ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-10 09:11:34 +00:00
Code Issues Packages Projects Releases Wiki Activity

fixing commit fuckup

Browse Source
This commit is contained in:
van Hauser 2019-07-15 11:22:54 +02:00
parent 2628f9f61b
commit 3252523823
8 changed files with 52 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Makefile
View File

@ -194,7 +194,7 @@ install: all
rm -f $${DESTDIR}$(BIN_PATH)/afl-as
if [ -f afl-qemu-trace ]; then install -m 755 afl-qemu-trace $${DESTDIR}$(BIN_PATH); fi
ifndef AFL_TRACE_PC
if [ -f afl-clang-fast -a -f libLLVMInsTrim.so -a -f afl-llvm-rt.o ]; then set -e; install -m 755 afl-clang-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang-fast++; install -m 755 libLLVMInsTrim.so afl-llvm-rt.o $${DESTDIR}$(HELPER_PATH); fi
if [ -f afl-clang-fast -a -f libLLVMInsTrim.so -a -f afl-llvm-rt.o ]; then set -e; install -m 755 afl-clang-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang-fast++; install -m 755 libLLVMInsTrim.so afl-llvm-pass.so afl-llvm-rt.o $${DESTDIR}$(HELPER_PATH); fi
else
if [ -f afl-clang-fast -a -f afl-llvm-rt.o ]; then set -e; install -m 755 afl-clang-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang-fast++; install -m 755 afl-llvm-rt.o $${DESTDIR}$(HELPER_PATH); fi
endif

8
docs/ChangeLog
View File

@ -17,9 +17,9 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
Version ++2.52d (tbd):
-----------------------------
- added instrim a much better llvm_mode instrumentation
(https://github.com/csienslab/instrim)
- added MOpt (github.com/puppet-meteor/MOpt-AFL) mode
- added instrim, a much faster llvm_mode instrumentation at the cost of
path discovery. See llvm_mode/README.instrim (https://github.com/csienslab/instrim)
- added MOpt (github.com/puppet-meteor/MOpt-AFL) mode, see docs/README.MOpt
- added code to make it more portable to other platforms than Intel Linux
- added never zero counters for afl-gcc and optional (because of an
optimization issue in llvm < 9) for llvm_mode (AFL_LLVM_NEVER_ZERO=1)
@ -41,8 +41,6 @@ Version ++2.52d (tbd):
tests as the random numbers are deterministic then
- llvm_mode LAF_... env variables can now be specified as AFL_LLVM_LAF_...
that is longer but in line with other llvm specific env vars
- ... your idea or patch?
-----------------------------

3
docs/README
View File

@ -23,8 +23,7 @@ american fuzzy lop plus plus
https://github.com/puppet-meteor/MOpt-AFL
Also newly integrated is instrim, a very effective CFG llvm_mode
instrumentation implementation which replaced the original afl one and is
from https://github.com/csienslab/instrim
instrumentation implementation from https://github.com/csienslab/instrim
A more thorough list is available in the PATCHES file.

22
docs/env_variables.txt
View File

@ -109,11 +109,21 @@ Then there are a few specific features that are only available in llvm_mode:
See llvm_mode/README.whitelist for more information.
OTHER
=====
- Setting LOOPHEAD=1 optimized loops. afl-fuzz will only be able to
see the path the loop took, but not how many times it was called
(unless its a complex loop).
INSTRIM
=======
This feature increases the speed by whopping 20% but at the cost of a
lower path discovery and thefore coverage.
- Setting AFL_LLVM_INSTRIM activates this mode
- Setting AFL_LLVM_INSTRIM LOOPHEAD=1 expands on INSTRIM to optimize loops.
afl-fuzz will only be able to see the path the loop took, but not how
many times it was called (unless its a complex loop).
See llvm_mode/README.instrim
NOT_ZERO
========
- Setting AFL_LLVM_NOT_ZERO=1 during compilation will use counters
that skip zero on overflow. This is the default for llvm >= 9,
@ -121,6 +131,8 @@ Then there are a few specific features that are only available in llvm_mode:
slowdown due a performance issue that is only fixed in llvm 9+.
This feature increases path discovery by a little bit.
See llvm_mode/README.neverzero
3) Settings for afl-fuzz
------------------------

2
llvm_mode/LLVMInsTrim.so.cc
View File

@ -96,7 +96,7 @@ namespace {
OKF("LLVM neverZero activated (by hexcoder)\n");
#endif
if (getenv("LOOPHEAD")) {
if (getenv("AFL_LLVM_INSTRIM_LOOPHEAD") != NULL || getenv("LOOPHEAD") != NULL) {
LoopHeadOpt = true;
}

