ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-18 12:48:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

AFL_LLVM_SKIP_NEVERZERO added

Browse Source
This commit is contained in:
van Hauser
2020-05-02 00:39:13 +02:00
parent 33ddf6ea0e
commit 378573ab8b
8 changed files with 45 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
docs/Changelog.md
View File

@ -20,6 +20,9 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
address for the shared memory map is used as this increases the address for the shared memory map is used as this increases the
fuzzing speed fuzzing speed
- fixes to LTO mode if instrumented edges > MAP_SIZE - fixes to LTO mode if instrumented edges > MAP_SIZE
- added AFL_LLVM_SKIP_NEVERZERO to skip the never zero coverage counter
implmentation. For targets with little or no loops or heavy called
functions. Gives a small performance boost.
- qemu_mode: - qemu_mode:
- add information on PIE/PIC load addresses for 32 bit - add information on PIE/PIC load addresses for 32 bit
- better dependency checks - better dependency checks

4
docs/env_variables.md
View File

@ -204,6 +204,10 @@ Then there are a few specific features that are only available in llvm_mode:
slowdown due a performance issue that is only fixed in llvm 9+. slowdown due a performance issue that is only fixed in llvm 9+.
This feature increases path discovery by a little bit. This feature increases path discovery by a little bit.
- Setting AFL_LLVM_SKIP_NEVERZERO=1 will not implement the skip zero
test. If the target performs only few loops then this will give a
small performance boost.
See llvm_mode/README.neverzero.md See llvm_mode/README.neverzero.md
### CMPLOG ### CMPLOG

5
llvm_mode/LLVMInsTrim.so.cc
View File

@ -56,6 +56,7 @@ struct InsTrim : public ModulePass {
protected: protected:
uint32_t function_minimum_size = 1; uint32_t function_minimum_size = 1;
uint32_t debug = 0; uint32_t debug = 0;
char * skip_nozero = NULL;
private: private:
std::mt19937 generator; std::mt19937 generator;
@ -112,6 +113,7 @@ struct InsTrim : public ModulePass {
if ((neverZero_counters_str = getenv("AFL_LLVM_NOT_ZERO")) != NULL) if ((neverZero_counters_str = getenv("AFL_LLVM_NOT_ZERO")) != NULL)
if (!be_quiet) OKF("LLVM neverZero activated (by hexcoder)\n"); if (!be_quiet) OKF("LLVM neverZero activated (by hexcoder)\n");
#endif #endif
skip_nozero = getenv("AFL_LLVM_SKIP_NEVERZERO");
if (getenv("AFL_LLVM_INSTRIM_LOOPHEAD") != NULL || if (getenv("AFL_LLVM_INSTRIM_LOOPHEAD") != NULL ||
getenv("LOOPHEAD") != NULL) { getenv("LOOPHEAD") != NULL) {
@ -304,8 +306,7 @@ struct InsTrim : public ModulePass {
NULL) // with llvm 9 we make this the default as the bug in llvm is NULL) // with llvm 9 we make this the default as the bug in llvm is
// then fixed // then fixed
#else #else
if (1) // with llvm 9 we make this the default as the bug in llvm is if (!skip_nozero)
// then fixed
#endif #endif
{ {

10
llvm_mode/README.neverzero.md
View File

@ -20,8 +20,16 @@ This is implemented in afl-gcc, however for llvm_mode this is optional if
the llvm version is below 9 - as there is a perfomance bug that is only fixed the llvm version is below 9 - as there is a perfomance bug that is only fixed
in version 9 and onwards. in version 9 and onwards.
If you want to enable this for llvm < 9 then set If you want to enable this for llvm versions below 9 then set
``` ```
export AFL_LLVM_NOT_ZERO=1 export AFL_LLVM_NOT_ZERO=1
``` ```
In case you are on llvm 9 or greater and you do not want this behaviour then
you can set:
```
AFL_LLVM_SKIP_NEVERZERO=1
```
If the target does not have extensive loops or functions that are called
a lot then this can give a small performance boost.

