document AFL_LLVM_INSTRUMENT option NATIVE

This commit is contained in:
van Hauser
2020-12-20 22:53:41 +01:00
parent 59c1c6a431
commit 2e3cf10070
4 changed files with 8 additions and 20 deletions


@ -17,6 +17,8 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
- allow instrumenting LLVMFuzzerTestOneInput - allow instrumenting LLVMFuzzerTestOneInput
- fixed endless loop for allow/blocklist lines starting with a - fixed endless loop for allow/blocklist lines starting with a
comment (thanks to Zherya for reporting) comment (thanks to Zherya for reporting)
- added AFL_LLVM_INSTRUMENT option NATIVE for native clang pc-guard support
(less performant than our own)
### Version ++3.00c (release) ### Version ++3.00c (release)
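Review bot: the new changelog entry does not say which LLVM versions offer NATIVE, while the afl-cc help text added in this same commit only shows the option when LLVM is newer than 10.0; consider stating the minimum version in the entry, e.g. `- added AFL_LLVM_INSTRUMENT option NATIVE for native clang pc-guard support (LLVM > 10.0, less performant than our own)`, so users of older toolchains are not sent looking for an option their build does not expose.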


@ -113,6 +113,8 @@ Then there are a few specific features that are only available in instrumentatio
- `AFL_LLVM_INSTRUMENT` - this configures the instrumentation mode. - `AFL_LLVM_INSTRUMENT` - this configures the instrumentation mode.
Available options: Available options:
PCGUARD - our own pcgard based instrumentation (default)
NATIVE - clang's original pcguard based instrumentation
CLASSIC - classic AFL (map[cur_loc ^ prev_loc >> 1]++) (default) CLASSIC - classic AFL (map[cur_loc ^ prev_loc >> 1]++) (default)
CFG - InsTrim instrumentation (see below) CFG - InsTrim instrumentation (see below)
LTO - LTO instrumentation (see below) LTO - LTO instrumentation (see below)
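Review bot: two entries in this list now carry `(default)`: the added `PCGUARD - our own pcgard based instrumentation (default)` and the unchanged `CLASSIC - classic AFL (map[cur_loc ^ prev_loc >> 1]++) (default)`; only one mode can be the default, so drop the marker from the other. In the same added line, `pcgard` should read `pcguard`. The `NATIVE` line should also mention that it is only available on newer LLVM, matching the `#if LLVM_MAJOR > 10 || ...` guard in the afl-cc.c hunk of this commit.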


@ -168,26 +168,7 @@ This is the most powerful and effective fuzzing you can do.
Please see [README.persistent_mode.md](README.persistent_mode.md) for a Please see [README.persistent_mode.md](README.persistent_mode.md) for a
full explanation. full explanation.
## 7) Bonus feature: 'trace-pc-guard' mode ## 7) Bonus feature: 'dict2file' pass
LLVM is shipping with a built-in execution tracing feature
that provides AFL with the necessary tracing data without the need to
post-process the assembly or install any compiler plugins. See:
http://clang.llvm.org/docs/SanitizerCoverage.html#tracing-pcs-with-guards
If you have not an outdated compiler and want to give it a try, build
targets this way:
```
AFL_LLVM_INSTRUMENT=PCGUARD make
```
Note that this is currently the default if you use LLVM >= 7, as it is the best
mode. Recommended is LLVM >= 9.
If you have llvm 11+ and compiled afl-clang-lto - this is the only better mode.
## 8) Bonus feature: 'dict2file' pass
Just specify `AFL_LLVM_DICT2FILE=/absolute/path/file.txt` and during compilation Just specify `AFL_LLVM_DICT2FILE=/absolute/path/file.txt` and during compilation
all constant string compare parameters will be written to this file to be all constant string compare parameters will be written to this file to be
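Review bot: removing the 'trace-pc-guard' section renumbers 'dict2file' from `## 8)` to `## 7)`, so any cross-references to these section numbers elsewhere in the README or other docs need checking. The removed text was also the only place in this diff carrying the LLVM version guidance (PCGUARD default for LLVM >= 7, LLVM >= 9 recommended, afl-clang-lto on LLVM 11+) and the link to `http://clang.llvm.org/docs/SanitizerCoverage.html#tracing-pcs-with-guards`; none of the other hunks re-home that information, so consider moving it into the `AFL_LLVM_INSTRUMENT` description in the environment-variable docs rather than dropping it.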


@ -1346,6 +1346,9 @@ int main(int argc, char **argv, char **envp) {
"Sub-Modes: (set via env AFL_LLVM_INSTRUMENT, afl-cc selects the best " "Sub-Modes: (set via env AFL_LLVM_INSTRUMENT, afl-cc selects the best "
"available)\n" "available)\n"
" PCGUARD: Dominator tree instrumentation (best!) (README.llvm.md)\n" " PCGUARD: Dominator tree instrumentation (best!) (README.llvm.md)\n"
#if LLVM_MAJOR > 10 || (LLVM_MAJOR == 10 && LLVM_MINOR > 0)
" NATIVE: use llvm's native PCGUARD instrumentation (less performant)\n"
#endif
" CLASSIC: decision target instrumentation (README.llvm.md)\n" " CLASSIC: decision target instrumentation (README.llvm.md)\n"
" CTX: CLASSIC + callee context (instrumentation/README.ctx.md)\n" " CTX: CLASSIC + callee context (instrumentation/README.ctx.md)\n"
" NGRAM-x: CLASSIC + previous path " " NGRAM-x: CLASSIC + previous path "
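Review bot: the `#if LLVM_MAJOR > 10 || (LLVM_MAJOR == 10 && LLVM_MINOR > 0)` guard only hides the help line; nothing in this hunk shows what happens when a user sets `AFL_LLVM_INSTRUMENT=NATIVE` on an older LLVM, so make sure the mode-selection code rejects it with a clear error rather than silently falling back to another mode. The two documentation hunks in this commit list NATIVE without any version condition; the help text and the docs should agree on the requirement.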