aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorvan Hauser <vh@thc.org>2020-11-01 21:34:08 +0100
committervan Hauser <vh@thc.org>2020-11-01 21:34:08 +0100
commit0fd98ae8b070b05a72b2c47a76f4ea145f9d51c2 (patch)
tree67b81c3ebc89ee3745edba2acd436908e3ca9b78
parenta0c0cf97129cc42b98c3ac65aeb9c2ca81db899f (diff)
downloadafl++-0fd98ae8b070b05a72b2c47a76f4ea145f9d51c2.tar.gz
added mutation introspection make target
Diffstat
-rw-r--r--GNUmakefile6
-rw-r--r--README.md1
-rw-r--r--docs/Changelog.md2
-rw-r--r--include/afl-fuzz.h6
-rw-r--r--include/alloc-inl.h36
-rw-r--r--instrumentation/SanitizerCoveragePCGUARD.so.cc14
-rw-r--r--src/afl-fuzz-bitmap.c11
-rw-r--r--src/afl-fuzz-extras.c16
-rw-r--r--src/afl-fuzz-one.c503
-rw-r--r--src/afl-fuzz.c17
10 files changed, 592 insertions, 20 deletions
diff --git a/GNUmakefile b/GNUmakefile
index c8d155e4..764c9baa 100644
--- a/GNUmakefile
+++ b/GNUmakefile
@@ -110,6 +110,11 @@ ifdef PROFILING
LDFLAGS += -pg
endif
+ifdef INTROSPECTION
+ $(info Compiling with introspection documentation)
+ CFLAGS_OPT += -DINTROSPECTION=1
+endif
+
ifneq "$(shell uname -m)" "x86_64"
ifneq "$(patsubst i%86,i386,$(shell uname -m))" "i386"
ifneq "$(shell uname -m)" "amd64"
@@ -348,6 +353,7 @@ help:
@echo ASAN_BUILD - compiles with memory sanitizer for debug purposes
@echo DEBUG - no optimization, -ggdb3, all warnings and -Werror
@echo PROFILING - compile afl-fuzz with profiling information
+ @echo INTROSPECTION - compile afl-fuzz with mutation introspection
@echo NO_PYTHON - disable python support
@echo NO_SPLICING - disables splicing mutation in afl-fuzz, not recommended for normal fuzzing
@echo AFL_NO_X86 - if compiling on non-intel/amd platforms
diff --git a/README.md b/README.md
index 7c3b6ecf..d954a236 100644
--- a/README.md
+++ b/README.md
@@ -211,6 +211,7 @@ These build options exist:
* ASAN_BUILD - compiles with memory sanitizer for debug purposes
* DEBUG - no optimization, -ggdb3, all warnings and -Werror
* PROFILING - compile with profiling information (gprof)
+* INTROSPECTION - compile afl-fuzz with mutation introspection
* NO_PYTHON - disable python support
* NO_SPLICING - disables splicing mutation in afl-fuzz, not recommended for normal fuzzing
* AFL_NO_X86 - if compiling on non-intel/amd platforms
diff --git a/docs/Changelog.md b/docs/Changelog.md
index 798a056f..f11a1178 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -35,6 +35,8 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
skipped. They are used for splicing though.
- set the default power schedule to the superiour "seek" schedule
- added NO_SPLICING compile option and makefile define
+ - added INTROSPECTION make target that writes all mutations to
+ out/NAME/introspection.txt
- print special compile time options used in help output
- instrumentation
- We received an enhanced gcc_plugin module from AdaCore, thank you
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index 85b31795..5ff7672b 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -717,6 +717,12 @@ typedef struct afl_state {
* is too large) */
struct queue_entry **q_testcase_cache;
+#ifdef INTROSPECTION
+ char mutation[8072];
+ char m_tmp[4096];
+ FILE *introspection_file;
+#endif
+
} afl_state_t;
struct custom_mutator {
diff --git a/include/alloc-inl.h b/include/alloc-inl.h
index 36e47810..d7aa51a7 100644
--- a/include/alloc-inl.h
+++ b/include/alloc-inl.h
@@ -708,6 +708,42 @@ static inline void *afl_realloc(void **buf, size_t size_needed) {
}
+/* afl_realloc_exact uses afl alloc buffers but sets it to a specific size */
+
+static inline void *afl_realloc_exact(void **buf, size_t size_needed) {
+
+ struct afl_alloc_buf *new_buf = NULL;
+
+ size_t current_size = 0;
+
+ if (likely(*buf)) {
+
+ /* the size is always stored at buf - 1*size_t */
+ new_buf = (struct afl_alloc_buf *)afl_alloc_bufptr(*buf);
+ current_size = new_buf->complete_size;
+
+ }
+
+ size_needed += AFL_ALLOC_SIZE_OFFSET;
+
+ /* No need to realloc */
+ if (unlikely(current_size == size_needed)) { return *buf; }
+
+ /* alloc */
+ new_buf = (struct afl_alloc_buf *)realloc(new_buf, size_needed);
+ if (unlikely(!new_buf)) {
+
+ *buf = NULL;
+ return NULL;
+
+ }
+
+ new_buf->complete_size = size_needed;
+ *buf = (void *)(new_buf->buf);
+ return *buf;
+
+}
+
static inline void afl_free(void *buf) {
if (buf) { free(afl_alloc_bufptr(buf)); }
diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc
index 97e8d32b..2f87e4f9 100644
--- a/instrumentation/SanitizerCoveragePCGUARD.so.cc
+++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc
@@ -247,13 +247,13 @@ SanitizerCoverageOptions OverrideFromCL(SanitizerCoverageOptions Options) {
Options.CoverageType =
SanitizerCoverageOptions::SCK_Edge; // std::max(Options.CoverageType,
// CLOpts.CoverageType);
- Options.IndirectCalls = true; // CLOpts.IndirectCalls;
- Options.TraceCmp = false; //|= ClCMPTracing;
- Options.TraceDiv = false; //|= ClDIVTracing;
- Options.TraceGep = false; //|= ClGEPTracing;
- Options.TracePC = false; //|= ClTracePC;
- Options.TracePCGuard = true; // |= ClTracePCGuard;
- Options.Inline8bitCounters = 0; //|= ClInline8bitCounters;
+ Options.IndirectCalls = true; // CLOpts.IndirectCalls;
+ Options.TraceCmp = false; //|= ClCMPTracing;
+ Options.TraceDiv = false; //|= ClDIVTracing;
