Make cmplog implementation consistent with AFL++ (#3299)

Evian-Zhang · web-flow · commit 8ea82090c8e1 · 2025-06-16T13:11:52.000+02:00
* Make cmplog implementation consistent with AFL++

* Make all API consistent
diff --git a/libafl_targets/src/cmplog.c b/libafl_targets/src/cmplog.c
@@ -97,15 +97,15 @@ static inline long area_is_valid(const void *ptr, size_t len) {
 }
 
 // Very generic cmplog instructions callback
-void __libafl_targets_cmplog_instructions(uintptr_t k, uint8_t shape,
+void __libafl_targets_cmplog_instructions(uintptr_t k, uint8_t size,
                                           uint64_t arg1, uint64_t arg2) {
-  cmplog_instructions_checked(k, shape, arg1, arg2, 0);
+  cmplog_instructions_checked(k, size, arg1, arg2, 0);
 }
 
 // Very generic afl++ style cmplog instructions callback
-void __libafl_targets_cmplog_instructions_extended(uintptr_t k, uint8_t shape,
+void __libafl_targets_cmplog_instructions_extended(uintptr_t k, uint8_t size,
   uint64_t arg1, uint64_t arg2) {
-  cmplog_instructions_checked_extended(k, shape, arg1, arg2, 0);
+  cmplog_instructions_checked_extended(k, size, arg1, arg2, 0);
 }
 
 // Very generic cmplog routines callback
@@ -179,7 +179,7 @@ void __cmplog_ins_hook1_extended(uint8_t arg1, uint8_t arg2, uint8_t attr) {
   k = (k >> 4) ^ (k << 8);
   k &= CMPLOG_MAP_W - 1;
 
-  cmplog_instructions_checked_extended(k, 0, arg1, arg2, attr);
+  cmplog_instructions_checked_extended(k, 1, arg1, arg2, attr);
 }
 void __cmplog_ins_hook1(uint8_t arg1, uint8_t arg2) {
   uintptr_t k = RETADDR;
@@ -194,7 +194,7 @@ void __cmplog_ins_hook2_extended(uint16_t arg1, uint16_t arg2, uint8_t attr) {
   k = (k >> 4) ^ (k << 8);
   k &= CMPLOG_MAP_W - 1;
 
-  cmplog_instructions_checked_extended(k, 1, arg1, arg2, attr);
+  cmplog_instructions_checked_extended(k, 2, arg1, arg2, attr);
 }
 void __cmplog_ins_hook2(uint16_t arg1, uint16_t arg2) {
   uintptr_t k = RETADDR;
@@ -209,7 +209,7 @@ void __cmplog_ins_hook4_extended(uint32_t arg1, uint32_t arg2, uint8_t attr) {
   k = (k >> 4) ^ (k << 8);
   k &= CMPLOG_MAP_W - 1;
 
-  cmplog_instructions_checked_extended(k, 3, arg1, arg2, attr);
+  cmplog_instructions_checked_extended(k, 4, arg1, arg2, attr);
 }
 void __cmplog_ins_hook4(uint32_t arg1, uint32_t arg2) {
   uintptr_t k = RETADDR;
@@ -224,7 +224,7 @@ void __cmplog_ins_hook8_extended(uint64_t arg1, uint64_t arg2, uint8_t attr) {
   k = (k >> 4) ^ (k << 8);
   k &= CMPLOG_MAP_W - 1;
 
-  cmplog_instructions_checked_extended(k, 7, arg1, arg2, attr);
+  cmplog_instructions_checked_extended(k, 8, arg1, arg2, attr);
 }
 void __cmplog_ins_hook8(uint64_t arg1, uint64_t arg2) {
   uintptr_t k = RETADDR;
@@ -241,7 +241,7 @@ void __cmplog_ins_hook16_extended(uint128_t arg1, uint128_t arg2,
   k = (k >> 4) ^ (k << 8);
   k &= CMPLOG_MAP_W - 1;
 
-  cmplog_instructions_checked_extended(k, 15, arg1, arg2, attr);
+  cmplog_instructions_checked_extended(k, 16, arg1, arg2, attr);
 }
 void __cmplog_ins_hook16(uint128_t arg1, uint128_t arg2) {
   uintptr_t k = RETADDR;
@@ -257,7 +257,7 @@ void __cmplog_ins_hookN_extended(uint128_t arg1, uint128_t arg2, uint8_t attr,
   k = (k >> 4) ^ (k << 8);
   k &= CMPLOG_MAP_W - 1;
 
