add documentation for LTO fixed map address feature

docs/Changelog.md

@@ -17,6 +17,10 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
     - better dependency checks
   - unicorn_mode:
     - better submodule handling
+  - llvm_mode:
+     - if LLVM 11 is installed the posix shm_open+mmap is used and a fixed
+       address for the shared memory map is used as this increases the
+       fuzzing speed
   - all:
     - fix 32 bit build options
     - make clean now leaves qemu-3.1.1.tar.xz and the unicornafl directory

docs/env_variables.md

@@ -123,6 +123,11 @@ Then there are a few specific features that are only available in llvm_mode:
     These are used if several seperated instrumentation are performed which
     are then later combined.
 
+
+   - AFL_LLVM_MAP_ADDR sets the fixed map address to a different address than
+     the default 0x10000. A value of 0 or empty sets the map address to be
+     dynamic (the original afl way, which is slower)
+   - AFL_LLVM_MAP_DYNAMIC sets the shared memory address to be dynamic
    - AFL_LLVM_LTO_STARTID sets the starting location ID for the instrumentation.
      This defaults to 1
    - AFL_LLVM_LTO_DONTWRITEID prevents that the highest location ID written

llvm_mode/NOTES

@@ -1,88 +0,0 @@
-
-markNodes
- ->
-
-whitelist:
-  set meta information/context to functions? ask llvm-dev
-    setAttribute/hasAttribute?
-
-afl-ld:
-  handle(=instrument) .a archives on the cmdline
-
-afl-pass-lto-instrument.so:
-  either a or b:
-  a) use instrim
-  b) start in main() or _init() and first otherwise (warn!)
-     keep list of done functions
-     final: go through function list and instrument those missing
-
-
-
----------------------------
-
-
-
-for (auto &module : Ctx.getModules()) {
-  auto &functionList = module->getModule()->getFunctionList();
-  for (auto &function : functionList) {
-    for (auto &bb : function) {
-      for (auto &instruction : bb) {
-        if (CallInst *callInst = dyn_cast<CallInst>(&instruction)) {
-          if (Function *calledFunction = callInst->getCalledFunction()) {
-            if (calledFunction->getName().startswith("llvm.dbg.declare")) {
-
-
-for (auto &U : F.getUsers()) { <- unbekannt
-  if (auto CS = CallSite(U)) {
-    if (CS->getCalledFunction() == F)
-
-getCalledValue()->stripPointerCasts()
- -> for indirect calls
-
-
-CallGraph(M)
-
-
-
-#include "llvm/IR/CallSite.h"
-
-unsigned int indirect_call_cnt = 0;
- 
-  printf("Function: %s\n", F.getName().str().c_str());
-  int cnt=0;
-  for (auto *U : F.users()) {
-//    auto *I = dyn_cast<Instruction>(U);
-//    if (I) {
-//      if (cast<CallInst>(I)->getCalledFunction()->getName() == F.getName()) {
-//       printf("DIRECT CALL %s->%s->%s\n", cast<CallInst>(I)->getParent()->getParent()->getName().str().c_str(), cast<CallInst>(I)->getCalledFunction()->getName().str().c_str(), F.getName().str().c_str());
-//     }
-printf("Callsite #%d\n", ++cnt);
-    CallSite CS(U);
-    auto *I = CS.getInstruction();
-    if (I) {
-      Value *called = CS.getCalledValue()->stripPointerCasts();
-      Function* f = dyn_cast<Function>(called);
-      if (f->getName().size() > 0) {
-        printf("test %s->%s->%s\n", cast<CallInst>(I)->getParent()->getParent()->getName().str().c_str(), f->getName().str().c_str(), F.getName().str().c_str());
-        if (f->getName() == F.getName()) {
-          printf("CALL %s->%s->%s\n", cast<CallInst>(I)->getParent()->getParent()->getName().str().c_str(), f->getName().str().c_str(), F.getName().str().c_str());
-        }
-      } else
-        printf("FOO  %s->...->%s\n", cast<CallInst>(I)->getParent()->getParent()->getName().str().c_str(), F.getName().str().c_str());
-      if (cast<CallInst>(I)->getCalledFunction()->getName() == F.getName()) {
-        printf("DIRECT %s->%s->%s\n", cast<CallInst>(I)->getParent()->getParent()->getName().str().c_str(), cast<CallInst>(I)->getCalledFunction()->getName().str().c_str(), F.getName().str().c_str());
-      }
-    } else {
-      printf("WE MISSED SOMETHING HERE!!\n");
-      indirect_call_cnt++;
-    }
-  }
-
-oder:
-  for (auto *U : F.users()) {
-    if (auto CS = CallSite(U->getUser())) {
-      if (CS->isCallee(&U)) {
-        // foo
-      }
-    }
-  }

llvm_mode/README.lto.md

@@ -95,6 +95,18 @@ target binary based on string compare and memory compare functions.
 afl-fuzz will automatically get these transmitted when starting to fuzz.
 This improves coverage on a lot of targets.
 
+## Fixed memory map
+
+To sped up fuzzing, the shared memory map is hard set to a specific address,
+by default 0x10000.
+In most cases this will work without any problems.
+On unusual operating systems/processors/kernels or weird libraries this might
+fail so to change the fixed address at compile time set
+AFL_LLVM_MAP_ADDR (a value of 0 or empty sets the map address to be
+dynamic - the original afl way, which is slower).
+AFL_LLVM_MAP_DYNAMIC can be set so the shared memory address is dynamic (which
+is safer but also slower).
+
 ## Potential issues
 
 ### compiling libraries fails