+ Options.TraceGep = false; //|= ClGEPTracing;
+ Options.TracePC = false; //|= ClTracePC;
+ Options.TracePCGuard = true; // |= ClTracePCGuard;
+ Options.Inline8bitCounters = 0; //|= ClInline8bitCounters;
// Options.InlineBoolFlag = 0; //|= ClInlineBoolFlag;
Options.PCTable = false; //|= ClCreatePCTable;
Options.NoPrune = false; //|= !ClPruneBlocks;
diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c
index 2653b9fd..735420c3 100644
--- a/src/afl-fuzz-bitmap.c
+++ b/src/afl-fuzz-bitmap.c
@@ -587,6 +587,11 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
add_to_queue(afl, queue_fn, len, 0);
+#ifdef INTROSPECTION
+ fprintf(afl->introspection_file, "QUEUE %s = %s\n", afl->mutation,
+ afl->queue_top->fname);
+#endif
+
if (hnb == 2) {
afl->queue_top->has_new_cov = 1;
@@ -659,6 +664,9 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
}
++afl->unique_tmouts;
+#ifdef INTROSPECTION
+ fprintf(afl->introspection_file, "UNIQUE_TIMEOUT %s\n", afl->mutation);
+#endif
/* Before saving, we make sure that it's a genuine hang by re-running
the target with a more generous timeout (unless the default timeout
@@ -742,6 +750,9 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
#endif /* ^!SIMPLE_FILES */
++afl->unique_crashes;
+#ifdef INTROSPECTION
+ fprintf(afl->introspection_file, "UNIQUE_CRASH %s\n", afl->mutation);
+#endif
if (unlikely(afl->infoexec)) {
// if the user wants to be informed on new crashes - do that
diff --git a/src/afl-fuzz-extras.c b/src/afl-fuzz-extras.c
index adec986e..171cce96 100644
--- a/src/afl-fuzz-extras.c
+++ b/src/afl-fuzz-extras.c
@@ -423,8 +423,8 @@ void dedup_extras(afl_state_t *afl) {
}
if (afl->extras_cnt != orig_cnt)
- afl->extras = ck_realloc((void **)&afl->extras,
- afl->extras_cnt * sizeof(struct extra_data));
+ afl->extras = afl_realloc_exact(
+ (void **)&afl->extras, afl->extras_cnt * sizeof(struct extra_data));
}
@@ -462,16 +462,8 @@ void add_extra(afl_state_t *afl, u8 *mem, u32 len) {
}
- if (afl->extras) {
-
- afl->extras = ck_realloc((void **)&afl->extras,
- (afl->extras_cnt + 1) * sizeof(struct extra_data));
-
- } else {
-
- afl->extras = ck_alloc((afl->extras_cnt + 1) * sizeof(struct extra_data));
-
- }
+ afl->extras = afl_realloc((void **)&afl->extras,
+ (afl->extras_cnt + 1) * sizeof(struct extra_data));
if (unlikely(!afl->extras)) { PFATAL("alloc"); }
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index 0f3393d2..5337b7f8 100644
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@@ -609,6 +609,11 @@ u8 fuzz_one_original(afl_state_t *afl) {
FLIP_BIT(out_buf, afl->stage_cur);
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation), "%s FLIP_BIT1 %u",
+ afl->queue_cur->fname, afl->stage_cur);
+#endif
+
if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
FLIP_BIT(out_buf, afl->stage_cur);
@@ -718,6 +723,11 @@ u8 fuzz_one_original(afl_state_t *afl) {
FLIP_BIT(out_buf, afl->stage_cur);
FLIP_BIT(out_buf, afl->stage_cur + 1);
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation), "%s FLIP_BIT2 %u",
+ afl->queue_cur->fname, afl->stage_cur);
+#endif
+
if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
FLIP_BIT(out_buf, afl->stage_cur);
@@ -747,6 +757,11 @@ u8 fuzz_one_original(afl_state_t *afl) {
FLIP_BIT(out_buf, afl->stage_cur + 2);
FLIP_BIT(out_buf, afl->stage_cur + 3);
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation), "%s FLIP_BIT4 %u",
+ afl->queue_cur->fname, afl->stage_cur);
+#endif
+
if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
FLIP_BIT(out_buf, afl->stage_cur);
@@ -802,6 +817,11 @@ u8 fuzz_one_original(afl_state_t *afl) {
out_buf[afl->stage_cur] ^= 0xFF;
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation), "%s FLIP_BIT8 %u",
+ afl->queue_cur->fname, afl->stage_cur);
+#endif
+
if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
/* We also use this stage to pull off a simple trick: we identify
@@ -889,6 +909,11 @@ u8 fuzz_one_original(afl_state_t *afl) {
*(u16 *)(out_buf + i) ^= 0xFFFF;
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation), "%s FLIP_BIT16 %u",
+ afl->queue_cur->fname, afl->stage_cur);
+#endif
+
if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
++afl->stage_cur;
@@ -927,6 +952,11 @@ u8 fuzz_one_original(afl_state_t *afl) {
*(u32 *)(out_buf + i) ^= 0xFFFFFFFF;
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation), "%s FLIP_BIT32 %u",
+ afl->queue_cur->fname, afl->stage_cur);
+#endif
+
if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
++afl->stage_cur;
@@ -985,6 +1015,11 @@ skip_bitflip:
afl->stage_cur_val = j;
out_buf[i] = orig + j;
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation), "%s ARITH8+ %u %u",
+ afl->queue_cur->fname, i, j);
+#endif
+
if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
++afl->stage_cur;
@@ -1001,6 +1036,11 @@ skip_bitflip:
afl->stage_cur_val = -j;
out_buf[i] = orig - j;
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation), "%s ARITH8- %u %u",
+ afl->queue_cur->fname, i, j);
+#endif
+
if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
++afl->stage_cur;
@@ -1065,6 +1105,11 @@ skip_bitflip:
afl->stage_cur_val = j;
*(u16 *)(out_buf + i) = orig + j;
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation), "%s ARITH16+ %u %u",
+ afl->queue_cur->fname, i, j);
+#endif
+
