StoreDict = IRB.CreateStore(AFLDictPtr, AFLDictionary); + StoreDict->setMetadata(M.getMDKindID("nosanitize"), + MDNode::get(C, None)); + + } + + } + + } + + /* Say something nice. */ + + if (!be_quiet) { + + if (!inst_blocks) + WARNF("No instrumentation targets found."); + else { + + char modeline[100]; + snprintf(modeline, sizeof(modeline), "%s%s%s%s%s", + getenv("AFL_HARDEN") ? "hardened" : "non-hardened", + getenv("AFL_USE_ASAN") ? ", ASAN" : "", + getenv("AFL_USE_MSAN") ? ", MSAN" : "", + getenv("AFL_USE_CFISAN") ? ", CFISAN" : "", + getenv("AFL_USE_UBSAN") ? ", UBSAN" : ""); + OKF("Instrumented %u locations (%llu, %llu) with no collisions (on " + "average %llu " + "collisions would be in afl-gcc/afl-clang-fast) (%s mode).", + inst_blocks, total_rs, total_hs, calculateCollisions(inst_blocks), + modeline); + + } + + } + + return true; + + } + +}; // end of struct InsTrim + +} // end of anonymous namespace + +char InsTrimLTO::ID = 0; + +static void registerInsTrimLTO(const PassManagerBuilder &, + legacy::PassManagerBase &PM) { + + PM.add(new InsTrimLTO()); + +} + +static RegisterPass X("afl-lto-instrim", + "afl++ InsTrim LTO instrumentation pass", + false, false); + +static RegisterStandardPasses RegisterInsTrimLTO( + PassManagerBuilder::EP_FullLinkTimeOptimizationLast, registerInsTrimLTO); + diff --git a/llvm_mode/afl-llvm-lto-instrumentation.so.cc b/llvm_mode/afl-llvm-lto-instrumentation.so.cc index 838e45af..79081d37 100644 --- a/llvm_mode/afl-llvm-lto-instrumentation.so.cc +++ b/llvm_mode/afl-llvm-lto-instrumentation.so.cc @@ -1,14 +1,9 @@ /* - american fuzzy lop++ - LLVM-mode instrumentation pass - --------------------------------------------------- + american fuzzy lop++ - LLVM LTO instrumentation pass + ---------------------------------------------------- - Written by Laszlo Szekeres and - Michal Zalewski + Written by Marc Heuse - LLVM integration design comes from Laszlo Szekeres. C bits copied-and-pasted - from afl-as.c are Michal's fault. - - Copyright 2015, 2016 Google Inc. All rights reserved. Copyright 2019-2020 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); @@ -17,9 +12,7 @@ http://www.apache.org/licenses/LICENSE-2.0 - This library is plugged into LLVM when invoking clang through afl-clang-fast. - It tells the compiler to add code roughly equivalent to the bits discussed - in ../afl-as.h. + This library is plugged into LLVM when invoking clang through afl-clang-lto. */ @@ -32,11 +25,12 @@ #include #include #include +#include #include #include #include -#include +#include #include "llvm/Config/llvm-config.h" #include "llvm/ADT/Statistic.h" @@ -56,7 +50,6 @@ #include "llvm/Analysis/ValueTracking.h" #include "llvm/Pass.h" -#include #include "afl-llvm-common.h" using namespace llvm; @@ -90,23 +83,6 @@ class AFLLTOPass : public ModulePass { } - // Calculate the number of average collisions that would occur if all - // location IDs would be assigned randomly (like normal afl/afl++). - // This uses the "balls in bins" algorithm. - unsigned long long int calculateCollisions(uint32_t edges) { - - double bins = MAP_SIZE; - double balls = edges; - double step1 = 1 - (1 / bins); - double step2 = pow(step1, balls); - double step3 = bins * step2; - double step4 = round(step3); - unsigned long long int empty = step4; - unsigned long long int collisions = edges - (MAP_SIZE - empty); - return collisions; - - } - bool runOnModule(Module &M) override; protected: @@ -131,8 +107,6 @@ bool AFLLTOPass::runOnModule(Module &M) { IntegerType *Int32Ty = IntegerType::getInt32Ty(C); IntegerType *Int64Ty = IntegerType::getInt64Ty(C); - if (getenv("AFL_DEBUG")) debug = 1; - /* Show a banner */ if ((isatty(2) && !getenv("AFL_QUIET")) || debug) { @@ -185,12 +159,10 @@ bool AFLLTOPass::runOnModule(Module &M) { if (debug) { fprintf(stderr, "map address is %lu\n", map_addr); } - /* Get globals for the SHM region and the previous location. Note that - __afl_prev_loc is thread-local. */ + /* Get/set the globals for the SHM region. */ GlobalVariable *AFLMapPtr = NULL; - ; - Value *MapPtrFixed = NULL; + Value * MapPtrFixed = NULL; if (!map_addr) { -- cgit 1.4.1 From ec5b1924c4f004e67d50769cb1a33f77855be77a Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 6 May 2020 11:55:50 +0200 Subject: CTX+NGRAM != LTO --- llvm_mode/afl-clang-fast.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'llvm_mode') diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c index 6a6414ad..1f3463eb 100644 --- a/llvm_mode/afl-clang-fast.c +++ b/llvm_mode/afl-clang-fast.c @@ -716,6 +716,9 @@ int main(int argc, char **argv, char **envp) { } } + + if (instrument_opt_mode && lto_mode) + FATAL("CTX and NGRAM can not be used in LTO mode (and would make LTO useless)"); if (!instrument_opt_mode) { -- cgit 1.4.1 From b7e574607c1b153a1c64fa1108a3b1b157cbd77c Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 6 May 2020 13:27:12 +0200 Subject: rename pass --- llvm_mode/afl-llvm-lto-instrim.so.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'llvm_mode') diff --git a/llvm_mode/afl-llvm-lto-instrim.so.cc b/llvm_mode/afl-llvm-lto-instrim.so.cc index a5bc337f..9fd3e3ec 100644 --- a/llvm_mode/afl-llvm-lto-instrim.so.cc +++ b/llvm_mode/afl-llvm-lto-instrim.so.cc @@ -114,7 +114,7 @@ struct InsTrimLTO : public ModulePass { if ((isatty(2) && !getenv("AFL_QUIET")) || getenv("AFL_DEBUG") != NULL) { - SAYF(cCYA "LLVMInsTrimLTO" VERSION cRST + SAYF(cCYA "InsTrimLTO" VERSION cRST " by csienslab and Marc \"vanHauser\" Heuse\n"); } else -- cgit 1.4.1 From 140053502bd5ce162ab7e6bfbb151494381d704c Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 7 May 2020 08:08:20 +0200 Subject: import transform fix into autodict, code-format --- examples/afl_untracer/afl-untracer.c | 40 +++++++++++++++------------- llvm_mode/afl-clang-fast.c | 6 +++-- llvm_mode/afl-llvm-lto-instrim.so.cc | 24 +++++++++++------ llvm_mode/afl-llvm-lto-instrumentation.so.cc | 24 +++++++++++------ 4 files changed, 58 insertions(+), 36 deletions(-) (limited to 'llvm_mode') diff --git a/examples/afl_untracer/afl-untracer.c b/examples/afl_untracer/afl-untracer.c index 99f06f36..5dbc71bf 100644 --- a/examples/afl_untracer/afl-untracer.c +++ b/examples/afl_untracer/afl-untracer.c @@ -279,12 +279,13 @@ library_list_t *find_library(char *name) { /* for having an easy breakpoint after load the shared library */ // this seems to work for clang too. nice :) requires gcc 4.4+ #pragma GCC push_options -#pragma GCC optimize ("O0") -void breakpoint() { +#pragma GCC optimize("O0") +void breakpoint() { if (debug) fprintf(stderr, "Breakpoint function \"breakpoint\" reached.\n"); } + #pragma GCC pop_options /* Error reporting to forkserver controller */ @@ -470,7 +471,7 @@ void setup_trap_instrumentation() { FILE *patches = fopen(filename, "r"); if (!patches) FATAL("Couldn't open AFL_UNTRACER_FILE file %s", filename); - // Index into the coverage bitmap for the current trap instruction. + // Index into the coverage bitmap for the current trap instruction. #ifdef __aarch64__ uint64_t bitmap_index = 0; #else @@ -507,11 +508,13 @@ void setup_trap_instrumentation() { PROT_READ | PROT_WRITE | PROT_EXEC) != 0) FATAL("Failed to mprotect library %s writable", line); - // Create shadow memory. + // Create shadow memory. #ifdef __aarch64__ for (int i = 0; i < 8; i++) { + #else for (int i = 0; i < 4; i++) { + #endif void *shadow_addr = SHADOW(lib_addr + i); @@ -540,16 +543,17 @@ void setup_trap_instrumentation() { FATAL("Too many basic blocks to instrument"); #ifdef __arch64__ - uint64_t + uint64_t #else - uint32_t + uint32_t #endif - *shadow = SHADOW(lib_addr + offset); + *shadow = SHADOW(lib_addr + offset); if (*shadow != 0) continue; // skip duplicates // Make lookup entry in shadow memory. -#if ((defined(__APPLE__) && defined(__LP64__)) || defined(__x86_64__) || defined(__i386__)) +#if ((defined(__APPLE__) && defined(__LP64__)) || defined(__x86_64__) || \ + defined(__i386__)) // this is for Intel x64 @@ -566,10 +570,10 @@ void setup_trap_instrumentation() { // this is for aarch64 - uint32_t *patch_bytes = (uint32_t*)(lib_addr + offset); - uint32_t orig_bytes = *patch_bytes; + uint32_t *patch_bytes = (uint32_t *)(lib_addr + offset); + uint32_t orig_bytes = *patch_bytes; *shadow = (bitmap_index << 32) | orig_bytes; - *patch_bytes = 0xd4200000; // replace instruction with debug trap + *patch_bytes = 0xd4200000; // replace instruction with debug trap if (debug) fprintf(stderr, "Patch entry: %p[%x] = %p = %02x -> SHADOW(%p) #%d -> %016x\n", @@ -577,14 +581,14 @@ void setup_trap_instrumentation() { bitmap_index, *shadow); #else - // this will be ARM and AARCH64 - // for ARM we will need to identify if the code is in thumb or ARM + // this will be ARM and AARCH64 + // for ARM we will need to identify if the code is in thumb or ARM #error "non x86_64/aarch64 not supported yet" - //__arm__: - // linux thumb: 0xde01 - // linux arm: 0xe7f001f0 - //__aarch64__: - // linux aarch64: 0xd4200000 + //__arm__: + // linux thumb: 0xde01 + // linux arm: 0xe7f001f0 + //__aarch64__: + // linux aarch64: 0xd4200000 #endif bitmap_index++; diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c index 1f3463eb..42b02bdd 100644 --- a/llvm_mode/afl-clang-fast.c +++ b/llvm_mode/afl-clang-fast.c @@ -716,9 +716,11 @@ int main(int argc, char **argv, char **envp) { } } - + if (instrument_opt_mode && lto_mode) - FATAL("CTX and NGRAM can not be used in LTO mode (and would make LTO useless)"); + FATAL( + "CTX and NGRAM can not be used in LTO mode (and would make LTO " + "useless)"); if (!instrument_opt_mode) { diff --git a/llvm_mode/afl-llvm-lto-instrim.so.cc b/llvm_mode/afl-llvm-lto-instrim.so.cc index 9fd3e3ec..f862e091 100644 --- a/llvm_mode/afl-llvm-lto-instrim.so.cc +++ b/llvm_mode/afl-llvm-lto-instrim.so.cc @@ -346,11 +346,15 @@ struct InsTrimLTO : public ModulePass { if (auto *Var = dyn_cast(Ptr->getOperand(0))) { - if (auto *Array = dyn_cast( - Var->getInitializer())) { + if (Var->hasInitializer()) { - HasStr2 = true; - Str2 = Array->getAsString().str(); + if (auto *Array = dyn_cast( + Var->getInitializer())) { + + HasStr2 = true; + Str2 = Array->getAsString().str(); + + } } @@ -419,11 +423,15 @@ struct InsTrimLTO : public ModulePass { if (auto *Var = dyn_cast(Ptr->getOperand(0))) { - if (auto *Array = dyn_cast( - Var->getInitializer())) { + if (Var->hasInitializer()) { + + if (auto *Array = dyn_cast( + Var->getInitializer())) { + + HasStr1 = true; + Str1 = Array->getAsString().str(); - HasStr1 = true; - Str1 = Array->getAsString().str(); + } } diff --git a/llvm_mode/afl-llvm-lto-instrumentation.so.cc b/llvm_mode/afl-llvm-lto-instrumentation.so.cc index 79081d37..0e353fdf 100644 --- a/llvm_mode/afl-llvm-lto-instrumentation.so.cc +++ b/llvm_mode/afl-llvm-lto-instrumentation.so.cc @@ -326,11 +326,15 @@ bool AFLLTOPass::runOnModule(Module &M) { if (auto *Var = dyn_cast(Ptr->getOperand(0))) { - if (auto *Array = - dyn_cast(Var->getInitializer())) { + if (Var->hasInitializer()) { - HasStr2 = true; - Str2 = Array->getAsString().str(); + if (auto *Array = dyn_cast( + Var->getInitializer())) { + + HasStr2 = true; + Str2 = Array->getAsString().str(); + + } } @@ -398,11 +402,15 @@ bool AFLLTOPass::runOnModule(Module &M) { if (auto *Var = dyn_cast(Ptr->getOperand(0))) { - if (auto *Array = - dyn_cast(Var->getInitializer())) { + if (Var->hasInitializer()) { + + if (auto *Array = dyn_cast( + Var->getInitializer())) { + + HasStr1 = true; + Str1 = Array->getAsString().str(); - HasStr1 = true; - Str1 = Array->getAsString().str(); + } } -- cgit 1.4.1 From 0559d1d171a8d8a1585cc7dffa802642d3e6f90a Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 7 May 2020 10:27:24 +0200 Subject: fix typos --- llvm_mode/README.lto.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'llvm_mode') diff --git a/llvm_mode/README.lto.md b/llvm_mode/README.lto.md index 674531f5..110b5e9c 100644 --- a/llvm_mode/README.lto.md +++ b/llvm_mode/README.lto.md @@ -83,12 +83,12 @@ Just use afl-clang-lto like you did with afl-clang-fast or afl-gcc. Also whitelisting (AFL_LLVM_WHITELIST -> [README.whitelist.md](README.whitelist.md)) and laf-intel/compcov (AFL_LLVM_LAF_* -> [README.laf-intel.md](README.laf-intel.md)) work. InsTrim (control flow graph instrumentation) is supported and recommended! - (set `AFL_LLVM_INTRUMENT=CFG`) + (set `AFL_LLVM_INSTRUMENT=CFG`) Example: ``` CC=afl-clang-lto CXX=afl-clang-lto++ RANLIB=llvm-ranlib AR=llvm-ar ./configure -export AFL_LLVM_INTRUMENT=CFG +export AFL_LLVM_INSTRUMENT=CFG make ``` -- cgit 1.4.1 From d048af11cd43caf9fc9a8dc2e39a41b33600448f Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 7 May 2020 11:57:12 +0200 Subject: calculate correct collisions for classic in InsTrimLTO --- GNUmakefile | 2 +- llvm_mode/afl-llvm-lto-instrim.so.cc | 33 ++++++++++++++++++++++++++++++--- 2 files changed, 31 insertions(+), 4 deletions(-) (limited to 'llvm_mode') diff --git a/GNUmakefile b/GNUmakefile index df1434a0..de89c836 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -204,7 +204,7 @@ ifdef ASAN_BUILD endif ifdef PROFILING - $(info Compiling profiling version of binaries) + $(info Compiling with profiling information, for analysis: gprof ./afl-fuzz gmon.out > prof.txt) CFLAGS+=-pg LDFLAGS+=-pg endif diff --git a/llvm_mode/afl-llvm-lto-instrim.so.cc b/llvm_mode/afl-llvm-lto-instrim.so.cc index f862e091..6371a3cc 100644 --- a/llvm_mode/afl-llvm-lto-instrim.so.cc +++ b/llvm_mode/afl-llvm-lto-instrim.so.cc @@ -855,6 +855,33 @@ struct InsTrimLTO : public ModulePass { } + // count basic blocks for comparison with classic instrumentation + + u32 edges = 0; + for (auto &F : M) { + + if (F.size() < function_minimum_size) continue; + + for (auto &BB : F) { + + bool would_instrument = false; + + for (BasicBlock *Pred : predecessors(&BB)) { + + int count = 0; + for (BasicBlock *Succ : successors(Pred)) + if (Succ != NULL) count++; + + if (count > 1) return true; + + } + + if (would_instrument == true) edges++; + + } + + } + /* Say something nice. */ if (!be_quiet) { @@ -871,9 +898,9 @@ struct InsTrimLTO : public ModulePass { getenv("AFL_USE_CFISAN") ? ", CFISAN" : "", getenv("AFL_USE_UBSAN") ? ", UBSAN" : ""); OKF("Instrumented %u locations (%llu, %llu) with no collisions (on " - "average %llu " - "collisions would be in afl-gcc/afl-clang-fast) (%s mode).", - inst_blocks, total_rs, total_hs, calculateCollisions(inst_blocks), + "average %llu collisions would be in afl-gcc/afl-clang-fast for %u " + "edges) (%s mode).", + inst_blocks, total_rs, total_hs, calculateCollisions(edges), edges, modeline); } -- cgit 1.4.1 From ef2ccc8117bb899616472e2d95525ae0ca1a2098 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 7 May 2020 14:59:12 +0200 Subject: added AFL_LLVM_SKIPSINGLEBLOCK and changed default behaviour to instrument single block functions --- docs/Changelog.md | 2 ++ docs/env_variables.md | 8 ++++---- llvm_mode/LLVMInsTrim.so.cc | 5 +++-- llvm_mode/afl-llvm-lto-instrim.so.cc | 3 ++- llvm_mode/afl-llvm-lto-instrumentation.so.cc | 7 ++++++- llvm_mode/afl-llvm-pass.so.cc | 17 ++++++++++++----- src/afl-common.c | 18 +++++++++--------- 7 files changed, 38 insertions(+), 22 deletions(-) (limited to 'llvm_mode') diff --git a/docs/Changelog.md b/docs/Changelog.md index 35240021..8bcc8949 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -16,6 +16,8 @@ sending a mail to . - an old, old bug in afl that would show negative stability in rare circumstances is now hopefully fixed - llvm_mode: + - afl-clang-fast/lto now do not skip single block functions. This + behaviour can be reactivated with AFL_LLVM_SKIPSINGLEBLOCK - if LLVM 11 is installed the posix shm_open+mmap is used and a fixed address for the shared memory map is used as this increases the fuzzing speed diff --git a/docs/env_variables.md b/docs/env_variables.md index f5d28981..36e5a432 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -83,6 +83,10 @@ tools make fairly broad use of environmental variables: The native instrumentation helpers (llvm_mode and gcc_plugin) accept a subset of the settings discussed in section #1, with the exception of: + - Setting AFL_LLVM_SKIPSINGLEBLOCK=1 will skip instrumenting + functions with a single basic block. This is useful for most C and + some C++ targets. This works for all instrumentation modes. + - AFL_AS, since this toolchain does not directly invoke GNU as. - TMPDIR and AFL_KEEP_ASSEMBLY, since no temporary assembly files are @@ -156,10 +160,6 @@ Then there are a few specific features that are only available in llvm_mode: afl-fuzz will only be able to see the path the loop took, but not how many times it was called (unless it is a complex loop). - - Setting AFL_LLVM_INSTRIM_SKIPSINGLEBLOCK=1 will skip instrumenting - functions with a single basic block. This is useful for most C and - some C++ targets. - See llvm_mode/README.instrim.md ### NGRAM diff --git a/llvm_mode/LLVMInsTrim.so.cc b/llvm_mode/LLVMInsTrim.so.cc index ad046a8b..ed6c79e8 100644 --- a/llvm_mode/LLVMInsTrim.so.cc +++ b/llvm_mode/LLVMInsTrim.so.cc @@ -134,7 +134,8 @@ struct InsTrim : public ModulePass { } - if (getenv("AFL_LLVM_INSTRIM_SKIPSINGLEBLOCK") != NULL) + if (getenv("AFL_LLVM_INSTRIM_SKIPSINGLEBLOCK") || + getenv("AFL_LLVM_SKIPSINGLEBLOCK")) function_minimum_size = 2; unsigned PrevLocSize = 0; @@ -394,7 +395,7 @@ struct InsTrim : public ModulePass { if ((callInst = dyn_cast(&IN))) { Function *Callee = callInst->getCalledFunction(); - if (!Callee || Callee->size() < 2) + if (!Callee || Callee->size() < function_minimum_size) continue; else { diff --git a/llvm_mode/afl-llvm-lto-instrim.so.cc b/llvm_mode/afl-llvm-lto-instrim.so.cc index 6371a3cc..a686bb81 100644 --- a/llvm_mode/afl-llvm-lto-instrim.so.cc +++ b/llvm_mode/afl-llvm-lto-instrim.so.cc @@ -172,7 +172,8 @@ struct InsTrimLTO : public ModulePass { } - if (getenv("AFL_LLVM_INSTRIM_SKIPSINGLEBLOCK") != NULL) + if (getenv("AFL_LLVM_INSTRIM_SKIPSINGLEBLOCK") || + getenv("AFL_LLVM_SKIPSINGLEBLOCK")) function_minimum_size = 2; // this is our default diff --git a/llvm_mode/afl-llvm-lto-instrumentation.so.cc b/llvm_mode/afl-llvm-lto-instrumentation.so.cc index 0e353fdf..f44b336e 100644 --- a/llvm_mode/afl-llvm-lto-instrumentation.so.cc +++ b/llvm_mode/afl-llvm-lto-instrumentation.so.cc @@ -87,6 +87,7 @@ class AFLLTOPass : public ModulePass { protected: int afl_global_id = 1, debug = 0, autodictionary = 0; + uint32_t function_minimum_size = 1; uint32_t be_quiet = 0, inst_blocks = 0, inst_funcs = 0, total_instr = 0; uint64_t map_addr = 0x10000; char * skip_nozero = NULL; @@ -124,6 +125,10 @@ bool AFLLTOPass::runOnModule(Module &M) { if (getenv("AFL_LLVM_MAP_DYNAMIC")) map_addr = 0; + if (getenv("AFL_LLVM_INSTRIM_SKIPSINGLEBLOCK") || + getenv("AFL_LLVM_SKIPSINGLEBLOCK")) + function_minimum_size = 2; + if ((ptr = getenv("AFL_LLVM_MAP_ADDR"))) { uint64_t val; @@ -189,7 +194,7 @@ bool AFLLTOPass::runOnModule(Module &M) { // fprintf(stderr, "DEBUG: Function %s\n", F.getName().str().c_str()); - if (F.size() < 2) continue; + if (F.size() < function_minimum_size) continue; if (isBlacklisted(&F)) continue; std::vector InsBlocks; diff --git a/llvm_mode/afl-llvm-pass.so.cc b/llvm_mode/afl-llvm-pass.so.cc index 0d9e0aba..2d23ad21 100644 --- a/llvm_mode/afl-llvm-pass.so.cc +++ b/llvm_mode/afl-llvm-pass.so.cc @@ -84,6 +84,7 @@ class AFLCoverage : public ModulePass { uint32_t ngram_size = 0; uint32_t debug = 0; uint32_t map_size = MAP_SIZE; + uint32_t function_minimum_size = 1; char * ctx_str = NULL, *skip_nozero = NULL; }; @@ -182,6 +183,10 @@ bool AFLCoverage::runOnModule(Module &M) { #endif skip_nozero = getenv("AFL_LLVM_SKIP_NEVERZERO"); + if (getenv("AFL_LLVM_INSTRIM_SKIPSINGLEBLOCK") || + getenv("AFL_LLVM_SKIPSINGLEBLOCK")) + function_minimum_size = 2; + unsigned PrevLocSize = 0; char *ngram_size_str = getenv("AFL_LLVM_NGRAM_SIZE"); @@ -294,13 +299,15 @@ bool AFLCoverage::runOnModule(Module &M) { if (!isInWhitelist(&F)) continue; + if (F.size() < function_minimum_size) continue; + for (auto &BB : F) { BasicBlock::iterator IP = BB.getFirstInsertionPt(); IRBuilder<> IRB(&(*IP)); // Context sensitive coverage - if (ctx_str && &BB == &F.getEntryBlock() && F.size() > 1) { + if (ctx_str && &BB == &F.getEntryBlock()) { // load the context ID of the previous function and write to to a local // variable on the stack @@ -318,7 +325,7 @@ bool AFLCoverage::runOnModule(Module &M) { if ((callInst = dyn_cast(&IN))) { Function *Callee = callInst->getCalledFunction(); - if (!Callee || Callee->size() < 2) + if (!Callee || Callee->size() < function_minimum_size) continue; else { @@ -389,11 +396,11 @@ bool AFLCoverage::runOnModule(Module &M) { } // fprintf(stderr, " == %d\n", more_than_one); - if (more_than_one != 1) { + if (F.size() > 1 && more_than_one != 1) { // in CTX mode we have to restore the original context for the caller - // she might be calling other functions which need the correct CTX - if (ctx_str && has_calls && F.size() > 1) { + if (ctx_str && has_calls) { Instruction *Inst = BB.getTerminator(); if (isa(Inst) || isa(Inst)) { @@ -526,7 +533,7 @@ bool AFLCoverage::runOnModule(Module &M) { // in CTX mode we have to restore the original context for the caller - // she might be calling other functions which need the correct CTX. // Currently this is only needed for the Ubuntu clang-6.0 bug - if (ctx_str && has_calls && F.size() > 1) { + if (ctx_str && has_calls) { Instruction *Inst = BB.getTerminator(); if (isa(Inst) || isa(Inst)) { diff --git a/src/afl-common.c b/src/afl-common.c index 54b2e790..d9d57863 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -64,15 +64,15 @@ char *afl_environment_variables[] = { "AFL_LD_PRELOAD", "AFL_LD_VERBOSE", "AFL_LLVM_CMPLOG", "AFL_LLVM_INSTRIM", "AFL_LLVM_CTX", "AFL_LLVM_INSTRUMENT", "AFL_LLVM_INSTRIM_LOOPHEAD", "AFL_LLVM_LTO_AUTODICTIONARY", "AFL_LLVM_AUTODICTIONARY", - "AFL_LLVM_INSTRIM_SKIPSINGLEBLOCK", "AFL_LLVM_LAF_SPLIT_COMPARES", - "AFL_LLVM_LAF_SPLIT_COMPARES_BITW", "AFL_LLVM_LAF_SPLIT_FLOATS", - "AFL_LLVM_LAF_SPLIT_SWITCHES", "AFL_LLVM_LAF_TRANSFORM_COMPARES", - "AFL_LLVM_MAP_ADDR", "AFL_LLVM_MAP_DYNAMIC", "AFL_LLVM_NGRAM_SIZE", - "AFL_NGRAM_SIZE", "AFL_LLVM_NOT_ZERO", "AFL_LLVM_WHITELIST", - "AFL_LLVM_SKIP_NEVERZERO", "AFL_NO_AFFINITY", "AFL_LLVM_LTO_STARTID", - "AFL_LLVM_LTO_DONTWRITEID", "AFL_NO_ARITH", "AFL_NO_BUILTIN", - "AFL_NO_CPU_RED", "AFL_NO_FORKSRV", "AFL_NO_UI", "AFL_NO_PYTHON", - "AFL_UNTRACER_FILE", + "AFL_LLVM_SKIPSINGLEBLOCK", "AFL_LLVM_INSTRIM_SKIPSINGLEBLOCK", + "AFL_LLVM_LAF_SPLIT_COMPARES", "AFL_LLVM_LAF_SPLIT_COMPARES_BITW", + "AFL_LLVM_LAF_SPLIT_FLOATS", "AFL_LLVM_LAF_SPLIT_SWITCHES", + "AFL_LLVM_LAF_TRANSFORM_COMPARES", "AFL_LLVM_MAP_ADDR", + "AFL_LLVM_MAP_DYNAMIC", "AFL_LLVM_NGRAM_SIZE", "AFL_NGRAM_SIZE", + "AFL_LLVM_NOT_ZERO", "AFL_LLVM_WHITELIST", "AFL_LLVM_SKIP_NEVERZERO", + "AFL_NO_AFFINITY", "AFL_LLVM_LTO_STARTID", "AFL_LLVM_LTO_DONTWRITEID", + "AFL_NO_ARITH", "AFL_NO_BUILTIN", "AFL_NO_CPU_RED", "AFL_NO_FORKSRV", + "AFL_NO_UI", "AFL_NO_PYTHON", "AFL_UNTRACER_FILE", "AFL_NO_X86", // not really an env but we dont want to warn on it "AFL_MAP_SIZE", "AFL_MAPSIZE", "AFL_PATH", "AFL_PERFORMANCE_FILE", //"AFL_PERSISTENT", // not implemented anymore, so warn additionally -- cgit 1.4.1 From 768053b6f25d5abd1b25f104e0233421bd1f73f9 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 8 May 2020 16:28:39 +0200 Subject: add AFL_DEBUG check to all isatty checks --- llvm_mode/afl-llvm-lto-whitelist.so.cc | 2 +- llvm_mode/compare-transform-pass.so.cc | 2 +- llvm_mode/split-switches-pass.so.cc | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) (limited to 'llvm_mode') diff --git a/llvm_mode/afl-llvm-lto-whitelist.so.cc b/llvm_mode/afl-llvm-lto-whitelist.so.cc index 5e157472..a116c4ea 100644 --- a/llvm_mode/afl-llvm-lto-whitelist.so.cc +++ b/llvm_mode/afl-llvm-lto-whitelist.so.cc @@ -111,7 +111,7 @@ bool AFLwhitelist::runOnModule(Module &M) { char be_quiet = 0; - if (isatty(2) && !getenv("AFL_QUIET")) { + if ((isatty(2) && !getenv("AFL_QUIET")) || getenv("AFL_DEBUG") != NULL) { SAYF(cCYA "afl-llvm-lto-whitelist" VERSION cRST " by Marc \"vanHauser\" Heuse \n"); diff --git a/llvm_mode/compare-transform-pass.so.cc b/llvm_mode/compare-transform-pass.so.cc index 2111b646..00732dbc 100644 --- a/llvm_mode/compare-transform-pass.so.cc +++ b/llvm_mode/compare-transform-pass.so.cc @@ -506,7 +506,7 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp, bool CompareTransform::runOnModule(Module &M) { - if (isatty(2) && getenv("AFL_QUIET") == NULL) + if ((isatty(2) && getenv("AFL_QUIET") == NULL) || getenv("AFL_DEBUG") != NULL) llvm::errs() << "Running compare-transform-pass by laf.intel@gmail.com, " "extended by heiko@hexco.de\n"; else diff --git a/llvm_mode/split-switches-pass.so.cc b/llvm_mode/split-switches-pass.so.cc index 3444d6a1..e8639347 100644 --- a/llvm_mode/split-switches-pass.so.cc +++ b/llvm_mode/split-switches-pass.so.cc @@ -418,7 +418,7 @@ bool SplitSwitchesTransform::splitSwitches(Module &M) { bool SplitSwitchesTransform::runOnModule(Module &M) { - if (isatty(2) && getenv("AFL_QUIET") == NULL) + if ((isatty(2) && getenv("AFL_QUIET") == NULL) || getenv("AFL_DEBUG") != NULL) llvm::errs() << "Running split-switches-pass by laf.intel@gmail.com\n"; else be_quiet = 1; -- cgit 1.4.1 From 102067d43d7476997b2ffd6faceae4510f753d89 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Sat, 9 May 2020 19:08:54 +0200 Subject: LLVMInsTrim.so.cc: fix for LLVM 3.8.0 --- llvm_mode/LLVMInsTrim.so.cc | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'llvm_mode') diff --git a/llvm_mode/LLVMInsTrim.so.cc b/llvm_mode/LLVMInsTrim.so.cc index ed6c79e8..41d4397b 100644 --- a/llvm_mode/LLVMInsTrim.so.cc +++ b/llvm_mode/LLVMInsTrim.so.cc @@ -103,7 +103,6 @@ struct InsTrim : public ModulePass { bool runOnModule(Module &M) override { char be_quiet = 0; - int ngram_size = 0; if ((isatty(2) && !getenv("AFL_QUIET")) || getenv("AFL_DEBUG") != NULL) { @@ -144,6 +143,7 @@ struct InsTrim : public ModulePass { char *ctx_str = getenv("AFL_LLVM_CTX"); #ifdef AFL_HAVE_VECTOR_INTRINSICS + int ngram_size = 0; /* Decide previous location vector size (must be a power of two) */ VectorType *PrevLocTy; @@ -341,6 +341,7 @@ struct InsTrim : public ModulePass { if (MS.find(&BB) == MS.end()) { continue; } IRBuilder<> IRB(&*BB.getFirstInsertionPt()); +#ifdef AFL_HAVE_VECTOR_INTRINSICS if (ngram_size) { LoadInst *PrevLoc = IRB.CreateLoad(AFLPrevLoc); @@ -357,7 +358,9 @@ struct InsTrim : public ModulePass { ->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); - } else { + } else +#endif + { IRB.CreateStore(ConstantInt::get(Int32Ty, genLabel()), AFLPrevLoc); -- cgit 1.4.1 From d02cfc54b63578f1887d9042466f59ac0cff91ad Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sun, 10 May 2020 08:51:40 +0200 Subject: LTO fixes for fuzzbench --- llvm_mode/GNUmakefile | 6 ++++-- llvm_mode/afl-clang-fast.c | 43 ++++++++++++++++++++++++++++++++----------- 2 files changed, 36 insertions(+), 13 deletions(-) (limited to 'llvm_mode') diff --git a/llvm_mode/GNUmakefile b/llvm_mode/GNUmakefile index 6a58f6a5..beebf696 100644 --- a/llvm_mode/GNUmakefile +++ b/llvm_mode/GNUmakefile @@ -43,6 +43,7 @@ LLVM_UNSUPPORTED = $(shell $(LLVM_CONFIG) --version 2>/dev/null | egrep -q '^3\. LLVM_NEW_API = $(shell $(LLVM_CONFIG) --version 2>/dev/null | egrep -q '^1[0-9]' && echo 1 || echo 0 ) LLVM_MAJOR = $(shell $(LLVM_CONFIG) --version 2>/dev/null | sed 's/\..*//') LLVM_BINDIR = $(shell $(LLVM_CONFIG) --bindir 2>/dev/null) +LLVM_LIBDIR = $(shell $(LLVM_CONFIG) --libdir 2>/dev/null) LLVM_STDCXX = gnu++11 LLVM_APPLE = $(shell clang -v 2>&1 | grep -iq apple && echo 1 || echo 0) LLVM_LTO = 0 @@ -200,7 +201,8 @@ override CFLAGS += -Wall \ -g -Wno-pointer-sign -I ../include/ \ -DAFL_PATH=\"$(HELPER_PATH)\" -DBIN_PATH=\"$(BIN_PATH)\" \ -DLLVM_BINDIR=\"$(LLVM_BINDIR)\" -DVERSION=\"$(VERSION)\" \ - -DLLVM_VERSION=\"$(LLVMVER)\" -DAFL_CLANG_FLTO=\"$(AFL_CLANG_FLTO)\" \ + -DLLVM_LIBDIR=\"$(LLVM_LIBDIR)\" -DLLVM_VERSION=\"$(LLVMVER)\" \ + -DAFL_CLANG_FLTO=\"$(AFL_CLANG_FLTO)\" \ -DAFL_REAL_LD=\"$(AFL_REAL_LD)\" -DAFL_CLANG_FUSELD=\"$(AFL_CLANG_FUSELD)\" \ -DCLANG_BIN=\"$(CLANG_BIN)\" -DCLANGPP_BIN=\"$(CLANGPP_BIN)\" -DUSE_BINDIR=$(USE_BINDIR) -Wno-unused-function ifdef AFL_TRACE_PC @@ -296,7 +298,7 @@ afl-common.o: ../src/afl-common.c $(CC) $(CFLAGS) -c $< -o $@ $(LDFLAGS) ../afl-clang-fast: afl-clang-fast.c afl-common.o | test_deps - $(CC) $(CFLAGS) $< afl-common.o -o $@ $(LDFLAGS) -DCFLAGS_OPT=\"$(CFLAGS_OPT)\" + $(CC) $(CFLAGS) $< afl-common.o -o $@ $(LDFLAGS) -DCFLAGS_OPT=\"$(CFLAGS_OPT)\" -Dxxx ln -sf afl-clang-fast ../afl-clang-fast++ ifneq "$(AFL_CLANG_FLTO)" "" ifeq "$(LLVM_LTO)" "1" diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c index 42b02bdd..027f4035 100644 --- a/llvm_mode/afl-clang-fast.c +++ b/llvm_mode/afl-clang-fast.c @@ -43,13 +43,13 @@ static u8 * obj_path; /* Path to runtime libraries */ static u8 **cc_params; /* Parameters passed to the real CC */ static u32 cc_par_cnt = 1; /* Param count, including argv0 */ static u8 llvm_fullpath[PATH_MAX]; -static u8 instrument_mode, instrument_opt_mode, ngram_size, lto_mode; -static u8 * lto_flag = AFL_CLANG_FLTO; -static u8 * march_opt = CFLAGS_OPT; -static u8 debug; -static u8 cwd[4096]; -static u8 cmplog_mode; -u8 use_stdin = 0; /* dummy */ +static u8 instrument_mode, instrument_opt_mode, ngram_size, lto_mode, cpp_mode; +static u8 *lto_flag = AFL_CLANG_FLTO; +static u8 *march_opt = CFLAGS_OPT; +static u8 debug; +static u8 cwd[4096]; +static u8 cmplog_mode; +u8 use_stdin = 0; /* dummy */ enum { @@ -184,6 +184,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { else sprintf(llvm_fullpath, CLANGPP_BIN); cc_params[0] = alt_cxx && *alt_cxx ? alt_cxx : (u8 *)llvm_fullpath; + cpp_mode = 1; } else if (!strcmp(name, "afl-clang-fast") || @@ -205,12 +206,18 @@ static void edit_params(u32 argc, char **argv, char **envp) { } - /* There are three ways to compile with afl-clang-fast. In the traditional + if (lto_mode && cpp_mode) + cc_params[cc_par_cnt++] = "-lc++"; // needed by fuzzbench, early + + /* There are several ways to compile with afl-clang-fast. In the traditional mode, we use afl-llvm-pass.so, then there is libLLVMInsTrim.so which is - much faster but has less coverage. Finally there is the experimental - 'trace-pc-guard' mode, we use native LLVM instrumentation callbacks - instead. For trace-pc-guard see: + faster and creates less map pollution. + Then there is the 'trace-pc-guard' mode, we use native LLVM + instrumentation callbacks instead. For trace-pc-guard see: http://clang.llvm.org/docs/SanitizerCoverage.html#tracing-pcs-with-guards + The best instrumentatation is with the LTO modes, the classic and + InsTrimLTO, the latter is faster. The LTO modes are activated by using + afl-clang-lto(++) */ // laf @@ -326,6 +333,20 @@ static void edit_params(u32 argc, char **argv, char **envp) { cc_params[cc_par_cnt++] = "-Qunused-arguments"; + // in case LLVM is installed not via a package manager or "make install" + // e.g. compiled download or compiled from github then it's ./lib directory + // might not be in the search path. Add it if so. + u8 *libdir = strdup(LLVM_LIBDIR); + if (strlen(libdir) && strncmp(libdir, "/usr", 4) && + strncmp(libdir, "/lib", 4)) { + + cc_params[cc_par_cnt++] = "-rpath"; + cc_params[cc_par_cnt++] = libdir; + + } else + + free(libdir); + /* Detect stray -v calls from ./configure scripts. */ while (--argc) { -- cgit 1.4.1 From 2e553bcd69a6852e7feb7e87ce757babfcb26df0 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sun, 10 May 2020 10:24:24 +0200 Subject: code-format --- include/types.h | 24 ++++++++++++------------ llvm_mode/LLVMInsTrim.so.cc | 3 ++- llvm_mode/afl-clang-fast.c | 6 ++++-- qemu_mode/patches/afl-qemu-cpu-inl.h | 2 +- src/afl-showmap.c | 3 ++- 5 files changed, 21 insertions(+), 17 deletions(-) (limited to 'llvm_mode') diff --git a/include/types.h b/include/types.h index 647044c4..f89221cd 100644 --- a/include/types.h +++ b/include/types.h @@ -154,19 +154,19 @@ typedef int64_t s64; #define MEM_BARRIER() __asm__ volatile("" ::: "memory") #if __GNUC__ < 6 -# ifndef likely -# define likely(_x) (_x) -# endif -# ifndef unlikely -# define unlikely(_x) (_x) -# endif +#ifndef likely +#define likely(_x) (_x) +#endif +#ifndef unlikely +#define unlikely(_x) (_x) +#endif #else -# ifndef likely -# define likely(_x) __builtin_expect(!!(_x), 1) -# endif -# ifndef unlikely -# define unlikely(_x) __builtin_expect(!!(_x), 0) -# endif +#ifndef likely +#define likely(_x) __builtin_expect(!!(_x), 1) +#endif +#ifndef unlikely +#define unlikely(_x) __builtin_expect(!!(_x), 0) +#endif #endif #endif /* ! _HAVE_TYPES_H */ diff --git a/llvm_mode/LLVMInsTrim.so.cc b/llvm_mode/LLVMInsTrim.so.cc index 41d4397b..69fc079b 100644 --- a/llvm_mode/LLVMInsTrim.so.cc +++ b/llvm_mode/LLVMInsTrim.so.cc @@ -143,7 +143,7 @@ struct InsTrim : public ModulePass { char *ctx_str = getenv("AFL_LLVM_CTX"); #ifdef AFL_HAVE_VECTOR_INTRINSICS - int ngram_size = 0; + int ngram_size = 0; /* Decide previous location vector size (must be a power of two) */ VectorType *PrevLocTy; @@ -359,6 +359,7 @@ struct InsTrim : public ModulePass { MDNode::get(C, None)); } else + #endif { diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c index 027f4035..07754d1d 100644 --- a/llvm_mode/afl-clang-fast.c +++ b/llvm_mode/afl-clang-fast.c @@ -337,16 +337,18 @@ static void edit_params(u32 argc, char **argv, char **envp) { // e.g. compiled download or compiled from github then it's ./lib directory // might not be in the search path. Add it if so. u8 *libdir = strdup(LLVM_LIBDIR); - if (strlen(libdir) && strncmp(libdir, "/usr", 4) && + if (cpp_mode && strlen(libdir) && strncmp(libdir, "/usr", 4) && strncmp(libdir, "/lib", 4)) { cc_params[cc_par_cnt++] = "-rpath"; cc_params[cc_par_cnt++] = libdir; - } else + } else { free(libdir); + } + /* Detect stray -v calls from ./configure scripts. */ while (--argc) { diff --git a/qemu_mode/patches/afl-qemu-cpu-inl.h b/qemu_mode/patches/afl-qemu-cpu-inl.h index a6136722..78a8f800 100644 --- a/qemu_mode/patches/afl-qemu-cpu-inl.h +++ b/qemu_mode/patches/afl-qemu-cpu-inl.h @@ -127,7 +127,7 @@ static inline TranslationBlock *tb_find(CPUState *, TranslationBlock *, int, uint32_t); static inline void tb_add_jump(TranslationBlock *tb, int n, TranslationBlock *tb_next); -int open_self_maps(void *cpu_env, int fd); +int open_self_maps(void *cpu_env, int fd); /************************* * ACTUAL IMPLEMENTATION * diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 784d323d..ed59f2f5 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -865,7 +865,8 @@ int main(int argc, char **argv_orig, char **envp) { } - stdin_file = alloc_printf("%s/.afl-showmap-temp-%u", use_dir, (u32)getpid()); + stdin_file = + alloc_printf("%s/.afl-showmap-temp-%u", use_dir, (u32)getpid()); unlink(stdin_file); atexit(at_exit_handler); fsrv->out_fd = open(stdin_file, O_RDWR | O_CREAT | O_EXCL, 0600); -- cgit 1.4.1 From 26f8708fede1b15e6a93709d0baa2e5f481e082d Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sun, 10 May 2020 11:35:31 +0200 Subject: fix warning, code format --- examples/afl_network_proxy/afl-network-client.c | 12 +- examples/afl_network_proxy/afl-network-server.c | 4 +- examples/afl_proxy/afl-proxy.c | 2 +- examples/afl_untracer/afl-untracer.c | 42 ++-- gcc_plugin/afl-gcc-pass.so.cc | 10 +- gcc_plugin/afl-gcc-rt.o.c | 4 +- include/afl-as.h | 12 +- include/afl-fuzz.h | 86 ++++---- include/alloc-inl.h | 264 ++++++++++++------------ include/android-ashmem.h | 42 ++-- include/config.h | 26 +-- include/debug.h | 204 +++++++++--------- include/forkserver.h | 18 +- include/hash.h | 4 +- include/types.h | 84 ++++---- libdislocator/libdislocator.so.c | 78 +++---- libtokencap/libtokencap.so.c | 46 ++--- llvm_mode/LLVMInsTrim.so.cc | 26 +-- llvm_mode/MarkNodes.cc | 4 +- llvm_mode/afl-llvm-common.h | 8 +- llvm_mode/afl-llvm-pass.so.cc | 16 +- llvm_mode/afl-llvm-rt.o.c | 24 +-- llvm_mode/cmplog-instructions-pass.cc | 10 +- llvm_mode/cmplog-routines-pass.cc | 10 +- llvm_mode/compare-transform-pass.so.cc | 10 +- llvm_mode/split-compares-pass.so.cc | 10 +- llvm_mode/split-switches-pass.so.cc | 10 +- qbdi_mode/template.cpp | 18 +- qemu_mode/libcompcov/libcompcov.so.c | 4 +- qemu_mode/patches/afl-qemu-common.h | 24 +-- qemu_mode/patches/afl-qemu-cpu-inl.h | 2 +- qemu_mode/patches/afl-qemu-cpu-translate-inl.h | 4 +- src/afl-analyze.c | 2 +- src/afl-as.c | 6 +- src/afl-common.c | 2 +- src/afl-fuzz-init.c | 68 +++--- src/afl-fuzz-python.c | 62 +++--- src/afl-fuzz.c | 12 +- src/afl-gotcpu.c | 56 ++--- src/afl-sharedmem.c | 6 +- src/afl-showmap.c | 2 +- src/afl-tmin.c | 2 +- 42 files changed, 667 insertions(+), 669 deletions(-) (limited to 'llvm_mode') diff --git a/examples/afl_network_proxy/afl-network-client.c b/examples/afl_network_proxy/afl-network-client.c index cf09b2ad..fca2a9f1 100644 --- a/examples/afl_network_proxy/afl-network-client.c +++ b/examples/afl_network_proxy/afl-network-client.c @@ -15,7 +15,7 @@ */ #ifdef __ANDROID__ -#include "android-ashmem.h" +# include "android-ashmem.h" #endif #include "config.h" #include "types.h" @@ -42,7 +42,7 @@ #include #ifdef USE_DEFLATE -#include +# include #endif u8 *__afl_area_ptr; @@ -321,7 +321,7 @@ int main(int argc, char *argv[]) { // fprintf(stderr, "Sending testcase with len %u\n", *lenptr); #ifdef USE_DEFLATE -#ifdef COMPRESS_TESTCASES +# ifdef COMPRESS_TESTCASES // we only compress the testcase if it does not fit in the TCP packet if (*lenptr > 1500 - 20 - 32 - 4) { @@ -341,17 +341,17 @@ int main(int argc, char *argv[]) { } else { -#endif +# endif #endif if (send(s, buf, *lenptr + 4, 0) != *lenptr + 4) PFATAL("sending test data failed"); #ifdef USE_DEFLATE -#ifdef COMPRESS_TESTCASES +# ifdef COMPRESS_TESTCASES // fprintf(stderr, "unCOMPRESS (%u)\n", *lenptr); } -#endif +# endif #endif received = 0; diff --git a/examples/afl_network_proxy/afl-network-server.c b/examples/afl_network_proxy/afl-network-server.c index 2de91cbd..7d97e2db 100644 --- a/examples/afl_network_proxy/afl-network-server.c +++ b/examples/afl_network_proxy/afl-network-server.c @@ -25,7 +25,7 @@ #define AFL_MAIN #ifdef __ANDROID__ -#include "android-ashmem.h" +# include "android-ashmem.h" #endif #include "config.h" @@ -62,7 +62,7 @@ #include #ifdef USE_DEFLATE -#include +# include struct libdeflate_compressor * compressor; struct libdeflate_decompressor *decompressor; #endif diff --git a/examples/afl_proxy/afl-proxy.c b/examples/afl_proxy/afl-proxy.c index 36121e17..46861008 100644 --- a/examples/afl_proxy/afl-proxy.c +++ b/examples/afl_proxy/afl-proxy.c @@ -24,7 +24,7 @@ */ #ifdef __ANDROID__ -#include "android-ashmem.h" +# include "android-ashmem.h" #endif #include "config.h" #include "types.h" diff --git a/examples/afl_untracer/afl-untracer.c b/examples/afl_untracer/afl-untracer.c index 5dbc71bf..cc614f67 100644 --- a/examples/afl_untracer/afl-untracer.c +++ b/examples/afl_untracer/afl-untracer.c @@ -34,7 +34,7 @@ #define _GNU_SOURCE #ifdef __ANDROID__ -#include "android-ashmem.h" +# include "android-ashmem.h" #endif #include "config.h" #include "types.h" @@ -58,14 +58,14 @@ #include #if defined(__linux__) -#include +# include #elif defined(__APPLE__) && defined(__LP64__) -#include +# include #elif defined(__FreeBSD__) -#include -#include +# include +# include #else -#error "Unsupported platform" +# error "Unsupported platform" #endif #define MEMORY_MAP_DECREMENT 0x200000000000 @@ -446,15 +446,15 @@ static void __afl_end_testcase(int status) { } #ifdef __aarch64__ -#define SHADOW(addr) \ - ((uint64_t *)(((uintptr_t)addr & 0xfffffffffffffff8) - \ - MEMORY_MAP_DECREMENT - \ - ((uintptr_t)addr & 0x7) * 0x10000000000)) +# define SHADOW(addr) \ + ((uint64_t *)(((uintptr_t)addr & 0xfffffffffffffff8) - \ + MEMORY_MAP_DECREMENT - \ + ((uintptr_t)addr & 0x7) * 0x10000000000)) #else -#define SHADOW(addr) \ - ((uint32_t *)(((uintptr_t)addr & 0xfffffffffffffffc) - \ - MEMORY_MAP_DECREMENT - \ - ((uintptr_t)addr & 0x3) * 0x10000000000)) +# define SHADOW(addr) \ + ((uint32_t *)(((uintptr_t)addr & 0xfffffffffffffffc) - \ + MEMORY_MAP_DECREMENT - \ + ((uintptr_t)addr & 0x3) * 0x10000000000)) #endif void setup_trap_instrumentation() { @@ -583,7 +583,7 @@ void setup_trap_instrumentation() { #else // this will be ARM and AARCH64 // for ARM we will need to identify if the code is in thumb or ARM -#error "non x86_64/aarch64 not supported yet" +# error "non x86_64/aarch64 not supported yet" //__arm__: // linux thumb: 0xde01 // linux arm: 0xe7f001f0 @@ -622,20 +622,20 @@ static void sigtrap_handler(int signum, siginfo_t *si, void *context) { ctx->uc_mcontext->__ss.__rip -= 1; addr = ctx->uc_mcontext->__ss.__rip; #elif defined(__linux__) -#if defined(__x86_64__) || defined(__i386__) +# if defined(__x86_64__) || defined(__i386__) ctx->uc_mcontext.gregs[REG_RIP] -= 1; addr = ctx->uc_mcontext.gregs[REG_RIP]; -#elif defined(__aarch64__) +# elif defined(__aarch64__) ctx->uc_mcontext.pc -= 4; addr = ctx->uc_mcontext.pc; -#else -#error "Unsupported processor" -#endif +# else +# error "Unsupported processor" +# endif #elif defined(__FreeBSD__) && defined(__LP64__) ctx->uc_mcontext.mc_rip -= 1; addr = ctx->uc_mcontext.mc_rip; #else -#error "Unsupported platform" +# error "Unsupported platform" #endif // fprintf(stderr, "TRAP at context addr = %lx, fault addr = %lx\n", addr, diff --git a/gcc_plugin/afl-gcc-pass.so.cc b/gcc_plugin/afl-gcc-pass.so.cc index 6e4e1335..b5ff9e25 100644 --- a/gcc_plugin/afl-gcc-pass.so.cc +++ b/gcc_plugin/afl-gcc-pass.so.cc @@ -55,10 +55,10 @@ /* clear helper macros AFL types pull in, which intervene with gcc-plugin * headers from GCC-8 */ #ifdef likely -#undef likely +# undef likely #endif #ifdef unlikely -#undef unlikely +# undef unlikely #endif #include @@ -295,16 +295,16 @@ static unsigned int inline_instrument(function *fun) { update_stmt(g); #if 1 -#if 0 +# if 0 tree addr = build2(ADDR_EXPR, map_type, map_ptr, area_off); g = gimple_build_assign(map_ptr2, MODIFY_EXPR, addr); gimple_seq_add_stmt(&seq, g); // map_ptr2 = map_ptr + area_off update_stmt(g); -#else +# else g = gimple_build_assign(map_ptr2, PLUS_EXPR, map_ptr, area_off); gimple_seq_add_stmt(&seq, g); // map_ptr2 = map_ptr + area_off update_stmt(g); -#endif +# endif // gimple_assign tree tmp1 = create_tmp_var_raw(unsigned_char_type_node, "tmp1"); diff --git a/gcc_plugin/afl-gcc-rt.o.c b/gcc_plugin/afl-gcc-rt.o.c index 0a2246e7..e0e221b3 100644 --- a/gcc_plugin/afl-gcc-rt.o.c +++ b/gcc_plugin/afl-gcc-rt.o.c @@ -20,13 +20,13 @@ */ #ifdef __ANDROID__ -#include "android-ashmem.h" +# include "android-ashmem.h" #endif #include "../config.h" #include "../types.h" #ifdef USEMMAP -#include +# include #endif #include #include diff --git a/include/afl-as.h b/include/afl-as.h index a2bf1f9c..d539b082 100644 --- a/include/afl-as.h +++ b/include/afl-as.h @@ -404,9 +404,9 @@ static const u8 *main_payload_32 = recognize .string. */ #ifdef __APPLE__ -#define CALL_L64(str) "call _" str "\n" +# define CALL_L64(str) "call _" str "\n" #else -#define CALL_L64(str) "call " str "@PLT\n" +# define CALL_L64(str) "call " str "@PLT\n" #endif /* ^__APPLE__ */ static const u8 *main_payload_64 = @@ -744,9 +744,9 @@ static const u8 *main_payload_64 = #ifdef __APPLE__ " .comm __afl_area_ptr, 8\n" -#ifndef COVERAGE_ONLY +# ifndef COVERAGE_ONLY " .comm __afl_prev_loc, 8\n" -#endif /* !COVERAGE_ONLY */ +# endif /* !COVERAGE_ONLY */ " .comm __afl_fork_pid, 4\n" " .comm __afl_temp, 4\n" " .comm __afl_setup_failure, 1\n" @@ -754,9 +754,9 @@ static const u8 *main_payload_64 = #else " .lcomm __afl_area_ptr, 8\n" -#ifndef COVERAGE_ONLY +# ifndef COVERAGE_ONLY " .lcomm __afl_prev_loc, 8\n" -#endif /* !COVERAGE_ONLY */ +# endif /* !COVERAGE_ONLY */ " .lcomm __afl_fork_pid, 4\n" " .lcomm __afl_temp, 4\n" " .lcomm __afl_setup_failure, 1\n" diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 9f306b7e..96d03ae2 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -31,14 +31,14 @@ #define MESSAGES_TO_STDOUT #ifndef _GNU_SOURCE -#define _GNU_SOURCE 1 +# define _GNU_SOURCE 1 #endif #ifndef _FILE_OFFSET_BITS -#define _FILE_OFFSET_BITS 64 +# define _FILE_OFFSET_BITS 64 #endif #ifdef __ANDROID__ -#include "android-ashmem.h" +# include "android-ashmem.h" #endif #include "config.h" @@ -76,7 +76,7 @@ #if defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__) || \ defined(__NetBSD__) || defined(__DragonFly__) -#include +# include #endif /* __APPLE__ || __FreeBSD__ || __OpenBSD__ */ /* For systems that have sched_setaffinity; right now just Linux, but one @@ -84,31 +84,31 @@ #if defined(__linux__) || defined(__FreeBSD__) || defined(__NetBSD__) || \ defined(__DragonFly__) -#define HAVE_AFFINITY 1 -#if defined(__FreeBSD__) || defined(__DragonFly__) -#include -#if defined(__FreeBSD__) -#include -#endif -#include -#include -#include -#define cpu_set_t cpuset_t -#elif defined(__NetBSD__) -#include -#endif +# define HAVE_AFFINITY 1 +# if defined(__FreeBSD__) || defined(__DragonFly__) +# include +# if defined(__FreeBSD__) +# include +# endif +# include +# include +# include +# define cpu_set_t cpuset_t +# elif defined(__NetBSD__) +# include +# endif #endif /* __linux__ */ #ifdef __APPLE__ -#include +# include #endif #undef LIST_FOREACH /* clashes with FreeBSD */ #include "list.h" #ifndef SIMPLE_FILES -#define CASE_PREFIX "id:" +# define CASE_PREFIX "id:" #else -#define CASE_PREFIX "id_" +# define CASE_PREFIX "id_" #endif /* ^!SIMPLE_FILES */ #define STAGE_BUF_SIZE (64) /* usable size for stage name buf in afl_state */ @@ -232,29 +232,29 @@ enum { #ifdef USE_PYTHON // because Python sets stuff it should not ... -#ifdef _POSIX_C_SOURCE -#define _SAVE_POSIX_C_SOURCE _POSIX_C_SOURCE -#undef _POSIX_C_SOURCE -#endif -#ifdef _XOPEN_SOURCE -#define _SAVE_XOPEN_SOURCE _XOPEN_SOURCE -#undef _XOPEN_SOURCE -#endif - -#include - -#ifdef _SAVE_POSIX_C_SOURCE -#ifdef _POSIX_C_SOURCE -#undef _POSIX_C_SOURCE -#endif -#define _POSIX_C_SOURCE _SAVE_POSIX_C_SOURCE -#endif -#ifdef _SAVE_XOPEN_SOURCE -#ifdef _XOPEN_SOURCE -#undef _XOPEN_SOURCE -#endif -#define _XOPEN_SOURCE _SAVE_XOPEN_SOURCE -#endif +# ifdef _POSIX_C_SOURCE +# define _SAVE_POSIX_C_SOURCE _POSIX_C_SOURCE +# undef _POSIX_C_SOURCE +# endif +# ifdef _XOPEN_SOURCE +# define _SAVE_XOPEN_SOURCE _XOPEN_SOURCE +# undef _XOPEN_SOURCE +# endif + +# include + +# ifdef _SAVE_POSIX_C_SOURCE +# ifdef _POSIX_C_SOURCE +# undef _POSIX_C_SOURCE +# endif +# define _POSIX_C_SOURCE _SAVE_POSIX_C_SOURCE +# endif +# ifdef _SAVE_XOPEN_SOURCE +# ifdef _XOPEN_SOURCE +# undef _XOPEN_SOURCE +# endif +# define _XOPEN_SOURCE _SAVE_XOPEN_SOURCE +# endif enum { diff --git a/include/alloc-inl.h b/include/alloc-inl.h index e5547fe0..7c8bab58 100644 --- a/include/alloc-inl.h +++ b/include/alloc-inl.h @@ -45,40 +45,39 @@ /* User-facing macro to sprintf() to a dynamically allocated buffer. */ -#define alloc_printf(_str...) \ - ({ \ - \ - u8 *_tmp; \ - s32 _len = snprintf(NULL, 0, _str); \ - if (_len < 0) FATAL("Whoa, snprintf() fails?!"); \ - _tmp = ck_alloc(_len + 1); \ - snprintf((char *)_tmp, _len + 1, _str); \ - _tmp; \ - \ - }) +# define alloc_printf(_str...) \ + ({ \ + u8 *_tmp; \ + s32 _len = snprintf(NULL, 0, _str); \ + if (_len < 0) FATAL("Whoa, snprintf() fails?!"); \ + _tmp = ck_alloc(_len + 1); \ + snprintf((char *)_tmp, _len + 1, _str); \ + _tmp; \ + + }) /* Macro to enforce allocation limits as a last-resort defense against integer overflows. */ -#define ALLOC_CHECK_SIZE(_s) \ - do { \ - \ - if ((_s) > MAX_ALLOC) ABORT("Bad alloc request: %u bytes", (_s)); \ - \ - } while (0) +# define ALLOC_CHECK_SIZE(_s) \ + do { \ + if ((_s) > MAX_ALLOC) ABORT("Bad alloc request: %u bytes", (_s)); \ + \ + + } while (0) /* Macro to check malloc() failures and the like. */ -#define ALLOC_CHECK_RESULT(_r, _s) \ - do { \ - \ - if (!