NeatMonster/value-profiling.diff

## value-profiling.diff
diff -Naur a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c
--- a/llvm_mode/afl-llvm-rt.o.c	2017-02-01 02:59:41.000000000 +0100
+++ b/llvm_mode/afl-llvm-rt.o.c	2017-06-29 15:55:53.052681442 +0200
@@ -304,3 +304,205 @@
   }

 }
+
+/* This function is called on every indirect call, but only if the binary has
+   been compiled with -fsanitize-coverage=trace-pc,indirect-calls. */
+
+void __sanitizer_cov_trace_pc_indir(uptr callee) {
+
+  uptr caller = (uptr)__builtin_return_address(0);
+
+  const uptr bits = MAP_SIZE_POW2 / 2;
+  const uptr mask = (1 << bits) - 1;
+
+  /* For now we use the less significant bits of the caller and the callee
+     addresses to add an hit to the output map. */
+
+  uptr index = (caller & mask) | ((callee & mask) << bits);
+  __afl_area_ptr[index]++;
+}
+
+/* This function is called by all functions operating on integers. It computes
+   an index using the program counter and the two values being compared. */
+
+void __afl_handle_cmp(uptr pc, u64 arg1, u64 arg2, u8 size) {
+
+  u64 dist = 0;
+  u64 xor = arg1 ^ arg2;
+  if (xor & 0x00000000000000ff) dist++;
+  if (xor & 0x000000000000ff00) dist++;
+  if (xor & 0x0000000000ff0000) dist++;
+  if (xor & 0x00000000ff000000) dist++;
+  if (xor & 0x000000ff00000000) dist++;
+  if (xor & 0x0000ff0000000000) dist++;
+  if (xor & 0x00ff000000000000) dist++;
+  if (xor & 0xff00000000000000) dist++;
+
+  /* If the two values have nothing in common, do not reward. */
+
+  if (dist >= size) return;
+
+  const u64 bits = MAP_SIZE_POW2 - 3;
+  const u64 mask = (1 << bits) - 1;
+
+  /* For now we use the less significant bits of the program counter, and the
+     number of bytes in common between the two values. */
+
+  uptr index = (pc & mask) | (dist << bits);
+  __afl_area_ptr[index]++;
+}
+
+/* The functions below are called on every integer comparison, but only if the
+   binary has been compiled with -fsanitize-coverage=trace-cmp. */
+
+//void __sanitizer_cov_trace_cmp1(u8 arg1, u8 arg2) {
+//
+//  uptr pc = (uptr)__builtin_return_address(0);
+//
+//  __afl_handle_cmp(pc, arg1, arg2, 1);
+//}
+
+void __sanitizer_cov_trace_cmp2(u16 arg1, u16 arg2) {
+
+  uptr pc = (uptr)__builtin_return_address(0);
+
+  __afl_handle_cmp(pc, arg1, arg2, 2);
+}
+
+void __sanitizer_cov_trace_cmp4(u32 arg1, u32 arg2) {
+
+  uptr pc = (uptr)__builtin_return_address(0);
+
+  __afl_handle_cmp(pc, arg1, arg2, 4);
+}
+
+void __sanitizer_cov_trace_cmp8(u64 arg1, u64 arg2) {
+
+  uptr pc = (uptr)__builtin_return_address(0);
+
+  __afl_handle_cmp(pc, arg1, arg2, 8);
+}
+
+/* This function are called on every switch being executed, but only if the
+   binary has been compiled with -fsanitize-coverage=trace-cmp. */
+
+void __sanitizer_cov_trace_switch(u64 val, u64 *cases) {
+
+  u64 len = cases[0];
+  u64 size = cases[2];
+  u64 *vals = cases + 2;
+
+  if (size < 16) return; /* Ignore integers smaller than 16 bits. */
+
+  uptr pc = (uptr)__builtin_return_address(0);
+
+  u64 i = 0, token = 0;
+  for (i = 0; i < len; ++i) {
+    token = val ^ vals[i];
+    if (val < vals[i]) break;
+  }
+
+  __afl_handle_cmp(pc + i, token, 0, MAX(1, size / 8));
+}
+
+/* The functions below are called on every division, but only if the binary has
+   been compiled with -fsanitize-coverage=trace-div. */
