ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-12 10:08:07 +00:00
Code Issues Packages Projects Releases Wiki Activity

code-format

Browse Source
This commit is contained in:
van Hauser
2020-02-28 00:19:36 +01:00
parent d83ab141f6
commit 4e37e12c06
10 changed files with 158 additions and 152 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
gcc_plugin/afl-gcc-fast.c
View File

@ -330,7 +330,9 @@ int main(int argc, char** argv, char** envp) {
exit(1); exit(1);
} else if ((isatty(2) && !getenv("AFL_QUIET")) || getenv("AFL_DEBUG") != NULL) { } else if ((isatty(2) && !getenv("AFL_QUIET")) ||
getenv("AFL_DEBUG") != NULL) {
SAYF(cCYA "afl-gcc-fast" VERSION cRST SAYF(cCYA "afl-gcc-fast" VERSION cRST
" initially by <aseipp@pobox.com>, maintainer: hexcoder-\n"); " initially by <aseipp@pobox.com>, maintainer: hexcoder-\n");

199
include/alloc-inl.h
View File

@ -36,70 +36,87 @@
/* User-facing macro to sprintf() to a dynamically allocated buffer. */ /* User-facing macro to sprintf() to a dynamically allocated buffer. */
#define alloc_printf(_str...) ({ \ #define alloc_printf(_str...) \
u8* _tmp; \ ({ \
s32 _len = snprintf(NULL, 0, _str); \ \
u8* _tmp; \
s32 _len = snprintf(NULL, 0, _str); \
if (_len < 0) FATAL("Whoa, snprintf() fails?!"); \ if (_len < 0) FATAL("Whoa, snprintf() fails?!"); \
_tmp = ck_alloc(_len + 1); \ _tmp = ck_alloc(_len + 1); \
snprintf((char*)_tmp, _len + 1, _str); \ snprintf((char*)_tmp, _len + 1, _str); \
_tmp; \ _tmp; \
\
}) })
/* Macro to enforce allocation limits as a last-resort defense against /* Macro to enforce allocation limits as a last-resort defense against
integer overflows. */ integer overflows. */
#define ALLOC_CHECK_SIZE(_s) do { \ #define ALLOC_CHECK_SIZE(_s) \
if ((_s) > MAX_ALLOC) \ do { \
ABORT("Bad alloc request: %u bytes", (_s)); \ \
if ((_s) > MAX_ALLOC) ABORT("Bad alloc request: %u bytes", (_s)); \
\
} while (0) } while (0)
/* Macro to check malloc() failures and the like. */ /* Macro to check malloc() failures and the like. */
#define ALLOC_CHECK_RESULT(_r, _s) do { \ #define ALLOC_CHECK_RESULT(_r, _s) \
if (!(_r)) \ do { \
ABORT("Out of memory: can't allocate %u bytes", (_s)); \ \
if (!(_r)) ABORT("Out of memory: can't allocate %u bytes", (_s)); \
\
} while (0) } while (0)
/* Magic tokens used to mark used / freed chunks. */ /* Magic tokens used to mark used / freed chunks. */
#define ALLOC_MAGIC_C1 0xFF00FF00 /* Used head (dword) */ #define ALLOC_MAGIC_C1 0xFF00FF00 /* Used head (dword) */
#define ALLOC_MAGIC_F 0xFE00FE00 /* Freed head (dword) */ #define ALLOC_MAGIC_F 0xFE00FE00 /* Freed head (dword) */
#define ALLOC_MAGIC_C2 0xF0 /* Used tail (byte) */ #define ALLOC_MAGIC_C2 0xF0 /* Used tail (byte) */
/* Positions of guard tokens in relation to the user-visible pointer. */ /* Positions of guard tokens in relation to the user-visible pointer. */
#define ALLOC_C1(_ptr) (((u32*)(_ptr))[-2]) #define ALLOC_C1(_ptr) (((u32*)(_ptr))[-2])
#define ALLOC_S(_ptr) (((u32*)(_ptr))[-1]) #define ALLOC_S(_ptr) (((u32*)(_ptr))[-1])
#define ALLOC_C2(_ptr) (((u8*)(_ptr))[ALLOC_S(_ptr)]) #define ALLOC_C2(_ptr) (((u8*)(_ptr))[ALLOC_S(_ptr)])
#define ALLOC_OFF_HEAD 8 #define ALLOC_OFF_HEAD 8
#define ALLOC_OFF_TOTAL (ALLOC_OFF_HEAD + 1) #define ALLOC_OFF_TOTAL (ALLOC_OFF_HEAD + 1)
/* Allocator increments for ck_realloc_block(). */ /* Allocator increments for ck_realloc_block(). */
#define ALLOC_BLK_INC 256 #define ALLOC_BLK_INC 256
/* Sanity-checking macros for pointers. */ /* Sanity-checking macros for pointers. */
#define CHECK_PTR(_p) do { \ #define CHECK_PTR(_p) \
if (_p) { \ do { \