if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
++afl->stage_cur;
@@ -1079,6 +1124,11 @@ skip_bitflip:
afl->stage_cur_val = -j;
*(u16 *)(out_buf + i) = orig - j;
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation), "%s ARITH16- %u %u",
+ afl->queue_cur->fname, i, j);
+#endif
+
if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
++afl->stage_cur;
@@ -1097,6 +1147,11 @@ skip_bitflip:
afl->stage_cur_val = j;
*(u16 *)(out_buf + i) = SWAP16(SWAP16(orig) + j);
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation), "%s ARITH16+BE %u %u",
+ afl->queue_cur->fname, i, j);
+#endif
+
if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
++afl->stage_cur;
@@ -1111,6 +1166,11 @@ skip_bitflip:
afl->stage_cur_val = -j;
*(u16 *)(out_buf + i) = SWAP16(SWAP16(orig) - j);
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation), "%s ARITH16-BE %u %u",
+ afl->queue_cur->fname, i, j);
+#endif
+
if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
++afl->stage_cur;
@@ -1174,6 +1234,11 @@ skip_bitflip:
afl->stage_cur_val = j;
*(u32 *)(out_buf + i) = orig + j;
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation), "%s ARITH32+ %u %u",
+ afl->queue_cur->fname, i, j);
+#endif
+
if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
++afl->stage_cur;
@@ -1188,6 +1253,11 @@ skip_bitflip:
afl->stage_cur_val = -j;
*(u32 *)(out_buf + i) = orig - j;
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation), "%s ARITH32- %u %u",
+ afl->queue_cur->fname, i, j);
+#endif
+
if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
++afl->stage_cur;
@@ -1206,6 +1276,11 @@ skip_bitflip:
afl->stage_cur_val = j;
*(u32 *)(out_buf + i) = SWAP32(SWAP32(orig) + j);
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation), "%s ARITH32+BE %u %u",
+ afl->queue_cur->fname, i, j);
+#endif
+
if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
++afl->stage_cur;
@@ -1220,6 +1295,11 @@ skip_bitflip:
afl->stage_cur_val = -j;
*(u32 *)(out_buf + i) = SWAP32(SWAP32(orig) - j);
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation), "%s ARITH32-BE %u %u",
+ afl->queue_cur->fname, i, j);
+#endif
+
if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
++afl->stage_cur;
@@ -1287,6 +1367,11 @@ skip_arith:
afl->stage_cur_val = interesting_8[j];
out_buf[i] = interesting_8[j];
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation), "%s INTERESTING8 %u %u",
+ afl->queue_cur->fname, i, j);
+#endif
+
if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
out_buf[i] = orig;
@@ -1342,6 +1427,11 @@ skip_arith:
*(u16 *)(out_buf + i) = interesting_16[j];
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation), "%s INTERESTING16 %u %u",
+ afl->queue_cur->fname, i, j);
+#endif
+
if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
++afl->stage_cur;
@@ -1358,6 +1448,11 @@ skip_arith:
afl->stage_val_type = STAGE_VAL_BE;
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation),
+ "%s INTERESTING16BE %u %u", afl->queue_cur->fname, i, j);
+#endif
+
*(u16 *)(out_buf + i) = SWAP16(interesting_16[j]);
if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
++afl->stage_cur;
@@ -1421,6 +1516,11 @@ skip_arith:
*(u32 *)(out_buf + i) = interesting_32[j];
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation), "%s INTERESTING32 %u %u",
+ afl->queue_cur->fname, i, j);
+#endif
+
if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
++afl->stage_cur;
@@ -1437,6 +1537,11 @@ skip_arith:
afl->stage_val_type = STAGE_VAL_BE;
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation),
+ "%s INTERESTING32BE %u %u", afl->queue_cur->fname, i, j);
+#endif
+
*(u32 *)(out_buf + i) = SWAP32(interesting_32[j]);
if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
++afl->stage_cur;
@@ -1510,6 +1615,12 @@ skip_interest:
last_len = afl->extras[j].len;
memcpy(out_buf + i, afl->extras[j].data, last_len);
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation),
+ "%s EXTRAS overwrite %u %u:%s", afl->queue_cur->fname, i, j,
+ afl->extras[j].data);
+#endif
+
if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
++afl->stage_cur;
@@ -1557,6 +1668,12 @@ skip_interest:
/* Copy tail */
memcpy(ex_tmp + i + afl->extras[j].len, out_buf + i, len - i);
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation),
+ "%s EXTRAS insert %u %u:%s", afl->queue_cur->fname, i, j,
+ afl->extras[j].data);
+#endif
+
if (common_fuzz_stuff(afl, ex_tmp, len + afl->extras[j].len)) {
goto abandon_entry;
@@ -1614,6 +1731,12 @@ skip_user_extras:
last_len = afl->a_extras[j].len;
memcpy(out_buf + i, afl->a_extras[j].data, last_len);
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation),
+ "%s AUTO_EXTRAS overwrite %u %u:%s", afl->queue_cur->fname, i, j,
+ afl->a_extras[j].data);
+#endif
+
if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
++afl->stage_cur;
@@ -1675,7 +1798,7 @@ custom_mutator_stage:
for (afl->stage_cur = 0; afl->stage_cur < afl->stage_max;
++afl->stage_cur) {
- struct queue_entry *target;
+ struct queue_entry *target = NULL;
u32 tid;
u8 * new_buf = NULL;
u32 target_len = 0;
@@ -1717,6 +1840,12 @@ custom_mutator_stage:
if (mutated_size > 0) {
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation), "%s CUSTOM %s",
+ afl->queue_cur->fname,
+ target != NULL ? (char *)target->fname : "none");