(_r)) ABORT("Out of memory: can't allocate %u bytes", (_s)); \ - \ - } while (0) +# define ALLOC_CHECK_RESULT(_r, _s) \ + do { \ + if (!(_r)) ABORT("Out of memory: can't allocate %u bytes", (_s)); \ + \ + + } while (0) /* Allocator increments for ck_realloc_block(). */ -#define ALLOC_BLK_INC 256 +# define ALLOC_BLK_INC 256 /* Allocate a buffer, explicitly not zeroing it. Returns NULL for zero-sized requests. */ @@ -217,102 +216,100 @@ static inline u8 *DFL_ck_memdup_str(u8 *mem, u32 size) { /* In non-debug mode, we just do straightforward aliasing of the above functions to user-visible names such as ck_alloc(). */ -#define ck_alloc DFL_ck_alloc -#define ck_alloc_nozero DFL_ck_alloc_nozero -#define ck_realloc DFL_ck_realloc -#define ck_realloc_block DFL_ck_realloc_block -#define ck_strdup DFL_ck_strdup -#define ck_memdup DFL_ck_memdup -#define ck_memdup_str DFL_ck_memdup_str -#define ck_free DFL_ck_free +# define ck_alloc DFL_ck_alloc +# define ck_alloc_nozero DFL_ck_alloc_nozero +# define ck_realloc DFL_ck_realloc +# define ck_realloc_block DFL_ck_realloc_block +# define ck_strdup DFL_ck_strdup +# define ck_memdup DFL_ck_memdup +# define ck_memdup_str DFL_ck_memdup_str +# define ck_free DFL_ck_free -#define alloc_report() +# define alloc_report() #else // This is the original alloc-inl of stock afl /* User-facing macro to sprintf() to a dynamically allocated buffer. */ -#define alloc_printf(_str...) \ - ({ \ - \ - u8 *_tmp; \ - s32 _len = snprintf(NULL, 0, _str); \ - if (_len < 0) FATAL("Whoa, snprintf() fails?!"); \ - _tmp = ck_alloc(_len + 1); \ - snprintf((char *)_tmp, _len + 1, _str); \ - _tmp; \ - \ - }) +# define alloc_printf(_str...) \ + ({ \ + u8 *_tmp; \ + s32 _len = snprintf(NULL, 0, _str); \ + if (_len < 0) FATAL("Whoa, snprintf() fails?!"); \ + _tmp = ck_alloc(_len + 1); \ + snprintf((char *)_tmp, _len + 1, _str); \ + _tmp; \ + + }) /* Macro to enforce allocation limits as a last-resort defense against integer overflows. */ -#define ALLOC_CHECK_SIZE(_s) \ - do { \ - \ - if ((_s) > MAX_ALLOC) ABORT("Bad alloc request: %u bytes", (_s)); \ - \ - } while (0) +# define ALLOC_CHECK_SIZE(_s) \ + do { \ + if ((_s) > MAX_ALLOC) ABORT("Bad alloc request: %u bytes", (_s)); \ + \ + + } while (0) /* Macro to check malloc() failures and the like. */ -#define ALLOC_CHECK_RESULT(_r, _s) \ - do { \ - \ - if (!(_r)) ABORT("Out of memory: can't allocate %u bytes", (_s)); \ - \ - } while (0) +# define ALLOC_CHECK_RESULT(_r, _s) \ + do { \ + if (!(_r)) ABORT("Out of memory: can't allocate %u bytes", (_s)); \ + \ + + } while (0) /* Magic tokens used to mark used / freed chunks. */ -#define ALLOC_MAGIC_C1 0xFF00FF00 /* Used head (dword) */ -#define ALLOC_MAGIC_F 0xFE00FE00 /* Freed head (dword) */ -#define ALLOC_MAGIC_C2 0xF0 /* Used tail (byte) */ +# define ALLOC_MAGIC_C1 0xFF00FF00 /* Used head (dword) */ +# define ALLOC_MAGIC_F 0xFE00FE00 /* Freed head (dword) */ +# define ALLOC_MAGIC_C2 0xF0 /* Used tail (byte) */ /* Positions of guard tokens in relation to the user-visible pointer. */ -#define ALLOC_C1(_ptr) (((u32 *)(_ptr))[-2]) -#define ALLOC_S(_ptr) (((u32 *)(_ptr))[-1]) -#define ALLOC_C2(_ptr) (((u8 *)(_ptr))[ALLOC_S(_ptr)]) +# define ALLOC_C1(_ptr) (((u32 *)(_ptr))[-2]) +# define ALLOC_S(_ptr) (((u32 *)(_ptr))[-1]) +# define ALLOC_C2(_ptr) (((u8 *)(_ptr))[ALLOC_S(_ptr)]) -#define ALLOC_OFF_HEAD 8 -#define ALLOC_OFF_TOTAL (ALLOC_OFF_HEAD + 1) +# define ALLOC_OFF_HEAD 8 +# define ALLOC_OFF_TOTAL (ALLOC_OFF_HEAD + 1) /* Allocator increments for ck_realloc_block(). */ -#define ALLOC_BLK_INC 256 +# define ALLOC_BLK_INC 256 /* Sanity-checking macros for pointers. */ -#define CHECK_PTR(_p) \ - do { \ - \ - if (_p) { \ - \ - if (ALLOC_C1(_p) ^ ALLOC_MAGIC_C1) { \ - \ - if (ALLOC_C1(_p) == ALLOC_MAGIC_F) \ - ABORT("Use after free."); \ - else \ - ABORT("Corrupted head alloc canary."); \ - \ - } \ - if (ALLOC_C2(_p) ^ ALLOC_MAGIC_C2) \ - ABORT("Corrupted tail alloc canary."); \ - \ - } \ - \ - } while (0) - -#define CHECK_PTR_EXPR(_p) \ - ({ \ - \ - typeof(_p) _tmp = (_p); \ - CHECK_PTR(_tmp); \ - _tmp; \ - \ - }) +# define CHECK_PTR(_p) \ + do { \ + if (_p) { \ + if (ALLOC_C1(_p) ^ ALLOC_MAGIC_C1) { \ + if (ALLOC_C1(_p) == ALLOC_MAGIC_F) \ + ABORT("Use after free."); \ + else \ + ABORT("Corrupted head alloc canary."); \ + + } \ + + if (ALLOC_C2(_p) ^ ALLOC_MAGIC_C2) \ + ABORT("Corrupted tail alloc canary."); \ + + } \ + + \ + + } while (0) + +# define CHECK_PTR_EXPR(_p) \ + ({ \ + typeof(_p) _tmp = (_p); \ + CHECK_PTR(_tmp); \ + _tmp; \ + + }) /* Allocate a buffer, explicitly not zeroing it. Returns NULL for zero-sized requests. */ @@ -359,12 +356,12 @@ static inline void DFL_ck_free(void *mem) { CHECK_PTR(mem); -#ifdef DEBUG_BUILD +# ifdef DEBUG_BUILD /* Catch pointer issues sooner. */ memset(mem, 0xFF, ALLOC_S(mem)); -#endif /* DEBUG_BUILD */ +# endif /* DEBUG_BUILD */ ALLOC_C1(mem) = ALLOC_MAGIC_F; @@ -392,9 +389,9 @@ static inline void *DFL_ck_realloc(void *orig, u32 size) { CHECK_PTR(orig); -#ifndef DEBUG_BUILD +# ifndef DEBUG_BUILD ALLOC_C1(orig) = ALLOC_MAGIC_F; -#endif /* !DEBUG_BUILD */ +# endif /* !DEBUG_BUILD */ old_size = ALLOC_S(orig); orig -= ALLOC_OFF_HEAD; @@ -405,12 +402,12 @@ static inline void *DFL_ck_realloc(void *orig, u32 size) { ALLOC_CHECK_SIZE(size); -#ifndef DEBUG_BUILD +# ifndef DEBUG_BUILD ret = realloc(orig, size + ALLOC_OFF_TOTAL); ALLOC_CHECK_RESULT(ret, size); -#else +# else /* Catch pointer issues sooner: force relocation and make sure that the original buffer is wiped. */ @@ -429,7 +426,7 @@ static inline void *DFL_ck_realloc(void *orig, u32 size) { } -#endif /* ^!DEBUG_BUILD */ +# endif /* ^!DEBUG_BUILD */ ret += ALLOC_OFF_HEAD; @@ -448,7 +445,7 @@ static inline void *DFL_ck_realloc(void *orig, u32 size) { static inline void *DFL_ck_realloc_block(void *orig, u32 size) { -#ifndef DEBUG_BUILD +# ifndef DEBUG_BUILD if (orig) { @@ -460,7 +457,7 @@ static inline void *DFL_ck_realloc_block(void *orig, u32 size) { } -#endif /* !DEBUG_BUILD */ +# endif /* !DEBUG_BUILD */ return DFL_ck_realloc(orig, size); @@ -540,30 +537,30 @@ static inline u8 *DFL_ck_memdup_str(u8 *mem, u32 size) { } -#ifndef DEBUG_BUILD +# ifndef DEBUG_BUILD /* In non-debug mode, we just do straightforward aliasing of the above functions to user-visible names such as ck_alloc(). */ -#define ck_alloc DFL_ck_alloc -#define ck_alloc_nozero DFL_ck_alloc_nozero -#define ck_realloc DFL_ck_realloc -#define ck_realloc_block DFL_ck_realloc_block -#define ck_strdup DFL_ck_strdup -#define ck_memdup DFL_ck_memdup -#define ck_memdup_str DFL_ck_memdup_str -#define ck_free DFL_ck_free +# define ck_alloc DFL_ck_alloc +# define ck_alloc_nozero DFL_ck_alloc_nozero +# define ck_realloc DFL_ck_realloc +# define ck_realloc_block DFL_ck_realloc_block +# define ck_strdup DFL_ck_strdup +# define ck_memdup DFL_ck_memdup +# define ck_memdup_str DFL_ck_memdup_str +# define ck_free DFL_ck_free -#define alloc_report() +# define alloc_report() -#else +# else /* In debugging mode, we also track allocations to detect memory leaks, and the flow goes through one more layer of indirection. */ /* Alloc tracking data structures: */ -#define ALLOC_BUCKETS 4096 +# define ALLOC_BUCKETS 4096 struct TRK_obj { @@ -573,25 +570,25 @@ struct TRK_obj { }; -#ifdef AFL_MAIN +# ifdef AFL_MAIN struct TRK_obj *TRK[ALLOC_BUCKETS]; u32 TRK_cnt[ALLOC_BUCKETS]; -#define alloc_report() TRK_report() +# define alloc_report() TRK_report() -#else +# else extern struct TRK_obj *TRK[ALLOC_BUCKETS]; extern u32 TRK_cnt[ALLOC_BUCKETS]; -#define alloc_report() +# define alloc_report() -#endif /* ^AFL_MAIN */ +# endif /* ^AFL_MAIN */ /* Bucket-assigning function for a given pointer: */ -#define TRKH(_ptr) (((((u32)(_ptr)) >> 16) ^ ((u32)(_ptr))) % ALLOC_BUCKETS) +# define TRKH(_ptr) (((((u32)(_ptr)) >> 16) ^ ((u32)(_ptr))) % ALLOC_BUCKETS) /* Add a new entry to the list of allocated objects. */ @@ -743,27 +740,28 @@ static inline void TRK_ck_free(void *ptr, const char *file, const char *func, /* Aliasing user-facing names to tracking functions: */ -#define ck_alloc(_p1) TRK_ck_alloc(_p1, __FILE__, __FUNCTION__, __LINE__) +# define ck_alloc(_p1) TRK_ck_alloc(_p1, __FILE__, __FUNCTION__, __LINE__) -#define ck_alloc_nozero(_p1) TRK_ck_alloc(_p1, __FILE__, __FUNCTION__, __LINE__) +# define ck_alloc_nozero(_p1) \ + TRK_ck_alloc(_p1, __FILE__, __FUNCTION__, __LINE__) -#define ck_realloc(_p1, _p2) \ - TRK_ck_realloc(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) +# define ck_realloc(_p1, _p2) \ + TRK_ck_realloc(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) -#define ck_realloc_block(_p1, _p2) \ - TRK_ck_realloc_block(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) +# define ck_realloc_block(_p1, _p2) \ + TRK_ck_realloc_block(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) -#define ck_strdup(_p1) TRK_ck_strdup(_p1, __FILE__, __FUNCTION__, __LINE__) +# define ck_strdup(_p1) TRK_ck_strdup(_p1, __FILE__, __FUNCTION__, __LINE__) -#define ck_memdup(_p1, _p2) \ - TRK_ck_memdup(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) +# define ck_memdup(_p1, _p2) \ + TRK_ck_memdup(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) -#define ck_memdup_str(_p1, _p2) \ - TRK_ck_memdup_str(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) +# define ck_memdup_str(_p1, _p2) \ + TRK_ck_memdup_str(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) -#define ck_free(_p1) TRK_ck_free(_p1, __FILE__, __FUNCTION__, __LINE__) +# define ck_free(_p1) TRK_ck_free(_p1, __FILE__, __FUNCTION__, __LINE__) -#endif /* ^!DEBUG_BUILD */ +# endif /* ^!DEBUG_BUILD */ #endif /* _WANT_ORIGINAL_AFL_ALLOC */ diff --git a/include/android-ashmem.h b/include/android-ashmem.h index 77914c35..9502f2fb 100644 --- a/include/android-ashmem.h +++ b/include/android-ashmem.h @@ -28,27 +28,27 @@ #ifdef __ANDROID__ -#include -#include -#include -#include -#include - -#if __ANDROID_API__ >= 26 -#define shmat bionic_shmat -#define shmctl bionic_shmctl -#define shmdt bionic_shmdt -#define shmget bionic_shmget -#endif - -#include -#undef shmat -#undef shmctl -#undef shmdt -#undef shmget -#include - -#define ASHMEM_DEVICE "/dev/ashmem" +# include +# include +# include +# include +# include + +# if __ANDROID_API__ >= 26 +# define shmat bionic_shmat +# define shmctl bionic_shmctl +# define shmdt bionic_shmdt +# define shmget bionic_shmget +# endif + +# include +# undef shmat +# undef shmctl +# undef shmdt +# undef shmget +# include + +# define ASHMEM_DEVICE "/dev/ashmem" static inline int shmctl(int __shmid, int __cmd, struct shmid_ds *__buf) { diff --git a/include/config.h b/include/config.h index c21d775a..7d348149 100644 --- a/include/config.h +++ b/include/config.h @@ -49,7 +49,7 @@ /* Comment out to disable fancy ANSI boxes and use poor man's 7-bit UI: */ #ifndef ANDROID_DISABLE_FANCY // Fancy boxes are ugly from adb -#define FANCY_BOXES +# define FANCY_BOXES #endif /* Default timeout for fuzzed code (milliseconds). This is the upper bound, @@ -63,20 +63,20 @@ /* 64bit arch MACRO */ #if (defined(__x86_64__) || defined(__arm64__) || defined(__aarch64__)) -#define WORD_SIZE_64 1 +# define WORD_SIZE_64 1 #endif /* Default memory limit for child process (MB): */ #ifndef __NetBSD__ -#ifndef WORD_SIZE_64 -#define MEM_LIMIT 25 -#else -#define MEM_LIMIT 50 -#endif /* ^!WORD_SIZE_64 */ -#else /* NetBSD's kernel needs more space for stack, see discussion for issue \ - #165 */ -#define MEM_LIMIT 200 +# ifndef WORD_SIZE_64 +# define MEM_LIMIT 25 +# else +# define MEM_LIMIT 50 +# endif /* ^!WORD_SIZE_64 */ +#else /* NetBSD's kernel needs more space for stack, see discussion for issue \ + #165 */ +# define MEM_LIMIT 200 #endif /* Default memory limit when running in QEMU mode (MB): */ @@ -395,9 +395,9 @@ /* for *BSD: use ARC4RANDOM and save a file descriptor */ #if defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__) -#ifndef HAVE_ARC4RANDOM -#define HAVE_ARC4RANDOM 1 -#endif +# ifndef HAVE_ARC4RANDOM +# define HAVE_ARC4RANDOM 1 +# endif #endif /* __APPLE__ || __FreeBSD__ || __OpenBSD__ */ #endif /* ! _HAVE_CONFIG_H */ diff --git a/include/debug.h b/include/debug.h index 4cce56b5..ea2ee87a 100644 --- a/include/debug.h +++ b/include/debug.h @@ -30,7 +30,7 @@ /* __FUNCTION__ is non-iso */ #ifdef __func__ -#define __FUNCTION__ __func__ +# define __FUNCTION__ __func__ #endif /******************* @@ -38,82 +38,82 @@ *******************/ #ifndef MESSAGES_TO_STDOUT -#define MESSAGES_TO_STDOUT +# define MESSAGES_TO_STDOUT #endif #ifdef USE_COLOR -#define cBLK "\x1b[0;30m" -#define cRED "\x1b[0;31m" -#define cGRN "\x1b[0;32m" -#define cBRN "\x1b[0;33m" -#define cBLU "\x1b[0;34m" -#define cMGN "\x1b[0;35m" -#define cCYA "\x1b[0;36m" -#define cLGR "\x1b[0;37m" -#define cGRA "\x1b[1;90m" -#define cLRD "\x1b[1;91m" -#define cLGN "\x1b[1;92m" -#define cYEL "\x1b[1;93m" -#define cLBL "\x1b[1;94m" -#define cPIN "\x1b[1;95m" -#define cLCY "\x1b[1;96m" -#define cBRI "\x1b[1;97m" -#define cRST "\x1b[0m" - -#define bgBLK "\x1b[40m" -#define bgRED "\x1b[41m" -#define bgGRN "\x1b[42m" -#define bgBRN "\x1b[43m" -#define bgBLU "\x1b[44m" -#define bgMGN "\x1b[45m" -#define bgCYA "\x1b[46m" -#define bgLGR "\x1b[47m" -#define bgGRA "\x1b[100m" -#define bgLRD "\x1b[101m" -#define bgLGN "\x1b[102m" -#define bgYEL "\x1b[103m" -#define bgLBL "\x1b[104m" -#define bgPIN "\x1b[105m" -#define bgLCY "\x1b[106m" -#define bgBRI "\x1b[107m" +# define cBLK "\x1b[0;30m" +# define cRED "\x1b[0;31m" +# define cGRN "\x1b[0;32m" +# define cBRN "\x1b[0;33m" +# define cBLU "\x1b[0;34m" +# define cMGN "\x1b[0;35m" +# define cCYA "\x1b[0;36m" +# define cLGR "\x1b[0;37m" +# define cGRA "\x1b[1;90m" +# define cLRD "\x1b[1;91m" +# define cLGN "\x1b[1;92m" +# define cYEL "\x1b[1;93m" +# define cLBL "\x1b[1;94m" +# define cPIN "\x1b[1;95m" +# define cLCY "\x1b[1;96m" +# define cBRI "\x1b[1;97m" +# define cRST "\x1b[0m" + +# define bgBLK "\x1b[40m" +# define bgRED "\x1b[41m" +# define bgGRN "\x1b[42m" +# define bgBRN "\x1b[43m" +# define bgBLU "\x1b[44m" +# define bgMGN "\x1b[45m" +# define bgCYA "\x1b[46m" +# define bgLGR "\x1b[47m" +# define bgGRA "\x1b[100m" +# define bgLRD "\x1b[101m" +# define bgLGN "\x1b[102m" +# define bgYEL "\x1b[103m" +# define bgLBL "\x1b[104m" +# define bgPIN "\x1b[105m" +# define bgLCY "\x1b[106m" +# define bgBRI "\x1b[107m" #else -#define cBLK "" -#define cRED "" -#define cGRN "" -#define cBRN "" -#define cBLU "" -#define cMGN "" -#define cCYA "" -#define cLGR "" -#define cGRA "" -#define cLRD "" -#define cLGN "" -#define cYEL "" -#define cLBL "" -#define cPIN "" -#define cLCY "" -#define cBRI "" -#define cRST "" - -#define bgBLK "" -#define bgRED "" -#define bgGRN "" -#define bgBRN "" -#define bgBLU "" -#define bgMGN "" -#define bgCYA "" -#define bgLGR "" -#define bgGRA "" -#define bgLRD "" -#define bgLGN "" -#define bgYEL "" -#define bgLBL "" -#define bgPIN "" -#define bgLCY "" -#define bgBRI "" +# define cBLK "" +# define cRED "" +# define cGRN "" +# define cBRN "" +# define cBLU "" +# define cMGN "" +# define cCYA "" +# define cLGR "" +# define cGRA "" +# define cLRD "" +# define cLGN "" +# define cYEL "" +# define cLBL "" +# define cPIN "" +# define cLCY "" +# define cBRI "" +# define cRST "" + +# define bgBLK "" +# define bgRED "" +# define bgGRN "" +# define bgBRN "" +# define bgBLU "" +# define bgMGN "" +# define bgCYA "" +# define bgLGR "" +# define bgGRA "" +# define bgLRD "" +# define bgLGN "" +# define bgYEL "" +# define bgLBL "" +# define bgPIN "" +# define bgLCY "" +# define bgBRI "" #endif /* ^USE_COLOR */ @@ -123,39 +123,39 @@ #ifdef FANCY_BOXES -#define SET_G1 "\x1b)0" /* Set G1 for box drawing */ -#define RESET_G1 "\x1b)B" /* Reset G1 to ASCII */ -#define bSTART "\x0e" /* Enter G1 drawing mode */ -#define bSTOP "\x0f" /* Leave G1 drawing mode */ -#define bH "q" /* Horizontal line */ -#define bV "x" /* Vertical line */ -#define bLT "l" /* Left top corner */ -#define bRT "k" /* Right top corner */ -#define bLB "m" /* Left bottom corner */ -#define bRB "j" /* Right bottom corner */ -#define bX "n" /* Cross */ -#define bVR "t" /* Vertical, branch right */ -#define bVL "u" /* Vertical, branch left */ -#define bHT "v" /* Horizontal, branch top */ -#define bHB "w" /* Horizontal, branch bottom */ +# define SET_G1 "\x1b)0" /* Set G1 for box drawing */ +# define RESET_G1 "\x1b)B" /* Reset G1 to ASCII */ +# define bSTART "\x0e" /* Enter G1 drawing mode */ +# define bSTOP "\x0f" /* Leave G1 drawing mode */ +# define bH "q" /* Horizontal line */ +# define bV "x" /* Vertical line */ +# define bLT "l" /* Left top corner */ +# define bRT "k" /* Right top corner */ +# define bLB "m" /* Left bottom corner */ +# define bRB "j" /* Right bottom corner */ +# define bX "n" /* Cross */ +# define bVR "t" /* Vertical, branch right */ +# define bVL "u" /* Vertical, branch left */ +# define bHT "v" /* Horizontal, branch top */ +# define bHB "w" /* Horizontal, branch bottom */ #else -#define SET_G1 "" -#define RESET_G1 "" -#define bSTART "" -#define bSTOP "" -#define bH "-" -#define bV "|" -#define bLT "+" -#define bRT "+" -#define bLB "+" -#define bRB "+" -#define bX "+" -#define bVR "+" -#define bVL "+" -#define bHT "+" -#define bHB "+" +# define SET_G1 "" +# define RESET_G1 "" +# define bSTART "" +# define bSTOP "" +# define bH "-" +# define bV "|" +# define bLT "+" +# define bRT "+" +# define bLB "+" +# define bRB "+" +# define bX "+" +# define bVR "+" +# define bVL "+" +# define bHT "+" +# define bHB "+" #endif /* ^FANCY_BOXES */ @@ -176,9 +176,9 @@ /* Just print stuff to the appropriate stream. */ #ifdef MESSAGES_TO_STDOUT -#define SAYF(x...) printf(x) +# define SAYF(x...) printf(x) #else -#define SAYF(x...) fprintf(stderr, x) +# define SAYF(x...) fprintf(stderr, x) #endif /* ^MESSAGES_TO_STDOUT */ /* Show a prefixed warning. */ diff --git a/include/forkserver.h b/include/forkserver.h index 7e7784f5..81112594 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -110,20 +110,20 @@ void afl_fsrv_killall(void); void afl_fsrv_deinit(afl_forkserver_t *fsrv); #ifdef __APPLE__ -#define MSG_FORK_ON_APPLE \ - " - On MacOS X, the semantics of fork() syscalls are non-standard and " \ - "may\n" \ - " break afl-fuzz performance optimizations when running " \ - "platform-specific\n" \ - " targets. To fix this, set AFL_NO_FORKSRV=1 in the environment.\n\n" +# define MSG_FORK_ON_APPLE \ + " - On MacOS X, the semantics of fork() syscalls are non-standard and " \ + "may\n" \ + " break afl-fuzz performance optimizations when running " \ + "platform-specific\n" \ + " targets. To fix this, set AFL_NO_FORKSRV=1 in the environment.\n\n" #else -#define MSG_FORK_ON_APPLE "" +# define MSG_FORK_ON_APPLE "" #endif #ifdef RLIMIT_AS -#define MSG_ULIMIT_USAGE " ( ulimit -Sv $[%llu << 10];" +# define MSG_ULIMIT_USAGE " ( ulimit -Sv $[%llu << 10];" #else -#define MSG_ULIMIT_USAGE " ( ulimit -Sd $[%llu << 10];" +# define MSG_ULIMIT_USAGE " ( ulimit -Sd $[%llu << 10];" #endif /* ^RLIMIT_AS */ #endif diff --git a/include/hash.h b/include/hash.h index 3751ac33..75a72ad0 100644 --- a/include/hash.h +++ b/include/hash.h @@ -32,7 +32,7 @@ #ifdef __x86_64__ -#define ROL64(_x, _r) ((((u64)(_x)) << (_r)) | (((u64)(_x)) >> (64 - (_r)))) +# define ROL64(_x, _r) ((((u64)(_x)) << (_r)) | (((u64)(_x)) >> (64 - (_r)))) static inline u32 hash32(const void *key, u32 len, u32 seed) { @@ -67,7 +67,7 @@ static inline u32 hash32(const void *key, u32 len, u32 seed) { #else -#define ROL32(_x, _r) ((((u32)(_x)) << (_r)) | (((u32)(_x)) >> (32 - (_r)))) +# define ROL32(_x, _r) ((((u32)(_x)) << (_r)) | (((u32)(_x)) >> (32 - (_r)))) static inline u32 hash32(const void *key, u32 len, u32 seed) { diff --git a/include/types.h b/include/types.h index f89221cd..15b618fa 100644 --- a/include/types.h +++ b/include/types.h @@ -81,22 +81,22 @@ typedef int32_t s32; typedef int64_t s64; #ifndef MIN -#define MIN(a, b) \ - ({ \ - \ - __typeof__(a) _a = (a); \ - __typeof__(b) _b = (b); \ - _a < _b ? _a : _b; \ - \ - }) -#define MAX(a, b) \ - ({ \ - \ - __typeof__(a) _a = (a); \ - __typeof__(b) _b = (b); \ - _a > _b ? _a : _b; \ - \ - }) +# define MIN(a, b) \ + ({ \ + __typeof__(a) _a = (a); \ + __typeof__(b) _b = (b); \ + _a < _b ? _a : _b; + +}) + +# define MAX(a, b) \ + ({ \ + __typeof__(a) _a = (a); \ + __typeof__(b) _b = (b); \ + _a > _b ? _a : _b; + +}) + #endif /* !MIN */ #define SWAP16(_x) \ @@ -131,21 +131,21 @@ typedef int64_t s64; }) #ifdef AFL_LLVM_PASS -#if defined(__linux__) || !defined(__ANDROID__) -#define AFL_SR(s) (srandom(s)) -#define AFL_R(x) (random() % (x)) -#else -#define AFL_SR(s) ((void)s) -#define AFL_R(x) (arc4random_uniform(x)) -#endif -#else -#if defined(__linux__) || !defined(__ANDROID__) -#define SR(s) (srandom(s)) -#define R(x) (random() % (x)) +# if defined(__linux__) || !defined(__ANDROID__) +# define AFL_SR(s) (srandom(s)) +# define AFL_R(x) (random() % (x)) +# else +# define AFL_SR(s) ((void)s) +# define AFL_R(x) (arc4random_uniform(x)) +# endif #else -#define SR(s) ((void)s) -#define R(x) (arc4random_uniform(x)) -#endif +# if defined(__linux__) || !defined(__ANDROID__) +# define SR(s) (srandom(s)) +# define R(x) (random() % (x)) +# else +# define SR(s) ((void)s) +# define R(x) (arc4random_uniform(x)) +# endif #endif /* ^AFL_LLVM_PASS */ #define STRINGIFY_INTERNAL(x) #x @@ -154,19 +154,19 @@ typedef int64_t s64; #define MEM_BARRIER() __asm__ volatile("" ::: "memory") #if __GNUC__ < 6 -#ifndef likely -#define likely(_x) (_x) -#endif -#ifndef unlikely -#define unlikely(_x) (_x) -#endif +# ifndef likely +# define likely(_x) (_x) +# endif +# ifndef unlikely +# define unlikely(_x) (_x) +# endif #else -#ifndef likely -#define likely(_x) __builtin_expect(!!(_x), 1) -#endif -#ifndef unlikely -#define unlikely(_x) __builtin_expect(!!(_x), 0) -#endif +# ifndef likely +# define likely(_x) __builtin_expect(!!(_x), 1) +# endif +# ifndef unlikely +# define unlikely(_x) __builtin_expect(!!