ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-13 18:48:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

update instrumenation/README.instrument_file.md for gcc_plugin

Browse Source
This commit is contained in:
van Hauser
2020-09-08 17:15:32 +02:00
parent c091340a85
commit 2802245da7
4 changed files with 64 additions and 56 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
instrumentation/README.instrument_list.md
View File

@ -1,8 +1,8 @@
# Using afl++ with partial instrumentation
This file describes how to selectively instrument only source files
or functions that are of interest to you using the LLVM instrumentation
provided by afl++.
or functions that are of interest to you using the LLVM and GCC_PLUGIN
instrumentation provided by afl++.
## 1) Description and purpose
@ -22,11 +22,17 @@ https://clang.llvm.org/docs/SanitizerCoverage.html#partially-disabling-instrumen
The llvm sancov list format is fully supported by afl++, however afl++ has
more flexibility.
## 2) Building the LLVM module
## 2a) Building the LLVM module
The new code is part of the existing afl++ LLVM module in the instrumentation/
subdirectory. There is nothing specifically to do for the build :)
## 2b) Building the GCC module
The new code is part of the existing afl++ GCC_PLUGIN module in the
instrumentation/ subdirectory. There is nothing specifically to do for
the build :)
## 3) How to use the partial instrumentation mode
In order to build with partial instrumentation, you need to build with
@ -37,6 +43,9 @@ AFL_LLVM_ALLOWLIST or AFL_LLVM_DENYLIST set with a filename.
That file should contain the file names or functions that are to be instrumented
(AFL_LLVM_ALLOWLIST) or are specifically NOT to be instrumented (AFL_LLVM_DENYLIST).
GCC_PLUGIN: you can use either AFL_LLVM_ALLOWLIST or AFL_GCC_ALLOWLIST (or the
same for _DENYLIST), both work.
For matching to succeed, the function/file name that is being compiled must end in the
function/file name entry contained in this instrument file list. That is to avoid
breaking the match when absolute paths are used during compilation.

3
src/afl-fuzz-init.c
View File

@ -1775,7 +1775,6 @@ int check_main_node_exists(afl_state_t *afl) {
void setup_dirs_fds(afl_state_t *afl) {
u8 *tmp;
s32 fd;
ACTF("Setting up output directories...");
@ -1901,7 +1900,7 @@ void setup_dirs_fds(afl_state_t *afl) {
/* Gnuplot output file. */
tmp = alloc_printf("%s/plot_data", afl->out_dir);
fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600);
int fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600);
if (fd < 0) { PFATAL("Unable to create '%s'", tmp); }
ck_free(tmp);

4
src/afl-fuzz-mutators.c
View File

@ -93,9 +93,9 @@ void setup_custom_mutators(afl_state_t *afl) {
}
struct custom_mutator *mutator = load_custom_mutator_py(afl, module_name);
struct custom_mutator *m = load_custom_mutator_py(afl, module_name);
afl->custom_mutators_count++;
list_append(&afl->custom_mutator_list, mutator);
list_append(&afl->custom_mutator_list, m);
}