13
llvm_mode/Makefile
View File

@ -94,7 +94,7 @@ endif
ifndef AFL_TRACE_PC
PROGS = ../afl-clang-fast ../libLLVMInsTrim.so ../afl-llvm-rt.o ../afl-llvm-rt-32.o ../afl-llvm-rt-64.o ../compare-transform-pass.so ../split-compares-pass.so ../split-switches-pass.so
PROGS = ../afl-clang-fast ../afl-llvm-pass.so ../libLLVMInsTrim.so ../afl-llvm-rt.o ../afl-llvm-rt-32.o ../afl-llvm-rt-64.o ../compare-transform-pass.so ../split-compares-pass.so ../split-switches-pass.so
else
PROGS = ../afl-clang-fast ../afl-llvm-rt.o ../afl-llvm-rt-32.o ../afl-llvm-rt-64.o ../compare-transform-pass.so ../split-compares-pass.so ../split-switches-pass.so
endif
@ -104,7 +104,7 @@ ifneq "$(CLANGVER)" "$(LLVMVER)"
CXX = $(shell llvm-config --bindir)/clang++
endif
all: test_deps test_shm $(PROGS) test_build all_done
all: test_shm test_deps $(PROGS) test_build all_done
ifeq "$(SHMAT_OK)" "1"
@ -132,10 +132,10 @@ endif
@which $(CC) >/dev/null 2>&1 || ( echo "[-] Oops, can't find '$(CC)'. Make sure that it's in your \$$PATH (or set \$$CC and \$$CXX)."; exit 1 )
@echo "[*] Checking for matching versions of '$(CC)' and '$(LLVM_CONFIG)'"
ifneq "$(CLANGVER)" "$(LLVMVER)"
@echo "WARNING: we have llvm-config version $(LLVMVER) and a clang version $(CLANGVER)"
@echo "Retrying with the clang compiler from llvm: CC=`llvm-config --bindir`/clang"
@echo "[!] WARNING: we have llvm-config version $(LLVMVER) and a clang version $(CLANGVER)"
@echo "[!] Retrying with the clang compiler from llvm: CC=`llvm-config --bindir`/clang"
else
@echo "we have llvm-config version $(LLVMVER) with a clang version $(CLANGVER), good."
@echo "[*] We have llvm-config version $(LLVMVER) with a clang version $(CLANGVER), good."
endif
@echo "[*] Checking for '../afl-showmap'..."
@test -f ../afl-showmap || ( echo "[-] Oops, can't find '../afl-showmap'. Be sure to compile AFL first."; exit 1 )
@ -148,6 +148,9 @@ endif
../libLLVMInsTrim.so: LLVMInsTrim.so.cc MarkNodes.cc | test_deps
$(CXX) $(CLANG_CFL) -DLLVMInsTrim_EXPORTS -fno-rtti -fPIC -std=gnu++11 -shared $< MarkNodes.cc -o $@ $(CLANG_LFL)
../afl-llvm-pass.so: afl-llvm-pass.so.cc | test_deps
$(CXX) $(CLANG_CFL) -DLLVMInsTrim_EXPORTS -fno-rtti -fPIC -std=gnu++11 -shared $< -o $@ $(CLANG_LFL)
# laf
../split-switches-pass.so: split-switches-pass.so.cc | test_deps
$(CXX) $(CLANG_CFL) -shared $< -o $@ $(CLANG_LFL)

19
llvm_mode/README.llvm
View File

@ -88,13 +88,18 @@ which C/C++ files to actually intrument. See README.whitelist
For splitting memcmp, strncmp, etc. please see README.laf-intel
As the original afl llvm_mode implementation has been replaced with
then much more effective instrim (https://github.com/csienslab/instrim/)
there is an option for optimizing loops. This optimization shows which
part of the loop has been selected, but not how many time a loop has been
called in a row (unless its a complex loop and a block inside was
instrumented). If you want to enable this set the environment variable
LOOPHEAD=1
Then there is an optimized instrumentation strategy that uses CFGs and
markers to just instrument what is needed. This increases speed by 20-25%
however has a lower path discovery.
If you want to use this, set AFL_LLVM_INSTRIM=1
See README.instrim
Finally if your llvm version is 8 or lower, you can activate a mode that
prevents that a counter overflow result in a 0 value. This is good for
path discovery, but the llvm implementation for intel for this functionality
is not optimal and was only fixed in llvm 9.
You can set this with AFL_LLVM_NOT_ZERO=1
See README.neverzero
4) Gotchas, feedback, bugs

16
llvm_mode/afl-clang-fast.c
View File

@ -88,7 +88,7 @@ static void find_obj(u8* argv0) {
return;
}
FATAL("Unable to find 'afl-llvm-rt.o' or 'libLLVMInsTrim.so'. Please set AFL_PATH");
FATAL("Unable to find 'afl-llvm-rt.o' or 'afl-llvm-pass.so.cc'. Please set AFL_PATH");
}
@ -113,11 +113,11 @@ static void edit_params(u32 argc, char** argv) {
cc_params[0] = alt_cc ? alt_cc : (u8*)"clang";
}
/* There are two ways to compile afl-clang-fast. In the traditional mode, we
use libLLVMInsTrim.so to inject instrumentation. In the experimental
/* There are three ways to compile with afl-clang-fast. In the traditional
mode, we use afl-llvm-pass.so, then there is libLLVMInsTrim.so which is
much faster but has less coverage. Finally tere is the experimental
'trace-pc-guard' mode, we use native LLVM instrumentation callbacks
instead. The latter is a very recent addition - see:
instead. For trace-pc-guard see:
http://clang.llvm.org/docs/SanitizerCoverage.html#tracing-pcs-with-guards */
// laf
@ -151,8 +151,10 @@ static void edit_params(u32 argc, char** argv) {
cc_params[cc_par_cnt++] = "-Xclang";
cc_params[cc_par_cnt++] = "-load";
cc_params[cc_par_cnt++] = "-Xclang";
cc_params[cc_par_cnt++] = alloc_printf("%s/libLLVMInsTrim.so", obj_path);
// cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-pass.so", obj_path);
if (getenv("AFL_LLVM_INSTRIM") != NULL || getenv("INSTRIM_LIB") != NULL)
cc_params[cc_par_cnt++] = alloc_printf("%s/libLLVMInsTrim.so", obj_path);
else
cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-pass.so", obj_path);
#endif /* ^USE_TRACE_PC */
cc_params[cc_par_cnt++] = "-Qunused-arguments";