Merge pull request #2401 from AFLplusplus/dev

v4.32c release

README.md

@@ -2,9 +2,9 @@
 
 <img align="right" src="https://raw.githubusercontent.com/AFLplusplus/Website/main/static/aflpp_bg.svg" alt="AFL++ logo" width="250" height="250">
 
-Release version: [4.31c](https://github.com/AFLplusplus/AFLplusplus/releases)
+Release version: [4.32c](https://github.com/AFLplusplus/AFLplusplus/releases)
 
-GitHub version: 4.32a
+GitHub version: 4.32c
 
 Repository:
 [https://github.com/AFLplusplus/AFLplusplus](https://github.com/AFLplusplus/AFLplusplus)
@@ -16,7 +16,6 @@ AFL++ is maintained by:
 * Andrea Fioraldi <andreafioraldi@gmail.com>
 * Heiko "hexcoder-" Eissfeldt <heiko.eissfeldt@hexco.de>
 * frida_mode is maintained by @Worksbutnottested
-* Documentation: Jana Aydinbas <jana.aydinbas@gmail.com>
 
 Originally developed by Michal "lcamtuf" Zalewski.
 
@@ -230,7 +229,8 @@ Thank you! (For people sending pull requests - please add yourself to this list
     Ruben ten Hove                        Joey Jiao
     fuzzah                                @intrigus-lgtm
     Yaakov Saxon                          Sergej Schumilo
-    Ziqiao Kong
+    Ziqiao Kong                           Ryan Berger
+    Sangjun Park
   ```
 
 </details>

afl-cmin

@@ -331,7 +331,7 @@ BEGIN {
   }
 
   if (0 == system ( "grep -aq AFL_DUMP_MAP_SIZE " target_bin )) {
-    echo "[!] Trying to obtain the map size of the target ..."
+    print "[!] Trying to obtain the map size of the target ..."
     get_map_size = "AFL_DUMP_MAP_SIZE=1 " target_bin
     get_map_size | getline mapsize
     close(get_map_size)

docs/Changelog.md

@@ -3,15 +3,22 @@
   This is the list of all noteworthy changes made in every public
   release of the tool. See README.md for the general instruction manual.
 
-### Version ++4.32a (dev)
+### Version ++4.32c (release)
   - Fixed a bug where after a fast restart of a full fuzzed corpus afl-fuzz
     terminates with "need at least one valid input seed that does not crash"
   - Small improvements to afl-*-config
   - afl-fuzz:
     - memory leak fixes by @kcwu - thanks!
-    - some more nits and small memory saves thanks to @kcwu
+    - many more nits and small memory saves thanks to @kcwu
     - remove deprecated files from queue/.state
     - fix bitmap update function if no current trace is present 
+    - fix for afl_custom_queue_get
+    - various small nits
+  - afl-cc:
+    - fix pass support for LLVM 20 (passes were run too early)
+    - dropped plugin support for LLVM 13
+    - fix AFL_OLD_FORKSERVER
+    - various minor fixes
   - frida_mode:
     - fixes for new MacOS + M4 hardware
 

include/config.h

@@ -26,7 +26,7 @@
 /* Version string: */
 
 // c = release, a = volatile github dev, e = experimental branch
-#define VERSION "++4.32a"
+#define VERSION "++4.32c"
 
 /******************************************************
  *                                                    *

instrumentation/SanitizerCoveragePCGUARD.so.cc

@@ -226,20 +226,28 @@ llvmGetPassPluginInfo() {
             using OptimizationLevel = typename PassBuilder::OptimizationLevel;
 #endif
 #if LLVM_VERSION_MAJOR >= 16
+            PB.registerOptimizerEarlyEPCallback([](ModulePassManager &MPM,
+                                                   OptimizationLevel  OL
   #if LLVM_VERSION_MAJOR >= 20
-            PB.registerPipelineStartEPCallback(
-  #else
-            PB.registerOptimizerEarlyEPCallback(
+                                                   ,
+                                                   ThinOrFullLTOPhase Phase
   #endif
+                                                ) {
+
+              MPM.addPass(ModuleSanitizerCoverageAFL());
+
+            });
+
 #else
             PB.registerOptimizerLastEPCallback(
-#endif
                 [](ModulePassManager &MPM, OptimizationLevel OL) {
 
                   MPM.addPass(ModuleSanitizerCoverageAFL());
 
                 });
 
+#endif
+
           }};
 
 }

instrumentation/afl-compiler-rt.o.c