(_x), 0) +# endif #endif #endif /* ! _HAVE_TYPES_H */ diff --git a/libdislocator/libdislocator.so.c b/libdislocator/libdislocator.so.c index 73ddc292..496cf0f0 100644 --- a/libdislocator/libdislocator.so.c +++ b/libdislocator/libdislocator.so.c @@ -30,39 +30,39 @@ #include #ifdef __APPLE__ -#include +# include #endif #ifdef __FreeBSD__ -#include +# include #endif #if defined(__linux__) && !defined(__ANDROID__) -#include -#include -#ifdef __NR_getrandom -#define arc4random_buf(p, l) \ - do { \ - \ - ssize_t rd = syscall(__NR_getrandom, p, l, 0); \ - if (rd != l) DEBUGF("getrandom failed"); \ - \ - } while (0) - -#else -#include -#define arc4random_buf(p, l) \ - do { \ - \ - srand(time(NULL)); \ - u32 i; \ - u8 *ptr = (u8 *)p; \ - for (i = 0; i < l; i++) \ - ptr[i] = rand() % INT_MAX; \ - \ - } while (0) - -#endif +# include +# include +# ifdef __NR_getrandom +# define arc4random_buf(p, l) \ + do { \ + ssize_t rd = syscall(__NR_getrandom, p, l, 0); \ + if (rd != l) DEBUGF("getrandom failed"); \ + \ + + } while (0) + +# else +# include +# define arc4random_buf(p, l) \ + do { \ + srand(time(NULL)); \ + u32 i; \ + u8 *ptr = (u8 *)p; \ + for (i = 0; i < l; i++) \ + ptr[i] = rand() % INT_MAX; \ + \ + + } while (0) + +# endif #endif #include "config.h" @@ -83,11 +83,11 @@ typedef struct { #define ALLOC_ALIGN_SIZE (_Alignof(max_align_t)) #ifndef PAGE_SIZE -#define PAGE_SIZE 4096 +# define PAGE_SIZE 4096 #endif /* !PAGE_SIZE */ #ifndef MAP_ANONYMOUS -#define MAP_ANONYMOUS MAP_ANON +# define MAP_ANONYMOUS MAP_ANON #endif /* !MAP_ANONYMOUS */ #define SUPER_PAGE_SIZE 1 << 21 @@ -148,8 +148,8 @@ static u8 alloc_verbose, /* Additional debug messages */ align_allocations; /* Force alignment to sizeof(void*) */ #if defined __OpenBSD__ || defined __APPLE__ -#define __thread -#warning no thread support available +# define __thread +# warning no thread support available #endif static __thread size_t total_mem; /* Currently allocated mem */ @@ -192,13 +192,13 @@ static void *__dislocator_alloc(size_t len) { #if defined(USEHUGEPAGE) sp = (rlen >= SUPER_PAGE_SIZE && !(rlen % SUPER_PAGE_SIZE)); -#if defined(__APPLE__) +# if defined(__APPLE__) if (sp) fd = VM_FLAGS_SUPERPAGE_SIZE_2MB; -#elif defined(__linux__) +# elif defined(__linux__) if (sp) flags |= MAP_HUGETLB; -#elif defined(__FreeBSD__) +# elif defined(__FreeBSD__) if (sp) flags |= MAP_ALIGNED_SUPER; -#endif +# endif #else (void)sp; #endif @@ -208,13 +208,13 @@ static void *__dislocator_alloc(size_t len) { /* We try one more time with regular call */ if (ret == MAP_FAILED) { -#if defined(__APPLE__) +# if defined(__APPLE__) fd = -1; -#elif defined(__linux__) +# elif defined(__linux__) flags &= -MAP_HUGETLB; -#elif defined(__FreeBSD__) +# elif defined(__FreeBSD__) flags &= -MAP_ALIGNED_SUPER; -#endif +# endif ret = (u8 *)mmap(NULL, tlen, PROT_READ | PROT_WRITE, flags, fd, 0); } diff --git a/libtokencap/libtokencap.so.c b/libtokencap/libtokencap.so.c index 56b2cd4b..785f0e57 100644 --- a/libtokencap/libtokencap.so.c +++ b/libtokencap/libtokencap.so.c @@ -21,7 +21,7 @@ */ #ifndef _GNU_SOURCE -#define _GNU_SOURCE +# define _GNU_SOURCE #endif #include #include @@ -35,20 +35,20 @@ #if !defined __linux__ && !defined __APPLE__ && !defined __FreeBSD__ && \ !defined __OpenBSD__ && !defined __NetBSD__ && !defined __DragonFly__ -#error "Sorry, this library is unsupported in this platform for now!" +# error "Sorry, this library is unsupported in this platform for now!" #endif /* !__linux__ && !__APPLE__ && ! __FreeBSD__ && ! __OpenBSD__ && \ !__NetBSD__*/ #if defined __APPLE__ -#include -#include +# include +# include #elif defined __FreeBSD__ || defined __OpenBSD__ || defined __NetBSD__ -#include -#include -#if !defined __NetBSD__ -#include -#endif -#include +# include +# include +# if !defined __NetBSD__ +# include +# endif +# include #endif #include @@ -154,25 +154,25 @@ static void __tokencap_load_mappings(void) { #elif defined __FreeBSD__ || defined __OpenBSD__ || defined __NetBSD__ -#if defined __FreeBSD__ +# if defined __FreeBSD__ int mib[] = {CTL_KERN, KERN_PROC, KERN_PROC_VMMAP, __tokencap_pid}; -#elif defined __OpenBSD__ +# elif defined __OpenBSD__ int mib[] = {CTL_KERN, KERN_PROC_VMMAP, __tokencap_pid}; -#elif defined __NetBSD__ +# elif defined __NetBSD__ int mib[] = {CTL_VM, VM_PROC, VM_PROC_MAP, __tokencap_pid, sizeof(struct kinfo_vmentry)}; -#endif +# endif char * buf, *low, *high; size_t miblen = sizeof(mib) / sizeof(mib[0]); size_t len; if (sysctl(mib, miblen, NULL, &len, NULL, 0) == -1) return; -#if defined __FreeBSD__ || defined __NetBSD__ +# if defined __FreeBSD__ || defined __NetBSD__ len = len * 4 / 3; -#elif defined __OpenBSD__ +# elif defined __OpenBSD__ len -= len % sizeof(struct kinfo_vmentry); -#endif +# endif buf = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANON, -1, 0); if (buf == MAP_FAILED) return; @@ -193,22 +193,22 @@ static void __tokencap_load_mappings(void) { struct kinfo_vmentry *region = (struct kinfo_vmentry *)low; -#if defined __FreeBSD__ || defined __NetBSD__ +# if defined __FreeBSD__ || defined __NetBSD__ -#if defined __FreeBSD__ +# if defined __FreeBSD__ size_t size = region->kve_structsize; if (size == 0) break; -#elif defined __NetBSD__ +# elif defined __NetBSD__ size_t size = sizeof(*region); -#endif +# endif /* We go through the whole mapping of the process and track read-only * addresses */ if ((region->kve_protection & KVME_PROT_READ) && !(region->kve_protection & KVME_PROT_WRITE)) { -#elif defined __OpenBSD__ +# elif defined __OpenBSD__ size_t size = sizeof(*region); @@ -217,7 +217,7 @@ static void __tokencap_load_mappings(void) { if ((region->kve_protection & KVE_PROT_READ) && !(region->kve_protection & KVE_PROT_WRITE)) { -#endif +# endif __tokencap_ro[__tokencap_ro_cnt].st = (void *)region->kve_start; __tokencap_ro[__tokencap_ro_cnt].en = (void *)region->kve_end; diff --git a/llvm_mode/LLVMInsTrim.so.cc b/llvm_mode/LLVMInsTrim.so.cc index 69fc079b..a072ae55 100644 --- a/llvm_mode/LLVMInsTrim.so.cc +++ b/llvm_mode/LLVMInsTrim.so.cc @@ -12,13 +12,13 @@ typedef long double max_align_t; #include "llvm/ADT/DenseSet.h" #if LLVM_VERSION_MAJOR > 3 || \ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4) -#include "llvm/IR/CFG.h" -#include "llvm/IR/Dominators.h" -#include "llvm/IR/DebugInfo.h" +# include "llvm/IR/CFG.h" +# include "llvm/IR/Dominators.h" +# include "llvm/IR/DebugInfo.h" #else -#include "llvm/Support/CFG.h" -#include "llvm/Analysis/Dominators.h" -#include "llvm/DebugInfo.h" +# include "llvm/Support/CFG.h" +# include "llvm/Analysis/Dominators.h" +# include "llvm/DebugInfo.h" #endif #include "llvm/IR/IRBuilder.h" #include "llvm/IR/Instructions.h" @@ -97,7 +97,7 @@ struct InsTrim : public ModulePass { #if LLVM_VERSION_MAJOR >= 4 || \ (LLVM_VERSION_MAJOR == 4 && LLVM_VERSION_PATCH >= 1) -#define AFL_HAVE_VECTOR_INTRINSICS 1 +# define AFL_HAVE_VECTOR_INTRINSICS 1 #endif bool runOnModule(Module &M) override { @@ -137,13 +137,13 @@ struct InsTrim : public ModulePass { getenv("AFL_LLVM_SKIPSINGLEBLOCK")) function_minimum_size = 2; - unsigned PrevLocSize = 0; - char * ngram_size_str = getenv("AFL_LLVM_NGRAM_SIZE"); + unsigned int PrevLocSize = 0; + char * ngram_size_str = getenv("AFL_LLVM_NGRAM_SIZE"); if (!ngram_size_str) ngram_size_str = getenv("AFL_NGRAM_SIZE"); char *ctx_str = getenv("AFL_LLVM_CTX"); #ifdef AFL_HAVE_VECTOR_INTRINSICS - int ngram_size = 0; + unsigned int ngram_size = 0; /* Decide previous location vector size (must be a power of two) */ VectorType *PrevLocTy; @@ -196,17 +196,17 @@ struct InsTrim : public ModulePass { #ifdef AFL_HAVE_VECTOR_INTRINSICS if (ngram_size) -#ifdef __ANDROID__ +# ifdef __ANDROID__ AFLPrevLoc = new GlobalVariable( M, PrevLocTy, /* isConstant */ false, GlobalValue::ExternalLinkage, /* Initializer */ nullptr, "__afl_prev_loc"); -#else +# else AFLPrevLoc = new GlobalVariable( M, PrevLocTy, /* isConstant */ false, GlobalValue::ExternalLinkage, /* Initializer */ nullptr, "__afl_prev_loc", /* InsertBefore */ nullptr, GlobalVariable::GeneralDynamicTLSModel, /* AddressSpace */ 0, /* IsExternallyInitialized */ false); -#endif +# endif else #endif #ifdef __ANDROID__ diff --git a/llvm_mode/MarkNodes.cc b/llvm_mode/MarkNodes.cc index cff6c90a..66e6a728 100644 --- a/llvm_mode/MarkNodes.cc +++ b/llvm_mode/MarkNodes.cc @@ -15,9 +15,9 @@ typedef long double max_align_t; #include "llvm/IR/BasicBlock.h" #if LLVM_VERSION_MAJOR > 3 || \ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4) -#include "llvm/IR/CFG.h" +# include "llvm/IR/CFG.h" #else -#include "llvm/Support/CFG.h" +# include "llvm/Support/CFG.h" #endif #include "llvm/IR/Constants.h" #include "llvm/IR/Function.h" diff --git a/llvm_mode/afl-llvm-common.h b/llvm_mode/afl-llvm-common.h index cf14d2e1..c0982e10 100644 --- a/llvm_mode/afl-llvm-common.h +++ b/llvm_mode/afl-llvm-common.h @@ -25,11 +25,11 @@ typedef long double max_align_t; #if LLVM_VERSION_MAJOR > 3 || \ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4) -#include "llvm/IR/DebugInfo.h" -#include "llvm/IR/CFG.h" +# include "llvm/IR/DebugInfo.h" +# include "llvm/IR/CFG.h" #else -#include "llvm/DebugInfo.h" -#include "llvm/Support/CFG.h" +# include "llvm/DebugInfo.h" +# include "llvm/Support/CFG.h" #endif char * getBBName(const llvm::BasicBlock *BB); diff --git a/llvm_mode/afl-llvm-pass.so.cc b/llvm_mode/afl-llvm-pass.so.cc index 2d23ad21..2bcd661b 100644 --- a/llvm_mode/afl-llvm-pass.so.cc +++ b/llvm_mode/afl-llvm-pass.so.cc @@ -54,11 +54,11 @@ typedef long double max_align_t; #if LLVM_VERSION_MAJOR > 3 || \ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4) -#include "llvm/IR/DebugInfo.h" -#include "llvm/IR/CFG.h" +# include "llvm/IR/DebugInfo.h" +# include "llvm/IR/CFG.h" #else -#include "llvm/DebugInfo.h" -#include "llvm/Support/CFG.h" +# include "llvm/DebugInfo.h" +# include "llvm/Support/CFG.h" #endif #include "afl-llvm-common.h" @@ -115,7 +115,7 @@ uint64_t PowerOf2Ceil(unsigned in) { /* #if LLVM_VERSION_STRING >= "4.0.1" */ #if LLVM_VERSION_MAJOR >= 4 || \ (LLVM_VERSION_MAJOR == 4 && LLVM_VERSION_PATCH >= 1) -#define AFL_HAVE_VECTOR_INTRINSICS 1 +# define AFL_HAVE_VECTOR_INTRINSICS 1 #endif bool AFLCoverage::runOnModule(Module &M) { @@ -242,17 +242,17 @@ bool AFLCoverage::runOnModule(Module &M) { #ifdef AFL_HAVE_VECTOR_INTRINSICS if (ngram_size) -#ifdef __ANDROID__ +# ifdef __ANDROID__ AFLPrevLoc = new GlobalVariable( M, PrevLocTy, /* isConstant */ false, GlobalValue::ExternalLinkage, /* Initializer */ nullptr, "__afl_prev_loc"); -#else +# else AFLPrevLoc = new GlobalVariable( M, PrevLocTy, /* isConstant */ false, GlobalValue::ExternalLinkage, /* Initializer */ nullptr, "__afl_prev_loc", /* InsertBefore */ nullptr, GlobalVariable::GeneralDynamicTLSModel, /* AddressSpace */ 0, /* IsExternallyInitialized */ false); -#endif +# endif else #endif #ifdef __ANDROID__ diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index 56038f7a..6306ae30 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c @@ -21,7 +21,7 @@ */ #ifdef __ANDROID__ -#include "android-ashmem.h" +# include "android-ashmem.h" #endif #include "config.h" #include "types.h" @@ -43,7 +43,7 @@ #include #ifdef __linux__ -#include "snapshot-inl.h" +# include "snapshot-inl.h" #endif /* This is a somewhat ugly hack for the experimental 'trace-pc-guard' mode. @@ -53,7 +53,7 @@ #define CONST_PRIO 5 #ifndef MAP_FIXED_NOREPLACE -#define MAP_FIXED_NOREPLACE MAP_FIXED +# define MAP_FIXED_NOREPLACE MAP_FIXED #endif #include @@ -822,15 +822,15 @@ void __cmplog_ins_hook8(uint64_t arg1, uint64_t arg2) { } #if defined(__APPLE__) -#pragma weak __sanitizer_cov_trace_const_cmp1 = __cmplog_ins_hook1 -#pragma weak __sanitizer_cov_trace_const_cmp2 = __cmplog_ins_hook2 -#pragma weak __sanitizer_cov_trace_const_cmp4 = __cmplog_ins_hook4 -#pragma weak __sanitizer_cov_trace_const_cmp8 = __cmplog_ins_hook8 - -#pragma weak __sanitizer_cov_trace_cmp1 = __cmplog_ins_hook1 -#pragma weak __sanitizer_cov_trace_cmp2 = __cmplog_ins_hook2 -#pragma weak __sanitizer_cov_trace_cmp4 = __cmplog_ins_hook4 -#pragma weak __sanitizer_cov_trace_cmp8 = __cmplog_ins_hook8 +# pragma weak __sanitizer_cov_trace_const_cmp1 = __cmplog_ins_hook1 +# pragma weak __sanitizer_cov_trace_const_cmp2 = __cmplog_ins_hook2 +# pragma weak __sanitizer_cov_trace_const_cmp4 = __cmplog_ins_hook4 +# pragma weak __sanitizer_cov_trace_const_cmp8 = __cmplog_ins_hook8 + +# pragma weak __sanitizer_cov_trace_cmp1 = __cmplog_ins_hook1 +# pragma weak __sanitizer_cov_trace_cmp2 = __cmplog_ins_hook2 +# pragma weak __sanitizer_cov_trace_cmp4 = __cmplog_ins_hook4 +# pragma weak __sanitizer_cov_trace_cmp8 = __cmplog_ins_hook8 #else void __sanitizer_cov_trace_const_cmp1(uint8_t arg1, uint8_t arg2) __attribute__((alias("__cmplog_ins_hook1"))); diff --git a/llvm_mode/cmplog-instructions-pass.cc b/llvm_mode/cmplog-instructions-pass.cc index 628151c6..61ff58b7 100644 --- a/llvm_mode/cmplog-instructions-pass.cc +++ b/llvm_mode/cmplog-instructions-pass.cc @@ -38,12 +38,12 @@ #if LLVM_VERSION_MAJOR > 3 || \ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4) -#include "llvm/IR/Verifier.h" -#include "llvm/IR/DebugInfo.h" +# include "llvm/IR/Verifier.h" +# include "llvm/IR/DebugInfo.h" #else -#include "llvm/Analysis/Verifier.h" -#include "llvm/DebugInfo.h" -#define nullptr 0 +# include "llvm/Analysis/Verifier.h" +# include "llvm/DebugInfo.h" +# define nullptr 0 #endif #include diff --git a/llvm_mode/cmplog-routines-pass.cc b/llvm_mode/cmplog-routines-pass.cc index b74fb712..c61374a7 100644 --- a/llvm_mode/cmplog-routines-pass.cc +++ b/llvm_mode/cmplog-routines-pass.cc @@ -38,12 +38,12 @@ #if LLVM_VERSION_MAJOR > 3 || \ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4) -#include "llvm/IR/Verifier.h" -#include "llvm/IR/DebugInfo.h" +# include "llvm/IR/Verifier.h" +# include "llvm/IR/DebugInfo.h" #else -#include "llvm/Analysis/Verifier.h" -#include "llvm/DebugInfo.h" -#define nullptr 0 +# include "llvm/Analysis/Verifier.h" +# include "llvm/DebugInfo.h" +# define nullptr 0 #endif #include diff --git a/llvm_mode/compare-transform-pass.so.cc b/llvm_mode/compare-transform-pass.so.cc index 00732dbc..5fe0d908 100644 --- a/llvm_mode/compare-transform-pass.so.cc +++ b/llvm_mode/compare-transform-pass.so.cc @@ -38,12 +38,12 @@ #if LLVM_VERSION_MAJOR > 3 || \ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4) -#include "llvm/IR/Verifier.h" -#include "llvm/IR/DebugInfo.h" +# include "llvm/IR/Verifier.h" +# include "llvm/IR/DebugInfo.h" #else -#include "llvm/Analysis/Verifier.h" -#include "llvm/DebugInfo.h" -#define nullptr 0 +# include "llvm/Analysis/Verifier.h" +# include "llvm/DebugInfo.h" +# define nullptr 0 #endif #include diff --git a/llvm_mode/split-compares-pass.so.cc b/llvm_mode/split-compares-pass.so.cc index 9c91e44f..190b0717 100644 --- a/llvm_mode/split-compares-pass.so.cc +++ b/llvm_mode/split-compares-pass.so.cc @@ -37,12 +37,12 @@ #include "llvm/IR/IRBuilder.h" #if LLVM_VERSION_MAJOR > 3 || \ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4) -#include "llvm/IR/Verifier.h" -#include "llvm/IR/DebugInfo.h" +# include "llvm/IR/Verifier.h" +# include "llvm/IR/DebugInfo.h" #else -#include "llvm/Analysis/Verifier.h" -#include "llvm/DebugInfo.h" -#define nullptr 0 +# include "llvm/Analysis/Verifier.h" +# include "llvm/DebugInfo.h" +# define nullptr 0 #endif using namespace llvm; diff --git a/llvm_mode/split-switches-pass.so.cc b/llvm_mode/split-switches-pass.so.cc index e8639347..f0b26fce 100644 --- a/llvm_mode/split-switches-pass.so.cc +++ b/llvm_mode/split-switches-pass.so.cc @@ -40,12 +40,12 @@ #include "llvm/IR/IRBuilder.h" #if LLVM_VERSION_MAJOR > 3 || \ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4) -#include "llvm/IR/Verifier.h" -#include "llvm/IR/DebugInfo.h" +# include "llvm/IR/Verifier.h" +# include "llvm/IR/DebugInfo.h" #else -#include "llvm/Analysis/Verifier.h" -#include "llvm/DebugInfo.h" -#define nullptr 0 +# include "llvm/Analysis/Verifier.h" +# include "llvm/DebugInfo.h" +# define nullptr 0 #endif #include diff --git a/qbdi_mode/template.cpp b/qbdi_mode/template.cpp index d4ac25e3..af360eb0 100755 --- a/qbdi_mode/template.cpp +++ b/qbdi_mode/template.cpp @@ -11,7 +11,7 @@ #include #ifdef __ANDROID__ -#include "../include/android-ashmem.h" +# include "../include/android-ashmem.h" #endif #include @@ -23,15 +23,15 @@ /* NeverZero */ #if (defined(__x86_64__) || defined(__i386__)) && defined(AFL_QEMU_NOT_ZERO) -#define INC_AFL_AREA(loc) \ - asm volatile( \ - "incb (%0, %1, 1)\n" \ - "adcb $0, (%0, %1, 1)\n" \ - : /* no out */ \ - : "r"(afl_area_ptr), "r"(loc) \ - : "memory", "eax") +# define INC_AFL_AREA(loc) \ + asm volatile( \ + "incb (%0, %1, 1)\n" \ + "adcb $0, (%0, %1, 1)\n" \ + : /* no out */ \ + : "r"(afl_area_ptr), "r"(loc) \ + : "memory", "eax") #else -#define INC_AFL_AREA(loc) afl_area_ptr[loc]++ +# define INC_AFL_AREA(loc) afl_area_ptr[loc]++ #endif using namespace QBDI; diff --git a/qemu_mode/libcompcov/libcompcov.so.c b/qemu_mode/libcompcov/libcompcov.so.c index bffdd5d8..dde65325 100644 --- a/qemu_mode/libcompcov/libcompcov.so.c +++ b/qemu_mode/libcompcov/libcompcov.so.c @@ -20,7 +20,7 @@ */ #ifndef _GNU_SOURCE -#define _GNU_SOURCE +# define _GNU_SOURCE #endif #include #include @@ -36,7 +36,7 @@ #include "pmparser.h" #ifndef __linux__ -#error "Sorry, this library is Linux-specific for now!" +# error "Sorry, this library is Linux-specific for now!" #endif /* !__linux__ */ /* Change this value to tune the compare coverage */ diff --git a/qemu_mode/patches/afl-qemu-common.h b/qemu_mode/patches/afl-qemu-common.h index 94f853cc..af73ff8c 100644 --- a/qemu_mode/patches/afl-qemu-common.h +++ b/qemu_mode/patches/afl-qemu-common.h @@ -40,27 +40,27 @@ #define PERSISTENT_DEFAULT_MAX_CNT 1000 #ifdef CPU_NB_REGS -#define AFL_REGS_NUM CPU_NB_REGS +# define AFL_REGS_NUM CPU_NB_REGS #elif TARGET_ARM -#define AFL_REGS_NUM 32 +# define AFL_REGS_NUM 32 #elif TARGET_AARCH64 -#define AFL_REGS_NUM 32 +# define AFL_REGS_NUM 32 #else -#define AFL_REGS_NUM 100 +# define AFL_REGS_NUM 100 #endif /* NeverZero */ #if (defined(__x86_64__) || defined(__i386__)) && defined(AFL_QEMU_NOT_ZERO) -#define INC_AFL_AREA(loc) \ - asm volatile( \ - "incb (%0, %1, 1)\n" \ - "adcb $0, (%0, %1, 1)\n" \ - : /* no out */ \ - : "r"(afl_area_ptr), "r"(loc) \ - : "memory", "eax") +# define INC_AFL_AREA(loc) \ + asm volatile( \ + "incb (%0, %1, 1)\n" \ + "adcb $0, (%0, %1, 1)\n" \ + : /* no out */ \ + : "r"(afl_area_ptr), "r"(loc) \ + : "memory", "eax") #else -#define INC_AFL_AREA(loc) afl_area_ptr[loc]++ +# define INC_AFL_AREA(loc) afl_area_ptr[loc]++ #endif typedef void (*afl_persistent_hook_fn)(uint64_t *regs, uint64_t guest_base); diff --git a/qemu_mode/patches/afl-qemu-cpu-inl.h b/qemu_mode/patches/afl-qemu-cpu-inl.h index 78a8f800..de271f9f 100644 --- a/qemu_mode/patches/afl-qemu-cpu-inl.h +++ b/qemu_mode/patches/afl-qemu-cpu-inl.h @@ -35,7 +35,7 @@ #include "afl-qemu-common.h" #ifndef AFL_QEMU_STATIC_BUILD -#include +# include #endif /*************************** diff --git a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h index 2e740ad9..1fdfb247 100644 --- a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h +++ b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h @@ -36,9 +36,9 @@ #include "tcg-op.h" #if TCG_TARGET_REG_BITS == 64 -#define _DEFAULT_MO MO_64 +# define _DEFAULT_MO MO_64 #else -#define _DEFAULT_MO MO_32 +# define _DEFAULT_MO MO_32 #endif static void afl_gen_compcov(target_ulong cur_loc, TCGv arg1, TCGv arg2, diff --git a/src/afl-analyze.c b/src/afl-analyze.c index 4e973672..6b67da43 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -27,7 +27,7 @@ #define AFL_MAIN #ifdef __ANDROID__ -#include "android-ashmem.h" +# include "android-ashmem.h" #endif #include "config.h" #include "types.h" diff --git a/src/afl-as.c b/src/afl-as.c index cf7f8bb6..83bb7e96 100644 --- a/src/afl-as.c +++ b/src/afl-as.c @@ -79,9 +79,9 @@ static u8 use_64bit = 1; static u8 use_64bit = 0; -#ifdef __APPLE__ -#error "Sorry, 32-bit Apple platforms are not supported." -#endif /* __APPLE__ */ +# ifdef __APPLE__ +# error "Sorry, 32-bit Apple platforms are not supported." +# endif /* __APPLE__ */ #endif /* ^WORD_SIZE_64 */ diff --git a/src/afl-common.c b/src/afl-common.c index d9d57863..70dde2f0 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -34,7 +34,7 @@ /* Detect @@ in args. */ #ifndef __glibc__ -#include +# include #endif #include #include diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 32481887..7f4fa3d9 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -33,11 +33,11 @@ void bind_to_free_cpu(afl_state_t *afl) { -#if defined(__linux__) || defined(__FreeBSD__) || defined(__DragonFly__) +# if defined(__linux__) || defined(__FreeBSD__) || defined(__DragonFly__) cpu_set_t c; -#elif defined(__NetBSD__) +# elif defined(__NetBSD__) cpuset_t * c; -#endif +# endif u8 cpu_used[4096] = {0}; u32 i; @@ -51,7 +51,7 @@ void bind_to_free_cpu(afl_state_t *afl) { } -#if defined(__linux__) +# if defined(__linux__) DIR * d; struct dirent *de; d = opendir("/proc"); @@ -112,7 +112,7 @@ void bind_to_free_cpu(afl_state_t *afl) { } closedir(d); -#elif defined(__FreeBSD__) || defined(__DragonFly__) +# elif defined(__FreeBSD__) || defined(__DragonFly__) struct kinfo_proc *procs; size_t nprocs; size_t proccount; @@ -133,7 +133,7 @@ void bind_to_free_cpu(afl_state_t *afl) { for (i = 0; i < proccount; i++) { -#if defined(__FreeBSD__) +# if defined(__FreeBSD__) if (!strcmp(procs[i].ki_comm, "idle")) continue; // fix when ki_oncpu = -1 @@ -143,16 +143,16 @@ void bind_to_free_cpu(afl_state_t *afl) { if (oncpu != -1 && oncpu < sizeof(cpu_used) && procs[i].ki_pctcpu > 60) cpu_used[oncpu] = 1; -#elif defined(__DragonFly__) +# elif defined(__DragonFly__) if (procs[i].kp_lwp.kl_cpuid < sizeof(cpu_used) && procs[i].kp_lwp.kl_pctcpu > 10) cpu_used[procs[i].kp_lwp.kl_cpuid] = 1; -#endif +# endif } ck_free(procs); -#elif defined(__NetBSD__) +# elif defined(__NetBSD__) struct kinfo_proc2 *procs; size_t nprocs; size_t proccount; @@ -181,15 +181,15 @@ void bind_to_free_cpu(afl_state_t *afl) { } ck_free(procs); -#else -#warning \ - "For this platform we do not have free CPU binding code yet. If possible, please supply a PR to https://github.com/AFLplusplus/AFLplusplus" -#endif +# else +# warning \ + "For this platform we do not have free CPU binding code yet. If possible, please supply a PR to https://github.com/AFLplusplus/AFLplusplus" +# endif size_t cpu_start = 0; try: -#ifndef __ANDROID__ +# ifndef __ANDROID__ for (i = cpu_start; i < afl->cpu_core_count; i++) { if (!cpu_used[i]) { break; } @@ -198,12 +198,12 @@ void bind_to_free_cpu(afl_state_t *afl) { if (i == afl->cpu_core_count) { -#else +# else for (i = afl->cpu_core_count - cpu_start - 1; i > -1; i--) if (!cpu_used[i]) break; if (i == -1) { -#endif +# endif SAYF("\n" cLRD "[-] " cRST "Uh-oh, looks like all %d CPU cores on your system are allocated to\n" @@ -221,16 +221,16 @@ void bind_to_free_cpu(afl_state_t *afl) { afl->cpu_aff = i; -#if defined(__linux__) || defined(__FreeBSD__) || defined(__DragonFly__) +# if defined(__linux__) || defined(__FreeBSD__) || defined(__DragonFly__) CPU_ZERO(&c); CPU_SET(i, &c); -#elif defined(__NetBSD__) +# elif defined(__NetBSD__) c = cpuset_create(); if (c == NULL) PFATAL("cpuset_create failed"); cpuset_set(i, c); -#endif +# endif -#if defined(__linux__) +# if defined(__linux__) if (sched_setaffinity(0, sizeof(c), &c)) { if (cpu_start == afl->cpu_core_count) { @@ -246,7 +246,7 @@ void bind_to_free_cpu(afl_state_t *afl) { } -#elif defined(__FreeBSD__) || defined(__DragonFly__) +# elif defined(__FreeBSD__) || defined(__DragonFly__) if (pthread_setaffinity_np(pthread_self(), sizeof(c), &c)) { if (cpu_start == afl->cpu_core_count) @@ -258,7 +258,7 @@ void bind_to_free_cpu(afl_state_t *afl) { } -#elif defined(__NetBSD__) +# elif defined(__NetBSD__) if (pthread_setaffinity_np(pthread_self(), cpuset_size(c), c)) { if (cpu_start == afl->cpu_core_count) @@ -271,10 +271,10 @@ if (pthread_setaffinity_np(pthread_self(), cpuset_size(c), c)) { } cpuset_destroy(c); -#else +# else // this will need something for other platforms // TODO: Solaris/Illumos has processor_bind ... might worth a try -#endif +# endif } @@ -1565,7 +1565,7 @@ void check_crash_handling(void) { until I get a box to test the code. So, for now, we check for crash reporting the awful way. */ -#if !TARGET_OS_IPHONE +# if !TARGET_OS_IPHONE if (system("launchctl list 2>/dev/null | grep -q '\\.ReportCrash$'")) return; SAYF( @@ -1583,7 +1583,7 @@ void check_crash_handling(void) { " launchctl unload -w ${SL}/LaunchAgents/${PL}.plist\n" " sudo launchctl unload -w ${SL}/LaunchDaemons/${PL}.Root.plist\n"); -#endif +# endif if (!get_afl_env("AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES")) FATAL("Crash reporter detected"); @@ -1778,26 +1778,26 @@ void get_core_count(afl_state_t *afl) { /* On *BSD systems, we can just use a sysctl to get the number of CPUs. */ -#ifdef __APPLE__ +# ifdef __APPLE__ if (sysctlbyname("hw.logicalcpu", &afl->cpu_core_count, &s, NULL, 0) < 0) return; -#else +# else int s_name[2] = {CTL_HW, HW_NCPU}; if (sysctl(s_name, 2, &afl->cpu_core_count, &s, NULL, 0) < 0) return; -#endif /* ^__APPLE__ */ +# endif /* ^__APPLE__ */ #else -#ifdef HAVE_AFFINITY +# ifdef HAVE_AFFINITY afl->cpu_core_count = sysconf(_SC_NPROCESSORS_ONLN); -#else +# else FILE *f = fopen("/proc/stat", "r"); u8 tmp[1024]; @@ -1809,7 +1809,7 @@ void get_core_count(afl_state_t *afl) { fclose(f); -#endif /* ^HAVE_AFFINITY */ +# endif /* ^HAVE_AFFINITY */ #endif /* ^(__APPLE__ || __FreeBSD__ || __OpenBSD__) */ @@ -2102,12 +2102,12 @@ void check_binary(afl_state_t *afl, u8 *fname) { #else -#if !defined(__arm__) && !defined(__arm64__) +# if !defined(__arm__) && !defined(__arm64__) if ((f_data[0] != 0xCF || f_data[1] != 0xFA || f_data[2] != 0xED) && (f_data[0] != 0xCA || f_data[1] != 0xFE || f_data[2] != 0xBA)) FATAL("Program '%s' is not a 64-bit or universal Mach-O binary", afl->fsrv.target_path); -#endif +# endif #endif /* ^!