# afl-clang-lto - collision free instrumentation at link time

## TL;DR:

This version requires LLVM 12 or newer.

1. Use afl-clang-lto/afl-clang-lto++ because the resulting binaries run
   slightly faster and give better coverage.

2. You can use it together with COMPCOV, COMPLOG and the instrument file
   listing features.

3. It only works with LLVM 12 or newer.

4. AUTODICTIONARY feature (see below)

5. If any problems arise, be sure to set `AR=llvm-ar RANLIB=llvm-ranlib AS=llvm-as`.
   Some targets might need `LD=afl-clang-lto` and others `LD=afl-ld-lto`.

## Introduction and problem description

A big issue with how vanilla AFL worked was that the basic block IDs that are
set during compilation are random - and hence naturally the larger the number
of instrumented locations, the higher the number of edge collisions in the
map. This can result in not discovering new paths and therefore degrade the
efficiency of the fuzzing process.

*This issue is underestimated in the fuzzing community.* With a 2^16 = 64 KB
standard map, at already 256 instrumented blocks there is on average one
collision. On average, a target has 10,000 to 50,000 instrumented blocks, hence
the real collisions are between 750 and 18,000!

Note that PCGUARD (our own modified implementation and the SANCOV PCGUARD
implementation from libfuzzer) also provides collision free coverage.
It is a bit slower though and can break a few targets with very early constructors.

* We instrument at link time when we have all files pre-compiled.
* To instrument at link time, we compile in LTO (link time optimization) mode.
* Our compiler (afl-clang-lto/afl-clang-lto++) takes care of setting the correct
  LTO options and runs our own afl-ld linker instead of the system linker.
* The LLVM linker collects all LTO files to link and instruments them so that we
  have non-colliding edge coverage.
* We use a new (for afl) edge coverage - which is the same as in llvm
  -fsanitize=coverage edge coverage mode.

The result:

* 10-25% speed gain compared to llvm_mode
* guaranteed non-colliding edge coverage
* The compile time, especially for binaries linked to an instrumented library,
  can be much (and sometimes much much) longer.

Example build output from a libtiff build:

```
libtool: link: afl-clang-lto -g -O2 -Wall -W -o thumbnail thumbnail.o ../libtiff/.libs/libtiff.a ../port/.libs/libport.a -llzma -ljbig -ljpeg -lz -lm
afl-clang-lto++2.63d by Marc "vanHauser" Heuse <[email protected]> in mode LTO
afl-llvm-lto++2.63d by Marc "vanHauser" Heuse <[email protected]>
AUTODICTIONARY: 11 strings found
[+] Instrumented 12071 locations with no collisions (on average 1046 collisions would be in afl-gcc/afl-clang-fast) (non-hardened mode).
```

## Getting LLVM 12+

### Installing llvm

The best way to install LLVM is to follow [https://apt.llvm.org/](https://apt.llvm.org/)

e.g. for LLVM 15:

```
wget https://apt.llvm.org/llvm.sh
chmod +x llvm.sh
sudo ./llvm.sh 15 all
```

LLVM 12 to 18 should be available in all current Linux repositories.

## How to build afl-clang-lto

That part is easy.
Just set `LLVM_CONFIG` to the llvm-config-VERSION and build AFL++, e.g. for
LLVM 15:

```
cd ~/AFLplusplus
export LLVM_CONFIG=llvm-config-15
make
sudo make install
```

## How to use afl-clang-lto

Just use afl-clang-lto like you did with afl-clang-fast or afl-gcc.

Also, the instrument file listing (AFL_LLVM_ALLOWLIST/AFL_LLVM_DENYLIST ->
[README.instrument_list.md](README.instrument_list.md)) and laf-intel/compcov
(AFL_LLVM_LAF_* -> [README.laf-intel.md](README.laf-intel.md)) work.
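The following bash helper is an added example, not AFL++ code and not part of the original documentation. It wraps the plain `./configure` invocation shown next in this section: it resolves versioned LLVM tool names (e.g. `llvm-ar-15`), tries `LD=afl-clang-lto` first and `LD=afl-ld-lto` second as the TL;DR suggests, and adds the check a practitioner wants when the `archive has no index; run ranlib` error from the `Potential issues` section shows up, namely whether the objects inside a static archive are LLVM bitcode (which GNU ranlib cannot index). The source directory, configure flags and archive name in the usage lines are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of AFL++ or its documentation: configure a target with
# afl-clang-lto and the LLVM binutils, and diagnose the
# "archive has no index; run ranlib" linker error.
# The source directory, configure flags and archive name in the usage lines are
# assumptions.
set -u

# Print the name of an LLVM tool: the versioned binary (e.g. llvm-ar-15) when a
# version is given (argument or LLVM_VERSION) and that binary is on PATH,
# otherwise the plain name (llvm-ar).
llvm_tool() {
  local tool="$1" version="${2:-${LLVM_VERSION:-}}"
  if [ -n "$version" ] && command -v "llvm-$tool-$version" >/dev/null 2>&1; then
    printf '%s\n' "llvm-$tool-$version"
  else
    printf '%s\n' "llvm-$tool"
  fi
}

# Return 0 if FILE starts with the LLVM bitcode magic bytes 42 43 c0 de ("BC\xC0\xDE").
# Objects compiled in LTO mode are bitcode rather than ELF; GNU ranlib cannot
# build an index for them, which is exactly what the linker error complains about.
is_llvm_bitcode() {
  local magic
  magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
  [ "$magic" = "4243c0de" ]
}

# Return 0 if any member of the static archive ARCHIVE is LLVM bitcode.
# (Member names containing whitespace are not handled.)
archive_has_bitcode() {
  local archive="$1" member tmp
  tmp=$(mktemp) || return 2
  for member in $(ar t "$archive"); do
    if ar p "$archive" "$member" > "$tmp" 2>/dev/null && is_llvm_bitcode "$tmp"; then
      rm -f "$tmp"
      return 0
    fi
  done
  rm -f "$tmp"
  return 1
}

# Run ./configure in SRCDIR with the afl-clang-lto toolchain. As the TL;DR notes,
# some targets want LD=afl-clang-lto and others LD=afl-ld-lto, so the second is
# tried when configure fails with the first.
configure_lto() {
  local srcdir="$1"; shift
  local ar_bin ranlib_bin as_bin ld
  ar_bin=$(llvm_tool ar); ranlib_bin=$(llvm_tool ranlib); as_bin=$(llvm_tool as)
  for ld in afl-clang-lto afl-ld-lto; do
    if (cd "$srcdir" && env CC=afl-clang-lto CXX=afl-clang-lto++ \
          AR="$ar_bin" RANLIB="$ranlib_bin" AS="$as_bin" LD="$ld" ./configure "$@"); then
      printf 'configured with LD=%s AR=%s RANLIB=%s AS=%s\n' "$ld" "$ar_bin" "$ranlib_bin" "$as_bin"
      return 0
    fi
  done
  return 1
}

# Usage (assumed paths):
#   LLVM_VERSION=15 configure_lto ~/src/libfoo --disable-shared && make -C ~/src/libfoo
#   archive_has_bitcode ~/src/libfoo/.libs/libfoo.a && echo "bitcode archive: index it with llvm-ranlib"
```

If `archive_has_bitcode` reports bitcode in an archive that the linker rejects, the archive was indexed (or not indexed at all) by the GNU tools; rebuild it with `AR=llvm-ar RANLIB=llvm-ranlib`, and remember that some targets need those variables on the `make` line too because `configure` does not persist them.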

Example (note that you might need to add the version, e.g. `llvm-ar-15`):

```
CC=afl-clang-lto CXX=afl-clang-lto++ RANLIB=llvm-ranlib AR=llvm-ar AS=llvm-as ./configure
make
```

NOTE: some targets also need to set the linker, try both `afl-clang-lto` and
`afl-ld-lto` for `LD=` before `configure`.

## Instrumenting shared libraries

Note: this is highly discouraged! Try to compile to static libraries with
afl-clang-lto instead of shared libraries!

To make instrumented shared libraries work with afl-clang-lto, you have to do
quite some extra steps.

Every shared library you want to instrument has to be individually compiled. The
environment variable `AFL_LLVM_LTO_DONTWRITEID=1` has to be set during
compilation. Additionally, the environment variable `AFL_LLVM_LTO_STARTID` has
to be set to the sum of the edge counts of all previously compiled instrumented
shared libraries for that target, so that every library gets its own disjoint
range of edge IDs in the coverage map. E.g., for the first shared library this would
be `AFL_LLVM_LTO_STARTID=0` and afl-clang-lto will then report how many edges
have been instrumented (let's say it reported 1000 instrumented edges). The
second shared library then has to be set to that value
(`AFL_LLVM_LTO_STARTID=1000` in our example), the third to the sum of all previous
counts, etc.

The final program compilation step then may *not* have
`AFL_LLVM_LTO_DONTWRITEID` set, and `AFL_LLVM_LTO_STARTID` must be set to the sum
of the edge counts of all shared libraries it will be linked to.

This is quite some hands-on work, so better stay away from instrumenting shared
libraries. :-)

## AUTODICTIONARY feature

While compiling, a dictionary based on string comparisons is automatically
generated and put into the target binary. This dictionary is transferred to
afl-fuzz on start. This improves coverage statistically by 5-10%. :)

Note that if for any reason you do not want to use the autodictionary feature,
then just set the environment variable `AFL_NO_AUTODICT` when starting afl-fuzz.
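Going back to the shared-library procedure above: keeping `AFL_LLVM_LTO_STARTID` in sync by hand is where mistakes happen, so here is an added example (not AFL++ code and not part of the original documentation) that automates the bookkeeping. It reads the count from the `[+] Instrumented N locations` line that afl-clang-lto prints (the format shown in the libtiff output earlier), builds each library with `AFL_LLVM_LTO_DONTWRITEID=1` and the running start ID, and then builds the final program with the total. The library directories, the plain `make` invocations and the log file name are assumptions about the target's build system.

```bash
#!/usr/bin/env bash
# Added example, not part of AFL++ or its documentation: automate the
# AFL_LLVM_LTO_STARTID bookkeeping for several instrumented shared libraries.
# The library directories, the plain "make" builds and the log file name are
# assumptions about the target's build system.
set -u

# Sum the edge counts reported in an afl-clang-lto build log. The tool prints
# "[+] Instrumented N locations ..." for each link step; a library build may
# link more than one object (helper tools, test binaries), so every such line is
# added, which can only over-reserve IDs, never overlap them. Prints 0 if none.
instrumented_count() {
  awk '/\[\+\] Instrumented [0-9]+ locations/ {
         for (i = 1; i <= NF; i++) if ($i == "Instrumented") sum += $(i + 1)
       }
       END { print sum + 0 }' "$1"
}

# Given the edge counts of the libraries in build order, print the start ID for
# each library (0, c1, c1+c2, ...) followed by the total, i.e. the value
# AFL_LLVM_LTO_STARTID needs for the final program.
start_ids() {
  local total=0 c
  for c in "$@"; do
    printf '%d\n' "$total"
    total=$((total + c))
  done
  printf '%d\n' "$total"
}

# Build every shared library directory with AFL_LLVM_LTO_DONTWRITEID=1 and the
# running start ID, read the reported count back from the log, then build the
# program directory WITHOUT DONTWRITEID and with STARTID set to the total, so no
# two libraries (or the program) share an edge ID in the coverage map.
build_chain() {
  local program_dir="$1"; shift
  local start=0 dir log count
  for dir in "$@"; do
    log="$dir/afl-lto-build.log"
    (cd "$dir" && AFL_LLVM_LTO_DONTWRITEID=1 AFL_LLVM_LTO_STARTID="$start" make) >"$log" 2>&1 \
      || { cat "$log"; return 1; }
    count=$(instrumented_count "$log")
    printf '%s: %d edges, IDs %d..%d\n' "$dir" "$count" "$start" "$((start + count - 1))"
    start=$((start + count))
  done
  (cd "$program_dir" && unset AFL_LLVM_LTO_DONTWRITEID && AFL_LLVM_LTO_STARTID="$start" make) \
    || return 1
  printf 'program: edge IDs start at %d\n' "$start"
}

# Usage (assumed layout): build_chain ./app ./libparse ./libcodec
```

Note that the chain has to be rebuilt from the first library onwards whenever any library changes, since a different edge count shifts the start IDs of everything built after it.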

## Fixed memory map

To speed up fuzzing a little bit more, it is possible to set a fixed shared
memory map. The recommended value is 0x10000.

In most cases, this will work without any problems. However, if a target uses
early constructors, ifuncs, or a deferred forkserver, this can crash the target.

Also, on unusual operating systems/processors/kernels or weird libraries the
recommended 0x10000 address might not work, so then change the fixed address.

To enable this feature, set `AFL_LLVM_MAP_ADDR` to the address.

## Document edge IDs

Setting `export AFL_LLVM_DOCUMENT_IDS=file` will document in a file which edge
ID was given to which function. This helps to identify functions with variable
bytes or which functions were touched by an input.

## Solving difficult targets

Some targets are difficult because the configure script does unusual stuff that
AFL++ does not expect. See the next section `Potential issues` for how to solve
these.

### Example: ffmpeg

An example of a hard to solve target is ffmpeg. Here is how to successfully
instrument it:

1. Get and extract the current ffmpeg and change to its directory.

2. Running configure with --cc=clang fails and various other items will fail
   when compiling, so we have to trick configure:

   ```
   ./configure --enable-lto --disable-shared --disable-inline-asm
   ```

3. Now the configuration is done - and we edit the settings in
   `./ffbuild/config.mak` (-: the original line, +: what to change it into):

   ```
   -CC=gcc
   +CC=afl-clang-lto
   -CXX=g++
   +CXX=afl-clang-lto++
   -AS=gcc
   +AS=llvm-as
   -LD=gcc
   +LD=afl-clang-lto++
   -DEPCC=gcc
   +DEPCC=afl-clang-lto
   -DEPAS=gcc
   +DEPAS=afl-clang-lto++
   -AR=ar
   +AR=llvm-ar
   -AR_CMD=ar
   +AR_CMD=llvm-ar
   -NM_CMD=nm -g
   +NM_CMD=llvm-nm -g
   -RANLIB=ranlib -D
   +RANLIB=llvm-ranlib -D
   ```

4. Then type make, wait for a long time, and you are done. :)

### Example: WebKit jsc

Building jsc is difficult as the build script has bugs.

1. Check out WebKit:

   ```
   svn checkout https://svn.webkit.org/repository/webkit/trunk WebKit
   cd WebKit
   ```

2. Fix the build environment:

   ```
   mkdir -p WebKitBuild/Release
   cd WebKitBuild/Release
   ln -s ../../../../../usr/bin/llvm-ar-12 llvm-ar-12
   ln -s ../../../../../usr/bin/llvm-ranlib-12 llvm-ranlib-12
   cd ../..
   ```

3. Build:

   ```
   Tools/Scripts/build-jsc --jsc-only --cli --cmakeargs="-DCMAKE_AR='llvm-ar-12' -DCMAKE_RANLIB='llvm-ranlib-12' -DCMAKE_VERBOSE_MAKEFILE:BOOL=ON -DCMAKE_CC_FLAGS='-O3 -lrt' -DCMAKE_CXX_FLAGS='-O3 -lrt' -DIMPORTED_LOCATION='/lib/x86_64-linux-gnu/' -DCMAKE_CC=afl-clang-lto -DCMAKE_CXX=afl-clang-lto++ -DENABLE_STATIC_JSC=ON"
   ```

## Potential issues

### Compiling libraries fails

If you see this message:

```
/bin/ld: libfoo.a: error adding symbols: archive has no index; run ranlib to add one
```

This is because usually the GNU binutils ranlib is being called, which cannot
index the LLVM bitcode objects that clang emits in LTO mode. The solution is
simple: when you `./configure`, you also have to set `RANLIB=llvm-ranlib` and
`AR=llvm-ar`.

Solution:

```
AR=llvm-ar RANLIB=llvm-ranlib CC=afl-clang-lto CXX=afl-clang-lto++ ./configure --disable-shared
```

And on some targets you have to set `AR=`/`RANLIB=` even for `make` as the
configure script does not save it. Other targets ignore environment variables
and need the parameters set via `./configure --cc=... --cxx=... --ranlib=...` etc.
(I am looking at you, ffmpeg!)

If you see this message:

```
assembler command failed ...
```

Then try setting `llvm-as` for configure:

```
AS=llvm-as ...
```

### Compiling programs still fail

afl-clang-lto is still a work in progress.

Known issues:
* Anything that LLVM 12+ cannot compile, afl-clang-lto cannot compile either -
  obviously.
* Anything that does not compile with LTO, afl-clang-lto cannot compile either -
  obviously.

Hence, if building a target with afl-clang-lto fails, try to build it with
LLVM 12 and LTO enabled (`CC=clang-12`, `CXX=clang++-12`, `CFLAGS=-flto=full`,
and `CXXFLAGS=-flto=full`).

If this succeeds, then there is an issue with afl-clang-lto. Please report at
[https://github.com/AFLplusplus/AFLplusplus/issues/226](https://github.com/AFLplusplus/AFLplusplus/issues/226).

Even some targets where clang-12 fails can be built if the failure is just in
`./configure`, see `Solving difficult targets` above.

## History

This was originally envisioned by hexcoder- in Summer 2019. However, we saw no
way to create a pass that is run at link time - although there is an option for
this in the PassManager: EP_FullLinkTimeOptimizationLast. ("Fun" info - nobody
knows what this is doing. And the developer who implemented this didn't respond
to emails.)

In December then came the idea to implement this as a pass that is run via the
LLVM "opt" program, which is performed via our own linker that afterwards calls
the real linker. This was first implemented in January and worked ... kinda. The
LTO time instrumentation worked, however, "how" the basic blocks were
instrumented was a problem, as reducing duplicates turned out to be very, very
difficult with a program that has so many paths and therefore so many
dependencies. A lot of strategies were implemented - and failed. And then SAT
solvers were tried, but with over 10,000 variables that turned out to be a
dead end too.

The final idea to solve this came from domenukk who proposed to insert a block
into an edge and then just use incremental counters ... and this worked! After
some trial and error to implement this, vanhauser-thc found out that there is
actually an LLVM function for this: SplitEdge() :-)

Still more problems came up though, as this only works without bugs from LLVM 9
onwards, and with high optimization the link-time optimization ruins the
instrumented control flow graph.

This is all now fixed with LLVM 12+. LLVM's own linker is now able to load
passes and this bypasses all problems we had.

Happy end :)