small improvements to Marcel's patch, fix laf-intel + redqueen crashes

ShortonX · Sep 29, 2020 · 383cd48 · 383cd48
1 parent fe08482
commit 383cd48
Show file tree

Hide file tree

Showing 12 changed files with 104 additions and 74 deletions.
diff --git a/docs/Changelog.md b/docs/Changelog.md
@@ -14,6 +14,7 @@ sending a mail to <[email protected]>.
   - all compilers combined to afl-cc which emulates the previous ones
   - afl-llvm/gcc-rt.o merged into afl-compiler-rt.o
   - afl-fuzz
+    - Marcel Boehme submitted a patch that improves all AFFast schedules :)
     - reading testcases from -i now descends into subdirectories
     - allow up to 4 -x command line options
     - loaded extras now have a duplicate protection

diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
@@ -151,7 +151,8 @@ struct queue_entry {
       is_ascii;                         /* Is the input just ascii text?    */
 
   u32 bitmap_size,                      /* Number of bits set in bitmap     */
-      fuzz_level;                       /* Number of fuzzing iterations     */
+      fuzz_level,                       /* Number of fuzzing iterations     */
+      n_fuzz_entry;                     /* offset in n_fuzz                 */
 
   u64 exec_us,                          /* Execution time (us)              */
       handicap,                         /* Number of queue cycles behind    */
@@ -491,7 +492,7 @@ typedef struct afl_state {
 
   u8 *var_bytes;                        /* Bytes that appear to be variable */
 
-  #define n_fuzz_size (1 << 21)
+#define N_FUZZ_SIZE (1 << 21)
   u32 *n_fuzz;
 
   volatile u8 stop_soon,                /* Ctrl-C pressed?                  */

diff --git a/instrumentation/afl-llvm-dict2file.so.cc b/instrumentation/afl-llvm-dict2file.so.cc
@@ -381,8 +381,9 @@ bool AFLdict2filePass::runOnModule(Module &M) {
 
           if (debug)
             fprintf(stderr, "F:%s %p(%s)->\"%s\"(%s) %p(%s)->\"%s\"(%s)\n",
-                    FuncName.c_str(), (void*)Str1P, Str1P->getName().str().c_str(),
-                    Str1.c_str(), HasStr1 == true ? "true" : "false", (void*)Str2P,
+                    FuncName.c_str(), (void *)Str1P,
+                    Str1P->getName().str().c_str(), Str1.c_str(),
+                    HasStr1 == true ? "true" : "false", (void *)Str2P,
                     Str2P->getName().str().c_str(), Str2.c_str(),
                     HasStr2 == true ? "true" : "false");
 
@@ -436,7 +437,8 @@ bool AFLdict2filePass::runOnModule(Module &M) {
               valueMap[Str1P] = new std::string(Str2);
 
               if (debug)
-                fprintf(stderr, "Saved: %s for %p\n", Str2.c_str(), (void*)Str1P);
+                fprintf(stderr, "Saved: %s for %p\n", Str2.c_str(),
+                        (void *)Str1P);
               continue;
 
             }
@@ -455,7 +457,8 @@ bool AFLdict2filePass::runOnModule(Module &M) {
               Str2 = *strng;
               HasStr2 = true;
               if (debug)
-                fprintf(stderr, "Filled2: %s for %p\n", strng->c_str(), (void*)Str2P);
+                fprintf(stderr, "Filled2: %s for %p\n", strng->c_str(),
+                        (void *)Str2P);
 
             }
 
@@ -497,7 +500,8 @@ bool AFLdict2filePass::runOnModule(Module &M) {
               Str1 = *strng;
               HasStr1 = true;
               if (debug)
-                fprintf(stderr, "Filled1: %s for %p\n", strng->c_str(), (void*)Str1P);
+                fprintf(stderr, "Filled1: %s for %p\n", strng->c_str(),
+                        (void *)Str1P);
 
             }
 

diff --git a/instrumentation/cmplog-instructions-pass.cc b/instrumentation/cmplog-instructions-pass.cc
@@ -210,7 +210,8 @@ bool CmpLogInstructions::hookInstrs(Module &M) {
   }
 
   if (!icomps.size()) return false;
-  if (!be_quiet) errs() << "Hooking " << icomps.size() << " cmp instructions\n";
+  // if (!be_quiet) errs() << "Hooking " << icomps.size() << " cmp
+  // instructions\n";
 
   for (auto &selectcmpInst : icomps) {
 
@@ -259,8 +260,7 @@ bool CmpLogInstructions::hookInstrs(Module &M) {
 bool CmpLogInstructions::runOnModule(Module &M) {
 
   if (getenv("AFL_QUIET") == NULL)
-    llvm::errs()
-        << "Running cmplog-instructions-pass by [email protected]\n";
+    printf("Running cmplog-instructions-pass by [email protected]\n");
   else
     be_quiet = 1;
   hookInstrs(M);

