fixing commit fuckup

Makefile

@@ -194,7 +194,7 @@ install: all
 	rm -f $${DESTDIR}$(BIN_PATH)/afl-as
 	if [ -f afl-qemu-trace ]; then install -m 755 afl-qemu-trace $${DESTDIR}$(BIN_PATH); fi
 ifndef AFL_TRACE_PC
-	if [ -f afl-clang-fast -a -f libLLVMInsTrim.so -a -f afl-llvm-rt.o ]; then set -e; install -m 755 afl-clang-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang-fast++; install -m 755 libLLVMInsTrim.so afl-llvm-rt.o $${DESTDIR}$(HELPER_PATH); fi
+	if [ -f afl-clang-fast -a -f libLLVMInsTrim.so -a -f afl-llvm-rt.o ]; then set -e; install -m 755 afl-clang-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang-fast++; install -m 755 libLLVMInsTrim.so afl-llvm-pass.so afl-llvm-rt.o $${DESTDIR}$(HELPER_PATH); fi
 else
 	if [ -f afl-clang-fast -a -f afl-llvm-rt.o ]; then set -e; install -m 755 afl-clang-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang-fast++; install -m 755 afl-llvm-rt.o $${DESTDIR}$(HELPER_PATH); fi
 endif

docs/ChangeLog

@@ -17,9 +17,9 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
 Version ++2.52d (tbd):
 -----------------------------
 
-  - added instrim a much better llvm_mode instrumentation
+  - added instrim, a much faster llvm_mode instrumentation at the cost of
-    (https://github.com/csienslab/instrim)
+    path discovery. See llvm_mode/README.instrim (https://github.com/csienslab/instrim)
-  - added MOpt (github.com/puppet-meteor/MOpt-AFL) mode
+  - added MOpt (github.com/puppet-meteor/MOpt-AFL) mode, see docs/README.MOpt
   - added code to make it more portable to other platforms than Intel Linux
   - added never zero counters for afl-gcc and optional (because of an
     optimization issue in llvm < 9) for llvm_mode (AFL_LLVM_NEVER_ZERO=1)
@@ -41,8 +41,6 @@ Version ++2.52d (tbd):
     tests as the random numbers are deterministic then
   - llvm_mode LAF_... env variables can now be specified as AFL_LLVM_LAF_...
     that is longer but in line with other llvm specific env vars
-  - ... your idea or patch?
-
 
 
 -----------------------------

docs/README

@@ -23,8 +23,7 @@ american fuzzy lop plus plus
   https://github.com/puppet-meteor/MOpt-AFL  
 
   Also newly integrated is instrim, a very effective CFG llvm_mode
-  instrumentation implementation which replaced the original afl one and is
+  instrumentation implementation from https://github.com/csienslab/instrim
-  from https://github.com/csienslab/instrim
 
   A more thorough list is available in the PATCHES file.
 

docs/env_variables.txt

@@ -109,11 +109,21 @@ Then there are a few specific features that are only available in llvm_mode:
 
     See llvm_mode/README.whitelist for more information.
 
-  OTHER
+  INSTRIM
-  =====
+  =======
-    - Setting LOOPHEAD=1 optimized loops. afl-fuzz will only be able to
+    This feature increases the speed by whopping 20% but at the cost of a
-      see the path the loop took, but not how many times it was called
+    lower path discovery and thefore coverage.
-      (unless its a complex loop).
+
+    - Setting AFL_LLVM_INSTRIM activates this mode
+
+    - Setting AFL_LLVM_INSTRIM LOOPHEAD=1 expands on INSTRIM to optimize loops.
+      afl-fuzz will only be able to see the path the loop took, but not how
+      many times it was called (unless its a complex loop).
+
+    See llvm_mode/README.instrim
+
+  NOT_ZERO
+  ========
 
     - Setting AFL_LLVM_NOT_ZERO=1 during compilation will use counters
       that skip zero on overflow. This is the default for llvm >= 9,
@@ -121,6 +131,8 @@ Then there are a few specific features that are only available in llvm_mode:
       slowdown due a performance issue that is only fixed in llvm 9+.
       This feature increases path discovery by a little bit.
 