if (ALLOC_C1(_p) ^ ALLOC_MAGIC_C1) {\ \
if (ALLOC_C1(_p) == ALLOC_MAGIC_F) \ if (_p) { \
ABORT("Use after free."); \ \
else ABORT("Corrupted head alloc canary."); \ if (ALLOC_C1(_p) ^ ALLOC_MAGIC_C1) { \
} \ \
if (ALLOC_C2(_p) ^ ALLOC_MAGIC_C2) \ if (ALLOC_C1(_p) == ALLOC_MAGIC_F) \
ABORT("Corrupted tail alloc canary."); \ ABORT("Use after free."); \
} \ else \
ABORT("Corrupted head alloc canary."); \
\
} \
if (ALLOC_C2(_p) ^ ALLOC_MAGIC_C2) \
ABORT("Corrupted tail alloc canary."); \
\
} \
\
} while (0) } while (0)
#define CHECK_PTR_EXPR(_p) ({ \ #define CHECK_PTR_EXPR(_p) \
typeof (_p) _tmp = (_p); \ ({ \
CHECK_PTR(_tmp); \ \
_tmp; \ typeof(_p) _tmp = (_p); \
CHECK_PTR(_tmp); \
_tmp; \
\
}) })
/* Allocate a buffer, explicitly not zeroing it. Returns NULL for zero-sized /* Allocate a buffer, explicitly not zeroing it. Returns NULL for zero-sized
requests. */ requests. */
@ -116,14 +133,13 @@ static inline void* DFL_ck_alloc_nozero(u32 size) {
ret += ALLOC_OFF_HEAD; ret += ALLOC_OFF_HEAD;
ALLOC_C1(ret) = ALLOC_MAGIC_C1; ALLOC_C1(ret) = ALLOC_MAGIC_C1;
ALLOC_S(ret) = size; ALLOC_S(ret) = size;
ALLOC_C2(ret) = ALLOC_MAGIC_C2; ALLOC_C2(ret) = ALLOC_MAGIC_C2;
return ret; return ret;
} }
/* Allocate a buffer, returning zeroed memory. */ /* Allocate a buffer, returning zeroed memory. */
static inline void* DFL_ck_alloc(u32 size) { static inline void* DFL_ck_alloc(u32 size) {
@ -137,7 +153,6 @@ static inline void* DFL_ck_alloc(u32 size) {
} }
/* Free memory, checking for double free and corrupted heap. When DEBUG_BUILD /* Free memory, checking for double free and corrupted heap. When DEBUG_BUILD
is set, the old memory will be also clobbered with 0xFF. */ is set, the old memory will be also clobbered with 0xFF. */
@ -152,7 +167,7 @@ static inline void DFL_ck_free(void* mem) {
/* Catch pointer issues sooner. */ /* Catch pointer issues sooner. */
memset(mem, 0xFF, ALLOC_S(mem)); memset(mem, 0xFF, ALLOC_S(mem));
#endif /* DEBUG_BUILD */ #endif /* DEBUG_BUILD */
ALLOC_C1(mem) = ALLOC_MAGIC_F; ALLOC_C1(mem) = ALLOC_MAGIC_F;
@ -160,7 +175,6 @@ static inline void DFL_ck_free(void* mem) {
} }
/* Re-allocate a buffer, checking for issues and zeroing any newly-added tail. /* Re-allocate a buffer, checking for issues and zeroing any newly-added tail.
With DEBUG_BUILD, the buffer is always reallocated to a new addresses and the With DEBUG_BUILD, the buffer is always reallocated to a new addresses and the
old memory is clobbered with 0xFF. */ old memory is clobbered with 0xFF. */
@ -183,10 +197,10 @@ static inline void* DFL_ck_realloc(void* orig, u32 size) {
#ifndef DEBUG_BUILD #ifndef DEBUG_BUILD
ALLOC_C1(orig) = ALLOC_MAGIC_F; ALLOC_C1(orig) = ALLOC_MAGIC_F;
#endif /* !DEBUG_BUILD */ #endif /* !DEBUG_BUILD */
old_size = ALLOC_S(orig); old_size = ALLOC_S(orig);
orig -= ALLOC_OFF_HEAD; orig -= ALLOC_OFF_HEAD;
ALLOC_CHECK_SIZE(old_size); ALLOC_CHECK_SIZE(old_size);
@ -218,22 +232,20 @@ static inline void* DFL_ck_realloc(void* orig, u32 size) {
} }
#endif /* ^!DEBUG_BUILD */ #endif /* ^!DEBUG_BUILD */
ret += ALLOC_OFF_HEAD; ret += ALLOC_OFF_HEAD;
ALLOC_C1(ret) = ALLOC_MAGIC_C1; ALLOC_C1(ret) = ALLOC_MAGIC_C1;
ALLOC_S(ret) = size; ALLOC_S(ret) = size;
ALLOC_C2(ret) = ALLOC_MAGIC_C2; ALLOC_C2(ret) = ALLOC_MAGIC_C2;
if (size > old_size) if (size > old_size) memset(ret + old_size, 0, size - old_size);
memset(ret + old_size, 0, size - old_size);
return ret; return ret;
} }
/* Re-allocate a buffer with ALLOC_BLK_INC increments (used to speed up /* Re-allocate a buffer with ALLOC_BLK_INC increments (used to speed up
