commit 1e1e67d0a7d16db0a4331702af713a163c40b87f
Author: Jesse Schwartzentruber <truber@mozilla.com>
Date: Fri Jul 14 11:04:04 2023 -0400
Increase MAP_SIZE for Nyx
diff --git a/include/config.h b/include/config.h
index 988e536e..5e9870c0 100644
--- a/include/config.h
+++ b/include/config.h
@@ -459,7 +459,7 @@
problems with complex programs). You need to recompile the target binary
after changing this - otherwise, SEGVs may ensue. */
-#define MAP_SIZE_POW2 16
+#define MAP_SIZE_POW2 23
/* Do not change this unless you really know what you are doing. */
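Review bot: `MAP_SIZE_POW2 23` is set unconditionally in config.h, so it applies to every build of this header and not only to Nyx as the commit title suggests; if the larger map is meant for Nyx targets only, the define should be guarded on the Nyx build configuration, otherwise every forkserver presumably allocates and scans a 2^23-byte map. Raising the value is also exactly the case the comment above warns about: any target instrumented against the old 2^16 map has to be rebuilt or it may crash. A one-line note next to the define, `/* 2^23 = 8 MiB, raised for Nyx targets; rebuild all instrumented binaries */`, would record both facts for the next reader.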
commit a6e42d98d9d3e936dc74729f17ab1208d477c944
Author: vanhauser-thc <vh@thc.org>
Date: Tue Jun 18 15:09:11 2024 +0200
llvm 19 fixes
diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc
index a09f28a90..63ea71c1b 100644
--- a/instrumentation/SanitizerCoverageLTO.so.cc
+++ b/instrumentation/SanitizerCoverageLTO.so.cc
@@ -214,8 +214,12 @@ class ModuleSanitizerCoverageLTO
void SetNoSanitizeMetadata(Instruction *I) {
+#if LLVM_VERSION_MAJOR >= 19
+ I->setNoSanitizeMetadata();
+#else
I->setMetadata(I->getModule()->getMDKindID("nosanitize"),
MDNode::get(*C, None));
+#endif
}
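Review bot: The `#else` branch at L36-L37 still passes `None` to `MDNode::get`, while the PCGUARD counterpart in this same commit distinguishes three ranges (`>= 19`, `>= 16` with `LLVMContext::MD_nosanitize` and `std::nullopt`, and older). If this pass is also built against LLVM 16–18, `llvm::None` is deprecated there in favour of `std::nullopt`, so the two files should use the same version ladder: `#elif LLVM_VERSION_MAJOR >= 16` followed by `I->setMetadata(LLVMContext::MD_nosanitize, MDNode::get(*C, std::nullopt));` before the existing `#else`.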
@@ -225,7 +229,7 @@ class ModuleSanitizerCoverageLTO
FunctionCallee SanCovTracePCIndir;
FunctionCallee SanCovTracePC /*, SanCovTracePCGuard*/;
Type *IntptrTy, *IntptrPtrTy, *Int64Ty, *Int64PtrTy, *Int32Ty, *Int32PtrTy,
- *Int16Ty, *Int8Ty, *Int8PtrTy, *Int1Ty, *Int1PtrTy;
+ *Int16Ty, *Int8Ty, *Int8PtrTy, *Int1Ty, *Int1PtrTy, *PtrTy;
Module *CurModule;
std::string CurModuleUniqueId;
Triple TargetTriple;
@@ -416,6 +420,7 @@ bool ModuleSanitizerCoverageLTO::instrumentModule(
Int16Ty = IRB.getInt16Ty();
Int8Ty = IRB.getInt8Ty();
Int1Ty = IRB.getInt1Ty();
+ PtrTy = PointerType::getUnqual(*C);
/* AFL++ START */
char *ptr;
@@ -1350,7 +1355,7 @@ void ModuleSanitizerCoverageLTO::instrumentFunction(
Function &F, DomTreeCallback DTCallback, PostDomTreeCallback PDTCallback) {
if (F.empty()) return;
- if (F.getName().find(".module_ctor") != std::string::npos)
+ if (F.getName().contains(".module_ctor"))
return; // Should not instrument sanitizer init functions.
#if LLVM_VERSION_MAJOR >= 18
if (F.getName().starts_with("__sanitizer_"))
@@ -1372,6 +1377,10 @@ void ModuleSanitizerCoverageLTO::instrumentFunction(
if (F.hasPersonalityFn() &&
isAsynchronousEHPersonality(classifyEHPersonality(F.getPersonalityFn())))
return;
+ if (F.hasFnAttribute(Attribute::NoSanitizeCoverage)) return;
+#if LLVM_VERSION_MAJOR >= 19
+ if (F.hasFnAttribute(Attribute::DisableSanitizerInstrumentation)) return;
+#endif
// if (Allowlist && !Allowlist->inSection("coverage", "fun", F.getName()))
// return;
// if (Blocklist && Blocklist->inSection("coverage", "fun", F.getName()))
@@ -2023,16 +2032,20 @@ GlobalVariable *ModuleSanitizerCoverageLTO::CreatePCArray(
if (&F.getEntryBlock() == AllBlocks[i]) {
- PCs.push_back((Constant *)IRB.CreatePointerCast(&F, IntptrPtrTy));
- PCs.push_back((Constant *)IRB.CreateIntToPtr(
- ConstantInt::get(IntptrTy, 1), IntptrPtrTy));
+ PCs.push_back((Constant *)IRB.CreatePointerCast(&F, PtrTy));
+ PCs.push_back(
+ (Constant *)IRB.CreateIntToPtr(ConstantInt::get(IntptrTy, 1), PtrTy));
} else {
PCs.push_back((Constant *)IRB.CreatePointerCast(
- BlockAddress::get(AllBlocks[i]), IntptrPtrTy));
- PCs.push_back((Constant *)IRB.CreateIntToPtr(
- ConstantInt::get(IntptrTy, 0), IntptrPtrTy));
+ BlockAddress::get(AllBlocks[i]), PtrTy));
+#if LLVM_VERSION_MAJOR >= 16
+ PCs.push_back(Constant::getNullValue(PtrTy));
+#else
+ PCs.push_back(
+ (Constant *)IRB.CreateIntToPtr(ConstantInt::get(IntptrTy, 0), PtrTy));
+#endif
}
diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc
index 01881f28e..49fe904be 100644
--- a/instrumentation/SanitizerCoveragePCGUARD.so.cc
+++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc
@@ -161,7 +161,9 @@ class ModuleSanitizerCoverageAFL
void SetNoSanitizeMetadata(Instruction *I) {
-#if LLVM_VERSION_MAJOR >= 16
+#if LLVM_VERSION_MAJOR >= 19
+ I->setNoSanitizeMetadata();
+#elif LLVM_VERSION_MAJOR >= 16
I->setMetadata(LLVMContext::MD_nosanitize, MDNode::get(*C, std::nullopt));
#else
I->setMetadata(I->getModule()->getMDKindID("nosanitize"),
@@ -179,7 +181,7 @@ class ModuleSanitizerCoverageAFL
FunctionCallee SanCovTraceSwitchFunction;
GlobalVariable *SanCovLowestStack;
Type *IntptrTy, *IntptrPtrTy, *Int64Ty, *Int64PtrTy, *Int32Ty, *Int32PtrTy,
- *Int16Ty, *Int8Ty, *Int8PtrTy, *Int1Ty, *Int1PtrTy;
+ *Int16Ty, *Int8Ty, *Int8PtrTy, *Int1Ty, *Int1PtrTy, *PtrTy;
Module *CurModule;
std::string CurModuleUniqueId;
Triple TargetTriple;
@@ -272,13 +274,19 @@ std::pair<Value *, Value *> ModuleSanitizerCoverageAFL::CreateSecStartEnd(
if (!TargetTriple.isOSBinFormatCOFF())
return std::make_pair(SecStart, SecEnd);
- // Account for the fact that on windows-msvc __start_* symbols actually
- // point to a uint64_t before the start of the array.
+ // Account for the fact that on windows-msvc __start_* symbols actually
+ // point to a uint64_t before the start of the array.
+#if LLVM_VERSION_MAJOR >= 19
+ auto GEP =
+ IRB.CreatePtrAdd(SecStart, ConstantInt::get(IntptrTy, sizeof(uint64_t)));
+ return std::make_pair(GEP, SecEnd);
+#else
auto SecStartI8Ptr = IRB.CreatePointerCast(SecStart, Int8PtrTy);
auto GEP = IRB.CreateGEP(Int8Ty, SecStartI8Ptr,
ConstantInt::get(IntptrTy, sizeof(uint64_t)));
return std::make_pair(IRB.CreatePointerCast(GEP, PointerType::getUnqual(Ty)),
SecEnd);
+#endif
}
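Review bot: On the `LLVM_VERSION_MAJOR >= 19` path `Ty` is no longer referenced (only the `#else` branch at L133 uses it), so if `Ty` is a parameter of CreateSecStartEnd — its signature lies outside the hunk — builds with unused-parameter warnings enabled will now warn on LLVM 19+. Either retire the parameter once older versions are dropped or add `(void)Ty;` inside the new branch so the intent is explicit.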
@@ -370,6 +378,7 @@ bool ModuleSanitizerCoverageAFL::instrumentModule(
Int16Ty = IRB.getInt16Ty();
Int8Ty = IRB.getInt8Ty();
Int1Ty = IRB.getInt1Ty();
+ PtrTy = PointerType::getUnqual(*C);
LLVMContext &Ctx = M.getContext();
AFLMapPtr =
@@ -572,7 +581,8 @@ void ModuleSanitizerCoverageAFL::instrumentFunction(
if (F.empty()) return;
if (!isInInstrumentList(&F, FMNAME)) return;
- if (F.getName().find(".module_ctor") != std::string::npos)
+ // if (F.getName().find(".module_ctor") != std::string::npos)
+ if (F.getName().contains(".module_ctor"))
return; // Should not instrument sanitizer init functions.
#if LLVM_VERSION_MAJOR >= 18
if (F.getName().starts_with("__sanitizer_"))
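Review bot: The old condition is kept as a commented-out line at L148 directly above its replacement; the LTO pass in the same commit replaces the line outright, and the removed form is already preserved in history, so the comment should be deleted rather than left as dead code. instrumentFunction continues outside the hunk.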
@@ -595,6 +605,9 @@ void ModuleSanitizerCoverageAFL::instrumentFunction(
isAsynchronousEHPersonality(classifyEHPersonality(F.getPersonalityFn())))
return;
if (F.hasFnAttribute(Attribute::NoSanitizeCoverage)) return;
+#if LLVM_VERSION_MAJOR >= 19
+ if (F.hasFnAttribute(Attribute::DisableSanitizerInstrumentation)) return;
+#endif
if (Options.CoverageType >= SanitizerCoverageOptions::SCK_Edge)
SplitAllCriticalEdges(
F, CriticalEdgeSplittingOptions().setIgnoreUnreachableDests());
@@ -692,16 +705,16 @@ GlobalVariable *ModuleSanitizerCoverageAFL::CreatePCArray(
if (&F.getEntryBlock() == AllBlocks[i]) {
- PCs.push_back((Constant *)IRB.CreatePointerCast(&F, IntptrPtrTy));
- PCs.push_back((Constant *)IRB.CreateIntToPtr(
- ConstantInt::get(IntptrTy, 1), IntptrPtrTy));
+ PCs.push_back((Constant *)IRB.CreatePointerCast(&F, PtrTy));
+ PCs.push_back(
+ (Constant *)IRB.CreateIntToPtr(ConstantInt::get(IntptrTy, 1), PtrTy));
} else {
PCs.push_back((Constant *)IRB.CreatePointerCast(
- BlockAddress::get(AllBlocks[i]), IntptrPtrTy));
+ BlockAddress::get(AllBlocks[i]), PtrTy));
#if LLVM_VERSION_MAJOR >= 16
- PCs.push_back(Constant::getNullValue(IntptrPtrTy));
+ PCs.push_back(Constant::getNullValue(PtrTy));
#else
PCs.push_back((Constant *)IRB.CreateIntToPtr(
ConstantInt::get(IntptrTy, 0), IntptrPtrTy));
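Review bot: The `#else` branch for LLVM < 16 at L179-L180 still builds the null entry with `IntptrPtrTy`, while every other entry pushed in this function and the array type built a few lines later (next hunk) now use `PtrTy`. On versions where the two are distinct types, `ConstantArray::get` requires each element to match the array element type, so that path would assert at runtime; change the branch to `ConstantInt::get(IntptrTy, 0), PtrTy));` as the LTO pass does at L92-L93. The enclosing `#if`/`#else` and the function continue outside the hunk.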
@@ -711,10 +724,10 @@ GlobalVariable *ModuleSanitizerCoverageAFL::CreatePCArray(
}
- auto *PCArray = CreateFunctionLocalArrayInSection(N * 2, F, IntptrPtrTy,
- SanCovPCsSectionName);
+ auto *PCArray =
+ CreateFunctionLocalArrayInSection(N * 2, F, PtrTy, SanCovPCsSectionName);
PCArray->setInitializer(
- ConstantArray::get(ArrayType::get(IntptrPtrTy, N * 2), PCs));
+ ConstantArray::get(ArrayType::get(PtrTy, N * 2), PCs));
PCArray->setConstant(true);
return PCArray;
@@ -822,7 +835,12 @@ bool ModuleSanitizerCoverageAFL::InjectCoverage(
StringRef FuncName = Callee->getName();
if (FuncName.compare(StringRef("__afl_coverage_interesting"))) continue;
+#if LLVM_VERSION_MAJOR >= 20
+ // test canary
+ InstrumentationIRBuilder IRB(callInst);
+#else
IRBuilder<> IRB(callInst);
+#endif
if (!FunctionGuardArray) {
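Review bot: `// test canary` at L196 does not tell a reader why `InstrumentationIRBuilder` replaces `IRBuilder<>` on LLVM 20; a why-comment stating what the new builder provides here would be more useful, e.g. `// LLVM 20+: InstrumentationIRBuilder — <reason for the switch>`. If the line was a temporary marker while testing, it should be removed before merge. The surrounding loop and function continue outside the hunk.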
commit 8fcca6fb410a6ece1a4cd2eb8a2cdeed4d4d9865
Author: "Christian Holler (:decoder)" <choller@mozilla.com>
Date: Wed Jun 19 12:36:58 2024 +0200
Collect persistent coverage data and dump it at the end of the run
With CODE_COVERAGE builds, we need to collect the coverage data of each
iteration in a persistent buffer that has the same size as the regular
trace buffer used for fuzzing. We dump this information at the end of
the run and when combined with pointer data and module info, this can be
used to calculate code coverage.
diff --git a/include/forkserver.h b/include/forkserver.h
index 593e34a29..3fd813a4f 100644
--- a/include/forkserver.h
+++ b/include/forkserver.h
@@ -206,6 +206,10 @@ typedef struct afl_forkserver {
s32 nyx_log_fd;
#endif
+#ifdef __AFL_CODE_COVERAGE
+ u8 *persistent_trace_bits; /* Persistent copy of bitmap */
+#endif
+
} afl_forkserver_t;
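Review bot: The comment `/* Persistent copy of bitmap */` describes the field as a copy, but the code that fills it in afl-fuzz-run.c in this commit increments each entry whenever the corresponding `trace_bits` entry is set and stops at 255, so it is a saturating per-entry hit counter accumulated over all executions, not a copy of any single bitmap. Suggest `/* Saturating per-entry hit counts over all runs (CODE_COVERAGE) */`. Since the buffer is allocated lazily elsewhere, stating who owns and frees it would also help; the forkserver's teardown path is outside this diff.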
typedef enum fsrv_run_result {
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index 71d8570dc..a998c10f0 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -252,6 +252,10 @@ void afl_fsrv_init(afl_forkserver_t *fsrv) {
fsrv->uses_crash_exitcode = false;
fsrv->uses_asan = false;
+#ifdef __AFL_CODE_COVERAGE
+ fsrv->persistent_trace_bits = NULL;
+#endif
+
fsrv->init_child_func = fsrv_exec_child;
list_append(&fsrv_list, fsrv);
@@ -278,6 +282,10 @@ void afl_fsrv_init_dup(afl_forkserver_t *fsrv_to, afl_forkserver_t *from) {
fsrv_to->fsrv_kill_signal = from->fsrv_kill_signal;
fsrv_to->debug = from->debug;
+#ifdef __AFL_CODE_COVERAGE
+ fsrv_to->persistent_trace_bits = from->persistent_trace_bits;
+#endif
+
// These are forkserver specific.
fsrv_to->out_dir_fd = -1;
fsrv_to->child_pid = -1;
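Review bot: Copying `persistent_trace_bits` at L241 gives the duplicate either a shared buffer or, when `from` has not run yet (the field is initialised to NULL in afl_fsrv_init in this commit and allocated lazily on first run), a NULL that each forkserver later fills with its own allocation; which of the two is intended is not stated, and only one of the buffers is presumably dumped at exit. A comment on this line, `/* shared with `from` if already allocated; otherwise each forkserver allocates its own on first run */`, or an explicit decision to allocate here so both always share one map, would settle it.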
diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index 6a0da6abb..c234fc429 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -60,6 +60,27 @@ fuzz_run_target(afl_state_t *afl, afl_forkserver_t *fsrv, u32 timeout) {
fsrv_run_result_t res = afl_fsrv_run_target(fsrv, timeout, &afl->stop_soon);
+#ifdef __AFL_CODE_COVERAGE
+ if (unlikely(!fsrv->persistent_trace_bits)) {
+
+ // On the first run, we allocate the persistent map to collect coverage.
+ fsrv->persistent_trace_bits = (u8 *)malloc(fsrv->map_size);
+ memset(fsrv->persistent_trace_bits, 0, fsrv->map_size);
+
+ }
+
+ for (u32 i = 0; i < fsrv->map_size; ++i) {
+
+ if (fsrv->persistent_trace_bits[i] != 255 && fsrv->trace_bits[i]) {
+
+ fsrv->persistent_trace_bits[i]++;
+
+ }
+
+ }
+
+#endif
+
/* If post_run() function is defined in custom mutator, the function will be
called each time after AFL++ executes the target program. */
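Review bot: The `malloc` at L257 is unchecked, so an allocation failure goes straight into `memset` on a null pointer. The project's allocator wrappers abort with a diagnostic on failure and return zeroed memory, so `fsrv->persistent_trace_bits = ck_alloc(fsrv->map_size);` can replace both L257 and L258. The full-map loop at L262-L270 runs after every execution, which is acceptable only because it is confined to `__AFL_CODE_COVERAGE` builds; a short comment saying so would keep a later reader from moving it. fuzz_run_target continues outside the hunk.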
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index a09a53ec8..0209e74fe 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -3130,6 +3130,28 @@ int main(int argc, char **argv_orig, char **envp) {
write_bitmap(afl);
save_auto(afl);
+ #ifdef __AFL_CODE_COVERAGE
+ if (afl->fsrv.persistent_trace_bits) {
+
+ char cfn[4096];
+ snprintf(cfn, sizeof(cfn), "%s/covmap.dump", afl->out_dir);
+
+ FILE *cov_fd;
+ if ((cov_fd = fopen(cfn, "w")) == NULL) {
+
+ PFATAL("could not create '%s'", cfn);
+
+ }
+
+ // Write the real map size, as the map size must exactly match the pointer
+ // map in length.
+ fwrite(afl->fsrv.persistent_trace_bits, 1, afl->fsrv.real_map_size, cov_fd);
+ fclose(cov_fd);
+
+ }
+
+ #endif
+
if (afl->pizza_is_served) {
SAYF(CURSOR_SHOW cLRD "\n\n+++ Baking aborted %s +++\n" cRST,