xref: /aosp_15_r20/external/AFLplusplus/instrumentation/afl-llvm-pass.so.cc (revision 08b48e0b10e97b33e7b60c5b6e2243bd915777f2)
1*08b48e0bSAndroid Build Coastguard Worker /*
2*08b48e0bSAndroid Build Coastguard Worker    american fuzzy lop++ - LLVM-mode instrumentation pass
3*08b48e0bSAndroid Build Coastguard Worker    ---------------------------------------------------
4*08b48e0bSAndroid Build Coastguard Worker 
5*08b48e0bSAndroid Build Coastguard Worker    Written by Laszlo Szekeres <[email protected]>,
6*08b48e0bSAndroid Build Coastguard Worker               Adrian Herrera <[email protected]>,
7*08b48e0bSAndroid Build Coastguard Worker               Michal Zalewski
8*08b48e0bSAndroid Build Coastguard Worker 
9*08b48e0bSAndroid Build Coastguard Worker    LLVM integration design comes from Laszlo Szekeres. C bits copied-and-pasted
10*08b48e0bSAndroid Build Coastguard Worker    from afl-as.c are Michal's fault.
11*08b48e0bSAndroid Build Coastguard Worker 
12*08b48e0bSAndroid Build Coastguard Worker    NGRAM previous location coverage comes from Adrian Herrera.
13*08b48e0bSAndroid Build Coastguard Worker 
14*08b48e0bSAndroid Build Coastguard Worker    Copyright 2015, 2016 Google Inc. All rights reserved.
15*08b48e0bSAndroid Build Coastguard Worker    Copyright 2019-2024 AFLplusplus Project. All rights reserved.
16*08b48e0bSAndroid Build Coastguard Worker 
17*08b48e0bSAndroid Build Coastguard Worker    Licensed under the Apache License, Version 2.0 (the "License");
18*08b48e0bSAndroid Build Coastguard Worker    you may not use this file except in compliance with the License.
19*08b48e0bSAndroid Build Coastguard Worker    You may obtain a copy of the License at:
20*08b48e0bSAndroid Build Coastguard Worker 
21*08b48e0bSAndroid Build Coastguard Worker      https://www.apache.org/licenses/LICENSE-2.0
22*08b48e0bSAndroid Build Coastguard Worker 
23*08b48e0bSAndroid Build Coastguard Worker    This library is plugged into LLVM when invoking clang through afl-clang-fast.
24*08b48e0bSAndroid Build Coastguard Worker    It tells the compiler to add code roughly equivalent to the bits discussed
25*08b48e0bSAndroid Build Coastguard Worker    in ../afl-as.h.
26*08b48e0bSAndroid Build Coastguard Worker 
27*08b48e0bSAndroid Build Coastguard Worker  */
28*08b48e0bSAndroid Build Coastguard Worker 
29*08b48e0bSAndroid Build Coastguard Worker #define AFL_LLVM_PASS
30*08b48e0bSAndroid Build Coastguard Worker 
31*08b48e0bSAndroid Build Coastguard Worker #include "config.h"
32*08b48e0bSAndroid Build Coastguard Worker #include "debug.h"
33*08b48e0bSAndroid Build Coastguard Worker #include <stdio.h>
34*08b48e0bSAndroid Build Coastguard Worker #include <stdlib.h>
35*08b48e0bSAndroid Build Coastguard Worker #include <unistd.h>
36*08b48e0bSAndroid Build Coastguard Worker 
37*08b48e0bSAndroid Build Coastguard Worker #include <list>
38*08b48e0bSAndroid Build Coastguard Worker #include <string>
39*08b48e0bSAndroid Build Coastguard Worker #include <fstream>
40*08b48e0bSAndroid Build Coastguard Worker #include <sys/time.h>
41*08b48e0bSAndroid Build Coastguard Worker 
42*08b48e0bSAndroid Build Coastguard Worker #include "llvm/Config/llvm-config.h"
43*08b48e0bSAndroid Build Coastguard Worker #if LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR < 5
44*08b48e0bSAndroid Build Coastguard Worker typedef long double max_align_t;
45*08b48e0bSAndroid Build Coastguard Worker #endif
46*08b48e0bSAndroid Build Coastguard Worker 
47*08b48e0bSAndroid Build Coastguard Worker #include "llvm/Pass.h"
48*08b48e0bSAndroid Build Coastguard Worker #if LLVM_VERSION_MAJOR >= 11                        /* use new pass manager */
49*08b48e0bSAndroid Build Coastguard Worker   #include "llvm/Passes/PassPlugin.h"
50*08b48e0bSAndroid Build Coastguard Worker   #include "llvm/Passes/PassBuilder.h"
51*08b48e0bSAndroid Build Coastguard Worker   #include "llvm/IR/PassManager.h"
52*08b48e0bSAndroid Build Coastguard Worker #else
53*08b48e0bSAndroid Build Coastguard Worker   #include "llvm/IR/LegacyPassManager.h"
54*08b48e0bSAndroid Build Coastguard Worker   #include "llvm/Transforms/IPO/PassManagerBuilder.h"
55*08b48e0bSAndroid Build Coastguard Worker #endif
56*08b48e0bSAndroid Build Coastguard Worker #include "llvm/IR/BasicBlock.h"
57*08b48e0bSAndroid Build Coastguard Worker #include "llvm/IR/Module.h"
58*08b48e0bSAndroid Build Coastguard Worker #include "llvm/Support/Debug.h"
59*08b48e0bSAndroid Build Coastguard Worker #include "llvm/Support/MathExtras.h"
60*08b48e0bSAndroid Build Coastguard Worker #if LLVM_VERSION_MAJOR >= 14                /* how about stable interfaces? */
61*08b48e0bSAndroid Build Coastguard Worker   #include "llvm/Passes/OptimizationLevel.h"
62*08b48e0bSAndroid Build Coastguard Worker #endif
63*08b48e0bSAndroid Build Coastguard Worker 
64*08b48e0bSAndroid Build Coastguard Worker #if LLVM_VERSION_MAJOR >= 4 || \
65*08b48e0bSAndroid Build Coastguard Worker     (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 4)
66*08b48e0bSAndroid Build Coastguard Worker   #include "llvm/IR/DebugInfo.h"
67*08b48e0bSAndroid Build Coastguard Worker   #include "llvm/IR/CFG.h"
68*08b48e0bSAndroid Build Coastguard Worker #else
69*08b48e0bSAndroid Build Coastguard Worker   #include "llvm/DebugInfo.h"
70*08b48e0bSAndroid Build Coastguard Worker   #include "llvm/Support/CFG.h"
71*08b48e0bSAndroid Build Coastguard Worker #endif
72*08b48e0bSAndroid Build Coastguard Worker 
73*08b48e0bSAndroid Build Coastguard Worker #include "llvm/IR/IRBuilder.h"
74*08b48e0bSAndroid Build Coastguard Worker 
75*08b48e0bSAndroid Build Coastguard Worker #include "afl-llvm-common.h"
76*08b48e0bSAndroid Build Coastguard Worker #include "llvm-alternative-coverage.h"
77*08b48e0bSAndroid Build Coastguard Worker 
78*08b48e0bSAndroid Build Coastguard Worker using namespace llvm;
79*08b48e0bSAndroid Build Coastguard Worker 
80*08b48e0bSAndroid Build Coastguard Worker namespace {
81*08b48e0bSAndroid Build Coastguard Worker 
/* Module pass that adds AFL++ coverage instrumentation.

   One class body serves both pass managers. From LLVM 11 on it is a
   new-pass-manager mixin whose work happens in run(); on older releases it
   is a legacy ModulePass, constructed with the static ID member, whose work
   happens in runOnModule(). Either way the constructor calls
   initInstrumentList(). */
#if LLVM_VERSION_MAJOR >= 11                        /* use new pass manager */
class AFLCoverage : public PassInfoMixin<AFLCoverage> {

#else
class AFLCoverage : public ModulePass {

#endif

 public:
#if LLVM_VERSION_MAJOR < 11
  /* Handed to the ModulePass base constructor below. */
  static char ID;
#endif

  AFLCoverage()
#if LLVM_VERSION_MAJOR < 11
      : ModulePass(ID)
#endif
  {

    initInstrumentList();

  }

#if LLVM_VERSION_MAJOR >= 11                        /* use new pass manager */
  PreservedAnalyses run(Module &M, ModuleAnalysisManager &MAM);
#else
  bool runOnModule(Module &M) override;
#endif

 protected:
  /* Parsed by the pass from AFL_LLVM_NGRAM_SIZE / AFL_NGRAM_SIZE; 0 until
     then. */
  uint32_t ngram_size = 0;
  /* Parsed by the pass from AFL_LLVM_CTX_K / AFL_CTX_K; 0 until then. */
  uint32_t ctx_k = 0;
  /* Starts at the compile-time MAP_SIZE. */
  uint32_t map_size = MAP_SIZE;
  uint32_t function_minimum_size = 1;

  /* Non-owning strings. The pass fills them with getenv() results
     (AFL_LLVM_CTX, AFL_LLVM_CALLER, AFL_LLVM_SKIP_NEVERZERO,
     AFL_LLVM_THREADSAFE_INST) or a string literal, and only tests them for
     being non-null, so they must never be freed or written through. */
  const char *ctx_str = nullptr;
  const char *caller_str = nullptr;
  const char *skip_nozero = nullptr;
  const char *use_threadsafe_counters = nullptr;

};
116*08b48e0bSAndroid Build Coastguard Worker 
117*08b48e0bSAndroid Build Coastguard Worker }  // namespace
118*08b48e0bSAndroid Build Coastguard Worker 
119*08b48e0bSAndroid Build Coastguard Worker #if LLVM_VERSION_MAJOR >= 11                        /* use new pass manager */
/* Plugin descriptor for the new pass manager. It reports the plugin API
   version, the plugin name and version string, and a callback that
   registers AFLCoverage with the PassBuilder it is given. */
extern "C" ::llvm::PassPluginLibraryInfo LLVM_ATTRIBUTE_WEAK
llvmGetPassPluginInfo() {

  /* Captureless, so it converts to the plain function pointer that the
     descriptor stores. */
  auto register_callbacks = [](PassBuilder &PB) {

  #if 1
    #if LLVM_VERSION_MAJOR <= 13
    /* Up to LLVM 13 the enum is nested in PassBuilder. */
    using OptimizationLevel = typename PassBuilder::OptimizationLevel;
    #endif
    /* Add the instrumentation at the OptimizerLast extension point; the
       optimization level is not consulted. */
    PB.registerOptimizerLastEPCallback(
        [](ModulePassManager &MPM, OptimizationLevel OL) {

          MPM.addPass(AFLCoverage());

        });

  /* TODO LTO registration */
  #else
    /* Disabled alternative: add the pass only when the pipeline text names
       "AFLCoverage". */
    using PipelineElement = typename PassBuilder::PipelineElement;
    PB.registerPipelineParsingCallback(
        [](StringRef Name, ModulePassManager &MPM, ArrayRef<PipelineElement>) {

          if (Name != "AFLCoverage") return false;

          MPM.addPass(AFLCoverage());
          return true;

        });

  #endif

  };

  return {LLVM_PLUGIN_API_VERSION, "AFLCoverage", "v0.1", register_callbacks};

}
163*08b48e0bSAndroid Build Coastguard Worker 
164*08b48e0bSAndroid Build Coastguard Worker #else
165*08b48e0bSAndroid Build Coastguard Worker 
/* Legacy pass manager only: storage for the identifier that the AFLCoverage
   constructor passes to ModulePass. */
char AFLCoverage::ID{0};
167*08b48e0bSAndroid Build Coastguard Worker #endif
168*08b48e0bSAndroid Build Coastguard Worker 
169*08b48e0bSAndroid Build Coastguard Worker /* needed up to 3.9.0 */
170*08b48e0bSAndroid Build Coastguard Worker #if LLVM_VERSION_MAJOR == 3 && \
171*08b48e0bSAndroid Build Coastguard Worker     (LLVM_VERSION_MINOR < 9 || \
172*08b48e0bSAndroid Build Coastguard Worker      (LLVM_VERSION_MINOR == 9 && LLVM_VERSION_PATCH < 1))
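/* Fallback for LLVM releases without llvm::PowerOf2Ceil: returns the
   smallest power of two that is greater than or equal to `in`.

   The argument is widened to 64 bits before the decrement. Decrementing the
   32-bit value first wraps an input of 0 to 0xffffffff and returns 2^32;
   widening first lets the 64-bit arithmetic wrap instead, so an input of 0
   returns 0.

   Inputs above 2^31 return 2^32, which does not fit in 32 bits. The callers
   in this file store the result in an int, so a result that large would be
   truncated there; range-check the argument before narrowing. */
uint64_t PowerOf2Ceil(unsigned in) {

  uint64_t in64 = static_cast<uint64_t>(in) - 1;

  /* Copy the highest set bit into every lower position, so that adding one
     carries into the next power of two. */
  for (unsigned shift = 1; shift <= 32; shift <<= 1)
    in64 |= (in64 >> shift);

  return in64 + 1;

}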
185*08b48e0bSAndroid Build Coastguard Worker 
186*08b48e0bSAndroid Build Coastguard Worker #endif
187*08b48e0bSAndroid Build Coastguard Worker 
188*08b48e0bSAndroid Build Coastguard Worker /* #if LLVM_VERSION_STRING >= "4.0.1" */
189*08b48e0bSAndroid Build Coastguard Worker #if LLVM_VERSION_MAJOR >= 5 || \
190*08b48e0bSAndroid Build Coastguard Worker     (LLVM_VERSION_MAJOR == 4 && LLVM_VERSION_PATCH >= 1)
191*08b48e0bSAndroid Build Coastguard Worker   #define AFL_HAVE_VECTOR_INTRINSICS 1
192*08b48e0bSAndroid Build Coastguard Worker #endif
193*08b48e0bSAndroid Build Coastguard Worker 
194*08b48e0bSAndroid Build Coastguard Worker #if LLVM_VERSION_MAJOR >= 11                        /* use new pass manager */
run(Module & M,ModuleAnalysisManager & MAM)195*08b48e0bSAndroid Build Coastguard Worker PreservedAnalyses AFLCoverage::run(Module &M, ModuleAnalysisManager &MAM) {
196*08b48e0bSAndroid Build Coastguard Worker 
197*08b48e0bSAndroid Build Coastguard Worker #else
198*08b48e0bSAndroid Build Coastguard Worker bool AFLCoverage::runOnModule(Module &M) {
199*08b48e0bSAndroid Build Coastguard Worker 
200*08b48e0bSAndroid Build Coastguard Worker #endif
201*08b48e0bSAndroid Build Coastguard Worker 
202*08b48e0bSAndroid Build Coastguard Worker   LLVMContext &C = M.getContext();
203*08b48e0bSAndroid Build Coastguard Worker 
204*08b48e0bSAndroid Build Coastguard Worker   IntegerType *Int8Ty = IntegerType::getInt8Ty(C);
205*08b48e0bSAndroid Build Coastguard Worker   IntegerType *Int32Ty = IntegerType::getInt32Ty(C);
206*08b48e0bSAndroid Build Coastguard Worker #ifdef AFL_HAVE_VECTOR_INTRINSICS
207*08b48e0bSAndroid Build Coastguard Worker   IntegerType *IntLocTy =
208*08b48e0bSAndroid Build Coastguard Worker       IntegerType::getIntNTy(C, sizeof(PREV_LOC_T) * CHAR_BIT);
209*08b48e0bSAndroid Build Coastguard Worker #endif
210*08b48e0bSAndroid Build Coastguard Worker   struct timeval  tv;
211*08b48e0bSAndroid Build Coastguard Worker   struct timezone tz;
212*08b48e0bSAndroid Build Coastguard Worker   u32             rand_seed;
213*08b48e0bSAndroid Build Coastguard Worker   unsigned int    cur_loc = 0;
214*08b48e0bSAndroid Build Coastguard Worker 
215*08b48e0bSAndroid Build Coastguard Worker #if LLVM_VERSION_MAJOR >= 11                        /* use new pass manager */
216*08b48e0bSAndroid Build Coastguard Worker   auto PA = PreservedAnalyses::all();
217*08b48e0bSAndroid Build Coastguard Worker #endif
218*08b48e0bSAndroid Build Coastguard Worker 
219*08b48e0bSAndroid Build Coastguard Worker   /* Setup random() so we get Actually Random(TM) outputs from AFL_R() */
220*08b48e0bSAndroid Build Coastguard Worker   gettimeofday(&tv, &tz);
221*08b48e0bSAndroid Build Coastguard Worker   rand_seed = tv.tv_sec ^ tv.tv_usec ^ getpid();
222*08b48e0bSAndroid Build Coastguard Worker   AFL_SR(rand_seed);
223*08b48e0bSAndroid Build Coastguard Worker 
224*08b48e0bSAndroid Build Coastguard Worker   /* Show a banner */
225*08b48e0bSAndroid Build Coastguard Worker 
226*08b48e0bSAndroid Build Coastguard Worker   setvbuf(stdout, NULL, _IONBF, 0);
227*08b48e0bSAndroid Build Coastguard Worker 
228*08b48e0bSAndroid Build Coastguard Worker   if (getenv("AFL_DEBUG")) debug = 1;
229*08b48e0bSAndroid Build Coastguard Worker 
230*08b48e0bSAndroid Build Coastguard Worker   if ((isatty(2) && !getenv("AFL_QUIET")) || getenv("AFL_DEBUG") != NULL) {
231*08b48e0bSAndroid Build Coastguard Worker 
232*08b48e0bSAndroid Build Coastguard Worker     SAYF(cCYA "afl-llvm-pass" VERSION cRST
233*08b48e0bSAndroid Build Coastguard Worker               " by <[email protected]> and <[email protected]>\n");
234*08b48e0bSAndroid Build Coastguard Worker 
235*08b48e0bSAndroid Build Coastguard Worker   } else
236*08b48e0bSAndroid Build Coastguard Worker 
237*08b48e0bSAndroid Build Coastguard Worker     be_quiet = 1;
238*08b48e0bSAndroid Build Coastguard Worker 
239*08b48e0bSAndroid Build Coastguard Worker   /*
240*08b48e0bSAndroid Build Coastguard Worker     char *ptr;
241*08b48e0bSAndroid Build Coastguard Worker     if ((ptr = getenv("AFL_MAP_SIZE")) || (ptr = getenv("AFL_MAPSIZE"))) {
242*08b48e0bSAndroid Build Coastguard Worker 
243*08b48e0bSAndroid Build Coastguard Worker       map_size = atoi(ptr);
244*08b48e0bSAndroid Build Coastguard Worker       if (map_size < 8 || map_size > (1 << 29))
245*08b48e0bSAndroid Build Coastguard Worker         FATAL("illegal AFL_MAP_SIZE %u, must be between 2^3 and 2^30",
246*08b48e0bSAndroid Build Coastguard Worker     map_size); if (map_size % 8) map_size = (((map_size >> 3) + 1) << 3);
247*08b48e0bSAndroid Build Coastguard Worker 
248*08b48e0bSAndroid Build Coastguard Worker     }
249*08b48e0bSAndroid Build Coastguard Worker 
250*08b48e0bSAndroid Build Coastguard Worker   */
251*08b48e0bSAndroid Build Coastguard Worker 
252*08b48e0bSAndroid Build Coastguard Worker   /* Decide instrumentation ratio */
253*08b48e0bSAndroid Build Coastguard Worker 
254*08b48e0bSAndroid Build Coastguard Worker   char        *inst_ratio_str = getenv("AFL_INST_RATIO");
255*08b48e0bSAndroid Build Coastguard Worker   unsigned int inst_ratio = 100;
256*08b48e0bSAndroid Build Coastguard Worker 
257*08b48e0bSAndroid Build Coastguard Worker   if (inst_ratio_str) {
258*08b48e0bSAndroid Build Coastguard Worker 
259*08b48e0bSAndroid Build Coastguard Worker     if (sscanf(inst_ratio_str, "%u", &inst_ratio) != 1 || !inst_ratio ||
260*08b48e0bSAndroid Build Coastguard Worker         inst_ratio > 100)
261*08b48e0bSAndroid Build Coastguard Worker       FATAL("Bad value of AFL_INST_RATIO (must be between 1 and 100)");
262*08b48e0bSAndroid Build Coastguard Worker 
263*08b48e0bSAndroid Build Coastguard Worker   }
264*08b48e0bSAndroid Build Coastguard Worker 
265*08b48e0bSAndroid Build Coastguard Worker #if LLVM_VERSION_MAJOR < 9
266*08b48e0bSAndroid Build Coastguard Worker   char *neverZero_counters_str = getenv("AFL_LLVM_NOT_ZERO");
267*08b48e0bSAndroid Build Coastguard Worker #endif
268*08b48e0bSAndroid Build Coastguard Worker   skip_nozero = getenv("AFL_LLVM_SKIP_NEVERZERO");
269*08b48e0bSAndroid Build Coastguard Worker   use_threadsafe_counters = getenv("AFL_LLVM_THREADSAFE_INST");
270*08b48e0bSAndroid Build Coastguard Worker 
271*08b48e0bSAndroid Build Coastguard Worker   if ((isatty(2) && !getenv("AFL_QUIET")) || !!getenv("AFL_DEBUG")) {
272*08b48e0bSAndroid Build Coastguard Worker 
273*08b48e0bSAndroid Build Coastguard Worker     if (use_threadsafe_counters) {
274*08b48e0bSAndroid Build Coastguard Worker 
275*08b48e0bSAndroid Build Coastguard Worker       // disabled unless there is support for other modules as well
276*08b48e0bSAndroid Build Coastguard Worker       // (increases documentation complexity)
277*08b48e0bSAndroid Build Coastguard Worker       /*      if (!getenv("AFL_LLVM_NOT_ZERO")) { */
278*08b48e0bSAndroid Build Coastguard Worker 
279*08b48e0bSAndroid Build Coastguard Worker       skip_nozero = "1";
280*08b48e0bSAndroid Build Coastguard Worker       SAYF(cCYA "afl-llvm-pass" VERSION cRST " using thread safe counters\n");
281*08b48e0bSAndroid Build Coastguard Worker 
282*08b48e0bSAndroid Build Coastguard Worker       /*
283*08b48e0bSAndroid Build Coastguard Worker 
284*08b48e0bSAndroid Build Coastguard Worker             } else {
285*08b48e0bSAndroid Build Coastguard Worker 
286*08b48e0bSAndroid Build Coastguard Worker               SAYF(cCYA "afl-llvm-pass" VERSION cRST
287*08b48e0bSAndroid Build Coastguard Worker                         " using thread safe not-zero-counters\n");
288*08b48e0bSAndroid Build Coastguard Worker 
289*08b48e0bSAndroid Build Coastguard Worker             }
290*08b48e0bSAndroid Build Coastguard Worker 
291*08b48e0bSAndroid Build Coastguard Worker       */
292*08b48e0bSAndroid Build Coastguard Worker 
293*08b48e0bSAndroid Build Coastguard Worker     } else {
294*08b48e0bSAndroid Build Coastguard Worker 
295*08b48e0bSAndroid Build Coastguard Worker       SAYF(cCYA "afl-llvm-pass" VERSION cRST
296*08b48e0bSAndroid Build Coastguard Worker                 " using non-thread safe instrumentation\n");
297*08b48e0bSAndroid Build Coastguard Worker 
298*08b48e0bSAndroid Build Coastguard Worker     }
299*08b48e0bSAndroid Build Coastguard Worker 
300*08b48e0bSAndroid Build Coastguard Worker   }
301*08b48e0bSAndroid Build Coastguard Worker 
302*08b48e0bSAndroid Build Coastguard Worker   unsigned PrevLocSize = 0;
303*08b48e0bSAndroid Build Coastguard Worker   unsigned PrevCallerSize = 0;
304*08b48e0bSAndroid Build Coastguard Worker 
305*08b48e0bSAndroid Build Coastguard Worker   char *ngram_size_str = getenv("AFL_LLVM_NGRAM_SIZE");
306*08b48e0bSAndroid Build Coastguard Worker   if (!ngram_size_str) ngram_size_str = getenv("AFL_NGRAM_SIZE");
307*08b48e0bSAndroid Build Coastguard Worker   char *ctx_k_str = getenv("AFL_LLVM_CTX_K");
308*08b48e0bSAndroid Build Coastguard Worker   if (!ctx_k_str) ctx_k_str = getenv("AFL_CTX_K");
309*08b48e0bSAndroid Build Coastguard Worker   ctx_str = getenv("AFL_LLVM_CTX");
310*08b48e0bSAndroid Build Coastguard Worker   caller_str = getenv("AFL_LLVM_CALLER");
311*08b48e0bSAndroid Build Coastguard Worker 
312*08b48e0bSAndroid Build Coastguard Worker   bool instrument_ctx = ctx_str || caller_str;
313*08b48e0bSAndroid Build Coastguard Worker 
314*08b48e0bSAndroid Build Coastguard Worker #ifdef AFL_HAVE_VECTOR_INTRINSICS
315*08b48e0bSAndroid Build Coastguard Worker   /* Decide previous location vector size (must be a power of two) */
316*08b48e0bSAndroid Build Coastguard Worker   VectorType *PrevLocTy = NULL;
317*08b48e0bSAndroid Build Coastguard Worker 
318*08b48e0bSAndroid Build Coastguard Worker   if (ngram_size_str)
319*08b48e0bSAndroid Build Coastguard Worker     if (sscanf(ngram_size_str, "%u", &ngram_size) != 1 || ngram_size < 2 ||
320*08b48e0bSAndroid Build Coastguard Worker         ngram_size > NGRAM_SIZE_MAX)
321*08b48e0bSAndroid Build Coastguard Worker       FATAL(
322*08b48e0bSAndroid Build Coastguard Worker           "Bad value of AFL_NGRAM_SIZE (must be between 2 and NGRAM_SIZE_MAX "
323*08b48e0bSAndroid Build Coastguard Worker           "(%u))",
324*08b48e0bSAndroid Build Coastguard Worker           NGRAM_SIZE_MAX);
325*08b48e0bSAndroid Build Coastguard Worker 
326*08b48e0bSAndroid Build Coastguard Worker   if (ngram_size == 1) ngram_size = 0;
327*08b48e0bSAndroid Build Coastguard Worker   if (ngram_size)
328*08b48e0bSAndroid Build Coastguard Worker     PrevLocSize = ngram_size - 1;
329*08b48e0bSAndroid Build Coastguard Worker   else
330*08b48e0bSAndroid Build Coastguard Worker     PrevLocSize = 1;
331*08b48e0bSAndroid Build Coastguard Worker 
332*08b48e0bSAndroid Build Coastguard Worker   /* Decide K-ctx vector size (must be a power of two) */
333*08b48e0bSAndroid Build Coastguard Worker   VectorType *PrevCallerTy = NULL;
334*08b48e0bSAndroid Build Coastguard Worker 
335*08b48e0bSAndroid Build Coastguard Worker   if (ctx_k_str)
336*08b48e0bSAndroid Build Coastguard Worker     if (sscanf(ctx_k_str, "%u", &ctx_k) != 1 || ctx_k < 1 || ctx_k > CTX_MAX_K)
337*08b48e0bSAndroid Build Coastguard Worker       FATAL("Bad value of AFL_CTX_K (must be between 1 and CTX_MAX_K (%u))",
338*08b48e0bSAndroid Build Coastguard Worker             CTX_MAX_K);
339*08b48e0bSAndroid Build Coastguard Worker 
340*08b48e0bSAndroid Build Coastguard Worker   if (ctx_k == 1) {
341*08b48e0bSAndroid Build Coastguard Worker 
342*08b48e0bSAndroid Build Coastguard Worker     ctx_k = 0;
343*08b48e0bSAndroid Build Coastguard Worker     instrument_ctx = true;
344*08b48e0bSAndroid Build Coastguard Worker     caller_str = ctx_k_str;  // Enable CALLER instead
345*08b48e0bSAndroid Build Coastguard Worker 
346*08b48e0bSAndroid Build Coastguard Worker   }
347*08b48e0bSAndroid Build Coastguard Worker 
348*08b48e0bSAndroid Build Coastguard Worker   if (ctx_k) {
349*08b48e0bSAndroid Build Coastguard Worker 
350*08b48e0bSAndroid Build Coastguard Worker     PrevCallerSize = ctx_k;
351*08b48e0bSAndroid Build Coastguard Worker     instrument_ctx = true;
352*08b48e0bSAndroid Build Coastguard Worker 
353*08b48e0bSAndroid Build Coastguard Worker   }
354*08b48e0bSAndroid Build Coastguard Worker 
355*08b48e0bSAndroid Build Coastguard Worker #else
356*08b48e0bSAndroid Build Coastguard Worker   if (ngram_size_str)
357*08b48e0bSAndroid Build Coastguard Worker   #ifndef LLVM_VERSION_PATCH
358*08b48e0bSAndroid Build Coastguard Worker     FATAL(
359*08b48e0bSAndroid Build Coastguard Worker         "Sorry, NGRAM branch coverage is not supported with llvm version "
360*08b48e0bSAndroid Build Coastguard Worker         "%d.%d.%d!",
361*08b48e0bSAndroid Build Coastguard Worker         LLVM_VERSION_MAJOR, LLVM_VERSION_MINOR, 0);
362*08b48e0bSAndroid Build Coastguard Worker   #else
363*08b48e0bSAndroid Build Coastguard Worker     FATAL(
364*08b48e0bSAndroid Build Coastguard Worker         "Sorry, NGRAM branch coverage is not supported with llvm version "
365*08b48e0bSAndroid Build Coastguard Worker         "%d.%d.%d!",
366*08b48e0bSAndroid Build Coastguard Worker         LLVM_VERSION_MAJOR, LLVM_VERSION_MINOR, LLVM_VERSION_PATCH);
367*08b48e0bSAndroid Build Coastguard Worker   #endif
368*08b48e0bSAndroid Build Coastguard Worker   if (ctx_k_str)
369*08b48e0bSAndroid Build Coastguard Worker   #ifndef LLVM_VERSION_PATCH
370*08b48e0bSAndroid Build Coastguard Worker     FATAL(
371*08b48e0bSAndroid Build Coastguard Worker         "Sorry, K-CTX branch coverage is not supported with llvm version "
372*08b48e0bSAndroid Build Coastguard Worker         "%d.%d.%d!",
373*08b48e0bSAndroid Build Coastguard Worker         LLVM_VERSION_MAJOR, LLVM_VERSION_MINOR, 0);
374*08b48e0bSAndroid Build Coastguard Worker   #else
375*08b48e0bSAndroid Build Coastguard Worker     FATAL(
376*08b48e0bSAndroid Build Coastguard Worker         "Sorry, K-CTX branch coverage is not supported with llvm version "
377*08b48e0bSAndroid Build Coastguard Worker         "%d.%d.%d!",
378*08b48e0bSAndroid Build Coastguard Worker         LLVM_VERSION_MAJOR, LLVM_VERSION_MINOR, LLVM_VERSION_PATCH);
379*08b48e0bSAndroid Build Coastguard Worker   #endif
380*08b48e0bSAndroid Build Coastguard Worker   PrevLocSize = 1;
381*08b48e0bSAndroid Build Coastguard Worker #endif
382*08b48e0bSAndroid Build Coastguard Worker 
383*08b48e0bSAndroid Build Coastguard Worker #ifdef AFL_HAVE_VECTOR_INTRINSICS
384*08b48e0bSAndroid Build Coastguard Worker   int PrevLocVecSize = PowerOf2Ceil(PrevLocSize);
385*08b48e0bSAndroid Build Coastguard Worker   if (ngram_size)
386*08b48e0bSAndroid Build Coastguard Worker     PrevLocTy = VectorType::get(IntLocTy, PrevLocVecSize
387*08b48e0bSAndroid Build Coastguard Worker   #if LLVM_VERSION_MAJOR >= 12
388*08b48e0bSAndroid Build Coastguard Worker                                 ,
389*08b48e0bSAndroid Build Coastguard Worker                                 false
390*08b48e0bSAndroid Build Coastguard Worker   #endif
391*08b48e0bSAndroid Build Coastguard Worker     );
392*08b48e0bSAndroid Build Coastguard Worker #endif
393*08b48e0bSAndroid Build Coastguard Worker 
394*08b48e0bSAndroid Build Coastguard Worker #ifdef AFL_HAVE_VECTOR_INTRINSICS
395*08b48e0bSAndroid Build Coastguard Worker   int PrevCallerVecSize = PowerOf2Ceil(PrevCallerSize);
396*08b48e0bSAndroid Build Coastguard Worker   if (ctx_k)
397*08b48e0bSAndroid Build Coastguard Worker     PrevCallerTy = VectorType::get(IntLocTy, PrevCallerVecSize
398*08b48e0bSAndroid Build Coastguard Worker   #if LLVM_VERSION_MAJOR >= 12
399*08b48e0bSAndroid Build Coastguard Worker                                    ,
400*08b48e0bSAndroid Build Coastguard Worker                                    false
401*08b48e0bSAndroid Build Coastguard Worker   #endif
402*08b48e0bSAndroid Build Coastguard Worker     );
403*08b48e0bSAndroid Build Coastguard Worker #endif
404*08b48e0bSAndroid Build Coastguard Worker 
405*08b48e0bSAndroid Build Coastguard Worker   /* Get globals for the SHM region and the previous location. Note that
406*08b48e0bSAndroid Build Coastguard Worker      __afl_prev_loc is thread-local. */
407*08b48e0bSAndroid Build Coastguard Worker 
408*08b48e0bSAndroid Build Coastguard Worker   GlobalVariable *AFLMapPtr =
409*08b48e0bSAndroid Build Coastguard Worker       new GlobalVariable(M, PointerType::get(Int8Ty, 0), false,
410*08b48e0bSAndroid Build Coastguard Worker                          GlobalValue::ExternalLinkage, 0, "__afl_area_ptr");
411*08b48e0bSAndroid Build Coastguard Worker   GlobalVariable *AFLPrevLoc;
412*08b48e0bSAndroid Build Coastguard Worker   GlobalVariable *AFLPrevCaller;
413*08b48e0bSAndroid Build Coastguard Worker   GlobalVariable *AFLContext = NULL;
414*08b48e0bSAndroid Build Coastguard Worker 
415*08b48e0bSAndroid Build Coastguard Worker   if (ctx_str || caller_str)
416*08b48e0bSAndroid Build Coastguard Worker #if defined(__ANDROID__) || defined(__HAIKU__) || defined(NO_TLS)
417*08b48e0bSAndroid Build Coastguard Worker     AFLContext = new GlobalVariable(
418*08b48e0bSAndroid Build Coastguard Worker         M, Int32Ty, false, GlobalValue::ExternalLinkage, 0, "__afl_prev_ctx");
419*08b48e0bSAndroid Build Coastguard Worker #else
420*08b48e0bSAndroid Build Coastguard Worker     AFLContext = new GlobalVariable(
421*08b48e0bSAndroid Build Coastguard Worker         M, Int32Ty, false, GlobalValue::ExternalLinkage, 0, "__afl_prev_ctx", 0,
422*08b48e0bSAndroid Build Coastguard Worker         GlobalVariable::GeneralDynamicTLSModel, 0, false);
423*08b48e0bSAndroid Build Coastguard Worker #endif
424*08b48e0bSAndroid Build Coastguard Worker 
425*08b48e0bSAndroid Build Coastguard Worker #ifdef AFL_HAVE_VECTOR_INTRINSICS
426*08b48e0bSAndroid Build Coastguard Worker   if (ngram_size)
427*08b48e0bSAndroid Build Coastguard Worker   #if defined(__ANDROID__) || defined(__HAIKU__) || defined(NO_TLS)
428*08b48e0bSAndroid Build Coastguard Worker     AFLPrevLoc = new GlobalVariable(
429*08b48e0bSAndroid Build Coastguard Worker         M, PrevLocTy, /* isConstant */ false, GlobalValue::ExternalLinkage,
430*08b48e0bSAndroid Build Coastguard Worker         /* Initializer */ nullptr, "__afl_prev_loc");
431*08b48e0bSAndroid Build Coastguard Worker   #else
432*08b48e0bSAndroid Build Coastguard Worker     AFLPrevLoc = new GlobalVariable(
433*08b48e0bSAndroid Build Coastguard Worker         M, PrevLocTy, /* isConstant */ false, GlobalValue::ExternalLinkage,
434*08b48e0bSAndroid Build Coastguard Worker         /* Initializer */ nullptr, "__afl_prev_loc",
435*08b48e0bSAndroid Build Coastguard Worker         /* InsertBefore */ nullptr, GlobalVariable::GeneralDynamicTLSModel,
436*08b48e0bSAndroid Build Coastguard Worker         /* AddressSpace */ 0, /* IsExternallyInitialized */ false);
437*08b48e0bSAndroid Build Coastguard Worker   #endif
438*08b48e0bSAndroid Build Coastguard Worker   else
439*08b48e0bSAndroid Build Coastguard Worker #endif
440*08b48e0bSAndroid Build Coastguard Worker #if defined(__ANDROID__) || defined(__HAIKU__) || defined(NO_TLS)
441*08b48e0bSAndroid Build Coastguard Worker     AFLPrevLoc = new GlobalVariable(
442*08b48e0bSAndroid Build Coastguard Worker         M, Int32Ty, false, GlobalValue::ExternalLinkage, 0, "__afl_prev_loc");
443*08b48e0bSAndroid Build Coastguard Worker #else
444*08b48e0bSAndroid Build Coastguard Worker   AFLPrevLoc = new GlobalVariable(
445*08b48e0bSAndroid Build Coastguard Worker       M, Int32Ty, false, GlobalValue::ExternalLinkage, 0, "__afl_prev_loc", 0,
446*08b48e0bSAndroid Build Coastguard Worker       GlobalVariable::GeneralDynamicTLSModel, 0, false);
447*08b48e0bSAndroid Build Coastguard Worker #endif
448*08b48e0bSAndroid Build Coastguard Worker 
449*08b48e0bSAndroid Build Coastguard Worker #ifdef AFL_HAVE_VECTOR_INTRINSICS
450*08b48e0bSAndroid Build Coastguard Worker   if (ctx_k)
451*08b48e0bSAndroid Build Coastguard Worker   #if defined(__ANDROID__) || defined(__HAIKU__) || defined(NO_TLS)
452*08b48e0bSAndroid Build Coastguard Worker     AFLPrevCaller = new GlobalVariable(
453*08b48e0bSAndroid Build Coastguard Worker         M, PrevCallerTy, /* isConstant */ false, GlobalValue::ExternalLinkage,
454*08b48e0bSAndroid Build Coastguard Worker         /* Initializer */ nullptr, "__afl_prev_caller");
455*08b48e0bSAndroid Build Coastguard Worker   #else
456*08b48e0bSAndroid Build Coastguard Worker     AFLPrevCaller = new GlobalVariable(
457*08b48e0bSAndroid Build Coastguard Worker         M, PrevCallerTy, /* isConstant */ false, GlobalValue::ExternalLinkage,
458*08b48e0bSAndroid Build Coastguard Worker         /* Initializer */ nullptr, "__afl_prev_caller",
459*08b48e0bSAndroid Build Coastguard Worker         /* InsertBefore */ nullptr, GlobalVariable::GeneralDynamicTLSModel,
460*08b48e0bSAndroid Build Coastguard Worker         /* AddressSpace */ 0, /* IsExternallyInitialized */ false);
461*08b48e0bSAndroid Build Coastguard Worker   #endif
462*08b48e0bSAndroid Build Coastguard Worker   else
463*08b48e0bSAndroid Build Coastguard Worker #endif
464*08b48e0bSAndroid Build Coastguard Worker #if defined(__ANDROID__) || defined(__HAIKU__) || defined(NO_TLS)
465*08b48e0bSAndroid Build Coastguard Worker     AFLPrevCaller =
466*08b48e0bSAndroid Build Coastguard Worker         new GlobalVariable(M, Int32Ty, false, GlobalValue::ExternalLinkage, 0,
467*08b48e0bSAndroid Build Coastguard Worker                            "__afl_prev_caller");
468*08b48e0bSAndroid Build Coastguard Worker #else
469*08b48e0bSAndroid Build Coastguard Worker   AFLPrevCaller = new GlobalVariable(
470*08b48e0bSAndroid Build Coastguard Worker       M, Int32Ty, false, GlobalValue::ExternalLinkage, 0, "__afl_prev_caller",
471*08b48e0bSAndroid Build Coastguard Worker       0, GlobalVariable::GeneralDynamicTLSModel, 0, false);
472*08b48e0bSAndroid Build Coastguard Worker #endif
473*08b48e0bSAndroid Build Coastguard Worker 
474*08b48e0bSAndroid Build Coastguard Worker #ifdef AFL_HAVE_VECTOR_INTRINSICS
475*08b48e0bSAndroid Build Coastguard Worker   /* Create the vector shuffle mask for updating the previous block history.
476*08b48e0bSAndroid Build Coastguard Worker      Note that the first element of the vector will store cur_loc, so just set
477*08b48e0bSAndroid Build Coastguard Worker      it to undef to allow the optimizer to do its thing. */
478*08b48e0bSAndroid Build Coastguard Worker 
479*08b48e0bSAndroid Build Coastguard Worker   SmallVector<Constant *, 32> PrevLocShuffle = {UndefValue::get(Int32Ty)};
480*08b48e0bSAndroid Build Coastguard Worker 
481*08b48e0bSAndroid Build Coastguard Worker   for (unsigned I = 0; I < PrevLocSize - 1; ++I)
482*08b48e0bSAndroid Build Coastguard Worker     PrevLocShuffle.push_back(ConstantInt::get(Int32Ty, I));
483*08b48e0bSAndroid Build Coastguard Worker 
484*08b48e0bSAndroid Build Coastguard Worker   for (int I = PrevLocSize; I < PrevLocVecSize; ++I)
485*08b48e0bSAndroid Build Coastguard Worker     PrevLocShuffle.push_back(ConstantInt::get(Int32Ty, PrevLocSize));
486*08b48e0bSAndroid Build Coastguard Worker 
487*08b48e0bSAndroid Build Coastguard Worker   Constant *PrevLocShuffleMask = ConstantVector::get(PrevLocShuffle);
488*08b48e0bSAndroid Build Coastguard Worker 
489*08b48e0bSAndroid Build Coastguard Worker   Constant                   *PrevCallerShuffleMask = NULL;
490*08b48e0bSAndroid Build Coastguard Worker   SmallVector<Constant *, 32> PrevCallerShuffle = {UndefValue::get(Int32Ty)};
491*08b48e0bSAndroid Build Coastguard Worker 
492*08b48e0bSAndroid Build Coastguard Worker   if (ctx_k) {
493*08b48e0bSAndroid Build Coastguard Worker 
494*08b48e0bSAndroid Build Coastguard Worker     for (unsigned I = 0; I < PrevCallerSize - 1; ++I)
495*08b48e0bSAndroid Build Coastguard Worker       PrevCallerShuffle.push_back(ConstantInt::get(Int32Ty, I));
496*08b48e0bSAndroid Build Coastguard Worker 
497*08b48e0bSAndroid Build Coastguard Worker     for (int I = PrevCallerSize; I < PrevCallerVecSize; ++I)
498*08b48e0bSAndroid Build Coastguard Worker       PrevCallerShuffle.push_back(ConstantInt::get(Int32Ty, PrevCallerSize));
499*08b48e0bSAndroid Build Coastguard Worker 
500*08b48e0bSAndroid Build Coastguard Worker     PrevCallerShuffleMask = ConstantVector::get(PrevCallerShuffle);
501*08b48e0bSAndroid Build Coastguard Worker 
502*08b48e0bSAndroid Build Coastguard Worker   }
503*08b48e0bSAndroid Build Coastguard Worker 
504*08b48e0bSAndroid Build Coastguard Worker #endif
505*08b48e0bSAndroid Build Coastguard Worker 
506*08b48e0bSAndroid Build Coastguard Worker   // other constants we need
507*08b48e0bSAndroid Build Coastguard Worker   ConstantInt *One = ConstantInt::get(Int8Ty, 1);
508*08b48e0bSAndroid Build Coastguard Worker 
509*08b48e0bSAndroid Build Coastguard Worker   Value    *PrevCtx = NULL;     // CTX sensitive coverage
510*08b48e0bSAndroid Build Coastguard Worker   LoadInst *PrevCaller = NULL;  // K-CTX coverage
511*08b48e0bSAndroid Build Coastguard Worker 
512*08b48e0bSAndroid Build Coastguard Worker   /* Instrument all the things! */
513*08b48e0bSAndroid Build Coastguard Worker 
514*08b48e0bSAndroid Build Coastguard Worker   int inst_blocks = 0;
515*08b48e0bSAndroid Build Coastguard Worker   scanForDangerousFunctions(&M);
516*08b48e0bSAndroid Build Coastguard Worker 
517*08b48e0bSAndroid Build Coastguard Worker   for (auto &F : M) {
518*08b48e0bSAndroid Build Coastguard Worker 
519*08b48e0bSAndroid Build Coastguard Worker     int has_calls = 0;
520*08b48e0bSAndroid Build Coastguard Worker     if (debug)
521*08b48e0bSAndroid Build Coastguard Worker       fprintf(stderr, "FUNCTION: %s (%zu)\n", F.getName().str().c_str(),
522*08b48e0bSAndroid Build Coastguard Worker               F.size());
523*08b48e0bSAndroid Build Coastguard Worker 
524*08b48e0bSAndroid Build Coastguard Worker     if (!isInInstrumentList(&F, MNAME)) { continue; }
525*08b48e0bSAndroid Build Coastguard Worker 
526*08b48e0bSAndroid Build Coastguard Worker     if (F.size() < function_minimum_size) { continue; }
527*08b48e0bSAndroid Build Coastguard Worker 
528*08b48e0bSAndroid Build Coastguard Worker     std::list<Value *> todo;
529*08b48e0bSAndroid Build Coastguard Worker     for (auto &BB : F) {
530*08b48e0bSAndroid Build Coastguard Worker 
531*08b48e0bSAndroid Build Coastguard Worker       BasicBlock::iterator IP = BB.getFirstInsertionPt();
532*08b48e0bSAndroid Build Coastguard Worker       IRBuilder<>          IRB(&(*IP));
533*08b48e0bSAndroid Build Coastguard Worker 
534*08b48e0bSAndroid Build Coastguard Worker       // Context sensitive coverage
535*08b48e0bSAndroid Build Coastguard Worker       if (instrument_ctx && &BB == &F.getEntryBlock()) {
536*08b48e0bSAndroid Build Coastguard Worker 
537*08b48e0bSAndroid Build Coastguard Worker #ifdef AFL_HAVE_VECTOR_INTRINSICS
538*08b48e0bSAndroid Build Coastguard Worker         if (ctx_k) {
539*08b48e0bSAndroid Build Coastguard Worker 
540*08b48e0bSAndroid Build Coastguard Worker           PrevCaller = IRB.CreateLoad(
541*08b48e0bSAndroid Build Coastguard Worker   #if LLVM_VERSION_MAJOR >= 14
542*08b48e0bSAndroid Build Coastguard Worker               PrevCallerTy,
543*08b48e0bSAndroid Build Coastguard Worker   #endif
544*08b48e0bSAndroid Build Coastguard Worker               AFLPrevCaller);
545*08b48e0bSAndroid Build Coastguard Worker           PrevCaller->setMetadata(M.getMDKindID("nosanitize"),
546*08b48e0bSAndroid Build Coastguard Worker                                   MDNode::get(C, None));
547*08b48e0bSAndroid Build Coastguard Worker           PrevCtx =
548*08b48e0bSAndroid Build Coastguard Worker               IRB.CreateZExt(IRB.CreateXorReduce(PrevCaller), IRB.getInt32Ty());
549*08b48e0bSAndroid Build Coastguard Worker 
550*08b48e0bSAndroid Build Coastguard Worker         } else
551*08b48e0bSAndroid Build Coastguard Worker 
552*08b48e0bSAndroid Build Coastguard Worker #endif
553*08b48e0bSAndroid Build Coastguard Worker         {
554*08b48e0bSAndroid Build Coastguard Worker 
555*08b48e0bSAndroid Build Coastguard Worker           // load the context ID of the previous function and write to a
556*08b48e0bSAndroid Build Coastguard Worker           // local variable on the stack
557*08b48e0bSAndroid Build Coastguard Worker           LoadInst *PrevCtxLoad = IRB.CreateLoad(
558*08b48e0bSAndroid Build Coastguard Worker #if LLVM_VERSION_MAJOR >= 14
559*08b48e0bSAndroid Build Coastguard Worker               IRB.getInt32Ty(),
560*08b48e0bSAndroid Build Coastguard Worker #endif
561*08b48e0bSAndroid Build Coastguard Worker               AFLContext);
562*08b48e0bSAndroid Build Coastguard Worker           PrevCtxLoad->setMetadata(M.getMDKindID("nosanitize"),
563*08b48e0bSAndroid Build Coastguard Worker                                    MDNode::get(C, None));
564*08b48e0bSAndroid Build Coastguard Worker           PrevCtx = PrevCtxLoad;
565*08b48e0bSAndroid Build Coastguard Worker 
566*08b48e0bSAndroid Build Coastguard Worker         }
567*08b48e0bSAndroid Build Coastguard Worker 
568*08b48e0bSAndroid Build Coastguard Worker         // does the function have calls? and is any of the calls larger than one
569*08b48e0bSAndroid Build Coastguard Worker         // basic block?
570*08b48e0bSAndroid Build Coastguard Worker         for (auto &BB_2 : F) {
571*08b48e0bSAndroid Build Coastguard Worker 
572*08b48e0bSAndroid Build Coastguard Worker           if (has_calls) break;
573*08b48e0bSAndroid Build Coastguard Worker           for (auto &IN : BB_2) {
574*08b48e0bSAndroid Build Coastguard Worker 
575*08b48e0bSAndroid Build Coastguard Worker             CallInst *callInst = nullptr;
576*08b48e0bSAndroid Build Coastguard Worker             if ((callInst = dyn_cast<CallInst>(&IN))) {
577*08b48e0bSAndroid Build Coastguard Worker 
578*08b48e0bSAndroid Build Coastguard Worker               Function *Callee = callInst->getCalledFunction();
579*08b48e0bSAndroid Build Coastguard Worker               if (!Callee || Callee->size() < function_minimum_size)
580*08b48e0bSAndroid Build Coastguard Worker                 continue;
581*08b48e0bSAndroid Build Coastguard Worker               else {
582*08b48e0bSAndroid Build Coastguard Worker 
583*08b48e0bSAndroid Build Coastguard Worker                 has_calls = 1;
584*08b48e0bSAndroid Build Coastguard Worker                 break;
585*08b48e0bSAndroid Build Coastguard Worker 
586*08b48e0bSAndroid Build Coastguard Worker               }
587*08b48e0bSAndroid Build Coastguard Worker 
588*08b48e0bSAndroid Build Coastguard Worker             }
589*08b48e0bSAndroid Build Coastguard Worker 
590*08b48e0bSAndroid Build Coastguard Worker           }
591*08b48e0bSAndroid Build Coastguard Worker 
592*08b48e0bSAndroid Build Coastguard Worker         }
593*08b48e0bSAndroid Build Coastguard Worker 
594*08b48e0bSAndroid Build Coastguard Worker         // if yes we store a context ID for this function in the global var
595*08b48e0bSAndroid Build Coastguard Worker         if (has_calls) {
596*08b48e0bSAndroid Build Coastguard Worker 
597*08b48e0bSAndroid Build Coastguard Worker           Value *NewCtx = ConstantInt::get(Int32Ty, AFL_R(map_size));
598*08b48e0bSAndroid Build Coastguard Worker #ifdef AFL_HAVE_VECTOR_INTRINSICS
599*08b48e0bSAndroid Build Coastguard Worker           if (ctx_k) {
600*08b48e0bSAndroid Build Coastguard Worker 
601*08b48e0bSAndroid Build Coastguard Worker             Value *ShuffledPrevCaller = IRB.CreateShuffleVector(
602*08b48e0bSAndroid Build Coastguard Worker                 PrevCaller, UndefValue::get(PrevCallerTy),
603*08b48e0bSAndroid Build Coastguard Worker                 PrevCallerShuffleMask);
604*08b48e0bSAndroid Build Coastguard Worker             Value *UpdatedPrevCaller = IRB.CreateInsertElement(
605*08b48e0bSAndroid Build Coastguard Worker                 ShuffledPrevCaller, NewCtx, (uint64_t)0);
606*08b48e0bSAndroid Build Coastguard Worker 
607*08b48e0bSAndroid Build Coastguard Worker             StoreInst *Store =
608*08b48e0bSAndroid Build Coastguard Worker                 IRB.CreateStore(UpdatedPrevCaller, AFLPrevCaller);
609*08b48e0bSAndroid Build Coastguard Worker             Store->setMetadata(M.getMDKindID("nosanitize"),
610*08b48e0bSAndroid Build Coastguard Worker                                MDNode::get(C, None));
611*08b48e0bSAndroid Build Coastguard Worker 
612*08b48e0bSAndroid Build Coastguard Worker           } else
613*08b48e0bSAndroid Build Coastguard Worker 
614*08b48e0bSAndroid Build Coastguard Worker #endif
615*08b48e0bSAndroid Build Coastguard Worker           {
616*08b48e0bSAndroid Build Coastguard Worker 
617*08b48e0bSAndroid Build Coastguard Worker             if (ctx_str) NewCtx = IRB.CreateXor(PrevCtx, NewCtx);
618*08b48e0bSAndroid Build Coastguard Worker             StoreInst *StoreCtx = IRB.CreateStore(NewCtx, AFLContext);
619*08b48e0bSAndroid Build Coastguard Worker             StoreCtx->setMetadata(M.getMDKindID("nosanitize"),
620*08b48e0bSAndroid Build Coastguard Worker                                   MDNode::get(C, None));
621*08b48e0bSAndroid Build Coastguard Worker 
622*08b48e0bSAndroid Build Coastguard Worker           }
623*08b48e0bSAndroid Build Coastguard Worker 
624*08b48e0bSAndroid Build Coastguard Worker         }
625*08b48e0bSAndroid Build Coastguard Worker 
626*08b48e0bSAndroid Build Coastguard Worker       }
627*08b48e0bSAndroid Build Coastguard Worker 
628*08b48e0bSAndroid Build Coastguard Worker       if (AFL_R(100) >= inst_ratio) continue;
629*08b48e0bSAndroid Build Coastguard Worker 
630*08b48e0bSAndroid Build Coastguard Worker       /* Make up cur_loc */
631*08b48e0bSAndroid Build Coastguard Worker 
632*08b48e0bSAndroid Build Coastguard Worker       // cur_loc++;
633*08b48e0bSAndroid Build Coastguard Worker       cur_loc = AFL_R(map_size);
634*08b48e0bSAndroid Build Coastguard Worker 
635*08b48e0bSAndroid Build Coastguard Worker /* There is a problem with Ubuntu 18.04 and llvm 6.0 (see issue #63).
636*08b48e0bSAndroid Build Coastguard Worker    The inline function successors() is not inlined and also not found at runtime
637*08b48e0bSAndroid Build Coastguard Worker    :-( As I am unable to detect Ubuntu18.04 here, the next best thing is to
638*08b48e0bSAndroid Build Coastguard Worker    disable this optional optimization for LLVM 6.0.0 and Linux */
639*08b48e0bSAndroid Build Coastguard Worker #if !(LLVM_VERSION_MAJOR == 6 && LLVM_VERSION_MINOR == 0) || !defined __linux__
640*08b48e0bSAndroid Build Coastguard Worker       // only instrument if this basic block is the destination of a previous
641*08b48e0bSAndroid Build Coastguard Worker       // basic block that has multiple successors
642*08b48e0bSAndroid Build Coastguard Worker       // this gets rid of ~5-10% of instrumentations that are unnecessary
643*08b48e0bSAndroid Build Coastguard Worker       // result: a little more speed and less map pollution
644*08b48e0bSAndroid Build Coastguard Worker       int more_than_one = -1;
645*08b48e0bSAndroid Build Coastguard Worker       // fprintf(stderr, "BB %u: ", cur_loc);
646*08b48e0bSAndroid Build Coastguard Worker       for (pred_iterator PI = pred_begin(&BB), E = pred_end(&BB); PI != E;
647*08b48e0bSAndroid Build Coastguard Worker            ++PI) {
648*08b48e0bSAndroid Build Coastguard Worker 
649*08b48e0bSAndroid Build Coastguard Worker         BasicBlock *Pred = *PI;
650*08b48e0bSAndroid Build Coastguard Worker 
651*08b48e0bSAndroid Build Coastguard Worker         int count = 0;
652*08b48e0bSAndroid Build Coastguard Worker         if (more_than_one == -1) more_than_one = 0;
653*08b48e0bSAndroid Build Coastguard Worker         // fprintf(stderr, " %p=>", Pred);
654*08b48e0bSAndroid Build Coastguard Worker 
655*08b48e0bSAndroid Build Coastguard Worker         for (succ_iterator SI = succ_begin(Pred), E = succ_end(Pred); SI != E;
656*08b48e0bSAndroid Build Coastguard Worker              ++SI) {
657*08b48e0bSAndroid Build Coastguard Worker 
658*08b48e0bSAndroid Build Coastguard Worker           BasicBlock *Succ = *SI;
659*08b48e0bSAndroid Build Coastguard Worker 
660*08b48e0bSAndroid Build Coastguard Worker           // if (count > 0)
661*08b48e0bSAndroid Build Coastguard Worker           //  fprintf(stderr, "|");
662*08b48e0bSAndroid Build Coastguard Worker           if (Succ != NULL) count++;
663*08b48e0bSAndroid Build Coastguard Worker           // fprintf(stderr, "%p", Succ);
664*08b48e0bSAndroid Build Coastguard Worker 
665*08b48e0bSAndroid Build Coastguard Worker         }
666*08b48e0bSAndroid Build Coastguard Worker 
667*08b48e0bSAndroid Build Coastguard Worker         if (count > 1) more_than_one = 1;
668*08b48e0bSAndroid Build Coastguard Worker 
669*08b48e0bSAndroid Build Coastguard Worker       }
670*08b48e0bSAndroid Build Coastguard Worker 
671*08b48e0bSAndroid Build Coastguard Worker       // fprintf(stderr, " == %d\n", more_than_one);
672*08b48e0bSAndroid Build Coastguard Worker       if (F.size() > 1 && more_than_one != 1) {
673*08b48e0bSAndroid Build Coastguard Worker 
674*08b48e0bSAndroid Build Coastguard Worker         // in CTX mode we have to restore the original context for the caller -
675*08b48e0bSAndroid Build Coastguard Worker         // she might be calling other functions which need the correct CTX
676*08b48e0bSAndroid Build Coastguard Worker         if (instrument_ctx && has_calls) {
677*08b48e0bSAndroid Build Coastguard Worker 
678*08b48e0bSAndroid Build Coastguard Worker           Instruction *Inst = BB.getTerminator();
679*08b48e0bSAndroid Build Coastguard Worker           if (isa<ReturnInst>(Inst) || isa<ResumeInst>(Inst)) {
680*08b48e0bSAndroid Build Coastguard Worker 
681*08b48e0bSAndroid Build Coastguard Worker             IRBuilder<> Post_IRB(Inst);
682*08b48e0bSAndroid Build Coastguard Worker 
683*08b48e0bSAndroid Build Coastguard Worker             StoreInst *RestoreCtx;
684*08b48e0bSAndroid Build Coastguard Worker   #ifdef AFL_HAVE_VECTOR_INTRINSICS
685*08b48e0bSAndroid Build Coastguard Worker             if (ctx_k)
686*08b48e0bSAndroid Build Coastguard Worker               RestoreCtx = IRB.CreateStore(PrevCaller, AFLPrevCaller);
687*08b48e0bSAndroid Build Coastguard Worker             else
688*08b48e0bSAndroid Build Coastguard Worker   #endif
689*08b48e0bSAndroid Build Coastguard Worker               RestoreCtx = Post_IRB.CreateStore(PrevCtx, AFLContext);
690*08b48e0bSAndroid Build Coastguard Worker             RestoreCtx->setMetadata(M.getMDKindID("nosanitize"),
691*08b48e0bSAndroid Build Coastguard Worker                                     MDNode::get(C, None));
692*08b48e0bSAndroid Build Coastguard Worker 
693*08b48e0bSAndroid Build Coastguard Worker           }
694*08b48e0bSAndroid Build Coastguard Worker 
695*08b48e0bSAndroid Build Coastguard Worker         }
696*08b48e0bSAndroid Build Coastguard Worker 
697*08b48e0bSAndroid Build Coastguard Worker         continue;
698*08b48e0bSAndroid Build Coastguard Worker 
699*08b48e0bSAndroid Build Coastguard Worker       }
700*08b48e0bSAndroid Build Coastguard Worker 
701*08b48e0bSAndroid Build Coastguard Worker #endif
702*08b48e0bSAndroid Build Coastguard Worker 
703*08b48e0bSAndroid Build Coastguard Worker       ConstantInt *CurLoc;
704*08b48e0bSAndroid Build Coastguard Worker 
705*08b48e0bSAndroid Build Coastguard Worker #ifdef AFL_HAVE_VECTOR_INTRINSICS
706*08b48e0bSAndroid Build Coastguard Worker       if (ngram_size)
707*08b48e0bSAndroid Build Coastguard Worker         CurLoc = ConstantInt::get(IntLocTy, cur_loc);
708*08b48e0bSAndroid Build Coastguard Worker       else
709*08b48e0bSAndroid Build Coastguard Worker #endif
710*08b48e0bSAndroid Build Coastguard Worker         CurLoc = ConstantInt::get(Int32Ty, cur_loc);
711*08b48e0bSAndroid Build Coastguard Worker 
712*08b48e0bSAndroid Build Coastguard Worker       /* Load prev_loc */
713*08b48e0bSAndroid Build Coastguard Worker 
714*08b48e0bSAndroid Build Coastguard Worker       LoadInst *PrevLoc;
715*08b48e0bSAndroid Build Coastguard Worker 
716*08b48e0bSAndroid Build Coastguard Worker       if (ngram_size) {
717*08b48e0bSAndroid Build Coastguard Worker 
718*08b48e0bSAndroid Build Coastguard Worker         PrevLoc = IRB.CreateLoad(
719*08b48e0bSAndroid Build Coastguard Worker #if LLVM_VERSION_MAJOR >= 14
720*08b48e0bSAndroid Build Coastguard Worker             PrevLocTy,
721*08b48e0bSAndroid Build Coastguard Worker #endif
722*08b48e0bSAndroid Build Coastguard Worker             AFLPrevLoc);
723*08b48e0bSAndroid Build Coastguard Worker 
724*08b48e0bSAndroid Build Coastguard Worker       } else {
725*08b48e0bSAndroid Build Coastguard Worker 
726*08b48e0bSAndroid Build Coastguard Worker         PrevLoc = IRB.CreateLoad(
727*08b48e0bSAndroid Build Coastguard Worker #if LLVM_VERSION_MAJOR >= 14
728*08b48e0bSAndroid Build Coastguard Worker             IRB.getInt32Ty(),
729*08b48e0bSAndroid Build Coastguard Worker #endif
730*08b48e0bSAndroid Build Coastguard Worker             AFLPrevLoc);
731*08b48e0bSAndroid Build Coastguard Worker 
732*08b48e0bSAndroid Build Coastguard Worker       }
733*08b48e0bSAndroid Build Coastguard Worker 
734*08b48e0bSAndroid Build Coastguard Worker       PrevLoc->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
735*08b48e0bSAndroid Build Coastguard Worker       Value *PrevLocTrans;
736*08b48e0bSAndroid Build Coastguard Worker 
737*08b48e0bSAndroid Build Coastguard Worker #ifdef AFL_HAVE_VECTOR_INTRINSICS
738*08b48e0bSAndroid Build Coastguard Worker       /* "For efficiency, we propose to hash the tuple as a key into the
739*08b48e0bSAndroid Build Coastguard Worker          hit_count map as (prev_block_trans << 1) ^ curr_block_trans, where
740*08b48e0bSAndroid Build Coastguard Worker          prev_block_trans = (block_trans_1 ^ ... ^ block_trans_(n-1)" */
741*08b48e0bSAndroid Build Coastguard Worker 
742*08b48e0bSAndroid Build Coastguard Worker       if (ngram_size)
743*08b48e0bSAndroid Build Coastguard Worker         PrevLocTrans =
744*08b48e0bSAndroid Build Coastguard Worker             IRB.CreateZExt(IRB.CreateXorReduce(PrevLoc), IRB.getInt32Ty());
745*08b48e0bSAndroid Build Coastguard Worker       else
746*08b48e0bSAndroid Build Coastguard Worker #endif
747*08b48e0bSAndroid Build Coastguard Worker         PrevLocTrans = PrevLoc;
748*08b48e0bSAndroid Build Coastguard Worker 
749*08b48e0bSAndroid Build Coastguard Worker       if (instrument_ctx)
750*08b48e0bSAndroid Build Coastguard Worker         PrevLocTrans =
751*08b48e0bSAndroid Build Coastguard Worker             IRB.CreateZExt(IRB.CreateXor(PrevLocTrans, PrevCtx), Int32Ty);
752*08b48e0bSAndroid Build Coastguard Worker       else
753*08b48e0bSAndroid Build Coastguard Worker         PrevLocTrans = IRB.CreateZExt(PrevLocTrans, IRB.getInt32Ty());
754*08b48e0bSAndroid Build Coastguard Worker 
755*08b48e0bSAndroid Build Coastguard Worker       /* Load SHM pointer */
756*08b48e0bSAndroid Build Coastguard Worker 
757*08b48e0bSAndroid Build Coastguard Worker       LoadInst *MapPtr = IRB.CreateLoad(
758*08b48e0bSAndroid Build Coastguard Worker #if LLVM_VERSION_MAJOR >= 14
759*08b48e0bSAndroid Build Coastguard Worker           PointerType::get(Int8Ty, 0),
760*08b48e0bSAndroid Build Coastguard Worker #endif
761*08b48e0bSAndroid Build Coastguard Worker           AFLMapPtr);
762*08b48e0bSAndroid Build Coastguard Worker       MapPtr->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
763*08b48e0bSAndroid Build Coastguard Worker 
764*08b48e0bSAndroid Build Coastguard Worker       Value *MapPtrIdx;
765*08b48e0bSAndroid Build Coastguard Worker #ifdef AFL_HAVE_VECTOR_INTRINSICS
766*08b48e0bSAndroid Build Coastguard Worker       if (ngram_size)
767*08b48e0bSAndroid Build Coastguard Worker         MapPtrIdx = IRB.CreateGEP(
768*08b48e0bSAndroid Build Coastguard Worker             Int8Ty, MapPtr,
769*08b48e0bSAndroid Build Coastguard Worker             IRB.CreateZExt(
770*08b48e0bSAndroid Build Coastguard Worker                 IRB.CreateXor(PrevLocTrans, IRB.CreateZExt(CurLoc, Int32Ty)),
771*08b48e0bSAndroid Build Coastguard Worker                 Int32Ty));
772*08b48e0bSAndroid Build Coastguard Worker       else
773*08b48e0bSAndroid Build Coastguard Worker #endif
774*08b48e0bSAndroid Build Coastguard Worker         MapPtrIdx = IRB.CreateGEP(
775*08b48e0bSAndroid Build Coastguard Worker #if LLVM_VERSION_MAJOR >= 14
776*08b48e0bSAndroid Build Coastguard Worker             Int8Ty,
777*08b48e0bSAndroid Build Coastguard Worker #endif
778*08b48e0bSAndroid Build Coastguard Worker             MapPtr, IRB.CreateXor(PrevLocTrans, CurLoc));
779*08b48e0bSAndroid Build Coastguard Worker 
780*08b48e0bSAndroid Build Coastguard Worker       /* Update bitmap */
781*08b48e0bSAndroid Build Coastguard Worker 
782*08b48e0bSAndroid Build Coastguard Worker       if (use_threadsafe_counters) {                              /* Atomic */
783*08b48e0bSAndroid Build Coastguard Worker 
784*08b48e0bSAndroid Build Coastguard Worker         IRB.CreateAtomicRMW(llvm::AtomicRMWInst::BinOp::Add, MapPtrIdx, One,
785*08b48e0bSAndroid Build Coastguard Worker #if LLVM_VERSION_MAJOR >= 13
786*08b48e0bSAndroid Build Coastguard Worker                             llvm::MaybeAlign(1),
787*08b48e0bSAndroid Build Coastguard Worker #endif
788*08b48e0bSAndroid Build Coastguard Worker                             llvm::AtomicOrdering::Monotonic);
789*08b48e0bSAndroid Build Coastguard Worker         /*
790*08b48e0bSAndroid Build Coastguard Worker 
791*08b48e0bSAndroid Build Coastguard Worker                 }
792*08b48e0bSAndroid Build Coastguard Worker 
793*08b48e0bSAndroid Build Coastguard Worker         */
794*08b48e0bSAndroid Build Coastguard Worker 
795*08b48e0bSAndroid Build Coastguard Worker       } else {
796*08b48e0bSAndroid Build Coastguard Worker 
797*08b48e0bSAndroid Build Coastguard Worker         LoadInst *Counter = IRB.CreateLoad(
798*08b48e0bSAndroid Build Coastguard Worker #if LLVM_VERSION_MAJOR >= 14
799*08b48e0bSAndroid Build Coastguard Worker             IRB.getInt8Ty(),
800*08b48e0bSAndroid Build Coastguard Worker #endif
801*08b48e0bSAndroid Build Coastguard Worker             MapPtrIdx);
802*08b48e0bSAndroid Build Coastguard Worker         Counter->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
803*08b48e0bSAndroid Build Coastguard Worker 
804*08b48e0bSAndroid Build Coastguard Worker         Value *Incr = IRB.CreateAdd(Counter, One);
805*08b48e0bSAndroid Build Coastguard Worker 
806*08b48e0bSAndroid Build Coastguard Worker #if LLVM_VERSION_MAJOR >= 9
807*08b48e0bSAndroid Build Coastguard Worker         if (!skip_nozero) {
808*08b48e0bSAndroid Build Coastguard Worker 
809*08b48e0bSAndroid Build Coastguard Worker #else
810*08b48e0bSAndroid Build Coastguard Worker         if (neverZero_counters_str != NULL) {
811*08b48e0bSAndroid Build Coastguard Worker 
812*08b48e0bSAndroid Build Coastguard Worker #endif
813*08b48e0bSAndroid Build Coastguard Worker           /* hexcoder: Realize a counter that skips zero during overflow.
814*08b48e0bSAndroid Build Coastguard Worker            * Once this counter reaches its maximum value, it next increments to
815*08b48e0bSAndroid Build Coastguard Worker            * 1
816*08b48e0bSAndroid Build Coastguard Worker            *
817*08b48e0bSAndroid Build Coastguard Worker            * Instead of
818*08b48e0bSAndroid Build Coastguard Worker            * Counter + 1 -> Counter
819*08b48e0bSAndroid Build Coastguard Worker            * we inject now this
820*08b48e0bSAndroid Build Coastguard Worker            * Counter + 1 -> {Counter, OverflowFlag}
821*08b48e0bSAndroid Build Coastguard Worker            * Counter + OverflowFlag -> Counter
822*08b48e0bSAndroid Build Coastguard Worker            */
823*08b48e0bSAndroid Build Coastguard Worker 
824*08b48e0bSAndroid Build Coastguard Worker           ConstantInt *Zero = ConstantInt::get(Int8Ty, 0);
825*08b48e0bSAndroid Build Coastguard Worker           auto         cf = IRB.CreateICmpEQ(Incr, Zero);
826*08b48e0bSAndroid Build Coastguard Worker           auto         carry = IRB.CreateZExt(cf, Int8Ty);
827*08b48e0bSAndroid Build Coastguard Worker           Incr = IRB.CreateAdd(Incr, carry);
828*08b48e0bSAndroid Build Coastguard Worker 
829*08b48e0bSAndroid Build Coastguard Worker         }
830*08b48e0bSAndroid Build Coastguard Worker 
831*08b48e0bSAndroid Build Coastguard Worker         IRB.CreateStore(Incr, MapPtrIdx)
832*08b48e0bSAndroid Build Coastguard Worker             ->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
833*08b48e0bSAndroid Build Coastguard Worker 
834*08b48e0bSAndroid Build Coastguard Worker       }                                                  /* non atomic case */
835*08b48e0bSAndroid Build Coastguard Worker 
836*08b48e0bSAndroid Build Coastguard Worker       /* Update prev_loc history vector (by placing cur_loc at the head of the
837*08b48e0bSAndroid Build Coastguard Worker          vector and shuffle the other elements back by one) */
838*08b48e0bSAndroid Build Coastguard Worker 
839*08b48e0bSAndroid Build Coastguard Worker       StoreInst *Store;
840*08b48e0bSAndroid Build Coastguard Worker 
841*08b48e0bSAndroid Build Coastguard Worker #ifdef AFL_HAVE_VECTOR_INTRINSICS
842*08b48e0bSAndroid Build Coastguard Worker       if (ngram_size) {
843*08b48e0bSAndroid Build Coastguard Worker 
844*08b48e0bSAndroid Build Coastguard Worker         Value *ShuffledPrevLoc = IRB.CreateShuffleVector(
845*08b48e0bSAndroid Build Coastguard Worker             PrevLoc, UndefValue::get(PrevLocTy), PrevLocShuffleMask);
846*08b48e0bSAndroid Build Coastguard Worker         Value *UpdatedPrevLoc = IRB.CreateInsertElement(
847*08b48e0bSAndroid Build Coastguard Worker             ShuffledPrevLoc, IRB.CreateLShr(CurLoc, (uint64_t)1), (uint64_t)0);
848*08b48e0bSAndroid Build Coastguard Worker 
849*08b48e0bSAndroid Build Coastguard Worker         Store = IRB.CreateStore(UpdatedPrevLoc, AFLPrevLoc);
850*08b48e0bSAndroid Build Coastguard Worker         Store->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
851*08b48e0bSAndroid Build Coastguard Worker 
852*08b48e0bSAndroid Build Coastguard Worker       } else
853*08b48e0bSAndroid Build Coastguard Worker 
854*08b48e0bSAndroid Build Coastguard Worker #endif
855*08b48e0bSAndroid Build Coastguard Worker       {
856*08b48e0bSAndroid Build Coastguard Worker 
857*08b48e0bSAndroid Build Coastguard Worker         Store = IRB.CreateStore(ConstantInt::get(Int32Ty, cur_loc >> 1),
858*08b48e0bSAndroid Build Coastguard Worker                                 AFLPrevLoc);
859*08b48e0bSAndroid Build Coastguard Worker         Store->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
860*08b48e0bSAndroid Build Coastguard Worker 
861*08b48e0bSAndroid Build Coastguard Worker       }
862*08b48e0bSAndroid Build Coastguard Worker 
863*08b48e0bSAndroid Build Coastguard Worker       // in CTX mode we have to restore the original context for the caller -
864*08b48e0bSAndroid Build Coastguard Worker       // she might be calling other functions which need the correct CTX.
865*08b48e0bSAndroid Build Coastguard Worker       // Currently this is only needed for the Ubuntu clang-6.0 bug
866*08b48e0bSAndroid Build Coastguard Worker       if (instrument_ctx && has_calls) {
867*08b48e0bSAndroid Build Coastguard Worker 
868*08b48e0bSAndroid Build Coastguard Worker         Instruction *Inst = BB.getTerminator();
869*08b48e0bSAndroid Build Coastguard Worker         if (isa<ReturnInst>(Inst) || isa<ResumeInst>(Inst)) {
870*08b48e0bSAndroid Build Coastguard Worker 
871*08b48e0bSAndroid Build Coastguard Worker           IRBuilder<> Post_IRB(Inst);
872*08b48e0bSAndroid Build Coastguard Worker 
873*08b48e0bSAndroid Build Coastguard Worker           StoreInst *RestoreCtx;
874*08b48e0bSAndroid Build Coastguard Worker #ifdef AFL_HAVE_VECTOR_INTRINSICS
875*08b48e0bSAndroid Build Coastguard Worker           if (ctx_k)
876*08b48e0bSAndroid Build Coastguard Worker             RestoreCtx = IRB.CreateStore(PrevCaller, AFLPrevCaller);
877*08b48e0bSAndroid Build Coastguard Worker           else
878*08b48e0bSAndroid Build Coastguard Worker #endif
879*08b48e0bSAndroid Build Coastguard Worker             RestoreCtx = Post_IRB.CreateStore(PrevCtx, AFLContext);
880*08b48e0bSAndroid Build Coastguard Worker           RestoreCtx->setMetadata(M.getMDKindID("nosanitize"),
881*08b48e0bSAndroid Build Coastguard Worker                                   MDNode::get(C, None));
882*08b48e0bSAndroid Build Coastguard Worker 
883*08b48e0bSAndroid Build Coastguard Worker         }
884*08b48e0bSAndroid Build Coastguard Worker 
885*08b48e0bSAndroid Build Coastguard Worker       }
886*08b48e0bSAndroid Build Coastguard Worker 
887*08b48e0bSAndroid Build Coastguard Worker       inst_blocks++;
888*08b48e0bSAndroid Build Coastguard Worker 
889*08b48e0bSAndroid Build Coastguard Worker     }
890*08b48e0bSAndroid Build Coastguard Worker 
891*08b48e0bSAndroid Build Coastguard Worker #if 0
892*08b48e0bSAndroid Build Coastguard Worker     if (use_threadsafe_counters) {                       /*Atomic NeverZero */
893*08b48e0bSAndroid Build Coastguard Worker       // handle the list of registered blocks to instrument
894*08b48e0bSAndroid Build Coastguard Worker       for (auto val : todo) {
895*08b48e0bSAndroid Build Coastguard Worker 
896*08b48e0bSAndroid Build Coastguard Worker         /* hexcoder: Realize a thread-safe counter that skips zero during
897*08b48e0bSAndroid Build Coastguard Worker          * overflow. Once this counter reaches its maximum value, it next
898*08b48e0bSAndroid Build Coastguard Worker          * increments to 1
899*08b48e0bSAndroid Build Coastguard Worker          *
900*08b48e0bSAndroid Build Coastguard Worker          * Instead of
901*08b48e0bSAndroid Build Coastguard Worker          * Counter + 1 -> Counter
902*08b48e0bSAndroid Build Coastguard Worker          * we inject now this
903*08b48e0bSAndroid Build Coastguard Worker          * Counter + 1 -> {Counter, OverflowFlag}
904*08b48e0bSAndroid Build Coastguard Worker          * Counter + OverflowFlag -> Counter
905*08b48e0bSAndroid Build Coastguard Worker          */
906*08b48e0bSAndroid Build Coastguard Worker 
907*08b48e0bSAndroid Build Coastguard Worker         /* equivalent c code looks like this
908*08b48e0bSAndroid Build Coastguard Worker          * Thanks to
909*08b48e0bSAndroid Build Coastguard Worker          https://preshing.com/20150402/you-can-do-any-kind-of-atomic-read-modify-write-operation/
910*08b48e0bSAndroid Build Coastguard Worker 
911*08b48e0bSAndroid Build Coastguard Worker             int old = atomic_load_explicit(&Counter, memory_order_relaxed);
912*08b48e0bSAndroid Build Coastguard Worker             int new;
913*08b48e0bSAndroid Build Coastguard Worker             do {
914*08b48e0bSAndroid Build Coastguard Worker 
915*08b48e0bSAndroid Build Coastguard Worker                  if (old == 255) {
916*08b48e0bSAndroid Build Coastguard Worker 
917*08b48e0bSAndroid Build Coastguard Worker                    new = 1;
918*08b48e0bSAndroid Build Coastguard Worker 
919*08b48e0bSAndroid Build Coastguard Worker                  } else {
920*08b48e0bSAndroid Build Coastguard Worker 
921*08b48e0bSAndroid Build Coastguard Worker                    new = old + 1;
922*08b48e0bSAndroid Build Coastguard Worker 
923*08b48e0bSAndroid Build Coastguard Worker                  }
924*08b48e0bSAndroid Build Coastguard Worker 
925*08b48e0bSAndroid Build Coastguard Worker             } while (!atomic_compare_exchange_weak_explicit(&Counter, &old, new,
926*08b48e0bSAndroid Build Coastguard Worker 
927*08b48e0bSAndroid Build Coastguard Worker          memory_order_relaxed, memory_order_relaxed));
928*08b48e0bSAndroid Build Coastguard Worker 
929*08b48e0bSAndroid Build Coastguard Worker          */
930*08b48e0bSAndroid Build Coastguard Worker 
931*08b48e0bSAndroid Build Coastguard Worker         Value *              MapPtrIdx = val;
932*08b48e0bSAndroid Build Coastguard Worker         Instruction *        MapPtrIdxInst = cast<Instruction>(val);
933*08b48e0bSAndroid Build Coastguard Worker         BasicBlock::iterator it0(&(*MapPtrIdxInst));
934*08b48e0bSAndroid Build Coastguard Worker         ++it0;
935*08b48e0bSAndroid Build Coastguard Worker         IRBuilder<> IRB(&(*it0));
936*08b48e0bSAndroid Build Coastguard Worker 
937*08b48e0bSAndroid Build Coastguard Worker         // load the old counter value atomically
938*08b48e0bSAndroid Build Coastguard Worker         LoadInst *Counter = IRB.CreateLoad(
939*08b48e0bSAndroid Build Coastguard Worker   #if LLVM_VERSION_MAJOR >= 14
940*08b48e0bSAndroid Build Coastguard Worker         IRB.getInt8Ty(),
941*08b48e0bSAndroid Build Coastguard Worker   #endif
942*08b48e0bSAndroid Build Coastguard Worker         MapPtrIdx);
943*08b48e0bSAndroid Build Coastguard Worker         Counter->setAlignment(llvm::Align());
944*08b48e0bSAndroid Build Coastguard Worker         Counter->setAtomic(llvm::AtomicOrdering::Monotonic);
945*08b48e0bSAndroid Build Coastguard Worker         Counter->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
946*08b48e0bSAndroid Build Coastguard Worker 
947*08b48e0bSAndroid Build Coastguard Worker         BasicBlock *BB = IRB.GetInsertBlock();
948*08b48e0bSAndroid Build Coastguard Worker         // insert a basic block with the corpus of a do while loop
949*08b48e0bSAndroid Build Coastguard Worker         // the calculation may need to repeat, if atomic compare_exchange is not
950*08b48e0bSAndroid Build Coastguard Worker         // successful
951*08b48e0bSAndroid Build Coastguard Worker 
952*08b48e0bSAndroid Build Coastguard Worker         BasicBlock::iterator it(*Counter);
953*08b48e0bSAndroid Build Coastguard Worker         it++;  // split after load counter
954*08b48e0bSAndroid Build Coastguard Worker         BasicBlock *end_bb = BB->splitBasicBlock(it);
955*08b48e0bSAndroid Build Coastguard Worker         end_bb->setName("injected");
956*08b48e0bSAndroid Build Coastguard Worker 
957*08b48e0bSAndroid Build Coastguard Worker         // insert the block before the second half of the split
958*08b48e0bSAndroid Build Coastguard Worker         BasicBlock *do_while_bb =
959*08b48e0bSAndroid Build Coastguard Worker             BasicBlock::Create(C, "injected", end_bb->getParent(), end_bb);
960*08b48e0bSAndroid Build Coastguard Worker 
961*08b48e0bSAndroid Build Coastguard Worker         // set terminator of BB from target end_bb to target do_while_bb
962*08b48e0bSAndroid Build Coastguard Worker         auto term = BB->getTerminator();
963*08b48e0bSAndroid Build Coastguard Worker         BranchInst::Create(do_while_bb, BB);
964*08b48e0bSAndroid Build Coastguard Worker         term->eraseFromParent();
965*08b48e0bSAndroid Build Coastguard Worker 
966*08b48e0bSAndroid Build Coastguard Worker         // continue to fill instructions into the do_while loop
967*08b48e0bSAndroid Build Coastguard Worker         IRB.SetInsertPoint(do_while_bb, do_while_bb->getFirstInsertionPt());
968*08b48e0bSAndroid Build Coastguard Worker 
969*08b48e0bSAndroid Build Coastguard Worker         PHINode *PN = IRB.CreatePHI(Int8Ty, 2);
970*08b48e0bSAndroid Build Coastguard Worker 
971*08b48e0bSAndroid Build Coastguard Worker         // compare with maximum value 0xff
972*08b48e0bSAndroid Build Coastguard Worker         auto *Cmp = IRB.CreateICmpEQ(Counter, ConstantInt::get(Int8Ty, -1));
973*08b48e0bSAndroid Build Coastguard Worker 
974*08b48e0bSAndroid Build Coastguard Worker         // increment the counter
975*08b48e0bSAndroid Build Coastguard Worker         Value *Incr = IRB.CreateAdd(Counter, One);
976*08b48e0bSAndroid Build Coastguard Worker 
977*08b48e0bSAndroid Build Coastguard Worker         // select the counter value or 1
978*08b48e0bSAndroid Build Coastguard Worker         auto *Select = IRB.CreateSelect(Cmp, One, Incr);
979*08b48e0bSAndroid Build Coastguard Worker 
980*08b48e0bSAndroid Build Coastguard Worker         // try to save back the new counter value
981*08b48e0bSAndroid Build Coastguard Worker         auto *CmpXchg = IRB.CreateAtomicCmpXchg(
982*08b48e0bSAndroid Build Coastguard Worker             MapPtrIdx, PN, Select, llvm::AtomicOrdering::Monotonic,
983*08b48e0bSAndroid Build Coastguard Worker             llvm::AtomicOrdering::Monotonic);
984*08b48e0bSAndroid Build Coastguard Worker         CmpXchg->setAlignment(llvm::Align());
985*08b48e0bSAndroid Build Coastguard Worker         CmpXchg->setWeak(true);
986*08b48e0bSAndroid Build Coastguard Worker         CmpXchg->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
987*08b48e0bSAndroid Build Coastguard Worker 
988*08b48e0bSAndroid Build Coastguard Worker         // get the result of trying to update the Counter
989*08b48e0bSAndroid Build Coastguard Worker         Value *Success =
990*08b48e0bSAndroid Build Coastguard Worker             IRB.CreateExtractValue(CmpXchg, ArrayRef<unsigned>({1}));
991*08b48e0bSAndroid Build Coastguard Worker         // get the (possibly updated) value of Counter
992*08b48e0bSAndroid Build Coastguard Worker         Value *OldVal =
993*08b48e0bSAndroid Build Coastguard Worker             IRB.CreateExtractValue(CmpXchg, ArrayRef<unsigned>({0}));
994*08b48e0bSAndroid Build Coastguard Worker 
995*08b48e0bSAndroid Build Coastguard Worker         // initially we use Counter
996*08b48e0bSAndroid Build Coastguard Worker         PN->addIncoming(Counter, BB);
997*08b48e0bSAndroid Build Coastguard Worker         // on retry, we use the updated value
998*08b48e0bSAndroid Build Coastguard Worker         PN->addIncoming(OldVal, do_while_bb);
999*08b48e0bSAndroid Build Coastguard Worker 
1000*08b48e0bSAndroid Build Coastguard Worker         // if the cmpXchg was not successful, retry
1001*08b48e0bSAndroid Build Coastguard Worker         IRB.CreateCondBr(Success, end_bb, do_while_bb);
1002*08b48e0bSAndroid Build Coastguard Worker 
1003*08b48e0bSAndroid Build Coastguard Worker       }
1004*08b48e0bSAndroid Build Coastguard Worker 
1005*08b48e0bSAndroid Build Coastguard Worker     }
1006*08b48e0bSAndroid Build Coastguard Worker 
1007*08b48e0bSAndroid Build Coastguard Worker #endif
1008*08b48e0bSAndroid Build Coastguard Worker 
1009*08b48e0bSAndroid Build Coastguard Worker   }
1010*08b48e0bSAndroid Build Coastguard Worker 
1011*08b48e0bSAndroid Build Coastguard Worker   /*
1012*08b48e0bSAndroid Build Coastguard Worker     // This is currently disabled because we not only need to create/insert a
1013*08b48e0bSAndroid Build Coastguard Worker     // function (easy), but also add it as a constructor with an ID < 5
1014*08b48e0bSAndroid Build Coastguard Worker 
1015*08b48e0bSAndroid Build Coastguard Worker     if (getenv("AFL_LLVM_DONTWRITEID") == NULL) {
1016*08b48e0bSAndroid Build Coastguard Worker 
1017*08b48e0bSAndroid Build Coastguard Worker       // yes we could create our own function, insert it into ctors ...
1018*08b48e0bSAndroid Build Coastguard Worker       // but this would be a pain in the butt ... so we use afl-llvm-rt.o
1019*08b48e0bSAndroid Build Coastguard Worker 
1020*08b48e0bSAndroid Build Coastguard Worker       Function *f = ...
1021*08b48e0bSAndroid Build Coastguard Worker 
1022*08b48e0bSAndroid Build Coastguard Worker       if (!f) {
1023*08b48e0bSAndroid Build Coastguard Worker 
1024*08b48e0bSAndroid Build Coastguard Worker         fprintf(stderr,
1025*08b48e0bSAndroid Build Coastguard Worker                 "Error: init function could not be created (this should not
1026*08b48e0bSAndroid Build Coastguard Worker     happen)\n"); exit(-1);
1027*08b48e0bSAndroid Build Coastguard Worker 
1028*08b48e0bSAndroid Build Coastguard Worker       }
1029*08b48e0bSAndroid Build Coastguard Worker 
1030*08b48e0bSAndroid Build Coastguard Worker       ... constructor for f = 4
1031*08b48e0bSAndroid Build Coastguard Worker 
1032*08b48e0bSAndroid Build Coastguard Worker       BasicBlock *bb = &f->getEntryBlock();
1033*08b48e0bSAndroid Build Coastguard Worker       if (!bb) {
1034*08b48e0bSAndroid Build Coastguard Worker 
1035*08b48e0bSAndroid Build Coastguard Worker         fprintf(stderr,
1036*08b48e0bSAndroid Build Coastguard Worker                 "Error: init function does not have an EntryBlock (this should
1037*08b48e0bSAndroid Build Coastguard Worker     not happen)\n"); exit(-1);
1038*08b48e0bSAndroid Build Coastguard Worker 
1039*08b48e0bSAndroid Build Coastguard Worker       }
1040*08b48e0bSAndroid Build Coastguard Worker 
1041*08b48e0bSAndroid Build Coastguard Worker       BasicBlock::iterator IP = bb->getFirstInsertionPt();
1042*08b48e0bSAndroid Build Coastguard Worker       IRBuilder<>          IRB(&(*IP));
1043*08b48e0bSAndroid Build Coastguard Worker 
1044*08b48e0bSAndroid Build Coastguard Worker       if (map_size <= 0x800000) {
1045*08b48e0bSAndroid Build Coastguard Worker 
1046*08b48e0bSAndroid Build Coastguard Worker         GlobalVariable *AFLFinalLoc = new GlobalVariable(
1047*08b48e0bSAndroid Build Coastguard Worker             M, Int32Ty, true, GlobalValue::ExternalLinkage, 0,
1048*08b48e0bSAndroid Build Coastguard Worker             "__afl_final_loc");
1049*08b48e0bSAndroid Build Coastguard Worker         ConstantInt *const_loc = ConstantInt::get(Int32Ty, map_size);
1050*08b48e0bSAndroid Build Coastguard Worker         StoreInst *  StoreFinalLoc = IRB.CreateStore(const_loc, AFLFinalLoc);
1051*08b48e0bSAndroid Build Coastguard Worker         StoreFinalLoc->setMetadata(M.getMDKindID("nosanitize"),
1052*08b48e0bSAndroid Build Coastguard Worker                                      MDNode::get(C, None));
1053*08b48e0bSAndroid Build Coastguard Worker 
1054*08b48e0bSAndroid Build Coastguard Worker       }
1055*08b48e0bSAndroid Build Coastguard Worker 
1056*08b48e0bSAndroid Build Coastguard Worker     }
1057*08b48e0bSAndroid Build Coastguard Worker 
1058*08b48e0bSAndroid Build Coastguard Worker   */
1059*08b48e0bSAndroid Build Coastguard Worker 
1060*08b48e0bSAndroid Build Coastguard Worker   /* Say something nice. */
1061*08b48e0bSAndroid Build Coastguard Worker 
1062*08b48e0bSAndroid Build Coastguard Worker   if (!be_quiet) {
1063*08b48e0bSAndroid Build Coastguard Worker 
1064*08b48e0bSAndroid Build Coastguard Worker     if (!inst_blocks)
1065*08b48e0bSAndroid Build Coastguard Worker       WARNF("No instrumentation targets found.");
1066*08b48e0bSAndroid Build Coastguard Worker     else {
1067*08b48e0bSAndroid Build Coastguard Worker 
1068*08b48e0bSAndroid Build Coastguard Worker       char modeline[100];
1069*08b48e0bSAndroid Build Coastguard Worker       snprintf(modeline, sizeof(modeline), "%s%s%s%s%s%s",
1070*08b48e0bSAndroid Build Coastguard Worker                getenv("AFL_HARDEN") ? "hardened" : "non-hardened",
1071*08b48e0bSAndroid Build Coastguard Worker                getenv("AFL_USE_ASAN") ? ", ASAN" : "",
1072*08b48e0bSAndroid Build Coastguard Worker                getenv("AFL_USE_MSAN") ? ", MSAN" : "",
1073*08b48e0bSAndroid Build Coastguard Worker                getenv("AFL_USE_CFISAN") ? ", CFISAN" : "",
1074*08b48e0bSAndroid Build Coastguard Worker                getenv("AFL_USE_TSAN") ? ", TSAN" : "",
1075*08b48e0bSAndroid Build Coastguard Worker                getenv("AFL_USE_UBSAN") ? ", UBSAN" : "");
1076*08b48e0bSAndroid Build Coastguard Worker       OKF("Instrumented %d locations (%s mode, ratio %u%%).", inst_blocks,
1077*08b48e0bSAndroid Build Coastguard Worker           modeline, inst_ratio);
1078*08b48e0bSAndroid Build Coastguard Worker 
1079*08b48e0bSAndroid Build Coastguard Worker     }
1080*08b48e0bSAndroid Build Coastguard Worker 
1081*08b48e0bSAndroid Build Coastguard Worker   }
1082*08b48e0bSAndroid Build Coastguard Worker 
1083*08b48e0bSAndroid Build Coastguard Worker #if LLVM_VERSION_MAJOR >= 11                        /* use new pass manager */
1084*08b48e0bSAndroid Build Coastguard Worker   return PA;
1085*08b48e0bSAndroid Build Coastguard Worker #else
1086*08b48e0bSAndroid Build Coastguard Worker   return true;
1087*08b48e0bSAndroid Build Coastguard Worker #endif
1088*08b48e0bSAndroid Build Coastguard Worker 
1089*08b48e0bSAndroid Build Coastguard Worker }
1090*08b48e0bSAndroid Build Coastguard Worker 
1091*08b48e0bSAndroid Build Coastguard Worker #if LLVM_VERSION_MAJOR < 11                         /* use old pass manager */
/* Legacy pass manager hook. It is handed to the RegisterStandardPasses
   objects in this file and appends a freshly allocated AFLCoverage pass to
   the pass manager that is being populated. The PassManagerBuilder argument
   is not used. The pass is allocated with plain new and never deleted here;
   PM.add() is expected to take ownership of it. */
static void registerAFLPass(const PassManagerBuilder &,
                            legacy::PassManagerBase &PM) {

  auto *CoveragePass = new AFLCoverage();
  PM.add(CoveragePass);

}
1098*08b48e0bSAndroid Build Coastguard Worker 
/* Hook registerAFLPass into the legacy pass pipeline at two extension points.
   Both objects are file-scope statics, so the registration happens when the
   plugin is loaded. EP_OptimizerLast places the pass at the end of the
   optimizer pipeline. */
static RegisterStandardPasses RegisterAFLPass{
    PassManagerBuilder::EP_OptimizerLast, &registerAFLPass};

/* EP_EnabledOnOptLevel0 keeps the instrumentation active when the target is
   built without optimization, where EP_OptimizerLast alone would not run. */
static RegisterStandardPasses RegisterAFLPass0{
    PassManagerBuilder::EP_EnabledOnOptLevel0, &registerAFLPass};
1104*08b48e0bSAndroid Build Coastguard Worker #endif
1105*08b48e0bSAndroid Build Coastguard Worker 