Revert "Merge branch 'release' into stable"

This reverts commit 815161827689c339d335233b7b232ac9b120b79b, reversing
changes made to 9321a24e682b5c8bf6278961bd014cb883b87295.

7 files changed, 54 insertions, 70 deletions

diff --git a/src/afl-analyze.c b/src/afl-analyze.c
index a5cad03c..dbf2920f 100644
--- a/src/afl-analyze.c
+++ b/src/afl-analyze.c
@@ -877,6 +877,8 @@ int main(int argc, char **argv_orig, char **envp) {
 
   SAYF(cCYA "afl-analyze" VERSION cRST " by Michal Zalewski\n");
 
+  afl_fsrv_init(&fsrv);
+
   while ((opt = getopt(argc, argv, "+i:f:m:t:eOQUWh")) > 0) {
 
     switch (opt) {
@@ -985,14 +987,6 @@ int main(int argc, char **argv_orig, char **envp) {
 
         break;
 
-      case 'O':                                               /* FRIDA mode */
-
-        if (frida_mode) { FATAL("Multiple -O options not supported"); }
-
-        frida_mode = 1;
-
-        break;
-
       case 'Q':
 
         if (qemu_mode) { FATAL("Multiple -Q options not supported"); }
diff --git a/src/afl-cc.c b/src/afl-cc.c
index 6a60fb85..9899f973 100644
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
@@ -637,6 +637,33 @@ static void edit_params(u32 argc, char **argv, char **envp) {
 
     }
 
+    if (cmplog_mode) {
+
+      if (lto_mode && !have_c) {
+
+        cc_params[cc_par_cnt++] = alloc_printf(
+            "-Wl,-mllvm=-load=%s/cmplog-instructions-pass.so", obj_path);
+        cc_params[cc_par_cnt++] = alloc_printf(
+            "-Wl,-mllvm=-load=%s/cmplog-routines-pass.so", obj_path);
+
+      } else {
+
+        cc_params[cc_par_cnt++] = "-Xclang";
+        cc_params[cc_par_cnt++] = "-load";
+        cc_params[cc_par_cnt++] = "-Xclang";
+        cc_params[cc_par_cnt++] =
+            alloc_printf("%s/cmplog-instructions-pass.so", obj_path);
+
+        cc_params[cc_par_cnt++] = "-Xclang";
+        cc_params[cc_par_cnt++] = "-load";
+        cc_params[cc_par_cnt++] = "-Xclang";
+        cc_params[cc_par_cnt++] =
+            alloc_printf("%s/cmplog-routines-pass.so", obj_path);
+
+      }
+
+    }
+
     // cc_params[cc_par_cnt++] = "-Qunused-arguments";
 
     // in case LLVM is installed not via a package manager or "make install"
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index 8fb8a75a..5e8fb9b5 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -418,8 +418,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
 
     struct rlimit r;
 
-    if (!fsrv->cmplog_binary && fsrv->qemu_mode == false &&
-        fsrv->frida_mode == false) {
+    if (!fsrv->cmplog_binary) {
 
       unsetenv(CMPLOG_SHM_ENV_VAR);  // we do not want that in non-cmplog fsrv
 
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index 1bc5854e..7274f679 100644
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@@ -2102,10 +2102,10 @@ havoc_stage:
 
         case 8 ... 9: {
 
-        case 8 ... 9: {
-
           /* Set word to interesting value, little endian. */
 
+          if (temp_len < 2) { break; }
+
 #ifdef INTROSPECTION
           snprintf(afl->m_tmp, sizeof(afl->m_tmp), " INTERESTING16");
           strcat(afl->mutation, afl->m_tmp);
@@ -2119,7 +2119,7 @@ havoc_stage:
 
         case 10 ... 11: {
 
-          /* Set word to interesting value, randomly choosing endian. */
+          /* Set word to interesting value, big endian. */
 
           if (temp_len < 2) { break; }
 
@@ -2136,10 +2136,10 @@ havoc_stage:
 
         case 12 ... 13: {
 
-        case 12 ... 13: {
-
           /* Set dword to interesting value, little endian. */
 
+          if (temp_len < 4) { break; }
+
 #ifdef INTROSPECTION
           snprintf(afl->m_tmp, sizeof(afl->m_tmp), " INTERESTING32");
           strcat(afl->mutation, afl->m_tmp);
@@ -2153,7 +2153,7 @@ havoc_stage:
 
         case 14 ... 15: {
 
-          /* Set dword to interesting value, randomly choosing endian. */
+          /* Set dword to interesting value, big endian. */
 
           if (temp_len < 4) { break; }
 
diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index fb81522e..e876beea 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -424,7 +424,8 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
         }
 
         var_detected = 1;
-        afl->stage_max = afl->fast_cal ? CAL_CYCLES : CAL_CYCLES_LONG;
+        afl->stage_max =
+            afl->afl_env.afl_cal_fast ? CAL_CYCLES : CAL_CYCLES_LONG;
 
       } else {
 
diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c
index c2294f7c..e0930234 100644
--- a/src/afl-fuzz-stats.c
+++ b/src/afl-fuzz-stats.c
@@ -881,10 +881,6 @@ void show_stats(afl_state_t *afl) {
 
     strcpy(tmp, "disabled (custom-mutator-only mode)");
 