repeated small reallocs without complicating the user code). */ repeated small reallocs without complicating the user code). */
@ -251,13 +263,12 @@ static inline void* DFL_ck_realloc_block(void* orig, u32 size) {
} }
#endif /* !DEBUG_BUILD */ #endif /* !DEBUG_BUILD */
return DFL_ck_realloc(orig, size); return DFL_ck_realloc(orig, size);
} }
/* Create a buffer with a copy of a string. Returns NULL for NULL inputs. */ /* Create a buffer with a copy of a string. Returns NULL for NULL inputs. */
static inline u8* DFL_ck_strdup(u8* str) { static inline u8* DFL_ck_strdup(u8* str) {
@ -276,14 +287,13 @@ static inline u8* DFL_ck_strdup(u8* str) {
ret += ALLOC_OFF_HEAD; ret += ALLOC_OFF_HEAD;
ALLOC_C1(ret) = ALLOC_MAGIC_C1; ALLOC_C1(ret) = ALLOC_MAGIC_C1;
ALLOC_S(ret) = size; ALLOC_S(ret) = size;
ALLOC_C2(ret) = ALLOC_MAGIC_C2; ALLOC_C2(ret) = ALLOC_MAGIC_C2;
return memcpy(ret, str, size); return memcpy(ret, str, size);
} }
/* Create a buffer with a copy of a memory block. Returns NULL for zero-sized /* Create a buffer with a copy of a memory block. Returns NULL for zero-sized
or NULL inputs. */ or NULL inputs. */
@ -296,18 +306,17 @@ static inline void* DFL_ck_memdup(void* mem, u32 size) {
ALLOC_CHECK_SIZE(size); ALLOC_CHECK_SIZE(size);
ret = malloc(size + ALLOC_OFF_TOTAL); ret = malloc(size + ALLOC_OFF_TOTAL);
ALLOC_CHECK_RESULT(ret, size); ALLOC_CHECK_RESULT(ret, size);
ret += ALLOC_OFF_HEAD; ret += ALLOC_OFF_HEAD;
ALLOC_C1(ret) = ALLOC_MAGIC_C1; ALLOC_C1(ret) = ALLOC_MAGIC_C1;
ALLOC_S(ret) = size; ALLOC_S(ret) = size;
ALLOC_C2(ret) = ALLOC_MAGIC_C2; ALLOC_C2(ret) = ALLOC_MAGIC_C2;
return memcpy(ret, mem, size); return memcpy(ret, mem, size);
} }
/* Create a buffer with a block of text, appending a NUL terminator at the end. /* Create a buffer with a block of text, appending a NUL terminator at the end.
Returns NULL for zero-sized or NULL inputs. */ Returns NULL for zero-sized or NULL inputs. */
@ -320,11 +329,11 @@ static inline u8* DFL_ck_memdup_str(u8* mem, u32 size) {
ALLOC_CHECK_SIZE(size); ALLOC_CHECK_SIZE(size);
ret = malloc(size + ALLOC_OFF_TOTAL + 1); ret = malloc(size + ALLOC_OFF_TOTAL + 1);
ALLOC_CHECK_RESULT(ret, size); ALLOC_CHECK_RESULT(ret, size);
ret += ALLOC_OFF_HEAD; ret += ALLOC_OFF_HEAD;
ALLOC_C1(ret) = ALLOC_MAGIC_C1; ALLOC_C1(ret) = ALLOC_MAGIC_C1;
ALLOC_S(ret) = size; ALLOC_S(ret) = size;
ALLOC_C2(ret) = ALLOC_MAGIC_C2; ALLOC_C2(ret) = ALLOC_MAGIC_C2;
memcpy(ret, mem, size); memcpy(ret, mem, size);
@ -334,20 +343,19 @@ static inline u8* DFL_ck_memdup_str(u8* mem, u32 size) {
} }
#ifndef DEBUG_BUILD #ifndef DEBUG_BUILD
/* In non-debug mode, we just do straightforward aliasing of the above functions /* In non-debug mode, we just do straightforward aliasing of the above functions
to user-visible names such as ck_alloc(). */ to user-visible names such as ck_alloc(). */
#define ck_alloc DFL_ck_alloc #define ck_alloc DFL_ck_alloc
#define ck_alloc_nozero DFL_ck_alloc_nozero #define ck_alloc_nozero DFL_ck_alloc_nozero
#define ck_realloc DFL_ck_realloc #define ck_realloc DFL_ck_realloc
#define ck_realloc_block DFL_ck_realloc_block #define ck_realloc_block DFL_ck_realloc_block
#define ck_strdup DFL_ck_strdup #define ck_strdup DFL_ck_strdup
#define ck_memdup DFL_ck_memdup #define ck_memdup DFL_ck_memdup
#define ck_memdup_str DFL_ck_memdup_str #define ck_memdup_str DFL_ck_memdup_str
#define ck_free DFL_ck_free #define ck_free DFL_ck_free
#define alloc_report() #define alloc_report()
@ -358,12 +366,14 @@ static inline u8* DFL_ck_memdup_str(u8* mem, u32 size) {
/* Alloc tracking data structures: */ /* Alloc tracking data structures: */
#define ALLOC_BUCKETS 4096 #define ALLOC_BUCKETS 4096
