AFL_LLVM_SKIP_NEVERZERO added

2025-06-18 04:38:08 +00:00 · 2020-05-02 00:39:13 +02:00
parent 33ddf6ea0e
commit 378573ab8b
8 changed files with 45 additions and 14 deletions
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@ -20,6 +20,9 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
       address for the shared memory map is used as this increases the
       fuzzing speed
     - fixes to LTO mode if instrumented edges > MAP_SIZE
+     - added AFL_LLVM_SKIP_NEVERZERO to skip the never zero coverage counter
+       implmentation. For targets with little or no loops or heavy called
+       functions. Gives a small performance boost.
  - qemu_mode:
    - add information on PIE/PIC load addresses for 32 bit
    - better dependency checks
--- a/docs/env_variables.md
+++ b/docs/env_variables.md
@ -204,6 +204,10 @@ Then there are a few specific features that are only available in llvm_mode:
      slowdown due a performance issue that is only fixed in llvm 9+.
      This feature increases path discovery by a little bit.

+    - Setting AFL_LLVM_SKIP_NEVERZERO=1 will not implement the skip zero
+      test. If the target performs only few loops then this will give a
+      small performance boost.
+
    See llvm_mode/README.neverzero.md

 ### CMPLOG
--- a/llvm_mode/LLVMInsTrim.so.cc
+++ b/llvm_mode/LLVMInsTrim.so.cc
@ -56,6 +56,7 @@ struct InsTrim : public ModulePass {
 protected:
  uint32_t function_minimum_size = 1;
  uint32_t debug = 0;
+  char *   skip_nozero = NULL;

 private:
  std::mt19937 generator;
@ -112,6 +113,7 @@ struct InsTrim : public ModulePass {
    if ((neverZero_counters_str = getenv("AFL_LLVM_NOT_ZERO")) != NULL)
      if (!be_quiet) OKF("LLVM neverZero activated (by hexcoder)\n");
 #endif
+    skip_nozero = getenv("AFL_LLVM_SKIP_NEVERZERO");

    if (getenv("AFL_LLVM_INSTRIM_LOOPHEAD") != NULL ||
        getenv("LOOPHEAD") != NULL) {
@ -304,8 +306,7 @@ struct InsTrim : public ModulePass {
            NULL)  // with llvm 9 we make this the default as the bug in llvm is
                   // then fixed
 #else
-        if (1)  // with llvm 9 we make this the default as the bug in llvm is
-                // then fixed
+        if (!skip_nozero)
 #endif
        {

--- a/llvm_mode/README.neverzero.md
+++ b/llvm_mode/README.neverzero.md
@ -20,8 +20,16 @@ This is implemented in afl-gcc, however for llvm_mode this is optional if
 the llvm version is below 9 - as there is a perfomance bug that is only fixed
 in version 9 and onwards.

-If you want to enable this for llvm < 9 then set
+If you want to enable this for llvm versions below 9 then set

 ```
 export AFL_LLVM_NOT_ZERO=1
 ```
+
+In case you are on llvm 9 or greater and you do not want this behaviour then
+you can set:
+```
+AFL_LLVM_SKIP_NEVERZERO=1
+```
+If the target does not have extensive loops or functions that are called
+a lot then this can give a small performance boost.
--- a/llvm_mode/afl-clang-fast.c
+++ b/llvm_mode/afl-clang-fast.c
@ -562,6 +562,11 @@ int main(int argc, char **argv, char **envp) {
  instrument_mode = INSTRUMENT_PCGUARD;
 #endif

+  if (getenv("AFL_LLVM_SKIP_NEVERZERO") && getenv("AFL_LLVM_NOT_ZERO"))
+    FATAL(
+        "AFL_LLVM_NOT_ZERO and AFL_LLVM_SKIP_NEVERZERO can not be set "
+        "together");
+
  if ((ptr = getenv("AFL_LLVM_INSTRUMENT")) != NULL) {

    if (strncasecmp(ptr, "default", strlen("default")) == 0 ||
@ -726,6 +731,7 @@ int main(int argc, char **argv, char **envp) {
        "AFL_HARDEN: adds code hardening to catch memory bugs\n"
        "AFL_INST_RATIO: percentage of branches to instrument\n"
        "AFL_LLVM_NOT_ZERO: use cycling trace counters that skip zero\n"
+        "AFL_LLVM_SKIP_NEVERZERO: do not skip zero on trace counters\n"
        "AFL_LLVM_LAF_SPLIT_COMPARES: enable cascaded comparisons\n"
        "AFL_LLVM_LAF_SPLIT_FLOATS: transform floating point comp. to "
        "cascaded "
--- a/llvm_mode/afl-llvm-lto-instrumentation.so.cc
+++ b/llvm_mode/afl-llvm-lto-instrumentation.so.cc
@ -78,6 +78,8 @@ class AFLLTOPass : public ModulePass {
        FATAL("AFL_LLVM_LTO_STARTID value of \"%s\" is not between 0 and %d\n",
              ptr, MAP_SIZE - 1);