-  if (unlikely(afl->custom_only)) {
-
-    strcpy(tmp, "disabled (custom-mutator-only mode)");
-
   } else if (likely(afl->skip_deterministic)) {
 
     strcpy(tmp, "disabled (default, enable with -D)");
@@ -1021,9 +1017,10 @@ void show_stats(afl_state_t *afl) {
   if (unlikely(afl->afl_env.afl_custom_mutator_library)) {
 
     strcat(tmp, " ");
-    strcat(tmp, u_stringify_int(IB(2), afl->stage_finds[STAGE_PYTHON]));
+    strcat(tmp, u_stringify_int(IB(2), afl->stage_finds[STAGE_CUSTOM_MUTATOR]));
     strcat(tmp, "/");
-    strcat(tmp, u_stringify_int(IB(3), afl->stage_cycles[STAGE_PYTHON]));
+    strcat(tmp,
+           u_stringify_int(IB(3), afl->stage_cycles[STAGE_CUSTOM_MUTATOR]));
     strcat(tmp, ",");
 
   } else {
diff --git a/src/afl-showmap.c b/src/afl-showmap.c
index 5278c839..5c899e69 100644
--- a/src/afl-showmap.c
+++ b/src/afl-showmap.c
@@ -90,7 +90,8 @@ static bool quiet_mode,                /* Hide non-essential messages?      */
     have_coverage,                     /* have coverage?                    */
     no_classify,                       /* do not classify counts            */
     debug,                             /* debug mode                        */
-    print_filenames;                   /* print the current filename        */
+    print_filenames,                   /* print the current filename        */
+    wait_for_gdb;
 
 static volatile u8 stop_soon,          /* Ctrl-C pressed?                   */
     child_crashed;                     /* Child crashed?                    */
@@ -425,18 +426,6 @@ static u32 read_file(u8 *in_file) {
 
   }
 
-  if (st.st_size > MAX_FILE) {
-
-    WARNF("Input file '%s' is too large, only reading %u bytes.", in_file,
-          MAX_FILE);
-    in_len = MAX_FILE;
-
-  } else {
-
-    in_len = st.st_size;
-
-  }
-
   in_data = ck_alloc_nozero(in_len);
 
   ck_read(fd, in_data, in_len, in_file);
@@ -830,13 +819,13 @@ static void usage(u8 *argv0) {
       "  -o file    - file to write the trace data to\n\n"
 
       "Execution control settings:\n"
-      "  -t msec       - timeout for each run (none)\n"
-      "  -m megs       - memory limit for child process (%u MB)\n"
-      "  -O            - use binary-only instrumentation (FRIDA mode)\n"
-      "  -Q            - use binary-only instrumentation (QEMU mode)\n"
-      "  -U            - use Unicorn-based instrumentation (Unicorn mode)\n"
-      "  -W            - use qemu-based instrumentation with Wine (Wine mode)\n"
-      "                  (Not necessary, here for consistency with other afl-* "
+      "  -t msec    - timeout for each run (none)\n"
+      "  -m megs    - memory limit for child process (%u MB)\n"
+      "  -O         - use binary-only instrumentation (FRIDA mode)\n"
+      "  -Q         - use binary-only instrumentation (QEMU mode)\n"
+      "  -U         - use Unicorn-based instrumentation (Unicorn mode)\n"
+      "  -W         - use qemu-based instrumentation with Wine (Wine mode)\n"
+      "               (Not necessary, here for consistency with other afl-* "
       "tools)\n\n"
       "Other settings:\n"
       "  -i dir     - process all files below this directory, must be combined "
@@ -873,7 +862,8 @@ static void usage(u8 *argv0) {
       "AFL_PRELOAD: LD_PRELOAD / DYLD_INSERT_LIBRARIES settings for target\n"
       "AFL_PRINT_FILENAMES: If set, the filename currently processed will be "
       "printed to stdout\n"
-      "AFL_QUIET: do not print extra informational output\n",
+      "AFL_QUIET: do not print extra informational output\n"
+      "AFL_NO_FORKSRV: run target via execve instead of using the forkserver\n",
       argv0, MEM_LIMIT, doc_path);
 
   exit(1);
@@ -1258,15 +1248,7 @@ int main(int argc, char **argv_orig, char **envp) {
 
   if (in_dir) {
 
-    DIR *           dir_in, *dir_out = NULL;
-    struct dirent **file_list;
-
-    //    int            done = 0;
-    u8 infile[PATH_MAX], outfile[PATH_MAX];
-    u8 wait_for_gdb = 0;
-#if !defined(DT_REG)
-    struct stat statbuf;
-#endif
+    DIR *dir_in, *dir_out = NULL;
 
     if (getenv("AFL_DEBUG_GDB")) wait_for_gdb = true;
 
@@ -1367,28 +1349,12 @@ int main(int argc, char **argv_orig, char **envp) {
     if (fsrv->support_shmem_fuzz && !fsrv->use_shmem_fuzz)
       shm_fuzz = deinit_shmem(fsrv, shm_fuzz);
 
-    int file_count = scandir(in_dir, &file_list, NULL, alphasort);
-    if (file_count < 0) {
-
-      PFATAL("Failed to read from input dir at %s\n", in_dir);
-
-    }
-
-    for (int i = 0; i < file_count; i++) {
-
-      struct dirent *dir_ent = file_list[i];
-
-      if (dir_ent->d_name[0] == '.') {
-
-        continue;  // skip anything that starts with '.'
+    if (execute_testcases(in_dir) == 0) {
 
       FATAL("could not read input testcases from %s", in_dir);
 
     }
 
-    free(file_list);
-    file_list = NULL;
-
     if (!quiet_mode) { OKF("Processed %llu input files.", fsrv->total_execs); }
 
     if (dir_out) { closedir(dir_out); }