struct TRK_obj { struct TRK_obj {
void *ptr;
void* ptr;
char *file, *func; char *file, *func;
u32 line; u32 line;
}; };
#ifdef AFL_MAIN #ifdef AFL_MAIN
@ -371,22 +381,21 @@ struct TRK_obj {
struct TRK_obj* TRK[ALLOC_BUCKETS]; struct TRK_obj* TRK[ALLOC_BUCKETS];
u32 TRK_cnt[ALLOC_BUCKETS]; u32 TRK_cnt[ALLOC_BUCKETS];
# define alloc_report() TRK_report() #define alloc_report() TRK_report()
#else #else
extern struct TRK_obj* TRK[ALLOC_BUCKETS]; extern struct TRK_obj* TRK[ALLOC_BUCKETS];
extern u32 TRK_cnt[ALLOC_BUCKETS]; extern u32 TRK_cnt[ALLOC_BUCKETS];
# define alloc_report() #define alloc_report()
#endif /* ^AFL_MAIN */ #endif /* ^AFL_MAIN */
/* Bucket-assigning function for a given pointer: */ /* Bucket-assigning function for a given pointer: */
#define TRKH(_ptr) (((((u32)(_ptr)) >> 16) ^ ((u32)(_ptr))) % ALLOC_BUCKETS) #define TRKH(_ptr) (((((u32)(_ptr)) >> 16) ^ ((u32)(_ptr))) % ALLOC_BUCKETS)
/* Add a new entry to the list of allocated objects. */ /* Add a new entry to the list of allocated objects. */
static inline void TRK_alloc_buf(void* ptr, const char* file, const char* func, static inline void TRK_alloc_buf(void* ptr, const char* file, const char* func,
@ -404,7 +413,7 @@ static inline void TRK_alloc_buf(void* ptr, const char* file, const char* func,
if (!TRK[bucket][i].ptr) { if (!TRK[bucket][i].ptr) {
TRK[bucket][i].ptr = ptr; TRK[bucket][i].ptr = ptr;
TRK[bucket][i].file = (char*)file; TRK[bucket][i].file = (char*)file;
TRK[bucket][i].func = (char*)func; TRK[bucket][i].func = (char*)func;
TRK[bucket][i].line = line; TRK[bucket][i].line = line;
@ -414,10 +423,10 @@ static inline void TRK_alloc_buf(void* ptr, const char* file, const char* func,
/* No space available - allocate more. */ /* No space available - allocate more. */
TRK[bucket] = DFL_ck_realloc_block(TRK[bucket], TRK[bucket] = DFL_ck_realloc_block(
(TRK_cnt[bucket] + 1) * sizeof(struct TRK_obj)); TRK[bucket], (TRK_cnt[bucket] + 1) * sizeof(struct TRK_obj));
TRK[bucket][i].ptr = ptr; TRK[bucket][i].ptr = ptr;
TRK[bucket][i].file = (char*)file; TRK[bucket][i].file = (char*)file;
TRK[bucket][i].func = (char*)func; TRK[bucket][i].func = (char*)func;
TRK[bucket][i].line = line; TRK[bucket][i].line = line;
@ -426,7 +435,6 @@ static inline void TRK_alloc_buf(void* ptr, const char* file, const char* func,
} }
/* Remove entry from the list of allocated objects. */ /* Remove entry from the list of allocated objects. */
static inline void TRK_free_buf(void* ptr, const char* file, const char* func, static inline void TRK_free_buf(void* ptr, const char* file, const char* func,
@ -449,12 +457,11 @@ static inline void TRK_free_buf(void* ptr, const char* file, const char* func,
} }
WARNF("ALLOC: Attempt to free non-allocated memory in %s (%s:%u)", WARNF("ALLOC: Attempt to free non-allocated memory in %s (%s:%u)", func, file,
func, file, line); line);
} }
/* Do a final report on all non-deallocated objects. */ /* Do a final report on all non-deallocated objects. */
static inline void TRK_report(void) { static inline void TRK_report(void) {
@ -471,7 +478,6 @@ static inline void TRK_report(void) {
} }
/* Simple wrappers for non-debugging functions: */ /* Simple wrappers for non-debugging functions: */
static inline void* TRK_ck_alloc(u32 size, const char* file, const char* func, static inline void* TRK_ck_alloc(u32 size, const char* file, const char* func,
@ -483,7 +489,6 @@ static inline void* TRK_ck_alloc(u32 size, const char* file, const char* func,
} }
static inline void* TRK_ck_realloc(void* orig, u32 size, const char* file, static inline void* TRK_ck_realloc(void* orig, u32 size, const char* file,