diff --git a/instrumentation/cmplog-routines-pass.cc b/instrumentation/cmplog-routines-pass.cc
@@ -149,9 +149,11 @@ bool CmpLogRoutines::hookRtns(Module &M) {
   }
 
   if (!calls.size()) return false;
-  if (!be_quiet)
-    errs() << "Hooking " << calls.size()
-           << " calls with pointers as arguments\n";
+  /*
+    if (!be_quiet)
+      errs() << "Hooking " << calls.size()
+             << " calls with pointers as arguments\n";
+  */
 
   for (auto &callInst : calls) {
 
@@ -179,8 +181,7 @@ bool CmpLogRoutines::hookRtns(Module &M) {
 bool CmpLogRoutines::runOnModule(Module &M) {
 
   if (getenv("AFL_QUIET") == NULL)
-    llvm::errs()
-        << "Running cmplog-routines-pass by [email protected]\n";
+    printf("Running cmplog-routines-pass by [email protected]\n");
   else
     be_quiet = 1;
   hookRtns(M);

diff --git a/instrumentation/compare-transform-pass.so.cc b/instrumentation/compare-transform-pass.so.cc
@@ -339,8 +339,9 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp,
 
   if (!calls.size()) return false;
   if (!be_quiet)
-    errs() << "Replacing " << calls.size()
-           << " calls to strcmp/memcmp/strncmp/strcasecmp/strncasecmp\n";
+    printf(
+        "Replacing %lu calls to strcmp/memcmp/strncmp/strcasecmp/strncasecmp\n",
+        calls.size());
 
   for (auto &callInst : calls) {
 
@@ -426,11 +427,14 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp,
     else
       unrollLen = constStrLen;
 
-    if (!be_quiet)
-      errs() << callInst->getCalledFunction()->getName() << ": unroll len "
-             << unrollLen
-             << ((isSizedcmp && !isConstSized) ? ", variable n" : "") << ": "
-             << ConstStr << "\n";
+    /*
+        if (!be_quiet)
+          errs() << callInst->getCalledFunction()->getName() << ": unroll len "
+                 << unrollLen
+                 << ((isSizedcmp && !isConstSized) ? ", variable n" : "") << ":
+       "
+                 << ConstStr << "\n";
+    */
 
     /* split before the call instruction */
     BasicBlock *bb = callInst->getParent();
@@ -556,10 +560,12 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp,
 bool CompareTransform::runOnModule(Module &M) {
 
   if ((isatty(2) && getenv("AFL_QUIET") == NULL) || getenv("AFL_DEBUG") != NULL)
-    llvm::errs() << "Running compare-transform-pass by [email protected], "
-                    "extended by [email protected]\n";
+    printf(
+        "Running compare-transform-pass by [email protected], extended by "
+        "[email protected]\n");
   else
     be_quiet = 1;
+
   transformCmps(M, true, true, true, true, true);
   verifyModule(M);
 

diff --git a/instrumentation/split-compares-pass.so.cc b/instrumentation/split-compares-pass.so.cc
@@ -1262,8 +1262,9 @@ bool SplitComparesTransform::runOnModule(Module &M) {
   if ((isatty(2) && getenv("AFL_QUIET") == NULL) ||
       getenv("AFL_DEBUG") != NULL) {
 
-    errs() << "Split-compare-pass by [email protected], extended by "
-              "[email protected]\n";
+    printf(
+        "Split-compare-pass by [email protected], extended by "
+        "[email protected]\n");
 
   } else {
 
@@ -1275,13 +1276,15 @@ bool SplitComparesTransform::runOnModule(Module &M) {
 
     count = splitFPCompares(M);
 
-    if (!be_quiet) {
+    /*
+        if (!be_quiet) {
 
-      errs() << "Split-floatingpoint-compare-pass: " << count
-             << " FP comparisons split\n";
+          errs() << "Split-floatingpoint-compare-pass: " << count
+                 << " FP comparisons split\n";
 
-    }
+        }
 
+    */
     simplifyFPCompares(M);
 
