From 110324e23ae9f5b77454ea39341300b61b8dfc0f Mon Sep 17 00:00:00 2001
From: Anh <zenpoems@gmail.com>
Date: Fri, 8 Feb 2019 08:18:23 -0800
Subject: [PATCH] Fix graph optimization

Before eliding a conditional-branch block, verify that neither successor starts at an indirect branch target address (IBTA)
---
 afl_transforms/tools/zax/zax_base.cpp | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/afl_transforms/tools/zax/zax_base.cpp b/afl_transforms/tools/zax/zax_base.cpp
index 48bb2d8..4ff7000 100644
--- a/afl_transforms/tools/zax/zax_base.cpp
+++ b/afl_transforms/tools/zax/zax_base.cpp
@@ -596,19 +596,28 @@ BasicBlockSet_t ZaxBase_t::getBlocksToInstrument(const ControlFlowGraph_t &cfg)
 			continue;
 		}
 
-		// optimization:
-		//    inner node: 1 predecessor and 1 successor
-		//    
-		//    predecessor has only 1 successor (namely this bb)
-		//    bb has 1 predecessor 
 		if (m_bb_graph_optimize)
 		{
-			if (bb->getSuccessors().size() == 2 && bb->endsInConditionalBranch())
+			const auto has_ibta=
+				[&](const BasicBlockSet_t& successors) -> bool
+				{
+					for (const auto & s : successors)
+					{
+						if (s->getInstructions()[0]->getIndirectBranchTargetAddress())
+							return true;
+					}
+					return false;
+				};
+
+			if (bb->getSuccessors().size() == 2 && 
+			    bb->endsInConditionalBranch() && 
+			    !has_ibta(bb->getSuccessors()))
 			{
 				// for now, until we get a more principled way of pruning the graph,
 				// make sure to keep both successors
 				for (auto next_bb : bb->getSuccessors())
 					keepers.insert(next_bb);
+
 				m_num_bb_skipped_cbranch++;
 				continue;
 			}
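Review bot: The new `has_ibta` lambda indexes `s->getInstructions()[0]` without checking that the successor block holds any instructions, so an empty successor (if the CFG builder can ever produce one) would be an out-of-bounds read rather than a clean "no IBTA" answer; a safe form is `const auto& insns = s->getInstructions(); if (!insns.empty() && insns[0]->getIndirectBranchTargetAddress()) return true;`. The lambda is also declared inside the per-block loop, so it is re-created on every iteration and could be hoisted above the loop (or made a private helper) without changing behavior. Since the old explanatory comment was dropped, a one-line rationale next to the condition would help the next reader, e.g. `// an IBTA successor can presumably be reached via an indirect jump, so the edge from bb is no longer implied by instrumenting only the successors — confirm`. The enclosing getBlocksToInstrument() begins before this hunk and continues past it.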
@@ -618,6 +627,7 @@ BasicBlockSet_t ZaxBase_t::getBlocksToInstrument(const ControlFlowGraph_t &cfg)
 	}
 	return keepers;
 }
+
 void ZaxBase_t::filterBlocksByDomgraph(BasicBlockSet_t& in_out,  const DominatorGraph_t* dg)
 {
 	if(!m_domgraph_optimize)
-- 
GitLab