const char* func, u32 line) { const char* func, u32 line) {
@ -494,7 +499,6 @@ static inline void* TRK_ck_realloc(void* orig, u32 size, const char* file,
} }
static inline void* TRK_ck_realloc_block(void* orig, u32 size, const char* file, static inline void* TRK_ck_realloc_block(void* orig, u32 size, const char* file,
const char* func, u32 line) { const char* func, u32 line) {
@ -505,7 +509,6 @@ static inline void* TRK_ck_realloc_block(void* orig, u32 size, const char* file,
} }
static inline void* TRK_ck_strdup(u8* str, const char* file, const char* func, static inline void* TRK_ck_strdup(u8* str, const char* file, const char* func,
u32 line) { u32 line) {
@ -515,7 +518,6 @@ static inline void* TRK_ck_strdup(u8* str, const char* file, const char* func,
} }
static inline void* TRK_ck_memdup(void* mem, u32 size, const char* file, static inline void* TRK_ck_memdup(void* mem, u32 size, const char* file,
const char* func, u32 line) { const char* func, u32 line) {
@ -525,7 +527,6 @@ static inline void* TRK_ck_memdup(void* mem, u32 size, const char* file,
} }
static inline void* TRK_ck_memdup_str(void* mem, u32 size, const char* file, static inline void* TRK_ck_memdup_str(void* mem, u32 size, const char* file,
const char* func, u32 line) { const char* func, u32 line) {
@ -535,9 +536,8 @@ static inline void* TRK_ck_memdup_str(void* mem, u32 size, const char* file,
} }
static inline void TRK_ck_free(void* ptr, const char* file, const char* func,
static inline void TRK_ck_free(void* ptr, const char* file, u32 line) {
const char* func, u32 line) {
TRK_free_buf(ptr, file, func, line); TRK_free_buf(ptr, file, func, line);
DFL_ck_free(ptr); DFL_ck_free(ptr);
@ -546,11 +546,9 @@ static inline void TRK_ck_free(void* ptr, const char* file,
/* Aliasing user-facing names to tracking functions: */ /* Aliasing user-facing names to tracking functions: */
#define ck_alloc(_p1) \ #define ck_alloc(_p1) TRK_ck_alloc(_p1, __FILE__, __FUNCTION__, __LINE__)
TRK_ck_alloc(_p1, __FILE__, __FUNCTION__, __LINE__)
#define ck_alloc_nozero(_p1) \ #define ck_alloc_nozero(_p1) TRK_ck_alloc(_p1, __FILE__, __FUNCTION__, __LINE__)
TRK_ck_alloc(_p1, __FILE__, __FUNCTION__, __LINE__)
#define ck_realloc(_p1, _p2) \ #define ck_realloc(_p1, _p2) \
TRK_ck_realloc(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) TRK_ck_realloc(_p1, _p2, __FILE__, __FUNCTION__, __LINE__)
@ -558,8 +556,7 @@ static inline void TRK_ck_free(void* ptr, const char* file,
#define ck_realloc_block(_p1, _p2) \ #define ck_realloc_block(_p1, _p2) \
TRK_ck_realloc_block(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) TRK_ck_realloc_block(_p1, _p2, __FILE__, __FUNCTION__, __LINE__)
#define ck_strdup(_p1) \ #define ck_strdup(_p1) TRK_ck_strdup(_p1, __FILE__, __FUNCTION__, __LINE__)
TRK_ck_strdup(_p1, __FILE__, __FUNCTION__, __LINE__)
#define ck_memdup(_p1, _p2) \ #define ck_memdup(_p1, _p2) \
TRK_ck_memdup(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) TRK_ck_memdup(_p1, _p2, __FILE__, __FUNCTION__, __LINE__)
@ -567,9 +564,9 @@ static inline void TRK_ck_free(void* ptr, const char* file,
#define ck_memdup_str(_p1, _p2) \ #define ck_memdup_str(_p1, _p2) \
TRK_ck_memdup_str(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) TRK_ck_memdup_str(_p1, _p2, __FILE__, __FUNCTION__, __LINE__)
#define ck_free(_p1) \ #define ck_free(_p1) TRK_ck_free(_p1, __FILE__, __FUNCTION__, __LINE__)
TRK_ck_free(_p1, __FILE__, __FUNCTION__, __LINE__)
#endif /* ^!DEBUG_BUILD */ #endif /* ^!DEBUG_BUILD */
#endif /* ! _HAVE_ALLOC_INL_H */
#endif /* ! _HAVE_ALLOC_INL_H */