   }
@@ -1294,37 +1297,43 @@ bool SplitComparesTransform::runOnModule(Module &M) {
 
     case 64:
       count = splitIntCompares(M, bitw);
-      if (!be_quiet)
-        errs() << "Split-integer-compare-pass " << bitw << "bit: " << count
-               << " split\n";
-
+      /*
+            if (!be_quiet)
+              errs() << "Split-integer-compare-pass " << bitw << "bit: " <<
+         count
+                     << " split\n";
+      */
       bitw >>= 1;
 #if LLVM_VERSION_MAJOR > 3 || \
     (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 7)
       [[clang::fallthrough]]; /*FALLTHRU*/                   /* FALLTHROUGH */
 #endif
     case 32:
       count = splitIntCompares(M, bitw);
-      if (!be_quiet)
-        errs() << "Split-integer-compare-pass " << bitw << "bit: " << count
-               << " split\n";
-
+      /*
+            if (!be_quiet)
+              errs() << "Split-integer-compare-pass " << bitw << "bit: " <<
+         count
+                     << " split\n";
+      */
       bitw >>= 1;
 #if LLVM_VERSION_MAJOR > 3 || \
     (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 7)
       [[clang::fallthrough]]; /*FALLTHRU*/                   /* FALLTHROUGH */
 #endif
     case 16:
       count = splitIntCompares(M, bitw);
-      if (!be_quiet)
-        errs() << "Split-integer-compare-pass " << bitw << "bit: " << count
-               << " split\n";
-
+      /*
+            if (!be_quiet)
+              errs() << "Split-integer-compare-pass " << bitw << "bit: " <<
+         count
+                     << " split\n";
+      */
       bitw >>= 1;
       break;
 
     default:
-      if (!be_quiet) errs() << "NOT Running split-compare-pass \n";
+      // if (!be_quiet) errs() << "NOT Running split-compare-pass \n";
       return false;
       break;
 

diff --git a/instrumentation/split-switches-pass.so.cc b/instrumentation/split-switches-pass.so.cc
@@ -327,10 +327,11 @@ bool SplitSwitchesTransform::splitSwitches(Module &M) {
   }
 
   if (!switches.size()) return false;
-  if (!be_quiet)
-    errs() << "Rewriting " << switches.size() << " switch statements "
-           << "\n";
-
+  /*
+    if (!be_quiet)
+      errs() << "Rewriting " << switches.size() << " switch statements "
+             << "\n";
+  */
   for (auto &SI : switches) {
 
     BasicBlock *CurBlock = SI->getParent();
@@ -341,15 +342,17 @@ bool SplitSwitchesTransform::splitSwitches(Module &M) {
     BasicBlock *Default = SI->getDefaultDest();
     unsigned    bitw = Val->getType()->getIntegerBitWidth();
 
-    if (!be_quiet)
-      errs() << "switch: " << SI->getNumCases() << " cases " << bitw
-             << " bit\n";
+    /*
+        if (!be_quiet)
+          errs() << "switch: " << SI->getNumCases() << " cases " << bitw
+                 << " bit\n";
+    */
 
     /* If there is only the default destination or the condition checks 8 bit or
      * less, don't bother with the code below. */
     if (!SI->getNumCases() || bitw <= 8) {
 
-      if (!be_quiet) errs() << "skip trivial switch..\n";
+      // if (!be_quiet) errs() << "skip trivial switch..\n";
       continue;
 
     }
@@ -415,7 +418,7 @@ bool SplitSwitchesTransform::splitSwitches(Module &M) {
 bool SplitSwitchesTransform::runOnModule(Module &M) {
 
   if ((isatty(2) && getenv("AFL_QUIET") == NULL) || getenv("AFL_DEBUG") != NULL)
-    llvm::errs() << "Running split-switches-pass by [email protected]\n";
+    printf("Running split-switches-pass by [email protected]\n");
   else
     be_quiet = 1;
   splitSwitches(M);

diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c
@@ -556,8 +556,8 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
     cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
 
     /* Saturated increment */
-    if (afl->n_fuzz[cksum % n_fuzz_size] < 0xFFFFFFFF)
-      afl->n_fuzz[cksum % n_fuzz_size]++;
+    if (afl->n_fuzz[cksum % N_FUZZ_SIZE] < 0xFFFFFFFF)
+      afl->n_fuzz[cksum % N_FUZZ_SIZE]++;
 
   }
 
@@ -597,10 +597,15 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
     if (cksum)
       afl->queue_top->exec_cksum = cksum;
     else
-      afl->queue_top->exec_cksum =
+      cksum = afl->queue_top->exec_cksum =
           hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
 
-    afl->n_fuzz[cksum % n_fuzz_size] = 1;
+    if (afl->schedule >= FAST && afl->schedule <= RARE) {
+
+      afl->queue_top->n_fuzz_entry = cksum % N_FUZZ_SIZE;
+      afl->n_fuzz[afl->queue_top->n_fuzz_entry] = 1;
+
+    }
 
     /* Try to calibrate inline; this also calls update_bitmap_score() when
        successful. */

diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
@@ -732,8 +732,8 @@ void read_testcases(afl_state_t *afl, u8 *directory) {
     if (unlikely(afl->schedule >= FAST && afl->schedule <= RARE)) {
 
       u64 cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
-
-      afl->n_fuzz[cksum % n_fuzz_size] = 1;
+      afl->queue_top->n_fuzz_entry = cksum % N_FUZZ_SIZE;
+      afl->n_fuzz[afl->queue_top->n_fuzz_entry] = 1;
 
     }