@@ -891,10 +891,10 @@ static void __afl_start_forkserver(void) {
   /* Phone home and tell the parent that we're OK. If parent isn't there,
      assume we're not running in forkserver mode and just execute program. */
 
-  if (!__afl_old_forkserver) {
+  // return because possible non-forkserver usage
+  if (write(FORKSRV_FD + 1, msg, 4) != 4) { return; }
 
-    // return because possible non-forkserver usage
-    if (write(FORKSRV_FD + 1, msg, 4) != 4) { return; }
+  if (!__afl_old_forkserver) {
 
     if (read(FORKSRV_FD, reply, 4) != 4) { _exit(1); }
     if (tmp != status2) {

instrumentation/afl-llvm-pass.so.cc

@@ -121,15 +121,16 @@ extern "C" LLVM_ATTRIBUTE_WEAK PassPluginLibraryInfo llvmGetPassPluginInfo() {
             using OptimizationLevel = typename PassBuilder::OptimizationLevel;
     #endif
     #if LLVM_VERSION_MAJOR >= 16
-      #if LLVM_VERSION_MAJOR >= 20
-            PB.registerPipelineStartEPCallback(
-      #else
             PB.registerOptimizerEarlyEPCallback(
-      #endif
     #else
             PB.registerOptimizerLastEPCallback(
     #endif
-                [](ModulePassManager &MPM, OptimizationLevel OL) {
+                [](ModulePassManager &MPM, OptimizationLevel OL
+    #if LLVM_VERSION_MAJOR >= 20
+                   ,
+                   ThinOrFullLTOPhase Phase
+    #endif
+                ) {
 
                   MPM.addPass(AFLCoverage());
 

instrumentation/compare-transform-pass.so.cc

@@ -130,15 +130,16 @@ llvmGetPassPluginInfo() {
             using OptimizationLevel = typename PassBuilder::OptimizationLevel;
     #endif
     #if LLVM_VERSION_MAJOR >= 16
-      #if LLVM_VERSION_MAJOR >= 20
-            PB.registerPipelineStartEPCallback(
-      #else
             PB.registerOptimizerEarlyEPCallback(
-      #endif
     #else
             PB.registerOptimizerLastEPCallback(
     #endif
-                [](ModulePassManager &MPM, OptimizationLevel OL) {
+                [](ModulePassManager &MPM, OptimizationLevel OL
+    #if LLVM_VERSION_MAJOR >= 20
+                   ,
+                   ThinOrFullLTOPhase Phase
+    #endif
+                ) {
 
                   MPM.addPass(CompareTransform());
 

instrumentation/split-compares-pass.so.cc

@@ -190,15 +190,16 @@ llvmGetPassPluginInfo() {
             using OptimizationLevel = typename PassBuilder::OptimizationLevel;
     #endif
     #if LLVM_VERSION_MAJOR >= 16
-      #if LLVM_VERSION_MAJOR >= 20
-            PB.registerPipelineStartEPCallback(
-      #else
             PB.registerOptimizerEarlyEPCallback(
-      #endif
     #else
             PB.registerOptimizerLastEPCallback(
     #endif
-                [](ModulePassManager &MPM, OptimizationLevel OL) {
+                [](ModulePassManager &MPM, OptimizationLevel OL
+    #if LLVM_VERSION_MAJOR >= 20
+                   ,
+                   ThinOrFullLTOPhase Phase
+    #endif
+                ) {
 
                   MPM.addPass(SplitComparesTransform());
 

instrumentation/split-switches-pass.so.cc

@@ -138,15 +138,17 @@ llvmGetPassPluginInfo() {
             using OptimizationLevel = typename PassBuilder::OptimizationLevel;
     #endif
     #if LLVM_VERSION_MAJOR >= 16
-      #if LLVM_VERSION_MAJOR >= 20
-            PB.registerPipelineStartEPCallback(
-      #else
             PB.registerOptimizerEarlyEPCallback(
-      #endif
     #else
             PB.registerOptimizerLastEPCallback(
     #endif
-                [](ModulePassManager &MPM, OptimizationLevel OL) {
+                [](ModulePassManager &MPM, OptimizationLevel OL
+    #if LLVM_VERSION_MAJOR >= 20
+                   ,
+                   ThinOrFullLTOPhase Phase
+    #endif
+
+                ) {
 
                   MPM.addPass(SplitSwitchesTransform());
 

src/afl-cc.c

@@ -253,7 +253,11 @@ static inline void load_llvm_pass(aflcc_state_t *aflcc, u8 *pass) {
 
 #if LLVM_MAJOR >= 11                                /* use new pass manager */
   #if LLVM_MAJOR < 16
+    #if LLVM_MAJOR < 15
+  insert_param(aflcc, "-fno-legacy-pass-manager");
+    #else