+#endif
+
if (common_fuzz_stuff(afl, mutated_buf, (u32)mutated_size)) {
goto abandon_entry;
@@ -1866,6 +1995,11 @@ havoc_stage:
afl->stage_cur_val = use_stacking;
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation), "%s HAVOC %u",
+ afl->queue_cur->fname, use_stacking);
+#endif
+
for (i = 0; i < use_stacking; ++i) {
if (afl->custom_mutators_count) {
@@ -1909,6 +2043,10 @@ havoc_stage:
/* Flip a single bit somewhere. Spooky! */
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp), " FLIP_BIT1");
+ strcat(afl->mutation, afl->m_tmp);
+#endif
FLIP_BIT(out_buf, rand_below(afl, temp_len << 3));
break;
@@ -1916,6 +2054,10 @@ havoc_stage:
/* Set byte to interesting value. */
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp), " INTERESTING8");
+ strcat(afl->mutation, afl->m_tmp);
+#endif
out_buf[rand_below(afl, temp_len)] =
interesting_8[rand_below(afl, sizeof(interesting_8))];
break;
@@ -1928,11 +2070,19 @@ havoc_stage:
if (rand_below(afl, 2)) {
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp), " INTERESTING16");
+ strcat(afl->mutation, afl->m_tmp);
+#endif
*(u16 *)(out_buf + rand_below(afl, temp_len - 1)) =
interesting_16[rand_below(afl, sizeof(interesting_16) >> 1)];
} else {
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp), " INTERESTING16BE");
+ strcat(afl->mutation, afl->m_tmp);
+#endif
*(u16 *)(out_buf + rand_below(afl, temp_len - 1)) = SWAP16(
interesting_16[rand_below(afl, sizeof(interesting_16) >> 1)]);
@@ -1948,11 +2098,19 @@ havoc_stage:
if (rand_below(afl, 2)) {
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp), " INTERESTING32");
+ strcat(afl->mutation, afl->m_tmp);
+#endif
*(u32 *)(out_buf + rand_below(afl, temp_len - 3)) =
interesting_32[rand_below(afl, sizeof(interesting_32) >> 2)];
} else {
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp), " INTERESTING32BE");
+ strcat(afl->mutation, afl->m_tmp);
+#endif
*(u32 *)(out_buf + rand_below(afl, temp_len - 3)) = SWAP32(
interesting_32[rand_below(afl, sizeof(interesting_32) >> 2)]);
@@ -1964,6 +2122,10 @@ havoc_stage:
/* Randomly subtract from byte. */
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp), " ARITH8-");
+ strcat(afl->mutation, afl->m_tmp);
+#endif
out_buf[rand_below(afl, temp_len)] -= 1 + rand_below(afl, ARITH_MAX);
break;
@@ -1971,6 +2133,10 @@ havoc_stage:
/* Randomly add to byte. */
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp), " ARITH8+");
+ strcat(afl->mutation, afl->m_tmp);
+#endif
out_buf[rand_below(afl, temp_len)] += 1 + rand_below(afl, ARITH_MAX);
break;
@@ -1984,6 +2150,10 @@ havoc_stage:
u32 pos = rand_below(afl, temp_len - 1);
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp), " ARITH16-_%u", pos);
+ strcat(afl->mutation, afl->m_tmp);
+#endif
*(u16 *)(out_buf + pos) -= 1 + rand_below(afl, ARITH_MAX);
} else {
@@ -1991,6 +2161,11 @@ havoc_stage:
u32 pos = rand_below(afl, temp_len - 1);
u16 num = 1 + rand_below(afl, ARITH_MAX);
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp), " ARITH16-BE_%u_%u", pos,
+ num);
+ strcat(afl->mutation, afl->m_tmp);
+#endif
*(u16 *)(out_buf + pos) =
SWAP16(SWAP16(*(u16 *)(out_buf + pos)) - num);
@@ -2008,6 +2183,10 @@ havoc_stage:
u32 pos = rand_below(afl, temp_len - 1);
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp), " ARITH16+_%u", pos);
+ strcat(afl->mutation, afl->m_tmp);
+#endif
*(u16 *)(out_buf + pos) += 1 + rand_below(afl, ARITH_MAX);
} else {
@@ -2015,6 +2194,11 @@ havoc_stage:
u32 pos = rand_below(afl, temp_len - 1);
u16 num = 1 + rand_below(afl, ARITH_MAX);
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp), " ARITH16+BE_%u_%u", pos,
+ num);
+ strcat(afl->mutation, afl->m_tmp);
+#endif
*(u16 *)(out_buf + pos) =
SWAP16(SWAP16(*(u16 *)(out_buf + pos)) + num);
@@ -2032,6 +2216,10 @@ havoc_stage:
u32 pos = rand_below(afl, temp_len - 3);
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp), " ARITH32-_%u", pos);
+ strcat(afl->mutation, afl->m_tmp);
+#endif
*(u32 *)(out_buf + pos) -= 1 + rand_below(afl, ARITH_MAX);
} else {
@@ -2039,6 +2227,11 @@ havoc_stage:
u32 pos = rand_below(afl, temp_len - 3);
u32 num = 1 + rand_below(afl, ARITH_MAX);
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp), " ARITH32-BE_%u_%u", pos,
+ num);
+ strcat(afl->mutation, afl->m_tmp);
+#endif
*(u32 *)(out_buf + pos) =
SWAP32(SWAP32(*(u32 *)(out_buf + pos)) - num);
@@ -2056,6 +2249,10 @@ havoc_stage:
u32 pos = rand_below(afl, temp_len - 3);
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp), " ARITH32+_%u", pos);
+ strcat(afl->mutation, afl->m_tmp);
+#endif
*(u32 *)(out_buf + pos) += 1 + rand_below(afl, ARITH_MAX);
} else {
@@ -2063,6 +2260,11 @@ havoc_stage:
u32 pos = rand_below(afl, temp_len - 3);
u32 num = 1 + rand_below(afl, ARITH_MAX);
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp), " ARITH32+BE_%u_%u", pos,
+ num);
+ strcat(afl->mutation, afl->m_tmp);
+#endif
*(u32 *)(out_buf + pos) =
SWAP32(SWAP32(*(u32 *)(out_buf + pos)) + num);
@@ -2076,6 +2278,10 @@ havoc_stage:
why not. We use XOR with 1-255 to eliminate the
possibility of a no-op. */
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp), " RAND8");
+ strcat(afl->mutation, afl->m_tmp);
+#endif
out_buf[rand_below(afl, temp_len)] ^= 1 + rand_below(afl, 255);
break;
@@ -2095,6 +2301,11 @@ havoc_stage:
del_from = rand_below(afl, temp_len - del_len + 1);
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp), " DEL_%u_%u", del_from,
+ del_len);
+ strcat(afl->mutation, afl->m_tmp);
+#endif
memmove(out_buf + del_from, out_buf + del_from + del_len,
temp_len - del_from - del_len);
@@ -2128,6 +2339,12 @@ havoc_stage:
clone_to = rand_below(afl, temp_len);
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp), " CLONE_%s_%u_%u_%u",
+ actually_clone ? "clone" : "insert", clone_from, clone_to,
+ clone_len);
+ strcat(afl->mutation, afl->m_tmp);
+#endif
new_buf =
afl_realloc(AFL_BUF_PARAM(out_scratch), temp_len + clone_len);
if (unlikely(!new_buf)) { PFATAL("alloc"); }
@@ -2181,12 +2398,23 @@ havoc_stage:
if (copy_from != copy_to) {
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp),
+ " OVERWRITE_COPY_%u_%u_%u", copy_from, copy_to,
+ copy_len);
+ strcat(afl->mutation, afl->m_tmp);
+#endif
memmove(out_buf + copy_to, out_buf + copy_from, copy_len);
}
} else {
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp),
+ " OVERWRITE_FIXED_%u_%u_%u", copy_from, copy_to, copy_len);
+ strcat(afl->mutation, afl->m_tmp);
+#endif
memset(out_buf + copy_to,
rand_below(afl, 2) ? rand_below(afl, 256)
: out_buf[rand_below(afl, temp_len)],
@@ -2222,6 +2450,12 @@ havoc_stage:
if ((s32)extra_len > temp_len) { break; }
insert_at = rand_below(afl, temp_len - extra_len + 1);
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp),
+ " AUTO_EXTRA_OVERWRITE_%u_%u_%s", insert_at, extra_len,
+ afl->a_extras[use_extra].data);
+ strcat(afl->mutation, afl->m_tmp);
+#endif
memcpy(out_buf + insert_at, afl->a_extras[use_extra].data,
extra_len);
@@ -2236,6 +2470,12 @@ havoc_stage:
if ((s32)extra_len > temp_len) { break; }
insert_at = rand_below(afl, temp_len - extra_len + 1);
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp),
+ " EXTRA_OVERWRITE_%u_%u_%s", insert_at, extra_len,
+ afl->a_extras[use_extra].data);
+ strcat(afl->mutation, afl->m_tmp);
+#endif
memcpy(out_buf + insert_at, afl->extras[use_extra].data,
extra_len);
@@ -2258,12 +2498,23 @@ havoc_stage:
use_extra = rand_below(afl, afl->a_extras_cnt);
extra_len = afl->a_extras[use_extra].len;
ptr = afl->a_extras[use_extra].data;
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp),
+ " AUTO_EXTRA_INSERT_%u_%u_%s", insert_at, extra_len,
+ ptr);
+ strcat(afl->mutation, afl->m_tmp);
+#endif
} else {
use_extra = rand_below(afl, afl->extras_cnt);
extra_len = afl->extras[use_extra].len;
ptr = afl->extras[use_extra].data;
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp),
+ " EXTRA_INSERT_%u_%u_%s", insert_at, extra_len, ptr);
+ strcat(afl->mutation, afl->m_tmp);
+#endif
}
@@ -2324,6 +2575,12 @@ havoc_stage:
copy_from = rand_below(afl, new_len - copy_len + 1);
copy_to = rand_below(afl, temp_len - copy_len + 1);
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp),
+ " SPLICE_OVERWRITE_%u_%u_%u_%s", copy_from, copy_to,
+ copy_len, target->fname);
+ strcat(afl->mutation, afl->m_tmp);
+#endif
memmove(out_buf + copy_to, new_buf + copy_from, copy_len);
} else {
@@ -2340,6 +2597,12 @@ havoc_stage:
temp_len + clone_len + 1);
if (unlikely(!temp_buf)) { PFATAL("alloc"); }
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp),
+ " SPLICE_INSERT_%u_%u_%u_%s", clone_from, clone_to,
+ clone_len, target->fname);
+ strcat(afl->mutation, afl->m_tmp);
+#endif
/* Head */
memcpy(temp_buf, out_buf, clone_to);
@@ -2755,6 +3018,10 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
FLIP_BIT(out_buf, afl->stage_cur);
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation), "%s MOPT_FLIP_BIT1 %u",
+ afl->queue_cur->fname, afl->stage_cur);
+#endif
if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
FLIP_BIT(out_buf, afl->stage_cur);
@@ -2864,6 +3131,10 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
FLIP_BIT(out_buf, afl->stage_cur);
FLIP_BIT(out_buf, afl->stage_cur + 1);
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation), "%s MOPT_FLIP_BIT2 %u",
+ afl->queue_cur->fname, afl->stage_cur);
+#endif
if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
FLIP_BIT(out_buf, afl->stage_cur);
@@ -2893,6 +3164,10 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
FLIP_BIT(out_buf, afl->stage_cur + 2);
FLIP_BIT(out_buf, afl->stage_cur + 3);
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation), "%s MOPT_FLIP_BIT4 %u",
+ afl->queue_cur->fname, afl->stage_cur);
+#endif
if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
FLIP_BIT(out_buf, afl->stage_cur);
@@ -2948,6 +3223,10 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
out_buf[afl->stage_cur] ^= 0xFF;
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation), "%s MOPT_FLIP_BIT8 %u",
+ afl->queue_cur->fname, afl->stage_cur);
+#endif
if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
/* We also use this stage to pull off a simple trick: we identify
@@ -3035,6 +3314,10 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
*(u16 *)(out_buf + i) ^= 0xFFFF;
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation), "%s MOPT_FLIP_BIT16 %u",
+ afl->queue_cur->fname, afl->stage_cur);
+#endif
if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
++afl->stage_cur;
@@ -3073,6 +3356,10 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
*(u32 *)(out_buf + i) ^= 0xFFFFFFFF;