__APPLE__ */ diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c index e90d91d1..c8b58a1b 100644 --- a/src/afl-fuzz-python.c +++ b/src/afl-fuzz-python.c @@ -37,9 +37,9 @@ static void *unsupported(afl_state_t *afl, unsigned int seed) { /* sorry for this makro... it just fills in `&py_mutator->something_buf, &py_mutator->something_size`. */ -#define BUF_PARAMS(name) \ - (void **)&((py_mutator_t *)py_mutator)->name##_buf, \ - &((py_mutator_t *)py_mutator)->name##_size +# define BUF_PARAMS(name) \ + (void **)&((py_mutator_t *)py_mutator)->name##_buf, \ + &((py_mutator_t *)py_mutator)->name##_size static size_t fuzz_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf, u8 *add_buf, size_t add_buf_size, size_t max_size) { @@ -72,11 +72,11 @@ static size_t fuzz_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf, PyTuple_SetItem(py_args, 1, py_value); /* max_size */ -#if PY_MAJOR_VERSION >= 3 +# if PY_MAJOR_VERSION >= 3 py_value = PyLong_FromLong(max_size); -#else +# else py_value = PyInt_FromLong(max_size); -#endif +# endif if (!py_value) { Py_DECREF(py_args); @@ -118,11 +118,11 @@ static py_mutator_t *init_py_module(afl_state_t *afl, u8 *module_name) { Py_Initialize(); -#if PY_MAJOR_VERSION >= 3 +# if PY_MAJOR_VERSION >= 3 PyObject *py_name = PyUnicode_FromString(module_name); -#else +# else PyObject *py_name = PyString_FromString(module_name); -#endif +# endif py->py_module = PyImport_Import(py_name); Py_DECREF(py_name); @@ -243,11 +243,11 @@ static void init_py(afl_state_t *afl, py_mutator_t *py_mutator, /* Provide the init function a seed for the Python RNG */ py_args = PyTuple_New(1); -#if PY_MAJOR_VERSION >= 3 +# if PY_MAJOR_VERSION >= 3 py_value = PyLong_FromLong(seed); -#else +# else py_value = PyInt_FromLong(seed); -#endif +# endif if (!py_value) { @@ -440,11 +440,11 @@ s32 init_trim_py(void *py_mutator, u8 *buf, size_t buf_size) { if (py_value != NULL) { -#if PY_MAJOR_VERSION >= 3 +# if PY_MAJOR_VERSION >= 3 u32 retcnt = (u32)PyLong_AsLong(py_value); -#else +# else u32 retcnt = PyInt_AsLong(py_value); -#endif +# endif Py_DECREF(py_value); return retcnt; @@ -479,11 +479,11 @@ s32 post_trim_py(void *py_mutator, u8 success) { if (py_value != NULL) { -#if PY_MAJOR_VERSION >= 3 +# if PY_MAJOR_VERSION >= 3 u32 retcnt = (u32)PyLong_AsLong(py_value); -#else +# else u32 retcnt = PyInt_AsLong(py_value); -#endif +# endif Py_DECREF(py_value); return retcnt; @@ -543,11 +543,11 @@ size_t havoc_mutation_py(void *py_mutator, u8 *buf, size_t buf_size, PyTuple_SetItem(py_args, 0, py_value); /* max_size */ -#if PY_MAJOR_VERSION >= 3 +# if PY_MAJOR_VERSION >= 3 py_value = PyLong_FromLong(max_size); -#else +# else py_value = PyInt_FromLong(max_size); -#endif +# endif if (!py_value) { Py_DECREF(py_args); @@ -625,11 +625,11 @@ u8 queue_get_py(void *py_mutator, const u8 *filename) { py_args = PyTuple_New(1); // File name -#if PY_MAJOR_VERSION >= 3 +# if PY_MAJOR_VERSION >= 3 py_value = PyUnicode_FromString(filename); -#else +# else py_value = PyString_FromString(filename); -#endif +# endif if (!py_value) { Py_DECREF(py_args); @@ -675,11 +675,11 @@ void queue_new_entry_py(void *py_mutator, const u8 *filename_new_queue, py_args = PyTuple_New(2); // New queue -#if PY_MAJOR_VERSION >= 3 +# if PY_MAJOR_VERSION >= 3 py_value = PyUnicode_FromString(filename_new_queue); -#else +# else py_value = PyString_FromString(filename_new_queue); -#endif +# endif if (!py_value) { Py_DECREF(py_args); @@ -693,11 +693,11 @@ void queue_new_entry_py(void *py_mutator, const u8 *filename_new_queue, py_value = Py_None; if (filename_orig_queue) { -#if PY_MAJOR_VERSION >= 3 +# if PY_MAJOR_VERSION >= 3 py_value = PyUnicode_FromString(filename_orig_queue); -#else +# else py_value = PyString_FromString(filename_orig_queue); -#endif +# endif if (!py_value) { Py_DECREF(py_args); @@ -724,7 +724,7 @@ void queue_new_entry_py(void *py_mutator, const u8 *filename_new_queue, } -#undef BUF_PARAMS +# undef BUF_PARAMS #endif /* USE_PYTHON */ diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index aaf615e9..29ec8fd5 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -853,7 +853,7 @@ int main(int argc, char **argv_orig, char **envp) { } -#if defined(__SANITIZE_ADDRESS__) +# if defined(__SANITIZE_ADDRESS__) if (afl->fsrv.mem_limit) { WARNF("in the ASAN build we disable all memory limits"); @@ -861,7 +861,7 @@ int main(int argc, char **argv_orig, char **envp) { } -#endif +# endif setup_signal_handlers(); check_asan_opts(); @@ -1054,9 +1054,9 @@ int main(int argc, char **argv_orig, char **envp) { get_core_count(afl); -#ifdef HAVE_AFFINITY +# ifdef HAVE_AFFINITY bind_to_free_cpu(afl); -#endif /* HAVE_AFFINITY */ +# endif /* HAVE_AFFINITY */ check_crash_handling(); check_cpu_governor(afl); @@ -1352,12 +1352,12 @@ stop_fuzzing: } -#ifdef PROFILING +# ifdef PROFILING SAYF(cYEL "[!] " cRST "Profiling information: %llu ms total work, %llu ns/run\n", time_spent_working / 1000000, time_spent_working / afl->fsrv.total_execs); -#endif +# endif fclose(afl->fsrv.plot_file); destroy_queue(afl); diff --git a/src/afl-gotcpu.c b/src/afl-gotcpu.c index ab7aad5c..573ad4dc 100644 --- a/src/afl-gotcpu.c +++ b/src/afl-gotcpu.c @@ -32,11 +32,11 @@ #define AFL_MAIN #ifndef _GNU_SOURCE -#define _GNU_SOURCE +# define _GNU_SOURCE #endif #ifdef __ANDROID__ -#include "android-ashmem.h" +# include "android-ashmem.h" #endif #include #include @@ -55,22 +55,22 @@ #if defined(__linux__) || defined(__FreeBSD__) || defined(__NetBSD__) || \ defined(__APPLE__) || defined(__DragonFly__) -#define HAVE_AFFINITY 1 -#if defined(__FreeBSD__) || defined(__DragonFly__) -#include -#include -#if defined(__FreeBSD__) -#include -#endif -#define cpu_set_t cpuset_t -#elif defined(__NetBSD__) -#include -#include -#elif defined(__APPLE__) -#include -#include -#include -#endif +# define HAVE_AFFINITY 1 +# if defined(__FreeBSD__) || defined(__DragonFly__) +# include +# include +# if defined(__FreeBSD__) +# include +# endif +# define cpu_set_t cpuset_t +# elif defined(__NetBSD__) +# include +# include +# elif defined(__APPLE__) +# include +# include +# include +# endif #endif /* __linux__ || __FreeBSD__ || __NetBSD__ || __APPLE__ */ /* Get CPU usage in microseconds. */ @@ -163,46 +163,46 @@ int main(int argc, char **argv) { if (!fr) { u32 util_perc; -#if defined(__linux__) || defined(__FreeBSD__) || defined(__DragonFly__) +# if defined(__linux__) || defined(__FreeBSD__) || defined(__DragonFly__) cpu_set_t c; CPU_ZERO(&c); CPU_SET(i, &c); -#elif defined(__NetBSD__) +# elif defined(__NetBSD__) cpuset_t *c; c = cpuset_create(); if (c == NULL) PFATAL("cpuset_create failed"); cpuset_set(i, c); -#elif defined(__APPLE__) +# elif defined(__APPLE__) thread_affinity_policy_data_t c = {i}; thread_port_t native_thread = pthread_mach_thread_np(pthread_self()); if (thread_policy_set(native_thread, THREAD_AFFINITY_POLICY, (thread_policy_t)&c, 1) != KERN_SUCCESS) PFATAL("thread_policy_set failed"); -#endif +# endif -#if defined(__FreeBSD__) || defined(__DragonFly__) +# if defined(__FreeBSD__) || defined(__DragonFly__) if (pthread_setaffinity_np(pthread_self(), sizeof(c), &c)) PFATAL("pthread_setaffinity_np failed"); -#endif +# endif -#if defined(__NetBSD__) +# if defined(__NetBSD__) if (pthread_setaffinity_np(pthread_self(), cpuset_size(c), c)) PFATAL("pthread_setaffinity_np failed"); cpuset_destroy(c); -#endif +# endif -#if defined(__linux__) +# if defined(__linux__) if (sched_setaffinity(0, sizeof(c), &c)) { PFATAL("sched_setaffinity failed for cpu %d", i); } -#endif +# endif util_perc = measure_preemption(CTEST_CORE_TRG_MS); diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c index e024eb18..d52a8e0d 100644 --- a/src/afl-sharedmem.c +++ b/src/afl-sharedmem.c @@ -27,7 +27,7 @@ #define AFL_MAIN #ifdef __ANDROID__ -#include "android-ashmem.h" +# include "android-ashmem.h" #endif #include "config.h" #include "types.h" @@ -56,8 +56,8 @@ #include #ifndef USEMMAP -#include -#include +# include +# include #endif static list_t shm_list = {.element_prealloc_count = 0}; diff --git a/src/afl-showmap.c b/src/afl-showmap.c index ed59f2f5..6d16e9c4 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -32,7 +32,7 @@ #define AFL_MAIN #ifdef __ANDROID__ -#include "android-ashmem.h" +# include "android-ashmem.h" #endif #include "config.h" #include "types.h" diff --git a/src/afl-tmin.c b/src/afl-tmin.c index e15dc72d..7ac76366 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -30,7 +30,7 @@ #define AFL_MAIN #ifdef __ANDROID__ -#include "android-ashmem.h" +# include "android-ashmem.h" #endif #include "config.h" -- cgit 1.4.1 From 30bfd44dfd9f442d5514a7100d76d1fd3d9deb74 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sun, 10 May 2020 12:09:37 +0200 Subject: indenting preprocessor directives breaks compilation and cant be fixed, reverting ... :-( --- .clang-format | 1 - examples/afl_network_proxy/afl-network-client.c | 12 +- examples/afl_network_proxy/afl-network-server.c | 4 +- examples/afl_proxy/afl-proxy.c | 2 +- examples/afl_untracer/afl-untracer.c | 42 ++-- gcc_plugin/afl-gcc-pass.so.cc | 10 +- gcc_plugin/afl-gcc-rt.o.c | 4 +- include/afl-as.h | 12 +- include/afl-fuzz.h | 86 ++++----- include/alloc-inl.h | 246 ++++++++++++------------ include/android-ashmem.h | 42 ++-- include/config.h | 26 +-- include/debug.h | 204 ++++++++++---------- include/forkserver.h | 18 +- include/hash.h | 4 +- include/types.h | 82 ++++---- libdislocator/libdislocator.so.c | 98 +++++----- libtokencap/libtokencap.so.c | 46 ++--- llvm_mode/LLVMInsTrim.so.cc | 20 +- llvm_mode/MarkNodes.cc | 4 +- llvm_mode/afl-llvm-common.h | 8 +- llvm_mode/afl-llvm-pass.so.cc | 16 +- llvm_mode/afl-llvm-rt.o.c | 24 +-- llvm_mode/cmplog-instructions-pass.cc | 10 +- llvm_mode/cmplog-routines-pass.cc | 10 +- llvm_mode/compare-transform-pass.so.cc | 10 +- llvm_mode/split-compares-pass.so.cc | 10 +- llvm_mode/split-switches-pass.so.cc | 10 +- qbdi_mode/template.cpp | 18 +- qemu_mode/libcompcov/libcompcov.so.c | 4 +- qemu_mode/patches/afl-qemu-common.h | 24 +-- qemu_mode/patches/afl-qemu-cpu-inl.h | 2 +- qemu_mode/patches/afl-qemu-cpu-translate-inl.h | 4 +- src/afl-analyze.c | 2 +- src/afl-as.c | 6 +- src/afl-common.c | 2 +- src/afl-fuzz-init.c | 68 +++---- src/afl-fuzz-python.c | 70 +++---- src/afl-fuzz.c | 12 +- src/afl-gotcpu.c | 56 +++--- src/afl-sharedmem.c | 6 +- src/afl-showmap.c | 2 +- src/afl-tmin.c | 2 +- 43 files changed, 676 insertions(+), 663 deletions(-) (limited to 'llvm_mode') diff --git a/.clang-format b/.clang-format index d1051cb8..bf15cdc0 100644 --- a/.clang-format +++ b/.clang-format @@ -72,7 +72,6 @@ IncludeCategories: Priority: 3 IncludeIsMainRegex: '([-_](test|unittest))?$' IndentCaseLabels: true -IndentPPDirectives: AfterHash IndentWidth: 2 IndentWrappedFunctionNames: false JavaScriptQuotes: Leave diff --git a/examples/afl_network_proxy/afl-network-client.c b/examples/afl_network_proxy/afl-network-client.c index fca2a9f1..cf09b2ad 100644 --- a/examples/afl_network_proxy/afl-network-client.c +++ b/examples/afl_network_proxy/afl-network-client.c @@ -15,7 +15,7 @@ */ #ifdef __ANDROID__ -# include "android-ashmem.h" +#include "android-ashmem.h" #endif #include "config.h" #include "types.h" @@ -42,7 +42,7 @@ #include #ifdef USE_DEFLATE -# include +#include #endif u8 *__afl_area_ptr; @@ -321,7 +321,7 @@ int main(int argc, char *argv[]) { // fprintf(stderr, "Sending testcase with len %u\n", *lenptr); #ifdef USE_DEFLATE -# ifdef COMPRESS_TESTCASES +#ifdef COMPRESS_TESTCASES // we only compress the testcase if it does not fit in the TCP packet if (*lenptr > 1500 - 20 - 32 - 4) { @@ -341,17 +341,17 @@ int main(int argc, char *argv[]) { } else { -# endif +#endif #endif if (send(s, buf, *lenptr + 4, 0) != *lenptr + 4) PFATAL("sending test data failed"); #ifdef USE_DEFLATE -# ifdef COMPRESS_TESTCASES +#ifdef COMPRESS_TESTCASES // fprintf(stderr, "unCOMPRESS (%u)\n", *lenptr); } -# endif +#endif #endif received = 0; diff --git a/examples/afl_network_proxy/afl-network-server.c b/examples/afl_network_proxy/afl-network-server.c index 7d97e2db..2de91cbd 100644 --- a/examples/afl_network_proxy/afl-network-server.c +++ b/examples/afl_network_proxy/afl-network-server.c @@ -25,7 +25,7 @@ #define AFL_MAIN #ifdef __ANDROID__ -# include "android-ashmem.h" +#include "android-ashmem.h" #endif #include "config.h" @@ -62,7 +62,7 @@ #include #ifdef USE_DEFLATE -# include +#include struct libdeflate_compressor * compressor; struct libdeflate_decompressor *decompressor; #endif diff --git a/examples/afl_proxy/afl-proxy.c b/examples/afl_proxy/afl-proxy.c index 46861008..36121e17 100644 --- a/examples/afl_proxy/afl-proxy.c +++ b/examples/afl_proxy/afl-proxy.c @@ -24,7 +24,7 @@ */ #ifdef __ANDROID__ -# include "android-ashmem.h" +#include "android-ashmem.h" #endif #include "config.h" #include "types.h" diff --git a/examples/afl_untracer/afl-untracer.c b/examples/afl_untracer/afl-untracer.c index cc614f67..5dbc71bf 100644 --- a/examples/afl_untracer/afl-untracer.c +++ b/examples/afl_untracer/afl-untracer.c @@ -34,7 +34,7 @@ #define _GNU_SOURCE #ifdef __ANDROID__ -# include "android-ashmem.h" +#include "android-ashmem.h" #endif #include "config.h" #include "types.h" @@ -58,14 +58,14 @@ #include #if defined(__linux__) -# include +#include #elif defined(__APPLE__) && defined(__LP64__) -# include +#include #elif defined(__FreeBSD__) -# include -# include +#include +#include #else -# error "Unsupported platform" +#error "Unsupported platform" #endif #define MEMORY_MAP_DECREMENT 0x200000000000 @@ -446,15 +446,15 @@ static void __afl_end_testcase(int status) { } #ifdef __aarch64__ -# define SHADOW(addr) \ - ((uint64_t *)(((uintptr_t)addr & 0xfffffffffffffff8) - \ - MEMORY_MAP_DECREMENT - \ - ((uintptr_t)addr & 0x7) * 0x10000000000)) +#define SHADOW(addr) \ + ((uint64_t *)(((uintptr_t)addr & 0xfffffffffffffff8) - \ + MEMORY_MAP_DECREMENT - \ + ((uintptr_t)addr & 0x7) * 0x10000000000)) #else -# define SHADOW(addr) \ - ((uint32_t *)(((uintptr_t)addr & 0xfffffffffffffffc) - \ - MEMORY_MAP_DECREMENT - \ - ((uintptr_t)addr & 0x3) * 0x10000000000)) +#define SHADOW(addr) \ + ((uint32_t *)(((uintptr_t)addr & 0xfffffffffffffffc) - \ + MEMORY_MAP_DECREMENT - \ + ((uintptr_t)addr & 0x3) * 0x10000000000)) #endif void setup_trap_instrumentation() { @@ -583,7 +583,7 @@ void setup_trap_instrumentation() { #else // this will be ARM and AARCH64 // for ARM we will need to identify if the code is in thumb or ARM -# error "non x86_64/aarch64 not supported yet" +#error "non x86_64/aarch64 not supported yet" //__arm__: // linux thumb: 0xde01 // linux arm: 0xe7f001f0 @@ -622,20 +622,20 @@ static void sigtrap_handler(int signum, siginfo_t *si, void *context) { ctx->uc_mcontext->__ss.__rip -= 1; addr = ctx->uc_mcontext->__ss.__rip; #elif defined(__linux__) -# if defined(__x86_64__) || defined(__i386__) +#if defined(__x86_64__) || defined(__i386__) ctx->uc_mcontext.gregs[REG_RIP] -= 1; addr = ctx->uc_mcontext.gregs[REG_RIP]; -# elif defined(__aarch64__) +#elif defined(__aarch64__) ctx->uc_mcontext.pc -= 4; addr = ctx->uc_mcontext.pc; -# else -# error "Unsupported processor" -# endif +#else +#error "Unsupported processor" +#endif #elif defined(__FreeBSD__) && defined(__LP64__) ctx->uc_mcontext.mc_rip -= 1; addr = ctx->uc_mcontext.mc_rip; #else -# error "Unsupported platform" +#error "Unsupported platform" #endif // fprintf(stderr, "TRAP at context addr = %lx, fault addr = %lx\n", addr, diff --git a/gcc_plugin/afl-gcc-pass.so.cc b/gcc_plugin/afl-gcc-pass.so.cc index b5ff9e25..6e4e1335 100644 --- a/gcc_plugin/afl-gcc-pass.so.cc +++ b/gcc_plugin/afl-gcc-pass.so.cc @@ -55,10 +55,10 @@ /* clear helper macros AFL types pull in, which intervene with gcc-plugin * headers from GCC-8 */ #ifdef likely -# undef likely +#undef likely #endif #ifdef unlikely -# undef unlikely +#undef unlikely #endif #include @@ -295,16 +295,16 @@ static unsigned int inline_instrument(function *fun) { update_stmt(g); #if 1 -# if 0 +#if 0 tree addr = build2(ADDR_EXPR, map_type, map_ptr, area_off); g = gimple_build_assign(map_ptr2, MODIFY_EXPR, addr); gimple_seq_add_stmt(&seq, g); // map_ptr2 = map_ptr + area_off update_stmt(g); -# else +#else g = gimple_build_assign(map_ptr2, PLUS_EXPR, map_ptr, area_off); gimple_seq_add_stmt(&seq, g); // map_ptr2 = map_ptr + area_off update_stmt(g); -# endif +#endif // gimple_assign tree tmp1 = create_tmp_var_raw(unsigned_char_type_node, "tmp1"); diff --git a/gcc_plugin/afl-gcc-rt.o.c b/gcc_plugin/afl-gcc-rt.o.c index e0e221b3..0a2246e7 100644 --- a/gcc_plugin/afl-gcc-rt.o.c +++ b/gcc_plugin/afl-gcc-rt.o.c @@ -20,13 +20,13 @@ */ #ifdef __ANDROID__ -# include "android-ashmem.h" +#include "android-ashmem.h" #endif #include "../config.h" #include "../types.h" #ifdef USEMMAP -# include +#include #endif #include #include diff --git a/include/afl-as.h b/include/afl-as.h index d539b082..a2bf1f9c 100644 --- a/include/afl-as.h +++ b/include/afl-as.h @@ -404,9 +404,9 @@ static const u8 *main_payload_32 = recognize .string. */ #ifdef __APPLE__ -# define CALL_L64(str) "call _" str "\n" +#define CALL_L64(str) "call _" str "\n" #else -# define CALL_L64(str) "call " str "@PLT\n" +#define CALL_L64(str) "call " str "@PLT\n" #endif /* ^__APPLE__ */ static const u8 *main_payload_64 = @@ -744,9 +744,9 @@ static const u8 *main_payload_64 = #ifdef __APPLE__ " .comm __afl_area_ptr, 8\n" -# ifndef COVERAGE_ONLY +#ifndef COVERAGE_ONLY " .comm __afl_prev_loc, 8\n" -# endif /* !COVERAGE_ONLY */ +#endif /* !COVERAGE_ONLY */ " .comm __afl_fork_pid, 4\n" " .comm __afl_temp, 4\n" " .comm __afl_setup_failure, 1\n" @@ -754,9 +754,9 @@ static const u8 *main_payload_64 = #else " .lcomm __afl_area_ptr, 8\n" -# ifndef COVERAGE_ONLY +#ifndef COVERAGE_ONLY " .lcomm __afl_prev_loc, 8\n" -# endif /* !COVERAGE_ONLY */ +#endif /* !COVERAGE_ONLY */ " .lcomm __afl_fork_pid, 4\n" " .lcomm __afl_temp, 4\n" " .lcomm __afl_setup_failure, 1\n" diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 96d03ae2..9f306b7e 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -31,14 +31,14 @@ #define MESSAGES_TO_STDOUT #ifndef _GNU_SOURCE -# define _GNU_SOURCE 1 +#define _GNU_SOURCE 1 #endif #ifndef _FILE_OFFSET_BITS -# define _FILE_OFFSET_BITS 64 +#define _FILE_OFFSET_BITS 64 #endif #ifdef __ANDROID__ -# include "android-ashmem.h" +#include "android-ashmem.h" #endif #include "config.h" @@ -76,7 +76,7 @@ #if defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__) || \ defined(__NetBSD__) || defined(__DragonFly__) -# include +#include #endif /* __APPLE__ || __FreeBSD__ || __OpenBSD__ */ /* For systems that have sched_setaffinity; right now just Linux, but one @@ -84,31 +84,31 @@ #if defined(__linux__) || defined(__FreeBSD__) || defined(__NetBSD__) || \ defined(__DragonFly__) -# define HAVE_AFFINITY 1 -# if defined(__FreeBSD__) || defined(__DragonFly__) -# include -# if defined(__FreeBSD__) -# include -# endif -# include -# include -# include -# define cpu_set_t cpuset_t -# elif defined(__NetBSD__) -# include -# endif +#define HAVE_AFFINITY 1 +#if defined(__FreeBSD__) || defined(__DragonFly__) +#include +#if defined(__FreeBSD__) +#include +#endif +#include +#include +#include +#define cpu_set_t cpuset_t +#elif defined(__NetBSD__) +#include +#endif #endif /* __linux__ */ #ifdef __APPLE__ -# include +#include #endif #undef LIST_FOREACH /* clashes with FreeBSD */ #include "list.h" #ifndef SIMPLE_FILES -# define CASE_PREFIX "id:" +#define CASE_PREFIX "id:" #else -# define CASE_PREFIX "id_" +#define CASE_PREFIX "id_" #endif /* ^!SIMPLE_FILES */ #define STAGE_BUF_SIZE (64) /* usable size for stage name buf in afl_state */ @@ -232,29 +232,29 @@ enum { #ifdef USE_PYTHON // because Python sets stuff it should not ... -# ifdef _POSIX_C_SOURCE -# define _SAVE_POSIX_C_SOURCE _POSIX_C_SOURCE -# undef _POSIX_C_SOURCE -# endif -# ifdef _XOPEN_SOURCE -# define _SAVE_XOPEN_SOURCE _XOPEN_SOURCE -# undef _XOPEN_SOURCE -# endif - -# include - -# ifdef _SAVE_POSIX_C_SOURCE -# ifdef _POSIX_C_SOURCE -# undef _POSIX_C_SOURCE -# endif -# define _POSIX_C_SOURCE _SAVE_POSIX_C_SOURCE -# endif -# ifdef _SAVE_XOPEN_SOURCE -# ifdef _XOPEN_SOURCE -# undef _XOPEN_SOURCE -# endif -# define _XOPEN_SOURCE _SAVE_XOPEN_SOURCE -# endif +#ifdef _POSIX_C_SOURCE +#define _SAVE_POSIX_C_SOURCE _POSIX_C_SOURCE +#undef _POSIX_C_SOURCE +#endif +#ifdef _XOPEN_SOURCE +#define _SAVE_XOPEN_SOURCE _XOPEN_SOURCE +#undef _XOPEN_SOURCE +#endif + +#include + +#ifdef _SAVE_POSIX_C_SOURCE +#ifdef _POSIX_C_SOURCE +#undef _POSIX_C_SOURCE +#endif +#define _POSIX_C_SOURCE _SAVE_POSIX_C_SOURCE +#endif +#ifdef _SAVE_XOPEN_SOURCE +#ifdef _XOPEN_SOURCE +#undef _XOPEN_SOURCE +#endif +#define _XOPEN_SOURCE _SAVE_XOPEN_SOURCE +#endif enum { diff --git a/include/alloc-inl.h b/include/alloc-inl.h index 7c8bab58..cc394040 100644 --- a/include/alloc-inl.h +++ b/include/alloc-inl.h @@ -45,39 +45,40 @@ /* User-facing macro to sprintf() to a dynamically allocated buffer. */ -# define alloc_printf(_str...) \ - ({ \ - u8 *_tmp; \ - s32 _len = snprintf(NULL, 0, _str); \ - if (_len < 0) FATAL("Whoa, snprintf() fails?!"); \ - _tmp = ck_alloc(_len + 1); \ - snprintf((char *)_tmp, _len + 1, _str); \ - _tmp; \ - - }) +#define alloc_printf(_str...) \ + ({ \ + \ + u8 *_tmp; \ + s32 _len = snprintf(NULL, 0, _str); \ + if (_len < 0) FATAL("Whoa, snprintf() fails?!"); \ + _tmp = ck_alloc(_len + 1); \ + snprintf((char *)_tmp, _len + 1, _str); \ + _tmp; \ + \ + }) /* Macro to enforce allocation limits as a last-resort defense against integer overflows. */ -# define ALLOC_CHECK_SIZE(_s) \ - do { \ - if ((_s) > MAX_ALLOC) ABORT("Bad alloc request: %u bytes", (_s)); \ - \ - - } while (0) +#define ALLOC_CHECK_SIZE(_s) \ + do { \ + \ + if ((_s) > MAX_ALLOC) ABORT("Bad alloc request: %u bytes", (_s)); \ + \ + } while (0) /* Macro to check malloc() failures and the like. */ -# define ALLOC_CHECK_RESULT(_r, _s) \ - do { \ - if (!