   insert_param(aflcc, "-fexperimental-new-pass-manager");
+    #endif
   #endif
   insert_object(aflcc, pass, "-fpass-plugin=%s", 0);
 #else
@@ -2163,7 +2167,11 @@ void add_optimized_pcguard(aflcc_state_t *aflcc) {
 
     /* Since LLVM_MAJOR >= 13 we use new pass manager */
     #if LLVM_MAJOR < 16
+      #if LLVM_MAJOR < 15
+    insert_param(aflcc, "-fno-legacy-pass-manager");
+      #else
     insert_param(aflcc, "-fexperimental-new-pass-manager");
+      #endif
     #endif
     insert_object(aflcc, "SanitizerCoveragePCGUARD.so", "-fpass-plugin=%s", 0);
 
@@ -3591,6 +3599,64 @@ int main(int argc, char **argv, char **envp) {
 
   }
 
+  // We only support plugins with LLVM 14 onwards
+#if LLVM_MAJOR < 14
+  if (aflcc->instrument_mode != INSTRUMENT_LLVMNATIVE &&
+      aflcc->compiler_mode != GCC_PLUGIN) {
+
+    aflcc->instrument_mode = INSTRUMENT_LLVMNATIVE;
+    aflcc->compiler_mode = LLVM;
+
+  }
+
+  if (aflcc->compiler_mode == LLVM) {
+
+    if (aflcc->cmplog_mode) {
+
+      WARNF("CMPLOG support requires LLVM 14+");
+      aflcc->cmplog_mode = 0;
+
+    }
+
+    if (getenv("AFL_LLVM_DICT2FILE")) {
+
+      WARNF("DICT2FILE support requires LLVM14+");
+      unsetenv("AFL_LLVM_DICT2FILE");
+
+    }
+
+    if (getenv("AFL_LLVM_LAF_SPLIT_SWITCHES") ||
+        getenv("AFL_LLVM_LAF_SPLIT_COMPARES") ||
+        getenv("AFL_LLVM_LAF_SPLIT_FLOATS") ||
+        getenv("AFL_LLVM_LAF_TRANSFORM_COMPARES") ||
+        getenv("AFL_LLVM_LAF_ALL")) {
+
+      WARNF("AFL_LLVM_LAF support requires LLVM14+");
+      unsetenv("AFL_LLVM_LAF_SPLIT_SWITCHES");
+      unsetenv("AFL_LLVM_LAF_SPLIT_COMPARES");
+      unsetenv("AFL_LLVM_LAF_SPLIT_FLOATS");
+      unsetenv("AFL_LLVM_LAF_TRANSFORM_COMPARES");
+      unsetenv("AFL_LLVM_LAF_ALL");
+
+    }
+
+    if (getenv("AFL_LLVM_INJECTIONS_ALL") ||
+        getenv("AFL_LLVM_INJECTIONS_SQL") ||
+        getenv("AFL_LLVM_INJECTIONS_LDAP") ||
+        getenv("AFL_LLVM_INJECTIONS_XSS")) {
+
+      WARNF("AFL_LLVM_INJECTIONS support requires LLVM14+");
+      unsetenv("AFL_LLVM_INJECTIONS_ALL");
+      unsetenv("AFL_LLVM_INJECTIONS_SQL");
+      unsetenv("AFL_LLVM_INJECTIONS_LDAP");
+      unsetenv("AFL_LLVM_INJECTIONS_XSS");
+
+    }
+
+  }
+
+#endif
+
   mode_notification(aflcc);
 
   if (aflcc->debug) debugf_args(argc, argv);

src/afl-fuzz-bitmap.c

@@ -686,7 +686,7 @@ u8 __attribute__((hot)) save_if_interesting(afl_state_t *afl, void *mem,
 #else
 
     queue_fn = alloc_printf(
-        "%s/queue/id_%06u", afl->out_dir, afl->queued_items,
+        "%s/queue/id_%06u%s%s", afl->out_dir, afl->queued_items,
         afl->file_extension ? "." : "",
         afl->file_extension ? (const char *)afl->file_extension : "");
 

src/afl-fuzz-one.c

@@ -356,7 +356,12 @@ u8 fuzz_one_original(afl_state_t *afl) {
       if (el->afl_custom_queue_get &&
           !el->afl_custom_queue_get(el->data, afl->queue_cur->fname)) {
 
-        return 1;
+        /* Abandon the entry and return that we skipped it.
+           If we don't do this then when the entry is smallest_favored then
+           we get caught in an infinite loop calling afl_custom_queue_get
+           on smallest_favored */
+        ret_val = 1;
+        goto abandon_entry;
 
       }
 

src/afl-fuzz.c

@@ -1555,13 +1555,6 @@ int main(int argc, char **argv_orig, char **envp) {
 
   #endif
 
-  // silently disable deterministic mutation if custom mutators are used
-  if (!afl->skip_deterministic && afl->afl_env.afl_custom_mutator_only) {
-
-    afl->skip_deterministic = 1;
-
-  }
-
   if (afl->fixed_seed) {
 
     OKF("Running with fixed seed: %u", (u32)afl->init_seed);

src/afl-showmap.c

@@ -1261,8 +1261,6 @@ int main(int argc, char **argv_orig, char **envp) {
 
         break;
 
-      /* FIXME: We want to use -P for consistency, but it is already unused for
-       * undocumenetd feature "Another afl-cmin specific feature." */
       case 'A':                                           /* CoreSight mode */
 
 #if !defined(__aarch64__) || !defined(__linux__)