updated docs and crash issues with gcc_plugin

2025-06-17 12:18:08 +00:00 · 2019-07-20 09:06:47 +02:00
parent 907c054142
commit 322b5a736b
7 changed files with 46 additions and 6 deletions
--- a/4
+++ b/4
@ -4,6 +4,8 @@ Roadmap 2.53d:

 - README.md

+ - update docs/sister_projects.txt
+
 - better defaults:
   * laf-intel activated, needs deactiatation
   * fast mode schedule
@ -15,7 +17,7 @@ afl-fuzz:
 - reuse forkserver for showmap, afl-cmin, etc.

 gcc_plugin:
- (see TODOs)
+ - fix crashes when compiling :(
 - whitelist support
 - skip over uninteresting blocks
 - laf-intel
--- a/afl-fuzz.c
+++ b/afl-fuzz.c
@ -11247,7 +11247,7 @@ static void usage(u8* argv0) {
       "  -Q            - use binary-only instrumentation (QEMU mode)\n"
       "  -L minutes    - use MOpt(imize) mode and set the limit time for entering the\n"
       "                  pacemaker mode (minutes of no new paths, 0 = immediately).\n"
-       "                  see docs/README.MOpt\n\n"
+       "                  a recommended value is 10-60. see docs/README.MOpt\n\n"
 
       "Fuzzing behavior settings:\n"
       "  -d            - quick & dirty mode (skips deterministic steps)\n"
--- a/docs/sister_projects.txt
+++ b/docs/sister_projects.txt
@ -6,6 +6,10 @@ Sister projects
  designed for, or meant to integrate with AFL. See README for the general
  instruction manual.

+!!!
+!!! This list is outdated and needs an update, missing: e.g. Angora, FairFuzz
+!!!
+
 -------------------------------------------
 Support for other languages / environments:
 -------------------------------------------
@ -263,7 +267,7 @@ Static binary-only instrumentation (Aleksandar Nikolich)
  reports better performance compared to QEMU, but occasional translation
  errors with stripped binaries.

-  https://github.com/vrtadmin/moflow/tree/master/afl-dyninst
+  https://github.com/vanhauser-thc/afl-dyninst

 AFL PIN (Parker Thompson)
 -------------------------
--- a/gcc_plugin/CRASH
+++ b/gcc_plugin/CRASH
@ -0,0 +1,23 @@
+to reproduce:
+=============
+tiff-4.0.4.tar.gz
+CC=afl-gcc-fast CXX=afl-g++-fast ./configure --disable-shared
+make
+
+result
+======
+[+] Instrumented 11 locations in TIFFInitJPEG
+during GIMPLE pass: evrp
+tif_jpeg.c: In function ‘JPEGFixupTagsSubsamplingSec’:
+tif_jpeg.c:2388:1: internal compiler error: Segmentation fault
+ }
+ ^
+0x7ffff758e83f ???
+	/build/glibc-vjB4T1/glibc-2.28/signal/../sysdeps/unix/sysv/linux/x86_64/sigaction.c:0
+0x7ffff757b09a __libc_start_main
+	../csu/libc-start.c:308
+Please submit a full bug report,
+with preprocessed source if appropriate.
+Please include the complete backtrace with any bug report.
+See <file:///usr/share/doc/gcc-8/README.Bugs> for instructions.
+make[2]: *** [Makefile:696: tif_jpeg.lo] Error 1
--- a/gcc_plugin/README.gcc
+++ b/gcc_plugin/README.gcc
@ -5,6 +5,12 @@ Fast GCC-based instrumentation for afl-fuzz
  (See ../docs/README for the general instruction manual.)
  (See ../llvm_mode/README.llvm for the LLVM-based instrumentation.)

+
+!!!
+!!! gcc_plugin is not stable yet and can crash when compiling
+!!!
+
+
 1) Introduction
 ---------------

--- a/gcc_plugin/afl-gcc-pass.so.cc
+++ b/gcc_plugin/afl-gcc-pass.so.cc
@ -1,7 +1,9 @@
 //
-// There are two TODOs in this file:
+// There are some TODOs in this file:
 //   - dont instrument blocks that are uninterested
 //   - implement whitelist feature
+//   - implement notZero
+//   - fix crash
 //

 /*
@ -102,7 +104,7 @@ static unsigned int ext_call_instrument(function *fun) {

 		if (!fcnt_blocks++) continue; /* skip block 0 */
 		
-		// TODO: if the predecessor does not have to destinations
+		// TODO: if the predecessor does not have ast least two destinations
 		// then skip this block :TODO

 		/* Bail on this block if we trip the specified ratio */
@ -223,6 +225,9 @@ static unsigned int inline_instrument(function *fun) {
 		g = gimple_build_assign(tmp3, PLUS_EXPR, tmp2, one);
 		gimple_seq_add_stmt(&seq, g); // tmp3 = tmp2 + 1

+		// TODO: neverZero: here we have to check if tmp3 == 0
+		//                  and add 1 if so
+
 //		tree tmp4 = create_tmp_var(map_type, "tmp4");
 //		g = gimple_build_assign(tmp4, PLUS_EXPR, map_ptr_g, area_off);
 //		gimple_seq_add_stmt(&seq, g); // tmp4 = __afl_area_ptr + area_off
--- a/qemu_mode/README.qemu
+++ b/qemu_mode/README.qemu
@ -117,7 +117,7 @@ program control flow without actually executing each and every code path.
 If you want to experiment with this mode of operation, there is a module
 contributed by Aleksandar Nikolich:

-  https://github.com/vrtadmin/moflow/tree/master/afl-dyninst
+  https://github.com/vanhauser-thc/afl-dyninst
  https://groups.google.com/forum/#!topic/afl-users/HlSQdbOTlpg

 At this point, the author reports the possibility of hiccups with stripped