-  cmplog_instructions_checked_extended(k, size - 1, arg1, arg2, attr);
+  cmplog_instructions_checked_extended(k, size, arg1, arg2, attr);
 }
 void __cmplog_ins_hookN(uint128_t arg1, uint128_t arg2, uint8_t size) {
   uintptr_t k = RETADDR;
diff --git a/libafl_targets/src/cmplog.h b/libafl_targets/src/cmplog.h
@@ -106,12 +106,15 @@ extern uint8_t libafl_cmplog_enabled;
 // cmplog_routines_checked,
 // cmplog_routines_checked_extended
 
-static inline void cmplog_instructions_checked(uintptr_t k, uint8_t shape,
+// size is the operand size of instruction, which should be greater than 0
+static inline void cmplog_instructions_checked(uintptr_t k, uint8_t size,
                                                uint64_t arg1, uint64_t arg2,
                                                uint8_t arg1_is_const) {
   if (!libafl_cmplog_enabled) { return; }
   libafl_cmplog_enabled = false;
 
+  if (size == 0) { return; }
+  uint8_t shape = size - 1;
   uint16_t hits;
   if (libafl_cmplog_map_ptr->headers[k].kind != CMPLOG_KIND_INS) {
     libafl_cmplog_map_ptr->headers[k].kind = CMPLOG_KIND_INS;
@@ -132,12 +135,16 @@ static inline void cmplog_instructions_checked(uintptr_t k, uint8_t shape,
   libafl_cmplog_enabled = true;
 }
 
+// size is the operand size of instruction, which should be greater than 0
 static inline void cmplog_instructions_checked_extended(
-    uintptr_t k, uint8_t shape, uint64_t arg1, uint64_t arg2, uint8_t attr) {
+    uintptr_t k, uint8_t size, uint64_t arg1, uint64_t arg2, uint8_t attr) {
 #ifdef CMPLOG_EXTENDED
   if (!libafl_cmplog_enabled) { return; }
   libafl_cmplog_enabled = false;
 
+  if (size == 0) { return; }
+  uint8_t shape = size - 1;
+
   // printf("%ld %ld %ld\n", k, arg1, arg2);
   uint16_t hits;
   if (libafl_cmplog_map_extended_ptr->headers[k].type != CMPLOG_KIND_INS) {
@@ -160,7 +167,7 @@ static inline void cmplog_instructions_checked_extended(
 #else
   // just do nothing
   (void)k;
-  (void)shape;
+  (void)size;
   (void)arg1;
   (void)arg2;
   (void)attr;
@@ -176,13 +183,12 @@ static inline void cmplog_routines_checked(uintptr_t k, const uint8_t *ptr1,
   if (libafl_cmplog_map_ptr->headers[k].kind != CMPLOG_KIND_RTN) {
     libafl_cmplog_map_ptr->headers[k].kind = CMPLOG_KIND_RTN;
     libafl_cmplog_map_ptr->headers[k].hits = 1;
-    libafl_cmplog_map_ptr->headers[k].shape = len;
+    libafl_cmplog_map_ptr->headers[k].shape = len - 1;
     hits = 0;
   } else {
     hits = libafl_cmplog_map_ptr->headers[k].hits++;
     if (libafl_cmplog_map_ptr->headers[k].shape < len) {
-      libafl_cmplog_map_ptr->headers[k].shape =
-          len;  // TODO; adjust len for AFL++'s cmplog protocol
+      libafl_cmplog_map_ptr->headers[k].shape = len - 1;
     }
   }
 
@@ -204,19 +210,18 @@ static inline void cmplog_routines_checked_extended(uintptr_t      k,
   if (libafl_cmplog_map_extended_ptr->headers[k].type != CMPLOG_KIND_RTN) {
     libafl_cmplog_map_extended_ptr->headers[k].type = CMPLOG_KIND_RTN;
     libafl_cmplog_map_extended_ptr->headers[k].hits = 1;
-    libafl_cmplog_map_extended_ptr->headers[k].shape = len;
+    libafl_cmplog_map_extended_ptr->headers[k].shape = len - 1;
     hits = 0;
   } else {
     hits = libafl_cmplog_map_extended_ptr->headers[k].hits++;
     if (libafl_cmplog_map_extended_ptr->headers[k].shape < len) {
-      libafl_cmplog_map_extended_ptr->headers[k].shape =
-          len;  // TODO; adjust len for AFL++'s cmplog protocol
+      libafl_cmplog_map_extended_ptr->headers[k].shape = len - 1;
     }
   }
 
   hits &= CMPLOG_MAP_RTN_H - 1;
-  libafl_cmplog_map_extended_ptr->vals.routines[k][hits].v0_len = len;
-  libafl_cmplog_map_extended_ptr->vals.routines[k][hits].v1_len = len;
+  libafl_cmplog_map_extended_ptr->vals.routines[k][hits].v0_len = 0x80 + len;
+  libafl_cmplog_map_extended_ptr->vals.routines[k][hits].v1_len = 0x80 + len;
   MEMCPY(libafl_cmplog_map_extended_ptr->vals.routines[k][hits].v0, ptr1, len);
   MEMCPY(libafl_cmplog_map_extended_ptr->vals.routines[k][hits].v1, ptr2, len);
   libafl_cmplog_enabled = true;
diff --git a/libafl_targets/src/cmps/mod.rs b/libafl_targets/src/cmps/mod.rs
@@ -46,13 +46,13 @@ pub const CMPLOG_KIND_RTN: u8 = 1;
 // EXTERNS, GLOBALS
 
