LLVM 17 bug workaround

2025-06-22 06:18:04 +00:00 · 2023-12-29 10:03:02 +01:00
parent 25f9c1f4fb
commit 88cbaeb3e1
4 changed files with 63 additions and 29 deletions
--- a/TODO.md
+++ b/TODO.md
@ -10,6 +10,15 @@
 - when trimming then perform crash detection
 - either -L0 and/or -p mmopt results in zero new coverage

+afl-clang-fast  -Iapps -I. -Iinclude -Iapps/include  -pthread -m64 -fsanitize=address -fno-omit-frame-pointer -g -Wa,--noexecstack -Qunused-arguments -fno-inline-functions -g -pthread -Wno-unused-command-line-argument -O3 -fno-sanitize=alignment -DOPENSSL_BUILDING_OPENSSL -DPEDANTIC -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -MMD -MF apps/openssl-bin-speed.d.tmp -MT apps/openssl-bin-speed.o -c -o apps/openssl-bin-speed.o apps/speed.c
+afl-cc++4.10a by Michal Zalewski, Laszlo Szekeres, Marc Heuse - mode: LLVM-PCGUARD
+Split-compare-newpass by laf.intel@gmail.com, extended by heiko@hexco.de (splitting icmp to 8 bit)
+Split-floatingpoint-compare-pass: 2 FP comparisons split
+724 comparisons found
+SanitizerCoveragePCGUARD++4.10a
+[+] Instrumented 7356 locations with no collisions (non-hardened mode) of which are 99 handled and 7 unhandled selects.
+
+
 ## Should

 <<<<<<< Updated upstream
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@ -11,6 +11,11 @@
      reporting!
  - instrumentation:
    - LLVM 18 support, thanks to @devnexen!
+    - compcov/LAF-intel:
+      - floating point splitting bug fix by @hexcoder
+      - due a bug in LLVM 17 integer splitting is disabled!
+      - when splitting floats was selected, integers were always split as well,
+        fixed to require AFL_LLVM_LAF_SPLIT_COMPARES as it should


 ### Version ++4.09c (release)
--- a/instrumentation/SanitizerCoveragePCGUARD.so.cc
+++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc
@ -952,6 +952,7 @@ bool ModuleSanitizerCoverageAFL::InjectCoverage(
 #endif
        {

+          // fprintf(stderr, "UNHANDLED: %u\n", t->getTypeID());
          unhandled++;
          continue;

--- a/instrumentation/split-compares-pass.so.cc
+++ b/instrumentation/split-compares-pass.so.cc
@ -1707,12 +1707,6 @@ bool SplitComparesTransform::runOnModule(Module &M) {

 #endif

-  char *bitw_env = getenv("AFL_LLVM_LAF_SPLIT_COMPARES_BITW");
-  if (!bitw_env) bitw_env = getenv("LAF_SPLIT_COMPARES_BITW");
-  if (bitw_env) { target_bitwidth = atoi(bitw_env); }
-
-  enableFPSplit = getenv("AFL_LLVM_LAF_SPLIT_FLOATS") != NULL;
-
  if ((isatty(2) && getenv("AFL_QUIET") == NULL) ||
      getenv("AFL_DEBUG") != NULL) {

@ -1728,6 +1722,27 @@ bool SplitComparesTransform::runOnModule(Module &M) {

  }

+  char *bitw_env = getenv("AFL_LLVM_LAF_SPLIT_COMPARES_BITW");
+  if (!bitw_env) bitw_env = getenv("LAF_SPLIT_COMPARES_BITW");
+  if (bitw_env) { target_bitwidth = atoi(bitw_env); }
+
+  if (getenv("AFL_LLVM_LAF_SPLIT_FLOATS")) { enableFPSplit = true; }
+
+  bool split_comp = false;
+
+  if (getenv("AFL_LLVM_LAF_SPLIT_COMPARES")) {
+
+#if LLVM_MAJOR == 17
+    if (!be_quiet)
+      fprintf(stderr,
+              "WARNING: AFL++ splitting integer comparisons is disabled in "
+              "LLVM 17 due bugs, switch to 16 or 18!\n");
+#else
+    split_comp = true;
+#endif
+
+  }
+
 #if LLVM_MAJOR >= 11
  auto PA = PreservedAnalyses::all();
 #endif
@ -1746,36 +1761,40 @@ bool SplitComparesTransform::runOnModule(Module &M) {

  }

-  std::vector<CmpInst *> worklist;
-  /* iterate over all functions, bbs and instruction search for all integer
-   * compare instructions. Save them into the worklist for later. */
-  for (auto &F : M) {
+  if (split_comp) {

-    if (!isInInstrumentList(&F, MNAME)) continue;
+    std::vector<CmpInst *> worklist;
+    /* iterate over all functions, bbs and instruction search for all integer
+     * compare instructions. Save them into the worklist for later. */
+    for (auto &F : M) {

-    for (auto &BB : F) {
+      if (!isInInstrumentList(&F, MNAME)) continue;

-      for (auto &IN : BB) {
+      for (auto &BB : F) {

-        if (auto CI = dyn_cast<CmpInst>(&IN)) {
+        for (auto &IN : BB) {

-          auto op0 = CI->getOperand(0);
-          auto op1 = CI->getOperand(1);
-          if (!op0 || !op1) {
+          if (auto CI = dyn_cast<CmpInst>(&IN)) {
+
+            auto op0 = CI->getOperand(0);
+            auto op1 = CI->getOperand(1);
+            if (!op0 || !op1) {

 #if LLVM_MAJOR >= 11
-            return PA;
+              return PA;
 #else
-            return false;
+              return false;
 #endif

-          }
+            }

-          auto iTy1 = dyn_cast<IntegerType>(op0->getType());
-          if (iTy1 && isa<IntegerType>(op1->getType())) {
+            auto iTy1 = dyn_cast<IntegerType>(op0->getType());
+            if (iTy1 && isa<IntegerType>(op1->getType())) {

-            unsigned bitw = iTy1->getBitWidth();
-            if (isSupportedBitWidth(bitw)) { worklist.push_back(CI); }
+              unsigned bitw = iTy1->getBitWidth();
+              if (isSupportedBitWidth(bitw)) { worklist.push_back(CI); }
+
+            }

          }

@ -1785,13 +1804,13 @@ bool SplitComparesTransform::runOnModule(Module &M) {

    }

-  }
+    // now that we have a list of all integer comparisons we can start replacing
+    // them with the splitted alternatives.
+    for (auto CI : worklist) {

-  // now that we have a list of all integer comparisons we can start replacing
-  // them with the splitted alternatives.
-  for (auto CI : worklist) {
+      simplifyAndSplit(CI, M);

-    simplifyAndSplit(CI, M);
+    }

  }