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation), "%s MOPT_FLIP_BIT32 %u",
+ afl->queue_cur->fname, afl->stage_cur);
+#endif
if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
++afl->stage_cur;
@@ -3131,6 +3418,10 @@ skip_bitflip:
afl->stage_cur_val = j;
out_buf[i] = orig + j;
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation), "%s MOPT_ARITH8+ %u %u",
+ afl->queue_cur->fname, i, j);
+#endif
if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
++afl->stage_cur;
@@ -3147,6 +3438,10 @@ skip_bitflip:
afl->stage_cur_val = -j;
out_buf[i] = orig - j;
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation), "%s MOPT_ARITH8- %u %u",
+ afl->queue_cur->fname, i, j);
+#endif
if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
++afl->stage_cur;
@@ -3211,6 +3506,10 @@ skip_bitflip:
afl->stage_cur_val = j;
*(u16 *)(out_buf + i) = orig + j;
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation), "%s MOPT_ARITH16+ %u %u",
+ afl->queue_cur->fname, i, j);
+#endif
if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
++afl->stage_cur;
@@ -3225,6 +3524,10 @@ skip_bitflip:
afl->stage_cur_val = -j;
*(u16 *)(out_buf + i) = orig - j;
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation), "%s MOPT_ARITH16- %u %u",
+ afl->queue_cur->fname, i, j);
+#endif
if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
++afl->stage_cur;
@@ -3243,6 +3546,10 @@ skip_bitflip:
afl->stage_cur_val = j;
*(u16 *)(out_buf + i) = SWAP16(SWAP16(orig) + j);
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation),
+ "%s MOPT_ARITH16+BE %u %u", afl->queue_cur->fname, i, j);
+#endif
if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
++afl->stage_cur;
@@ -3257,6 +3564,10 @@ skip_bitflip:
afl->stage_cur_val = -j;
*(u16 *)(out_buf + i) = SWAP16(SWAP16(orig) - j);
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation),
+ "%s MOPT_ARITH16-BE %u %u", afl->queue_cur->fname, i, j);
+#endif
if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
++afl->stage_cur;
@@ -3320,6 +3631,10 @@ skip_bitflip:
afl->stage_cur_val = j;
*(u32 *)(out_buf + i) = orig + j;
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation), "%s MOPT_ARITH32+ %u %u",
+ afl->queue_cur->fname, i, j);
+#endif
if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
++afl->stage_cur;
@@ -3334,6 +3649,10 @@ skip_bitflip:
afl->stage_cur_val = -j;
*(u32 *)(out_buf + i) = orig - j;
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation), "%s MOPT_ARITH32- %u %u",
+ afl->queue_cur->fname, i, j);
+#endif
if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
++afl->stage_cur;
@@ -3352,6 +3671,10 @@ skip_bitflip:
afl->stage_cur_val = j;
*(u32 *)(out_buf + i) = SWAP32(SWAP32(orig) + j);
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation),
+ "%s MOPT_ARITH32+BE %u %u", afl->queue_cur->fname, i, j);
+#endif
if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
++afl->stage_cur;
@@ -3366,6 +3689,10 @@ skip_bitflip:
afl->stage_cur_val = -j;
*(u32 *)(out_buf + i) = SWAP32(SWAP32(orig) - j);
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation),
+ "%s MOPT_ARITH32-BE %u %u", afl->queue_cur->fname, i, j);
+#endif
if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
++afl->stage_cur;
@@ -3433,6 +3760,10 @@ skip_arith:
afl->stage_cur_val = interesting_8[j];
out_buf[i] = interesting_8[j];
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation),
+ "%s MOPT_INTERESTING8 %u %u", afl->queue_cur->fname, i, j);
+#endif
if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
out_buf[i] = orig;
@@ -3488,6 +3819,10 @@ skip_arith:
*(u16 *)(out_buf + i) = interesting_16[j];
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation),
+ "%s MOPT_INTERESTING16 %u %u", afl->queue_cur->fname, i, j);
+#endif
if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
++afl->stage_cur;
@@ -3504,6 +3839,10 @@ skip_arith:
afl->stage_val_type = STAGE_VAL_BE;
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation),
+ "%s MOPT_INTERESTING16BE %u %u", afl->queue_cur->fname, i, j);
+#endif
*(u16 *)(out_buf + i) = SWAP16(interesting_16[j]);
if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
++afl->stage_cur;
@@ -3567,6 +3906,10 @@ skip_arith:
*(u32 *)(out_buf + i) = interesting_32[j];
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation),
+ "%s MOPT_INTERESTING32 %u %u", afl->queue_cur->fname, i, j);
+#endif
if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
++afl->stage_cur;
@@ -3583,6 +3926,10 @@ skip_arith:
afl->stage_val_type = STAGE_VAL_BE;
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation),
+ "%s MOPT_INTERESTING32BE %u %u", afl->queue_cur->fname, i, j);
+#endif
*(u32 *)(out_buf + i) = SWAP32(interesting_32[j]);
if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
++afl->stage_cur;
@@ -3656,6 +4003,11 @@ skip_interest:
last_len = afl->extras[j].len;
memcpy(out_buf + i, afl->extras[j].data, last_len);
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation),
+ "%s MOPT_EXTRAS overwrite %u %u:%s", afl->queue_cur->fname, i, j,
+ afl->extras[j].data);
+#endif
if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
++afl->stage_cur;
@@ -3703,6 +4055,11 @@ skip_interest:
/* Copy tail */
memcpy(ex_tmp + i + afl->extras[j].len, out_buf + i, len - i);