+    See llvm_mode/README.neverzero
+
 3) Settings for afl-fuzz
 ------------------------
 

llvm_mode/LLVMInsTrim.so.cc

@@ -96,7 +96,7 @@ namespace {
         OKF("LLVM neverZero activated (by hexcoder)\n");
 #endif
     
-      if (getenv("LOOPHEAD")) {
+      if (getenv("AFL_LLVM_INSTRIM_LOOPHEAD") != NULL || getenv("LOOPHEAD") != NULL) {
         LoopHeadOpt = true;
       }
 

llvm_mode/Makefile

@@ -94,7 +94,7 @@ endif
 
 
 ifndef AFL_TRACE_PC
-  PROGS      = ../afl-clang-fast ../libLLVMInsTrim.so ../afl-llvm-rt.o ../afl-llvm-rt-32.o ../afl-llvm-rt-64.o ../compare-transform-pass.so ../split-compares-pass.so ../split-switches-pass.so
+  PROGS      = ../afl-clang-fast ../afl-llvm-pass.so ../libLLVMInsTrim.so ../afl-llvm-rt.o ../afl-llvm-rt-32.o ../afl-llvm-rt-64.o ../compare-transform-pass.so ../split-compares-pass.so ../split-switches-pass.so
 else
   PROGS      = ../afl-clang-fast ../afl-llvm-rt.o ../afl-llvm-rt-32.o ../afl-llvm-rt-64.o ../compare-transform-pass.so ../split-compares-pass.so ../split-switches-pass.so
 endif
@@ -104,7 +104,7 @@ ifneq "$(CLANGVER)" "$(LLVMVER)"
   CXX = $(shell llvm-config --bindir)/clang++
 endif
 
-all: test_deps test_shm $(PROGS) test_build all_done
+all: test_shm test_deps $(PROGS) test_build all_done
 
 
 ifeq "$(SHMAT_OK)" "1"
@@ -132,10 +132,10 @@ endif
 	@which $(CC) >/dev/null 2>&1 || ( echo "[-] Oops, can't find '$(CC)'. Make sure that it's in your \$$PATH (or set \$$CC and \$$CXX)."; exit 1 )
 	@echo "[*] Checking for matching versions of '$(CC)' and '$(LLVM_CONFIG)'"
 ifneq "$(CLANGVER)" "$(LLVMVER)"
-	@echo "WARNING: we have llvm-config version $(LLVMVER) and a clang version $(CLANGVER)"
+	@echo "[!] WARNING: we have llvm-config version $(LLVMVER) and a clang version $(CLANGVER)"
-	@echo "Retrying with the clang compiler from llvm: CC=`llvm-config --bindir`/clang"
+	@echo "[!] Retrying with the clang compiler from llvm: CC=`llvm-config --bindir`/clang"
 else
-	@echo "we have llvm-config version $(LLVMVER) with a clang version $(CLANGVER), good."
+	@echo "[*] We have llvm-config version $(LLVMVER) with a clang version $(CLANGVER), good."
 endif
 	@echo "[*] Checking for '../afl-showmap'..."
 	@test -f ../afl-showmap || ( echo "[-] Oops, can't find '../afl-showmap'. Be sure to compile AFL first."; exit 1 )
@@ -148,6 +148,9 @@ endif
 ../libLLVMInsTrim.so: LLVMInsTrim.so.cc MarkNodes.cc | test_deps
 	$(CXX) $(CLANG_CFL) -DLLVMInsTrim_EXPORTS -fno-rtti -fPIC -std=gnu++11 -shared $< MarkNodes.cc -o $@ $(CLANG_LFL)
 