9
llvm_mode/afl-clang-fast.c
View File

@ -206,20 +206,20 @@ static void edit_params(u32 argc, char** argv) {
cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = "-Xclang";
cc_params[cc_par_cnt++] = cc_params[cc_par_cnt++] =
alloc_printf("%s/cmplog-routines-pass.so", obj_path); alloc_printf("%s/cmplog-routines-pass.so", obj_path);
// reuse split switches from laf // reuse split switches from laf
cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = "-Xclang";
cc_params[cc_par_cnt++] = "-load"; cc_params[cc_par_cnt++] = "-load";
cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = "-Xclang";
cc_params[cc_par_cnt++] = cc_params[cc_par_cnt++] =
alloc_printf("%s/split-switches-pass.so", obj_path); alloc_printf("%s/split-switches-pass.so", obj_path);
cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = "-Xclang";
cc_params[cc_par_cnt++] = "-load"; cc_params[cc_par_cnt++] = "-load";
cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = "-Xclang";
cc_params[cc_par_cnt++] = cc_params[cc_par_cnt++] =
alloc_printf("%s/cmplog-instructions-pass.so", obj_path); alloc_printf("%s/cmplog-instructions-pass.so", obj_path);
cc_params[cc_par_cnt++] = "-fno-inline"; cc_params[cc_par_cnt++] = "-fno-inline";
} }
@ -245,8 +245,7 @@ static void edit_params(u32 argc, char** argv) {
cc_params[cc_par_cnt++] = "-load"; cc_params[cc_par_cnt++] = "-load";
cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = "-Xclang";
if (getenv("AFL_LLVM_INSTRIM") != NULL || getenv("INSTRIM_LIB") != NULL) if (getenv("AFL_LLVM_INSTRIM") != NULL || getenv("INSTRIM_LIB") != NULL)
cc_params[cc_par_cnt++] = cc_params[cc_par_cnt++] = alloc_printf("%s/libLLVMInsTrim.so", obj_path);
alloc_printf("%s/libLLVMInsTrim.so", obj_path);
else else
cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-pass.so", obj_path); cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-pass.so", obj_path);

3
llvm_mode/afl-llvm-rt.o.c
View File

@ -260,7 +260,8 @@ static void __afl_start_forkserver(void) {
} }
/* A simplified persistent mode handler, used as explained in llvm_mode/README.md. */ /* A simplified persistent mode handler, used as explained in
* llvm_mode/README.md. */
int __afl_persistent_loop(unsigned int max_cnt) { int __afl_persistent_loop(unsigned int max_cnt) {

