set instrim as default and updated documentation

This commit is contained in:
van Hauser
2019-07-14 19:48:28 +02:00
parent e664024853
commit 013a1731d5
3 changed files with 34 additions and 12 deletions

@ -82,6 +82,9 @@ discussed in section #1, with the exception of:
- TMPDIR and AFL_KEEP_ASSEMBLY, since no temporary assembly files are - TMPDIR and AFL_KEEP_ASSEMBLY, since no temporary assembly files are
created. created.
- AFL_INST_RATIO, as we switched for instrim instrumentation which
is more effective but makes not much sense together with this option.
Then there are a few specific features that are only available in llvm_mode: Then there are a few specific features that are only available in llvm_mode:
LAF-INTEL LAF-INTEL
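Review bot: The new AFL_INST_RATIO bullet reads awkwardly and will confuse users; "as we switched for instrim instrumentation which is more effective but makes not much sense together with this option" should be rephrased, e.g. "since llvm_mode now uses instrim instrumentation, which is more effective, and this option has no effect with it". It should also state plainly whether the variable is silently ignored or rejected, so a user setting it knows what to expect.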
@ -108,16 +111,16 @@ Then there are a few specific features that are only available in llvm_mode:
OTHER OTHER
===== =====
- Setting export AFL_LLVM_NOT_ZERO=1 during compilation will use counters - Setting LOOPHEAD=1 optimized loops. afl-fuzz will only be able to
see the path the loop took, but not how many times it was called
(unless its a complex loop).
- Setting AFL_LLVM_NOT_ZERO=1 during compilation will use counters
that skip zero on overflow. This is the default for llvm >= 9, that skip zero on overflow. This is the default for llvm >= 9,
however for llvm versions below that this will increase an unnecessary however for llvm versions below that this will increase an unnecessary
slowdown due a performance issue that is only fixed in llvm 9+. slowdown due a performance issue that is only fixed in llvm 9+.
This feature increases path discovery by a little bit. This feature increases path discovery by a little bit.
Note that AFL_INST_RATIO will behave a bit differently than for afl-gcc,
because functions are *not* instrumented unconditionally - so low values
will have a more striking effect. For this tool, 0 is not a valid choice.
3) Settings for afl-fuzz 3) Settings for afl-fuzz
------------------------ ------------------------
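Review bot: The retained paragraph "Note that AFL_INST_RATIO will behave a bit differently than for afl-gcc ... For this tool, 0 is not a valid choice." now contradicts the exception added above in this same file, which says AFL_INST_RATIO does not apply with instrim; it should be removed or rewritten in this commit. Minor wording in the new LOOPHEAD bullet: "optimized loops" should be "optimizes loops", "unless its a complex loop" should be "unless it's a complex loop", and it is worth saying how the mechanism differs from the instrim default, since the README describes the same option in different words.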

@ -98,11 +98,11 @@ namespace {
if (getenv("LOOPHEAD")) { if (getenv("LOOPHEAD")) {
LoopHeadOpt = true; LoopHeadOpt = true;
MarkSetOpt = true;
} else if (getenv("MARKSET")) {
MarkSetOpt = true;
} }
// this is our default
MarkSetOpt = true;
/* // I dont think this makes sense to port into LLVMInsTrim /* // I dont think this makes sense to port into LLVMInsTrim
char* inst_ratio_str = getenv("AFL_INST_RATIO"); char* inst_ratio_str = getenv("AFL_INST_RATIO");
unsigned int inst_ratio = 100; unsigned int inst_ratio = 100;
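Review bot: Dropping the `else if (getenv("MARKSET"))` branch and setting `MarkSetOpt = true;` unconditionally means MARKSET no longer has any effect and there is no longer any way to turn MarkSet off; any documentation, scripts or issue reports that mention MARKSET should be updated in the same commit, or the variable kept as a documented no-op so existing setups do not silently change behaviour. The surviving `if (getenv("LOOPHEAD")) { LoopHeadOpt = true; }` block is correct, but a one-line comment explaining why MarkSet is now the default (and that LOOPHEAD builds on it) would help the next reader.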

@ -78,13 +78,32 @@ Note: if you want the LLVM helper to be installed on your system for all
users, you need to build it before issuing 'make install' in the parent users, you need to build it before issuing 'make install' in the parent
directory. directory.
3) Gotchas, feedback, bugs 3) Options
Several options are present to make llvm_mode faster or help it rearrange
the code to make afl-fuzz path discovery easier.
If you need just to instrument specific parts of the code, you can whitelist
which C/C++ files to actually intrument. See README.whitelist
For splitting memcmp, strncmp, etc. please see README.laf-intel
As the original afl llvm_mode implementation has been replaced with
then much more effective instrim (https://github.com/csienslab/instrim/)
there is an option for optimizing loops. This optimization shows which
part of the loop has been selected, but not how many time a loop has been
called in a row (unless its a complex loop and a block inside was
instrumented). If you want to enable this set the environment variable
LOOPHEAD=1
4) Gotchas, feedback, bugs
-------------------------- --------------------------
This is an early-stage mechanism, so field reports are welcome. You can send bug This is an early-stage mechanism, so field reports are welcome. You can send bug
reports to <afl-users@googlegroups.com>. reports to <afl-users@googlegroups.com>.
4) Bonus feature #1: deferred instrumentation 5) Bonus feature #1: deferred instrumentation
--------------------------------------------- ---------------------------------------------
AFL tries to optimize performance by executing the targeted binary just once, AFL tries to optimize performance by executing the targeted binary just once,
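Review bot: The new "3) Options" heading is missing the dashed underline that every other section in this README uses (the existing "--------------------------" line now belongs to "4) Gotchas, feedback, bugs"), so add one for consistency. In the new section text: "intrument" should be "instrument", "then much more effective instrim" should be "the much more effective instrim", "how many time a loop" should be "how many times a loop", and "unless its a complex loop" should be "unless it's a complex loop". It would also help to state the documented LOOPHEAD=1 effect in the same terms as the env_variables documentation (afl-fuzz sees which path the loop took, not the iteration count) so the two files agree.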
@ -131,7 +150,7 @@ will keep working normally when compiled with a tool other than afl-clang-fast.
Finally, recompile the program with afl-clang-fast (afl-gcc or afl-clang will Finally, recompile the program with afl-clang-fast (afl-gcc or afl-clang will
*not* generate a deferred-initialization binary) - and you should be all set! *not* generate a deferred-initialization binary) - and you should be all set!
5) Bonus feature #2: persistent mode 6) Bonus feature #2: persistent mode
------------------------------------ ------------------------------------
Some libraries provide APIs that are stateless, or whose state can be reset in Some libraries provide APIs that are stateless, or whose state can be reset in
@ -171,7 +190,7 @@ PS. Because there are task switches still involved, the mode isn't as fast as
faster than the normal fork() model, and compared to in-process fuzzing, faster than the normal fork() model, and compared to in-process fuzzing,
should be a lot more robust. should be a lot more robust.
6) Bonus feature #3: new 'trace-pc-guard' mode 8) Bonus feature #3: new 'trace-pc-guard' mode
---------------------------------------------- ----------------------------------------------
Recent versions of LLVM are shipping with a built-in execution tracing feature Recent versions of LLVM are shipping with a built-in execution tracing feature
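Review bot: Section numbering skips from "6) Bonus feature #2: persistent mode" to "8) Bonus feature #3: new 'trace-pc-guard' mode"; since the renumbering in this commit shifts every section by one, this header should read "7) Bonus feature #3: ...". Please check any later sections and in-document cross references (e.g. "see section ...") for the same off-by-one.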