6
llvm_mode/afl-clang-fast.c
View File

@ -562,6 +562,11 @@ int main(int argc, char **argv, char **envp) {
instrument_mode = INSTRUMENT_PCGUARD; instrument_mode = INSTRUMENT_PCGUARD;
#endif #endif
if (getenv("AFL_LLVM_SKIP_NEVERZERO") && getenv("AFL_LLVM_NOT_ZERO"))
FATAL(
"AFL_LLVM_NOT_ZERO and AFL_LLVM_SKIP_NEVERZERO can not be set "
"together");
if ((ptr = getenv("AFL_LLVM_INSTRUMENT")) != NULL) { if ((ptr = getenv("AFL_LLVM_INSTRUMENT")) != NULL) {
if (strncasecmp(ptr, "default", strlen("default")) == 0 || if (strncasecmp(ptr, "default", strlen("default")) == 0 ||
@ -726,6 +731,7 @@ int main(int argc, char **argv, char **envp) {
"AFL_HARDEN: adds code hardening to catch memory bugs\n" "AFL_HARDEN: adds code hardening to catch memory bugs\n"
"AFL_INST_RATIO: percentage of branches to instrument\n" "AFL_INST_RATIO: percentage of branches to instrument\n"
"AFL_LLVM_NOT_ZERO: use cycling trace counters that skip zero\n" "AFL_LLVM_NOT_ZERO: use cycling trace counters that skip zero\n"
"AFL_LLVM_SKIP_NEVERZERO: do not skip zero on trace counters\n"
"AFL_LLVM_LAF_SPLIT_COMPARES: enable cascaded comparisons\n" "AFL_LLVM_LAF_SPLIT_COMPARES: enable cascaded comparisons\n"
"AFL_LLVM_LAF_SPLIT_FLOATS: transform floating point comp. to " "AFL_LLVM_LAF_SPLIT_FLOATS: transform floating point comp. to "
"cascaded " "cascaded "

14
llvm_mode/afl-llvm-lto-instrumentation.so.cc
View File

@ -78,6 +78,8 @@ class AFLLTOPass : public ModulePass {
FATAL("AFL_LLVM_LTO_STARTID value of \"%s\" is not between 0 and %d\n", FATAL("AFL_LLVM_LTO_STARTID value of \"%s\" is not between 0 and %d\n",
ptr, MAP_SIZE - 1); ptr, MAP_SIZE - 1);
skip_nozero = getenv("AFL_LLVM_SKIP_NEVERZERO");
} }
void getAnalysisUsage(AnalysisUsage &AU) const override { void getAnalysisUsage(AnalysisUsage &AU) const override {
@ -111,6 +113,7 @@ class AFLLTOPass : public ModulePass {
int afl_global_id = 1, debug = 0, autodictionary = 0; int afl_global_id = 1, debug = 0, autodictionary = 0;
uint32_t be_quiet = 0, inst_blocks = 0, inst_funcs = 0, total_instr = 0; uint32_t be_quiet = 0, inst_blocks = 0, inst_funcs = 0, total_instr = 0;
uint64_t map_addr = 0x10000; uint64_t map_addr = 0x10000;
char * skip_nozero = NULL;
}; };
@ -614,9 +617,14 @@ bool AFLLTOPass::runOnModule(Module &M) {
Value *Incr = IRB.CreateAdd(Counter, One); Value *Incr = IRB.CreateAdd(Counter, One);
auto cf = IRB.CreateICmpEQ(Incr, Zero); if (skip_nozero) {
auto carry = IRB.CreateZExt(cf, Int8Ty);
Incr = IRB.CreateAdd(Incr, carry); auto cf = IRB.CreateICmpEQ(Incr, Zero);
auto carry = IRB.CreateZExt(cf, Int8Ty);
Incr = IRB.CreateAdd(Incr, carry);
}
IRB.CreateStore(Incr, MapPtrIdx) IRB.CreateStore(Incr, MapPtrIdx)
->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); ->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));