98
src/afl-fuzz.c
View File

@ -698,7 +698,7 @@ int main(int argc, char **argv_orig, char **envp) {
afl->swarm_now = 0;
if (afl->limit_time_puppet == 0) { afl->key_puppet = 1; }
int i;
int j;
int tmp_swarm = 0;
if (afl->g_now > afl->g_max) { afl->g_now = 0; }
@ -711,70 +711,70 @@ int main(int argc, char **argv_orig, char **envp) {
double total_puppet_temp = 0.0;
afl->swarm_fitness[tmp_swarm] = 0.0;
for (i = 0; i < operator_num; ++i) {
for (j = 0; j < operator_num; ++j) {
afl->stage_finds_puppet[tmp_swarm][i] = 0;
afl->probability_now[tmp_swarm][i] = 0.0;
afl->x_now[tmp_swarm][i] =
afl->stage_finds_puppet[tmp_swarm][j] = 0;
afl->probability_now[tmp_swarm][j] = 0.0;
afl->x_now[tmp_swarm][j] =
((double)(random() % 7000) * 0.0001 + 0.1);
total_puppet_temp += afl->x_now[tmp_swarm][i];
afl->v_now[tmp_swarm][i] = 0.1;
afl->L_best[tmp_swarm][i] = 0.5;
afl->G_best[i] = 0.5;
afl->eff_best[tmp_swarm][i] = 0.0;
total_puppet_temp += afl->x_now[tmp_swarm][j];
afl->v_now[tmp_swarm][j] = 0.1;
afl->L_best[tmp_swarm][j] = 0.5;
afl->G_best[j] = 0.5;
afl->eff_best[tmp_swarm][j] = 0.0;
}
for (i = 0; i < operator_num; ++i) {
for (j = 0; j < operator_num; ++j) {
afl->stage_cycles_puppet_v2[tmp_swarm][i] =
afl->stage_cycles_puppet[tmp_swarm][i];
afl->stage_finds_puppet_v2[tmp_swarm][i] =
afl->stage_finds_puppet[tmp_swarm][i];
afl->x_now[tmp_swarm][i] =
afl->x_now[tmp_swarm][i] / total_puppet_temp;
afl->stage_cycles_puppet_v2[tmp_swarm][j] =
afl->stage_cycles_puppet[tmp_swarm][j];
afl->stage_finds_puppet_v2[tmp_swarm][j] =
afl->stage_finds_puppet[tmp_swarm][j];
afl->x_now[tmp_swarm][j] =
afl->x_now[tmp_swarm][j] / total_puppet_temp;
}
double x_temp = 0.0;
for (i = 0; i < operator_num; ++i) {
for (j = 0; j < operator_num; ++j) {
afl->probability_now[tmp_swarm][i] = 0.0;
afl->v_now[tmp_swarm][i] =
afl->w_now * afl->v_now[tmp_swarm][i] +
afl->probability_now[tmp_swarm][j] = 0.0;
afl->v_now[tmp_swarm][j] =
afl->w_now * afl->v_now[tmp_swarm][j] +
RAND_C *
(afl->L_best[tmp_swarm][i] - afl->x_now[tmp_swarm][i]) +
RAND_C * (afl->G_best[i] - afl->x_now[tmp_swarm][i]);
(afl->L_best[tmp_swarm][j] - afl->x_now[tmp_swarm][j]) +
RAND_C * (afl->G_best[j] - afl->x_now[tmp_swarm][j]);
afl->x_now[tmp_swarm][i] += afl->v_now[tmp_swarm][i];
afl->x_now[tmp_swarm][j] += afl->v_now[tmp_swarm][j];
if (afl->x_now[tmp_swarm][i] > v_max) {
if (afl->x_now[tmp_swarm][j] > v_max) {
afl->x_now[tmp_swarm][i] = v_max;
afl->x_now[tmp_swarm][j] = v_max;
} else if (afl->x_now[tmp_swarm][i] < v_min) {
} else if (afl->x_now[tmp_swarm][j] < v_min) {
afl->x_now[tmp_swarm][i] = v_min;
afl->x_now[tmp_swarm][j] = v_min;
}
x_temp += afl->x_now[tmp_swarm][i];
x_temp += afl->x_now[tmp_swarm][j];
}
for (i = 0; i < operator_num; ++i) {
for (j = 0; j < operator_num; ++j) {
afl->x_now[tmp_swarm][i] = afl->x_now[tmp_swarm][i] / x_temp;
if (likely(i != 0)) {
afl->x_now[tmp_swarm][j] = afl->x_now[tmp_swarm][j] / x_temp;
if (likely(j != 0)) {
afl->probability_now[tmp_swarm][i] =
afl->probability_now[tmp_swarm][i - 1] +
afl->x_now[tmp_swarm][i];
afl->probability_now[tmp_swarm][j] =
afl->probability_now[tmp_swarm][j - 1] +
afl->x_now[tmp_swarm][j];
} else {
afl->probability_now[tmp_swarm][i] = afl->x_now[tmp_swarm][i];
afl->probability_now[tmp_swarm][j] = afl->x_now[tmp_swarm][j];
}
@ -789,13 +789,13 @@ int main(int argc, char **argv_orig, char **envp) {
}
for (i = 0; i < operator_num; ++i) {
for (j = 0; j < operator_num; ++j) {
afl->core_operator_finds_puppet[i] = 0;
afl->core_operator_finds_puppet_v2[i] = 0;
afl->core_operator_cycles_puppet[i] = 0;
afl->core_operator_cycles_puppet_v2[i] = 0;
afl->core_operator_cycles_puppet_v3[i] = 0;
afl->core_operator_finds_puppet[j] = 0;
afl->core_operator_finds_puppet_v2[j] = 0;
afl->core_operator_cycles_puppet[j] = 0;
afl->core_operator_cycles_puppet_v2[j] = 0;
afl->core_operator_cycles_puppet_v3[j] = 0;
}
@ -1010,10 +1010,10 @@ int main(int argc, char **argv_orig, char **envp) {
u8 *afl_preload = getenv("AFL_PRELOAD");
u8 *buf;
s32 i, afl_preload_size = strlen(afl_preload);
for (i = 0; i < afl_preload_size; ++i) {
s32 j, afl_preload_size = strlen(afl_preload);
for (j = 0; j < afl_preload_size; ++j) {
if (afl_preload[i] == ',') {
if (afl_preload[j] == ',') {
PFATAL(
"Comma (',') is not allowed in AFL_PRELOAD when -Q is "
@ -1188,10 +1188,10 @@ int main(int argc, char **argv_orig, char **envp) {
if (!afl->fsrv.out_file) {
u32 i = optind + 1;
while (argv[i]) {
u32 j = optind + 1;
while (argv[j]) {
u8 *aa_loc = strstr(argv[i], "@@");
u8 *aa_loc = strstr(argv[j], "@@");
if (aa_loc && !afl->fsrv.out_file) {
@ -1214,7 +1214,7 @@ int main(int argc, char **argv_orig, char **envp) {
}
++i;
++j;
}