2.04b

legend-issue · Mar 2, 2016 · 418e426 · 418e426
1 parent 5144d64
commit 418e426
Show file tree

Hide file tree

Showing 9 changed files with 33 additions and 17 deletions.
diff --git a/Makefile b/Makefile
@@ -14,7 +14,7 @@
 #
 
 PROGNAME    = afl
-VERSION     = 2.03b
+VERSION     = 2.04b
 
 PREFIX     ?= /usr/local
 BIN_PATH    = $(PREFIX)/bin

diff --git a/afl-analyze.c b/afl-analyze.c
@@ -707,6 +707,8 @@ static void set_up_environment(void) {
 
   setenv("MSAN_OPTIONS", "exit_code=" STRINGIFY(MSAN_ERROR) ":"
                          "symbolize=0:"
+                         "abort_on_error=1:"
+                         "allocator_may_return_null=1:"
                          "msan_track_origins=0", 0);
 
   if (getenv("AFL_LD_PRELOAD"))

diff --git a/afl-fuzz.c b/afl-fuzz.c
@@ -1942,6 +1942,8 @@ static void init_forkserver(char** argv) {
 
     setenv("MSAN_OPTIONS", "exit_code=" STRINGIFY(MSAN_ERROR) ":"
                            "symbolize=0:"
+                           "abort_on_error=1:"
+                           "allocator_may_return_null=1:"
                            "msan_track_origins=0", 0);
 
     execv(target_path, argv);

diff --git a/afl-showmap.c b/afl-showmap.c
@@ -337,6 +337,8 @@ static void set_up_environment(void) {
 
   setenv("MSAN_OPTIONS", "exit_code=" STRINGIFY(MSAN_ERROR) ":"
                          "symbolize=0:"
+                         "abort_on_error=1:"
+                         "allocator_may_return_null=1:"
                          "msan_track_origins=0", 0);
 
   if (getenv("AFL_LD_PRELOAD"))

diff --git a/afl-tmin.c b/afl-tmin.c
@@ -698,6 +698,8 @@ static void set_up_environment(void) {
 
   setenv("MSAN_OPTIONS", "exit_code=" STRINGIFY(MSAN_ERROR) ":"
                          "symbolize=0:"
+                         "abort_on_error=1:"
+                         "allocator_may_return_null=1:"
                          "msan_track_origins=0", 0);
 
   if (getenv("AFL_LD_PRELOAD"))

diff --git a/docs/ChangeLog b/docs/ChangeLog
@@ -16,6 +16,13 @@ Not sure if you should upgrade? The lowest currently recommended version
 is 2.03b. If you're stuck on an earlier release, it's strongly advisable
 to get on with the times.
 
+--------------
+Version 2.04b:
+--------------
+
+  - Removed indirect-calls coverage from -fsanitize-coverage (since it's
+    redundant). Spotted by Kostya Serebryany.
+
 --------------
 Version 2.03b:
 --------------

diff --git a/docs/env_variables.txt b/docs/env_variables.txt
@@ -208,8 +208,11 @@ optimal values if not already present in the environment:
 
   - In the same vein, by default, MSAN_OPTIONS are set to:
 
-    exit_code=86
+    exit_code=86 (required for legacy reasons)    
+    abort_on_error=1
+    symbolize=0
     msan_track_origins=0
+    allocator_may_return_null=1
 
     Be sure to include the first one when customizing anything, since MSAN
     doesn't call abort() on error, and we need a way to detect faults.
diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c
@@ -120,7 +120,7 @@ static void edit_params(u32 argc, char** argv) {
      http://clang.llvm.org/docs/SanitizerCoverage.html#tracing-pcs */
 
 #ifdef USE_TRACE_PC
-  cc_params[cc_par_cnt++] = "-fsanitize-coverage=bb,indirect-calls,trace-pc";
+  cc_params[cc_par_cnt++] = "-fsanitize-coverage=bb,trace-pc";
 #else
   cc_params[cc_par_cnt++] = "-Xclang";
   cc_params[cc_par_cnt++] = "-load";

diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c
@@ -216,22 +216,21 @@ __attribute__((constructor(0))) void __afl_auto_init(void) {
 }
 
 
-/*********************************************
- * Support for -fsanitize-coverage=trace-pc. *
- *********************************************/
+/* The following stuff deals with support for -fsanitize-coverage=bb,trace-pc.
+   It remains non-operational in the traditional, plugin-backed LLVM mode.
+   For more info about 'trace-pc', see README.llvm.
 
-static u32 inst_ratio_scaled = MIN(4096, MAP_SIZE);
-
-
-/* The first function is called on every basic block. We use the return address
-   instead of a randomly-generated token (because LLVM is not giving us one).
-   Since ASLR may make addresses vary across runs, we use only the last 12
-   bits, which should be stable within a given binary.
+   The first function (__sanitizer_cov_trace_pc) is called back on every
+   basic block. Since LLVM is not giving us any stable IDs for the blocks,
+   we use 12 least significant bits of the return address (which should be
+   stable even with ASLR; more significant bits may vary across runs).
 
    Since MAP_SIZE is usually larger than 12 bits, we "pad" it by combining
    left-shifted __afl_prev_loc. This gives us a theoretical maximum of 24 
-   bits (but basic blocks might be aligned, which reduces this number
-   somewhat). */
+   bits, although instruction alignment likely reduces this somewhat. */
+
+
+static u32 inst_ratio_scaled = MIN(4096, MAP_SIZE);
 
 void __sanitizer_cov_trace_pc(void) {
 
@@ -270,8 +269,7 @@ void __sanitizer_cov_trace_pc_indir(void* dummy) {
 
 
 /* Init callback. Unfortunately, LLVM does not support compile-time
-   instrumentation density scaling, at least not just yet - so the runtime
-   inst_ratio stuff slows us down :-( */
+   instrumentation density scaling, at least not just yet. */
 
 void __sanitizer_cov_module_init(void) {