improve cmplog

2025-06-20 05:23:43 +00:00 · 2023-11-28 10:26:37 +01:00
parent dd9a04c901
commit 74f8ca6b46
4 changed files with 35 additions and 21 deletions
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@ -10,7 +10,9 @@
    - added AFL_IGNORE_SEED_PROBLEMS to skip over seeds that time out instead
      of exiting with an error message
    - allow -S/-M naming up to 50 characters (from 24)
-    - added scale support to CMPLOG (-l S)
+    - CMPLOG:
+      - added scale support (-l S)
+      - skip unhelpful insertions (u8)
    - added --version and --help command line parameters
    - fixed endless loop when reading malformed dictionaries
    - new custom mutator function: post_run - thanks to yangzao!
--- a/instrumentation/afl-compiler-rt.o.c
+++ b/instrumentation/afl-compiler-rt.o.c
@ -1910,6 +1910,10 @@ void __cmplog_ins_hook1(uint8_t arg1, uint8_t arg2, uint8_t attr) {
  // fprintf(stderr, "hook1 arg0=%02x arg1=%02x attr=%u\n",
  //         (u8) arg1, (u8) arg2, attr);

+  return;
+
+  /*
+
  if (unlikely(!__afl_cmp_map || arg1 == arg2)) return;

  uintptr_t k = (uintptr_t)__builtin_return_address(0);
@ -1936,6 +1940,8 @@ void __cmplog_ins_hook1(uint8_t arg1, uint8_t arg2, uint8_t attr) {
  __afl_cmp_map->log[k][hits].v0 = arg1;
  __afl_cmp_map->log[k][hits].v1 = arg2;

+  */
+
 }

 void __cmplog_ins_hook2(uint16_t arg1, uint16_t arg2, uint8_t attr) {
@ -2142,13 +2148,13 @@ void __cmplog_ins_hook16(uint128_t arg1, uint128_t arg2, uint8_t attr) {

 void __sanitizer_cov_trace_cmp1(uint8_t arg1, uint8_t arg2) {

-  __cmplog_ins_hook1(arg1, arg2, 0);
+  //__cmplog_ins_hook1(arg1, arg2, 0);

 }

 void __sanitizer_cov_trace_const_cmp1(uint8_t arg1, uint8_t arg2) {

-  __cmplog_ins_hook1(arg1, arg2, 0);
+  //__cmplog_ins_hook1(arg1, arg2, 0);

 }

--- a/instrumentation/cmplog-instructions-pass.cc
+++ b/instrumentation/cmplog-instructions-pass.cc
@ -165,6 +165,7 @@ bool CmpLogInstructions::hookInstrs(Module &M) {
  IntegerType *Int64Ty = IntegerType::getInt64Ty(C);
  IntegerType *Int128Ty = IntegerType::getInt128Ty(C);

+  /*
  #if LLVM_VERSION_MAJOR >= 9
    FunctionCallee
  #else
@ -182,6 +183,7 @@ bool CmpLogInstructions::hookInstrs(Module &M) {
  #else
    Function *cmplogHookIns1 = cast<Function>(c1);
  #endif
+  */

 #if LLVM_VERSION_MAJOR >= 9
  FunctionCallee
@ -619,7 +621,7 @@ bool CmpLogInstructions::hookInstrs(Module &M) {
          switch (cast_size) {

            case 8:
-              IRB.CreateCall(cmplogHookIns1, args);
+              // IRB.CreateCall(cmplogHookIns1, args);
              break;
            case 16:
              IRB.CreateCall(cmplogHookIns2, args);
--- a/src/afl-fuzz-redqueen.c
+++ b/src/afl-fuzz-redqueen.c
@ -1906,6 +1906,8 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf,

 #endif

+  if (hshape < 2) { return 0; }
+
  for (i = 0; i < loggeds; ++i) {

    struct cmp_operands *o = &afl->shm.cmp_map->log[key][i];
@ -2698,6 +2700,8 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf,

  hshape = SHAPE_BYTES(h->shape);

+  if (hshape < 2) { return 0; }
+
  if (h->hits > CMP_MAP_RTN_H) {

    loggeds = CMP_MAP_RTN_H;