Chromium Code Reviews

Side by Side Diff: third_party/afl/src/llvm_mode/README.llvm

Issue 2662883002: Roll AFL 2.31b:2.38b and switch coverage to use trace-pc-guard. (Closed)
Patch Set: Remove unneeded vuln_samples binaries. Created 3 years, 10 months ago
OLDNEW
1 ============================================ 1 ============================================
2 Fast LLVM-based instrumentation for afl-fuzz 2 Fast LLVM-based instrumentation for afl-fuzz
3 ============================================ 3 ============================================
4 4
5 (See ../docs/README for the general instruction manual.) 5 (See ../docs/README for the general instruction manual.)
6 6
7 1) Introduction 7 1) Introduction
8 --------------- 8 ---------------
9 9
10 The code in this directory allows you to instrument programs for AFL using 10 The code in this directory allows you to instrument programs for AFL using
(...skipping 148 matching lines...)
159 Note that as with the previous mode, the feature is easy to misuse; if you 159 Note that as with the previous mode, the feature is easy to misuse; if you
160 do not fully reset the critical state, you may end up with false positives or 160 do not fully reset the critical state, you may end up with false positives or
161 waste a whole lot of CPU power doing nothing useful at all. Be particularly 161 waste a whole lot of CPU power doing nothing useful at all. Be particularly
162 wary of memory leaks and of the state of file descriptors. 162 wary of memory leaks and of the state of file descriptors.
163 163
164 PS. Because there are task switches still involved, the mode isn't as fast as 164 PS. Because there are task switches still involved, the mode isn't as fast as
165 "pure" in-process fuzzing offered, say, by LLVM's LibFuzzer; but it is a lot 165 "pure" in-process fuzzing offered, say, by LLVM's LibFuzzer; but it is a lot
166 faster than the normal fork() model, and compared to in-process fuzzing, 166 faster than the normal fork() model, and compared to in-process fuzzing,
167 should be a lot more robust. 167 should be a lot more robust.
168 168
169 6) Bonus feature #3: new 'trace-pc' mode 169 6) Bonus feature #3: new 'trace-pc-guard' mode
170 ---------------------------------------- 170 ----------------------------------------------
171 171
172 Recent versions of LLVM are shipping with a built-in execution tracing feature 172 Recent versions of LLVM are shipping with a built-in execution tracing feature
173 that is fairly usable for AFL, without the need to post-process the assembly 173 that provides AFL with the necessary tracing data without the need to
174 or install any compiler plugins. See: 174 post-process the assembly or install any compiler plugins. See:
175 175
176 http://clang.llvm.org/docs/SanitizerCoverage.html#tracing-pcs 176 http://clang.llvm.org/docs/SanitizerCoverage.html#tracing-pcs-with-guards
177 177
178 As of this writing, the feature is only available on SVN trunk, and is yet to 178 As of this writing, the feature is only available on SVN trunk, and is yet to
179 make it to an official release of LLVM. Nevertheless, if you have a 179 make it to an official release of LLVM. Nevertheless, if you have a
180 sufficiently recent compiler and want to give it a try, build afl-clang-fast 180 sufficiently recent compiler and want to give it a try, build afl-clang-fast
181 this way: 181 this way:
182 182
183 AFL_TRACE_PC=1 make clean all 183 AFL_TRACE_PC=1 make clean all
184 184
185 Since a form of 'trace-pc' is also supported in GCC, this mode may become a 185 Note that this mode is currently about 20-30% slower than "vanilla"
186 longer-term solution to all our needs. 186 afl-clang-fast, and about 5-10% slower than afl-clang. I am not entirely sure
187 why.
187 188
188 Note that this mode supports AFL_INST_RATIO at run time, not at compilation
189 time. This is somewhat similar to the behavior of the QEMU mode. Because of
190 the need to support it at run time, the mode is also a tad slower than the
191 plugin-based approach.
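Review bot: The heading and description now refer to trace-pc-guard, but the build command `AFL_TRACE_PC=1 make clean all` keeps the old variable name; add a sentence saying that AFL_TRACE_PC is still the switch that selects the guard-based mode, so the mismatch does not read as a leftover from the old section. The deleted paragraph about AFL_INST_RATIO being honoured at run time rather than at compile time (and the associated slowdown) has no replacement; if that behaviour still holds for trace-pc-guard, keep the note, and if it no longer applies, say so, since readers of the previous version will expect it. The new 20-30% / 5-10% slowdown figures are given without the compiler or build they were measured on; naming that would let the "not entirely sure why" be re-checked after the next roll.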