updated docs and crash issues with gcc_plugin
4
TODO
4
TODO
@ -4,6 +4,8 @@ Roadmap 2.53d:
|
|||||||
|
|
||||||
- README.md
|
- README.md
|
||||||
|
|
||||||
|
- update docs/sister_projects.txt
|
||||||
|
|
||||||
- better defaults:
|
- better defaults:
|
||||||
* laf-intel activated, needs deactiatation
|
* laf-intel activated, needs deactiatation
|
||||||
* fast mode schedule
|
* fast mode schedule
|
||||||
@ -15,7 +17,7 @@ afl-fuzz:
|
|||||||
- reuse forkserver for showmap, afl-cmin, etc.
|
- reuse forkserver for showmap, afl-cmin, etc.
|
||||||
|
|
||||||
gcc_plugin:
|
gcc_plugin:
|
||||||
(see TODOs)
|
- fix crashes when compiling :(
|
||||||
- whitelist support
|
- whitelist support
|
||||||
- skip over uninteresting blocks
|
- skip over uninteresting blocks
|
||||||
- laf-intel
|
- laf-intel
|
||||||
|
@ -11247,7 +11247,7 @@ static void usage(u8* argv0) {
|
|||||||
" -Q - use binary-only instrumentation (QEMU mode)\n"
|
" -Q - use binary-only instrumentation (QEMU mode)\n"
|
||||||
" -L minutes - use MOpt(imize) mode and set the limit time for entering the\n"
|
" -L minutes - use MOpt(imize) mode and set the limit time for entering the\n"
|
||||||
" pacemaker mode (minutes of no new paths, 0 = immediately).\n"
|
" pacemaker mode (minutes of no new paths, 0 = immediately).\n"
|
||||||
" see docs/README.MOpt\n\n"
|
" a recommended value is 10-60. see docs/README.MOpt\n\n"
|
||||||
|
|
||||||
"Fuzzing behavior settings:\n"
|
"Fuzzing behavior settings:\n"
|
||||||
" -d - quick & dirty mode (skips deterministic steps)\n"
|
" -d - quick & dirty mode (skips deterministic steps)\n"
|
||||||
|
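Review bot: The added usage text for -L, `a recommended value is 10-60. see docs/README.MOpt`, starts a new sentence in lowercase and omits the unit, while the option is documented two lines above as `-L minutes`; a reader can take 10-60 for seconds or paths. Capitalising and naming the unit keeps it consistent with the surrounding help lines: `"              a recommended value is 10-60 minutes. See docs/README.MOpt\n\n"`. The enclosing usage() function starts and ends outside this hunk.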
@ -6,6 +6,10 @@ Sister projects
|
|||||||
designed for, or meant to integrate with AFL. See README for the general
|
designed for, or meant to integrate with AFL. See README for the general
|
||||||
instruction manual.
|
instruction manual.
|
||||||
|
|
||||||
|
!!!
|
||||||
|
!!! This list is outdated and needs an update, missing: e.g. Angora, FairFuzz
|
||||||
|
!!!
|
||||||
|
|
||||||
-------------------------------------------
|
-------------------------------------------
|
||||||
Support for other languages / environments:
|
Support for other languages / environments:
|
||||||
-------------------------------------------
|
-------------------------------------------
|
||||||
@ -263,7 +267,7 @@ Static binary-only instrumentation (Aleksandar Nikolich)
|
|||||||
reports better performance compared to QEMU, but occasional translation
|
reports better performance compared to QEMU, but occasional translation
|
||||||
errors with stripped binaries.
|
errors with stripped binaries.
|
||||||
|
|
||||||
https://github.com/vrtadmin/moflow/tree/master/afl-dyninst
|
https://github.com/vanhauser-thc/afl-dyninst
|
||||||
|
|
||||||
AFL PIN (Parker Thompson)
|
AFL PIN (Parker Thompson)
|
||||||
-------------------------
|
-------------------------
|
||||||
|
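--- /dev/null
+++ b/gcc_plugin/CRASH
@@ -0,0 +1,23 @@
+to reproduce:
+=============
+tiff-4.0.4.tar.gz
+CC=afl-gcc-fast CXX=afl-g++-fast ./configure --disable-shared
+make
+
+result
+======
+[+] Instrumented 11 locations in TIFFInitJPEG
+during GIMPLE pass: evrp
+tif_jpeg.c: In function ‘JPEGFixupTagsSubsamplingSec’:
+tif_jpeg.c:2388:1: internal compiler error: Segmentation fault
+}
+^
+0x7ffff758e83f ???
+/build/glibc-vjB4T1/glibc-2.28/signal/../sysdeps/unix/sysv/linux/x86_64/sigaction.c:0
+0x7ffff757b09a __libc_start_main
+../csu/libc-start.c:308
+Please submit a full bug report,
+with preprocessed source if appropriate.
+Please include the complete backtrace with any bug report.
+See <file:///usr/share/doc/gcc-8/README.Bugs> for instructions.
+make[2]: *** [Makefile:696: tif_jpeg.lo] Error 1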
@ -5,6 +5,12 @@ Fast GCC-based instrumentation for afl-fuzz
|
|||||||
(See ../docs/README for the general instruction manual.)
|
(See ../docs/README for the general instruction manual.)
|
||||||
(See ../llvm_mode/README.llvm for the LLVM-based instrumentation.)
|
(See ../llvm_mode/README.llvm for the LLVM-based instrumentation.)
|
||||||
|
|
||||||
|
|
||||||
|
!!!
|
||||||
|
!!! gcc_plugin is not stable yet and can crash when compiling
|
||||||
|
!!!
|
||||||
|
|
||||||
|
|
||||||
1) Introduction
|
1) Introduction
|
||||||
---------------
|
---------------
|
||||||
|
|
||||||
|
@ -1,7 +1,9 @@
|
|||||||
//
|
//
|
||||||
// There are two TODOs in this file:
|
// There are some TODOs in this file:
|
||||||
// - dont instrument blocks that are uninterested
|
// - dont instrument blocks that are uninterested
|
||||||
// - implement whitelist feature
|
// - implement whitelist feature
|
||||||
|
// - implement notZero
|
||||||
|
// - fix crash
|
||||||
//
|
//
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -102,7 +104,7 @@ static unsigned int ext_call_instrument(function *fun) {
|
|||||||
|
|
||||||
if (!fcnt_blocks++) continue; /* skip block 0 */
|
if (!fcnt_blocks++) continue; /* skip block 0 */
|
||||||
|
|
||||||
// TODO: if the predecessor does not have to destinations
|
// TODO: if the predecessor does not have ast least two destinations
|
||||||
// then skip this block :TODO
|
// then skip this block :TODO
|
||||||
|
|
||||||
/* Bail on this block if we trip the specified ratio */
|
/* Bail on this block if we trip the specified ratio */
|
||||||
@ -223,6 +225,9 @@ static unsigned int inline_instrument(function *fun) {
|
|||||||
g = gimple_build_assign(tmp3, PLUS_EXPR, tmp2, one);
|
g = gimple_build_assign(tmp3, PLUS_EXPR, tmp2, one);
|
||||||
gimple_seq_add_stmt(&seq, g); // tmp3 = tmp2 + 1
|
gimple_seq_add_stmt(&seq, g); // tmp3 = tmp2 + 1
|
||||||
|
|
||||||
|
// TODO: neverZero: here we have to check if tmp3 == 0
|
||||||
|
// and add 1 if so
|
||||||
|
|
||||||
// tree tmp4 = create_tmp_var(map_type, "tmp4");
|
// tree tmp4 = create_tmp_var(map_type, "tmp4");
|
||||||
// g = gimple_build_assign(tmp4, PLUS_EXPR, map_ptr_g, area_off);
|
// g = gimple_build_assign(tmp4, PLUS_EXPR, map_ptr_g, area_off);
|
||||||
// gimple_seq_add_stmt(&seq, g); // tmp4 = __afl_area_ptr + area_off
|
// gimple_seq_add_stmt(&seq, g); // tmp4 = __afl_area_ptr + area_off
|
||||||
|
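Review bot: The new comment in the `if (!fcnt_blocks++)` hunk reads `does not have ast least two destinations`; `ast` should be `at`, i.e. `// TODO: if the predecessor does not have at least two destinations`. The same feature is also named two ways within this commit: the file-header TODO list adds `// - implement notZero` while the comment added after `gimple_seq_add_stmt(&seq, g); // tmp3 = tmp2 + 1` calls it `neverZero`; using one spelling (the `neverZero` form already used in the lower hunk) lets a reader match the header entry to the code site. Both hunks are comment-only and sit inside ext_call_instrument and inline_instrument respectively, whose bodies start and end outside the hunks.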
@ -117,7 +117,7 @@ program control flow without actually executing each and every code path.
|
|||||||
If you want to experiment with this mode of operation, there is a module
|
If you want to experiment with this mode of operation, there is a module
|
||||||
contributed by Aleksandar Nikolich:
|
contributed by Aleksandar Nikolich:
|
||||||
|
|
||||||
https://github.com/vrtadmin/moflow/tree/master/afl-dyninst
|
https://github.com/vanhauser-thc/afl-dyninst
|
||||||
https://groups.google.com/forum/#!topic/afl-users/HlSQdbOTlpg
|
https://groups.google.com/forum/#!topic/afl-users/HlSQdbOTlpg
|
||||||
|
|
||||||
At this point, the author reports the possibility of hiccups with stripped
|
At this point, the author reports the possibility of hiccups with stripped
|
||||||
|