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation),
+ "%s MOPT_EXTRAS insert %u %u:%s", afl->queue_cur->fname, i, j,
+ afl->extras[j].data);
+#endif
if (common_fuzz_stuff(afl, ex_tmp, len + afl->extras[j].len)) {
goto abandon_entry;
@@ -3759,6 +4116,11 @@ skip_user_extras:
last_len = afl->a_extras[j].len;
memcpy(out_buf + i, afl->a_extras[j].data, last_len);
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation),
+ "%s MOPT_AUTO_EXTRAS overwrite %u %u:%s", afl->queue_cur->fname,
+ i, j, afl->a_extras[j].data);
+#endif
if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
++afl->stage_cur;
@@ -3885,6 +4247,11 @@ pacemaker_fuzzing:
}
+#ifdef INTROSPECTION
+ snprintf(afl->mutation, sizeof(afl->mutation), "%s MOPT_HAVOC %u",
+ afl->queue_cur->fname, use_stacking);
+#endif
+
for (i = 0; i < use_stacking; ++i) {
switch (select_algorithm(afl)) {
@@ -3893,6 +4260,10 @@ pacemaker_fuzzing:
/* Flip a single bit somewhere. Spooky! */
FLIP_BIT(out_buf, rand_below(afl, temp_len << 3));
MOpt_globals.cycles_v2[STAGE_FLIP1] += 1;
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp), " FLIP_BIT1");
+ strcat(afl->mutation, afl->m_tmp);
+#endif
break;
case 1:
@@ -3901,6 +4272,10 @@ pacemaker_fuzzing:
FLIP_BIT(out_buf, temp_len_puppet);
FLIP_BIT(out_buf, temp_len_puppet + 1);
MOpt_globals.cycles_v2[STAGE_FLIP2] += 1;
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp), " FLIP_BIT2");
+ strcat(afl->mutation, afl->m_tmp);
+#endif
break;
case 2:
@@ -3911,24 +4286,40 @@ pacemaker_fuzzing:
FLIP_BIT(out_buf, temp_len_puppet + 2);
FLIP_BIT(out_buf, temp_len_puppet + 3);
MOpt_globals.cycles_v2[STAGE_FLIP4] += 1;
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp), " FLIP_BIT4");
+ strcat(afl->mutation, afl->m_tmp);
+#endif
break;
case 3:
if (temp_len < 4) { break; }
out_buf[rand_below(afl, temp_len)] ^= 0xFF;
MOpt_globals.cycles_v2[STAGE_FLIP8] += 1;
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp), " FLIP_BIT8");
+ strcat(afl->mutation, afl->m_tmp);
+#endif
break;
case 4:
if (temp_len < 8) { break; }
*(u16 *)(out_buf + rand_below(afl, temp_len - 1)) ^= 0xFFFF;
MOpt_globals.cycles_v2[STAGE_FLIP16] += 1;
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp), " FLIP_BIT16");
+ strcat(afl->mutation, afl->m_tmp);
+#endif
break;
case 5:
if (temp_len < 8) { break; }
*(u32 *)(out_buf + rand_below(afl, temp_len - 3)) ^= 0xFFFFFFFF;
MOpt_globals.cycles_v2[STAGE_FLIP32] += 1;
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp), " FLIP_BIT32");
+ strcat(afl->mutation, afl->m_tmp);
+#endif
break;
case 6:
@@ -3937,6 +4328,10 @@ pacemaker_fuzzing:
out_buf[rand_below(afl, temp_len)] +=
1 + rand_below(afl, ARITH_MAX);
MOpt_globals.cycles_v2[STAGE_ARITH8] += 1;
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp), " ARITH+-");
+ strcat(afl->mutation, afl->m_tmp);
+#endif
break;
case 7:
@@ -3946,11 +4341,20 @@ pacemaker_fuzzing:
u32 pos = rand_below(afl, temp_len - 1);
*(u16 *)(out_buf + pos) -= 1 + rand_below(afl, ARITH_MAX);
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp), " ARITH16-%u", pos);
+ strcat(afl->mutation, afl->m_tmp);
+#endif
} else {
u32 pos = rand_below(afl, temp_len - 1);
u16 num = 1 + rand_below(afl, ARITH_MAX);
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp), " ARITH16BE-%u-%u",
+ pos, num);
+ strcat(afl->mutation, afl->m_tmp);
+#endif
*(u16 *)(out_buf + pos) =
SWAP16(SWAP16(*(u16 *)(out_buf + pos)) - num);
@@ -3960,12 +4364,21 @@ pacemaker_fuzzing:
if (rand_below(afl, 2)) {
u32 pos = rand_below(afl, temp_len - 1);
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp), " ARITH16+%u", pos);
+ strcat(afl->mutation, afl->m_tmp);
+#endif
*(u16 *)(out_buf + pos) += 1 + rand_below(afl, ARITH_MAX);
} else {
u32 pos = rand_below(afl, temp_len - 1);
u16 num = 1 + rand_below(afl, ARITH_MAX);
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp), " ARITH16BE+%u-%u",
+ pos, num);
+ strcat(afl->mutation, afl->m_tmp);
+#endif
*(u16 *)(out_buf + pos) =
SWAP16(SWAP16(*(u16 *)(out_buf + pos)) + num);
@@ -3980,12 +4393,21 @@ pacemaker_fuzzing:
if (rand_below(afl, 2)) {
u32 pos = rand_below(afl, temp_len - 3);
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp), " ARITH32-%u", pos);
+ strcat(afl->mutation, afl->m_tmp);
+#endif
*(u32 *)(out_buf + pos) -= 1 + rand_below(afl, ARITH_MAX);
} else {
u32 pos = rand_below(afl, temp_len - 3);
u32 num = 1 + rand_below(afl, ARITH_MAX);
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp), " ARITH32BE-%u-%u",
+ pos, num);
+ strcat(afl->mutation, afl->m_tmp);
+#endif
*(u32 *)(out_buf + pos) =
SWAP32(SWAP32(*(u32 *)(out_buf + pos)) - num);
@@ -3996,12 +4418,21 @@ pacemaker_fuzzing:
if (rand_below(afl, 2)) {
u32 pos = rand_below(afl, temp_len - 3);
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp), " ARITH32+%u", pos);
+ strcat(afl->mutation, afl->m_tmp);
+#endif
*(u32 *)(out_buf + pos) += 1 + rand_below(afl, ARITH_MAX);
} else {
u32 pos = rand_below(afl, temp_len - 3);
u32 num = 1 + rand_below(afl, ARITH_MAX);
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp), " ARITH32BE+%u-%u",
+ pos, num);
+ strcat(afl->mutation, afl->m_tmp);
+#endif
*(u32 *)(out_buf + pos) =
SWAP32(SWAP32(*(u32 *)(out_buf + pos)) + num);
@@ -4016,6 +4447,10 @@ pacemaker_fuzzing:
out_buf[rand_below(afl, temp_len)] =
