whitelist features works now

docs/PATCHES

@@ -17,6 +17,7 @@ afl-qemu-optimize-entrypoint.diff	by mh(at)mh-sec(dot)de
 afl-qemu-speed.diff			by abiondo on github
 afl-qemu-optimize-map.diff		by mh(at)mh-sec(dot)de
 
++ instrim (https://github.com/csienslab/instrim) was integrated
 + MOpt (github.com/puppet-meteor/MOpt-AFL) was imported
 + AFLfast additions (github.com/mboehme/aflfast) were incorporated.
 + Qemu 3.1 upgrade with enhancement patches (github.com/andreafioraldi/afl)

docs/README

@@ -19,9 +19,13 @@ american fuzzy lop plus plus
   C. Hollers afl-fuzz Python mutator module and llvm_mode whitelist support
   was added too (https://github.com/choller/afl)
 
-  The newest additions is the excellent MOpt mutator from
+  New is the excellent MOpt mutator from
   https://github.com/puppet-meteor/MOpt-AFL  
 
+  Also newly integrated is instrim, a very effective CFG llvm_mode
+  instrumentation implementation which replaced the original afl one and is
+  from https://github.com/csienslab/instrim
+
   A more thorough list is available in the PATCHES file.
 
   So all in all this is the best-of AFL that is currently out there :-)

llvm_mode/LLVMInsTrim.so.cc

@@ -1,3 +1,6 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdarg.h>
 #include <unistd.h>
 
 #include "llvm/ADT/DenseMap.h"
@@ -131,11 +134,15 @@ namespace {
 
         if (!myWhitelist.empty()) {
           bool instrumentBlock = false;
-          BasicBlock &BB = F.getEntryBlock();
+          DebugLoc Loc;
+          StringRef instFilename;
+
+          for (auto &BB : F) {
             BasicBlock::iterator IP = BB.getFirstInsertionPt();
             IRBuilder<> IRB(&(*IP));
-          DebugLoc Loc = IP->getDebugLoc();
+            if (!Loc)
-          StringRef instFilename;
+              Loc = IP->getDebugLoc();
+          }
 
           if ( Loc ) {
               DILocation *cDILoc = dyn_cast<DILocation>(Loc.getAsMDNode());
@@ -169,7 +176,9 @@ namespace {
            * not whitelisted, so we skip instrumentation. */
           if (!instrumentBlock) {
             if (!instFilename.str().empty())
-              SAYF( "Not in whitelist, skipping %s ...\n", instFilename.str().c_str());
+              SAYF(cYEL "[!] " cBRI "Not in whitelist, skipping %s ...\n", instFilename.str().c_str());
+            else
+              SAYF(cYEL "[!] " cBRI "No filename information found, skipping it");
             continue;
           }
         }

llvm_mode/README.llvm

@@ -38,8 +38,8 @@ co-exists with the original code.
 
 The idea and much of the implementation comes from Laszlo Szekeres.
 
-2) How to use
+2) How to use this
--------------
+------------------
 
 In order to leverage this mechanism, you need to have clang installed on your
 system. You should also make sure that the llvm-config tool is in your path
@@ -69,8 +69,10 @@ operating mode of AFL, e.g.:
 Be sure to also include CXX set to afl-clang-fast++ for C++ code.
 
 The tool honors roughly the same environmental variables as afl-gcc (see
-../docs/env_variables.txt). This includes AFL_INST_RATIO, AFL_USE_ASAN,
+../docs/env_variables.txt). This includes AFL_USE_ASAN,
-AFL_HARDEN, and AFL_DONT_OPTIMIZE.
+AFL_HARDEN, and AFL_DONT_OPTIMIZE. However AFL_INST_RATIO is not honored
+as it does not serve a good purpose with the more effective instrim CFG
+analysis.
 
 Note: if you want the LLVM helper to be installed on your system for all
 users, you need to build it before issuing 'make install' in the parent