41
llvm_mode/cmplog-instructions-pass.cc
View File

@ -105,14 +105,14 @@ char CmpLogInstructions::ID = 0;
bool CmpLogInstructions::hookInstrs(Module &M) { bool CmpLogInstructions::hookInstrs(Module &M) {
std::vector<Instruction *> icomps; std::vector<Instruction *> icomps;
LLVMContext & C = M.getContext(); LLVMContext & C = M.getContext();
Type * VoidTy = Type::getVoidTy(C); Type * VoidTy = Type::getVoidTy(C);
IntegerType * Int8Ty = IntegerType::getInt8Ty(C); IntegerType *Int8Ty = IntegerType::getInt8Ty(C);
IntegerType * Int16Ty = IntegerType::getInt16Ty(C); IntegerType *Int16Ty = IntegerType::getInt16Ty(C);
IntegerType * Int32Ty = IntegerType::getInt32Ty(C); IntegerType *Int32Ty = IntegerType::getInt32Ty(C);
IntegerType * Int64Ty = IntegerType::getInt64Ty(C); IntegerType *Int64Ty = IntegerType::getInt64Ty(C);
#if LLVM_VERSION_MAJOR < 9 #if LLVM_VERSION_MAJOR < 9
Constant * Constant *
#else #else
@ -120,8 +120,8 @@ bool CmpLogInstructions::hookInstrs(Module &M) {
#endif #endif
c1 = M.getOrInsertFunction("__cmplog_ins_hook1", VoidTy, Int8Ty, Int8Ty c1 = M.getOrInsertFunction("__cmplog_ins_hook1", VoidTy, Int8Ty, Int8Ty
#if LLVM_VERSION_MAJOR < 5 #if LLVM_VERSION_MAJOR < 5
, ,
NULL NULL
#endif #endif
); );
#if LLVM_VERSION_MAJOR < 9 #if LLVM_VERSION_MAJOR < 9
@ -137,8 +137,8 @@ bool CmpLogInstructions::hookInstrs(Module &M) {
#endif #endif
c2 = M.getOrInsertFunction("__cmplog_ins_hook2", VoidTy, Int16Ty, Int16Ty c2 = M.getOrInsertFunction("__cmplog_ins_hook2", VoidTy, Int16Ty, Int16Ty
#if LLVM_VERSION_MAJOR < 5 #if LLVM_VERSION_MAJOR < 5
, ,
NULL NULL
#endif #endif
); );
#if LLVM_VERSION_MAJOR < 9 #if LLVM_VERSION_MAJOR < 9
@ -154,8 +154,8 @@ bool CmpLogInstructions::hookInstrs(Module &M) {
#endif #endif
c4 = M.getOrInsertFunction("__cmplog_ins_hook4", VoidTy, Int32Ty, Int32Ty c4 = M.getOrInsertFunction("__cmplog_ins_hook4", VoidTy, Int32Ty, Int32Ty
#if LLVM_VERSION_MAJOR < 5 #if LLVM_VERSION_MAJOR < 5
, ,
NULL NULL
#endif #endif
); );
#if LLVM_VERSION_MAJOR < 9 #if LLVM_VERSION_MAJOR < 9
@ -171,8 +171,8 @@ bool CmpLogInstructions::hookInstrs(Module &M) {
#endif #endif
c8 = M.getOrInsertFunction("__cmplog_ins_hook8", VoidTy, Int64Ty, Int64Ty c8 = M.getOrInsertFunction("__cmplog_ins_hook8", VoidTy, Int64Ty, Int64Ty
#if LLVM_VERSION_MAJOR < 5 #if LLVM_VERSION_MAJOR < 5
, ,
NULL NULL
#endif #endif
); );
#if LLVM_VERSION_MAJOR < 9 #if LLVM_VERSION_MAJOR < 9
@ -339,29 +339,32 @@ bool CmpLogInstructions::hookInstrs(Module &M) {
errs() << "Hooking " << icomps.size() << " cmp instructions\n"; errs() << "Hooking " << icomps.size() << " cmp instructions\n";
for (auto &selectcmpInst : icomps) { for (auto &selectcmpInst : icomps) {
IRBuilder<> IRB(selectcmpInst->getParent()); IRBuilder<> IRB(selectcmpInst->getParent());
IRB.SetInsertPoint(selectcmpInst); IRB.SetInsertPoint(selectcmpInst);
auto op0 = selectcmpInst->getOperand(0); auto op0 = selectcmpInst->getOperand(0);
auto op1 = selectcmpInst->getOperand(1); auto op1 = selectcmpInst->getOperand(1);
IntegerType *intTyOp0 = dyn_cast<IntegerType>(op0->getType()); IntegerType *intTyOp0 = dyn_cast<IntegerType>(op0->getType());
IntegerType *intTyOp1 = dyn_cast<IntegerType>(op1->getType()); IntegerType *intTyOp1 = dyn_cast<IntegerType>(op1->getType());
unsigned max_size = intTyOp0->getBitWidth() > intTyOp1->getBitWidth() ? unsigned max_size = intTyOp0->getBitWidth() > intTyOp1->getBitWidth()
intTyOp0->getBitWidth() : intTyOp1->getBitWidth(); ? intTyOp0->getBitWidth()
: intTyOp1->getBitWidth();
std::vector<Value *> args; std::vector<Value *> args;
args.push_back(op0); args.push_back(op0);
args.push_back(op1); args.push_back(op1);
switch (max_size) { switch (max_size) {
case 8: IRB.CreateCall(cmplogHookIns1, args, "tmp"); break; case 8: IRB.CreateCall(cmplogHookIns1, args, "tmp"); break;
case 16: IRB.CreateCall(cmplogHookIns2, args, "tmp"); break; case 16: IRB.CreateCall(cmplogHookIns2, args, "tmp"); break;
case 32: IRB.CreateCall(cmplogHookIns4, args, "tmp"); break; case 32: IRB.CreateCall(cmplogHookIns4, args, "tmp"); break;
case 64: IRB.CreateCall(cmplogHookIns8, args, "tmp"); break; case 64: IRB.CreateCall(cmplogHookIns8, args, "tmp"); break;
default: break; default: break;
} }
} }
@ -383,7 +386,7 @@ bool CmpLogInstructions::runOnModule(Module &M) {
} }
static void registerCmpLogInstructionsPass(const PassManagerBuilder &, static void registerCmpLogInstructionsPass(const PassManagerBuilder &,
legacy::PassManagerBase &PM) { legacy::PassManagerBase &PM) {
auto p = new CmpLogInstructions(); auto p = new CmpLogInstructions();
PM.add(p); PM.add(p);