+
+void __sanitizer_cov_trace_div4(u32 val) {
+
+  uptr pc = (uptr)__builtin_return_address(0);
+
+  __afl_handle_cmp(pc, val, 0, 4);
+}
+
+void __sanitizer_cov_trace_div8(u64 val) {
+
+  uptr pc = (uptr)__builtin_return_address(0);
+
+  __afl_handle_cmp(pc, val, 0, 8);
+}
+
+/* This function are called on every array indexing, but only if the binary has
+   been compiled with -fsanitize-coverage=trace-gep. */
+
+void __sanitizer_cov_trace_gep(uptr idx) {
+
+  uptr pc = (uptr)__builtin_return_address(0);
+
+  __afl_handle_cmp(pc, idx, 0, sizeof(size_t));
+}
+
+#ifdef USE_WEAK_HOOKS
+
+/* This function is called when doing memory comparisons. It computes an index
+   using the program counter and the two strings being compared. */
+
+void __afl_handle_memcmp(void *caller_pc, const void *s1, const void *s2,
+                         size_t n, int is_str) {
+
+  const u8 *b1 = (const u8 *)s1;
+  const u8 *b2 = (const u8 *)s2;
+
+  /* Count how many starting bytes the two strings have in common. */
+
+  size_t i, len = MIN(n, 32);
+  for (i = 0; i < len; ++i)
+    if (b1[i] != b2[i] || (is_str && (b1[i] == 0 || b2[i] == 0))) break;
+
+  const u64 bits = MAP_SIZE_POW2 - 5;
+  const u64 mask = (1 << bits) - 1;
+
+  /* For now we use the less significant bits of the program counter, and the
+     number of starting bytes in common between the two strings. */
+
+  size_t pc = (size_t)caller_pc;
+  size_t index = (pc & mask) | (i << bits);
+  __afl_area_ptr[index]++;
+}
+
+/* The functions below are called on every call to their eponymous function, but
+   only if the binary has been compiled with at least a sanitizer enabled. */
+
+void __sanitizer_weak_hook_memcmp(void *caller_pc, const void *s1,
+                                  const void *s2, size_t n, int result) {
+
+  if (!result || n <= 1) return;
+
+  __afl_handle_memcmp(caller_pc, s1, s2, n, 0);
+}
+
+void __sanitizer_weak_hook_strcmp(void *caller_pc, const char *s1,
+                                  const char *s2, int result) {
+
+  if (!result) return;
+
+  /* We need to calculate the length ourselves . */
+
+  size_t n = 0;
+  while (s1[n] && s2[n]) ++n;
+  if (n <= 1) return;
+
+  __afl_handle_memcmp(caller_pc, s1, s2, n, 1);
+}
+
+void __sanitizer_weak_hook_strncmp(void *caller_pc, const char *s1,
+                                   const char *s2, size_t n, int result) {
+
+  if (!result || n <= 1) return;
+
+  __afl_handle_memcmp(caller_pc, s1, s2, n, 1);
+}
+
+void __sanitizer_weak_hook_strcasecmp(void *called_pc, const char *s1,
+                                      const char *s2, int result) {
+
+  return __sanitizer_weak_hook_strcmp(called_pc, s1, s2, result);
+}
+
+void __sanitizer_weak_hook_strncasecmp(void *called_pc, const char *s1,
+                                       const char *s2, size_t n, int result) {
+
+  return __sanitizer_weak_hook_strncmp(called_pc, s1, s2, n, result);
+}
+
+#endif /* USE_WEAK_HOOKS */
diff -Naur a/llvm_mode/Makefile b/llvm_mode/Makefile
--- a/llvm_mode/Makefile	2016-06-24 04:38:49.000000000 +0200
+++ b/llvm_mode/Makefile	2017-06-29 13:12:50.003040093 +0200
@@ -30,6 +30,9 @@
                -DVERSION=\"$(VERSION)\"
 ifdef AFL_TRACE_PC
   CFLAGS    += -DUSE_TRACE_PC=1
+  ifdef AFL_WEAK_HOOKS
+  	CFLAGS  += -DUSE_WEAK_HOOKS=1
+  endif
 endif