(_r)) ABORT("Out of memory: can't allocate %u bytes", (_s)); \ - \ - - } while (0) +#define ALLOC_CHECK_RESULT(_r, _s) \ + do { \ + \ + if (!(_r)) ABORT("Out of memory: can't allocate %u bytes", (_s)); \ + \ + } while (0) /* Allocator increments for ck_realloc_block(). */ -# define ALLOC_BLK_INC 256 +#define ALLOC_BLK_INC 256 /* Allocate a buffer, explicitly not zeroing it. Returns NULL for zero-sized requests. */ @@ -213,103 +214,112 @@ static inline u8 *DFL_ck_memdup_str(u8 *mem, u32 size) { } -/* In non-debug mode, we just do straightforward aliasing of the above functions - to user-visible names such as ck_alloc(). */ +/* In non-debug mode, we just do straightforward aliasing of the above + functions to user-visible names such as ck_alloc(). */ -# define ck_alloc DFL_ck_alloc -# define ck_alloc_nozero DFL_ck_alloc_nozero -# define ck_realloc DFL_ck_realloc -# define ck_realloc_block DFL_ck_realloc_block -# define ck_strdup DFL_ck_strdup -# define ck_memdup DFL_ck_memdup -# define ck_memdup_str DFL_ck_memdup_str -# define ck_free DFL_ck_free +#define ck_alloc DFL_ck_alloc +#define ck_alloc_nozero DFL_ck_alloc_nozero +#define ck_realloc DFL_ck_realloc +#define ck_realloc_block DFL_ck_realloc_block +#define ck_strdup DFL_ck_strdup +#define ck_memdup DFL_ck_memdup +#define ck_memdup_str DFL_ck_memdup_str +#define ck_free DFL_ck_free -# define alloc_report() +#define alloc_report() #else // This is the original alloc-inl of stock afl /* User-facing macro to sprintf() to a dynamically allocated buffer. */ -# define alloc_printf(_str...) \ +#define alloc_printf(_str...) \ ({ \ + \ + \ u8 *_tmp; \ s32 _len = snprintf(NULL, 0, _str); \ if (_len < 0) FATAL("Whoa, snprintf() fails?!"); \ _tmp = ck_alloc(_len + 1); \ snprintf((char *)_tmp, _len + 1, _str); \ - _tmp; \ + _tmp; - }) +}) /* Macro to enforce allocation limits as a last-resort defense against integer overflows. */ +#define ALLOC_CHECK_SIZE(_s) \ + do { \ + \ + if ((_s) > MAX_ALLOC) ABORT("Bad alloc request: %u bytes", (_s)); -# define ALLOC_CHECK_SIZE(_s) \ - do { \ - if ((_s) > MAX_ALLOC) ABORT("Bad alloc request: %u bytes", (_s)); \ - \ +} - } while (0) +while (0) /* Macro to check malloc() failures and the like. */ -# define ALLOC_CHECK_RESULT(_r, _s) \ - do { \ - if (!(_r)) ABORT("Out of memory: can't allocate %u bytes", (_s)); \ - \ +#define ALLOC_CHECK_RESULT(_r, _s) \ + do { \ + \ + if (!(_r)) ABORT("Out of memory: can't allocate %u bytes", (_s)); - } while (0) +} + +while (0) /* Magic tokens used to mark used / freed chunks. */ -# define ALLOC_MAGIC_C1 0xFF00FF00 /* Used head (dword) */ -# define ALLOC_MAGIC_F 0xFE00FE00 /* Freed head (dword) */ -# define ALLOC_MAGIC_C2 0xF0 /* Used tail (byte) */ +#define ALLOC_MAGIC_C1 0xFF00FF00 /* Used head (dword) */ +#define ALLOC_MAGIC_F 0xFE00FE00 /* Freed head (dword) */ +#define ALLOC_MAGIC_C2 0xF0 /* Used tail (byte) */ /* Positions of guard tokens in relation to the user-visible pointer. */ -# define ALLOC_C1(_ptr) (((u32 *)(_ptr))[-2]) -# define ALLOC_S(_ptr) (((u32 *)(_ptr))[-1]) -# define ALLOC_C2(_ptr) (((u8 *)(_ptr))[ALLOC_S(_ptr)]) +#define ALLOC_C1(_ptr) (((u32 *)(_ptr))[-2]) +#define ALLOC_S(_ptr) (((u32 *)(_ptr))[-1]) +#define ALLOC_C2(_ptr) (((u8 *)(_ptr))[ALLOC_S(_ptr)]) -# define ALLOC_OFF_HEAD 8 -# define ALLOC_OFF_TOTAL (ALLOC_OFF_HEAD + 1) +#define ALLOC_OFF_HEAD 8 +#define ALLOC_OFF_TOTAL (ALLOC_OFF_HEAD + 1) /* Allocator increments for ck_realloc_block(). */ -# define ALLOC_BLK_INC 256 +#define ALLOC_BLK_INC 256 /* Sanity-checking macros for pointers. */ -# define CHECK_PTR(_p) \ - do { \ - if (_p) { \ - if (ALLOC_C1(_p) ^ ALLOC_MAGIC_C1) { \ - if (ALLOC_C1(_p) == ALLOC_MAGIC_F) \ - ABORT("Use after free."); \ - else \ - ABORT("Corrupted head alloc canary."); \ +#define CHECK_PTR(_p) \ + do { \ + \ + if (_p) { \ + \ + if (ALLOC_C1(_p) ^ ALLOC_MAGIC_C1) { \ + \ + if (ALLOC_C1(_p) == ALLOC_MAGIC_F) \ + ABORT("Use after free."); \ + else \ + ABORT("Corrupted head alloc canary."); - } \ +} - if (ALLOC_C2(_p) ^ ALLOC_MAGIC_C2) \ - ABORT("Corrupted tail alloc canary."); \ +if (ALLOC_C2(_p) ^ ALLOC_MAGIC_C2) ABORT("Corrupted tail alloc canary."); - } \ +} - \ +} - } while (0) +while (0) -# define CHECK_PTR_EXPR(_p) \ +#define CHECK_PTR_EXPR(_p) \ ({ \ + \ + \ typeof(_p) _tmp = (_p); \ CHECK_PTR(_tmp); \ - _tmp; \ + _tmp; - }) +}) /* Allocate a buffer, explicitly not zeroing it. Returns NULL for zero-sized requests. */ @@ -355,13 +365,12 @@ static inline void DFL_ck_free(void *mem) { if (!mem) return; CHECK_PTR(mem); - -# ifdef DEBUG_BUILD +#ifdef DEBUG_BUILD /* Catch pointer issues sooner. */ memset(mem, 0xFF, ALLOC_S(mem)); -# endif /* DEBUG_BUILD */ +#endif /* DEBUG_BUILD */ ALLOC_C1(mem) = ALLOC_MAGIC_F; @@ -389,9 +398,9 @@ static inline void *DFL_ck_realloc(void *orig, u32 size) { CHECK_PTR(orig); -# ifndef DEBUG_BUILD +#ifndef DEBUG_BUILD ALLOC_C1(orig) = ALLOC_MAGIC_F; -# endif /* !DEBUG_BUILD */ +#endif /* !DEBUG_BUILD */ old_size = ALLOC_S(orig); orig -= ALLOC_OFF_HEAD; @@ -402,12 +411,12 @@ static inline void *DFL_ck_realloc(void *orig, u32 size) { ALLOC_CHECK_SIZE(size); -# ifndef DEBUG_BUILD +#ifndef DEBUG_BUILD ret = realloc(orig, size + ALLOC_OFF_TOTAL); ALLOC_CHECK_RESULT(ret, size); -# else +#else /* Catch pointer issues sooner: force relocation and make sure that the original buffer is wiped. */ @@ -426,7 +435,7 @@ static inline void *DFL_ck_realloc(void *orig, u32 size) { } -# endif /* ^!DEBUG_BUILD */ +#endif /* ^!DEBUG_BUILD */ ret += ALLOC_OFF_HEAD; @@ -445,7 +454,7 @@ static inline void *DFL_ck_realloc(void *orig, u32 size) { static inline void *DFL_ck_realloc_block(void *orig, u32 size) { -# ifndef DEBUG_BUILD +#ifndef DEBUG_BUILD if (orig) { @@ -457,7 +466,7 @@ static inline void *DFL_ck_realloc_block(void *orig, u32 size) { } -# endif /* !DEBUG_BUILD */ +#endif /* !DEBUG_BUILD */ return DFL_ck_realloc(orig, size); @@ -537,30 +546,30 @@ static inline u8 *DFL_ck_memdup_str(u8 *mem, u32 size) { } -# ifndef DEBUG_BUILD +#ifndef DEBUG_BUILD -/* In non-debug mode, we just do straightforward aliasing of the above functions - to user-visible names such as ck_alloc(). */ +/* In non-debug mode, we just do straightforward aliasing of the above + functions to user-visible names such as ck_alloc(). */ -# define ck_alloc DFL_ck_alloc -# define ck_alloc_nozero DFL_ck_alloc_nozero -# define ck_realloc DFL_ck_realloc -# define ck_realloc_block DFL_ck_realloc_block -# define ck_strdup DFL_ck_strdup -# define ck_memdup DFL_ck_memdup -# define ck_memdup_str DFL_ck_memdup_str -# define ck_free DFL_ck_free +#define ck_alloc DFL_ck_alloc +#define ck_alloc_nozero DFL_ck_alloc_nozero +#define ck_realloc DFL_ck_realloc +#define ck_realloc_block DFL_ck_realloc_block +#define ck_strdup DFL_ck_strdup +#define ck_memdup DFL_ck_memdup +#define ck_memdup_str DFL_ck_memdup_str +#define ck_free DFL_ck_free -# define alloc_report() +#define alloc_report() -# else +#else -/* In debugging mode, we also track allocations to detect memory leaks, and the - flow goes through one more layer of indirection. */ +/* In debugging mode, we also track allocations to detect memory leaks, and + the flow goes through one more layer of indirection. */ /* Alloc tracking data structures: */ -# define ALLOC_BUCKETS 4096 +#define ALLOC_BUCKETS 4096 struct TRK_obj { @@ -570,25 +579,25 @@ struct TRK_obj { }; -# ifdef AFL_MAIN +#ifdef AFL_MAIN struct TRK_obj *TRK[ALLOC_BUCKETS]; u32 TRK_cnt[ALLOC_BUCKETS]; -# define alloc_report() TRK_report() +#define alloc_report() TRK_report() -# else +#else extern struct TRK_obj *TRK[ALLOC_BUCKETS]; extern u32 TRK_cnt[ALLOC_BUCKETS]; -# define alloc_report() +#define alloc_report() -# endif /* ^AFL_MAIN */ +#endif /* ^AFL_MAIN */ /* Bucket-assigning function for a given pointer: */ -# define TRKH(_ptr) (((((u32)(_ptr)) >> 16) ^ ((u32)(_ptr))) % ALLOC_BUCKETS) +#define TRKH(_ptr) (((((u32)(_ptr)) >> 16) ^ ((u32)(_ptr))) % ALLOC_BUCKETS) /* Add a new entry to the list of allocated objects. */ @@ -740,28 +749,27 @@ static inline void TRK_ck_free(void *ptr, const char *file, const char *func, /* Aliasing user-facing names to tracking functions: */ -# define ck_alloc(_p1) TRK_ck_alloc(_p1, __FILE__, __FUNCTION__, __LINE__) +#define ck_alloc(_p1) TRK_ck_alloc(_p1, __FILE__, __FUNCTION__, __LINE__) -# define ck_alloc_nozero(_p1) \ - TRK_ck_alloc(_p1, __FILE__, __FUNCTION__, __LINE__) +#define ck_alloc_nozero(_p1) TRK_ck_alloc(_p1, __FILE__, __FUNCTION__, __LINE__) -# define ck_realloc(_p1, _p2) \ - TRK_ck_realloc(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) +#define ck_realloc(_p1, _p2) \ + TRK_ck_realloc(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) -# define ck_realloc_block(_p1, _p2) \ - TRK_ck_realloc_block(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) +#define ck_realloc_block(_p1, _p2) \ + TRK_ck_realloc_block(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) -# define ck_strdup(_p1) TRK_ck_strdup(_p1, __FILE__, __FUNCTION__, __LINE__) +#define ck_strdup(_p1) TRK_ck_strdup(_p1, __FILE__, __FUNCTION__, __LINE__) -# define ck_memdup(_p1, _p2) \ - TRK_ck_memdup(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) +#define ck_memdup(_p1, _p2) \ + TRK_ck_memdup(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) -# define ck_memdup_str(_p1, _p2) \ - TRK_ck_memdup_str(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) +#define ck_memdup_str(_p1, _p2) \ + TRK_ck_memdup_str(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) -# define ck_free(_p1) TRK_ck_free(_p1, __FILE__, __FUNCTION__, __LINE__) +#define ck_free(_p1) TRK_ck_free(_p1, __FILE__, __FUNCTION__, __LINE__) -# endif /* ^!DEBUG_BUILD */ +#endif /* ^!DEBUG_BUILD */ #endif /* _WANT_ORIGINAL_AFL_ALLOC */ diff --git a/include/android-ashmem.h b/include/android-ashmem.h index 9502f2fb..77914c35 100644 --- a/include/android-ashmem.h +++ b/include/android-ashmem.h @@ -28,27 +28,27 @@ #ifdef __ANDROID__ -# include -# include -# include -# include -# include - -# if __ANDROID_API__ >= 26 -# define shmat bionic_shmat -# define shmctl bionic_shmctl -# define shmdt bionic_shmdt -# define shmget bionic_shmget -# endif - -# include -# undef shmat -# undef shmctl -# undef shmdt -# undef shmget -# include - -# define ASHMEM_DEVICE "/dev/ashmem" +#include +#include +#include +#include +#include + +#if __ANDROID_API__ >= 26 +#define shmat bionic_shmat +#define shmctl bionic_shmctl +#define shmdt bionic_shmdt +#define shmget bionic_shmget +#endif + +#include +#undef shmat +#undef shmctl +#undef shmdt +#undef shmget +#include + +#define ASHMEM_DEVICE "/dev/ashmem" static inline int shmctl(int __shmid, int __cmd, struct shmid_ds *__buf) { diff --git a/include/config.h b/include/config.h index 7d348149..c21d775a 100644 --- a/include/config.h +++ b/include/config.h @@ -49,7 +49,7 @@ /* Comment out to disable fancy ANSI boxes and use poor man's 7-bit UI: */ #ifndef ANDROID_DISABLE_FANCY // Fancy boxes are ugly from adb -# define FANCY_BOXES +#define FANCY_BOXES #endif /* Default timeout for fuzzed code (milliseconds). This is the upper bound, @@ -63,20 +63,20 @@ /* 64bit arch MACRO */ #if (defined(__x86_64__) || defined(__arm64__) || defined(__aarch64__)) -# define WORD_SIZE_64 1 +#define WORD_SIZE_64 1 #endif /* Default memory limit for child process (MB): */ #ifndef __NetBSD__ -# ifndef WORD_SIZE_64 -# define MEM_LIMIT 25 -# else -# define MEM_LIMIT 50 -# endif /* ^!WORD_SIZE_64 */ -#else /* NetBSD's kernel needs more space for stack, see discussion for issue \ - #165 */ -# define MEM_LIMIT 200 +#ifndef WORD_SIZE_64 +#define MEM_LIMIT 25 +#else +#define MEM_LIMIT 50 +#endif /* ^!WORD_SIZE_64 */ +#else /* NetBSD's kernel needs more space for stack, see discussion for issue \ + #165 */ +#define MEM_LIMIT 200 #endif /* Default memory limit when running in QEMU mode (MB): */ @@ -395,9 +395,9 @@ /* for *BSD: use ARC4RANDOM and save a file descriptor */ #if defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__) -# ifndef HAVE_ARC4RANDOM -# define HAVE_ARC4RANDOM 1 -# endif +#ifndef HAVE_ARC4RANDOM +#define HAVE_ARC4RANDOM 1 +#endif #endif /* __APPLE__ || __FreeBSD__ || __OpenBSD__ */ #endif /* ! _HAVE_CONFIG_H */ diff --git a/include/debug.h b/include/debug.h index ea2ee87a..4cce56b5 100644 --- a/include/debug.h +++ b/include/debug.h @@ -30,7 +30,7 @@ /* __FUNCTION__ is non-iso */ #ifdef __func__ -# define __FUNCTION__ __func__ +#define __FUNCTION__ __func__ #endif /******************* @@ -38,82 +38,82 @@ *******************/ #ifndef MESSAGES_TO_STDOUT -# define MESSAGES_TO_STDOUT +#define MESSAGES_TO_STDOUT #endif #ifdef USE_COLOR -# define cBLK "\x1b[0;30m" -# define cRED "\x1b[0;31m" -# define cGRN "\x1b[0;32m" -# define cBRN "\x1b[0;33m" -# define cBLU "\x1b[0;34m" -# define cMGN "\x1b[0;35m" -# define cCYA "\x1b[0;36m" -# define cLGR "\x1b[0;37m" -# define cGRA "\x1b[1;90m" -# define cLRD "\x1b[1;91m" -# define cLGN "\x1b[1;92m" -# define cYEL "\x1b[1;93m" -# define cLBL "\x1b[1;94m" -# define cPIN "\x1b[1;95m" -# define cLCY "\x1b[1;96m" -# define cBRI "\x1b[1;97m" -# define cRST "\x1b[0m" - -# define bgBLK "\x1b[40m" -# define bgRED "\x1b[41m" -# define bgGRN "\x1b[42m" -# define bgBRN "\x1b[43m" -# define bgBLU "\x1b[44m" -# define bgMGN "\x1b[45m" -# define bgCYA "\x1b[46m" -# define bgLGR "\x1b[47m" -# define bgGRA "\x1b[100m" -# define bgLRD "\x1b[101m" -# define bgLGN "\x1b[102m" -# define bgYEL "\x1b[103m" -# define bgLBL "\x1b[104m" -# define bgPIN "\x1b[105m" -# define bgLCY "\x1b[106m" -# define bgBRI "\x1b[107m" +#define cBLK "\x1b[0;30m" +#define cRED "\x1b[0;31m" +#define cGRN "\x1b[0;32m" +#define cBRN "\x1b[0;33m" +#define cBLU "\x1b[0;34m" +#define cMGN "\x1b[0;35m" +#define cCYA "\x1b[0;36m" +#define cLGR "\x1b[0;37m" +#define cGRA "\x1b[1;90m" +#define cLRD "\x1b[1;91m" +#define cLGN "\x1b[1;92m" +#define cYEL "\x1b[1;93m" +#define cLBL "\x1b[1;94m" +#define cPIN "\x1b[1;95m" +#define cLCY "\x1b[1;96m" +#define cBRI "\x1b[1;97m" +#define cRST "\x1b[0m" + +#define bgBLK "\x1b[40m" +#define bgRED "\x1b[41m" +#define bgGRN "\x1b[42m" +#define bgBRN "\x1b[43m" +#define bgBLU "\x1b[44m" +#define bgMGN "\x1b[45m" +#define bgCYA "\x1b[46m" +#define bgLGR "\x1b[47m" +#define bgGRA "\x1b[100m" +#define bgLRD "\x1b[101m" +#define bgLGN "\x1b[102m" +#define bgYEL "\x1b[103m" +#define bgLBL "\x1b[104m" +#define bgPIN "\x1b[105m" +#define bgLCY "\x1b[106m" +#define bgBRI "\x1b[107m" #else -# define cBLK "" -# define cRED "" -# define cGRN "" -# define cBRN "" -# define cBLU "" -# define cMGN "" -# define cCYA "" -# define cLGR "" -# define cGRA "" -# define cLRD "" -# define cLGN "" -# define cYEL "" -# define cLBL "" -# define cPIN "" -# define cLCY "" -# define cBRI "" -# define cRST "" - -# define bgBLK "" -# define bgRED "" -# define bgGRN "" -# define bgBRN "" -# define bgBLU "" -# define bgMGN "" -# define bgCYA "" -# define bgLGR "" -# define bgGRA "" -# define bgLRD "" -# define bgLGN "" -# define bgYEL "" -# define bgLBL "" -# define bgPIN "" -# define bgLCY "" -# define bgBRI "" +#define cBLK "" +#define cRED "" +#define cGRN "" +#define cBRN "" +#define cBLU "" +#define cMGN "" +#define cCYA "" +#define cLGR "" +#define cGRA "" +#define cLRD "" +#define cLGN "" +#define cYEL "" +#define cLBL "" +#define cPIN "" +#define cLCY "" +#define cBRI "" +#define cRST "" + +#define bgBLK "" +#define bgRED "" +#define bgGRN "" +#define bgBRN "" +#define bgBLU "" +#define bgMGN "" +#define bgCYA "" +#define bgLGR "" +#define bgGRA "" +#define bgLRD "" +#define bgLGN "" +#define bgYEL "" +#define bgLBL "" +#define bgPIN "" +#define bgLCY "" +#define bgBRI "" #endif /* ^USE_COLOR */ @@ -123,39 +123,39 @@ #ifdef FANCY_BOXES -# define SET_G1 "\x1b)0" /* Set G1 for box drawing */ -# define RESET_G1 "\x1b)B" /* Reset G1 to ASCII */ -# define bSTART "\x0e" /* Enter G1 drawing mode */ -# define bSTOP "\x0f" /* Leave G1 drawing mode */ -# define bH "q" /* Horizontal line */ -# define bV "x" /* Vertical line */ -# define bLT "l" /* Left top corner */ -# define bRT "k" /* Right top corner */ -# define bLB "m" /* Left bottom corner */ -# define bRB "j" /* Right bottom corner */ -# define bX "n" /* Cross */ -# define bVR "t" /* Vertical, branch right */ -# define bVL "u" /* Vertical, branch left */ -# define bHT "v" /* Horizontal, branch top */ -# define bHB "w" /* Horizontal, branch bottom */ +#define SET_G1 "\x1b)0" /* Set G1 for box drawing */ +#define RESET_G1 "\x1b)B" /* Reset G1 to ASCII */ +#define bSTART "\x0e" /* Enter G1 drawing mode */ +#define bSTOP "\x0f" /* Leave G1 drawing mode */ +#define bH "q" /* Horizontal line */ +#define bV "x" /* Vertical line */ +#define bLT "l" /* Left top corner */ +#define bRT "k" /* Right top corner */ +#define bLB "m" /* Left bottom corner */ +#define bRB "j" /* Right bottom corner */ +#define bX "n" /* Cross */ +#define bVR "t" /* Vertical, branch right */ +#define bVL "u" /* Vertical, branch left */ +#define bHT "v" /* Horizontal, branch top */ +#define bHB "w" /* Horizontal, branch bottom */ #else -# define SET_G1 "" -# define RESET_G1 "" -# define bSTART "" -# define bSTOP "" -# define bH "-" -# define bV "|" -# define bLT "+" -# define bRT "+" -# define bLB "+" -# define bRB "+" -# define bX "+" -# define bVR "+" -# define bVL "+" -# define bHT "+" -# define bHB "+" +#define SET_G1 "" +#define RESET_G1 "" +#define bSTART "" +#define bSTOP "" +#define bH "-" +#define bV "|" +#define bLT "+" +#define bRT "+" +#define bLB "+" +#define bRB "+" +#define bX "+" +#define bVR "+" +#define bVL "+" +#define bHT "+" +#define bHB "+" #endif /* ^FANCY_BOXES */ @@ -176,9 +176,9 @@ /* Just print stuff to the appropriate stream. */ #ifdef MESSAGES_TO_STDOUT -# define SAYF(x...) printf(x) +#define SAYF(x...) printf(x) #else -# define SAYF(x...) fprintf(stderr, x) +#define SAYF(x...) fprintf(stderr, x) #endif /* ^MESSAGES_TO_STDOUT */ /* Show a prefixed warning. */ diff --git a/include/forkserver.h b/include/forkserver.h index 81112594..7e7784f5 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -110,20 +110,20 @@ void afl_fsrv_killall(void); void afl_fsrv_deinit(afl_forkserver_t *fsrv); #ifdef __APPLE__ -# define MSG_FORK_ON_APPLE \ - " - On MacOS X, the semantics of fork() syscalls are non-standard and " \ - "may\n" \ - " break afl-fuzz performance optimizations when running " \ - "platform-specific\n" \ - " targets. To fix this, set AFL_NO_FORKSRV=1 in the environment.\n\n" +#define MSG_FORK_ON_APPLE \ + " - On MacOS X, the semantics of fork() syscalls are non-standard and " \ + "may\n" \ + " break afl-fuzz performance optimizations when running " \ + "platform-specific\n" \ + " targets. To fix this, set AFL_NO_FORKSRV=1 in the environment.\n\n" #else -# define MSG_FORK_ON_APPLE "" +#define MSG_FORK_ON_APPLE "" #endif #ifdef RLIMIT_AS -# define MSG_ULIMIT_USAGE " ( ulimit -Sv $[%llu << 10];" +#define MSG_ULIMIT_USAGE " ( ulimit -Sv $[%llu << 10];" #else -# define MSG_ULIMIT_USAGE " ( ulimit -Sd $[%llu << 10];" +#define MSG_ULIMIT_USAGE " ( ulimit -Sd $[%llu << 10];" #endif /* ^RLIMIT_AS */ #endif diff --git a/include/hash.h b/include/hash.h index 75a72ad0..3751ac33 100644 --- a/include/hash.h +++ b/include/hash.h @@ -32,7 +32,7 @@ #ifdef __x86_64__ -# define ROL64(_x, _r) ((((u64)(_x)) << (_r)) | (((u64)(_x)) >> (64 - (_r)))) +#define ROL64(_x, _r) ((((u64)(_x)) << (_r)) | (((u64)(_x)) >> (64 - (_r)))) static inline u32 hash32(const void *key, u32 len, u32 seed) { @@ -67,7 +67,7 @@ static inline u32 hash32(const void *key, u32 len, u32 seed) { #else -# define ROL32(_x, _r) ((((u32)(_x)) << (_r)) | (((u32)(_x)) >> (32 - (_r)))) +#define ROL32(_x, _r) ((((u32)(_x)) << (_r)) | (((u32)(_x)) >> (32 - (_r)))) static inline u32 hash32(const void *key, u32 len, u32 seed) { diff --git a/include/types.h b/include/types.h index 15b618fa..72d2ba51 100644 --- a/include/types.h +++ b/include/types.h @@ -81,21 +81,23 @@ typedef int32_t s32; typedef int64_t s64; #ifndef MIN -# define MIN(a, b) \ - ({ \ - __typeof__(a) _a = (a); \ - __typeof__(b) _b = (b); \ - _a < _b ? _a : _b; - -}) - -# define MAX(a, b) \ - ({ \ - __typeof__(a) _a = (a); \ - __typeof__(b) _b = (b); \ - _a > _b ? _a : _b; +#define MIN(a, b) \ + ({ \ + \ + __typeof__(a) _a = (a); \ + __typeof__(b) _b = (b); \ + _a < _b ? _a : _b; \ + \ + }) -}) +#define MAX(a, b) \ + ({ \ + \ + __typeof__(a) _a = (a); \ + __typeof__(b) _b = (b); \ + _a > _b ? _a : _b; \ + \ + }) #endif /* !MIN */ @@ -131,21 +133,21 @@ typedef int64_t s64; }) #ifdef AFL_LLVM_PASS -# if defined(__linux__) || !defined(__ANDROID__) -# define AFL_SR(s) (srandom(s)) -# define AFL_R(x) (random() % (x)) -# else -# define AFL_SR(s) ((void)s) -# define AFL_R(x) (arc4random_uniform(x)) -# endif +#if defined(__linux__) || !defined(__ANDROID__) +#define AFL_SR(s) (srandom(s)) +#define AFL_R(x) (random() % (x)) +#else +#define AFL_SR(s) ((void)s) +#define AFL_R(x) (arc4random_uniform(x)) +#endif #else -# if defined(__linux__) || !defined(__ANDROID__) -# define SR(s) (srandom(s)) -# define R(x) (random() % (x)) -# else -# define SR(s) ((void)s) -# define R(x) (arc4random_uniform(x)) -# endif +#if defined(__linux__) || !defined(__ANDROID__) +#define SR(s) (srandom(s)) +#define R(x) (random() % (x)) +#else +#define SR(s) ((void)s) +#define R(x) (arc4random_uniform(x)) +#endif #endif /* ^AFL_LLVM_PASS */ #define STRINGIFY_INTERNAL(x) #x @@ -154,19 +156,19 @@ typedef int64_t s64; #define MEM_BARRIER() __asm__ volatile("" ::: "memory") #if __GNUC__ < 6 -# ifndef likely -# define likely(_x) (_x) -# endif -# ifndef unlikely -# define unlikely(_x) (_x) -# endif +#ifndef likely +#define likely(_x) (_x) +#endif +#ifndef unlikely +#define unlikely(_x) (_x) +#endif #else -# ifndef likely -# define likely(_x) __builtin_expect(!!(_x), 1) -# endif -# ifndef unlikely -# define unlikely(_x) __builtin_expect(!!(_x), 0) -# endif +#ifndef likely +#define likely(_x) __builtin_expect(!!(_x), 1) +#endif +#ifndef unlikely +#define unlikely(_x) __builtin_expect(!!