-rw-r--r--include/afl-fuzz.h4
-rw-r--r--include/forkserver.h10
-rw-r--r--llvm_mode/afl-clang-fast.c10
-rw-r--r--src/afl-forkserver.c13
-rw-r--r--src/afl-fuzz-bitmap.c12
-rw-r--r--src/afl-fuzz-run.c10
-rw-r--r--src/afl-showmap.c18
-rw-r--r--src/afl-tmin.c51
8 files changed, 68 insertions, 60 deletions
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index 38501699..7c6019e6 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -842,10 +842,10 @@ u32 count_bytes(afl_state_t *, u8 *);
u32 count_non_255_bytes(afl_state_t *, u8 *);
#ifdef WORD_SIZE_64
void simplify_trace(afl_state_t *, u64 *);
-void classify_counts(afl_state_t *, u64 *);
+void classify_counts(afl_forkserver_t *);
#else
void simplify_trace(afl_state_t *, u32 *);
-void classify_counts(afl_state_t *, u32 *);
+void classify_counts(afl_forkserver_t *);
#endif
void init_count_class16(void);
void minimize_bits(afl_state_t *, u8 *, u8 *);
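Review bot: The two new `classify_counts` prototypes are now byte-identical, so the `#ifdef WORD_SIZE_64` split only still exists for `simplify_trace`; declaring `void classify_counts(afl_forkserver_t *);` once, outside the conditional next to `init_count_class16`, removes the chance of the two arms drifting apart again. Keeping the parameter name in the prototype (`afl_forkserver_t *fsrv`) would also match the style of the surrounding `afl_fsrv_*` declarations.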
diff --git a/include/forkserver.h b/include/forkserver.h
index 82953855..f24393bc 100644
--- a/include/forkserver.h
+++ b/include/forkserver.h
@@ -97,10 +97,12 @@ void afl_fsrv_init(afl_forkserver_t *fsrv);
void afl_fsrv_init_dup(afl_forkserver_t *fsrv_to, afl_forkserver_t *from);
void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
volatile u8 *stop_soon_p, u8 debug_child_output);
-fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv,
- volatile u8 * stop_soon_p);
-void afl_fsrv_killall(void);
-void afl_fsrv_deinit(afl_forkserver_t *fsrv);
+fsrv_run_result_t afl_fsrv_run_target(
+ afl_forkserver_t *fsrv, u32 timeout,
+ void(classify_counts_func)(afl_forkserver_t *fsrv),
+ volatile u8 *stop_soon_p);
+void afl_fsrv_killall(void);
+void afl_fsrv_deinit(afl_forkserver_t *fsrv);
#ifdef __APPLE__
#define MSG_FORK_ON_APPLE \
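Review bot: The new `classify_counts_func` parameter is declared with function type rather than as an explicit pointer, and nothing in the header says it may be NULL; the `likely(classify_counts_func)` guard in afl-forkserver.c implies it is optional, but a caller reading only this header cannot tell. I would spell it as `void (*classify_counts_func)(afl_forkserver_t *fsrv)` and add a comment above the prototype, e.g. `/* timeout: per-call limit replacing fsrv->exec_tmout; classify_counts_func: optional (may be NULL), invoked on trace_bits after the run and before the result is decided. */`. The unit of `timeout` should be stated too once confirmed against the implementation.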
diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c
index f58c22dd..57d7b89a 100644
--- a/llvm_mode/afl-clang-fast.c
+++ b/llvm_mode/afl-clang-fast.c
@@ -184,7 +184,9 @@ static void edit_params(u32 argc, char **argv, char **envp) {
sprintf(llvm_fullpath, CLANGPP_BIN);
cc_params[0] = alt_cxx && *alt_cxx ? alt_cxx : (u8 *)llvm_fullpath;
- } else if (!strcmp(name, "afl-clang-fast") || !strcmp(name, "afl-clang-lto")) {
+ } else if (!strcmp(name, "afl-clang-fast") ||
+
+ !strcmp(name, "afl-clang-lto")) {
u8 *alt_cc = getenv("AFL_CC");
if (USE_BINDIR)
@@ -194,8 +196,12 @@ static void edit_params(u32 argc, char **argv, char **envp) {
cc_params[0] = alt_cc && *alt_cc ? alt_cc : (u8 *)llvm_fullpath;
} else {
+
fprintf(stderr, "Name of the binary: %s\n", argv[0]);
- FATAL("Name of the binary is not a known name, expected afl-clang-fast(++) or afl-clang-lto(++)");
+ FATAL(
+ "Name of the binary is not a known name, expected afl-clang-fast(++) "
+ "or afl-clang-lto(++)");
+
}
/* There are three ways to compile with afl-clang-fast. In the traditional
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index f0040617..89480b07 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -643,16 +643,16 @@ static void afl_fsrv_kill(afl_forkserver_t *fsrv) {
/* Execute target application, monitoring for timeouts. Return status
information. The called program will update afl->fsrv->trace_bits. */
-fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv,
- volatile u8 * stop_soon_p) {
+fsrv_run_result_t afl_fsrv_run_target(
+ afl_forkserver_t *fsrv, u32 timeout,
+ void(classify_counts_func)(afl_forkserver_t *fsrv),
+ volatile u8 *stop_soon_p) {
s32 res;
u32 exec_ms;
int status = 0;
- u32 timeout = fsrv->exec_tmout;
-
/* After this memset, fsrv->trace_bits[] are effectively volatile, so we
must prevent any earlier operations from venturing into that
territory. */
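Review bot: The header comment at the top of this hunk still describes only the old contract and says nothing about the two new parameters, so the fact that `timeout` now overrides `fsrv->exec_tmout` per call, and that `classify_counts_func` is optional and runs on `trace_bits` before the run result is reported, is documented nowhere. I would extend it along the lines of `Execute target application, monitoring for timeouts (timeout overrides fsrv->exec_tmout for this run). If classify_counts_func is non-NULL it is applied to fsrv->trace_bits before the outcome is evaluated.` The body of afl_fsrv_run_target continues past the end of this hunk.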
@@ -732,6 +732,9 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv,
behave very normally and do not have to be treated as volatile. */
MEM_BARRIER();
+ u32 tb4 = *(u32 *)fsrv->trace_bits;
+
+ if (likely(classify_counts_func)) classify_counts_func(fsrv);
/* Report outcome to caller. */
@@ -756,7 +759,7 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv,
}
- if ((*(u32 *)fsrv->trace_bits) == EXEC_FAIL_SIG) return FSRV_RUN_NOINST;
+ if (tb4 == EXEC_FAIL_SIG) return FSRV_RUN_ERROR;
return FSRV_RUN_OK;
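Review bot: The EXEC_FAIL_SIG path now reports `FSRV_RUN_ERROR` instead of `FSRV_RUN_NOINST`, so unless some other site still produces it, `FSRV_RUN_NOINST` becomes a value callers (the showmap hunk in this same commit drops its check for it) can compare against but never receive; either remove it from the enum or keep returning it here so an unexecutable binary stays distinguishable from a generic run failure. Snapshotting the first word into `tb4` before `classify_counts_func` runs is the right move, since the classifier rewrites exactly those bytes, but that ordering constraint deserves a comment such as `/* Must be read before classify_counts_func() rewrites the first map word. */`. The function begins outside this hunk.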
diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c
index 298a6207..c5cede4d 100644
--- a/src/afl-fuzz-bitmap.c
+++ b/src/afl-fuzz-bitmap.c
@@ -351,9 +351,11 @@ void init_count_class16(void) {
#ifdef WORD_SIZE_64
-void classify_counts(afl_state_t *afl, u64 *mem) {
+void classify_counts(afl_forkserver_t *fsrv) {
- u32 i = (afl->fsrv.map_size >> 3);
+ u32 *mem = (u32 *)fsrv->trace_bits;
+
+ u32 i = (fsrv->map_size >> 3);
if (i == 0) i = 1;
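Review bot: In this 64-bit arm `mem` is declared `u32 *` while the iteration count stays `map_size >> 3` (one step per 8 bytes), which is the opposite pairing from the removed `u64 *mem` signature. If the loop body below (outside this hunk) still advances `mem++` once per iteration and reads four `u16` lanes through it as the 64-bit version did, the walk covers only half of `trace_bits` and the `*mem` zero-test skips words whose non-zero counts sit in the upper four bytes, leaving those hit counts unclassified. The declaration should be `u64 *mem = (u64 *)fsrv->trace_bits;` to match the stride.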
@@ -380,9 +382,11 @@ void classify_counts(afl_state_t *afl, u64 *mem) {
#else
-void classify_counts(afl_state_t *afl, u32 *mem) {
+void classify_counts(afl_forkserver_t *fsrv) {
- u32 i = (afl->fsrv.map_size >> 2);
+ u64 *mem = (u64 *)fsrv->trace_bits;
+
+ u32 i = (fsrv->map_size >> 2);
if (i == 0) i = 1;
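Review bot: In this 32-bit arm `mem` is declared `u64 *` but the loop count is `map_size >> 2` (one step per 4 bytes), inverting the type/stride pairing of the removed `u32 *mem` version. If the loop body below (outside this hunk) still does `mem++` per iteration, a `u64` pointer advanced `map_size / 4` times walks twice the size of the map and writes past the end of the shared-memory `trace_bits` buffer. The declaration should be `u32 *mem = (u32 *)fsrv->trace_bits;`.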
diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index 370a7734..c3ed59ef 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -35,15 +35,7 @@
fsrv_run_result_t run_target(afl_state_t *afl, afl_forkserver_t *fsrv,
u32 timeout) {
- fsrv_run_result_t res = afl_fsrv_run_target(&afl->fsrv, &afl->stop_soon);
-
-#ifdef WORD_SIZE_64
- classify_counts(afl, (u64 *)fsrv->trace_bits);
-#else
- classify_counts(afl, (u32 *)fsrv->trace_bits);
-#endif /* ^WORD_SIZE_64 */
-
- return res;
+ return afl_fsrv_run_target(fsrv, timeout, classify_counts, &afl->stop_soon);
}
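Review bot: `run_target` still carries no header comment, and this is the change that makes its `timeout` argument matter: the removed lines ignored it and let the callee fall back to `fsrv->exec_tmout`, so any caller that passed a longer or shorter limit now actually gets it. That is presumably the intent, but it deserves a sentence above the definition, e.g. `/* Run the target on the current test case with the given timeout (honoured per call, not fsrv->exec_tmout) and classify the resulting hit counts in fsrv->trace_bits. */`. Also note the call now uses the `fsrv` argument rather than `&afl->fsrv`; if every caller passes `&afl->fsrv` nothing changes, otherwise the classified map and the executed forkserver are at least now the same object.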
diff --git a/src/afl-showmap.c b/src/afl-showmap.c
index fa799bf9..2326d469 100644
--- a/src/afl-showmap.c
+++ b/src/afl-showmap.c
@@ -106,7 +106,10 @@ static const u8 count_class_binary[256] = {
};
-static void classify_counts(u8 *mem, const u8 *map) {
+static void classify_counts(afl_forkserver_t *fsrv) {
+
+ u8 * mem = fsrv->trace_bits;
+ const u8 *map = binary_mode ? count_class_binary : count_class_human;
u32 i = MAP_SIZE;
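Review bot: Now that the forkserver is passed in, the loop bound here should be `u32 i = fsrv->map_size;` rather than the compile-time `MAP_SIZE`, matching the `fsrv->map_size` used by the afl-fuzz-bitmap.c version in this same commit; if the runtime map is smaller than `MAP_SIZE` the remainder of the buffer is classified needlessly, and if it could ever be larger the loop would stop short. The body of `classify_counts` continues past the end of this hunk.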
@@ -240,12 +243,12 @@ void run_target_forkserver(afl_forkserver_t *fsrv, char **argv, u8 *mem,
write_to_testcase(fsrv, mem, len);
- fsrv_run_result_t res = afl_fsrv_run_target(fsrv, &stop_soon);
- if (res == FSRV_RUN_NOINST || res == FSRV_RUN_ERROR)
+ if (afl_fsrv_run_target(fsrv, fsrv->exec_tmout, classify_counts,
+ &stop_soon) == FSRV_RUN_ERROR) {
+
FATAL("Error running target");
- classify_counts(fsrv->trace_bits,
- binary_mode ? count_class_binary : count_class_human);
+ }
if (stop_soon) {
@@ -375,8 +378,7 @@ static void run_target(afl_forkserver_t *fsrv, char **argv) {
if (*(u32 *)fsrv->trace_bits == EXEC_FAIL_SIG)
FATAL("Unable to execute '%s'", argv[0]);
- classify_counts(fsrv->trace_bits,
- binary_mode ? count_class_binary : count_class_human);
+ classify_counts(fsrv);
if (!quiet_mode) SAYF(cRST "-- Program output ends --\n");
@@ -587,7 +589,7 @@ static void find_binary(afl_forkserver_t *fsrv, u8 *fname) {
break;
ck_free(fsrv->target_path);
- fsrv->target_path = 0;
+ fsrv->target_path = NULL;
}
diff --git a/src/afl-tmin.c b/src/afl-tmin.c
index c994c2de..84e9a498 100644
--- a/src/afl-tmin.c
+++ b/src/afl-tmin.c
@@ -100,8 +100,29 @@ static const u8 count_class_lookup[256] = {
};
-static void classify_counts(u8 *mem) {
+/* Apply mask to classified bitmap (if set). */
+
+static void apply_mask(u32 *mem, u32 *mask) {
+
+ u32 i = (MAP_SIZE >> 2);
+
+ if (!mask) return;
+
+ while (i--) {
+
+ *mem &= ~*mask;
+ mem++;
+ mask++;
+
+ }
+}
+
+static void classify_counts(afl_forkserver_t *fsrv) {
+
+ if (hang_mode) return; /* We only want hangs */
+
+ u8 *mem = fsrv->trace_bits;
u32 i = MAP_SIZE;
if (edges_only) {
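Review bot: The relocated `apply_mask` only ever reads through its second pointer (`*mem &= ~*mask;`), so its signature should say so: `static void apply_mask(u32 *mem, const u32 *mask)`. The early `if (hang_mode) return;` in `classify_counts` preserves the old `if (!hang_mode) { classify; apply_mask }` behaviour, but since the call now happens inside `afl_fsrv_run_target`, a one-line comment such as `/* In hang mode the map is irrelevant; only timeouts matter. */` would save the next reader a trip to afl-forkserver.c. `classify_counts` continues past the end of this hunk.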
@@ -124,23 +145,7 @@ static void classify_counts(u8 *mem) {
}
-}
-
-/* Apply mask to classified bitmap (if set). */
-
-static void apply_mask(u32 *mem, u32 *mask) {
-
- u32 i = (MAP_SIZE >> 2);
-
- if (!mask) return;
-
- while (i--) {
-
- *mem &= ~*mask;
- mem++;
- mask++;
-
- }
+ apply_mask((u32 *)fsrv->trace_bits, (u32 *)mask_bitmap);
}
@@ -250,17 +255,11 @@ static u8 run_target(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len,
write_to_testcase(fsrv, mem, len);
- fsrv_run_result_t ret = afl_fsrv_run_target(fsrv, &stop_soon);
+ fsrv_run_result_t ret =
+ afl_fsrv_run_target(fsrv, fsrv->exec_tmout, classify_counts, &stop_soon);
if (ret == FSRV_RUN_ERROR) FATAL("Couldn't run child");
- if (!hang_mode) {
-
- classify_counts(fsrv->trace_bits);
- apply_mask((u32 *)fsrv->trace_bits, (u32 *)mask_bitmap);
-
- }
-
if (stop_soon) {
SAYF(cRST cLRD "\n+++ Minimization aborted by user +++\n" cRST);