+../afl-llvm-pass.so: afl-llvm-pass.so.cc | test_deps
+	$(CXX) $(CLANG_CFL) -DLLVMInsTrim_EXPORTS -fno-rtti -fPIC -std=gnu++11 -shared $< -o $@ $(CLANG_LFL)
+
 # laf
 ../split-switches-pass.so:	split-switches-pass.so.cc | test_deps
 	$(CXX) $(CLANG_CFL) -shared $< -o $@ $(CLANG_LFL)

llvm_mode/README.llvm

@@ -88,13 +88,18 @@ which C/C++ files to actually intrument. See README.whitelist
 
 For splitting memcmp, strncmp, etc. please see README.laf-intel
 
-As the original afl llvm_mode implementation has been replaced with
+Then there is an optimized instrumentation strategy that uses CFGs and
-then much more effective instrim (https://github.com/csienslab/instrim/) 
+markers to just instrument what is needed. This increases speed by 20-25%
-there is an option for optimizing loops. This optimization shows which
+however has a lower path discovery.
-part of the loop has been selected, but not how many time a loop has been
+If you want to use this, set AFL_LLVM_INSTRIM=1
-called in a row (unless its a complex loop and a block inside was
+See README.instrim
-instrumented). If you want to enable this set the environment variable
+
-LOOPHEAD=1
+Finally if your llvm version is 8 or lower, you can activate a mode that
+prevents that a counter overflow result in a 0 value. This is good for
+path discovery, but the llvm implementation for intel for this functionality
+is not optimal and was only fixed in llvm 9.
+You can set this with AFL_LLVM_NOT_ZERO=1
+See README.neverzero
 
 
 4) Gotchas, feedback, bugs

llvm_mode/afl-clang-fast.c

@@ -88,7 +88,7 @@ static void find_obj(u8* argv0) {
     return;
   }
 
-  FATAL("Unable to find 'afl-llvm-rt.o' or 'libLLVMInsTrim.so'. Please set AFL_PATH");
+  FATAL("Unable to find 'afl-llvm-rt.o' or 'afl-llvm-pass.so.cc'. Please set AFL_PATH");
  
 }
 
@@ -113,11 +113,11 @@ static void edit_params(u32 argc, char** argv) {
     cc_params[0] = alt_cc ? alt_cc : (u8*)"clang";
   }
 
-  /* There are two ways to compile afl-clang-fast. In the traditional mode, we
+  /* There are three ways to compile with afl-clang-fast. In the traditional
-     use libLLVMInsTrim.so to inject instrumentation. In the experimental
+     mode, we use afl-llvm-pass.so, then there is libLLVMInsTrim.so which is
+     much faster but has less coverage. Finally tere is the experimental
      'trace-pc-guard' mode, we use native LLVM instrumentation callbacks
-     instead. The latter is a very recent addition - see:
+     instead. For trace-pc-guard see:
-
      http://clang.llvm.org/docs/SanitizerCoverage.html#tracing-pcs-with-guards */
 
   // laf
@@ -151,8 +151,10 @@ static void edit_params(u32 argc, char** argv) {
   cc_params[cc_par_cnt++] = "-Xclang";
   cc_params[cc_par_cnt++] = "-load";
   cc_params[cc_par_cnt++] = "-Xclang";
-  cc_params[cc_par_cnt++] = alloc_printf("%s/libLLVMInsTrim.so", obj_path);
+  if (getenv("AFL_LLVM_INSTRIM") != NULL || getenv("INSTRIM_LIB") != NULL)
-//  cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-pass.so", obj_path);
+    cc_params[cc_par_cnt++] = alloc_printf("%s/libLLVMInsTrim.so", obj_path);
+  else
+    cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-pass.so", obj_path);
 #endif /* ^USE_TRACE_PC */
 
   cc_params[cc_par_cnt++] = "-Qunused-arguments";