1 commit 1e1e67d0a7d16db0a4331702af713a163c40b87f
2 Author: Jesse Schwartzentruber <truber@mozilla.com>
3 Date: Fri Jul 14 11:04:04 2023 -0400
5 Increase MAP_SIZE for Nyx
7 diff --git a/include/config.h b/include/config.h
8 index 988e536e..5e9870c0 100644
9 --- a/include/config.h
10 +++ b/include/config.h
11 @@ -459,7 +459,7 @@
12 problems with complex programs). You need to recompile the target binary
13 after changing this - otherwise, SEGVs may ensue. */
15 -#define MAP_SIZE_POW2 16
16 +#define MAP_SIZE_POW2 23
18 /* Do not change this unless you really know what you are doing. */
20 commit a6e42d98d9d3e936dc74729f17ab1208d477c944
21 Author: vanhauser-thc <vh@thc.org>
22 Date: Tue Jun 18 15:09:11 2024 +0200
24 llvm 19 fixes
26 diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc
27 index a09f28a90..63ea71c1b 100644
28 --- a/instrumentation/SanitizerCoverageLTO.so.cc
29 +++ b/instrumentation/SanitizerCoverageLTO.so.cc
30 @@ -214,8 +214,12 @@ class ModuleSanitizerCoverageLTO
32 void SetNoSanitizeMetadata(Instruction *I) {
34 +#if LLVM_VERSION_MAJOR >= 19
35 + I->setNoSanitizeMetadata();
36 +#else
37 I->setMetadata(I->getModule()->getMDKindID("nosanitize"),
38 MDNode::get(*C, None));
39 +#endif
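Review bot: The fallback kept below the new `#if LLVM_VERSION_MAJOR >= 19` branch still emits `MDNode::get(*C, None)` through `getMDKindID("nosanitize")`, while the same `SetNoSanitizeMetadata` helper in SanitizerCoveragePCGUARD.so.cc in this very patch adds an `#elif LLVM_VERSION_MAJOR >= 16` step using `LLVMContext::MD_nosanitize` and `std::nullopt`. If both passes are meant to build against the same LLVM range, the LTO variant should get the identical middle branch: `#elif LLVM_VERSION_MAJOR >= 16` / `I->setMetadata(LLVMContext::MD_nosanitize, MDNode::get(*C, std::nullopt));`. The function's closing brace lies outside the visible hunk.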
43 @@ -225,7 +229,7 @@ class ModuleSanitizerCoverageLTO
44 FunctionCallee SanCovTracePCIndir;
45 FunctionCallee SanCovTracePC /*, SanCovTracePCGuard*/;
46 Type *IntptrTy, *IntptrPtrTy, *Int64Ty, *Int64PtrTy, *Int32Ty, *Int32PtrTy,
47 - *Int16Ty, *Int8Ty, *Int8PtrTy, *Int1Ty, *Int1PtrTy;
48 + *Int16Ty, *Int8Ty, *Int8PtrTy, *Int1Ty, *Int1PtrTy, *PtrTy;
49 Module *CurModule;
50 std::string CurModuleUniqueId;
51 Triple TargetTriple;
52 @@ -416,6 +420,7 @@ bool ModuleSanitizerCoverageLTO::instrumentModule(
53 Int16Ty = IRB.getInt16Ty();
54 Int8Ty = IRB.getInt8Ty();
55 Int1Ty = IRB.getInt1Ty();
56 + PtrTy = PointerType::getUnqual(*C);
58 /* AFL++ START */
59 char *ptr;
60 @@ -1350,7 +1355,7 @@ void ModuleSanitizerCoverageLTO::instrumentFunction(
61 Function &F, DomTreeCallback DTCallback, PostDomTreeCallback PDTCallback) {
63 if (F.empty()) return;
64 - if (F.getName().find(".module_ctor") != std::string::npos)
65 + if (F.getName().contains(".module_ctor"))
66 return; // Should not instrument sanitizer init functions.
67 #if LLVM_VERSION_MAJOR >= 18
68 if (F.getName().starts_with("__sanitizer_"))
69 @@ -1372,6 +1377,10 @@ void ModuleSanitizerCoverageLTO::instrumentFunction(
70 if (F.hasPersonalityFn() &&
71 isAsynchronousEHPersonality(classifyEHPersonality(F.getPersonalityFn())))
72 return;
73 + if (F.hasFnAttribute(Attribute::NoSanitizeCoverage)) return;
74 +#if LLVM_VERSION_MAJOR >= 19
75 + if (F.hasFnAttribute(Attribute::DisableSanitizerInstrumentation)) return;
76 +#endif
77 // if (Allowlist && !Allowlist->inSection("coverage", "fun", F.getName()))
78 // return;
79 // if (Blocklist && Blocklist->inSection("coverage", "fun", F.getName()))
80 @@ -2023,16 +2032,20 @@ GlobalVariable *ModuleSanitizerCoverageLTO::CreatePCArray(
82 if (&F.getEntryBlock() == AllBlocks[i]) {
84 - PCs.push_back((Constant *)IRB.CreatePointerCast(&F, IntptrPtrTy));
85 - PCs.push_back((Constant *)IRB.CreateIntToPtr(
86 - ConstantInt::get(IntptrTy, 1), IntptrPtrTy));
87 + PCs.push_back((Constant *)IRB.CreatePointerCast(&F, PtrTy));
88 + PCs.push_back(
89 + (Constant *)IRB.CreateIntToPtr(ConstantInt::get(IntptrTy, 1), PtrTy));
91 } else {
93 PCs.push_back((Constant *)IRB.CreatePointerCast(
94 - BlockAddress::get(AllBlocks[i]), IntptrPtrTy));
95 - PCs.push_back((Constant *)IRB.CreateIntToPtr(
96 - ConstantInt::get(IntptrTy, 0), IntptrPtrTy));
97 + BlockAddress::get(AllBlocks[i]), PtrTy));
98 +#if LLVM_VERSION_MAJOR >= 16
99 + PCs.push_back(Constant::getNullValue(PtrTy));
100 +#else
101 + PCs.push_back(
102 + (Constant *)IRB.CreateIntToPtr(ConstantInt::get(IntptrTy, 0), PtrTy));
103 +#endif
107 diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc
108 index 01881f28e..49fe904be 100644
109 --- a/instrumentation/SanitizerCoveragePCGUARD.so.cc
110 +++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc
111 @@ -161,7 +161,9 @@ class ModuleSanitizerCoverageAFL
113 void SetNoSanitizeMetadata(Instruction *I) {
115 -#if LLVM_VERSION_MAJOR >= 16
116 +#if LLVM_VERSION_MAJOR >= 19
117 + I->setNoSanitizeMetadata();
118 +#elif LLVM_VERSION_MAJOR >= 16
119 I->setMetadata(LLVMContext::MD_nosanitize, MDNode::get(*C, std::nullopt));
120 #else
121 I->setMetadata(I->getModule()->getMDKindID("nosanitize"),
122 @@ -179,7 +181,7 @@ class ModuleSanitizerCoverageAFL
123 FunctionCallee SanCovTraceSwitchFunction;
124 GlobalVariable *SanCovLowestStack;
125 Type *IntptrTy, *IntptrPtrTy, *Int64Ty, *Int64PtrTy, *Int32Ty, *Int32PtrTy,
126 - *Int16Ty, *Int8Ty, *Int8PtrTy, *Int1Ty, *Int1PtrTy;
127 + *Int16Ty, *Int8Ty, *Int8PtrTy, *Int1Ty, *Int1PtrTy, *PtrTy;
128 Module *CurModule;
129 std::string CurModuleUniqueId;
130 Triple TargetTriple;
131 @@ -272,13 +274,19 @@ std::pair<Value *, Value *> ModuleSanitizerCoverageAFL::CreateSecStartEnd(
132 if (!TargetTriple.isOSBinFormatCOFF())
133 return std::make_pair(SecStart, SecEnd);
135 - // Account for the fact that on windows-msvc __start_* symbols actually
136 - // point to a uint64_t before the start of the array.
137 + // Account for the fact that on windows-msvc __start_* symbols actually
138 + // point to a uint64_t before the start of the array.
139 +#if LLVM_VERSION_MAJOR >= 19
140 + auto GEP =
141 + IRB.CreatePtrAdd(SecStart, ConstantInt::get(IntptrTy, sizeof(uint64_t)));
142 + return std::make_pair(GEP, SecEnd);
143 +#else
144 auto SecStartI8Ptr = IRB.CreatePointerCast(SecStart, Int8PtrTy);
145 auto GEP = IRB.CreateGEP(Int8Ty, SecStartI8Ptr,
146 ConstantInt::get(IntptrTy, sizeof(uint64_t)));
147 return std::make_pair(IRB.CreatePointerCast(GEP, PointerType::getUnqual(Ty)),
148 SecEnd);
149 +#endif
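Review bot: In the new `#if LLVM_VERSION_MAJOR >= 19` branch the `Ty` value that the `#else` path still passes to `PointerType::getUnqual(Ty)` is no longer referenced; if `Ty` is a parameter of `CreateSecStartEnd` (its signature is outside the hunk), builds with `-Wunused-parameter` will warn on LLVM 19+. A `(void)Ty;` inside the new branch, or `[[maybe_unused]]` on the parameter, silences that without touching the older path. The two comment lines above the `#if` changed only in indentation, which is harmless but makes the hunk noisier than necessary.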
153 @@ -370,6 +378,7 @@ bool ModuleSanitizerCoverageAFL::instrumentModule(
154 Int16Ty = IRB.getInt16Ty();
155 Int8Ty = IRB.getInt8Ty();
156 Int1Ty = IRB.getInt1Ty();
157 + PtrTy = PointerType::getUnqual(*C);
159 LLVMContext &Ctx = M.getContext();
160 AFLMapPtr =
161 @@ -572,7 +581,8 @@ void ModuleSanitizerCoverageAFL::instrumentFunction(
163 if (F.empty()) return;
164 if (!isInInstrumentList(&F, FMNAME)) return;
165 - if (F.getName().find(".module_ctor") != std::string::npos)
166 + // if (F.getName().find(".module_ctor") != std::string::npos)
167 + if (F.getName().contains(".module_ctor"))
168 return; // Should not instrument sanitizer init functions.
169 #if LLVM_VERSION_MAJOR >= 18
170 if (F.getName().starts_with("__sanitizer_"))
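Review bot: The commented-out line `// if (F.getName().find(".module_ctor") != std::string::npos)` is dead code left directly above its replacement; the equivalent hunk in SanitizerCoverageLTO.so.cc in this patch drops the old form outright, and git history already preserves it. Remove the comment line so the two `instrumentFunction` bodies stay consistent and the `return; // Should not instrument sanitizer init functions.` reads against a single condition.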
171 @@ -595,6 +605,9 @@ void ModuleSanitizerCoverageAFL::instrumentFunction(
172 isAsynchronousEHPersonality(classifyEHPersonality(F.getPersonalityFn())))
173 return;
174 if (F.hasFnAttribute(Attribute::NoSanitizeCoverage)) return;
175 +#if LLVM_VERSION_MAJOR >= 19
176 + if (F.hasFnAttribute(Attribute::DisableSanitizerInstrumentation)) return;
177 +#endif
178 if (Options.CoverageType >= SanitizerCoverageOptions::SCK_Edge)
179 SplitAllCriticalEdges(
180 F, CriticalEdgeSplittingOptions().setIgnoreUnreachableDests());
181 @@ -692,16 +705,16 @@ GlobalVariable *ModuleSanitizerCoverageAFL::CreatePCArray(
183 if (&F.getEntryBlock() == AllBlocks[i]) {
185 - PCs.push_back((Constant *)IRB.CreatePointerCast(&F, IntptrPtrTy));
186 - PCs.push_back((Constant *)IRB.CreateIntToPtr(
187 - ConstantInt::get(IntptrTy, 1), IntptrPtrTy));
188 + PCs.push_back((Constant *)IRB.CreatePointerCast(&F, PtrTy));
189 + PCs.push_back(
190 + (Constant *)IRB.CreateIntToPtr(ConstantInt::get(IntptrTy, 1), PtrTy));
192 } else {
194 PCs.push_back((Constant *)IRB.CreatePointerCast(
195 - BlockAddress::get(AllBlocks[i]), IntptrPtrTy));
196 + BlockAddress::get(AllBlocks[i]), PtrTy));
197 #if LLVM_VERSION_MAJOR >= 16
198 - PCs.push_back(Constant::getNullValue(IntptrPtrTy));
199 + PCs.push_back(Constant::getNullValue(PtrTy));
200 #else
201 PCs.push_back((Constant *)IRB.CreateIntToPtr(
202 ConstantInt::get(IntptrTy, 0), IntptrPtrTy));
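Review bot: The LLVM < 16 fallback at the end of this hunk still pushes `(Constant *)IRB.CreateIntToPtr(ConstantInt::get(IntptrTy, 0), IntptrPtrTy)` into `PCs`, while every other element is now typed `PtrTy` and the array becomes `ArrayType::get(PtrTy, N * 2)` in the following hunk, so a typed-pointer LLVM would hand `ConstantArray::get` a mismatched element type. The LTO counterpart in SanitizerCoverageLTO.so.cc already converts that path to `PtrTy`; the same change, `ConstantInt::get(IntptrTy, 0), PtrTy));`, keeps the two passes consistent. Whether the pre-16 path is still a supported build target for this pass is not visible here, so the fix may be moot but costs nothing.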
203 @@ -711,10 +724,10 @@ GlobalVariable *ModuleSanitizerCoverageAFL::CreatePCArray(
207 - auto *PCArray = CreateFunctionLocalArrayInSection(N * 2, F, IntptrPtrTy,
208 - SanCovPCsSectionName);
209 + auto *PCArray =
210 + CreateFunctionLocalArrayInSection(N * 2, F, PtrTy, SanCovPCsSectionName);
211 PCArray->setInitializer(
212 - ConstantArray::get(ArrayType::get(IntptrPtrTy, N * 2), PCs));
213 + ConstantArray::get(ArrayType::get(PtrTy, N * 2), PCs));
214 PCArray->setConstant(true);
216 return PCArray;
217 @@ -822,7 +835,12 @@ bool ModuleSanitizerCoverageAFL::InjectCoverage(
218 StringRef FuncName = Callee->getName();
219 if (FuncName.compare(StringRef("__afl_coverage_interesting"))) continue;
221 +#if LLVM_VERSION_MAJOR >= 20
222 + // test canary
223 + InstrumentationIRBuilder IRB(callInst);
224 +#else
225 IRBuilder<> IRB(callInst);
226 +#endif
228 if (!FunctionGuardArray) {
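Review bot: The comment `// test canary` above `InstrumentationIRBuilder IRB(callInst);` reads as a leftover debugging marker and tells the next maintainer nothing about why the LLVM 20 branch needs a different builder. Replace it with the reason, e.g. `// LLVM 20: build instrumentation at the call site with InstrumentationIRBuilder`, adjusted to the actual motivation if it was something else (not visible here). The surrounding `InjectCoverage` body continues outside the hunk.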
230 commit 8fcca6fb410a6ece1a4cd2eb8a2cdeed4d4d9865
231 Author: "Christian Holler (:decoder)" <choller@mozilla.com>
232 Date: Wed Jun 19 12:36:58 2024 +0200
234 Collect persistent coverage data and dump it at the end of the run
236 With CODE_COVERAGE builds, we need to collect the coverage data of each
237 iteration in a persistent buffer that has the same size as the regular
238 trace buffer used for fuzzing. We dump this information at the end of
239 the run and when combined with pointer data and module info, this can be
240 used to calculate code coverage.
242 diff --git a/include/forkserver.h b/include/forkserver.h
243 index 593e34a29..3fd813a4f 100644
244 --- a/include/forkserver.h
245 +++ b/include/forkserver.h
246 @@ -206,6 +206,10 @@ typedef struct afl_forkserver {
247 s32 nyx_log_fd;
248 #endif
250 +#ifdef __AFL_CODE_COVERAGE
251 + u8 *persistent_trace_bits; /* Persistent copy of bitmap */
252 +#endif
254 } afl_forkserver_t;
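Review bot: The new field's comment `/* Persistent copy of bitmap */` does not match what src/afl-fuzz-run.c in this same patch does with it: each byte is a saturating (stops at 255) count of runs in which that edge fired, accumulated across all executions, not a copy of any single trace map. Suggested comment: `/* Saturating per-edge hit count across all runs (CODE_COVERAGE) */`. It is also worth recording that the buffer is allocated lazily on the first run and is never freed.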
256 typedef enum fsrv_run_result {
257 diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
258 index 71d8570dc..a998c10f0 100644
259 --- a/src/afl-forkserver.c
260 +++ b/src/afl-forkserver.c
261 @@ -252,6 +252,10 @@ void afl_fsrv_init(afl_forkserver_t *fsrv) {
262 fsrv->uses_crash_exitcode = false;
263 fsrv->uses_asan = false;
265 +#ifdef __AFL_CODE_COVERAGE
266 + fsrv->persistent_trace_bits = NULL;
267 +#endif
269 fsrv->init_child_func = fsrv_exec_child;
270 list_append(&fsrv_list, fsrv);
272 @@ -278,6 +282,10 @@ void afl_fsrv_init_dup(afl_forkserver_t *fsrv_to, afl_forkserver_t *from) {
273 fsrv_to->fsrv_kill_signal = from->fsrv_kill_signal;
274 fsrv_to->debug = from->debug;
276 +#ifdef __AFL_CODE_COVERAGE
277 + fsrv_to->persistent_trace_bits = from->persistent_trace_bits;
278 +#endif
280 // These are forkserver specific.
281 fsrv_to->out_dir_fd = -1;
282 fsrv_to->child_pid = -1;
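Review bot: `afl_fsrv_init_dup` copies `persistent_trace_bits` by value, so two forkservers can reference the same heap buffer with nothing stating who owns it; the patch never frees the buffer, so there is no double-free today, but any future cleanup path would need that knowledge. If `from` has not executed yet the pointer is still NULL (set in `afl_fsrv_init` above), and the lazy allocation in `fuzz_run_target` then appears to give the duplicate its own buffer, which the final dump in afl-fuzz.c (reading only `afl->fsrv.persistent_trace_bits`) would not include. A one-line comment on the assignment, e.g. `/* shared with 'from'; owned by the primary forkserver, never freed */`, would make the intended ownership explicit.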
283 diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
284 index 6a0da6abb..c234fc429 100644
285 --- a/src/afl-fuzz-run.c
286 +++ b/src/afl-fuzz-run.c
287 @@ -60,6 +60,27 @@ fuzz_run_target(afl_state_t *afl, afl_forkserver_t *fsrv, u32 timeout) {
289 fsrv_run_result_t res = afl_fsrv_run_target(fsrv, timeout, &afl->stop_soon);
291 +#ifdef __AFL_CODE_COVERAGE
292 + if (unlikely(!fsrv->persistent_trace_bits)) {
294 + // On the first run, we allocate the persistent map to collect coverage.
295 + fsrv->persistent_trace_bits = (u8 *)malloc(fsrv->map_size);
296 + memset(fsrv->persistent_trace_bits, 0, fsrv->map_size);
300 + for (u32 i = 0; i < fsrv->map_size; ++i) {
302 + if (fsrv->persistent_trace_bits[i] != 255 && fsrv->trace_bits[i]) {
304 + fsrv->persistent_trace_bits[i]++;
310 +#endif
312 /* If post_run() function is defined in custom mutator, the function will be
313 called each time after AFL++ executes the target program. */
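Review bot: The lazily allocated buffer comes from a bare `malloc(fsrv->map_size)` whose result is passed straight to `memset`, so an allocation failure becomes a NULL dereference instead of a diagnostic. AFL++'s own wrapper `ck_alloc` aborts on failure and returns zeroed memory, so `fsrv->persistent_trace_bits = ck_alloc(fsrv->map_size);` replaces both lines; otherwise keep `malloc` but add `if (!fsrv->persistent_trace_bits) PFATAL("malloc");` before the `memset`. The accumulation loop correctly saturates each counter at 255; its closing braces fall outside the visible lines.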
315 diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
316 index a09a53ec8..0209e74fe 100644
317 --- a/src/afl-fuzz.c
318 +++ b/src/afl-fuzz.c
319 @@ -3130,6 +3130,28 @@ int main(int argc, char **argv_orig, char **envp) {
320 write_bitmap(afl);
321 save_auto(afl);
323 + #ifdef __AFL_CODE_COVERAGE
324 + if (afl->fsrv.persistent_trace_bits) {
326 + char cfn[4096];
327 + snprintf(cfn, sizeof(cfn), "%s/covmap.dump", afl->out_dir);
329 + FILE *cov_fd;
330 + if ((cov_fd = fopen(cfn, "w")) == NULL) {
332 + PFATAL("could not create '%s'", cfn);
336 + // Write the real map size, as the map size must exactly match the pointer
337 + // map in length.
338 + fwrite(afl->fsrv.persistent_trace_bits, 1, afl->fsrv.real_map_size, cov_fd);
339 + fclose(cov_fd);
343 + #endif
345 if (afl->pizza_is_served) {
347 SAYF(CURSOR_SHOW cLRD "\n\n+++ Baking aborted %s +++\n" cRST,
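Review bot: The `fwrite` of `real_map_size` bytes to `covmap.dump` is unchecked, and so is `fclose`, so a short or failed write leaves a truncated file that the downstream tooling — which, per the comment, requires the length to match the pointer map exactly — would misread silently. Check both: `if (fwrite(afl->fsrv.persistent_trace_bits, 1, afl->fsrv.real_map_size, cov_fd) != afl->fsrv.real_map_size || fclose(cov_fd) != 0) PFATAL("write to '%s' failed", cfn);`. The fixed `char cfn[4096]` with `snprintf` also silently truncates long `out_dir` values where `alloc_printf` would not, and the `#ifdef`/`#endif` pair is indented one level unlike every other preprocessor block in this patch.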