Merge pull request #69 from AngoraFuzzer/dev

Implement never-zero counter and inst_ratio

Author: spinpx

README.md

@@ -112,6 +112,3 @@ For more information, please refer to the documentation under the
 - [Environment variables](./docs/environment_variables.md)
 - [UI Terminology](./docs/ui.md)
 - [Troubleshoot](./docs/troubleshoot.md)
-
---------
-Angora is maintained by [ByteDance AI Lab](https://ailab.bytedance.com/) now.

docs/environment_variables.md

@@ -8,6 +8,7 @@
 - `ANGORA_OUTPUT_COND_LOC=1` : (Debug option) Output the location of each predicate during compiling.
 - `ANGORA_TAINT_CUSTOM_RULE=/path/to/object` : object contains those proxy function (how to propagate taints), e.g. `ANGORA_TAINT_CUSTOM_RULE=~/angora/bin/lib/zlib-func.o` . You should add it as custom type in the file passed by `ANGORA_TAINT_RULE_LIST` first.
 - `ANGORA_TAINT_RULE_LIST=/path/to/list` : DataFlowSanitizer’s [ABI list](https://clang.llvm.org/docs/DataFlowSanitizer.html), e.g. `ANGORA_TAINT_RULE_LIST=~/angora/bin/rules/zlib_abilist.txt`.
+- `ANGORA_INST_RATIO`: 
 
 # Environment variables for running
 

fuzzer/Cargo.toml

@@ -11,7 +11,7 @@ unstable = []
 clap = "2.32"
 log = "0.4"
 pretty_env_logger = "0.3"
-rand = "0.6"
+rand = "0.7"
 libc = "0.2"
 wait-timeout = "0.2"
 ctrlc = { version = "3.1", features = ["termination"] }

fuzzer/src/command.rs

@@ -84,7 +84,7 @@ impl CommandOpt {
         let clang_lib = Command::new("llvm-config")
             .arg("--libdir")
             .output()
-            .unwrap()
+            .expect("Can't find llvm-config")
             .stdout;
         let clang_lib = String::from_utf8(clang_lib).unwrap();
         let ld_library = "$LD_LIBRARY_PATH:".to_string() + clang_lib.trim();

llvm_mode/compiler/angora_clang.c

@@ -378,12 +378,12 @@ static void edit_params(u32 argc, char **argv) {
       break;
     case 32:
       /* if (access(cc_params[cc_par_cnt - 1], R_OK)) */
-      FATAL("-m32 is not supported by your compiler");
+      // FATAL("-m32 is not supported by your compiler");
       break;
 
     case 64:
       /* if (access(cc_params[cc_par_cnt - 1], R_OK)) */
-      FATAL("-m64 is not supported by your compiler");
+      // FATAL("-m64 is not supported by your compiler");
       break;
     }
   }

llvm_mode/libcxx/compile.sh

@@ -1,5 +1,8 @@
 #!/usr/bin/env bash
 
+BIN_PATH=$(readlink -f "$0")
+ROOT_DIR=$(dirname $(dirname $(dirname $BIN_PATH)))
+
 LLVM_VERSION=7.0.0
 
 NINJA_B=`which ninja 2>/dev/null`
@@ -62,7 +65,7 @@ ninja cxx cxxabi
 cd ..
 mkdir build_track && cd build_track/
 
-CC=~/angora/bin/angora-clang CXX=~/angora/bin/angora-clang++ cmake -G Ninja ../llvm_src  -DLIBCXXABI_ENABLE_SHARED=NO -DLIBCXX_ENABLE_SHARED=NO -DLIBCXX_CXX_ABI=libcxxabi 
+CC=${ROOT_DIR}/bin/angora-clang CXX=${ROOT_DIR}/bin/angora-clang++ cmake -G Ninja ../llvm_src  -DLIBCXXABI_ENABLE_SHARED=NO -DLIBCXX_ENABLE_SHARED=NO -DLIBCXX_CXX_ABI=libcxxabi 
 #-DLLVM_FORCE_USE_OLD_TOOLCHAIN=YES 
 USE_DFSAN=1 ninja cxx cxxabi
 

llvm_mode/pass/AngoraPass.cc

@@ -63,6 +63,7 @@ class AngoraLLVMPass : public ModulePass {
   u32 CidCounter;
   unsigned long int RandSeed = 1;
   bool is_bc;
+  unsigned int inst_ratio = 100;
 
   // Const Variables
   DenseSet<u32> UniqCidSet;
@@ -117,6 +118,7 @@ class AngoraLLVMPass : public ModulePass {
   bool runOnModule(Module &M) override;
   u32 getInstructionId(Instruction *Inst);
   u32 getRandomBasicBlockId();
+  bool skipBasicBlock();
   u32 getRandomNum();
   void setRandomNumSeed(u32 seed);
   u32 getRandomContextId();
@@ -145,6 +147,8 @@ char AngoraLLVMPass::ID = 0;
 
 u32 AngoraLLVMPass::getRandomBasicBlockId() { return random() % MAP_SIZE; }
 
+bool AngoraLLVMPass::skipBasicBlock() { return (random() % 100) >= inst_ratio; }
+
 // http://pubs.opengroup.org/onlinepubs/009695399/functions/rand.html
 u32 AngoraLLVMPass::getRandomNum() {
   RandSeed = RandSeed * 1103515245 + 12345;
@@ -222,6 +226,14 @@ void AngoraLLVMPass::initVariables(Module &M) {
     errs() << "Input is LLVM bitcode\n";
   }
 