interesting_8[rand_below(afl, sizeof(interesting_8))];
MOpt_globals.cycles_v2[STAGE_INTEREST8] += 1;
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp), " INTERESTING8");
+ strcat(afl->mutation, afl->m_tmp);
+#endif
break;
case 10:
@@ -4023,12 +4458,20 @@ pacemaker_fuzzing:
if (temp_len < 8) { break; }
if (rand_below(afl, 2)) {
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp), " INTERESTING16");
+ strcat(afl->mutation, afl->m_tmp);
+#endif
*(u16 *)(out_buf + rand_below(afl, temp_len - 1)) =
interesting_16[rand_below(afl,
sizeof(interesting_16) >> 1)];
} else {
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp), " INTERESTING16BE");
+ strcat(afl->mutation, afl->m_tmp);
+#endif
*(u16 *)(out_buf + rand_below(afl, temp_len - 1)) =
SWAP16(interesting_16[rand_below(
afl, sizeof(interesting_16) >> 1)]);
@@ -4045,12 +4488,20 @@ pacemaker_fuzzing:
if (rand_below(afl, 2)) {
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp), " INTERESTING32");
+ strcat(afl->mutation, afl->m_tmp);
+#endif
*(u32 *)(out_buf + rand_below(afl, temp_len - 3)) =
interesting_32[rand_below(afl,
sizeof(interesting_32) >> 2)];
} else {
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp), " INTERESTING32BE");
+ strcat(afl->mutation, afl->m_tmp);
+#endif
*(u32 *)(out_buf + rand_below(afl, temp_len - 3)) =
SWAP32(interesting_32[rand_below(
afl, sizeof(interesting_32) >> 2)]);
@@ -4068,6 +4519,10 @@ pacemaker_fuzzing:
out_buf[rand_below(afl, temp_len)] ^= 1 + rand_below(afl, 255);
MOpt_globals.cycles_v2[STAGE_RANDOMBYTE] += 1;
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp), " RAND8");
+ strcat(afl->mutation, afl->m_tmp);
+#endif
break;
case 13: {
@@ -4091,6 +4546,11 @@ pacemaker_fuzzing:
temp_len -= del_len;
MOpt_globals.cycles_v2[STAGE_DELETEBYTE] += 1;
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp), " DEL-%u%u", del_from,
+ del_len);
+ strcat(afl->mutation, afl->m_tmp);
+#endif
break;
}
@@ -4120,6 +4580,12 @@ pacemaker_fuzzing:
clone_to = rand_below(afl, temp_len);
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp), " CLONE_%s_%u_%u_%u",
+ actually_clone ? "clone" : "insert", clone_from,
+ clone_to, clone_len);
+ strcat(afl->mutation, afl->m_tmp);
+#endif
new_buf = afl_realloc(AFL_BUF_PARAM(out_scratch),
temp_len + clone_len);
if (unlikely(!new_buf)) { PFATAL("alloc"); }
@@ -4175,12 +4641,24 @@ pacemaker_fuzzing:
if (copy_from != copy_to) {
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp),
+ " OVERWRITE_COPY_%u_%u_%u", copy_from, copy_to,
+ copy_len);
+ strcat(afl->mutation, afl->m_tmp);
+#endif
memmove(out_buf + copy_to, out_buf + copy_from, copy_len);
}
} else {
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp),
+ " OVERWRITE_FIXED_%u_%u_%u", copy_from, copy_to,
+ copy_len);
+ strcat(afl->mutation, afl->m_tmp);
+#endif
memset(out_buf + copy_to,
rand_below(afl, 2) ? rand_below(afl, 256)
: out_buf[rand_below(afl, temp_len)],
@@ -4212,6 +4690,12 @@ pacemaker_fuzzing:
if (extra_len > (u32)temp_len) break;
u32 insert_at = rand_below(afl, temp_len - extra_len + 1);
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp),
+ " AUTO_EXTRA_OVERWRITE_%u_%u_%s", insert_at, extra_len,
+ afl->a_extras[use_extra].data);
+ strcat(afl->mutation, afl->m_tmp);
+#endif
memcpy(out_buf + insert_at, afl->a_extras[use_extra].data,
extra_len);
@@ -4225,6 +4709,12 @@ pacemaker_fuzzing:
if (extra_len > (u32)temp_len) break;
u32 insert_at = rand_below(afl, temp_len - extra_len + 1);
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp),
+ " EXTRA_OVERWRITE_%u_%u_%s", insert_at, extra_len,
+ afl->a_extras[use_extra].data);
+ strcat(afl->mutation, afl->m_tmp);
+#endif
memcpy(out_buf + insert_at, afl->extras[use_extra].data,
extra_len);
@@ -4254,12 +4744,23 @@ pacemaker_fuzzing:
use_extra = rand_below(afl, afl->a_extras_cnt);
extra_len = afl->a_extras[use_extra].len;
ptr = afl->a_extras[use_extra].data;
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp),
+ " AUTO_EXTRA_INSERT_%u_%u_%s", insert_at, extra_len,
+ ptr);
+ strcat(afl->mutation, afl->m_tmp);
+#endif
} else {
use_extra = rand_below(afl, afl->extras_cnt);
extra_len = afl->extras[use_extra].len;
ptr = afl->extras[use_extra].data;
+#ifdef INTROSPECTION
+ snprintf(afl->m_tmp, sizeof(afl->m_tmp),
+ " EXTRA_INSERT_%u_%u_%s", insert_at, extra_len, ptr);
+ strcat(afl->mutation, afl->m_tmp);
+#endif
}
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index cad26841..575e6b74 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -236,6 +236,10 @@ static void usage(u8 *argv0, int more_help) {
SAYF("Compiled with PROFILING\n\n");
#endif
+#ifdef INTROSPECTION
+ SAYF("Compiled with INTROSPECTION\n\n");
+#endif
+
#ifdef _DEBUG
SAYF("Compiled with _DEBUG\n\n");
#endif
@@ -1462,6 +1466,19 @@ int main(int argc, char **argv_orig, char **envp) {
u32 prev_queued_paths = 0;
u8 skipped_fuzz;
+ #ifdef INTROSPECTION
+ char ifn[4096];
+ snprintf(ifn, sizeof(ifn), "%s/introspection.txt", afl->out_dir);
+ if ((afl->introspection_file = fopen(ifn, "w")) == NULL) {
+
+ PFATAL("could not create '%s'", ifn);
+
+ }
+
+ setvbuf(afl->introspection_file, NULL, _IONBF, 0);
+ OKF("Writing mutation introspection to '%s'", ifn);
+ #endif
+
while (likely(!afl->stop_soon)) {
cull_queue(afl);
generated by cgit v1.2.3 (git 2.25.1) at 2026-01-21 22:08:30 +0000