 CXXFLAGS    ?= -O3 -funroll-loops
diff -Naur a/types.h b/types.h
--- a/types.h	2017-06-02 08:34:36.000000000 +0200
+++ b/types.h	2017-06-29 10:15:00.309117731 +0200
@@ -45,6 +45,7 @@
 #else
 typedef uint64_t u64;
 #endif /* ^__x86_64__ */
+typedef uintptr_t uptr;

 typedef int8_t   s8;
 typedef int16_t  s16;
	diff -Naur a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c
	--- a/llvm_mode/afl-llvm-rt.o.c 2017-02-01 02:59:41.000000000 +0100
	+++ b/llvm_mode/afl-llvm-rt.o.c 2017-06-29 15:55:53.052681442 +0200
	@@ -304,3 +304,205 @@
	}

	}
	+
	+/* This function is called on every indirect call, but only if the binary has
	+ been compiled with -fsanitize-coverage=trace-pc,indirect-calls. */
	+
	+void __sanitizer_cov_trace_pc_indir(uptr callee) {
	+
	+ uptr caller = (uptr)__builtin_return_address(0);
	+
	+ const uptr bits = MAP_SIZE_POW2 / 2;
	+ const uptr mask = (1 << bits) - 1;
	+
	+ /* For now we use the less significant bits of the caller and the callee
	+ addresses to add an hit to the output map. */
	+
	+ uptr index = (caller & mask) \| ((callee & mask) << bits);
	+ __afl_area_ptr[index]++;
	+}
	+
	+/* This function is called by all functions operating on integers. It computes
	+ an index using the program counter and the two values being compared. */
	+
	+void __afl_handle_cmp(uptr pc, u64 arg1, u64 arg2, u8 size) {
	+
	+ u64 dist = 0;
	+ u64 xor = arg1 ^ arg2;
	+ if (xor & 0x00000000000000ff) dist++;
	+ if (xor & 0x000000000000ff00) dist++;
	+ if (xor & 0x0000000000ff0000) dist++;
	+ if (xor & 0x00000000ff000000) dist++;
	+ if (xor & 0x000000ff00000000) dist++;
	+ if (xor & 0x0000ff0000000000) dist++;
	+ if (xor & 0x00ff000000000000) dist++;
	+ if (xor & 0xff00000000000000) dist++;
	+
	+ /* If the two values have nothing in common, do not reward. */
	+
	+ if (dist >= size) return;
	+
	+ const u64 bits = MAP_SIZE_POW2 - 3;
	+ const u64 mask = (1 << bits) - 1;
	+
	+ /* For now we use the less significant bits of the program counter, and the
	+ number of bytes in common between the two values. */
	+
	+ uptr index = (pc & mask) \| (dist << bits);
	+ __afl_area_ptr[index]++;
	+}
	+
	+/* The functions below are called on every integer comparison, but only if the
	+ binary has been compiled with -fsanitize-coverage=trace-cmp. */
	+
	+//void __sanitizer_cov_trace_cmp1(u8 arg1, u8 arg2) {
	+//
	+// uptr pc = (uptr)__builtin_return_address(0);
	+//
	+// __afl_handle_cmp(pc, arg1, arg2, 1);
	+//}
	+
	+void __sanitizer_cov_trace_cmp2(u16 arg1, u16 arg2) {
	+
	+ uptr pc = (uptr)__builtin_return_address(0);
	+
	+ __afl_handle_cmp(pc, arg1, arg2, 2);
	+}
	+
	+void __sanitizer_cov_trace_cmp4(u32 arg1, u32 arg2) {
	+
	+ uptr pc = (uptr)__builtin_return_address(0);
	+
	+ __afl_handle_cmp(pc, arg1, arg2, 4);
	+}
	+
	+void __sanitizer_cov_trace_cmp8(u64 arg1, u64 arg2) {
	+
	+ uptr pc = (uptr)__builtin_return_address(0);
	+
	+ __afl_handle_cmp(pc, arg1, arg2, 8);
	+}
	+
	+/* This function are called on every switch being executed, but only if the
	+ binary has been compiled with -fsanitize-coverage=trace-cmp. */
	+
	+void __sanitizer_cov_trace_switch(u64 val, u64 *cases) {
	+
	+ u64 len = cases[0];
	+ u64 size = cases[2];
	+ u64 *vals = cases + 2;
	+
	+ if (size < 16) return; /* Ignore integers smaller than 16 bits. */
	+
	+ uptr pc = (uptr)__builtin_return_address(0);
	+
	+ u64 i = 0, token = 0;
	+ for (i = 0; i < len; ++i) {
	+ token = val ^ vals[i];
	+ if (val < vals[i]) break;
	+ }
	+
	+ __afl_handle_cmp(pc + i, token, 0, MAX(1, size / 8));
	+}
	+