(_x), 0) +#endif #endif #endif /* ! _HAVE_TYPES_H */ diff --git a/libdislocator/libdislocator.so.c b/libdislocator/libdislocator.so.c index 496cf0f0..0a7d2867 100644 --- a/libdislocator/libdislocator.so.c +++ b/libdislocator/libdislocator.so.c @@ -30,39 +30,43 @@ #include #ifdef __APPLE__ -# include +#include #endif #ifdef __FreeBSD__ -# include +#include #endif #if defined(__linux__) && !defined(__ANDROID__) -# include -# include -# ifdef __NR_getrandom -# define arc4random_buf(p, l) \ - do { \ - ssize_t rd = syscall(__NR_getrandom, p, l, 0); \ - if (rd != l) DEBUGF("getrandom failed"); \ - \ - - } while (0) - -# else -# include -# define arc4random_buf(p, l) \ - do { \ - srand(time(NULL)); \ - u32 i; \ - u8 *ptr = (u8 *)p; \ - for (i = 0; i < l; i++) \ - ptr[i] = rand() % INT_MAX; \ - \ - - } while (0) - -# endif +#include +#include +#ifdef __NR_getrandom +#define arc4random_buf(p, l) \ + do { \ + \ + ssize_t rd = syscall(__NR_getrandom, p, l, 0); \ + if (rd != l) DEBUGF("getrandom failed"); + +} + +while (0) + +#else +#include +#define arc4random_buf(p, l) \ + do { \ + \ + srand(time(NULL)); \ + u32 i; \ + u8 *ptr = (u8 *)p; \ + for (i = 0; i < l; i++) \ + ptr[i] = rand() % INT_MAX; + +} + +while (0) + +#endif #endif #include "config.h" @@ -70,29 +74,29 @@ #if __STDC_VERSION__ < 201112L || \ (defined(__FreeBSD__) && __FreeBSD_version < 1200000) -// use this hack if not C11 -typedef struct { + // use this hack if not C11 + typedef struct { - long long __ll; - long double __ld; + long long __ll; + long double __ld; -} max_align_t; + } max_align_t; #endif #define ALLOC_ALIGN_SIZE (_Alignof(max_align_t)) #ifndef PAGE_SIZE -# define PAGE_SIZE 4096 +#define PAGE_SIZE 4096 #endif /* !PAGE_SIZE */ #ifndef MAP_ANONYMOUS -# define MAP_ANONYMOUS MAP_ANON +#define MAP_ANONYMOUS MAP_ANON #endif /* !MAP_ANONYMOUS */ #define SUPER_PAGE_SIZE 1 << 21 -/* Error / message handling: */ + /* Error / message handling: */ #define DEBUGF(_x...) \ do { \ @@ -125,11 +129,11 @@ typedef struct { \ } while (0) -/* Macro to count the number of pages needed to store a buffer: */ + /* Macro to count the number of pages needed to store a buffer: */ #define PG_COUNT(_l) (((_l) + (PAGE_SIZE - 1)) / PAGE_SIZE) -/* Canary & clobber bytes: */ + /* Canary & clobber bytes: */ #define ALLOC_CANARY 0xAACCAACC #define ALLOC_CLOBBER 0xCC @@ -148,8 +152,8 @@ static u8 alloc_verbose, /* Additional debug messages */ align_allocations; /* Force alignment to sizeof(void*) */ #if defined __OpenBSD__ || defined __APPLE__ -# define __thread -# warning no thread support available +#define __thread +#warning no thread support available #endif static __thread size_t total_mem; /* Currently allocated mem */ @@ -192,13 +196,13 @@ static void *__dislocator_alloc(size_t len) { #if defined(USEHUGEPAGE) sp = (rlen >= SUPER_PAGE_SIZE && !(rlen % SUPER_PAGE_SIZE)); -# if defined(__APPLE__) +#if defined(__APPLE__) if (sp) fd = VM_FLAGS_SUPERPAGE_SIZE_2MB; -# elif defined(__linux__) +#elif defined(__linux__) if (sp) flags |= MAP_HUGETLB; -# elif defined(__FreeBSD__) +#elif defined(__FreeBSD__) if (sp) flags |= MAP_ALIGNED_SUPER; -# endif +#endif #else (void)sp; #endif @@ -208,13 +212,13 @@ static void *__dislocator_alloc(size_t len) { /* We try one more time with regular call */ if (ret == MAP_FAILED) { -# if defined(__APPLE__) +#if defined(__APPLE__) fd = -1; -# elif defined(__linux__) +#elif defined(__linux__) flags &= -MAP_HUGETLB; -# elif defined(__FreeBSD__) +#elif defined(__FreeBSD__) flags &= -MAP_ALIGNED_SUPER; -# endif +#endif ret = (u8 *)mmap(NULL, tlen, PROT_READ | PROT_WRITE, flags, fd, 0); } diff --git a/libtokencap/libtokencap.so.c b/libtokencap/libtokencap.so.c index 785f0e57..56b2cd4b 100644 --- a/libtokencap/libtokencap.so.c +++ b/libtokencap/libtokencap.so.c @@ -21,7 +21,7 @@ */ #ifndef _GNU_SOURCE -# define _GNU_SOURCE +#define _GNU_SOURCE #endif #include #include @@ -35,20 +35,20 @@ #if !defined __linux__ && !defined __APPLE__ && !defined __FreeBSD__ && \ !defined __OpenBSD__ && !defined __NetBSD__ && !defined __DragonFly__ -# error "Sorry, this library is unsupported in this platform for now!" +#error "Sorry, this library is unsupported in this platform for now!" #endif /* !__linux__ && !__APPLE__ && ! __FreeBSD__ && ! __OpenBSD__ && \ !__NetBSD__*/ #if defined __APPLE__ -# include -# include +#include +#include #elif defined __FreeBSD__ || defined __OpenBSD__ || defined __NetBSD__ -# include -# include -# if !defined __NetBSD__ -# include -# endif -# include +#include +#include +#if !defined __NetBSD__ +#include +#endif +#include #endif #include @@ -154,25 +154,25 @@ static void __tokencap_load_mappings(void) { #elif defined __FreeBSD__ || defined __OpenBSD__ || defined __NetBSD__ -# if defined __FreeBSD__ +#if defined __FreeBSD__ int mib[] = {CTL_KERN, KERN_PROC, KERN_PROC_VMMAP, __tokencap_pid}; -# elif defined __OpenBSD__ +#elif defined __OpenBSD__ int mib[] = {CTL_KERN, KERN_PROC_VMMAP, __tokencap_pid}; -# elif defined __NetBSD__ +#elif defined __NetBSD__ int mib[] = {CTL_VM, VM_PROC, VM_PROC_MAP, __tokencap_pid, sizeof(struct kinfo_vmentry)}; -# endif +#endif char * buf, *low, *high; size_t miblen = sizeof(mib) / sizeof(mib[0]); size_t len; if (sysctl(mib, miblen, NULL, &len, NULL, 0) == -1) return; -# if defined __FreeBSD__ || defined __NetBSD__ +#if defined __FreeBSD__ || defined __NetBSD__ len = len * 4 / 3; -# elif defined __OpenBSD__ +#elif defined __OpenBSD__ len -= len % sizeof(struct kinfo_vmentry); -# endif +#endif buf = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANON, -1, 0); if (buf == MAP_FAILED) return; @@ -193,22 +193,22 @@ static void __tokencap_load_mappings(void) { struct kinfo_vmentry *region = (struct kinfo_vmentry *)low; -# if defined __FreeBSD__ || defined __NetBSD__ +#if defined __FreeBSD__ || defined __NetBSD__ -# if defined __FreeBSD__ +#if defined __FreeBSD__ size_t size = region->kve_structsize; if (size == 0) break; -# elif defined __NetBSD__ +#elif defined __NetBSD__ size_t size = sizeof(*region); -# endif +#endif /* We go through the whole mapping of the process and track read-only * addresses */ if ((region->kve_protection & KVME_PROT_READ) && !(region->kve_protection & KVME_PROT_WRITE)) { -# elif defined __OpenBSD__ +#elif defined __OpenBSD__ size_t size = sizeof(*region); @@ -217,7 +217,7 @@ static void __tokencap_load_mappings(void) { if ((region->kve_protection & KVE_PROT_READ) && !(region->kve_protection & KVE_PROT_WRITE)) { -# endif +#endif __tokencap_ro[__tokencap_ro_cnt].st = (void *)region->kve_start; __tokencap_ro[__tokencap_ro_cnt].en = (void *)region->kve_end; diff --git a/llvm_mode/LLVMInsTrim.so.cc b/llvm_mode/LLVMInsTrim.so.cc index a072ae55..837b093a 100644 --- a/llvm_mode/LLVMInsTrim.so.cc +++ b/llvm_mode/LLVMInsTrim.so.cc @@ -12,13 +12,13 @@ typedef long double max_align_t; #include "llvm/ADT/DenseSet.h" #if LLVM_VERSION_MAJOR > 3 || \ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4) -# include "llvm/IR/CFG.h" -# include "llvm/IR/Dominators.h" -# include "llvm/IR/DebugInfo.h" +#include "llvm/IR/CFG.h" +#include "llvm/IR/Dominators.h" +#include "llvm/IR/DebugInfo.h" #else -# include "llvm/Support/CFG.h" -# include "llvm/Analysis/Dominators.h" -# include "llvm/DebugInfo.h" +#include "llvm/Support/CFG.h" +#include "llvm/Analysis/Dominators.h" +#include "llvm/DebugInfo.h" #endif #include "llvm/IR/IRBuilder.h" #include "llvm/IR/Instructions.h" @@ -97,7 +97,7 @@ struct InsTrim : public ModulePass { #if LLVM_VERSION_MAJOR >= 4 || \ (LLVM_VERSION_MAJOR == 4 && LLVM_VERSION_PATCH >= 1) -# define AFL_HAVE_VECTOR_INTRINSICS 1 +#define AFL_HAVE_VECTOR_INTRINSICS 1 #endif bool runOnModule(Module &M) override { @@ -196,17 +196,17 @@ struct InsTrim : public ModulePass { #ifdef AFL_HAVE_VECTOR_INTRINSICS if (ngram_size) -# ifdef __ANDROID__ +#ifdef __ANDROID__ AFLPrevLoc = new GlobalVariable( M, PrevLocTy, /* isConstant */ false, GlobalValue::ExternalLinkage, /* Initializer */ nullptr, "__afl_prev_loc"); -# else +#else AFLPrevLoc = new GlobalVariable( M, PrevLocTy, /* isConstant */ false, GlobalValue::ExternalLinkage, /* Initializer */ nullptr, "__afl_prev_loc", /* InsertBefore */ nullptr, GlobalVariable::GeneralDynamicTLSModel, /* AddressSpace */ 0, /* IsExternallyInitialized */ false); -# endif +#endif else #endif #ifdef __ANDROID__ diff --git a/llvm_mode/MarkNodes.cc b/llvm_mode/MarkNodes.cc index 66e6a728..cff6c90a 100644 --- a/llvm_mode/MarkNodes.cc +++ b/llvm_mode/MarkNodes.cc @@ -15,9 +15,9 @@ typedef long double max_align_t; #include "llvm/IR/BasicBlock.h" #if LLVM_VERSION_MAJOR > 3 || \ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4) -# include "llvm/IR/CFG.h" +#include "llvm/IR/CFG.h" #else -# include "llvm/Support/CFG.h" +#include "llvm/Support/CFG.h" #endif #include "llvm/IR/Constants.h" #include "llvm/IR/Function.h" diff --git a/llvm_mode/afl-llvm-common.h b/llvm_mode/afl-llvm-common.h index c0982e10..cf14d2e1 100644 --- a/llvm_mode/afl-llvm-common.h +++ b/llvm_mode/afl-llvm-common.h @@ -25,11 +25,11 @@ typedef long double max_align_t; #if LLVM_VERSION_MAJOR > 3 || \ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4) -# include "llvm/IR/DebugInfo.h" -# include "llvm/IR/CFG.h" +#include "llvm/IR/DebugInfo.h" +#include "llvm/IR/CFG.h" #else -# include "llvm/DebugInfo.h" -# include "llvm/Support/CFG.h" +#include "llvm/DebugInfo.h" +#include "llvm/Support/CFG.h" #endif char * getBBName(const llvm::BasicBlock *BB); diff --git a/llvm_mode/afl-llvm-pass.so.cc b/llvm_mode/afl-llvm-pass.so.cc index 2bcd661b..2d23ad21 100644 --- a/llvm_mode/afl-llvm-pass.so.cc +++ b/llvm_mode/afl-llvm-pass.so.cc @@ -54,11 +54,11 @@ typedef long double max_align_t; #if LLVM_VERSION_MAJOR > 3 || \ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4) -# include "llvm/IR/DebugInfo.h" -# include "llvm/IR/CFG.h" +#include "llvm/IR/DebugInfo.h" +#include "llvm/IR/CFG.h" #else -# include "llvm/DebugInfo.h" -# include "llvm/Support/CFG.h" +#include "llvm/DebugInfo.h" +#include "llvm/Support/CFG.h" #endif #include "afl-llvm-common.h" @@ -115,7 +115,7 @@ uint64_t PowerOf2Ceil(unsigned in) { /* #if LLVM_VERSION_STRING >= "4.0.1" */ #if LLVM_VERSION_MAJOR >= 4 || \ (LLVM_VERSION_MAJOR == 4 && LLVM_VERSION_PATCH >= 1) -# define AFL_HAVE_VECTOR_INTRINSICS 1 +#define AFL_HAVE_VECTOR_INTRINSICS 1 #endif bool AFLCoverage::runOnModule(Module &M) { @@ -242,17 +242,17 @@ bool AFLCoverage::runOnModule(Module &M) { #ifdef AFL_HAVE_VECTOR_INTRINSICS if (ngram_size) -# ifdef __ANDROID__ +#ifdef __ANDROID__ AFLPrevLoc = new GlobalVariable( M, PrevLocTy, /* isConstant */ false, GlobalValue::ExternalLinkage, /* Initializer */ nullptr, "__afl_prev_loc"); -# else +#else AFLPrevLoc = new GlobalVariable( M, PrevLocTy, /* isConstant */ false, GlobalValue::ExternalLinkage, /* Initializer */ nullptr, "__afl_prev_loc", /* InsertBefore */ nullptr, GlobalVariable::GeneralDynamicTLSModel, /* AddressSpace */ 0, /* IsExternallyInitialized */ false); -# endif +#endif else #endif #ifdef __ANDROID__ diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index 6306ae30..56038f7a 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c @@ -21,7 +21,7 @@ */ #ifdef __ANDROID__ -# include "android-ashmem.h" +#include "android-ashmem.h" #endif #include "config.h" #include "types.h" @@ -43,7 +43,7 @@ #include #ifdef __linux__ -# include "snapshot-inl.h" +#include "snapshot-inl.h" #endif /* This is a somewhat ugly hack for the experimental 'trace-pc-guard' mode. @@ -53,7 +53,7 @@ #define CONST_PRIO 5 #ifndef MAP_FIXED_NOREPLACE -# define MAP_FIXED_NOREPLACE MAP_FIXED +#define MAP_FIXED_NOREPLACE MAP_FIXED #endif #include @@ -822,15 +822,15 @@ void __cmplog_ins_hook8(uint64_t arg1, uint64_t arg2) { } #if defined(__APPLE__) -# pragma weak __sanitizer_cov_trace_const_cmp1 = __cmplog_ins_hook1 -# pragma weak __sanitizer_cov_trace_const_cmp2 = __cmplog_ins_hook2 -# pragma weak __sanitizer_cov_trace_const_cmp4 = __cmplog_ins_hook4 -# pragma weak __sanitizer_cov_trace_const_cmp8 = __cmplog_ins_hook8 - -# pragma weak __sanitizer_cov_trace_cmp1 = __cmplog_ins_hook1 -# pragma weak __sanitizer_cov_trace_cmp2 = __cmplog_ins_hook2 -# pragma weak __sanitizer_cov_trace_cmp4 = __cmplog_ins_hook4 -# pragma weak __sanitizer_cov_trace_cmp8 = __cmplog_ins_hook8 +#pragma weak __sanitizer_cov_trace_const_cmp1 = __cmplog_ins_hook1 +#pragma weak __sanitizer_cov_trace_const_cmp2 = __cmplog_ins_hook2 +#pragma weak __sanitizer_cov_trace_const_cmp4 = __cmplog_ins_hook4 +#pragma weak __sanitizer_cov_trace_const_cmp8 = __cmplog_ins_hook8 + +#pragma weak __sanitizer_cov_trace_cmp1 = __cmplog_ins_hook1 +#pragma weak __sanitizer_cov_trace_cmp2 = __cmplog_ins_hook2 +#pragma weak __sanitizer_cov_trace_cmp4 = __cmplog_ins_hook4 +#pragma weak __sanitizer_cov_trace_cmp8 = __cmplog_ins_hook8 #else void __sanitizer_cov_trace_const_cmp1(uint8_t arg1, uint8_t arg2) __attribute__((alias("__cmplog_ins_hook1"))); diff --git a/llvm_mode/cmplog-instructions-pass.cc b/llvm_mode/cmplog-instructions-pass.cc index 61ff58b7..628151c6 100644 --- a/llvm_mode/cmplog-instructions-pass.cc +++ b/llvm_mode/cmplog-instructions-pass.cc @@ -38,12 +38,12 @@ #if LLVM_VERSION_MAJOR > 3 || \ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4) -# include "llvm/IR/Verifier.h" -# include "llvm/IR/DebugInfo.h" +#include "llvm/IR/Verifier.h" +#include "llvm/IR/DebugInfo.h" #else -# include "llvm/Analysis/Verifier.h" -# include "llvm/DebugInfo.h" -# define nullptr 0 +#include "llvm/Analysis/Verifier.h" +#include "llvm/DebugInfo.h" +#define nullptr 0 #endif #include diff --git a/llvm_mode/cmplog-routines-pass.cc b/llvm_mode/cmplog-routines-pass.cc index c61374a7..b74fb712 100644 --- a/llvm_mode/cmplog-routines-pass.cc +++ b/llvm_mode/cmplog-routines-pass.cc @@ -38,12 +38,12 @@ #if LLVM_VERSION_MAJOR > 3 || \ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4) -# include "llvm/IR/Verifier.h" -# include "llvm/IR/DebugInfo.h" +#include "llvm/IR/Verifier.h" +#include "llvm/IR/DebugInfo.h" #else -# include "llvm/Analysis/Verifier.h" -# include "llvm/DebugInfo.h" -# define nullptr 0 +#include "llvm/Analysis/Verifier.h" +#include "llvm/DebugInfo.h" +#define nullptr 0 #endif #include diff --git a/llvm_mode/compare-transform-pass.so.cc b/llvm_mode/compare-transform-pass.so.cc index 5fe0d908..00732dbc 100644 --- a/llvm_mode/compare-transform-pass.so.cc +++ b/llvm_mode/compare-transform-pass.so.cc @@ -38,12 +38,12 @@ #if LLVM_VERSION_MAJOR > 3 || \ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4) -# include "llvm/IR/Verifier.h" -# include "llvm/IR/DebugInfo.h" +#include "llvm/IR/Verifier.h" +#include "llvm/IR/DebugInfo.h" #else -# include "llvm/Analysis/Verifier.h" -# include "llvm/DebugInfo.h" -# define nullptr 0 +#include "llvm/Analysis/Verifier.h" +#include "llvm/DebugInfo.h" +#define nullptr 0 #endif #include diff --git a/llvm_mode/split-compares-pass.so.cc b/llvm_mode/split-compares-pass.so.cc index 190b0717..9c91e44f 100644 --- a/llvm_mode/split-compares-pass.so.cc +++ b/llvm_mode/split-compares-pass.so.cc @@ -37,12 +37,12 @@ #include "llvm/IR/IRBuilder.h" #if LLVM_VERSION_MAJOR > 3 || \ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4) -# include "llvm/IR/Verifier.h" -# include "llvm/IR/DebugInfo.h" +#include "llvm/IR/Verifier.h" +#include "llvm/IR/DebugInfo.h" #else -# include "llvm/Analysis/Verifier.h" -# include "llvm/DebugInfo.h" -# define nullptr 0 +#include "llvm/Analysis/Verifier.h" +#include "llvm/DebugInfo.h" +#define nullptr 0 #endif using namespace llvm; diff --git a/llvm_mode/split-switches-pass.so.cc b/llvm_mode/split-switches-pass.so.cc index f0b26fce..e8639347 100644 --- a/llvm_mode/split-switches-pass.so.cc +++ b/llvm_mode/split-switches-pass.so.cc @@ -40,12 +40,12 @@ #include "llvm/IR/IRBuilder.h" #if LLVM_VERSION_MAJOR > 3 || \ (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4) -# include "llvm/IR/Verifier.h" -# include "llvm/IR/DebugInfo.h" +#include "llvm/IR/Verifier.h" +#include "llvm/IR/DebugInfo.h" #else -# include "llvm/Analysis/Verifier.h" -# include "llvm/DebugInfo.h" -# define nullptr 0 +#include "llvm/Analysis/Verifier.h" +#include "llvm/DebugInfo.h" +#define nullptr 0 #endif #include diff --git a/qbdi_mode/template.cpp b/qbdi_mode/template.cpp index af360eb0..d4ac25e3 100755 --- a/qbdi_mode/template.cpp +++ b/qbdi_mode/template.cpp @@ -11,7 +11,7 @@ #include #ifdef __ANDROID__ -# include "../include/android-ashmem.h" +#include "../include/android-ashmem.h" #endif #include @@ -23,15 +23,15 @@ /* NeverZero */ #if (defined(__x86_64__) || defined(__i386__)) && defined(AFL_QEMU_NOT_ZERO) -# define INC_AFL_AREA(loc) \ - asm volatile( \ - "incb (%0, %1, 1)\n" \ - "adcb $0, (%0, %1, 1)\n" \ - : /* no out */ \ - : "r"(afl_area_ptr), "r"(loc) \ - : "memory", "eax") +#define INC_AFL_AREA(loc) \ + asm volatile( \ + "incb (%0, %1, 1)\n" \ + "adcb $0, (%0, %1, 1)\n" \ + : /* no out */ \ + : "r"(afl_area_ptr), "r"(loc) \ + : "memory", "eax") #else -# define INC_AFL_AREA(loc) afl_area_ptr[loc]++ +#define INC_AFL_AREA(loc) afl_area_ptr[loc]++ #endif using namespace QBDI; diff --git a/qemu_mode/libcompcov/libcompcov.so.c b/qemu_mode/libcompcov/libcompcov.so.c index dde65325..bffdd5d8 100644 --- a/qemu_mode/libcompcov/libcompcov.so.c +++ b/qemu_mode/libcompcov/libcompcov.so.c @@ -20,7 +20,7 @@ */ #ifndef _GNU_SOURCE -# define _GNU_SOURCE +#define _GNU_SOURCE #endif #include #include @@ -36,7 +36,7 @@ #include "pmparser.h" #ifndef __linux__ -# error "Sorry, this library is Linux-specific for now!" +#error "Sorry, this library is Linux-specific for now!" #endif /* !__linux__ */ /* Change this value to tune the compare coverage */ diff --git a/qemu_mode/patches/afl-qemu-common.h b/qemu_mode/patches/afl-qemu-common.h index af73ff8c..94f853cc 100644 --- a/qemu_mode/patches/afl-qemu-common.h +++ b/qemu_mode/patches/afl-qemu-common.h @@ -40,27 +40,27 @@ #define PERSISTENT_DEFAULT_MAX_CNT 1000 #ifdef CPU_NB_REGS -# define AFL_REGS_NUM CPU_NB_REGS +#define AFL_REGS_NUM CPU_NB_REGS #elif TARGET_ARM -# define AFL_REGS_NUM 32 +#define AFL_REGS_NUM 32 #elif TARGET_AARCH64 -# define AFL_REGS_NUM 32 +#define AFL_REGS_NUM 32 #else -# define AFL_REGS_NUM 100 +#define AFL_REGS_NUM 100 #endif /* NeverZero */ #if (defined(__x86_64__) || defined(__i386__)) && defined(AFL_QEMU_NOT_ZERO) -# define INC_AFL_AREA(loc) \ - asm volatile( \ - "incb (%0, %1, 1)\n" \ - "adcb $0, (%0, %1, 1)\n" \ - : /* no out */ \ - : "r"(afl_area_ptr), "r"(loc) \ - : "memory", "eax") +#define INC_AFL_AREA(loc) \ + asm volatile( \ + "incb (%0, %1, 1)\n" \ + "adcb $0, (%0, %1, 1)\n" \ + : /* no out */ \ + : "r"(afl_area_ptr), "r"(loc) \ + : "memory", "eax") #else -# define INC_AFL_AREA(loc) afl_area_ptr[loc]++ +#define INC_AFL_AREA(loc) afl_area_ptr[loc]++ #endif typedef void (*afl_persistent_hook_fn)(uint64_t *regs, uint64_t guest_base); diff --git a/qemu_mode/patches/afl-qemu-cpu-inl.h b/qemu_mode/patches/afl-qemu-cpu-inl.h index de271f9f..78a8f800 100644 --- a/qemu_mode/patches/afl-qemu-cpu-inl.h +++ b/qemu_mode/patches/afl-qemu-cpu-inl.h @@ -35,7 +35,7 @@ #include "afl-qemu-common.h" #ifndef AFL_QEMU_STATIC_BUILD -# include +#include #endif /*************************** diff --git a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h index 1fdfb247..2e740ad9 100644 --- a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h +++ b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h @@ -36,9 +36,9 @@ #include "tcg-op.h" #if TCG_TARGET_REG_BITS == 64 -# define _DEFAULT_MO MO_64 +#define _DEFAULT_MO MO_64 #else -# define _DEFAULT_MO MO_32 +#define _DEFAULT_MO MO_32 #endif static void afl_gen_compcov(target_ulong cur_loc, TCGv arg1, TCGv arg2, diff --git a/src/afl-analyze.c b/src/afl-analyze.c index 6b67da43..4e973672 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -27,7 +27,7 @@ #define AFL_MAIN #ifdef __ANDROID__ -# include "android-ashmem.h" +#include "android-ashmem.h" #endif #include "config.h" #include "types.h" diff --git a/src/afl-as.c b/src/afl-as.c index 83bb7e96..cf7f8bb6 100644 --- a/src/afl-as.c +++ b/src/afl-as.c @@ -79,9 +79,9 @@ static u8 use_64bit = 1; static u8 use_64bit = 0; -# ifdef __APPLE__ -# error "Sorry, 32-bit Apple platforms are not supported." -# endif /* __APPLE__ */ +#ifdef __APPLE__ +#error "Sorry, 32-bit Apple platforms are not supported." +#endif /* __APPLE__ */ #endif /* ^WORD_SIZE_64 */ diff --git a/src/afl-common.c b/src/afl-common.c index 70dde2f0..d9d57863 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -34,7 +34,7 @@ /* Detect @@ in args. */ #ifndef __glibc__ -# include +#include #endif #include #include diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 7f4fa3d9..32481887 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -33,11 +33,11 @@ void bind_to_free_cpu(afl_state_t *afl) { -# if defined(__linux__) || defined(__FreeBSD__) || defined(__DragonFly__) +#if defined(__linux__) || defined(__FreeBSD__) || defined(__DragonFly__) cpu_set_t c; -# elif defined(__NetBSD__) +#elif defined(__NetBSD__) cpuset_t * c; -# endif +#endif u8 cpu_used[4096] = {0}; u32 i; @@ -51,7 +51,7 @@ void bind_to_free_cpu(afl_state_t *afl) { } -# if defined(__linux__) +#if defined(__linux__) DIR * d; struct dirent *de; d = opendir("/proc"); @@ -112,7 +112,7 @@ void bind_to_free_cpu(afl_state_t *afl) { } closedir(d); -# elif defined(__FreeBSD__) || defined(__DragonFly__) +#elif defined(__FreeBSD__) || defined(__DragonFly__) struct kinfo_proc *procs; size_t nprocs; size_t proccount; @@ -133,7 +133,7 @@ void bind_to_free_cpu(afl_state_t *afl) { for (i = 0; i < proccount; i++) { -# if defined(__FreeBSD__) +#if defined(__FreeBSD__) if (!strcmp(procs[i].ki_comm, "idle")) continue; // fix when ki_oncpu = -1 @@ -143,16 +143,16 @@ void bind_to_free_cpu(afl_state_t *afl) { if (oncpu != -1 && oncpu < sizeof(cpu_used) && procs[i].ki_pctcpu > 60) cpu_used[oncpu] = 1; -# elif defined(__DragonFly__) +#elif defined(__DragonFly__) if (procs[i].kp_lwp.kl_cpuid < sizeof(cpu_used) && procs[i].kp_lwp.kl_pctcpu > 10) cpu_used[procs[i].kp_lwp.kl_cpuid] = 1; -# endif +#endif } ck_free(procs); -# elif defined(__NetBSD__) +#elif defined(__NetBSD__) struct kinfo_proc2 *procs; size_t nprocs; size_t proccount; @@ -181,15 +181,15 @@ void bind_to_free_cpu(afl_state_t *afl) { } ck_free(procs); -# else -# warning \ - "For this platform we do not have free CPU binding code yet. If possible, please supply a PR to https://github.com/AFLplusplus/AFLplusplus" -# endif +#else +#warning \ + "For this platform we do not have free CPU binding code yet. If possible, please supply a PR to https://github.com/AFLplusplus/AFLplusplus" +#endif size_t cpu_start = 0; try: -# ifndef __ANDROID__ +#ifndef __ANDROID__ for (i = cpu_start; i < afl->cpu_core_count; i++) { if (!cpu_used[i]) { break; } @@ -198,12 +198,12 @@ void bind_to_free_cpu(afl_state_t *afl) { if (i == afl->cpu_core_count) { -# else +#else for (i = afl->cpu_core_count - cpu_start - 1; i > -1; i--) if (!cpu_used[i]) break; if (i == -1) { -# endif +#endif SAYF("\n" cLRD "[-] " cRST "Uh-oh, looks like all %d CPU cores on your system are allocated to\n" @@ -221,16 +221,16 @@ void bind_to_free_cpu(afl_state_t *afl) { afl->cpu_aff = i; -# if defined(__linux__) || defined(__FreeBSD__) || defined(__DragonFly__) +#if defined(__linux__) || defined(__FreeBSD__) || defined(__DragonFly__) CPU_ZERO(&c); CPU_SET(i, &c); -# elif defined(__NetBSD__) +#elif defined(__NetBSD__) c = cpuset_create(); if (c == NULL) PFATAL("cpuset_create failed"); cpuset_set(i, c); -# endif +#endif -# if defined(__linux__) +#if defined(__linux__) if (sched_setaffinity(0, sizeof(c), &c)) { if (cpu_start == afl->cpu_core_count) { @@ -246,7 +246,7 @@ void bind_to_free_cpu(afl_state_t *afl) { } -# elif defined(__FreeBSD__) || defined(__DragonFly__) +#elif defined(__FreeBSD__) || defined(__DragonFly__) if (pthread_setaffinity_np(pthread_self(), sizeof(c), &c)) { if (cpu_start == afl->cpu_core_count) @@ -258,7 +258,7 @@ void bind_to_free_cpu(afl_state_t *afl) { } -# elif defined(__NetBSD__) +#elif defined(__NetBSD__) if (pthread_setaffinity_np(pthread_self(), cpuset_size(c), c)) { if (cpu_start == afl->cpu_core_count) @@ -271,10 +271,10 @@ if (pthread_setaffinity_np(pthread_self(), cpuset_size(c), c)) { } cpuset_destroy(c); -# else +#else // this will need something for other platforms // TODO: Solaris/Illumos has processor_bind ... might worth a try -# endif +#endif } @@ -1565,7 +1565,7 @@ void check_crash_handling(void) { until I get a box to test the code. So, for now, we check for crash reporting the awful way. */ -# if !TARGET_OS_IPHONE +#if !TARGET_OS_IPHONE if (system("launchctl list 2>/dev/null | grep -q '\\.ReportCrash$'")) return; SAYF( @@ -1583,7 +1583,7 @@ void check_crash_handling(void) { " launchctl unload -w ${SL}/LaunchAgents/${PL}.plist\n" " sudo launchctl unload -w ${SL}/LaunchDaemons/${PL}.Root.plist\n"); -# endif +#endif if (!get_afl_env("AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES")) FATAL("Crash reporter detected"); @@ -1778,26 +1778,26 @@ void get_core_count(afl_state_t *afl) { /* On *BSD systems, we can just use a sysctl to get the number of CPUs. */ -# ifdef __APPLE__ +#ifdef __APPLE__ if (sysctlbyname("hw.logicalcpu", &afl->cpu_core_count, &s, NULL, 0) < 0) return; -# else +#else int s_name[2] = {CTL_HW, HW_NCPU}; if (sysctl(s_name, 2, &afl->cpu_core_count, &s, NULL, 0) < 0) return; -# endif /* ^__APPLE__ */ +#endif /* ^__APPLE__ */ #else -# ifdef HAVE_AFFINITY +#ifdef HAVE_AFFINITY afl->cpu_core_count = sysconf(_SC_NPROCESSORS_ONLN); -# else +#else FILE *f = fopen("/proc/stat", "r"); u8 tmp[1024]; @@ -1809,7 +1809,7 @@ void get_core_count(afl_state_t *afl) { fclose(f); -# endif /* ^HAVE_AFFINITY */ +#endif /* ^HAVE_AFFINITY */ #endif /* ^(__APPLE__ || __FreeBSD__ || __OpenBSD__) */ @@ -2102,12 +2102,12 @@ void check_binary(afl_state_t *afl, u8 *fname) { #else -# if !defined(__arm__) && !defined(__arm64__) +#if !defined(__arm__) && !defined(__arm64__) if ((f_data[0] != 0xCF || f_data[1] != 0xFA || f_data[2] != 0xED) && (f_data[0] != 0xCA || f_data[1] != 0xFE || f_data[2] != 0xBA)) FATAL("Program '%s' is not a 64-bit or universal Mach-O binary", afl->fsrv.target_path); -# endif +#endif #endif /* ^!