10
llvm_mode/afl-llvm-pass.so.cc
View File

@ -84,7 +84,7 @@ class AFLCoverage : public ModulePass {
uint32_t ngram_size = 0; uint32_t ngram_size = 0;
uint32_t debug = 0; uint32_t debug = 0;
uint32_t map_size = MAP_SIZE; uint32_t map_size = MAP_SIZE;
char * ctx_str = NULL; char * ctx_str = NULL, *skip_nozero = NULL;
}; };
@ -180,6 +180,7 @@ bool AFLCoverage::runOnModule(Module &M) {
#if LLVM_VERSION_MAJOR < 9 #if LLVM_VERSION_MAJOR < 9
char *neverZero_counters_str = getenv("AFL_LLVM_NOT_ZERO"); char *neverZero_counters_str = getenv("AFL_LLVM_NOT_ZERO");
#endif #endif
skip_nozero = getenv("AFL_LLVM_SKIP_NEVERZERO");
unsigned PrevLocSize; unsigned PrevLocSize;
@ -467,6 +468,9 @@ bool AFLCoverage::runOnModule(Module &M) {
if (neverZero_counters_str != if (neverZero_counters_str !=
NULL) { // with llvm 9 we make this the default as the bug in llvm is NULL) { // with llvm 9 we make this the default as the bug in llvm is
// then fixed // then fixed
#else
if (!skip_nozero) {
#endif #endif
/* hexcoder: Realize a counter that skips zero during overflow. /* hexcoder: Realize a counter that skips zero during overflow.
* Once this counter reaches its maximum value, it next increments to 1 * Once this counter reaches its maximum value, it next increments to 1
@ -482,12 +486,8 @@ bool AFLCoverage::runOnModule(Module &M) {
auto carry = IRB.CreateZExt(cf, Int8Ty); auto carry = IRB.CreateZExt(cf, Int8Ty);
Incr = IRB.CreateAdd(Incr, carry); Incr = IRB.CreateAdd(Incr, carry);
#if LLVM_VERSION_MAJOR < 9
} }
#endif
IRB.CreateStore(Incr, MapPtrIdx) IRB.CreateStore(Incr, MapPtrIdx)
->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); ->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));

7
src/afl-common.c
View File

@ -69,9 +69,10 @@ char *afl_environment_variables[] = {
"AFL_LLVM_LAF_SPLIT_SWITCHES", "AFL_LLVM_LAF_TRANSFORM_COMPARES", "AFL_LLVM_LAF_SPLIT_SWITCHES", "AFL_LLVM_LAF_TRANSFORM_COMPARES",
"AFL_LLVM_MAP_ADDR", "AFL_LLVM_MAP_DYNAMIC", "AFL_LLVM_NGRAM_SIZE", "AFL_LLVM_MAP_ADDR", "AFL_LLVM_MAP_DYNAMIC", "AFL_LLVM_NGRAM_SIZE",
"AFL_NGRAM_SIZE", "AFL_LLVM_NOT_ZERO", "AFL_LLVM_WHITELIST", "AFL_NGRAM_SIZE", "AFL_LLVM_NOT_ZERO", "AFL_LLVM_WHITELIST",
"AFL_NO_AFFINITY", "AFL_LLVM_LTO_STARTID", "AFL_LLVM_LTO_DONTWRITEID", "AFL_LLVM_SKIP_NEVERZERO", "AFL_NO_AFFINITY", "AFL_LLVM_LTO_STARTID",
"AFL_NO_ARITH", "AFL_NO_BUILTIN", "AFL_NO_CPU_RED", "AFL_NO_FORKSRV", "AFL_LLVM_LTO_DONTWRITEID", "AFL_NO_ARITH", "AFL_NO_BUILTIN",
"AFL_NO_UI", "AFL_NO_PYTHON", "AFL_UNTRACER_FILE", "AFL_NO_CPU_RED", "AFL_NO_FORKSRV", "AFL_NO_UI", "AFL_NO_PYTHON",
"AFL_UNTRACER_FILE",
"AFL_NO_X86", // not really an env but we dont want to warn on it "AFL_NO_X86", // not really an env but we dont want to warn on it
"AFL_MAP_SIZE", "AFL_MAPSIZE", "AFL_PATH", "AFL_PERFORMANCE_FILE", "AFL_MAP_SIZE", "AFL_MAPSIZE", "AFL_PATH", "AFL_PERFORMANCE_FILE",
//"AFL_PERSISTENT", // not implemented anymore, so warn additionally //"AFL_PERSISTENT", // not implemented anymore, so warn additionally