+    skip_nozero = getenv("AFL_LLVM_SKIP_NEVERZERO");
+
  }

  void getAnalysisUsage(AnalysisUsage &AU) const override {
@ -111,6 +113,7 @@ class AFLLTOPass : public ModulePass {
  int      afl_global_id = 1, debug = 0, autodictionary = 0;
  uint32_t be_quiet = 0, inst_blocks = 0, inst_funcs = 0, total_instr = 0;
  uint64_t map_addr = 0x10000;
+  char *   skip_nozero = NULL;

 };

@ -614,9 +617,14 @@ bool AFLLTOPass::runOnModule(Module &M) {

          Value *Incr = IRB.CreateAdd(Counter, One);

-          auto cf = IRB.CreateICmpEQ(Incr, Zero);
-          auto carry = IRB.CreateZExt(cf, Int8Ty);
-          Incr = IRB.CreateAdd(Incr, carry);
+          if (skip_nozero) {
+
+            auto cf = IRB.CreateICmpEQ(Incr, Zero);
+            auto carry = IRB.CreateZExt(cf, Int8Ty);
+            Incr = IRB.CreateAdd(Incr, carry);
+
+          }
+
          IRB.CreateStore(Incr, MapPtrIdx)
              ->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));

--- a/llvm_mode/afl-llvm-pass.so.cc
+++ b/llvm_mode/afl-llvm-pass.so.cc
@ -84,7 +84,7 @@ class AFLCoverage : public ModulePass {
  uint32_t ngram_size = 0;
  uint32_t debug = 0;
  uint32_t map_size = MAP_SIZE;
-  char *   ctx_str = NULL;
+  char *   ctx_str = NULL, *skip_nozero = NULL;

 };

@ -180,6 +180,7 @@ bool AFLCoverage::runOnModule(Module &M) {
 #if LLVM_VERSION_MAJOR < 9
  char *neverZero_counters_str = getenv("AFL_LLVM_NOT_ZERO");
 #endif
+  skip_nozero = getenv("AFL_LLVM_SKIP_NEVERZERO");

  unsigned PrevLocSize;

@ -467,6 +468,9 @@ bool AFLCoverage::runOnModule(Module &M) {
      if (neverZero_counters_str !=
          NULL) {  // with llvm 9 we make this the default as the bug in llvm is
                   // then fixed
+#else
+      if (!skip_nozero) {
+
 #endif
        /* hexcoder: Realize a counter that skips zero during overflow.
         * Once this counter reaches its maximum value, it next increments to 1
@ -482,12 +486,8 @@ bool AFLCoverage::runOnModule(Module &M) {
        auto carry = IRB.CreateZExt(cf, Int8Ty);
        Incr = IRB.CreateAdd(Incr, carry);

-#if LLVM_VERSION_MAJOR < 9
-
      }

-#endif
-
      IRB.CreateStore(Incr, MapPtrIdx)
          ->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));

--- a/src/afl-common.c
+++ b/src/afl-common.c
@ -69,9 +69,10 @@ char *afl_environment_variables[] = {
    "AFL_LLVM_LAF_SPLIT_SWITCHES", "AFL_LLVM_LAF_TRANSFORM_COMPARES",
    "AFL_LLVM_MAP_ADDR", "AFL_LLVM_MAP_DYNAMIC", "AFL_LLVM_NGRAM_SIZE",
    "AFL_NGRAM_SIZE", "AFL_LLVM_NOT_ZERO", "AFL_LLVM_WHITELIST",
-    "AFL_NO_AFFINITY", "AFL_LLVM_LTO_STARTID", "AFL_LLVM_LTO_DONTWRITEID",
-    "AFL_NO_ARITH", "AFL_NO_BUILTIN", "AFL_NO_CPU_RED", "AFL_NO_FORKSRV",
-    "AFL_NO_UI", "AFL_NO_PYTHON", "AFL_UNTRACER_FILE",
+    "AFL_LLVM_SKIP_NEVERZERO", "AFL_NO_AFFINITY", "AFL_LLVM_LTO_STARTID",
+    "AFL_LLVM_LTO_DONTWRITEID", "AFL_NO_ARITH", "AFL_NO_BUILTIN",
+    "AFL_NO_CPU_RED", "AFL_NO_FORKSRV", "AFL_NO_UI", "AFL_NO_PYTHON",
+    "AFL_UNTRACER_FILE",
    "AFL_NO_X86",  // not really an env but we dont want to warn on it
    "AFL_MAP_SIZE", "AFL_MAPSIZE", "AFL_PATH", "AFL_PERFORMANCE_FILE",
    //"AFL_PERSISTENT", // not implemented anymore, so warn additionally