	+/* The functions below are called on every division, but only if the binary has
	+ been compiled with -fsanitize-coverage=trace-div. */
	+
	+void __sanitizer_cov_trace_div4(u32 val) {
	+
	+ uptr pc = (uptr)__builtin_return_address(0);
	+
	+ __afl_handle_cmp(pc, val, 0, 4);
	+}
	+
	+void __sanitizer_cov_trace_div8(u64 val) {
	+
	+ uptr pc = (uptr)__builtin_return_address(0);
	+
	+ __afl_handle_cmp(pc, val, 0, 8);
	+}
	+
	+/* This function are called on every array indexing, but only if the binary has
	+ been compiled with -fsanitize-coverage=trace-gep. */
	+
	+void __sanitizer_cov_trace_gep(uptr idx) {
	+
	+ uptr pc = (uptr)__builtin_return_address(0);
	+
	+ __afl_handle_cmp(pc, idx, 0, sizeof(size_t));
	+}
	+
	+#ifdef USE_WEAK_HOOKS
	+
	+/* This function is called when doing memory comparisons. It computes an index
	+ using the program counter and the two strings being compared. */
	+
	+void __afl_handle_memcmp(void caller_pc, const void s1, const void *s2,
	+ size_t n, int is_str) {
	+
	+ const u8 b1 = (const u8 )s1;
	+ const u8 b2 = (const u8 )s2;
	+
	+ /* Count how many starting bytes the two strings have in common. */
	+
	+ size_t i, len = MIN(n, 32);
	+ for (i = 0; i < len; ++i)
	+ if (b1[i] != b2[i] \|\| (is_str && (b1[i] == 0 \|\| b2[i] == 0))) break;
	+
	+ const u64 bits = MAP_SIZE_POW2 - 5;
	+ const u64 mask = (1 << bits) - 1;
	+
	+ /* For now we use the less significant bits of the program counter, and the
	+ number of starting bytes in common between the two strings. */
	+
	+ size_t pc = (size_t)caller_pc;
	+ size_t index = (pc & mask) \| (i << bits);
	+ __afl_area_ptr[index]++;
	+}
	+
	+/* The functions below are called on every call to their eponymous function, but
	+ only if the binary has been compiled with at least a sanitizer enabled. */
	+
	+void __sanitizer_weak_hook_memcmp(void caller_pc, const void s1,
	+ const void *s2, size_t n, int result) {
	+
	+ if (!result \|\| n <= 1) return;
	+
	+ __afl_handle_memcmp(caller_pc, s1, s2, n, 0);
	+}
	+
	+void __sanitizer_weak_hook_strcmp(void caller_pc, const char s1,
	+ const char *s2, int result) {
	+
	+ if (!result) return;
	+
	+ /* We need to calculate the length ourselves . */
	+
	+ size_t n = 0;
	+ while (s1[n] && s2[n]) ++n;
	+ if (n <= 1) return;
	+
	+ __afl_handle_memcmp(caller_pc, s1, s2, n, 1);
	+}
	+
	+void __sanitizer_weak_hook_strncmp(void caller_pc, const char s1,
	+ const char *s2, size_t n, int result) {
	+
	+ if (!result \|\| n <= 1) return;
	+
	+ __afl_handle_memcmp(caller_pc, s1, s2, n, 1);
	+}
	+
	+void __sanitizer_weak_hook_strcasecmp(void called_pc, const char s1,
	+ const char *s2, int result) {
	+
	+ return __sanitizer_weak_hook_strcmp(called_pc, s1, s2, result);
	+}
	+
	+void __sanitizer_weak_hook_strncasecmp(void called_pc, const char s1,
	+ const char *s2, size_t n, int result) {
	+
	+ return __sanitizer_weak_hook_strncmp(called_pc, s1, s2, n, result);
	+}
	+
	+#endif /* USE_WEAK_HOOKS */
	diff -Naur a/llvm_mode/Makefile b/llvm_mode/Makefile
	--- a/llvm_mode/Makefile 2016-06-24 04:38:49.000000000 +0200
	+++ b/llvm_mode/Makefile 2017-06-29 13:12:50.003040093 +0200
	@@ -30,6 +30,9 @@
	-DVERSION=\"$(VERSION)\"
	ifdef AFL_TRACE_PC
	CFLAGS += -DUSE_TRACE_PC=1
	+ ifdef AFL_WEAK_HOOKS
	+ CFLAGS += -DUSE_WEAK_HOOKS=1
	+ endif
	endif

	CXXFLAGS ?= -O3 -funroll-loops
	diff -Naur a/types.h b/types.h
	--- a/types.h 2017-06-02 08:34:36.000000000 +0200
	+++ b/types.h 2017-06-29 10:15:00.309117731 +0200
	@@ -45,6 +45,7 @@
	#else
	typedef uint64_t u64;
	#endif /* ^__x86_64__ */
	+typedef uintptr_t uptr;

	typedef int8_t s8;
	typedef int16_t s16;