From 60a11ade2398423e98196e4a8b87b99a73c85882 Mon Sep 17 00:00:00 2001
From: Anh Nguyen-Tuong <zenpoems@gmail.com>
Date: Sat, 23 Feb 2019 10:10:36 -0500
Subject: [PATCH] Fix crash

Building CFGs seems to require that the assembly is correct.
Force the assembly to be rebuilt after modifying the IR
and before building a new CFG.
---
 .../tools/zax/critical_edge_breaker.cpp          | 16 +++++++++++++---
 .../tools/zax/critical_edge_breaker.hpp          |  9 +++++----
 afl_transforms/tools/zax/zax_base.cpp            |  2 +-
 3 files changed, 19 insertions(+), 8 deletions(-)

diff --git a/afl_transforms/tools/zax/critical_edge_breaker.cpp b/afl_transforms/tools/zax/critical_edge_breaker.cpp
index 713f30f..0f40b00 100644
--- a/afl_transforms/tools/zax/critical_edge_breaker.cpp
+++ b/afl_transforms/tools/zax/critical_edge_breaker.cpp
@@ -29,8 +29,9 @@ using namespace std;
 using namespace IRDB_SDK;
 using namespace Zafl;
 
-CriticalEdgeBreaker_t::CriticalEdgeBreaker_t(IRDB_SDK::FileIR_t *p_IR, const bool p_verbose) :
+CriticalEdgeBreaker_t::CriticalEdgeBreaker_t(IRDB_SDK::FileIR_t *p_IR, set<string> p_blacklist, const bool p_verbose) :
 	m_IR(p_IR),
+	m_blacklist(p_blacklist),
 	m_verbose(p_verbose),
 	m_extra_nodes(0)
 {
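Review bot: The new `p_blacklist` parameter is taken by value and then copied a second time into the member on the `m_blacklist(p_blacklist),` line; since `m_blacklist` is a `const set<string>`, initializing it with `m_blacklist(std::move(p_blacklist)),` removes that copy while keeping the by-value signature. Alternatively the parameter can become `const set<string>& p_blacklist`, which also avoids the copy of the caller's set at the construction site in zax_base.cpp; the declaration in critical_edge_breaker.hpp would change to match in either case. The constructor body continues outside the hunk.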
@@ -45,9 +46,18 @@ unsigned CriticalEdgeBreaker_t::getNumberExtraNodes() const
 // iterate over each function and break critical edges
 void CriticalEdgeBreaker_t::breakCriticalEdges()
 {
+	auto is_blacklisted = [this](const Function_t* f) -> bool
+		{
+		  const auto fname = f->getName();
+		  return (fname[0] == '.' || fname.find("@plt") != string::npos || m_blacklist.find(fname)!=m_blacklist.end());
+		};
+
 	for ( auto &f : m_IR->getFunctions() )
 	{
-		if (f && f->getEntryPoint())
+		if (!f) continue;
+		if (is_blacklisted(f)) continue;
+
+		if (f->getEntryPoint())
 			m_extra_nodes += breakCriticalEdges(f);
 	}
 }
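Review bot: `const auto fname = f->getName();` in the new `is_blacklisted` lambda copies the name for every function visited if `getName()` returns a reference; `const auto& fname = f->getName();` binds without a copy whether the accessor returns by value or by reference. The lambda also introduces two name-based exclusions (`.`-prefixed names and names containing `@plt`) that the commit message does not mention and that are unrelated to the crash fix, so a comment such as `// skip synthetic and PLT stub functions plus user-blacklisted names: they are never instrumented` would record the intent for the next reader. Assuming `getName()` returns a `std::string`, `fname[0]` on an empty name is well-defined (it yields the null terminator), but `!fname.empty() && fname[0] == '.'` states that boundary explicitly instead of relying on the reader knowing it.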
@@ -114,10 +124,10 @@ unsigned CriticalEdgeBreaker_t::breakCriticalEdges(Function_t* p_func)
 
 	if (m_verbose)
 	{
+		m_IR->assembleRegistry();
 		cout << "Number critical edge instrumented: " << num_critical_edges_instrumented << endl;
 		auto post_cfgp = ControlFlowGraph_t::factory(p_func);
 		auto &post_cfg = *post_cfgp;
-		m_IR->assembleRegistry();
 		cout << "Post CFG: " << endl;
 		cout << post_cfg << endl;
 	}
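Review bot: `m_IR->assembleRegistry()` is moved ahead of `ControlFlowGraph_t::factory(p_func)`, but it still sits inside `if (m_verbose)`, so when verbose output is off the IR is left un-assembled after the critical edges have been broken; if anything later builds a CFG on this function before another assembleRegistry() runs, it would meet the same crash the commit fixes, given the commit message's statement that CFG construction requires correct assembly. Hoisting `m_IR->assembleRegistry();` to the line just before `if (m_verbose)` makes the invariant hold on both paths, and a comment `// CFG construction requires up-to-date assembly after the IR edits above` explains why the call is there. Whether a downstream CFG build actually happens on the non-verbose path is not visible from this hunk; breakCriticalEdges(Function_t*) begins and ends outside it.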
diff --git a/afl_transforms/tools/zax/critical_edge_breaker.hpp b/afl_transforms/tools/zax/critical_edge_breaker.hpp
index 93bc162..6871552 100644
--- a/afl_transforms/tools/zax/critical_edge_breaker.hpp
+++ b/afl_transforms/tools/zax/critical_edge_breaker.hpp
@@ -13,7 +13,7 @@ namespace Zafl
 	class CriticalEdgeBreaker_t
 	{
 		public:
-			CriticalEdgeBreaker_t(FileIR_t *p_variantIR, const bool p_verbose=false);
+			CriticalEdgeBreaker_t(FileIR_t *p_variantIR, set<string> p_blacklist, const bool p_verbose=false);
 			unsigned getNumberExtraNodes() const;
 
 		protected:
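Review bot: The new declaration `CriticalEdgeBreaker_t(FileIR_t *p_variantIR, set<string> p_blacklist, const bool p_verbose=false);` uses `set<string>` unqualified in a header, which only resolves if the header or an earlier include brings `std::set` and `std::string` into scope at namespace level — presumably a `using namespace std` visible to every translation unit that includes this header; `std::set<std::string>` keeps the header self-contained. If the constructor definition in critical_edge_breaker.cpp is not changed to move from its value parameter, `const std::set<std::string>& p_blacklist` is the cheaper signature, with the call in zax_base.cpp unaffected. The class body continues outside the hunk.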
@@ -23,9 +23,10 @@ namespace Zafl
 			unsigned breakCriticalEdges(Function_t*);
 
 		private:
-			FileIR_t*    m_IR;
-			const bool   m_verbose;
-			unsigned     m_extra_nodes;
+			FileIR_t*          m_IR;
+			const set<string>  m_blacklist;       
+			const bool         m_verbose;
+			unsigned           m_extra_nodes;
 	};
 } 
 
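Review bot: The added `const set<string>  m_blacklist;` line carries trailing whitespace after the semicolon, which the rest of the realigned member block does not; drop it so the block stays consistent. The new member order m_IR, m_blacklist, m_verbose, m_extra_nodes matches the constructor's initializer order in critical_edge_breaker.cpp, so the reordering introduces no initialization-order warning.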
diff --git a/afl_transforms/tools/zax/zax_base.cpp b/afl_transforms/tools/zax/zax_base.cpp
index bb723c6..9d297e5 100644
--- a/afl_transforms/tools/zax/zax_base.cpp
+++ b/afl_transforms/tools/zax/zax_base.cpp
@@ -1065,7 +1065,7 @@ int ZaxBase_t::execute()
 {
 	if (m_breakupCriticalEdges)
 	{
-		CriticalEdgeBreaker_t ceb(getFileIR(), m_verbose);
+		CriticalEdgeBreaker_t ceb(getFileIR(), m_blacklist, m_verbose);
 		cout << "#ATTRIBUTE num_bb_extra_blocks=" << ceb.getNumberExtraNodes() << endl;
 
 		getFileIR()->setBaseIDS();
-- 
GitLab