+  char* inst_ratio_str = getenv("ANGORA_INST_RATIO");
+  if (inst_ratio_str) {
+    if (sscanf(inst_ratio_str, "%u", &inst_ratio) != 1 || !inst_ratio ||
+        inst_ratio > 100)
+      FATAL("Bad value of ANGORA_INST_RATIO (must be between 1 and 100)");
+  }
+  errs() << "inst_ratio: " << inst_ratio << "\n";
+
   // set seed
   srandom(ModId);
   setRandomNumSeed(ModId);
@@ -339,8 +351,8 @@ void AngoraLLVMPass::initVariables(Module &M) {
   char* custom_fn_ctx = getenv(CUSTOM_FN_CTX);
   if (custom_fn_ctx) {
     num_fn_ctx = atoi(custom_fn_ctx);
-    if (num_fn_ctx < 0 || num_fn_ctx > 32) {
-      errs() << "custom context should be: >= 0 && <=32 \n"; 
+    if (num_fn_ctx < 0 || num_fn_ctx >= 32) {
+      errs() << "custom context should be: >= 0 && < 32 \n"; 
       exit(1);
     }
   }
@@ -365,9 +377,9 @@ void AngoraLLVMPass::initVariables(Module &M) {
 // Coverage statistics: AFL's Branch count
 // Angora enable function-call context.
 void AngoraLLVMPass::countEdge(Module &M, BasicBlock &BB) {
-  if (!FastMode)
+  if (!FastMode || skipBasicBlock())
     return;
-
+  
   // LLVMContext &C = M.getContext();
   unsigned int cur_loc = getRandomBasicBlockId();
   ConstantInt *CurLoc = ConstantInt::get(Int32Ty, cur_loc);
@@ -394,13 +406,25 @@ void AngoraLLVMPass::countEdge(Module &M, BasicBlock &BB) {
   LoadInst *Counter = IRB.CreateLoad(MapPtrIdx);
   setInsNonSan(Counter);
 
-  // Avoid overflow
-  Value *CmpOF = IRB.CreateICmpNE(Counter, ConstantInt::get(Int8Ty, -1));
-  setValueNonSan(CmpOF);
-
-  Value *IncVal = IRB.CreateZExt(CmpOF, Int8Ty);
+  // Implementation of saturating counter.
+  // Value *CmpOF = IRB.CreateICmpNE(Counter, ConstantInt::get(Int8Ty, -1));
+  // setValueNonSan(CmpOF);
+  // Value *IncVal = IRB.CreateZExt(CmpOF, Int8Ty);
+  // setValueNonSan(IncVal);
+  // Value *IncRet = IRB.CreateAdd(Counter, IncVal);
+  // setValueNonSan(IncRet);
+
+  // Implementation of Never-zero counter
+  // The idea is from Marc and Heiko in AFLPlusPlus
+  // Reference: : https://github.com/vanhauser-thc/AFLplusplus/blob/master/llvm_mode/README.neverzero and https://github.com/vanhauser-thc/AFLplusplus/issues/10
+    
+  Value *IncRet = IRB.CreateAdd(Counter, ConstantInt::get(Int8Ty, 1));
+  setValueNonSan(IncRet);
+  Value *IsZero = IRB.CreateICmpEQ(IncRet, ConstantInt::get(Int8Ty, 0));
+  setValueNonSan(IsZero);
+  Value *IncVal = IRB.CreateZExt(IsZero, Int8Ty);
   setValueNonSan(IncVal);
-  Value *IncRet = IRB.CreateAdd(Counter, IncVal);
+  IncRet = IRB.CreateAdd(IncRet, IncVal);
   setValueNonSan(IncRet);
 
   // Store Back Map[idx]
@@ -607,10 +631,12 @@ void AngoraLLVMPass::processCmp(Instruction *Cond, Constant *Cid,
     OpArg[1] = castArgType(IRB, OpArg[1]);
     Value *CondExt = IRB.CreateZExt(Cond, Int32Ty);
     setValueNonSan(CondExt);
+    LoadInst *CurCtx = IRB.CreateLoad(AngoraContext);
+    setInsNonSan(CurCtx);
     CallInst *ProxyCall =
-        IRB.CreateCall(TraceCmp, {CondExt, Cid, OpArg[0], OpArg[1]});
+        IRB.CreateCall(TraceCmp, {CondExt, Cid, CurCtx, OpArg[0], OpArg[1]});
     setInsNonSan(ProxyCall);
-        */
+    */
     LoadInst *CurCid = IRB.CreateLoad(AngoraCondId);
     setInsNonSan(CurCid);
     Value *CmpEq = IRB.CreateICmpEQ(Cid, CurCid);
@@ -841,7 +867,7 @@ bool AngoraLLVMPass::runOnModule(Module &M) {
     return true;
 
   for (auto &F : M) {
-    if (F.isDeclaration())
+    if (F.isDeclaration() || F.getName().startswith(StringRef("asan.module")))
       continue;
 
     addFnWrap(F);