3
qemu_mode/patches/afl-qemu-cpu-inl.h
View File

@ -407,7 +407,8 @@ void afl_forkserver(CPUState *cpu) {
} }
/* A simplified persistent mode handler, used as explained in llvm_mode/README.md. */ /* A simplified persistent mode handler, used as explained in
* llvm_mode/README.md. */
void afl_persistent_loop(void) { void afl_persistent_loop(void) {

10
src/afl-as.c
View File

@ -520,8 +520,10 @@ int main(int argc, char** argv) {
if (argc < 2 || (argc == 2 && strcmp(argv[1], "-h") == 0)) { if (argc < 2 || (argc == 2 && strcmp(argv[1], "-h") == 0)) {
fprintf(stdout, fprintf(
"afl-as" VERSION " by Michal Zalewski\n" stdout,
"afl-as" VERSION
" by Michal Zalewski\n"
"\n%s [-h]\n\n" "\n%s [-h]\n\n"
"This is a helper application for afl-fuzz. It is a wrapper around GNU " "This is a helper application for afl-fuzz. It is a wrapper around GNU "
"'as',\n" "'as',\n"
@ -546,8 +548,8 @@ int main(int argc, char** argv) {
"AFL_KEEP_ASSEMBLY: leave instrumented assembly files\n" "AFL_KEEP_ASSEMBLY: leave instrumented assembly files\n"
"AFL_AS_FORCE_INSTRUMENT: force instrumentation for asm sources\n" "AFL_AS_FORCE_INSTRUMENT: force instrumentation for asm sources\n"
"AFL_HARDEN, AFL_USE_ASAN, AFL_USE_MSAN, AFL_USE_UBSAN:\n" "AFL_HARDEN, AFL_USE_ASAN, AFL_USE_MSAN, AFL_USE_UBSAN:\n"
" used in the instrumentation summary message\n" " used in the instrumentation summary message\n",
,argv[0]); argv[0]);
exit(1); exit(1);

34
src/afl-fuzz-init.c
View File

@ -1972,25 +1972,25 @@ void check_binary(u8* fname) {
if (!qemu_mode && !unicorn_mode && !dumb_mode && if (!qemu_mode && !unicorn_mode && !dumb_mode &&
!memmem(f_data, f_len, SHM_ENV_VAR, strlen(SHM_ENV_VAR) + 1)) { !memmem(f_data, f_len, SHM_ENV_VAR, strlen(SHM_ENV_VAR) + 1)) {
SAYF( SAYF("\n" cLRD "[-] " cRST
"\n" cLRD "[-] " cRST "Looks like the target binary is not instrumented! The fuzzer depends "
"Looks like the target binary is not instrumented! The fuzzer depends " "on\n"
"on\n" " compile-time instrumentation to isolate interesting test cases "
" compile-time instrumentation to isolate interesting test cases " "while\n"
"while\n" " mutating the input data. For more information, and for tips on "
" mutating the input data. For more information, and for tips on " "how to\n"
"how to\n" " instrument binaries, please see %s/README.md.\n\n"
" instrument binaries, please see %s/README.md.\n\n"
" When source code is not available, you may be able to leverage " " When source code is not available, you may be able to leverage "
"QEMU\n" "QEMU\n"
" mode support. Consult the README.md for tips on how to enable this.\n" " mode support. Consult the README.md for tips on how to enable "
"this.\n"
" (It is also possible to use afl-fuzz as a traditional, \"dumb\" " " (It is also possible to use afl-fuzz as a traditional, \"dumb\" "
"fuzzer.\n" "fuzzer.\n"
" For that, you can use the -n option - but expect much worse " " For that, you can use the -n option - but expect much worse "
"results.)\n", "results.)\n",
doc_path); doc_path);
FATAL("No instrumentation detected"); FATAL("No instrumentation detected");

3
src/afl-fuzz.c
View File

@ -112,7 +112,8 @@ static void usage(u8* argv0) {
"entering the\n" "entering the\n"
" pacemaker mode (minutes of no new paths, 0 = " " pacemaker mode (minutes of no new paths, 0 = "
"immediately).\n" "immediately).\n"
" a recommended value is 10-60. see docs/README.MOpt.md\n" " a recommended value is 10-60. see "
"docs/README.MOpt.md\n"
" -c program - enable CmpLog by specifying a binary compiled for " " -c program - enable CmpLog by specifying a binary compiled for "
"it.\n" "it.\n"
" if using QEMU, just use -c 0.\n\n" " if using QEMU, just use -c 0.\n\n"

4
src/afl-showmap.c
View File

@ -647,8 +647,8 @@ static void usage(u8* argv0) {
" -c - allow core dumps\n\n" " -c - allow core dumps\n\n"
"This tool displays raw tuple data captured by AFL instrumentation.\n" "This tool displays raw tuple data captured by AFL instrumentation.\n"
"For additional help, consult %s/README.md.\n" "For additional help, consult %s/README.md.\n",
, argv0, MEM_LIMIT, doc_path); argv0, MEM_LIMIT, doc_path);
exit(1); exit(1);