__APPLE__ */ diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c index c8b58a1b..832dba06 100644 --- a/src/afl-fuzz-python.c +++ b/src/afl-fuzz-python.c @@ -37,9 +37,9 @@ static void *unsupported(afl_state_t *afl, unsigned int seed) { /* sorry for this makro... it just fills in `&py_mutator->something_buf, &py_mutator->something_size`. */ -# define BUF_PARAMS(name) \ - (void **)&((py_mutator_t *)py_mutator)->name##_buf, \ - &((py_mutator_t *)py_mutator)->name##_size +#define BUF_PARAMS(name) \ + (void **)&((py_mutator_t *)py_mutator)->name##_buf, \ + &((py_mutator_t *)py_mutator)->name##_size static size_t fuzz_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf, u8 *add_buf, size_t add_buf_size, size_t max_size) { @@ -71,12 +71,12 @@ static size_t fuzz_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf, PyTuple_SetItem(py_args, 1, py_value); - /* max_size */ -# if PY_MAJOR_VERSION >= 3 +/* max_size */ +#if PY_MAJOR_VERSION >= 3 py_value = PyLong_FromLong(max_size); -# else +#else py_value = PyInt_FromLong(max_size); -# endif +#endif if (!py_value) { Py_DECREF(py_args); @@ -118,11 +118,11 @@ static py_mutator_t *init_py_module(afl_state_t *afl, u8 *module_name) { Py_Initialize(); -# if PY_MAJOR_VERSION >= 3 +#if PY_MAJOR_VERSION >= 3 PyObject *py_name = PyUnicode_FromString(module_name); -# else +#else PyObject *py_name = PyString_FromString(module_name); -# endif +#endif py->py_module = PyImport_Import(py_name); Py_DECREF(py_name); @@ -243,11 +243,11 @@ static void init_py(afl_state_t *afl, py_mutator_t *py_mutator, /* Provide the init function a seed for the Python RNG */ py_args = PyTuple_New(1); -# if PY_MAJOR_VERSION >= 3 +#if PY_MAJOR_VERSION >= 3 py_value = PyLong_FromLong(seed); -# else +#else py_value = PyInt_FromLong(seed); -# endif +#endif if (!py_value) { @@ -440,11 +440,11 @@ s32 init_trim_py(void *py_mutator, u8 *buf, size_t buf_size) { if (py_value != NULL) { -# if PY_MAJOR_VERSION >= 3 +#if PY_MAJOR_VERSION >= 3 u32 retcnt = (u32)PyLong_AsLong(py_value); -# else +#else u32 retcnt = PyInt_AsLong(py_value); -# endif +#endif Py_DECREF(py_value); return retcnt; @@ -479,11 +479,11 @@ s32 post_trim_py(void *py_mutator, u8 success) { if (py_value != NULL) { -# if PY_MAJOR_VERSION >= 3 +#if PY_MAJOR_VERSION >= 3 u32 retcnt = (u32)PyLong_AsLong(py_value); -# else +#else u32 retcnt = PyInt_AsLong(py_value); -# endif +#endif Py_DECREF(py_value); return retcnt; @@ -542,12 +542,12 @@ size_t havoc_mutation_py(void *py_mutator, u8 *buf, size_t buf_size, PyTuple_SetItem(py_args, 0, py_value); - /* max_size */ -# if PY_MAJOR_VERSION >= 3 +/* max_size */ +#if PY_MAJOR_VERSION >= 3 py_value = PyLong_FromLong(max_size); -# else +#else py_value = PyInt_FromLong(max_size); -# endif +#endif if (!py_value) { Py_DECREF(py_args); @@ -624,12 +624,12 @@ u8 queue_get_py(void *py_mutator, const u8 *filename) { py_args = PyTuple_New(1); - // File name -# if PY_MAJOR_VERSION >= 3 +// File name +#if PY_MAJOR_VERSION >= 3 py_value = PyUnicode_FromString(filename); -# else +#else py_value = PyString_FromString(filename); -# endif +#endif if (!py_value) { Py_DECREF(py_args); @@ -674,12 +674,12 @@ void queue_new_entry_py(void *py_mutator, const u8 *filename_new_queue, py_args = PyTuple_New(2); - // New queue -# if PY_MAJOR_VERSION >= 3 +// New queue +#if PY_MAJOR_VERSION >= 3 py_value = PyUnicode_FromString(filename_new_queue); -# else +#else py_value = PyString_FromString(filename_new_queue); -# endif +#endif if (!py_value) { Py_DECREF(py_args); @@ -693,11 +693,11 @@ void queue_new_entry_py(void *py_mutator, const u8 *filename_new_queue, py_value = Py_None; if (filename_orig_queue) { -# if PY_MAJOR_VERSION >= 3 +#if PY_MAJOR_VERSION >= 3 py_value = PyUnicode_FromString(filename_orig_queue); -# else +#else py_value = PyString_FromString(filename_orig_queue); -# endif +#endif if (!py_value) { Py_DECREF(py_args); @@ -724,7 +724,7 @@ void queue_new_entry_py(void *py_mutator, const u8 *filename_new_queue, } -# undef BUF_PARAMS +#undef BUF_PARAMS #endif /* USE_PYTHON */ diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 29ec8fd5..aaf615e9 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -853,7 +853,7 @@ int main(int argc, char **argv_orig, char **envp) { } -# if defined(__SANITIZE_ADDRESS__) +#if defined(__SANITIZE_ADDRESS__) if (afl->fsrv.mem_limit) { WARNF("in the ASAN build we disable all memory limits"); @@ -861,7 +861,7 @@ int main(int argc, char **argv_orig, char **envp) { } -# endif +#endif setup_signal_handlers(); check_asan_opts(); @@ -1054,9 +1054,9 @@ int main(int argc, char **argv_orig, char **envp) { get_core_count(afl); -# ifdef HAVE_AFFINITY +#ifdef HAVE_AFFINITY bind_to_free_cpu(afl); -# endif /* HAVE_AFFINITY */ +#endif /* HAVE_AFFINITY */ check_crash_handling(); check_cpu_governor(afl); @@ -1352,12 +1352,12 @@ stop_fuzzing: } -# ifdef PROFILING +#ifdef PROFILING SAYF(cYEL "[!] " cRST "Profiling information: %llu ms total work, %llu ns/run\n", time_spent_working / 1000000, time_spent_working / afl->fsrv.total_execs); -# endif +#endif fclose(afl->fsrv.plot_file); destroy_queue(afl); diff --git a/src/afl-gotcpu.c b/src/afl-gotcpu.c index 573ad4dc..ab7aad5c 100644 --- a/src/afl-gotcpu.c +++ b/src/afl-gotcpu.c @@ -32,11 +32,11 @@ #define AFL_MAIN #ifndef _GNU_SOURCE -# define _GNU_SOURCE +#define _GNU_SOURCE #endif #ifdef __ANDROID__ -# include "android-ashmem.h" +#include "android-ashmem.h" #endif #include #include @@ -55,22 +55,22 @@ #if defined(__linux__) || defined(__FreeBSD__) || defined(__NetBSD__) || \ defined(__APPLE__) || defined(__DragonFly__) -# define HAVE_AFFINITY 1 -# if defined(__FreeBSD__) || defined(__DragonFly__) -# include -# include -# if defined(__FreeBSD__) -# include -# endif -# define cpu_set_t cpuset_t -# elif defined(__NetBSD__) -# include -# include -# elif defined(__APPLE__) -# include -# include -# include -# endif +#define HAVE_AFFINITY 1 +#if defined(__FreeBSD__) || defined(__DragonFly__) +#include +#include +#if defined(__FreeBSD__) +#include +#endif +#define cpu_set_t cpuset_t +#elif defined(__NetBSD__) +#include +#include +#elif defined(__APPLE__) +#include +#include +#include +#endif #endif /* __linux__ || __FreeBSD__ || __NetBSD__ || __APPLE__ */ /* Get CPU usage in microseconds. */ @@ -163,46 +163,46 @@ int main(int argc, char **argv) { if (!fr) { u32 util_perc; -# if defined(__linux__) || defined(__FreeBSD__) || defined(__DragonFly__) +#if defined(__linux__) || defined(__FreeBSD__) || defined(__DragonFly__) cpu_set_t c; CPU_ZERO(&c); CPU_SET(i, &c); -# elif defined(__NetBSD__) +#elif defined(__NetBSD__) cpuset_t *c; c = cpuset_create(); if (c == NULL) PFATAL("cpuset_create failed"); cpuset_set(i, c); -# elif defined(__APPLE__) +#elif defined(__APPLE__) thread_affinity_policy_data_t c = {i}; thread_port_t native_thread = pthread_mach_thread_np(pthread_self()); if (thread_policy_set(native_thread, THREAD_AFFINITY_POLICY, (thread_policy_t)&c, 1) != KERN_SUCCESS) PFATAL("thread_policy_set failed"); -# endif +#endif -# if defined(__FreeBSD__) || defined(__DragonFly__) +#if defined(__FreeBSD__) || defined(__DragonFly__) if (pthread_setaffinity_np(pthread_self(), sizeof(c), &c)) PFATAL("pthread_setaffinity_np failed"); -# endif +#endif -# if defined(__NetBSD__) +#if defined(__NetBSD__) if (pthread_setaffinity_np(pthread_self(), cpuset_size(c), c)) PFATAL("pthread_setaffinity_np failed"); cpuset_destroy(c); -# endif +#endif -# if defined(__linux__) +#if defined(__linux__) if (sched_setaffinity(0, sizeof(c), &c)) { PFATAL("sched_setaffinity failed for cpu %d", i); } -# endif +#endif util_perc = measure_preemption(CTEST_CORE_TRG_MS); diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c index d52a8e0d..e024eb18 100644 --- a/src/afl-sharedmem.c +++ b/src/afl-sharedmem.c @@ -27,7 +27,7 @@ #define AFL_MAIN #ifdef __ANDROID__ -# include "android-ashmem.h" +#include "android-ashmem.h" #endif #include "config.h" #include "types.h" @@ -56,8 +56,8 @@ #include #ifndef USEMMAP -# include -# include +#include +#include #endif static list_t shm_list = {.element_prealloc_count = 0}; diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 6d16e9c4..ed59f2f5 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -32,7 +32,7 @@ #define AFL_MAIN #ifdef __ANDROID__ -# include "android-ashmem.h" +#include "android-ashmem.h" #endif #include "config.h" #include "types.h" diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 7ac76366..e15dc72d 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -30,7 +30,7 @@ #define AFL_MAIN #ifdef __ANDROID__ -# include "android-ashmem.h" +#include "android-ashmem.h" #endif #include "config.h" -- cgit 1.4.1 From 41f6aa794022d9cd34642ac7b57a70c9094f0e8c Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 11 May 2020 10:45:20 +0200 Subject: bigger initial map when LTO --- include/alloc-inl.h | 28 ++++++++++++---------------- llvm_mode/afl-llvm-rt-lto.o.c | 3 +++ llvm_mode/afl-llvm-rt.o.c | 6 +++++- 3 files changed, 20 insertions(+), 17 deletions(-) (limited to 'llvm_mode') diff --git a/include/alloc-inl.h b/include/alloc-inl.h index a8483a9e..485446de 100644 --- a/include/alloc-inl.h +++ b/include/alloc-inl.h @@ -233,19 +233,17 @@ static inline u8 *DFL_ck_memdup_str(u8 *mem, u32 size) { /* User-facing macro to sprintf() to a dynamically allocated buffer. */ -#define alloc_printf(_str...) \ - ({ \ - \ - \ - \ - u8 *_tmp; \ - s32 _len = snprintf(NULL, 0, _str); \ - if (_len < 0) FATAL("Whoa, snprintf() fails?!"); \ - _tmp = ck_alloc(_len + 1); \ - snprintf((char *)_tmp, _len + 1, _str); \ - _tmp; - -}) +#define alloc_printf(_str...) \ + ({ \ + \ + u8 *_tmp; \ + s32 _len = snprintf(NULL, 0, _str); \ + if (_len < 0) FATAL("Whoa, snprintf() fails?!"); \ + _tmp = ck_alloc(_len + 1); \ + snprintf((char *)_tmp, _len + 1, _str); \ + _tmp; \ + \ + }) /* Macro to enforce allocation limits as a last-resort defense against integer overflows. */ @@ -263,9 +261,7 @@ static inline u8 *DFL_ck_memdup_str(u8 *mem, u32 size) { \ if (!(_r)) ABORT("Out of memory: can't allocate %u bytes", (_s)); \ \ - } - -while (0) + } while (0) /* Magic tokens used to mark used / freed chunks. */ diff --git a/llvm_mode/afl-llvm-rt-lto.o.c b/llvm_mode/afl-llvm-rt-lto.o.c index 5921f968..3606cedd 100644 --- a/llvm_mode/afl-llvm-rt-lto.o.c +++ b/llvm_mode/afl-llvm-rt-lto.o.c @@ -10,6 +10,8 @@ */ +#include + // to prevent the function from being removed unsigned char __afl_lto_mode = 0; @@ -17,6 +19,7 @@ unsigned char __afl_lto_mode = 0; __attribute__((constructor(0))) void __afl_auto_init_globals(void) { + if (getenv("AFL_DEBUG")) fprintf(stderr, "[__afl_auto_init_globals]\n"); __afl_lto_mode = 1; } diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index 56038f7a..ce8df332 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c @@ -63,7 +63,11 @@ is used for instrumentation output before __afl_map_shm() has a chance to run. It will end up as .comm, so it shouldn't be too wasteful. */ -u8 __afl_area_initial[MAP_SIZE]; +#ifdef AFL_REAL_LD +u8 __afl_area_initial[256000]; +#else +u8 __afl_area_initial[MAP_SIZE]; +#endif u8 *__afl_area_ptr = __afl_area_initial; u8 *__afl_dictionary; -- cgit 1.4.1 From d91640392763ac84cb9fc1dab9b86d870172b549 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 11 May 2020 11:33:33 +0200 Subject: document workaround for targets with _init for LTO --- llvm_mode/README.lto.md | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) (limited to 'llvm_mode') diff --git a/llvm_mode/README.lto.md b/llvm_mode/README.lto.md index 110b5e9c..f930c560 100644 --- a/llvm_mode/README.lto.md +++ b/llvm_mode/README.lto.md @@ -16,6 +16,11 @@ This version requires a current llvm 11 compiled from the github master. 4. AUTODICTIONARY feature! see below +5. If any problems arise be sure to set `AR=llvm-ar RANLIB=llvm-ranlib` also + note that if that target uses _init functions or early constructors then + also set `AFL_LLVM_MAP_DYNAMIC=1` as your target will crash otherwise + + ## Introduction and problem description A big issue with how afl/afl++ works is that the basic block IDs that are @@ -134,7 +139,7 @@ Other targets ignore environment variables and need the parameters set via afl-clang-lto is still work in progress. Known issues: - * Anything that llvm11 cannot compile, afl-clang-lto can not compile either - obviously + * Anything that llvm 11 cannot compile, afl-clang-lto can not compile either - obviously * Anything that does not compile with LTO, afl-clang-lto can not compile either - obviously Hence if building a target with afl-clang-lto fails try to build it with llvm11 @@ -143,6 +148,13 @@ and LTO enabled (`CC=clang-11` `CXX=clang++-11` `CFLAGS=-flto=full` and If this succeeeds then there is an issue with afl-clang-lto. Please report at [https://github.com/AFLplusplus/AFLplusplus/issues/226](https://github.com/AFLplusplus/AFLplusplus/issues/226) +### Target crashes immediately + +If the target is using early constructors (values smaller than 6) or have their +own _init/.init functions and these are instrumented then the target will +likely crash when started. This can be avoided by compiling with +`AFL_LLVM_MAP_DYNAMIC=1` . + ## Upcoming Work 1. Currently the LTO whitelist feature does not allow to instrument main, -- cgit 1.4.1 From ed877f5e3e6ee8eee25b867cb9e0617fa9c56d8a Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 11 May 2020 12:46:27 +0200 Subject: add missing include --- llvm_mode/afl-llvm-rt-lto.o.c | 1 + 1 file changed, 1 insertion(+) (limited to 'llvm_mode') diff --git a/llvm_mode/afl-llvm-rt-lto.o.c b/llvm_mode/afl-llvm-rt-lto.o.c index 3606cedd..e53785ff 100644 --- a/llvm_mode/afl-llvm-rt-lto.o.c +++ b/llvm_mode/afl-llvm-rt-lto.o.c @@ -11,6 +11,7 @@ */ #include +#include // to prevent the function from being removed unsigned char __afl_lto_mode = 0; -- cgit 1.4.1 From 38dac93f631356d6a1288931e01f9effec9c8c88 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 11 May 2020 22:44:44 +0200 Subject: fix typos --- examples/afl_untracer/README.md | 4 ++-- examples/afl_untracer/afl-untracer.c | 2 +- llvm_mode/README.lto.md | 11 ++++++++--- llvm_mode/afl-llvm-lto-instrim.so.cc | 3 ++- 4 files changed, 13 insertions(+), 7 deletions(-) (limited to 'llvm_mode') diff --git a/examples/afl_untracer/README.md b/examples/afl_untracer/README.md index 29234889..05fd8776 100644 --- a/examples/afl_untracer/README.md +++ b/examples/afl_untracer/README.md @@ -16,7 +16,7 @@ Supported is so far Intel (i386/x86_64) and AARCH64. ### Modify afl-untracer.c Read and modify afl-untracer.c then `make`. -To adapt afl-untracer.c to your need read the header of the file and then +To adapt afl-untracer.c to your needs, read the header of the file and then search and edit the `STEP 1`, `STEP 2` and `STEP 3` locations. ### Generate patches.txt file @@ -25,7 +25,7 @@ To generate the `patches.txt` file for your target library use the `ida_get_patchpoints.py` script for IDA Pro or `ghidra_get_patchpoints.java` for Ghidra. -The patches.txt file has to pointed to by `AFL_UNTRACER_FILE`. +The patches.txt file has to be pointed to by `AFL_UNTRACER_FILE`. To easily run the scripts without needing to run the GUI with Ghidra: ``` diff --git a/examples/afl_untracer/afl-untracer.c b/examples/afl_untracer/afl-untracer.c index 5dbc71bf..af16a6bf 100644 --- a/examples/afl_untracer/afl-untracer.c +++ b/examples/afl_untracer/afl-untracer.c @@ -276,7 +276,7 @@ library_list_t *find_library(char *name) { } -/* for having an easy breakpoint after load the shared library */ +/* for having an easy breakpoint location after loading the shared library */ // this seems to work for clang too. nice :) requires gcc 4.4+ #pragma GCC push_options #pragma GCC optimize("O0") diff --git a/llvm_mode/README.lto.md b/llvm_mode/README.lto.md index f930c560..fa5b8665 100644 --- a/llvm_mode/README.lto.md +++ b/llvm_mode/README.lto.md @@ -145,16 +145,21 @@ Known issues: Hence if building a target with afl-clang-lto fails try to build it with llvm11 and LTO enabled (`CC=clang-11` `CXX=clang++-11` `CFLAGS=-flto=full` and `CXXFLAGS=-flto=full`). + +An example that does not build with llvm 11 and LTO is ffmpeg. + If this succeeeds then there is an issue with afl-clang-lto. Please report at [https://github.com/AFLplusplus/AFLplusplus/issues/226](https://github.com/AFLplusplus/AFLplusplus/issues/226) ### Target crashes immediately -If the target is using early constructors (values smaller than 6) or have their -own _init/.init functions and these are instrumented then the target will -likely crash when started. This can be avoided by compiling with +If the target is using early constructors (priority values smaller than 6) +or have their own _init/.init functions and these are instrumented then the +target will likely crash when started. This can be avoided by compiling with `AFL_LLVM_MAP_DYNAMIC=1` . +This can e.g. happen with OpenSSL. + ## Upcoming Work 1. Currently the LTO whitelist feature does not allow to instrument main, diff --git a/llvm_mode/afl-llvm-lto-instrim.so.cc b/llvm_mode/afl-llvm-lto-instrim.so.cc index a686bb81..a7d9b756 100644 --- a/llvm_mode/afl-llvm-lto-instrim.so.cc +++ b/llvm_mode/afl-llvm-lto-instrim.so.cc @@ -10,7 +10,8 @@ http://www.apache.org/licenses/LICENSE-2.0 - This library is plugged into LLVM when invoking clang through afl-clang-fast. + This library is plugged into LLVM when invoking clang through afl-clang-fast + or afl-clang-lto with AFL_LLVM_INSTRUMENT=CFG or =INSTRIM */ -- cgit 1.4.1 From b920cd2f236c26e6dcc1231b5121b04d0bc3f650 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 11 May 2020 23:30:28 +0200 Subject: blacklist llvmfuzzer functions --- llvm_mode/afl-llvm-common.cc | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) (limited to 'llvm_mode') diff --git a/llvm_mode/afl-llvm-common.cc b/llvm_mode/afl-llvm-common.cc index c62b4c14..db604e14 100644 --- a/llvm_mode/afl-llvm-common.cc +++ b/llvm_mode/afl-llvm-common.cc @@ -43,10 +43,29 @@ char *getBBName(const llvm::BasicBlock *BB) { /* Note: this blacklist check is also called in isInWhitelist() */ bool isBlacklisted(const llvm::Function *F) { + // Starting from "LLVMFuzzer" these are functions used in libfuzzer based + // fuzzing campaign installations, e.g. oss-fuzz + static const char *Blacklist[] = { - "asan.", "llvm.", "sancov.", "__ubsan_handle_", "ign.", "__afl_", - "_fini", "__libc_csu", "__asan", "__msan", "msan." + "asan.", + "llvm.", + "sancov.", + "__ubsan_handle_", + "ign.", + "__afl_", + "_fini", + "__libc_csu", + "__asan", + "__msan", + "msan.", + "LLVMFuzzer", + "maybe_duplicate_stderr", + "discard_output", + "close_stdout", + "dup_and_close_stderr", + "maybe_close_fd_mask", + "ExecuteFilesOnyByOne" }; -- cgit 1.4.1 From a578d719e1f556db07ca3c7e2fe38b7668c204d8 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Tue, 12 May 2020 10:34:52 +0200 Subject: llvm_mode: more support for Darwin/MacOSX (WIP) --- llvm_mode/GNUmakefile | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) (limited to 'llvm_mode') diff --git a/llvm_mode/GNUmakefile b/llvm_mode/GNUmakefile index beebf696..ab14e545 100644 --- a/llvm_mode/GNUmakefile +++ b/llvm_mode/GNUmakefile @@ -45,7 +45,7 @@ LLVM_MAJOR = $(shell $(LLVM_CONFIG) --version 2>/dev/null | sed 's/\..*//') LLVM_BINDIR = $(shell $(LLVM_CONFIG) --bindir 2>/dev/null) LLVM_LIBDIR = $(shell $(LLVM_CONFIG) --libdir 2>/dev/null) LLVM_STDCXX = gnu++11 -LLVM_APPLE = $(shell clang -v 2>&1 | grep -iq apple && echo 1 || echo 0) +LLVM_APPLE_XCODE = $(shell clang -v 2>&1 | grep -q Apple && echo 1 || echo 0) LLVM_LTO = 0 ifeq "$(LLVMVER)" "" @@ -75,7 +75,7 @@ ifeq "$(LLVM_LTO)" "0" $(info [+] llvm_mode detected llvm < 11, afl-clang-lto LTO will not be build.) endif -ifeq "$(LLVM_APPLE)" "1" +ifeq "$(LLVM_APPLE_XCODE)" "1" $(warning llvm_mode will not compile with Xcode clang...) endif @@ -213,13 +213,15 @@ CXXFLAGS ?= -O3 -funroll-loops -D_FORTIFY_SOURCE=2 override CXXFLAGS += -Wall -g -I ../include/ \ -DVERSION=\"$(VERSION)\" -Wno-variadic-macros -CLANG_CFL = `$(LLVM_CONFIG) --cxxflags` -Wl,-znodelete -fno-rtti -fpic $(CXXFLAGS) +CLANG_CFL = `$(LLVM_CONFIG) --cxxflags` -fno-rtti -fpic $(CXXFLAGS) CLANG_LFL = `$(LLVM_CONFIG) --ldflags` $(LDFLAGS) # User teor2345 reports that this is required to make things work on MacOS X. ifeq "$(shell uname)" "Darwin" CLANG_LFL += -Wl,-flat_namespace -Wl,-undefined,suppress +else + CLANG_CFL += -Wl,-znodelete endif ifeq "$(shell uname)" "OpenBSD" @@ -247,7 +249,7 @@ ifeq "$(LLVMVER)" "" NO_BUILD = 1 endif -ifneq "$(LLVM_UNSUPPORTED)$(LLVM_APPLE)" "00" +ifneq "$(LLVM_UNSUPPORTED)$(LLVM_APPLE_XCODE)" "00" NO_BUILD = 1 endif @@ -279,7 +281,7 @@ no_build: test_deps: @echo "[*] Checking for working 'llvm-config'..." - ifneq "$(LLVM_APPLE)" "1" + ifneq "$(LLVM_APPLE_XCODE)" "1" @type $(LLVM_CONFIG) >/dev/null 2>&1 || ( echo "[-] Oops, can't find 'llvm-config'. Install clang or set \$$LLVM_CONFIG or \$$PATH beforehand."; echo " (Sometimes, the binary will be named llvm-config-3.5 or something like that.)"; exit 1 ) endif @echo "[*] Checking for working '$(CC)'..." -- cgit 1.4.1