 #[cfg(any(feature = "cmplog", feature = "sancov_cmplog", feature = "sancov_value_profile"))]
-// void __libafl_targets_cmplog_instructions(uintptr_t k, uint8_t shape, uint64_t arg1, uint64_t arg2)
+// void __libafl_targets_cmplog_instructions(uintptr_t k, uint8_t size, uint64_t arg1, uint64_t arg2)
 unsafe extern "C" {
     /// Logs an instruction for feedback during fuzzing
-    pub fn __libafl_targets_cmplog_instructions(k: usize, shape: u8, arg1: u64, arg2: u64);
+    pub fn __libafl_targets_cmplog_instructions(k: usize, size: u8, arg1: u64, arg2: u64);
 
     /// Logs an AFL++ style instruction for feedback during fuzzing
-    pub fn __libafl_targets_cmplog_instructions_extended(k: usize, shape: u8, arg1: u64, arg2: u64);
+    pub fn __libafl_targets_cmplog_instructions_extended(k: usize, size: u8, arg1: u64, arg2: u64);
 
     /// Logs a routine for feedback during fuzzing
     pub fn __libafl_targets_cmplog_routines(k: usize, ptr1: *const u8, ptr2: *const u8);
@@ -387,30 +387,32 @@ impl CmpMap for CmpLogMap {
 
     fn values_of(&self, idx: usize, execution: usize) -> Option<CmpValues> {
         if self.headers[idx].kind == CMPLOG_KIND_INS {
+            let shape = self.headers[idx].shape;
             unsafe {
-                match self.headers[idx].shape {
-                    1 => Some(CmpValues::U8((
+                match shape {
+                    0 => Some(CmpValues::U8((
                         self.vals.operands[idx][execution].0 as u8,
                         self.vals.operands[idx][execution].1 as u8,
                         self.vals.operands[idx][execution].2 == 1,
                     ))),
-                    2 => Some(CmpValues::U16((
+                    1 => Some(CmpValues::U16((
                         self.vals.operands[idx][execution].0 as u16,
                         self.vals.operands[idx][execution].1 as u16,
                         self.vals.operands[idx][execution].2 == 1,
                     ))),
-                    4 => Some(CmpValues::U32((
+                    3 => Some(CmpValues::U32((
                         self.vals.operands[idx][execution].0 as u32,
                         self.vals.operands[idx][execution].1 as u32,
                         self.vals.operands[idx][execution].2 == 1,
                     ))),
-                    8 => Some(CmpValues::U64((
+                    7 => Some(CmpValues::U64((
                         self.vals.operands[idx][execution].0,
                         self.vals.operands[idx][execution].1,
                         self.vals.operands[idx][execution].2 == 1,
                     ))),
-                    // other => panic!("Invalid CmpLog shape {}", other),
-                    _ => None,
+                    // TODO handle 128 bits & 256 bits & 512 bits cmps
+                    15 | 31 | 63 => None,
+                    _ => panic!("Invalid CmpLog shape {shape}"),
                 }
             }
         } else {
@@ -579,8 +581,9 @@ impl CmpMap for AflppCmpLogMap {
     fn values_of(&self, idx: usize, execution: usize) -> Option<CmpValues> {
         let header = self.headers[idx];
         if header.type_().value() == CMPLOG_KIND_INS {
+            let shape = self.headers[idx].shape().value();
             unsafe {
-                match self.headers[idx].shape().value() {
+                match shape {
                     0 => Some(CmpValues::U8((
                         self.vals.operands[idx][execution].v0 as u8,
                         self.vals.operands[idx][execution].v1 as u8,
@@ -601,9 +604,9 @@ impl CmpMap for AflppCmpLogMap {
                         self.vals.operands[idx][execution].v1,
                         false,
                     ))),
-                    // TODO handle 128 bits & 256 bits cmps
-                    // other => panic!("Invalid CmpLog shape {}", other),
-                    _ => None,
+                    // TODO handle 128 bits & 256 bits & 512 bits cmps
+                    15 | 31 | 63 => None,
+                    _ => panic!("Invalid CmpLog shape {shape}"),
                 }
             }
         } else {
