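#!/bin/sh
#
# llvm_mode regression test: exercises afl-clang-fast instrumentation (classic,
# thread-safe, shared object + dlopen, hardened), afl-showmap, afl-fuzz,
# afl-cmin / afl-cmin.bash, afl-tmin, laf-intel/compcov integer and float
# splitting, instrumentlist, cmplog and persistent mode.
#
# Runs from the test/ directory with the built tree one level up. test-pre.sh is
# expected to provide $ECHO, the colour variables ($BLUE $GREEN $RED $YELLOW
# $GREY $RESET), $MEM_LIMIT, $SYS and test_compcov_binary_functionality;
# test-post.sh is expected to consume $CODE (failure) and $INCOMPLETE (skipped).
#
# Result-reporting pattern used throughout: `check && { ok } || { fail; CODE=1 }`.
# Blocks in the "ok" branch therefore end with `true` where their last command
# might fail, so the "fail" branch is not entered by accident.
#
# Fixes relative to the previous revision:
#   * cmplog result check used a single `&` (background job) instead of `&&`, so
#     it reported success unconditionally;
#   * the macOS crash-reporter check passed grep -q's empty output to `test`,
#     which never matched, and ran in a subshell so CODE=1 was lost;
#   * the laf-intel cleanup glob did not match the generated binary names;
#   * the `out` directory of the floating-point run was left behind and could
#     satisfy the later cmplog crash check if that afl-fuzz run failed to start.

. ./test-pre.sh

$ECHO "$BLUE[*] Testing: llvm_mode, afl-showmap, afl-fuzz, afl-cmin and afl-tmin"
test -e ../afl-clang-fast && test -e ../split-switches-pass.so && {
  ../afl-clang-fast -o test-instr.plain ../test-instr.c > /dev/null 2>&1
  AFL_HARDEN=1 ../afl-clang-fast -o test-compcov.harden test-compcov.c > /dev/null 2>&1

  # --- classic instrumentation -------------------------------------------------
  test -e test-instr.plain && {
    $ECHO "$GREEN[+] llvm_mode compilation succeeded"
    # Two showmap runs with different stdin ("0" vs. empty) must produce
    # different coverage maps, otherwise no instrumentation is present.
    echo 0 | AFL_QUIET=1 ../afl-showmap -m "${MEM_LIMIT}" -o test-instr.plain.0 -r -- ./test-instr.plain > /dev/null 2>&1
    AFL_QUIET=1 ../afl-showmap -m "${MEM_LIMIT}" -o test-instr.plain.1 -r -- ./test-instr.plain < /dev/null > /dev/null 2>&1
    test -e test-instr.plain.0 && test -e test-instr.plain.1 && {
      diff test-instr.plain.0 test-instr.plain.1 > /dev/null 2>&1 && {
        $ECHO "$RED[!] llvm_mode instrumentation should be different on different input but is not"
        CODE=1
      } || {
        $ECHO "$GREEN[+] llvm_mode instrumentation present and working correctly"
        # Third field of showmap's "Captured N tuples ..." line.
        TUPLES=$(echo 0 | AFL_QUIET=1 ../afl-showmap -m "${MEM_LIMIT}" -o /dev/null -- ./test-instr.plain 2>&1 | grep Captur | awk '{print$3}')
        # -n guard: an empty TUPLES must land in the "weird numbers" branch
        # without `test` complaining about a non-integer expression.
        test -n "$TUPLES" && test "$TUPLES" -gt 2 && test "$TUPLES" -lt 8 && {
          $ECHO "$GREEN[+] llvm_mode run reported $TUPLES instrumented locations which is fine"
        } || {
          $ECHO "$RED[!] llvm_mode instrumentation produces weird numbers: $TUPLES"
          CODE=1
        }
        # With almost no edges afl-fuzz below cannot find new paths; skip it.
        test -n "$TUPLES" && test "$TUPLES" -lt 3 && SKIP=1
        true
      }
    } || {
      $ECHO "$RED[!] llvm_mode instrumentation failed"
      CODE=1
    }
    rm -f test-instr.plain.0 test-instr.plain.1
  } || {
    $ECHO "$RED[!] llvm_mode failed"
    CODE=1
  }

  # --- thread-safe counters ----------------------------------------------------
  AFL_LLVM_INSTRUMENT=CLASSIC AFL_LLVM_THREADSAFE_INST=1 ../afl-clang-fast -o test-instr.ts ../test-instr.c > /dev/null 2>&1
  test -e test-instr.ts && {
    $ECHO "$GREEN[+] llvm_mode threadsafe compilation succeeded"
    echo 0 | AFL_QUIET=1 ../afl-showmap -m "${MEM_LIMIT}" -o test-instr.ts.0 -r -- ./test-instr.ts > /dev/null 2>&1
    AFL_QUIET=1 ../afl-showmap -m "${MEM_LIMIT}" -o test-instr.ts.1 -r -- ./test-instr.ts < /dev/null > /dev/null 2>&1
    test -e test-instr.ts.0 && test -e test-instr.ts.1 && {
      diff test-instr.ts.0 test-instr.ts.1 > /dev/null 2>&1 && {
        $ECHO "$RED[!] llvm_mode threadsafe instrumentation should be different on different input but is not"
        CODE=1
      } || {
        $ECHO "$GREEN[+] llvm_mode threadsafe instrumentation present and working correctly"
        TUPLES=$(echo 0 | AFL_QUIET=1 ../afl-showmap -m "${MEM_LIMIT}" -o /dev/null -- ./test-instr.ts 2>&1 | grep Captur | awk '{print$3}')
        test -n "$TUPLES" && test "$TUPLES" -gt 2 && test "$TUPLES" -lt 8 && {
          $ECHO "$GREEN[+] llvm_mode run reported $TUPLES threadsafe instrumented locations which is fine"
        } || {
          $ECHO "$RED[!] llvm_mode threadsafe instrumentation produces weird numbers: $TUPLES"
          CODE=1
        }
        test -n "$TUPLES" && test "$TUPLES" -lt 3 && SKIP=1
        true
      }
    } || {
      $ECHO "$RED[!] llvm_mode threadsafe instrumentation failed"
      CODE=1
    }
    rm -f test-instr.ts.0 test-instr.ts.1
  } || {
    $ECHO "$RED[!] llvm_mode (threadsafe) failed"
    CODE=1
  }

  # --- instrumented shared object loaded via dlopen() --------------------------
  ../afl-clang-fast -DTEST_SHARED_OBJECT=1 -z defs -fPIC -shared -o test-instr.so ../test-instr.c > /dev/null 2>&1
  test -e test-instr.so && {
    $ECHO "$GREEN[+] llvm_mode shared object with -z defs compilation succeeded"
    # dlopen() needs libdl on Linux; elsewhere LIBS stays unset.
    test "$(uname -s)" = 'Linux' && LIBS=-ldl
    # LIBS is deliberately unquoted: an empty value must expand to no argument.
    ../afl-clang-fast -o test-dlopen.plain test-dlopen.c ${LIBS} > /dev/null 2>&1
    test -e test-dlopen.plain && {
      $ECHO "$GREEN[+] llvm_mode test-dlopen compilation succeeded"
      # Plain run outside of any AFL tool: the loader must resolve the .so and
      # the program must exit cleanly.
      if ! echo 0 | DYLD_INSERT_LIBRARIES=./test-instr.so LD_PRELOAD=./test-instr.so TEST_DLOPEN_TARGET=./test-instr.so AFL_QUIET=1 ./test-dlopen.plain > /dev/null 2>&1; then
        $ECHO "$RED[!] llvm_mode test-dlopen exits with an error"
        CODE=1
      fi
      echo 0 | AFL_PRELOAD=./test-instr.so TEST_DLOPEN_TARGET=./test-instr.so AFL_QUIET=1 ../afl-showmap -m "${MEM_LIMIT}" -o test-dlopen.plain.0 -r -- ./test-dlopen.plain > /dev/null 2>&1
      AFL_PRELOAD=./test-instr.so TEST_DLOPEN_TARGET=./test-instr.so AFL_QUIET=1 ../afl-showmap -m "${MEM_LIMIT}" -o test-dlopen.plain.1 -r -- ./test-dlopen.plain < /dev/null > /dev/null 2>&1
      test -e test-dlopen.plain.0 && test -e test-dlopen.plain.1 && {
        diff test-dlopen.plain.0 test-dlopen.plain.1 > /dev/null 2>&1 && {
          $ECHO "$RED[!] llvm_mode test-dlopen instrumentation should be different on different input but is not"
          CODE=1
        } || {
          $ECHO "$GREEN[+] llvm_mode test-dlopen instrumentation present and working correctly"
          TUPLES=$(echo 0 | AFL_PRELOAD=./test-instr.so TEST_DLOPEN_TARGET=./test-instr.so AFL_QUIET=1 ../afl-showmap -m "${MEM_LIMIT}" -o /dev/null -- ./test-dlopen.plain 2>&1 | grep Captur | awk '{print$3}')
          # Wider window than the plain binary: the loader plus the .so add edges.
          test -n "$TUPLES" && test "$TUPLES" -gt 3 && test "$TUPLES" -lt 12 && {
            $ECHO "$GREEN[+] llvm_mode test-dlopen run reported $TUPLES instrumented locations which is fine"
          } || {
            $ECHO "$RED[!] llvm_mode test-dlopen instrumentation produces weird numbers: $TUPLES"
            CODE=1
          }
          test -n "$TUPLES" && test "$TUPLES" -lt 3 && SKIP=1
          true
        }
      } || {
        $ECHO "$RED[!] llvm_mode test-dlopen instrumentation failed"
        CODE=1
      }
    } || {
      $ECHO "$RED[!] llvm_mode test-dlopen compilation failed"
      CODE=1
    }
    rm -f test-dlopen.plain test-dlopen.plain.0 test-dlopen.plain.1 test-instr.so
    unset LIBS
  } || {
    $ECHO "$RED[!] llvm_mode shared object with -z defs compilation failed"
    CODE=1
  }

  # --- AFL_HARDEN --------------------------------------------------------------
  test -e test-compcov.harden && test_compcov_binary_functionality ./test-compcov.harden && {
    # Hardening must leave stack-protector / fortify symbols in the binary.
    nm test-compcov.harden | grep -Eq 'stack_chk_fail|fstack-protector-all|fortified' 2>/dev/null && {
      $ECHO "$GREEN[+] llvm_mode hardened mode succeeded and is working"
    } || {
      $ECHO "$RED[!] llvm_mode hardened mode is not hardened"
      CODE=1
    }
    rm -f test-compcov.harden
  } || {
    $ECHO "$RED[!] llvm_mode hardened mode compilation failed"
    CODE=1
  }

  # --- afl-fuzz / afl-cmin / afl-tmin ------------------------------------------
  # now we want to be sure that afl-fuzz is working
  # make sure crash reporter is disabled on Mac OS X
  # (plain `if`, not a subshell: CODE=1 must reach the rest of the script)
  if test "$(uname -s)" = "Darwin" && launchctl list 2>/dev/null | grep -q '\.ReportCrash$'; then
    $ECHO "$RED[!] we cannot run afl-fuzz with enabled crash reporter. Run 'sudo sh afl-system-config'.$RESET"
    CODE=1
  else
    mkdir -p in
    echo 0 > in/in
    test -z "$SKIP" && {
      $ECHO "$GREY[*] running afl-fuzz for llvm_mode, this will take approx 10 seconds"
      ../afl-fuzz -V10 -m "${MEM_LIMIT}" -i in -o out -D -- ./test-instr.plain >>errors 2>&1
      # Success criterion: at least a third queue entry (id:000002) was found.
      test -n "$( ls out/default/queue/id:000002* 2>/dev/null )" && {
        $ECHO "$GREEN[+] afl-fuzz is working correctly with llvm_mode"
      } || {
        echo CUT------------------------------------------------------------------CUT
        cat errors
        echo CUT------------------------------------------------------------------CUT
        $ECHO "$RED[!] afl-fuzz is not working correctly with llvm_mode"
        CODE=1
      }
    }
    case "$SYS" in
      i686|x86_64|amd64|i86pc)
        # afl-cmin/afl-tmin are intentionally not run here on x86
        # (presumably exercised by another test-*.sh script — confirm).
        ;;
      *)
        echo 000000000000000000000000 > in/in2
        echo 111 > in/in3
        mkdir -p in2
        ../afl-cmin -m "${MEM_LIMIT}" -i in -o in2 -- ./test-instr.plain >/dev/null 2>&1 # why is afl-forkserver writing to stderr?
        # `*2` rather than `2`: some wc implementations pad the count with spaces.
        CNT=$(ls in2/* 2>/dev/null | wc -l)
        case "$CNT" in
          *2) $ECHO "$GREEN[+] afl-cmin correctly minimized the number of testcases" ;;
          *) $ECHO "$RED[!] afl-cmin did not correctly minimize the number of testcases ($CNT)"
             CODE=1
             ;;
        esac
        rm -f in2/in*
        export AFL_QUIET=1
        if command -v bash >/dev/null; then
          ../afl-cmin.bash -m "${MEM_LIMIT}" -i in -o in2 -- ./test-instr.plain >/dev/null
          CNT=$(ls in2/* 2>/dev/null | wc -l)
          case "$CNT" in
            *2) $ECHO "$GREEN[+] afl-cmin.bash correctly minimized the number of testcases" ;;
            *) $ECHO "$RED[!] afl-cmin.bash did not correctly minimize the number of testcases ($CNT)"
               CODE=1
               ;;
          esac
        else
          $ECHO "$YELLOW[-] no bash available, cannot test afl-cmin.bash"
          INCOMPLETE=1
        fi
        # in/in2 is 24 zeroes + newline; a correct tmin shrinks it to one byte.
        ../afl-tmin -m "${MEM_LIMIT}" -i in/in2 -o in2/in2 -- ./test-instr.plain > /dev/null 2>&1
        SIZE=$(ls -l in2/in2 2>/dev/null | awk '{print$5}')
        if test "$SIZE" = 1; then
          $ECHO "$GREEN[+] afl-tmin correctly minimized the testcase"
        else
          $ECHO "$RED[!] afl-tmin did incorrectly minimize the testcase to $SIZE"
          CODE=1
        fi
        rm -rf in2
        ;;
    esac
    rm -rf in out errors
  fi
  rm -f test-instr.plain

  # --- laf-intel: integer compare splitting ------------------------------------
  $ECHO "$GREY[*] llvm_mode laf-intel/compcov testing splitting integer types (this might take some time)"
  for testcase in ./test-int_cases.c ./test-uint_cases.c; do
    for I in char short int long "long long"; do
      for BITS in 8 16 32 64; do
        # Note: $I may contain a space ("long long"); keep $bin quoted.
        bin="$testcase-split-$I-$BITS.compcov"
        AFL_LLVM_INSTRUMENT=AFL AFL_DEBUG=1 AFL_LLVM_LAF_SPLIT_COMPARES_BITW=$BITS AFL_LLVM_LAF_SPLIT_COMPARES=1 ../afl-clang-fast -fsigned-char -DINT_TYPE="$I" -o "$bin" "$testcase" > test.out 2>&1
        if ! test -e "$bin"; then
          cat test.out
          $ECHO "$RED[!] llvm_mode laf-intel/compcov integer splitting failed! ($testcase with type $I split to $BITS)!"
          CODE=1
          break
        fi
        # The test program self-checks its comparisons and exits non-zero on a
        # miscompilation.
        if ! "$bin"; then
          $ECHO "$RED[!] llvm_mode laf-intel/compcov integer splitting resulted in miscompilation (type $I split to $BITS)!"
          CODE=1
          break
        fi
        rm -f "$bin" test.out || true
      done
    done
  done
  # Glob matches the names built above (a binary survives only after a `break`).
  rm -f ./test-int_cases.c-split-*.compcov ./test-uint_cases.c-split-*.compcov test.out

  # --- laf-intel: switches / transform / compares together ---------------------
  AFL_LLVM_INSTRUMENT=AFL AFL_DEBUG=1 AFL_LLVM_LAF_SPLIT_SWITCHES=1 AFL_LLVM_LAF_TRANSFORM_COMPARES=1 AFL_LLVM_LAF_SPLIT_COMPARES=1 ../afl-clang-fast -o test-compcov.compcov test-compcov.c > test.out 2>&1
  test -e test-compcov.compcov && test_compcov_binary_functionality ./test-compcov.compcov && {
    # AFL_DEBUG prints "... N location(s)"; the pattern accepts a plausible N.
    grep --binary-files=text -Eq " [ 123][0-9][0-9] location| [3-9][0-9] location" test.out && {
      $ECHO "$GREEN[+] llvm_mode laf-intel/compcov feature works correctly"
    } || {
      $ECHO "$RED[!] llvm_mode laf-intel/compcov feature failed"
      CODE=1
    }
  } || {
    $ECHO "$RED[!] llvm_mode laf-intel/compcov feature compilation failed"
    CODE=1
  }
  rm -f test-compcov.compcov test.out

  # --- laf-intel: floating point splitting -------------------------------------
  AFL_LLVM_INSTRUMENT=AFL AFL_LLVM_LAF_SPLIT_FLOATS=1 ../afl-clang-fast -o test-floatingpoint test-floatingpoint.c >errors 2>&1
  test -e test-floatingpoint && {
    mkdir -p in
    echo ZZZZ > in/in
    $ECHO "$GREY[*] running afl-fuzz with floating point splitting, this will take max. 45 seconds"
    # Fixed seed, bench-until-crash: the target must crash within the time budget.
    AFL_BENCH_UNTIL_CRASH=1 AFL_NO_UI=1 ../afl-fuzz -Z -s 123 -V50 -m "${MEM_LIMIT}" -i in -o out -D -- ./test-floatingpoint >>errors 2>&1
    test -n "$( ls out/default/crashes/id:* 2>/dev/null )" && {
      $ECHO "$GREEN[+] llvm_mode laf-intel floatingpoint splitting feature works correctly"
    } || {
      cat errors
      $ECHO "$RED[!] llvm_mode laf-intel floatingpoint splitting feature failed"
      CODE=1
    }
  } || {
    $ECHO "$RED[!] llvm_mode laf-intel floatingpoint splitting feature compilation failed"
    CODE=1
  }
  # `out` is removed as well so its crashes cannot satisfy the cmplog check below.
  rm -rf test-floatingpoint test.out in/in out errors core.*

  # --- instrumentlist ----------------------------------------------------------
  echo foobar.c > instrumentlist.txt
  AFL_DEBUG=1 AFL_LLVM_INSTRUMENT_FILE=instrumentlist.txt ../afl-clang-fast -o test-compcov test-compcov.c > test.out 2>&1
  test -e test-compcov && test_compcov_binary_functionality ./test-compcov && {
    # The list names a file that is not part of the build, so nothing may be
    # instrumented.
    grep -q "No instrumentation targets found" test.out && {
      $ECHO "$GREEN[+] llvm_mode instrumentlist feature works correctly"
    } || {
      $ECHO "$RED[!] llvm_mode instrumentlist feature failed"
      CODE=1
    }
  } || {
    $ECHO "$RED[!] llvm_mode instrumentlist feature compilation failed"
    CODE=1
  }
  rm -f test-compcov test.out instrumentlist.txt

  # --- cmplog ------------------------------------------------------------------
  AFL_LLVM_CMPLOG=1 ../afl-clang-fast -o test-cmplog test-cmplog.c > /dev/null 2>&1
  test -e test-cmplog && {
    $ECHO "$GREY[*] running afl-fuzz for llvm_mode cmplog, this will take approx 10 seconds"
    {
      mkdir -p in
      echo 00000000000000000000000000000000 > in/in
      AFL_BENCH_UNTIL_CRASH=1 ../afl-fuzz -m none -V60 -i in -o out -c ./test-cmplog -- ./test-cmplog
    } >>errors 2>&1
    # `&&`, not `&`: a lone `&` backgrounds the test and always runs the
    # success branch.
    test -n "$( ls out/default/crashes/id:000000* out/default/hangs/id:000000* 2>/dev/null )" && {
      $ECHO "$GREEN[+] afl-fuzz is working correctly with llvm_mode cmplog"
    } || {
      echo CUT------------------------------------------------------------------CUT
      cat errors
      echo CUT------------------------------------------------------------------CUT
      $ECHO "$RED[!] afl-fuzz is not working correctly with llvm_mode cmplog"
      CODE=1
    }
  } || {
    $ECHO "$YELLOW[-] we cannot test llvm_mode cmplog because it is not present"
    INCOMPLETE=1
  }
  rm -rf errors test-cmplog in out core.*

  # --- persistent mode ---------------------------------------------------------
  ../afl-clang-fast -o test-persistent ../utils/persistent_mode/persistent_demo.c > /dev/null 2>&1
  test -e test-persistent && {
    echo foo | AFL_QUIET=1 ../afl-showmap -m "${MEM_LIMIT}" -o /dev/null -q -r -- ./test-persistent && {
      $ECHO "$GREEN[+] llvm_mode persistent mode feature works correctly"
    } || {
      $ECHO "$RED[!] llvm_mode persistent mode feature failed to work"
      CODE=1
    }
  } || {
    $ECHO "$RED[!] llvm_mode persistent mode feature compilation failed"
    CODE=1
  }
  rm -f test-persistent
} || {
  $ECHO "$YELLOW[-] llvm_mode not compiled, cannot test"
  INCOMPLETE=1
}

. ./test-post.sh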