
Commit f2f5de8

committed
Upgrade to latest E9Patch + other improvements
1 parent 12a0974 commit f2f5de8


5 files changed

+48
-449
lines changed


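--- a/build.sh
+++ b/build.sh
@@ -32,7 +32,7 @@ fi
 
 set -e
 
-VERSION=6231858f43b1fa4b439cb82cbe68455787f65543
+VERSION=5ae72d476f72080f8b596910d6c574e086c4084e
 
 # STEP (1): install e9patch if necessary:
 if [ ! -x e9patch-$VERSION/e9patch ]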

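--- a/e9AFLPlugin.cpp
+++ b/e9AFLPlugin.cpp
@@ -34,8 +34,6 @@
 
 using namespace e9frontend;
 
-#include "e9cfg.cpp"
-
 #define AREA_BASE 0x200000
 #define AREA_SIZE ((size_t)1 << 16)
 
@@ -79,6 +77,12 @@ struct BB
 typedef std::map<intptr_t, BB> CFG;
 #define BB_INDIRECT (-1)
 
+/*
+* Misc.
+*/
+typedef std::map<BB *, BB *> Paths;
+typedef std::map<intptr_t, unsigned> Ids;
+
 /*
 * To compile:
 * $ g++ -std=c++11 -fPIC -shared -o e9afl.so -O2 e9afl.cpp \
@@ -186,7 +190,7 @@ extern void *e9_plugin_init_v1(FILE *out, const ELF *elf)
 << "{\"int32\":" << stack_adjust << "},";
 code << "\"$instruction\",\"$continue\"";
 
-sendTrampolineMessage(out, "afl", code.str().c_str());
+sendTrampolineMessage(out, "$afl", code.str().c_str());
 
 return nullptr;
 }
@@ -217,7 +221,7 @@ static void addPredecessor(intptr_t pred, intptr_t succ,
 static void addSuccessor(intptr_t pred, intptr_t succ,
 const Targets &targets, CFG &cfg)
 {
-auto i = targets.find(pred);
+auto i = targets.lower_bound(pred);
 if (i == targets.end())
 return;
 auto j = cfg.find(pred);
@@ -314,17 +318,26 @@ static void buildCFG(const ELF *elf, const Instr *Is, size_t size,
 /*
 * Attempt to optimize away a bad block.
 */
-typedef std::map<BB *, BB *> Paths;
+static void optimizeBlock(CFG &cfg, BB &bb);
 static void optimizePaths(CFG &cfg, BB *pred_bb, BB *succ_bb, Paths &paths)
 {
 auto i = paths.find(succ_bb);
 if (i != paths.end())
 {
 // Multiple paths to succ_bb;
+BB *unopt_bb = nullptr;
 if (pred_bb != nullptr)
-pred_bb->optimized = false;
+unopt_bb = pred_bb;
 else if (i->second != nullptr)
-i->second->optimized = false;
+unopt_bb = i->second;
+
+// Note: (unopt_bb == nullptr) can happen in degenerate cases, e.g.:
+// jne .Lnext; .Lnext: ...
+if (unopt_bb != nullptr)
+{
+unopt_bb->optimized = false;
+optimizeBlock(cfg, *unopt_bb);
+}
 return;
 }
 paths.insert({succ_bb, pred_bb});
@@ -339,7 +352,7 @@ static void optimizePaths(CFG &cfg, BB *pred_bb, BB *succ_bb, Paths &paths)
 optimizePaths(cfg, pred_bb, succ_bb, paths);
 }
 }
-static void optimizeBlock(CFG &cfg, intptr_t entry, BB &bb)
+static void optimizeBlock(CFG &cfg, BB &bb)
 {
 if (bb.optimized)
 return;
@@ -355,39 +368,40 @@ static void optimizeBlock(CFG &cfg, intptr_t entry, BB &bb)
 /*
 * Verify the optimization is correct (for debugging).
 */
-static void verify(CFG &cfg, const std::map<intptr_t, unsigned> &bbs, BB *bb,
+static void verify(CFG &cfg, const Ids &ids, intptr_t curr, BB *bb,
 std::set<BB *> &seen)
 {
+unsigned id = ids.find(curr)->second;
 for (auto succ: bb->succs)
 {
 auto i = cfg.find(succ);
 BB *succ_bb = (i == cfg.end()? nullptr: &i->second);
 if (succ_bb == nullptr)
-fprintf(stderr, " indirect");
+fprintf(stderr, " BB_%u->indirect", id);
 else
-{
-auto j = bbs.find(succ);
-fprintf(stderr, " BB_%u", j->second);
-}
+fprintf(stderr, " BB_%u->BB_%u", id, ids.find(succ)->second);
 auto r = seen.insert(succ_bb);
 if (!r.second)
 {
 putc('\n', stderr);
 error("multiple non-instrumented paths detected");
 }
-if (succ_bb != nullptr && succ_bb->instrument < 0)
-verify(cfg, bbs, succ_bb, seen);
+if (succ_bb != nullptr && succ_bb->optimized)
+verify(cfg, ids, succ, succ_bb, seen);
 }
 }
-static void verify(CFG &cfg, const std::map<intptr_t, unsigned> &bbs)
+static void verify(CFG &cfg, const Ids &ids)
 {
 putc('\n', stderr);
 for (auto &entry: cfg)
 {
-auto i = bbs.find(entry.first);
-fprintf(stderr, "\33[32mVERIFY\33[0m BB_%u:", i->second);
+BB *bb = &entry.second;
+if (bb->optimized)
+continue;
+fprintf(stderr, "\33[32mVERIFY\33[0m BB_%u:",
+ids.find(entry.first)->second);
 std::set<BB *> seen;
-verify(cfg, bbs, &entry.second, seen);
+verify(cfg, ids, entry.first, bb, seen);
 putc('\n', stderr);
 }
 putc('\n', stderr);
@@ -463,7 +477,7 @@ static void calcInstrumentPoints(const ELF *elf, const Instr *Is, size_t size,
 // Step #3: Optimize away bad blocks:
 if (option_Oblock == OPTION_DEFAULT)
 for (auto &entry: cfg)
-optimizeBlock(cfg, entry.first, entry.second);
+optimizeBlock(cfg, entry.second);
 
 // Step #4: Collect final instrumentation points.
 for (auto &entry: cfg)
@@ -473,12 +487,12 @@ static void calcInstrumentPoints(const ELF *elf, const Instr *Is, size_t size,
 }
 
 // Setp #5: Print debugging information (if necessary)
-std::map<intptr_t, unsigned> bbs;
+Ids ids;
 if (option_debug == OPTION_ALWAYS)
 {
 unsigned bb = 0;
 for (const auto &entry: targets)
-bbs.insert({entry.first, bb++});
+ids.insert({entry.first, bb++});
 }
 for (size_t i = 0; (option_debug == OPTION_ALWAYS) && i < size; i++)
 {
@@ -488,7 +502,7 @@ static void calcInstrumentPoints(const ELF *elf, const Instr *Is, size_t size,
 auto j = cfg.find(I->address);
 if (j != cfg.end())
 {
-auto l = bbs.find(I->address);
+auto l = ids.find(I->address);
 fprintf(stderr, "\n# \33[32mBB_%u\33[0m%s%s\n", l->second,
 (j->second.bad? " [\33[31mBAD\33[0m]": ""),
 (j->second.bad && !j->second.optimized?
@@ -504,7 +518,7 @@ static void calcInstrumentPoints(const ELF *elf, const Instr *Is, size_t size,
 fprintf(stderr, "indirect");
 continue;
 }
-auto l = bbs.find(pred);
+auto l = ids.find(pred);
 fprintf(stderr, "BB_%u", l->second);
 }
 fprintf(stderr, "\n# succs = ");
@@ -518,7 +532,7 @@ static void calcInstrumentPoints(const ELF *elf, const Instr *Is, size_t size,
 fprintf(stderr, "indirect");
 continue;
 }
-auto l = bbs.find(pred);
+auto l = ids.find(pred);
 fprintf(stderr, "BB_%u", l->second);
 }
 putc('\n', stderr);
@@ -530,7 +544,7 @@ static void calcInstrumentPoints(const ELF *elf, const Instr *Is, size_t size,
 fprintf(stderr, "%lx: %s\n", I->address, I->string.instr);
 }
 if (option_debug == OPTION_ALWAYS)
-verify(cfg, bbs);
+verify(cfg, ids);
 }
 
 /*
@@ -595,6 +609,6 @@ extern void e9_plugin_patch_v1(FILE *out, const ELF *elf,
 metadata[2].name = nullptr;
 metadata[2].data = nullptr;
 
-sendPatchMessage(out, "afl", info->offset, metadata);
+sendPatchMessage(out, "$afl", info->offset, metadata);
 }
 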
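Review bot: In the verify() hunk (old line 355 / new line 368), the new `unsigned id = ids.find(curr)->second;` and the `ids.find(succ)->second` in the else branch dereference a map lookup without checking for `end()`, so a CFG key that is absent from `ids` is undefined behaviour instead of a diagnostic; `ids` is filled from `targets` (new line 495) while `cfg` is built by buildCFG outside the hunk, so an explicit guard such as `auto it = ids.find(curr); if (it == ids.end()) error("no id for basic block");` (or an `assert`) would keep the debug path from silently masking a CFG/targets mismatch. The same unchecked `ids.find(...)->second` / `l->second` pattern appears in the later debug-printing hunks of calcInstrumentPoints. In addSuccessor (new line 224), replacing `find` with `lower_bound` means a `pred` that is not itself a target now resolves to the next higher target rather than being skipped; if that is intended, a one-line comment such as `// pred may lie inside a block: take the first target at or above it` would help, since the rest of the function that uses `i` lies outside the hunk. optimizePaths now calls optimizeBlock, which presumably calls back into optimizePaths, so the recursion depth is bounded only by the CFG; that is probably fine here but deserves a remark at the new forward declaration.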
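--- a/e9afl.cpp
+++ b/e9afl.cpp
@@ -207,9 +207,10 @@ int main(int argc, char **argv)
 command += path;
 command += "/e9tool\" ";
 
-command += "--backend \"";
-command += path;
-command += "/e9patch\" ";
+command += "-E '\".plt\"' ";
+command += "-E '\".plt.got\"' ";
+command += "-O2 ";
+command += "--option --mem-granularity=4096 ";
 
 command += "-o \"";
 command += output;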
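Review bot: The new `-E '\".plt\"'`, `-E '\".plt.got\"'` and `--option --mem-granularity=4096 ` lines are bare magic values in a string-built command; a short comment above them stating why the PLT sections are excluded and why 4096 is the chosen granularity would spare the next reader a trip to the e9tool documentation. Because `command` is assembled by concatenation and `path` and `output` (context lines 207-208 and 214-215) are only wrapped in double quotes, a value containing `"`, `$` or a backtick would alter the command if it is later handed to a shell (the execution call is outside the hunk); single-quoting those values with embedded `'` escaped, or passing an argv array to an exec-style call, would be more robust. Dropping `--backend` also means e9tool must now locate e9patch on its own; if it resolves it relative to its own directory rather than via PATH, that is worth a note in the commit description or build.sh.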
