62 files changed, 1672 insertions, 685 deletions
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index fb13b91a..0042bf28 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -1,4 +1,6 @@ -# How to submit a Pull Request to AFL++ +# Contributing to AFL++ + +## How to submit a pull request All contributions (pull requests) must be made against our `dev` branch. @@ -20,4 +22,38 @@ and use AFL's macros wherever possible (e.g., WARNF, FATAL, MAP_SIZE, ...). Remember that AFL++ has to build and run on many platforms, so generalize your Makefiles/GNUmakefile (or your patches to our pre-existing Makefiles) to be as -generic as possible. \ No newline at end of file +generic as possible. + +## How to contribute to the docs + +We welcome contributions to our docs. + +Before creating a new file, please check if your content matches an existing +file in one the following folders: + +* [docs/](docs/) (this is where you can find most of our docs content) +* [frida_mode/](frida_mode/) +* [instrumentation/](instrumentation/) +* [qemu_mode/](qemu_mode/) +* [unicorn_mode/](unicorn_mode/) + +When working on the docs, please keep the following guidelines in mind: + +* Edit or create Markdown files and use Markdown markup. + * Do: fuzzing_gui_program.md + * Don't: fuzzing_gui_program.txt +* Use underscore in file names. + * Do: fuzzing_network_service.md + * Don't: fuzzing-network-service.md +* Use a maximum of 80 characters per line to make reading in a console easier. +* Make all pull requests against `dev`, see + [#how-to-submit-a-pull-request-to-afl](#how-to-submit-a-pull-request-to-afl). + +And finally, here are some best practices for writing docs content: + +* Use clear and simple language. +* Structure your content with headings and paragraphs. +* Use bulleted lists to present similar content in a way that makes it easy to + scan. +* Use numbered lists for procedures or prioritizing. +* Link to related content, for example, prerequisites or in-depth discussions. \ No newline at end of file 
diff --git a/GNUmakefile.llvm b/GNUmakefile.llvm index 1e2c411d..f1de28a4 100644 --- a/GNUmakefile.llvm +++ b/GNUmakefile.llvm @@ -390,11 +390,11 @@ instrumentation/afl-llvm-common.o: instrumentation/afl-llvm-common.cc instrument ifeq "$(LLVM_MIN_4_0_1)" "0" $(info [!] N-gram branch coverage instrumentation is not available for llvm version $(LLVMVER)) endif - $(CXX) $(CLANG_CPPFL) -DLLVMInsTrim_EXPORTS -fno-rtti -fPIC -std=$(LLVM_STDCXX) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o + $(CXX) $(CLANG_CPPFL) -Wdeprecated -fno-rtti -fPIC -std=$(LLVM_STDCXX) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o ./SanitizerCoveragePCGUARD.so: instrumentation/SanitizerCoveragePCGUARD.so.cc instrumentation/afl-llvm-common.o | test_deps ifeq "$(LLVM_10_OK)" "1" - -$(CXX) $(CLANG_CPPFL) -fno-rtti -fPIC -std=$(LLVM_STDCXX) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o + -$(CXX) $(CLANG_CPPFL) -Wdeprecated -fno-rtti -fPIC -std=$(LLVM_STDCXX) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o endif ./afl-llvm-lto-instrumentlist.so: instrumentation/afl-llvm-lto-instrumentlist.so.cc instrumentation/afl-llvm-common.o diff --git a/afl-plot b/afl-plot index 75981d7f..90a46d24 100755 --- a/afl-plot +++ b/afl-plot 
@@ -140,9 +140,9 @@ set output '$outputdir/high_freq.png' $GNUPLOT_SETUP -plot '$inputdir/plot_data' using 1:4 with filledcurve x1 title 'total paths' linecolor rgb '#000000' fillstyle transparent solid 0.2 noborder, \\ - '' using 1:3 with filledcurve x1 title 'current path' linecolor rgb '#f0f0f0' fillstyle transparent solid 0.5 noborder, \\ - '' using 1:5 with lines title 'pending paths' linecolor rgb '#0090ff' linewidth 3, \\ +plot '$inputdir/plot_data' using 1:4 with filledcurve x1 title 'corpus count' linecolor rgb '#000000' fillstyle transparent solid 0.2 noborder, \\ + '' using 1:3 with filledcurve x1 title 'current fuzz item' linecolor rgb '#f0f0f0' fillstyle transparent solid 0.5 noborder, \\ + '' using 1:5 with lines title 'pending items' linecolor rgb '#0090ff' linewidth 3, \\ '' using 1:6 with lines title 'pending favs' linecolor rgb '#c00080' linewidth 3, \\ '' using 1:2 with lines title 'cycles done' linecolor rgb '#c000f0' linewidth 3 " diff --git a/custom_mutators/gramatron/gramfuzz.c b/custom_mutators/gramatron/gramfuzz.c index 5f6906bd..9c9dbb43 100644 --- a/custom_mutators/gramatron/gramfuzz.c +++ b/custom_mutators/gramatron/gramfuzz.c @@ -211,7 +211,7 @@ size_t afl_custom_fuzz(my_mutator_t *data, uint8_t *buf, size_t buf_size, } else if (data->mut_idx == 2) { // Perform splice mutation // we cannot use the supplied splice data so choose a new random file - u32 tid = rand_below(global_afl, data->afl->queued_paths); + u32 tid = rand_below(global_afl, data->afl->queued_items); struct queue_entry *q = data->afl->queue_buf[tid]; // Read the input representation for the splice candidate diff --git a/custom_mutators/radamsa/libradamsa.c b/custom_mutators/radamsa/libradamsa.c index 792eea35..e6838752 100644 --- a/custom_mutators/radamsa/libradamsa.c +++ b/custom_mutators/radamsa/libradamsa.c 
@@ -4473,6 +4473,10 @@ static word prim_sys(word op, word a, word b, word c) { FD_CLOEXEC, F_DUPFD, F_DUPFD_CLOEXEC, +#if defined(F_DUP2FD) + F_DUP2FD, + F_DUP2FD_CLOEXEC, +#endif F_GETFD, F_SETFD, F_GETFL, diff --git a/dictionaries/README.md b/dictionaries/README.md index 0b3b4d90..ab0a6798 100644 --- a/dictionaries/README.md +++ b/dictionaries/README.md @@ -1,6 +1,6 @@ # AFL++ dictionaries -(See [../README.md](../README.md) for the general instruction manual.) +For the general instruction manual, see [docs/README.md](../docs/README.md). This subdirectory contains a set of dictionaries that can be used in conjunction with the -x option to allow the fuzzer to effortlessly explore the grammar of diff --git a/docs/Changelog.md b/docs/Changelog.md index 34b9affb..00502efe 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -10,6 +10,10 @@ sending a mail to <afl-users+subscribe@googlegroups.com>. ### Version ++3.15a (dev) - documentation restructuring, made possible by Google Season of Docs + - we renamed several UI and fuzzer_stat entries to be more precise, + e.g. "unique crashes" -> "saved crashes", "total paths" -> + "corpus count", "current path" -> "current item". + This might need changing custom scripting! - new binary-only fuzzing mode: coresight_mode for aarch64 CPUs :) thanks to RICSecLab submitting! - if instrumented libaries are dlopen()'ed after the forkserver you @@ -30,6 +34,8 @@ sending a mail to <afl-users+subscribe@googlegroups.com>. - better banner - more effective cmplog mode - more often update the UI when in input2stage mode + - qemu_mode/unicorn_mode: fixed OOB write when using libcompcov, + thanks to kotee4ko for reporting! - frida_mode: - better performance, bug fixes - David Carlier added Android support :) 
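Review bot: The added `F_DUP2FD_CLOEXEC,` entry is placed under the same `#if defined(F_DUP2FD)` guard as `F_DUP2FD,`, yet the two constants are not guaranteed to be defined together; on any platform whose `<fcntl.h>` defines `F_DUP2FD` but not `F_DUP2FD_CLOEXEC`, this list stops compiling. Guard them independently: keep `F_DUP2FD,` under `#if defined(F_DUP2FD)` and wrap the second entry in its own `#if defined(F_DUP2FD_CLOEXEC)` / `#endif`. If this table is consumed by position rather than by symbol name, conditional entries in the middle also shift the indices of `F_GETFD` and everything after it between platforms; that is inferred from the list shape only and should be confirmed against the lookup code. prim_sys begins and ends outside this hunk.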
@@ -47,7 +53,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>. - fix for shared linking on MacOS - fixed a potential crash in targets for LAF string handling - added AFL_USE_TSAN thread sanitizer support - - llvm and LTO mode modified to work with new llvm 14-dev (again) + - llvm and LTO mode modified to work with new llvm 14-dev (again. again.) - fix for AFL_REAL_LD - added the very good grammar mutator "GramaTron" to the custom_mutators @@ -1566,7 +1572,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>. - Fixed a bug with installed copies of AFL trying to use QEMU mode. Spotted by G.M. Lime. - - Added last path / crash / hang times to fuzzer_stats, suggested by + - Added last find / crash / hang times to fuzzer_stats, suggested by Richard Hipp. - Fixed a typo, thanks to Jakub Wilk. diff --git a/docs/FAQ.md b/docs/FAQ.md index 7869ee61..f1cffe00 100644 --- a/docs/FAQ.md +++ b/docs/FAQ.md @@ -34,6 +34,19 @@ If you find an interesting or important question missing, submit it via </p></details> <details> + <summary id="is-afl-a-whitebox-graybox-or-blackbox-fuzzer">Is AFL++ a whitebox, graybox, or blackbox fuzzer?</summary><p> + + The definition of the terms whitebox, graybox, and blackbox fuzzing varies + from one source to another. For example, "graybox fuzzing" could mean + binary-only or source code fuzzing, or something completely different. + Therefore, we try to avoid them. + + [The Fuzzing Book](https://www.fuzzingbook.org/html/GreyboxFuzzer.html#AFL:-An-Effective-Greybox-Fuzzer) + describes the original AFL to be a graybox fuzzer. In that sense, AFL++ is + also a graybox fuzzer. +</p></details> + +<details> <summary id="where-can-i-find-tutorials">Where can I find tutorials?</summary><p> We compiled a list of tutorials and exercises, see 
@@ -127,6 +140,15 @@ If you find an interesting or important question missing, submit it via ## Performance <details> + <summary id="what-makes-a-good-performance">What makes a good performance?</summary><p> + + Good performance generally means "making the fuzzing results better". This can + be influenced by various factors, for example, speed (finding lots of paths + quickly) or thoroughness (working with decreased speed, but finding better + mutations). +</p></details> + +<details> <summary id="how-can-i-improve-the-fuzzing-speed">How can I improve the fuzzing speed?</summary><p> There are a few things you can do to improve the fuzzing speed, see @@ -146,8 +168,8 @@ If you find an interesting or important question missing, submit it via the edge coverage result will be different across runs. Those edges that change are then flagged "unstable". - The more "unstable" edges, the more difficult for AFL++ to identify valid new - paths. + The more "unstable" edges there are, the harder it is for AFL++ to identify + valid new paths. A value above 90% is usually fine and a value above 80% is also still ok, and even a value above 20% can still result in successful finds of bugs. However, diff --git a/docs/README.md b/docs/README.md new file mode 100644 index 00000000..2bd07bb6 --- /dev/null +++ b/docs/README.md 
@@ -0,0 +1,65 @@ +# AFL++ documentation + +This is the overview of the AFL++ docs content. + +For general information on AFL++, see the +[README.md of the repository](../README.md). + +Also take a look at our [FAQ.md](FAQ.md) and +[best_practices.md](best_practices.md). + +## Fuzzing targets with the source code available + +You can find a quickstart for fuzzing targets with the source code available in +the [README.md of the repository](../README.md#quick-start-fuzzing-with-afl). + +For in-depth information on the steps of the fuzzing process, see +[fuzzing_in_depth.md](fuzzing_in_depth.md) or click on the following +image and select a step. + + + +For further information on instrumentation, see the +[READMEs in the instrumentation/ folder](../instrumentation/). + +### Instrumenting the target + +For more information, click on the following image and select a step. + + + +### Preparing the fuzzing campaign + +For more information, click on the following image and select a step. + + + +### Fuzzing the target + +For more information, click on the following image and select a step. + + + +### Managing the fuzzing campaign + +For more information, click on the following image and select a step. + + + +## Fuzzing other targets + +To learn about fuzzing other targets, see: + +* Binary-only: [fuzzing_binary-only_targets.md](fuzzing_binary-only_targets.md) +* GUI programs: + [best_practices.md#fuzzing-a-gui-program](best_practices.md#fuzzing-a-gui-program) +* Libraries: [frida_mode/README.md](../frida_mode/README.md) +* Network services: + [best_practices.md#fuzzing-a-network-service](best_practices.md#fuzzing-a-network-service) +* Non-linux: [unicorn_mode/README.md](../unicorn_mode/README.md) + +## Additional information + +* Tools that help fuzzing with AFL++: + [third_party_tools.md](third_party_tools.md) +* Tutorials: [tutorials.md](tutorials.md) \ No newline at end of file 
diff --git a/docs/afl-fuzz_approach.md b/docs/afl-fuzz_approach.md index 2da61cc4..6af39769 100644 --- a/docs/afl-fuzz_approach.md +++ b/docs/afl-fuzz_approach.md @@ -40,7 +40,7 @@ superior to blind fuzzing or coverage-only tools. This section provides an overview of the status screen - plus tips for troubleshooting any warnings and red text shown in the UI. -For the general instruction manual, see [README.md](../README.md). +For the general instruction manual, see [README.md](README.md). ### A note about colors @@ -85,7 +85,7 @@ for parallel fuzzing. Second to last is the power schedule mode being run ``` +----------------------------------------------------+ | run time : 0 days, 8 hrs, 32 min, 43 sec | - | last new path : 0 days, 0 hrs, 6 min, 40 sec | + | last new find : 0 days, 0 hrs, 6 min, 40 sec | | last uniq crash : none seen yet | | last uniq hang : 0 days, 1 hrs, 24 min, 32 sec | +----------------------------------------------------+ 
@@ -485,20 +485,20 @@ directory. This includes: - `cycles_wo_finds` - number of cycles without any new paths found - `execs_done` - number of execve() calls attempted - `execs_per_sec` - overall number of execs per second -- `paths_total` - total number of entries in the queue -- `paths_favored` - number of queue entries that are favored -- `paths_found` - number of entries discovered through local fuzzing -- `paths_imported` - number of entries imported from other instances +- `corpus_count` - total number of entries in the queue +- `corpus_favored` - number of queue entries that are favored +- `corpus_found` - number of entries discovered through local fuzzing +- `corpus_imported` - number of entries imported from other instances - `max_depth` - number of levels in the generated data set -- `cur_path` - currently processed entry number +- `cur_item` - currently processed entry number - `pending_favs` - number of favored entries still waiting to be fuzzed - `pending_total` - number of all entries waiting to be fuzzed -- `variable_paths` - number of test cases showing variable behavior +- `corpus_variable` - number of test cases showing variable behavior - `stability` - percentage of bitmap bytes that behave consistently - `bitmap_cvg` - percentage of edge coverage found in the map so far -- `unique_crashes` - number of unique crashes recorded -- `unique_hangs` - number of unique hangs encountered -- `last_path` - seconds since the last path was found +- `saved_crashes` - number of unique crashes recorded +- `saved_hangs` - number of unique hangs encountered +- `last_find` - seconds since the last find was found - `last_crash` - seconds since the last crash was found - `last_hang` - seconds since the last hang was found - `execs_since_crash` - execs since the last crash was found 
@@ -531,9 +531,9 @@ last crash > X, etc.). The selected metrics are a subset of all the metrics found in the status and in the plot file. The list is the following: `cycle_done`, `cycles_wo_finds`, -`execs_done`,`execs_per_sec`, `paths_total`, `paths_favored`, `paths_found`, -`paths_imported`, `max_depth`, `cur_path`, `pending_favs`, `pending_total`, -`variable_paths`, `unique_crashes`, `unique_hangs`, `total_crashes`, +`execs_done`,`execs_per_sec`, `corpus_count`, `corpus_favored`, `corpus_found`, +`corpus_imported`, `max_depth`, `cur_item`, `pending_favs`, `pending_total`, +`corpus_variable`, `saved_crashes`, `saved_hangs`, `total_crashes`, `slowest_exec_ms`, `edges_found`, `var_byte_count`, `havoc_expansion`. Their definitions can be found in the addendum above. diff --git a/docs/fuzzing_in_depth.md b/docs/fuzzing_in_depth.md index aaceb600..b280ca0a 100644 --- a/docs/fuzzing_in_depth.md +++ b/docs/fuzzing_in_depth.md @@ -11,7 +11,7 @@ Fuzzing source code is a three-step process: 2. Prepare the fuzzing by selecting and optimizing the input corpus for the target. 3. Perform the fuzzing of the target by randomly mutating input and assessing if - a generated input was processed in a new path in the target binary. + that input was processed on a new path in the target binary. ## 0. Common sense risks 
@@ -95,38 +95,43 @@ Clickable README links for the chosen compiler: * GCC/CLANG modes (afl-gcc/afl-clang) have no README as they have no own features -You can select the mode for the afl-cc compiler by: -1. use a symlink to afl-cc: afl-gcc, afl-g++, afl-clang, afl-clang++, +You can select the mode for the afl-cc compiler by one of the following methods: + +* Using a symlink to afl-cc: afl-gcc, afl-g++, afl-clang, afl-clang++, afl-clang-fast, afl-clang-fast++, afl-clang-lto, afl-clang-lto++, - afl-gcc-fast, afl-g++-fast (recommended!) -2. using the environment variable AFL_CC_COMPILER with MODE -3. passing --afl-MODE command line options to the compiler via - CFLAGS/CXXFLAGS/CPPFLAGS + afl-gcc-fast, afl-g++-fast (recommended!). +* Using the environment variable `AFL_CC_COMPILER` with `MODE`. +* Passing --afl-MODE command line options to the compiler via + `CFLAGS`/`CXXFLAGS`/`CPPFLAGS`. + +`MODE` can be one of the following: -MODE can be one of: LTO (afl-clang-lto*), LLVM (afl-clang-fast*), GCC_PLUGIN -(afl-g*-fast) or GCC (afl-gcc/afl-g++) or CLANG(afl-clang/afl-clang++). +* LTO (afl-clang-lto*) +* LLVM (afl-clang-fast*) +* GCC_PLUGIN (afl-g*-fast) or GCC (afl-gcc/afl-g++) +* CLANG(afl-clang/afl-clang++) Because no AFL++ specific command-line options are accepted (beside the --afl-MODE command), the compile-time tools make fairly broad use of environment -variables, which can be listed with `afl-cc -hh` or by reading +variables, which can be listed with `afl-cc -hh` or looked up in [env_variables.md](env_variables.md). ### b) Selecting instrumentation options -The following options are available when you instrument with LTO mode -(afl-clang-fast/afl-clang-lto): +If you instrument with LTO mode (afl-clang-fast/afl-clang-lto), the following +options are available: -* Splitting integer, string, float and switch comparisons so AFL++ can easier +* Splitting integer, string, float, and switch comparisons so AFL++ can easier solve these. 
This is an important option if you do not have a very good and - large input corpus. This technique is called laf-intel or COMPCOV. To use this - set the following environment variable before compiling the target: `export - AFL_LLVM_LAF_ALL=1` You can read more about this in + large input corpus. This technique is called laf-intel or COMPCOV. To use + this, set the following environment variable before compiling the target: + `export AFL_LLVM_LAF_ALL=1`. You can read more about this in [instrumentation/README.laf-intel.md](../instrumentation/README.laf-intel.md). * A different technique (and usually a better one than laf-intel) is to instrument the target so that any compare values in the target are sent to AFL++ which then tries to put these values into the fuzzing data at different locations. This technique is very fast and good - if the target does not - transform input data before comparison. Therefore this technique is called + transform input data before comparison. Therefore, this technique is called `input to state` or `redqueen`. If you want to use this technique, then you have to compile the target twice, once specifically with/for this mode by setting `AFL_LLVM_CMPLOG=1`, and pass this binary to afl-fuzz via the `-c` 
@@ -135,24 +140,25 @@ The following options are available when you instrument with LTO mode about this in [instrumentation/README.cmplog.md](../instrumentation/README.cmplog.md). -If you use LTO, LLVM or GCC_PLUGIN mode -(afl-clang-fast/afl-clang-lto/afl-gcc-fast) you have the option to selectively +If you use LTO, LLVM, or GCC_PLUGIN mode +(afl-clang-fast/afl-clang-lto/afl-gcc-fast), you have the option to selectively only instrument parts of the target that you are interested in: -* To instrument only those parts of the target that you are interested in create - a file with all the filenames of the source code that should be instrumented. - For afl-clang-lto and afl-gcc-fast - or afl-clang-fast if a mode other than - DEFAULT/PCGUARD is used or you have llvm > 10.0.0 - just put one filename or - function per line (no directory information necessary for filenames9, and - either set `export AFL_LLVM_ALLOWLIST=allowlist.txt` **or** `export - AFL_LLVM_DENYLIST=denylist.txt` - depending on if you want per default to - instrument unless noted (DENYLIST) or not perform instrumentation unless +* To instrument only those parts of the target that you are interested in, + create a file with all the filenames of the source code that should be + instrumented. For afl-clang-lto and afl-gcc-fast - or afl-clang-fast if a mode + other than DEFAULT/PCGUARD is used or you have llvm > 10.0.0 - just put one + filename or function per line (no directory information necessary for + filenames), and either set `export AFL_LLVM_ALLOWLIST=allowlist.txt` **or** + `export AFL_LLVM_DENYLIST=denylist.txt` - depending on if you want per default + to instrument unless noted (DENYLIST) or not perform instrumentation unless requested (ALLOWLIST). **NOTE:** During optimization functions might be inlined and then would not match! 
See - [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md) + [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md). There are many more options and modes available, however, these are most of the time less effective. See: + * [instrumentation/README.llvm.md#6) AFL++ Context Sensitive Branch Coverage](../instrumentation/README.llvm.md#6-afl-context-sensitive-branch-coverage) * [instrumentation/README.llvm.md#7) AFL++ N-Gram Branch Coverage](../instrumentation/README.llvm.md#7-afl-n-gram-branch-coverage) @@ -166,12 +172,13 @@ It is possible to use sanitizers when instrumenting targets for fuzzing, which allows you to find bugs that would not necessarily result in a crash. Note that sanitizers have a huge impact on CPU (= less executions per second) -and RAM usage. Also you should only run one afl-fuzz instance per sanitizer +and RAM usage. Also, you should only run one afl-fuzz instance per sanitizer type. This is enough because a use-after-free bug will be picked up, e.g., by ASAN (address sanitizer) anyway when syncing to other fuzzing instances, so not all fuzzing instances need to be instrumented with ASAN. The following sanitizers have built-in support in AFL++: + * ASAN = Address SANitizer, finds memory corruption vulnerabilities like use-after-free, NULL pointer dereference, buffer overruns, etc. Enabled with `export AFL_USE_ASAN=1` before compiling. 
@@ -184,7 +191,7 @@ The following sanitizers have built-in support in AFL++: with `export AFL_USE_UBSAN=1` before compiling. * CFISAN = Control Flow Integrity SANitizer, finds instances where the control flow is found to be illegal. Originally this was rather to prevent return - oriented programming exploit chains from functioning, in fuzzing this is + oriented programming exploit chains from functioning. In fuzzing, this is mostly reduced to detecting type confusion vulnerabilities - which is, however, one of the most important and dangerous C++ memory corruption classes! Enabled with `export AFL_USE_CFISAN=1` before compiling. 
@@ -227,20 +234,20 @@ All AFL++ compilers will set this preprocessor definition automatically. ### e) Instrumenting the target -In this step the target source code is compiled so that it can be fuzzed. +In this step, the target source code is compiled so that it can be fuzzed. -Basically you have to tell the target build system that the selected AFL++ +Basically, you have to tell the target build system that the selected AFL++ compiler is used. Also - if possible - you should always configure the build -system such that the target is compiled statically and not dynamically. How to -do this is described below. +system in such way that the target is compiled statically and not dynamically. +How to do this is described below. The #1 rule when instrumenting a target is: avoid instrumenting shared libraries -at all cost. You would need to set LD_LIBRARY_PATH to point to these, you could -accidentally type "make install" and install them system wide - so don't. Really -don't. **Always compile libraries you want to have instrumented as static and -link these to the target program!** +at all cost. You would need to set `LD_LIBRARY_PATH` to point to these, you +could accidentally type "make install" and install them system wide - so don't. +Really don't. **Always compile libraries you want to have instrumented as static +and link these to the target program!** -Then build the target. (Usually with `make`) +Then build the target. (Usually with `make`.) **NOTES** 
@@ -258,41 +265,49 @@ Then build the target. (Usually with `make`) #### configure -For `configure` build systems this is usually done by: +For `configure` build systems, this is usually done by: -`CC=afl-clang-fast CXX=afl-clang-fast++ ./configure --disable-shared` +``` +CC=afl-clang-fast CXX=afl-clang-fast++ ./configure --disable-shared +``` -Note that if you are using the (better) afl-clang-lto compiler you also have to -set AR to llvm-ar[-VERSION] and RANLIB to llvm-ranlib[-VERSION] - as is +Note that if you are using the (better) afl-clang-lto compiler, you also have to +set `AR` to llvm-ar[-VERSION] and `RANLIB` to llvm-ranlib[-VERSION] - as is described in [instrumentation/README.lto.md](../instrumentation/README.lto.md). -#### cmake +#### CMake -For `cmake` build systems this is usually done by: +For CMake build systems, this is usually done by: -`mkdir build; cd build; cmake -DCMAKE_C_COMPILER=afl-cc -DCMAKE_CXX_COMPILER=afl-c++ ..` +``` +mkdir build; cd build; cmake -DCMAKE_C_COMPILER=afl-cc -DCMAKE_CXX_COMPILER=afl-c++ .. +``` Note that if you are using the (better) afl-clang-lto compiler you also have to set AR to llvm-ar[-VERSION] and RANLIB to llvm-ranlib[-VERSION] - as is described in [instrumentation/README.lto.md](../instrumentation/README.lto.md). -#### meson +#### Meson Build System -For meson you have to set the AFL++ compiler with the very first command! -`CC=afl-cc CXX=afl-c++ meson` +For the Meson Build System, you have to set the AFL++ compiler with the very +first command! -#### other build systems or if configure/cmake didn't work +``` +CC=afl-cc CXX=afl-c++ meson +``` + +#### Other build systems or if configure/cmake didn't work -Sometimes cmake and configure do not pick up the AFL++ compiler, or the -ranlib/ar that is needed - because this was just not foreseen by the developer -of the target. Or they have non-standard options. 
Figure out if there is a -non-standard way to set this, otherwise set up the build normally and edit the -generated build environment afterwards manually to point it to the right -compiler (and/or ranlib and ar). +Sometimes `cmake` and `configure` do not pick up the AFL++ compiler or the +`RANLIB`/`AR` that is needed - because this was just not foreseen by the +developer of the target. Or they have non-standard options. Figure out if there +is a non-standard way to set this, otherwise set up the build normally and edit +the generated build environment afterwards manually to point it to the right +compiler (and/or `RANLIB` and `AR`). ### f) Better instrumentation -If you just fuzz a target program as-is you are wasting a great opportunity for +If you just fuzz a target program as-is, you are wasting a great opportunity for much more fuzzing speed. This variant requires the usage of afl-clang-lto, afl-clang-fast or @@ -304,7 +319,7 @@ that you want to fuzz, plus a few specific AFL++ functions around it. See [instrumentation/README.persistent_mode.md](../instrumentation/README.persistent_mode.md) for details. -Basically if you do not fuzz a target in persistent mode, then you are just +Basically, if you do not fuzz a target in persistent mode, then you are just doing it for a hobby and not professionally :-). ### g) libfuzzer fuzzer harnesses with LLVMFuzzerTestOneInput() 
@@ -354,20 +369,24 @@ You can find many good examples of starting files in the ### b) Making the input corpus unique Use the AFL++ tool `afl-cmin` to remove inputs from the corpus that do not -produce a new path in the target. +produce a new path/coverage in the target: -Put all files from step a) into one directory, e.g., INPUTS. +1. Put all files from [step a](#a-collecting-inputs) into one directory, e.g., INPUTS. +2. Run afl-cmin: + * If the target program is to be called by fuzzing as `bin/target -d + INPUTFILE`, set the INPUTFILE argument that the target program would read + from as `@@`: -If the target program is to be called by fuzzing as `bin/target -d INPUTFILE` -the run afl-cmin like this: + ``` + afl-cmin -i INPUTS -o INPUTS_UNIQUE -- bin/target -d @@ + ``` -`afl-cmin -i INPUTS -o INPUTS_UNIQUE -- bin/target -d @@` + * If the target reads from stdin instead, just omit the `@@` as this is the + default: -Note that the INPUTFILE argument that the target program would read from has to -be set as `@@`. - -If the target reads from stdin instead, just omit the `@@` as this is the -default. + ``` + afl-cmin -i INPUTS -o INPUTS_UNIQUE -- bin/target -d + ``` This step is highly recommended! @@ -385,14 +404,16 @@ for i in *; do done ``` -This step can also be parallelized, e.g., with `parallel`. Note that this step -is rather optional though. +This step can also be parallelized, e.g., with `parallel`. + +Note that this step is rather optional though. ### Done! -The INPUTS_UNIQUE/ directory from step b) - or even better the directory input/ -if you minimized the corpus in step c) - is the resulting input corpus directory -to be used in fuzzing! :-) +The INPUTS_UNIQUE/ directory from [step b](#b-making-the-input-corpus-unique) - +or even better the directory input/ if you minimized the corpus in +[step c](#c-minimizing-all-corpus-files) - is the resulting input corpus +directory to be used in fuzzing! :-) ## 3. Fuzzing the target 
@@ -405,28 +426,31 @@ seriously :-) ### a) Running afl-fuzz -Before you do even a test run of afl-fuzz execute `sudo afl-system-config` (on -the host if you execute afl-fuzz in a docker container). This reconfigures the +Before you do even a test run of afl-fuzz, execute `sudo afl-system-config` (on +the host if you execute afl-fuzz in a Docker container). This reconfigures the system for optimal speed - which afl-fuzz checks and bails otherwise. Set `export AFL_SKIP_CPUFREQ=1` for afl-fuzz to skip this check if you cannot run afl-system-config with root privileges on the host for whatever reason. -Note there is also `sudo afl-persistent-config` which sets additional permanent -boot options for a much better fuzzing performance. +Note: -Note that both scripts improve your fuzzing performance but also decrease your -system protection against attacks! So set strong firewall rules and only expose -SSH as a network service if you use these (which is highly recommended). +* There is also `sudo afl-persistent-config` which sets additional permanent + boot options for a much better fuzzing performance. +* Both scripts improve your fuzzing performance but also decrease your system + protection against attacks! So set strong firewall rules and only expose SSH + as a network service if you use these (which is highly recommended). -If you have an input corpus from step 2, then specify this directory with the -`-i` option. Otherwise, create a new directory and create a file with any -content as test data in there. +If you have an input corpus from [step 2](#2-preparing-the-fuzzing-campaign), +then specify this directory with the `-i` option. Otherwise, create a new +directory and create a file with any content as test data in there. 
If you do not want anything special, the defaults are already usually best, hence all you need is to specify the seed input directory with the result of -step [2a) Collect inputs](#a-collect-inputs): +step [2a) Collecting inputs](#a-collecting-inputs): -`afl-fuzz -i input -o output -- bin/target -d @@` +``` +afl-fuzz -i input -o output -- bin/target -d @@ +``` Note that the directory specified with `-o` will be created if it does not exist. @@ -444,7 +468,9 @@ If you need to stop and re-start the fuzzing, use the same command line options (or even change them by selecting a different power schedule or another mutation mode!) and switch the input directory with a dash (`-`): -`afl-fuzz -i - -o output -- bin/target -d @@` +``` +afl-fuzz -i - -o output -- bin/target -d @@ +``` Adding a dictionary is helpful. See the directory [dictionaries/](../dictionaries/) if something is already included for your data @@ -461,7 +487,7 @@ specific locations for the input file (`-f`), performing deterministic fuzzing We highly recommend that you set a memory limit for running the target with `-m` which defines the maximum memory in MB. This prevents a potential out-of-memory problem for your system plus helps you detect missing `malloc()` failure -handling in the target. Play around with various -m values until you find one +handling in the target. Play around with various `-m` values until you find one that safely works for all your input seeds (if you have good ones and then double or quadruple that. @@ -469,8 +495,8 @@ By default, afl-fuzz never stops fuzzing. To terminate AFL++, press Control-C or send a signal SIGINT. You can limit the number of executions or approximate runtime in seconds with options also. -When you start afl-fuzz you will see a user interface that shows what the status -is: +When you start afl-fuzz, you will see a user interface that shows what the +status is:  
@@ -570,7 +596,7 @@ its name is unique, hence the recommendation for `-M main-$HOSTNAME`. Now there are three strategies on how you can sync between the servers: * never: sounds weird, but this makes every server an island and has the chance - the each follow different paths into the target. You can make this even more + that each follow different paths into the target. You can make this even more interesting by even giving different seeds to each server. * regularly (~4h): this ensures that all fuzzing campaigns on the servers "see" the same thing. It is like fuzzing on a huge server. @@ -596,7 +622,8 @@ done ``` You can run this manually, per cron job - as you need it. There is a more -complex and configurable script in `utils/distributed_fuzzing`. +complex and configurable script in +[utils/distributed_fuzzing](../utils/distributed_fuzzing). ### e) The status of the fuzz campaign @@ -612,7 +639,7 @@ If you have multiple servers, then use the command after a sync or you have to execute this script per server. Another tool to inspect the current state and history of a specific instance is -afl-plot, which generates an index.html file and a graphs that show how the +afl-plot, which generates an index.html file and graphs that show how the fuzzing instance is performing. The syntax is `afl-plot instance_dir web_dir`, e.g., `afl-plot out/default /srv/www/htdocs/plot`. @@ -623,7 +650,7 @@ To stop an afl-fuzz run, press Control-C. To restart an afl-fuzz run, just reuse the same command line but replace the `-i directory` with `-i -` or set `AFL_AUTORESUME=1`. -If you want to add new seeds to a fuzzing campaign you can run a temporary +If you want to add new seeds to a fuzzing campaign, you can run a temporary fuzzing instance, e.g., when your main fuzzer is using `-o out` and the new seeds are in `newseeds/` directory: 
@@ -633,7 +660,7 @@ AFL_BENCH_JUST_ONE=1 AFL_FAST_CAL=1 afl-fuzz -i newseeds -o out -S newseeds -- . ### g) Checking the coverage of the fuzzing -The `paths found` value is a bad indicator for checking how good the coverage +The `corpus count` value is a bad indicator for checking how good the coverage is. A better indicator - if you use default llvm instrumentation with at least @@ -686,21 +713,21 @@ or honggfuzz. ### i) Improve the speed! * Use [persistent mode](../instrumentation/README.persistent_mode.md) (x2-x20 - speed increase) + speed increase). * If you do not use shmem persistent mode, use `AFL_TMPDIR` to point the input - file on a tempfs location, see [env_variables.md](env_variables.md) + file on a tempfs location, see [env_variables.md](env_variables.md). * Linux: Improve kernel performance: modify `/etc/default/grub`, set `GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=off l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs nopcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off"`; then `update-grub` and `reboot` (warning: makes the system more insecure) - you can - also just run `sudo afl-persistent-config` + also just run `sudo afl-persistent-config`. * Linux: Running on an `ext2` filesystem with `noatime` mount option will be a - bit faster than on any other journaling filesystem -* Use your cores! [3c) Using multiple cores](#c-using-multiple-cores) + bit faster than on any other journaling filesystem. +* Use your cores! See [3c) Using multiple cores](#c-using-multiple-cores). * Run `sudo afl-system-config` before starting the first afl-fuzz instance after - a reboot + a reboot. ### j) Going beyond crashes 
@@ -774,7 +801,7 @@ making it easier to diagnose faults. Having said that, it's important to acknowledge that some fuzzing crashes can be difficult to quickly evaluate for exploitability without a lot of debugging and code analysis work. To assist with this task, afl-fuzz supports a very unique -"crash exploration" mode enabled with the -C flag. +"crash exploration" mode enabled with the `-C` flag. In this mode, the fuzzer takes one or more crashing test cases as the input and uses its feedback-driven fuzzing strategies to very quickly enumerate all code @@ -800,19 +827,19 @@ mode, it will happily accept instrumented and non-instrumented binaries. In the non-crashing mode, the minimizer relies on standard AFL++ instrumentation to make the file simpler without altering the execution path. -The minimizer accepts the -m, -t, -f and @@ syntax in a manner compatible with -afl-fuzz. +The minimizer accepts the `-m`, `-t`, `-f`, and `@@` syntax in a manner +compatible with afl-fuzz. Another tool in AFL++ is the afl-analyze tool. It takes an input file, attempts -to sequentially flip bytes, and observes the behavior of the tested program. It -then color-codes the input based on which sections appear to be critical, and +to sequentially flip bytes and observes the behavior of the tested program. It +then color-codes the input based on which sections appear to be critical and which are not; while not bulletproof, it can often offer quick insights into complex file formats. ## 5. CI fuzzing -Some notes on CI fuzzing - this fuzzing is different to normal fuzzing campaigns -as these are much shorter runnings. +Some notes on continuous integration (CI) fuzzing - this fuzzing is different to +normal fuzzing campaigns as these are much shorter runnings. 1. Always: * LTO has a much longer compile time which is diametrical to short fuzzing - 
@@ -820,10 +847,10 @@ as these are much shorter runnings. * If you compile with CMPLOG, then you can save fuzzing time and reuse that compiled target for both the `-c` option and the main fuzz target. This will impact the speed by ~15% though. - * `AFL_FAST_CAL` - Enable fast calibration, this halves the time the + * `AFL_FAST_CAL` - enables fast calibration, this halves the time the saturated corpus needs to be loaded. - * `AFL_CMPLOG_ONLY_NEW` - only perform cmplog on new found paths, not the - initial corpus as this very likely has been done for them already. + * `AFL_CMPLOG_ONLY_NEW` - only perform cmplog on new finds, not the initial + corpus as this very likely has been done for them already. * Keep the generated corpus, use afl-cmin and reuse it every time! 2. Additionally randomize the AFL++ compilation options, e.g.: diff --git a/docs/resources/0_fuzzing_process_overview.drawio.svg b/docs/resources/0_fuzzing_process_overview.drawio.svg new file mode 100644 index 00000000..0cccee6f --- /dev/null +++ b/docs/resources/0_fuzzing_process_overview.drawio.svg 
@@ -0,0 +1,4 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- Do not edit this file with editors other than diagrams.net --> +<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> +<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="1037px" height="377px" viewBox="-0.5 -0.5 1037 377" content="<mxfile host="Electron" modified="2021-12-13T19:53:17.604Z" agent="5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) draw.io/15.8.7 Chrome/91.0.4472.164 Electron/13.6.2 Safari/537.36" etag="8yL_0DjEX3f8xBmLby7c" version="15.8.7" type="device"><diagram id="OVZjTGZe8BRyvyoDS4zM" name="0 - overview">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</diagram></mxfile>"><defs/><g><rect x="794" y="0" width="240" height="210" rx="6.3" ry="6.3" fill="none" stroke="rgb(0, 0, 0)" pointer-events="all"/><path d="M 1034 29.52 L 794 29.52" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><rect x="530" y="0.25" width="240" height="210" rx="6.3" ry="6.3" fill="none" stroke="rgb(0, 0, 0)" pointer-events="all"/><path d="M 770 29.52 L 530 29.52" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><rect x="266" y="0.25" width="240" height="210" rx="6.3" ry="6.3" fill="none" stroke="rgb(0, 0, 0)" pointer-events="all"/><rect x="266" y="0.25" width="240" height="30" fill="none" stroke="none" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 238px; height: 1px; padding-top: 15px; margin-left: 267px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; 
text-align: center;"><div style="display: inline-block; font-size: 14px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; font-weight: bold; white-space: normal; overflow-wrap: normal;"><span style="font-size: 14px">Prepare campaign</span></div></div></div></foreignObject><text x="386" y="19" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="14px" text-anchor="middle" font-weight="bold">Prepare campaign</text></switch></g><rect x="0" y="0" width="240" height="375" rx="7.2" ry="7.2" fill="none" stroke="rgb(0, 0, 0)" pointer-events="all"/><rect x="700" y="345" width="160" height="30" rx="4.5" ry="4.5" fill="none" stroke="#000000" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 360px; margin-left: 701px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 14px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Required task</div></div></div></foreignObject><text x="780" y="364" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="14px" text-anchor="middle">Required task</text></switch></g><rect x="874" y="345" width="160" height="30" rx="4.5" ry="4.5" fill="none" stroke="#000000" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" 
style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 360px; margin-left: 875px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 14px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Optional task</div></div></div></foreignObject><text x="954" y="364" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="14px" text-anchor="middle">Optional task</text></switch></g><path d="M 240 104.54 L 259.63 104.54" fill="none" stroke="#000000" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 264.88 104.54 L 257.88 108.04 L 259.63 104.54 L 257.88 101.04 Z" fill="#000000" stroke="#000000" stroke-miterlimit="10" pointer-events="all"/><path d="M 506 105.25 L 523.63 105.25" fill="none" stroke="#000000" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 528.88 105.25 L 521.88 108.75 L 523.63 105.25 L 521.88 101.75 Z" fill="#000000" stroke="#000000" stroke-miterlimit="10" pointer-events="all"/><path d="M 770 105.25 L 787.63 105.28" fill="none" stroke="#000000" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 792.88 105.28 L 785.88 108.77 L 787.63 105.28 L 785.89 101.77 Z" fill="#000000" stroke="#000000" stroke-miterlimit="10" pointer-events="all"/><path d="M 914 133.25 L 914 153.88" fill="none" stroke="#000000" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 914 159.13 L 910.5 152.13 L 914 153.88 L 917.5 152.13 Z" fill="#000000" stroke="#000000" stroke-miterlimit="10" pointer-events="all"/><rect x="824" y="103.25" width="180" height="30" rx="4.5" ry="4.5" fill="none" stroke="#000000" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" 
requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 118px; margin-left: 825px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 14px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#g-checking-the-coverage-of-the-fuzzing" style="font-size: 14px">Check coverage</a></div></div></div></foreignObject><text x="914" y="122" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="14px" text-anchor="middle">Check coverage</text></switch></g><path d="M 914 75.75 L 914 95.86 L 914 83.29 L 914 96.88" fill="none" stroke="#000000" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 914 102.13 L 910.5 95.13 L 914 96.88 L 917.5 95.13 Z" fill="#000000" stroke="#000000" stroke-miterlimit="10" pointer-events="all"/><rect x="824" y="45.75" width="180" height="30" rx="4.5" ry="4.5" fill="none" stroke="#000000" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 61px; margin-left: 825px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 14px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 
1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#e-the-status-of-the-fuzz-campaign" style="font-size: 14px">Monitor status</a></div></div></div></foreignObject><text x="914" y="65" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="14px" text-anchor="middle">Monitor status</text></switch></g><rect x="824" y="160.25" width="180" height="30" rx="4.5" ry="4.5" fill="none" stroke="#000000" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 175px; margin-left: 825px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 14px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#4-triaging-crashes" style="font-size: 14px">Triage crashes</a></div></div></div></foreignObject><text x="914" y="179" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="14px" text-anchor="middle">Triage crashes</text></switch></g><path d="M 650 132.75 L 650 152.86 L 650 140.86 L 650 154.38" fill="none" stroke="#000000" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 650 159.63 L 646.5 152.63 L 650 154.38 L 653.5 152.63 Z" fill="#000000" stroke="#000000" stroke-miterlimit="10" pointer-events="all"/><rect x="560" y="102.75" width="180" height="30" rx="4.5" ry="4.5" fill="none" stroke="#000000" stroke-dasharray="3 3" pointer-events="all"/><g 
transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 118px; margin-left: 561px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 14px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#c-using-multiple-cores" style="font-size: 14px">Use multiple cores</a></div></div></div></foreignObject><text x="650" y="122" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="14px" text-anchor="middle">Use multiple cores</text></switch></g><rect x="560" y="160.75" width="180" height="31" rx="4.65" ry="4.65" fill="none" stroke="#000000" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 176px; margin-left: 561px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 14px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a 
href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#d-using-multiple-machines-for-fuzzing" style="font-size: 14px">Use multiple machines</a></div></div></div></foreignObject><text x="650" y="180" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="14px" text-anchor="middle">Use multiple machines</text></switch></g><rect x="560" y="42.75" width="180" height="30" rx="4.5" ry="4.5" fill="none" stroke="#000000" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 58px; margin-left: 561px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 14px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#a-running-afl-fuzz" style="font-size: 14px">Run <font style="font-size: 14px">afl-fuzz</font></a></div></div></div></foreignObject><text x="650" y="62" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="14px" text-anchor="middle">Run afl-fuzz</text></switch></g><path d="M 650 72.75 L 650 92.86 L 650 82.86 L 650 96.38" fill="none" stroke="#000000" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 650 101.63 L 646.5 94.63 L 650 96.38 L 653.5 94.63 Z" fill="#000000" stroke="#000000" stroke-miterlimit="10" pointer-events="all"/><path d="M 386 132.75 L 386 152.86 L 386 141.86 L 386 155.38" fill="none" stroke="#000000" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 386 160.63 L 382.5 153.63 L 386 155.38 
L 389.5 153.63 Z" fill="#000000" stroke="#000000" stroke-miterlimit="10" pointer-events="all"/><rect x="296" y="102.75" width="180" height="30" rx="4.5" ry="4.5" fill="none" stroke="#000000" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 118px; margin-left: 297px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 14px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#b-making-the-input-corpus-unique" style="font-size: 14px">Make input corpus unique</a></div></div></div></foreignObject><text x="386" y="122" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="14px" text-anchor="middle">Make input corpus unique</text></switch></g><rect x="296" y="161.75" width="180" height="30" rx="4.5" ry="4.5" fill="none" stroke="#000000" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 177px; margin-left: 297px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: 
inline-block; font-size: 14px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#c-minimizing-all-corpus-files" style="font-size: 14px">Minimize corpus file</a></div></div></div></foreignObject><text x="386" y="181" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="14px" text-anchor="middle">Minimize corpus file</text></switch></g><rect x="296" y="42.75" width="180" height="30" rx="4.5" ry="4.5" fill="none" stroke="#000000" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 58px; margin-left: 297px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 14px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#a-collecting-inputs" style="font-size: 14px">Collect inputs</a></div></div></div></foreignObject><text x="386" y="62" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="14px" text-anchor="middle">Collect inputs</text></switch></g><path d="M 386 72.75 L 386 92.86 L 386 82.86 L 386 96.38" fill="none" stroke="#000000" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 386 101.63 L 382.5 94.63 L 386 96.38 L 389.5 94.63 Z" fill="#000000" stroke="#000000" stroke-miterlimit="10" pointer-events="all"/><path d="M 120 73 L 120 95.63" fill="none" stroke="rgb(0, 0, 0)" 
stroke-miterlimit="10" pointer-events="stroke"/><path d="M 120 100.88 L 116.5 93.88 L 120 95.63 L 123.5 93.88 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all"/><rect x="30" y="43" width="180" height="30" rx="4.5" ry="4.5" fill="none" stroke="#000000" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 58px; margin-left: 31px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 14px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#a-selecting-the-best-afl-compiler-for-instrumenting-the-target" style="font-size: 14px">Select compiler</a></div></div></div></foreignObject><text x="120" y="62" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="14px" text-anchor="middle">Select compiler</text></switch></g><path d="M 120 132 L 120 154.63" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 120 159.88 L 116.5 152.88 L 120 154.63 L 123.5 152.88 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all"/><rect x="30" y="102" width="180" height="30" rx="4.5" ry="4.5" fill="none" stroke="#000000" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; 
text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 117px; margin-left: 31px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 14px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#b-selecting-instrumentation-options" style="font-size: 14px">Select options</a></div></div></div></foreignObject><text x="120" y="121" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="14px" text-anchor="middle">Select options</text></switch></g><path d="M 120 191 L 120 213.63" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 120 218.88 L 116.5 211.88 L 120 213.63 L 123.5 211.88 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all"/><rect x="30" y="161" width="180" height="30" rx="4.5" ry="4.5" fill="none" stroke="#000000" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 176px; margin-left: 31px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 14px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a 
href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#c-selecting-sanitizers" style="font-size: 14px">Select sanitizer</a></div></div></div></foreignObject><text x="120" y="180" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="14px" text-anchor="middle">Select sanitizer</text></switch></g><path d="M 120 303 L 120 321.63" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 120 326.88 L 116.5 319.88 L 120 321.63 L 123.5 319.88 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all"/><rect x="30" y="274" width="180" height="29" rx="4.35" ry="4.35" fill="none" stroke="#000000" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 289px; margin-left: 31px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 14px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#e-instrumenting-the-target" style="font-size: 14px">Compile target source code</a></div></div></div></foreignObject><text x="120" y="293" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="14px" text-anchor="middle">Compile target source code</text></switch></g><rect x="30" y="328" width="180" height="30" rx="4.5" ry="4.5" fill="none" stroke="#000000" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" 
width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 343px; margin-left: 31px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 14px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#g-libfuzzer-fuzzer-harnesses-with-llvmfuzzertestoneinput" style="font-size: 14px">Write and compile harness</a></div></div></div></foreignObject><text x="120" y="347" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="14px" text-anchor="middle">Write and compile harness</text></switch></g><path d="M 120 250 L 120 267.63" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 120 272.88 L 116.5 265.88 L 120 267.63 L 123.5 265.88 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all"/><rect x="30" y="220" width="180" height="30" rx="4.5" ry="4.5" fill="none" stroke="#000000" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 235px; margin-left: 31px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 14px; 
font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#d-modifying-the-target" style="font-size: 14px">Modify target</a></div></div></div></foreignObject><text x="120" y="239" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="14px" text-anchor="middle">Modify target</text></switch></g><rect x="0" y="0" width="240" height="30" fill="none" stroke="none" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 238px; height: 1px; padding-top: 15px; margin-left: 1px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 14px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; font-weight: bold; white-space: normal; overflow-wrap: normal;">Instrument target</div></div></div></foreignObject><text x="120" y="19" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="14px" text-anchor="middle" font-weight="bold">Instrument target</text></switch></g><rect x="530" y="0.25" width="240" height="30" fill="none" stroke="none" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 238px; height: 1px; padding-top: 15px; margin-left: 531px;"><div 
data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 14px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; font-weight: bold; white-space: normal; overflow-wrap: normal;"><span style="font-size: 14px">Fuzz target</span></div></div></div></foreignObject><text x="650" y="19" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="14px" text-anchor="middle" font-weight="bold">Fuzz target</text></switch></g><rect x="794" y="0" width="240" height="30" fill="none" stroke="none" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 238px; height: 1px; padding-top: 15px; margin-left: 795px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 14px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; font-weight: bold; white-space: normal; overflow-wrap: normal;"><span style="font-size: 14px">Manage campaign</span></div></div></div></foreignObject><text x="914" y="19" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="14px" text-anchor="middle" font-weight="bold">Manage campaign</text></switch></g><path d="M 240 30 L 0 30" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 506 29.52 L 266 29.52" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/></g><switch><g requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"/><a transform="translate(0,-5)" 
xlink:href="https://www.diagrams.net/doc/faq/svg-export-text-problems" target="_blank"><text text-anchor="middle" font-size="10px" x="50%" y="100%">Viewer does not support full SVG 1.1</text></a></switch></svg> \ No newline at end of file diff --git a/docs/resources/1_instrument_target.drawio.svg b/docs/resources/1_instrument_target.drawio.svg new file mode 100644 index 00000000..9e2d8734 --- /dev/null +++ b/docs/resources/1_instrument_target.drawio.svg 
@@ -0,0 +1,4 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- Do not edit this file with editors other than diagrams.net --> +<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> +<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="1023px" height="292px" viewBox="-0.5 -0.5 1023 292" content="<mxfile host="Electron" modified="2021-12-13T19:42:03.193Z" agent="5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) draw.io/15.8.7 Chrome/91.0.4472.164 Electron/13.6.2 Safari/537.36" etag="hdewpv168W63eKmEhDdv" version="15.8.7" type="device"><diagram name="1 - instrument target" id="y32N0Cs56pMhbVcY_pYT">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</diagram></mxfile>"><defs/><g><rect x="390" y="0" width="240" height="30" fill="none" stroke="none" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 238px; height: 1px; padding-top: 15px; margin-left: 391px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; font-weight: bold; white-space: normal; overflow-wrap: normal;"><span>Instrument target</span></div></div></div></foreignObject><text x="510" y="19" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle" font-weight="bold">Instrument target</text></switch></g><rect x="686" y="260" width="160" height="30" rx="3.6" ry="3.6" fill="none" stroke="#000000" pointer-events="all"/><g transform="translate(-0.5 
-0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 275px; margin-left: 687px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Required task</div></div></div></foreignObject><text x="766" y="279" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Required task</text></switch></g><rect x="860" y="260" width="160" height="30" rx="3.6" ry="3.6" fill="none" stroke="#000000" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 275px; margin-left: 861px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Optional task</div></div></div></foreignObject><text x="940" y="279" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Optional task</text></switch></g><path d="M 390 139.5 L 413.63 139.5" fill="none" stroke="#000000" stroke-miterlimit="10" 
pointer-events="stroke"/><path d="M 418.88 139.5 L 411.88 143 L 413.63 139.5 L 411.88 136 Z" fill="#000000" stroke="#000000" stroke-miterlimit="10" pointer-events="all"/><path d="M 180 139.66 L 203.63 139.66" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 208.88 139.66 L 201.88 143.16 L 203.63 139.66 L 201.88 136.16 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all"/><rect x="0" y="40" width="180" height="200" rx="9" ry="9" fill="none" stroke="#000000" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 47px; margin-left: 1px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#a-selecting-the-best-afl-compiler-for-instrumenting-the-target">Select compiler</a><br /><br />LTO mode<br />(<span>clang/clang++ 11+</span><span>)</span><br /><br />LLVM mode<br />(<span>clang/clang++ 3.8+</span><span>)</span><br /><br />GCC_PLUGIN mode<br />(<span>gcc 5+</span><span>)</span><br /><br />GCC/CLANG mode<br />(other)</div></div></div></foreignObject><text x="90" y="59" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Select compiler...</text></switch></g><rect x="210" y="40" width="180" height="200" rx="9" ry="9" fill="none" stroke="#000000" stroke-dasharray="3 3" 
pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 47px; margin-left: 211px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#b-selecting-instrumentation-options">Select options</a><br /><br />Select options depending on<br />the compiler:<br /><br />COMPCOV<br />(only LTO)<br /><br />CmpLog<br />(only LTO)<br /><br />selective instrumentation<br />(LTO, LLVM, GCC_PLUGIN)</div></div></div></foreignObject><text x="300" y="59" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Select options...</text></switch></g><path d="M 600 140 L 620 140 L 610 140 L 623.63 140" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 628.88 140 L 621.88 143.5 L 623.63 140 L 621.88 136.5 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all"/><rect x="420" y="40" width="180" height="200" rx="9" ry="9" fill="none" stroke="#000000" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; 
justify-content: unsafe center; width: 178px; height: 1px; padding-top: 47px; margin-left: 421px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#c-selecting-sanitizers">Select sanitizer</a><br /><br />Select one sanitizer<br />per instance:<br /><br />ASAN<br />CFISAN<br />LSAN<br />MSAN<br />TSAN<br />UBSAN</div></div></div></foreignObject><text x="510" y="59" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Select sanitizer...</text></switch></g><rect x="840" y="40" width="180" height="200" rx="9" ry="9" fill="none" stroke="#000000" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 47px; margin-left: 841px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#e-instrumenting-the-target">Compile target source code</a><br /><br />Compile target source code depending on the build system:<br /><br />configure<br />CMake<br />Meson Build System<br />other</div></div></div></foreignObject><text x="930" y="59" fill="rgb(0, 
0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Compile target source code...</text></switch></g><path d="M 810 140 L 830 140 L 820 140 L 833.63 140" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 838.88 140 L 831.88 143.5 L 833.63 140 L 831.88 136.5 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all"/><rect x="630" y="40" width="180" height="200" rx="9" ry="9" fill="none" stroke="#000000" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 47px; margin-left: 631px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#d-modifying-the-target">Modify target</a><br /><br />All AFL++ compilers<br />do this automatically.<br /></div></div></div></foreignObject><text x="720" y="59" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Modify target...</text></switch></g><path d="M 0 68 L 180 68" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 210 68 L 390 68" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 420 68 L 600 68" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 630 68 L 810 68" fill="none" 
stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 840 68 L 1020 68" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/></g><switch><g requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"/><a transform="translate(0,-5)" xlink:href="https://www.diagrams.net/doc/faq/svg-export-text-problems" target="_blank"><text text-anchor="middle" font-size="10px" x="50%" y="100%">Viewer does not support full SVG 1.1</text></a></switch></svg> \ No newline at end of file diff --git a/docs/resources/2_prepare_campaign.drawio.svg b/docs/resources/2_prepare_campaign.drawio.svg new file mode 100644 index 00000000..92cc61c0 --- /dev/null +++ b/docs/resources/2_prepare_campaign.drawio.svg 
@@ -0,0 +1,4 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- Do not edit this file with editors other than diagrams.net --> +<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> +<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="602px" height="182px" viewBox="-0.5 -0.5 602 182" content="<mxfile host="Electron" modified="2021-12-13T19:46:53.705Z" agent="5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) draw.io/15.8.7 Chrome/91.0.4472.164 Electron/13.6.2 Safari/537.36" etag="j3HrbIjtiP4yXzQi70w6" version="15.8.7" type="device"><diagram name="2 - prepare campaign" id="dejA2OcQ2wkmtmh7vij0">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</diagram></mxfile>"><defs/><g><rect x="180" y="0" width="240" height="30" fill="none" stroke="none" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 238px; height: 1px; padding-top: 15px; margin-left: 181px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; font-weight: bold; white-space: normal; overflow-wrap: normal;"><span>Prepare campaign</span></div></div></div></foreignObject><text x="300" y="19" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle" font-weight="bold">Prepare campaign</text></switch></g><rect x="266" y="140" width="160" height="30" rx="4.5" ry="4.5" fill="none" stroke="#000000" pointer-events="all"/><g transform="translate(-0.5 
-0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 155px; margin-left: 267px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Required task</div></div></div></foreignObject><text x="346" y="159" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Required task</text></switch></g><rect x="440" y="140" width="160" height="30" rx="4.5" ry="4.5" fill="none" stroke="#000000" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 155px; margin-left: 441px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Optional task</div></div></div></foreignObject><text x="520" y="159" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Optional task</text></switch></g><path d="M 390 80.03 L 410.03 80.03 L 400.03 80.03 L 413.63 80.03" fill="none" stroke="#000000" 
stroke-miterlimit="10" pointer-events="stroke"/><path d="M 418.88 80.03 L 411.88 83.53 L 413.63 80.03 L 411.88 76.53 Z" fill="#000000" stroke="#000000" stroke-miterlimit="10" pointer-events="all"/><rect x="210" y="40" width="180" height="80" rx="5.6" ry="5.6" fill="none" stroke="#000000" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 47px; margin-left: 211px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#b-making-the-input-corpus-unique">Make input corpus unique</a><br /><br /><br />Use <font face="Courier New">afl-cmin</font> on input corpus.</div></div></div></foreignObject><text x="300" y="59" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Make input corpus unique...</text></switch></g><rect x="420" y="40" width="180" height="80" rx="5.6" ry="5.6" fill="none" stroke="#000000" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 47px; 
margin-left: 421px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#c-minimizing-all-corpus-files">Minimize corpus file</a><br /><br /><br />Use <font face="Courier New">afl-tmin</font> on input files.</div></div></div></foreignObject><text x="510" y="59" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Minimize corpus file...</text></switch></g><path d="M 180 80.03 L 200.03 80.03 L 190.03 80.03 L 203.63 80.03" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 208.88 80.03 L 201.88 83.53 L 203.63 80.03 L 201.88 76.53 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all"/><rect x="0" y="40" width="180" height="80" rx="5.6" ry="5.6" fill="none" stroke="#000000" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 47px; margin-left: 1px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#a-collecting-inputs">Collect inputs</a><br /><br /><br 
/><div style="text-align: left">Collect one or more input files.<br /></div></div></div></div></foreignObject><text x="90" y="59" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Collect inputs...</text></switch></g><path d="M 0 68 L 180 68" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 420 68 L 600 68" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 210 68 L 390 68" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/></g><switch><g requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"/><a transform="translate(0,-5)" xlink:href="https://www.diagrams.net/doc/faq/svg-export-text-problems" target="_blank"><text text-anchor="middle" font-size="10px" x="50%" y="100%">Viewer does not support full SVG 1.1</text></a></switch></svg> \ No newline at end of file diff --git a/docs/resources/3_fuzz_target.drawio.svg b/docs/resources/3_fuzz_target.drawio.svg new file mode 100644 index 00000000..a4e5c940 --- /dev/null +++ b/docs/resources/3_fuzz_target.drawio.svg 
@@ -0,0 +1,4 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- Do not edit this file with editors other than diagrams.net --> +<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> +<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="602px" height="321px" viewBox="-0.5 -0.5 602 321" content="<mxfile host="Electron" modified="2021-12-13T19:53:35.794Z" agent="5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) draw.io/15.8.7 Chrome/91.0.4472.164 Electron/13.6.2 Safari/537.36" etag="jM13QVAaX0ZLxAkZ9sC7" version="15.8.7" type="device"><diagram name="3 - fuzz target" id="5ivncerJTzjQBJIEBaCC">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</diagram></mxfile>"><defs/><g><rect x="180" y="0" width="240" height="30" fill="none" stroke="none" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 238px; height: 1px; padding-top: 15px; margin-left: 181px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; font-weight: bold; white-space: normal; overflow-wrap: normal;">Fuzz target</div></div></div></foreignObject><text x="300" y="19" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle" font-weight="bold">Fuzz target</text></switch></g><rect x="266" y="290" width="160" height="30" rx="4.5" ry="4.5" fill="none" stroke="#000000" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject 
pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 305px; margin-left: 267px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Required task</div></div></div></foreignObject><text x="346" y="309" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Required task</text></switch></g><rect x="440" y="290" width="160" height="30" rx="4.5" ry="4.5" fill="none" stroke="#000000" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 305px; margin-left: 441px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Optional task</div></div></div></foreignObject><text x="520" y="309" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Optional task</text></switch></g><path d="M 390 154.5 L 413.63 154.5" fill="none" stroke="#000000" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 418.88 
154.5 L 411.88 158 L 413.63 154.5 L 411.88 151 Z" fill="#000000" stroke="#000000" stroke-miterlimit="10" pointer-events="all"/><path d="M 180 154.5 L 203.63 154.5" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 208.88 154.5 L 201.88 158 L 203.63 154.5 L 201.88 151 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all"/><rect x="210" y="40" width="180" height="230" rx="9" ry="9" fill="none" stroke="#000000" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 47px; margin-left: 211px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#c-using-multiple-cores">Use multiple cores</a><br /><br />Fuzz one target with<br />multiple instances:<br /><br />One main fuzzer:<br /><font face="Courier New">-M main<br /></font><br />Secondary fuzzers:<br /><font face="Courier New">-S variant1</font><br /><br />Use up to 32/64 cores<br />on each machine.<br /><br />Cache test cases.</div></div></div></foreignObject><text x="300" y="59" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Use multiple cores...</text></switch></g><rect x="420" y="40" width="180" height="230" rx="9" ry="9" fill="none" stroke="#000000" stroke-dasharray="3 3" pointer-events="all"/><g 
transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 47px; margin-left: 421px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#d-using-multiple-machines-for-fuzzing">Use multiple machines</a><br /><br />Fuzz one target with<br />multiple machines:<br /><br />One main fuzzer per server:<br /><font face="Courier New">-M main<br /></font><br />Secondary fuzzers:<br /><font face="Courier New">-S variant1</font><br /><br />Sync between the servers.</div></div></div></foreignObject><text x="510" y="59" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Use multiple machines...</text></switch></g><rect x="0" y="40" width="180" height="230" rx="9" ry="9" fill="none" stroke="#000000" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 47px; margin-left: 1px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; 
font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#a-running-afl-fuzz">Run <font>afl-fuzz</font></a><br /><br />Reconfigure the<br />system for optimal speed.<br /><br />Specify the input corpus directory.<br /><br />Add a dictionary.<br /><br />Set a memory limit.</div></div></div></foreignObject><text x="90" y="59" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Run afl-fuzz...</text></switch></g><path d="M 0 68 L 180 68" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 210 68 L 390 68" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 420 68 L 600 68" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/></g><switch><g requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"/><a transform="translate(0,-5)" xlink:href="https://www.diagrams.net/doc/faq/svg-export-text-problems" target="_blank"><text text-anchor="middle" font-size="10px" x="50%" y="100%">Viewer does not support full SVG 1.1</text></a></switch></svg> \ No newline at end of file diff --git a/docs/resources/4_manage_campaign.drawio.svg b/docs/resources/4_manage_campaign.drawio.svg new file mode 100644 index 00000000..dae9fbf9 --- /dev/null +++ b/docs/resources/4_manage_campaign.drawio.svg 
@@ -0,0 +1,4 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- Do not edit this file with editors other than diagrams.net --> +<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> +<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="812px" height="248px" viewBox="-0.5 -0.5 812 248" content="<mxfile host="Electron" modified="2021-12-13T19:48:46.524Z" agent="5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) draw.io/15.8.7 Chrome/91.0.4472.164 Electron/13.6.2 Safari/537.36" etag="b0WrXWq9J19mvUe3cyls" version="15.8.7" type="device"><diagram name="4 - manage campaign" id="Y3go6SgXnJCvyWpIHdu5">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</diagram></mxfile>"><defs/><g><rect x="210" y="40" width="180" height="160" rx="8" ry="8" fill="none" stroke="#000000" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 47px; margin-left: 211px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#g-checking-the-coverage-of-the-fuzzing">Check coverage</a><br /><br />Use <font face="Courier New">afl-showmap</font> to get<br />code coverage statistics.<br /><br />Use <font face="Courier New">afl-cov</font> to generate an HTML report on 
coverage.</div></div></div></foreignObject><text x="300" y="59" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Check coverage...</text></switch></g><rect x="290" y="0" width="240" height="30" fill="none" stroke="none" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 238px; height: 1px; padding-top: 15px; margin-left: 291px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; font-weight: bold; white-space: normal; overflow-wrap: normal;"><span>Manage campaign</span></div></div></div></foreignObject><text x="410" y="19" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle" font-weight="bold">Manage campaign</text></switch></g><rect x="476" y="217" width="160" height="30" rx="4.5" ry="4.5" fill="none" stroke="#000000" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 232px; margin-left: 477px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: 
all; white-space: normal; overflow-wrap: normal;">Required task</div></div></div></foreignObject><text x="556" y="236" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Required task</text></switch></g><rect x="650" y="217" width="160" height="30" rx="4.5" ry="4.5" fill="none" stroke="#000000" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 232px; margin-left: 651px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Optional task</div></div></div></foreignObject><text x="730" y="236" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Optional task</text></switch></g><path d="M 390 119.5 L 413.63 119.5" fill="none" stroke="#000000" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 418.88 119.5 L 411.88 123 L 413.63 119.5 L 411.88 116 Z" fill="#000000" stroke="#000000" stroke-miterlimit="10" pointer-events="all"/><path d="M 180 119.5 L 203.63 119.5" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 208.88 119.5 L 201.88 123 L 203.63 119.5 L 201.88 116 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all"/><rect x="0" y="40" width="180" height="160" rx="8" ry="8" fill="none" stroke="#000000" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject 
pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 47px; margin-left: 1px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#e-the-status-of-the-fuzz-campaign">Monitor status</a><br /><br />Use <font face="Courier New">afl-whatsup</font> to show the status of the fuzzing campaign.<br /><br />Use <font face="Courier New">afl-plot</font> to generate an HTML report with graphs.</div></div></div></foreignObject><text x="90" y="59" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Monitor status...</text></switch></g><path d="M 600 120 L 620 120 L 610 120 L 623.63 120" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 628.88 120 L 621.88 123.5 L 623.63 120 L 621.88 116.5 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all"/><rect x="420" y="40" width="180" height="160" rx="8" ry="8" fill="none" stroke="#000000" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 47px; margin-left: 421px;"><div 
data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#4-triaging-crashes">Triage crashes</a><br /><br />Use <font face="Courier New">afl-fuzz</font> with <font face="Courier New">-C</font> flag to run crash exploration mode.<br /><br />Use <font face="Courier New">afl-tmin</font> on test cases<br />for minimization.<br /><br />Use <font face="Courier New">afl-analyze</font> to find<br />critical sections in test cases.</div></div></div></foreignObject><text x="510" y="59" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Triage crashes...</text></switch></g><rect x="630" y="40" width="180" height="160" rx="8" ry="8" fill="none" stroke="#000000" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 47px; margin-left: 631px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><u>Start new campaign </u><br /><br />Stop instances without<br />crashes.<br /><br />Start new instances with<br />different options.<br /><br />Select new test cases<br />based on insights.</div></div></div></foreignObject><text x="720" y="59" 
fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Start new campaign...</text></switch></g><path d="M 0 68 L 180 68" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 210 68 L 390 68" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 420 68 L 600 68" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 630 68 L 810 68" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/></g><switch><g requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"/><a transform="translate(0,-5)" xlink:href="https://www.diagrams.net/doc/faq/svg-export-text-problems" target="_blank"><text text-anchor="middle" font-size="10px" x="50%" y="100%">Viewer does not support full SVG 1.1</text></a></switch></svg> \ No newline at end of file diff --git a/docs/resources/grafana-afl++.json b/docs/resources/grafana-afl++.json index 96e824de..7afe89b1 100644 --- a/docs/resources/grafana-afl++.json +++ b/docs/resources/grafana-afl++.json @@ -926,7 +926,7 @@ "steppedLine": false, "targets": [ { - "expr": "fuzzing{type=\"cur_path\"}", + "expr": "fuzzing{type=\"cur_item\"}", "interval": "", "legendFormat": "", "refId": "A" @@ -936,7 +936,7 @@ "timeFrom": null, "timeRegions": [], "timeShift": null, - "title": "Curent path", + "title": "Current fuzz item", "tooltip": { "shared": true, "sort": 0, @@ -1116,7 +1116,7 @@ "steppedLine": false, "targets": [ { - "expr": "fuzzing{type=\"paths_favored\"}", + "expr": "fuzzing{type=\"corpus_favored\"}", "interval": "", "legendFormat": "", "refId": "A" @@ -1135,7 +1135,7 @@ } ], "timeShift": null, - "title": "Path Favored", + "title": "Corpus Favored", "tooltip": { "shared": true, "sort": 0, 
@@ -1428,7 +1428,7 @@ "steppedLine": false, "targets": [ { - "expr": "fuzzing{type=\"paths_imported\"}", + "expr": "fuzzing{type=\"corpus_imported\"}", "interval": "", "legendFormat": "", "refId": "A" @@ -1447,7 +1447,7 @@ } ], "timeShift": null, - "title": "Path Imported", + "title": "Corpus Imported", "tooltip": { "shared": true, "sort": 0, diff --git a/docs/rpc_statsd.md b/docs/rpc_statsd.md index 003b9c79..d8f0fb67 100644 --- a/docs/rpc_statsd.md +++ b/docs/rpc_statsd.md @@ -26,7 +26,7 @@ StatsD allows you to receive and aggregate metrics from a wide range of applications and retransmit them to a backend of your choice. From AFL++, StatsD can receive the following metrics: -- cur_path +- cur_item - cycle_done - cycles_wo_finds - edges_found @@ -34,18 +34,18 @@ From AFL++, StatsD can receive the following metrics: - execs_per_sec - havoc_expansion - max_depth -- paths_favored -- paths_found -- paths_imported -- paths_total +- corpus_favored +- corpus_found +- corpus_imported +- corpus_count - pending_favs - pending_total - slowest_exec_ms - total_crashes -- unique_crashes -- unique_hangs +- saved_crashes +- saved_hangs - var_byte_count -- variable_paths +- corpus_variable Depending on your StatsD server, you will be able to monitor, trigger alerts, or perform actions based on these metrics (for example: alert on slow exec/s for a diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c index 41162f2a..b51cb697 100644 --- a/frida_mode/src/instrument/instrument_x64.c +++ b/frida_mode/src/instrument/instrument_x64.c @@ -45,7 +45,9 @@ static gboolean instrument_coverage_in_range(gssize offset) { } - #pragma pack(push, 1) + #ifdef __APPLE__ + #pragma pack(push, 1) + typedef struct { // cur_location = (block_address >> 4) ^ (block_address << 8); 
@@ -58,7 +60,7 @@ typedef struct { // mov QWORD PTR [rsp-0x90],rbx // mov eax,DWORD PTR [rip+0x333d5a] # 0x7ffff6ff2740 // mov DWORD PTR [rip+0x333d3c],0x9fbb # 0x7ffff6ff2740 - // xor eax,0x103f77 + // lea rax,[rip + 0x103f77] // mov bl,BYTE PTR [rax] // add bl,0x1 // adc bl,0x0 @@ -76,7 +78,7 @@ typedef struct { uint8_t mov_eax_prev_loc[6]; uint8_t mov_prev_loc_curr_loc_shr1[10]; - uint8_t xor_eax_curr_loc[5]; + uint8_t leax_eax_curr_loc[7]; uint8_t mov_rbx_ptr_rax[2]; uint8_t add_bl_1[3]; 
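Review bot: The new field name `leax_eax_curr_loc` does not describe the instruction it holds: the comment changed in the preceding hunk (`lea rax,[rip + 0x103f77]`) and the `0x48, 0x8d, 0x05` prefix in the template of the next hunk encode `lea rax,[rip+disp32]`, which writes `rax`, not `eax`, and "leax" reads like a typo. The sibling fields follow an `op_dst_src` pattern (`mov_eax_prev_loc`, `mov_rbx_ptr_rax`), so `uint8_t lea_rax_curr_loc[7];` would fit, with the designated initializer in `template` and the `offsetof`/`sizeof` uses in `instrument_coverage_optimize` renamed to match. The struct this field belongs to starts and ends outside this hunk.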
@@ -90,14 +92,81 @@ typedef struct { } afl_log_code_asm_t; - #pragma pack(pop) + #pragma pack(pop) -typedef union { +static const afl_log_code_asm_t template = + { - afl_log_code_asm_t code; - uint8_t bytes[0]; + .mov_rax_rsp_88 = {0x48, 0x89, 0x84, 0x24, 0x78, 0xFF, 0xFF, 0xFF}, + .lahf = 0x9f, + .mov_rax_rsp_90 = {0x48, 0x89, 0x84, 0x24, 0x70, 0xFF, 0xFF, 0xFF}, + .mov_rbx_rsp_98 = {0x48, 0x89, 0x9C, 0x24, 0x68, 0xFF, 0xFF, 0xFF}, -} afl_log_code; + .mov_eax_prev_loc = {0x8b, 0x05}, + .mov_prev_loc_curr_loc_shr1 = {0xc7, 0x05}, + + .leax_eax_curr_loc = {0x48, 0x8d, 0x05}, + .mov_rbx_ptr_rax = {0x8a, 0x18}, + .add_bl_1 = {0x80, 0xc3, 0x01}, + .adc_bl_0 = {0x80, 0xd3, 0x00}, + .mov_ptr_rax_rbx = {0x88, 0x18}, + + .mov_rsp_98_rbx = {0x48, 0x8B, 0x9C, 0x24, 0x68, 0xFF, 0xFF, 0xFF}, + .mov_rsp_90_rax = {0x48, 0x8B, 0x84, 0x24, 0x70, 0xFF, 0xFF, 0xFF}, + .sahf = 0x9e, + .mov_rsp_88_rax = {0x48, 0x8B, 0x84, 0x24, 0x78, 0xFF, 0xFF, 0xFF}, + +} + +; + + #else + #pragma pack(push, 1) +typedef struct { + + // cur_location = (block_address >> 4) ^ (block_address << 8); + // shared_mem[cur_location ^ prev_location]++; + // prev_location = cur_location >> 1; + + // mov QWORD PTR [rsp-0x80],rax + // lahf + // mov QWORD PTR [rsp-0x88],rax + // mov QWORD PTR [rsp-0x90],rbx + // mov eax,DWORD PTR [rip+0x333d5a] # 0x7ffff6ff2740 + // mov DWORD PTR [rip+0x333d3c],0x9fbb # 0x7ffff6ff2740 + // xor eax,0x103f77 + // mov bl,BYTE PTR [rax] + // add bl,0x1 + // adc bl,0x0 + // mov BYTE PTR [rax],bl + // mov rbx,QWORD PTR [rsp-0x90] + // mov rax,QWORD PTR [rsp-0x88] + // sahf + // mov rax,QWORD PTR [rsp-0x80] + + uint8_t mov_rax_rsp_88[8]; + uint8_t lahf; + uint8_t mov_rax_rsp_90[8]; + uint8_t mov_rbx_rsp_98[8]; + + uint8_t mov_eax_prev_loc[6]; + uint8_t mov_prev_loc_curr_loc_shr1[10]; + + uint8_t xor_eax_curr_loc[5]; + + uint8_t mov_rbx_ptr_rax[2]; + uint8_t add_bl_1[3]; + uint8_t adc_bl_0[3]; + uint8_t mov_ptr_rax_rbx[2]; + + uint8_t mov_rsp_98_rbx[8]; + uint8_t mov_rsp_90_rax[8]; + 
uint8_t sahf; + uint8_t mov_rsp_88_rax[8]; + +} afl_log_code_asm_t; + + #pragma pack(pop) static const afl_log_code_asm_t template = { @@ -124,6 +193,22 @@ static const afl_log_code_asm_t template = } ; + #endif + +typedef union { + + afl_log_code_asm_t code; + uint8_t bytes[0]; + +} afl_log_code; + + #ifdef __APPLE__ + +void instrument_coverage_optimize_init(void) { + +} + + #else static gboolean instrument_coverage_find_low(const GumRangeDetails *details, gpointer user_data) { @@ -181,10 +266,10 @@ static void instrument_coverage_optimize_map_mmap(char * shm_file_path, __afl_area_ptr = NULL; - #if !defined(__ANDROID__) + #if !defined(__ANDROID__) shm_fd = shm_open(shm_file_path, O_RDWR, DEFAULT_PERMISSION); if (shm_fd == -1) { FATAL("shm_open() failed\n"); } - #else + #else shm_fd = open("/dev/ashmem", O_RDWR); if (shm_fd == -1) { FATAL("open() failed\n"); } if (ioctl(shm_fd, ASHMEM_SET_NAME, shm_file_path) == -1) { @@ -199,7 +284,7 @@ static void instrument_coverage_optimize_map_mmap(char * shm_file_path, } - #endif + #endif __afl_area_ptr = mmap(address, __afl_map_size, PROT_READ | PROT_WRITE, MAP_FIXED_NOREPLACE | MAP_SHARED, shm_fd, 0); 
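Review bot: The Apple and non-Apple branches now carry two full copies of the `afl_log_code_asm_t` struct, its assembly comment block, the `#pragma pack` pair and the `template` initializer, while only the curr_loc field (`leax_eax_curr_loc[7]` versus `xor_eax_curr_loc[5]`) and the one comment line describing it differ; any later change to the register save/restore sequence has to be made twice and the two layouts can silently drift. A single definition with `#ifdef __APPLE__` around that one field, and likewise around the matching designated initializer in `template`, keeps the shared part shared. The initializer bytes for the non-Apple `xor` field are outside this view, so only the struct side is sketched below.

```c
  /* … unchanged: register save and prev_loc fields … */
  #ifdef __APPLE__
  uint8_t leax_eax_curr_loc[7]; /* lea rax,[rip+disp32], disp patched later */
  #else
  uint8_t xor_eax_curr_loc[5];  /* xor eax,imm32, imm patched later */
  #endif
  /* … unchanged: remaining fields, pack(pop), single template … */
```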
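Review bot: The Apple `instrument_coverage_optimize_init` is an empty body with no comment, so a reader has to work out from the `#else` version (`low_address`, `instrument_coverage_optimize_map_mmap` with `MAP_FIXED_NOREPLACE`) that the low-address remapping of the coverage map is skipped there because the map is instead reached through the patched rip-relative `lea`; a one-line comment such as `/* macOS: the map is addressed rip-relative from the patched lea, so no low mapping is set up — confirm */` would record that, since the page does not state the reason. If `coverage_blocks` is created inside the non-Apple init (its allocation is not visible here), the now-shared `instrument_coverage_switch` would call `g_hash_table_contains` on a NULL table on macOS, which is worth confirming. The `#endif` on the first line closes the `#ifdef __APPLE__` opened around `template` several hunks earlier; with the conditional spanning well over a hundred lines, a trailing `/* __APPLE__ */` on each `#endif` helps.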
@@ -231,51 +316,6 @@ static void instrument_coverage_optimize_map_shm(guint64 shm_env_val, } -static void instrument_coverage_switch(GumStalkerObserver *self, - gpointer start_address, - const cs_insn * from_insn, - gpointer * target) { - - UNUSED_PARAMETER(self); - UNUSED_PARAMETER(start_address); - - cs_x86 * x86; - cs_x86_op *op; - if (from_insn == NULL) { return; } - - x86 = &from_insn->detail->x86; - op = x86->operands; - - if (!g_hash_table_contains(coverage_blocks, GSIZE_TO_POINTER(*target))) { - - return; - - } - - switch (from_insn->id) { - - case X86_INS_CALL: - case X86_INS_JMP: - if (x86->op_count != 1) { - - FATAL("Unexpected operand count: %d", x86->op_count); - - } - - if (op[0].type != X86_OP_IMM) { return; } - - break; - case X86_INS_RET: - break; - default: - return; - - } - - *target = (guint8 *)*target + sizeof(afl_log_code); - -} - void instrument_coverage_optimize_init(void) { gpointer low_address = NULL; @@ -324,6 +364,53 @@ void instrument_coverage_optimize_init(void) { } + #endif + +static void instrument_coverage_switch(GumStalkerObserver *self, + gpointer start_address, + const cs_insn * from_insn, + gpointer * target) { + + UNUSED_PARAMETER(self); + UNUSED_PARAMETER(start_address); + + cs_x86 * x86; + cs_x86_op *op; + if (from_insn == NULL) { return; } + + x86 = &from_insn->detail->x86; + op = x86->operands; + + if (!g_hash_table_contains(coverage_blocks, GSIZE_TO_POINTER(*target))) { + + return; + + } + + switch (from_insn->id) { + + case X86_INS_CALL: + case X86_INS_JMP: + if (x86->op_count != 1) { + + FATAL("Unexpected operand count: %d", x86->op_count); + + } + + if (op[0].type != X86_OP_IMM) { return; } + + break; + case X86_INS_RET: + break; + default: + return; + + } + + *target = (guint8 *)*target + sizeof(afl_log_code); + +} + static void instrument_coverage_suppress_init(void) { static gboolean initialized = false; 
@@ -405,12 +492,35 @@ void instrument_coverage_optimize(const cs_insn * instr, *((gint *)&code.bytes[prev_loc_value_offset2]) = (gint)prev_loc_value2; + #ifdef __APPLE__ + + gssize xor_curr_loc_offset = offsetof(afl_log_code, code.leax_eax_curr_loc) + + sizeof(code.code.leax_eax_curr_loc) - + sizeof(guint32); + + gssize xor_curr_loc_value = + ((GPOINTER_TO_SIZE(__afl_area_ptr) | area_offset) - + (code_addr + offsetof(afl_log_code, code.mov_eax_prev_loc) + + sizeof(code.code.mov_eax_prev_loc))); + + if (!instrument_coverage_in_range(xor_curr_loc_value)) { + + FATAL("Patch out of range (xor_curr_loc_value): 0x%016lX", + xor_curr_loc_value); + + } + + *((guint32 *)&code.bytes[xor_curr_loc_offset]) = xor_curr_loc_value; + + #else + gssize xor_curr_loc_offset = offsetof(afl_log_code, code.xor_eax_curr_loc) + sizeof(code.code.xor_eax_curr_loc) - sizeof(guint32); *((guint32 *)&code.bytes[xor_curr_loc_offset]) = (guint32)(GPOINTER_TO_SIZE(__afl_area_ptr) | area_offset); + #endif gum_x86_writer_put_bytes(cw, code.bytes, sizeof(afl_log_code)); diff --git a/frida_mode/test/libxml/GNUmakefile b/frida_mode/test/libxml/GNUmakefile new file mode 100644 index 00000000..1d675187 --- /dev/null +++ b/frida_mode/test/libxml/GNUmakefile 
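Review bot: The displacement written into `leax_eax_curr_loc` is computed against the end of `mov_eax_prev_loc`, but the CPU resolves `lea rax,[rip+disp32]` against the end of the `lea` itself, so — assuming `code_addr` is the address at which the template is emitted, as the earlier `prev_loc` patching suggests — `rax` ends up `sizeof(mov_prev_loc_curr_loc_shr1) + sizeof(leax_eax_curr_loc)` bytes (17 by the field sizes) past the intended map slot, and for the highest `area_offset` values the counter increment lands beyond the shared map. The base should be `(code_addr + offsetof(afl_log_code, code.leax_eax_curr_loc) + sizeof(code.code.leax_eax_curr_loc))`, with the existing `instrument_coverage_in_range` check then applied to that value. The final store also narrows a `gssize` to `guint32` without the explicit cast the `#else` branch uses; `(guint32)xor_curr_loc_value` makes the intended truncation visible. The `xor_curr_loc_*` names are carried over from the `xor` encoding and would read better as `lea_curr_loc_*` in this branch. `instrument_coverage_optimize` starts before and ends after this hunk.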
@@ -0,0 +1,172 @@ +PWD:=$(shell pwd)/ +ROOT:=$(PWD)../../../ +BUILD_DIR:=$(PWD)build/ + +AFLPP_FRIDA_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/frida_hook.so +AFLPP_QEMU_DRIVER_HOOK_OBJ=$(ROOT)frida_mode/build/qemu_hook.so + +LIBXML_GIT_REPO:=https://gitlab.gnome.org/GNOME/libxml2.git +LIBXML_DIR:=$(BUILD_DIR)libxml/ +LIBXML_BIN:=$(LIBXML_DIR).libs/libxml2.a + +TARGET_URL:=https://raw.githubusercontent.com/google/fuzzbench/master/benchmarks/libxml2-v2.9.2/target.cc +TARGET_SRC:=$(BUILD_DIR)target.cc +TARGET_OBJ:=$(BUILD_DIR)target.o + +HARNESS_URL:="https://raw.githubusercontent.com/llvm/llvm-project/main/compiler-rt/lib/fuzzer/standalone/StandaloneFuzzTargetMain.c" +HARNESS_SRC:=$(BUILD_DIR)StandaloneFuzzTargetMain.c +HARNESS_OBJ:=$(BUILD_DIR)StandaloneFuzzTargetMain.o + +TEST_BIN:=$(BUILD_DIR)test + +ifeq "$(shell uname)" "Darwin" +TEST_BIN_LDFLAGS:=-undefined dynamic_lookup -Wl,-no_pie +endif + +TEST_DATA_DIR:=$(BUILD_DIR)in/ +TEST_DATA_FILE:=$(TEST_DATA_DIR)default_seed +DUMMY_DATA_FILE:=$(BUILD_DIR)dummy.dat + +FRIDA_OUT:=$(BUILD_DIR)frida-out +QEMU_OUT:=$(BUILD_DIR)qemu-out + +ifndef ARCH + +ARCH=$(shell uname -m) +ifeq "$(ARCH)" "aarch64" + ARCH:=arm64 +endif + +ifeq "$(ARCH)" "i686" + ARCH:=x86 +endif +endif + +GET_SYMBOL_ADDR:=$(ROOT)frida_mode/util/get_symbol_addr.sh + +AFL_QEMU_PERSISTENT_ADDR=$(shell $(GET_SYMBOL_ADDR) $(TEST_BIN) LLVMFuzzerTestOneInput 0x4000000000) + +ifeq "$(ARCH)" "aarch64" + AFL_FRIDA_PERSISTENT_ADDR=$(shell $(GET_SYMBOL_ADDR) $(TEST_BIN) LLVMFuzzerTestOneInput 0x0000aaaaaaaaa000) +endif + +ifeq "$(ARCH)" "x86_64" + AFL_FRIDA_PERSISTENT_ADDR=$(shell $(GET_SYMBOL_ADDR) $(TEST_BIN) LLVMFuzzerTestOneInput 0x0000555555554000) +endif + +ifeq "$(ARCH)" "x86" + AFL_FRIDA_PERSISTENT_ADDR=$(shell $(GET_SYMBOL_ADDR) $(TEST_BIN) LLVMFuzzerTestOneInput 0x56555000) +endif + +.PHONY: all clean frida hook + +all: $(TEST_BIN) + make -C $(ROOT)frida_mode/ + +32: + CXXFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all + +$(BUILD_DIR): + mkdir -p $@ + 
+########## LIBXML ####### + +$(LIBXML_DIR): | $(BUILD_DIR) + git clone --depth 1 $(LIBXML_GIT_REPO) $@ + +$(LIBXML_BIN): | $(LIBXML_DIR) + cd $(LIBXML_DIR) && git fetch --tags + cd $(LIBXML_DIR) && git checkout -f v2.9.2 + cd $(LIBXML_DIR) && ./autogen.sh + cd $(LIBXML_DIR) && CCLD="$CXX $CXXFLAGS" ./configure --without-python --with-threads=no \ + --with-zlib=no --with-lzma=no + cd $(LIBXML_DIR) && make + +libxml: $(LIBXML_BIN) + +########## TARGET ####### + +$(TARGET_SRC): + wget -O $@ $(TARGET_URL) + +$(TARGET_OBJ): $(TARGET_SRC) $(LIBXML_BIN) + $(CXX) \ + $(CXXFLAGS) \ + -std=c++11 \ + -I $(LIBXML_DIR)include \ + -c $< \ + -o $@ + +target: $(TARGET_OBJ) + + +######### HARNESS ######## +$(HARNESS_SRC): | $(BUILD_DIR) + wget -O $@ $(HARNESS_URL) + +$(HARNESS_OBJ): $(HARNESS_SRC) + $(CC) $(CXXFLAGS) $(LDFLAGS) -o $@ -c $< + +harness: $(HARNESS_OBJ) + +######### TEST ######## + +$(TEST_BIN): $(HARNESS_OBJ) $(TARGET_OBJ) $(LIBXML_BIN) + $(CXX) \ + $(CFLAGS) \ + -o $@ \ + $(HARNESS_OBJ) \ + $(TARGET_OBJ) \ + $(LIBXML_BIN) \ + $(LDFLAGS) \ + $(TEST_BIN_LDFLAGS) \ + +test: $(TEST_BIN) + +########## DUMMY ####### + +$(DUMMY_DATA_FILE): | $(BUILD_DIR) + dd if=/dev/zero bs=1048576 count=1 of=$@ + +###### TEST DATA ####### + +$(TEST_DATA_DIR): | $(BUILD_DIR) + mkdir -p $@ + +$(TEST_DATA_FILE): | $(TEST_DATA_DIR) + dd if=/dev/zero bs=1048576 count=1 of=$@ + +###### ####### + +clean: + rm -rf $(BUILD_DIR) + +frida: $(TEST_BIN) $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) $(TEST_DATA_FILE) $(DUMMY_DATA_FILE) + AFL_FRIDA_PERSISTENT_CNT=1000000 \ + AFL_FRIDA_PERSISTENT_HOOK=$(AFLPP_FRIDA_DRIVER_HOOK_OBJ) \ + AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \ + AFL_ENTRYPOINT=$(AFL_FRIDA_PERSISTENT_ADDR) \ + $(ROOT)afl-fuzz \ + -i $(TEST_DATA_DIR) \ + -o $(FRIDA_OUT) \ + -m none \ + -d \ + -O \ + -V 30 \ + -- \ + $(TEST_BIN) $(DUMMY_DATA_FILE) + +qemu: $(TEST_BIN) $(AFLPP_QEMU_DRIVER_HOOK_OBJ) $(TEST_DATA_FILE) $(DUMMY_DATA_FILE) + AFL_QEMU_PERSISTENT_CNT=1000000 \ + 
AFL_QEMU_PERSISTENT_HOOK=$(AFLPP_QEMU_DRIVER_HOOK_OBJ) \ + AFL_QEMU_PERSISTENT_ADDR=$(AFL_QEMU_PERSISTENT_ADDR) \ + AFL_ENTRYPOINT=$(AFL_QEMU_PERSISTENT_ADDR) \ + $(ROOT)afl-fuzz \ + -i $(TEST_DATA_DIR) \ + -o $(QEMU_OUT) \ + -m none \ + -d \ + -Q \ + -V 30 \ + -- \ + $(TEST_BIN) $(DUMMY_DATA_FILE) diff --git a/frida_mode/test/libxml/Makefile b/frida_mode/test/libxml/Makefile new file mode 100644 index 00000000..07b139e9 --- /dev/null +++ b/frida_mode/test/libxml/Makefile @@ -0,0 +1,13 @@ +all: + @echo trying to use GNU make... + @gmake all || echo please install GNUmake + +32: + @echo trying to use GNU make... + @gmake 32 || echo please install GNUmake + +clean: + @gmake clean + +frida: + @gmake frida diff --git a/frida_mode/test/libxml/get_symbol_addr.py b/frida_mode/test/libxml/get_symbol_addr.py new file mode 100755 index 00000000..1c46e010 --- /dev/null +++ b/frida_mode/test/libxml/get_symbol_addr.py @@ -0,0 +1,36 @@ +#!/usr/bin/python3 +import argparse +from elftools.elf.elffile import ELFFile + +def process_file(file, symbol, base): + with open(file, 'rb') as f: + elf = ELFFile(f) + symtab = elf.get_section_by_name('.symtab') + mains = symtab.get_symbol_by_name(symbol) + if len(mains) != 1: + print ("Failed to find main") + return 1 + + main_addr = mains[0]['st_value'] + main = base + main_addr + print ("0x%016x" % main) + return 0 + +def hex_value(x): + return int(x, 16) + +def main(): + parser = argparse.ArgumentParser(description='Process some integers.') + parser.add_argument('-f', '--file', dest='file', type=str, + help='elf file name', required=True) + parser.add_argument('-s', '--symbol', dest='symbol', type=str, + help='symbol name', required=True) + parser.add_argument('-b', '--base', dest='base', type=hex_value, + help='elf base address', required=True) + + args = parser.parse_args() + return process_file (args.file, args.symbol, args.base) + +if __name__ == "__main__": + ret = main() + exit(ret) 
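Review bot: `CCLD="$CXX $CXXFLAGS"` in the `$(LIBXML_BIN)` recipe is expanded by make before the shell sees it, and `$C` is a single-character make variable (empty unless set), so configure most likely receives `CCLD="XX XXFLAGS"`; it should read `CCLD="$(CXX) $(CXXFLAGS)"`. The `wget -O $@ $(TARGET_URL)` and `wget -O $@ $(HARNESS_URL)` steps fetch `target.cc` and `StandaloneFuzzTargetMain.c` from moving branches (`master`, `main`) with no pinned revision or checksum and then compile and execute them, so the test binary's contents can change with no change in this repository; pinning the URLs to a commit and comparing a recorded `sha256sum` before building would close that. `$(HARNESS_OBJ)` is compiled with `$(CC)` but `$(CXXFLAGS) $(LDFLAGS)` (link flags on a `-c` step), while `$(TEST_BIN)` is linked with `$(CXX)` and `$(CFLAGS)`, so the `32` target's `-m32` reaches some steps only through the wrong variable. `.PHONY` also omits `32`, `libxml`, `target`, `harness`, `test` and `qemu`, so a stray file of one of those names in this directory would silently satisfy the target.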
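Review bot: The wrapper forwards `all`, `32`, `clean` and `frida` to gmake but not `qemu`, although the GNUmakefile next to it defines a `qemu` target, so `make qemu` here fails with no rule; adding `qemu:` / `\t@gmake qemu` (and `libxml`, `target`, `harness`, `test` if they are meant to be reachable this way) keeps the two files in step. None of the targets are declared `.PHONY`, so a file named `all`, `clean` or `frida` in this directory would turn the wrapper into a no-op.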
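Review bot: `elf.get_section_by_name('.symtab')` returns `None` for a stripped binary, so the following `symtab.get_symbol_by_name(symbol)` raises `AttributeError` instead of reaching the script's error path; a guard such as `if symtab is None: print("no .symtab in %s" % file); return 1` preserves the exit-code contract. The failure message `"Failed to find main"` is hard-coded although the symbol is a parameter (`"Failed to find %s" % symbol` would be accurate), and the module-level `exit(ret)` should be `sys.exit(ret)`, since bare `exit` is the site-module convenience and is absent under `python -S`. The GNUmakefile in this directory calls `frida_mode/util/get_symbol_addr.sh` rather than this script, so either a module docstring should say what it is for or it may be unused.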
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index f3d6d99d..e59b3781 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -527,7 +527,7 @@ typedef struct afl_state { double *alias_probability; /* alias weighted probabilities */ u32 * alias_table; /* alias weighted random lookup table */ - u32 active_paths; /* enabled entries in the queue */ + u32 active_items; /* enabled entries in the queue */ u8 *var_bytes; /* Bytes that appear to be variable */ @@ -537,7 +537,7 @@ typedef struct afl_state { volatile u8 stop_soon, /* Ctrl-C pressed? */ clear_screen; /* Window resized? */ - u32 queued_paths, /* Total number of queued testcases */ + u32 queued_items, /* Total number of queued testcases */ queued_variable, /* Testcases with variable behavior */ queued_at_start, /* Total number of initial inputs */ queued_discovered, /* Items discovered during this run */ @@ -546,7 +546,7 @@ typedef struct afl_state { queued_with_cov, /* Paths with new coverage bytes */ pending_not_fuzzed, /* Queued but not done yet */ pending_favored, /* Pending favored paths */ - cur_skipped_paths, /* Abandoned inputs in cur cycle */ + cur_skipped_items, /* Abandoned inputs in cur cycle */ cur_depth, /* Current path depth */ max_depth, /* Max path depth */ useless_at_start, /* Number of useless starting paths */ @@ -556,10 +556,10 @@ typedef struct afl_state { max_det_extras; /* deterministic extra count (dicts)*/ u64 total_crashes, /* Total number of crashes */ - unique_crashes, /* Crashes with unique signatures */ + saved_crashes, /* Crashes with unique signatures */ total_tmouts, /* Total number of timeouts */ - unique_tmouts, /* Timeouts with unique signatures */ - unique_hangs, /* Hangs with unique signatures */ + saved_tmouts, /* Timeouts with unique signatures */ + saved_hangs, /* Hangs with unique signatures */ last_crash_execs, /* Exec counter at last crash */ queue_cycle, /* Queue round counter */ cycles_wo_finds, /* Cycles without any new paths */ 
@@ -571,7 +571,7 @@ typedef struct afl_state { start_time, /* Unix start time (ms) */ last_sync_time, /* Time of last sync */ last_sync_cycle, /* Cycle no. of the last sync */ - last_path_time, /* Time for most recent path (ms) */ + last_find_time, /* Time for most recent path (ms) */ last_crash_time, /* Time for most recent crash (ms) */ last_hang_time, /* Time for most recent hang (ms) */ exit_on_time; /* Delay to exit if no new paths */ diff --git a/include/xxhash.h b/include/xxhash.h index 0ca2b852..8cf4a345 100644 --- a/include/xxhash.h +++ b/include/xxhash.h @@ -1010,7 +1010,7 @@ XXH128_hashFromCanonical(const XXH128_canonical_t *src); * These declarations should only be used with static linking. * Never use them in association with dynamic linking! ***************************************************************************** -*/ + */ /* * These definitions are only present to allow static allocation @@ -1435,9 +1435,9 @@ XXH_PUBLIC_API XXH128_hash_t XXH128(const void *data, size_t len, #define XXH_OLD_NAMES #undef XXH_OLD_NAMES /* don't actually use, it is ugly. */ #endif /* XXH_DOXYGEN */ -/*! - * @} - */ + /*! + * @} + */ #ifndef XXH_FORCE_MEMORY_ACCESS /* can be defined externally, on command \ line for example */ @@ -1601,6 +1601,7 @@ static void *XXH_memcpy(void *dest, const void *src, size_t size) { static_assert((c), m); \ \ } while (0) + #elif defined(__cplusplus) && (__cplusplus >= 201103L) /* C++11 */ #define XXH_STATIC_ASSERT_WITH_MESSAGE(c, m) \ do { \ @@ -1608,6 +1609,7 @@ static void *XXH_memcpy(void *dest, const void *src, size_t size) { static_assert((c), m); \ \ } while (0) + #else #define XXH_STATIC_ASSERT_WITH_MESSAGE(c, m) \ do { \ @@ -1619,6 +1621,7 @@ static void *XXH_memcpy(void *dest, const void *src, size_t size) { }; \ \ } while (0) + #endif #define XXH_STATIC_ASSERT(c) XXH_STATIC_ASSERT_WITH_MESSAGE((c), #c) #endif 
@@ -1830,7 +1833,7 @@ static int XXH_isLittleEndian(void) { return one.c[0]; } -\ + #define XXH_CPU_LITTLE_ENDIAN XXH_isLittleEndian() #endif #endif @@ -2079,23 +2082,6 @@ static xxh_u32 XXH32_avalanche(xxh_u32 h32) { #define XXH_get32bits(p) XXH_readLE32_align(p, align) -/*! - * @internal - * @brief Processes the last 0-15 bytes of @p ptr. - * - * There may be up to 15 bytes remaining to consume from the input. - * This final stage will digest them to ensure that all input bytes are present - * in the final mix. - * - * @param h32 The hash to finalize. - * @param ptr The pointer to the remaining input. - * @param len The remaining length, modulo 16. - * @param align Whether @p ptr is aligned. - * @return The finalized hash. - */ -static xxh_u32 XXH32_finalize(xxh_u32 h32, const xxh_u8 *ptr, size_t len, - XXH_alignment align) { -\ #define XXH_PROCESS1 \ do { \ \ @@ -2113,6 +2099,23 @@ static xxh_u32 XXH32_finalize(xxh_u32 h32, const xxh_u8 *ptr, size_t len, \ } while (0) +/*! + * @internal + * @brief Processes the last 0-15 bytes of @p ptr. + * + * There may be up to 15 bytes remaining to consume from the input. + * This final stage will digest them to ensure that all input bytes are present + * in the final mix. + * + * @param h32 The hash to finalize. + * @param ptr The pointer to the remaining input. + * @param len The remaining length, modulo 16. + * @param align Whether @p ptr is aligned. + * @return The finalized hash. + */ +static xxh_u32 XXH32_finalize(xxh_u32 h32, const xxh_u8 *ptr, size_t len, + XXH_alignment align) { + /* Compact rerolled version */ if (XXH_REROLL) { @@ -3385,6 +3388,7 @@ enum XXH_VECTOR_TYPE /* fake enum */ { (outHi) = vget_high_u32(vreinterpretq_u32_u64(in)); \ \ } while (0) + #else #define XXH_SPLIT_IN_PLACE(in, outLo, outHi) \ do { \ @@ -3393,6 +3397,7 @@ enum XXH_VECTOR_TYPE /* fake enum */ { (outHi) = vshrn_n_u64((in), 32); \ \ } while (0) + #endif #endif /* XXH_VECTOR == XXH_NEON */ 
diff --git a/instrumentation/README.cmplog.md b/instrumentation/README.cmplog.md index 146b4620..668c07eb 100644 --- a/instrumentation/README.cmplog.md +++ b/instrumentation/README.cmplog.md @@ -11,12 +11,11 @@ see ## Build To use CmpLog, you have to build two versions of the instrumented target -program. +program: -The first version is built using the regular AFL++ instrumentation. - -The second one, the CmpLog binary, is built with setting AFL_LLVM_CMPLOG during -the compilation. +* The first version is built using the regular AFL++ instrumentation. +* The second one, the CmpLog binary, is built with setting `AFL_LLVM_CMPLOG` + during the compilation. For example: diff --git a/instrumentation/README.gcc_plugin.md b/instrumentation/README.gcc_plugin.md index ef38662b..ed39af9d 100644 --- a/instrumentation/README.gcc_plugin.md +++ b/instrumentation/README.gcc_plugin.md @@ -1,7 +1,8 @@ # GCC-based instrumentation for afl-fuzz -For the general instruction manual, see [../README.md](../README.md). For the -LLVM-based instrumentation, see [README.llvm.md](README.llvm.md). +For the general instruction manual, see [docs/README.md](../docs/README.md). + +For the LLVM-based instrumentation, see [README.llvm.md](README.llvm.md). This document describes how to build and use `afl-gcc-fast` and `afl-g++-fast`, which instrument the target with the help of gcc plugins. diff --git a/instrumentation/README.laf-intel.md b/instrumentation/README.laf-intel.md index 06e653ea..414be060 100644 --- a/instrumentation/README.laf-intel.md +++ b/instrumentation/README.laf-intel.md 
@@ -39,13 +39,11 @@ AFL_LLVM_LAF_SPLIT_COMPARES_BITW=<bit_width>`, where bit_width may be 64, 32, or 16. For example, a bit_width of 16 would split larger comparisons down to 16 bit comparisons. -A new experimental feature is splitting floating point comparisons into a series +A new unique feature is splitting floating point comparisons into a series of sign, exponent and mantissa comparisons followed by splitting each of them into 8 bit comparisons when necessary. It is activated with the -`AFL_LLVM_LAF_SPLIT_FLOATS` setting. Note that full IEEE 754 functionality is -not preserved, that is values of nan and infinity will probably behave -differently. +`AFL_LLVM_LAF_SPLIT_FLOATS` setting. Note that setting this automatically activates `AFL_LLVM_LAF_SPLIT_COMPARES`. -You can also set `AFL_LLVM_LAF_ALL` and have all of the above enabled. :-) \ No newline at end of file +You can also set `AFL_LLVM_LAF_ALL` and have all of the above enabled. :-) diff --git a/instrumentation/README.llvm.md b/instrumentation/README.llvm.md index d220e52c..7855a987 100644 --- a/instrumentation/README.llvm.md +++ b/instrumentation/README.llvm.md @@ -1,6 +1,6 @@ # Fast LLVM-based instrumentation for afl-fuzz -For the general instruction manual, see [../README.md](../README.md). +For the general instruction manual, see [docs/README.md](../docs/README.md). For the GCC-based instrumentation, see [README.gcc_plugin.md](README.gcc_plugin.md). diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc index 8d7f0c80..aa1826cd 100644 --- a/instrumentation/SanitizerCoverageLTO.so.cc +++ b/instrumentation/SanitizerCoverageLTO.so.cc 
@@ -1123,7 +1123,7 @@ bool ModuleSanitizerCoverage::instrumentModule( M, PointerType::get(Int8Tyi, 0), false, GlobalValue::ExternalLinkage, 0, "__afl_dictionary"); - Value *AFLDictOff = IRB.CreateGEP(AFLInternalDictionary, Zero); + Value *AFLDictOff = IRB.CreateGEP(Int8Ty, AFLInternalDictionary, Zero); Value *AFLDictPtr = IRB.CreatePointerCast(AFLDictOff, PointerType::get(Int8Tyi, 0)); StoreInst *StoreDict = IRB.CreateStore(AFLDictPtr, AFLDictionary); @@ -1388,7 +1388,8 @@ void ModuleSanitizerCoverage::instrumentFunction( local_selects++; uint32_t vector_cur = 0; /* Load SHM pointer */ - LoadInst *MapPtr = IRB.CreateLoad(AFLMapPtr); + LoadInst *MapPtr = + IRB.CreateLoad(PointerType::get(Int8Ty, 0), AFLMapPtr); ModuleSanitizerCoverage::SetNoSanitizeMetadata(MapPtr); while (1) { @@ -1399,12 +1400,12 @@ void ModuleSanitizerCoverage::instrumentFunction( /* Load counter for CurLoc */ if (!vector_cnt) { - MapPtrIdx = IRB.CreateGEP(MapPtr, result); + MapPtrIdx = IRB.CreateGEP(Int8Ty, MapPtr, result); } else { auto element = IRB.CreateExtractElement(result, vector_cur++); - MapPtrIdx = IRB.CreateGEP(MapPtr, element); + MapPtrIdx = IRB.CreateGEP(Int8Ty, MapPtr, element); } @@ -1418,7 +1419,7 @@ void ModuleSanitizerCoverage::instrumentFunction( } else { - LoadInst *Counter = IRB.CreateLoad(MapPtrIdx); + LoadInst *Counter = IRB.CreateLoad(IRB.getInt8Ty(), MapPtrIdx); ModuleSanitizerCoverage::SetNoSanitizeMetadata(Counter); /* Update bitmap */ @@ -1672,13 +1673,13 @@ void ModuleSanitizerCoverage::InjectCoverageAtBlock(Function &F, BasicBlock &BB, if (map_addr) { - MapPtrIdx = IRB.CreateGEP(MapPtrFixed, CurLoc); + MapPtrIdx = IRB.CreateGEP(Int8Ty, MapPtrFixed, CurLoc); } else { - LoadInst *MapPtr = IRB.CreateLoad(AFLMapPtr); + LoadInst *MapPtr = IRB.CreateLoad(PointerType::get(Int8Ty, 0), AFLMapPtr); ModuleSanitizerCoverage::SetNoSanitizeMetadata(MapPtr); - MapPtrIdx = IRB.CreateGEP(MapPtr, CurLoc); + MapPtrIdx = IRB.CreateGEP(Int8Ty, MapPtr, CurLoc); } 
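Review bot: The i8 element type is spelled three ways across these hunks — `Int8Ty` in the CreateGEP calls, `IRB.getInt8Ty()` in the CreateLoad at @@ -1418 (and at @@ -1693 in the next hunk), and `Int8Tyi` for the pointer type of the dictionary global at @@ -1123 — which reads as if three different types were involved. If they all name the same i8 (on pre-opaque-pointer LLVM the GEP source element type presumably has to match the pointee declared for `AFLInternalDictionary` via `Int8Tyi`), pick one spelling and use it throughout, e.g. `LoadInst *Counter = IRB.CreateLoad(Int8Ty, MapPtrIdx);`. The same mix of `Int8Ty` and `IRB.getInt8Ty()` appears in SanitizerCoveragePCGUARD.so.cc at @@ -1078, @@ -1102 and @@ -1369. The enclosing functions start outside these hunks.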
@@ -1693,7 +1694,7 @@ void ModuleSanitizerCoverage::InjectCoverageAtBlock(Function &F, BasicBlock &BB, } else { - LoadInst *Counter = IRB.CreateLoad(MapPtrIdx); + LoadInst *Counter = IRB.CreateLoad(IRB.getInt8Ty(), MapPtrIdx); ModuleSanitizerCoverage::SetNoSanitizeMetadata(Counter); Value *Incr = IRB.CreateAdd(Counter, One); diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc index d5746cc7..7b1d1d40 100644 --- a/instrumentation/SanitizerCoveragePCGUARD.so.cc +++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc @@ -937,7 +937,7 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, ConstantInt::get(IntptrTy, (++special + AllBlocks.size()) * 4)), Int32PtrTy); - LoadInst *Idx = IRB.CreateLoad(GuardPtr); + LoadInst *Idx = IRB.CreateLoad(IRB.getInt32Ty(), GuardPtr); ModuleSanitizerCoverage::SetNoSanitizeMetadata(Idx); callInst->setOperand(1, Idx); @@ -1059,7 +1059,8 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, /* Load SHM pointer */ - LoadInst *MapPtr = IRB.CreateLoad(AFLMapPtr); + LoadInst *MapPtr = + IRB.CreateLoad(PointerType::get(Int8Ty, 0), AFLMapPtr); ModuleSanitizerCoverage::SetNoSanitizeMetadata(MapPtr); /* @@ -1078,17 +1079,17 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, /* Load counter for CurLoc */ if (!vector_cnt) { - CurLoc = IRB.CreateLoad(result); + CurLoc = IRB.CreateLoad(IRB.getInt32Ty(), result); ModuleSanitizerCoverage::SetNoSanitizeMetadata(CurLoc); - MapPtrIdx = IRB.CreateGEP(MapPtr, CurLoc); + MapPtrIdx = IRB.CreateGEP(Int8Ty, MapPtr, CurLoc); } else { auto element = IRB.CreateExtractElement(result, vector_cur++); auto elementptr = IRB.CreateIntToPtr(element, Int32PtrTy); - auto elementld = IRB.CreateLoad(elementptr); + auto elementld = IRB.CreateLoad(IRB.getInt32Ty(), elementptr); ModuleSanitizerCoverage::SetNoSanitizeMetadata(elementld); - MapPtrIdx = IRB.CreateGEP(MapPtr, elementld); + MapPtrIdx = IRB.CreateGEP(Int8Ty, MapPtr, elementld); } 
@@ -1102,7 +1103,7 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, } else { - LoadInst *Counter = IRB.CreateLoad(MapPtrIdx); + LoadInst *Counter = IRB.CreateLoad(IRB.getInt8Ty(), MapPtrIdx); ModuleSanitizerCoverage::SetNoSanitizeMetadata(Counter); /* Update bitmap */ @@ -1347,17 +1348,17 @@ void ModuleSanitizerCoverage::InjectCoverageAtBlock(Function &F, BasicBlock &BB, ConstantInt::get(IntptrTy, Idx * 4)), Int32PtrTy); - LoadInst *CurLoc = IRB.CreateLoad(GuardPtr); + LoadInst *CurLoc = IRB.CreateLoad(IRB.getInt32Ty(), GuardPtr); ModuleSanitizerCoverage::SetNoSanitizeMetadata(CurLoc); /* Load SHM pointer */ - LoadInst *MapPtr = IRB.CreateLoad(AFLMapPtr); + LoadInst *MapPtr = IRB.CreateLoad(PointerType::get(Int8Ty, 0), AFLMapPtr); ModuleSanitizerCoverage::SetNoSanitizeMetadata(MapPtr); /* Load counter for CurLoc */ - Value *MapPtrIdx = IRB.CreateGEP(MapPtr, CurLoc); + Value *MapPtrIdx = IRB.CreateGEP(Int8Ty, MapPtr, CurLoc); if (use_threadsafe_counters) { @@ -1369,7 +1370,7 @@ void ModuleSanitizerCoverage::InjectCoverageAtBlock(Function &F, BasicBlock &BB, } else { - LoadInst *Counter = IRB.CreateLoad(MapPtrIdx); + LoadInst *Counter = IRB.CreateLoad(IRB.getInt8Ty(), MapPtrIdx); ModuleSanitizerCoverage::SetNoSanitizeMetadata(Counter); /* Update bitmap */ diff --git a/instrumentation/afl-llvm-pass.so.cc b/instrumentation/afl-llvm-pass.so.cc index 8e22fde8..640aa4dd 100644 --- a/instrumentation/afl-llvm-pass.so.cc +++ b/instrumentation/afl-llvm-pass.so.cc @@ -454,7 +454,11 @@ bool AFLCoverage::runOnModule(Module &M) { #ifdef AFL_HAVE_VECTOR_INTRINSICS if (ctx_k) { - PrevCaller = IRB.CreateLoad(AFLPrevCaller); + PrevCaller = IRB.CreateLoad( + #if LLVM_VERSION_MAJOR >= 14 + IRB.getInt32Ty(), + #endif + AFLPrevCaller); PrevCaller->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); PrevCtx = 
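Review bot: The `#if LLVM_VERSION_MAJOR >= 14` guard added around the `PrevCaller` load is indented (` #if` / ` #endif` with leading spaces) while the identical guards in the @@ -467, @@ -620, @@ -644 and @@ -676 hunks sit at column 0, and the one at @@ -813 is indented again; both forms compile, but the file should use one. The guard also deserves a short rationale at its first occurrence, since a reader has to guess why `IRB.getInt32Ty()` is only passed on newer LLVM, e.g. `// LLVM >= 14: pass the loaded type explicitly (opaque-pointer transition)`. runOnModule starts and ends outside the hunk.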
@@ -467,7 +471,11 @@ bool AFLCoverage::runOnModule(Module &M) { // load the context ID of the previous function and write to to a // local variable on the stack - LoadInst *PrevCtxLoad = IRB.CreateLoad(AFLContext); + LoadInst *PrevCtxLoad = IRB.CreateLoad( +#if LLVM_VERSION_MAJOR >= 14 + IRB.getInt32Ty(), +#endif + AFLContext); PrevCtxLoad->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); PrevCtx = PrevCtxLoad; @@ -620,7 +628,11 @@ bool AFLCoverage::runOnModule(Module &M) { /* Load prev_loc */ - LoadInst *PrevLoc = IRB.CreateLoad(AFLPrevLoc); + LoadInst *PrevLoc = IRB.CreateLoad( +#if LLVM_VERSION_MAJOR >= 14 + IRB.getInt32Ty(), +#endif + AFLPrevLoc); PrevLoc->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); Value *PrevLocTrans; @@ -644,20 +656,28 @@ bool AFLCoverage::runOnModule(Module &M) { /* Load SHM pointer */ - LoadInst *MapPtr = IRB.CreateLoad(AFLMapPtr); + LoadInst *MapPtr = IRB.CreateLoad( +#if LLVM_VERSION_MAJOR >= 14 + PointerType::get(Int8Ty, 0), +#endif + AFLMapPtr); MapPtr->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); Value *MapPtrIdx; #ifdef AFL_HAVE_VECTOR_INTRINSICS if (ngram_size) MapPtrIdx = IRB.CreateGEP( - MapPtr, + Int8Ty, MapPtr, IRB.CreateZExt( IRB.CreateXor(PrevLocTrans, IRB.CreateZExt(CurLoc, Int32Ty)), Int32Ty)); else #endif - MapPtrIdx = IRB.CreateGEP(MapPtr, IRB.CreateXor(PrevLocTrans, CurLoc)); + MapPtrIdx = IRB.CreateGEP( +#if LLVM_VERSION_MAJOR >= 14 + Int8Ty, +#endif + MapPtr, IRB.CreateXor(PrevLocTrans, CurLoc)); /* Update bitmap */ @@ -676,7 +696,11 @@ bool AFLCoverage::runOnModule(Module &M) { } else { - LoadInst *Counter = IRB.CreateLoad(MapPtrIdx); + LoadInst *Counter = IRB.CreateLoad( +#if LLVM_VERSION_MAJOR >= 14 + IRB.getInt8Ty(), +#endif + MapPtrIdx); Counter->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); Value *Incr = IRB.CreateAdd(Counter, One); 
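Review bot: In the @@ -644 hunk the `ngram_size` branch now calls `IRB.CreateGEP(Int8Ty, MapPtr, ...)` unconditionally, while the `else` branch two lines below wraps the same `Int8Ty,` argument in `#if LLVM_VERSION_MAJOR >= 14`. Either the typed CreateGEP overload is available on every LLVM this file supports, in which case the guard on the else branch (and the other guards in this file) is dead weight, or it is not, in which case the vector-intrinsics build on older LLVM fails on the ngram path. Guard both the same way, i.e. put `#if LLVM_VERSION_MAJOR >= 14` / `Int8Ty,` / `#endif` before `MapPtr,` in the ngram call as well. runOnModule starts and ends outside the hunk.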
@@ -813,7 +837,11 @@ bool AFLCoverage::runOnModule(Module &M) { IRBuilder<> IRB(&(*it0)); // load the old counter value atomically - LoadInst *Counter = IRB.CreateLoad(MapPtrIdx); + LoadInst *Counter = IRB.CreateLoad( + #if LLVM_VERSION_MAJOR >= 14 + IRB.getInt8Ty(), + #endif + MapPtrIdx); Counter->setAlignment(llvm::Align()); Counter->setAtomic(llvm::AtomicOrdering::Monotonic); Counter->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); diff --git a/instrumentation/cmplog-instructions-pass.cc b/instrumentation/cmplog-instructions-pass.cc index 07f80b2c..054caee2 100644 --- a/instrumentation/cmplog-instructions-pass.cc +++ b/instrumentation/cmplog-instructions-pass.cc @@ -264,7 +264,11 @@ bool CmpLogInstructions::hookInstrs(Module &M) { IRBuilder<> IRB2(selectcmpInst->getParent()); IRB2.SetInsertPoint(selectcmpInst); - LoadInst *CmpPtr = IRB2.CreateLoad(AFLCmplogPtr); + LoadInst *CmpPtr = IRB2.CreateLoad( +#if LLVM_VERSION_MAJOR >= 14 + PointerType::get(Int8Ty, 0), +#endif + AFLCmplogPtr); CmpPtr->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); auto is_not_null = IRB2.CreateICmpNE(CmpPtr, Null); auto ThenTerm = diff --git a/instrumentation/cmplog-routines-pass.cc b/instrumentation/cmplog-routines-pass.cc index 0565875e..82c2fa4d 100644 --- a/instrumentation/cmplog-routines-pass.cc +++ b/instrumentation/cmplog-routines-pass.cc @@ -448,7 +448,11 @@ bool CmpLogRoutines::hookRtns(Module &M) { IRBuilder<> IRB2(callInst->getParent()); IRB2.SetInsertPoint(callInst); - LoadInst *CmpPtr = IRB2.CreateLoad(AFLCmplogPtr); + LoadInst *CmpPtr = IRB2.CreateLoad( +#if LLVM_VERSION_MAJOR >= 14 + PointerType::get(Int8Ty, 0), +#endif + AFLCmplogPtr); CmpPtr->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); auto is_not_null = IRB2.CreateICmpNE(CmpPtr, Null); auto ThenTerm = SplitBlockAndInsertIfThen(is_not_null, callInst, false); 
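Review bot: The five-line guarded `CreateLoad` of `AFLCmplogPtr` followed by the `setMetadata(... "nosanitize" ...)` call is now copied verbatim into eight hooks in this function (@@ -448, @@ -475, @@ -506, @@ -533, @@ -564, @@ -590, @@ -616, @@ -642), so the next LLVM API change has to be applied eight times. A lambda defined once in hookRtns, before the per-routine hooks, captures `Int8Ty`, `AFLCmplogPtr`, `M` and `C` and reduces each site to `LoadInst *CmpPtr = load_cmplog_ptr(IRB2);`. The single copies in cmplog-instructions-pass.cc and cmplog-switches-pass.cc are fine as they are. hookRtns starts and ends outside the hunk.
```cpp
  // version-dependent load of AFLCmplogPtr, shared by every hook below
  auto load_cmplog_ptr = [&](IRBuilder<> &B) {
    LoadInst *CmpPtr = B.CreateLoad(
#if LLVM_VERSION_MAJOR >= 14
        PointerType::get(Int8Ty, 0),
#endif
        AFLCmplogPtr);
    CmpPtr->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
    return CmpPtr;
  };
  // … unchanged: per-routine hooks, each replacing the CreateLoad/setMetadata pair with …
  LoadInst *CmpPtr = load_cmplog_ptr(IRB2);
```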
@@ -475,7 +479,11 @@ bool CmpLogRoutines::hookRtns(Module &M) { IRBuilder<> IRB2(callInst->getParent()); IRB2.SetInsertPoint(callInst); - LoadInst *CmpPtr = IRB2.CreateLoad(AFLCmplogPtr); + LoadInst *CmpPtr = IRB2.CreateLoad( +#if LLVM_VERSION_MAJOR >= 14 + PointerType::get(Int8Ty, 0), +#endif + AFLCmplogPtr); CmpPtr->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); auto is_not_null = IRB2.CreateICmpNE(CmpPtr, Null); auto ThenTerm = SplitBlockAndInsertIfThen(is_not_null, callInst, false); @@ -506,7 +514,11 @@ bool CmpLogRoutines::hookRtns(Module &M) { IRBuilder<> IRB2(callInst->getParent()); IRB2.SetInsertPoint(callInst); - LoadInst *CmpPtr = IRB2.CreateLoad(AFLCmplogPtr); + LoadInst *CmpPtr = IRB2.CreateLoad( +#if LLVM_VERSION_MAJOR >= 14 + PointerType::get(Int8Ty, 0), +#endif + AFLCmplogPtr); CmpPtr->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); auto is_not_null = IRB2.CreateICmpNE(CmpPtr, Null); auto ThenTerm = SplitBlockAndInsertIfThen(is_not_null, callInst, false); @@ -533,7 +545,11 @@ bool CmpLogRoutines::hookRtns(Module &M) { IRBuilder<> IRB2(callInst->getParent()); IRB2.SetInsertPoint(callInst); - LoadInst *CmpPtr = IRB2.CreateLoad(AFLCmplogPtr); + LoadInst *CmpPtr = IRB2.CreateLoad( +#if LLVM_VERSION_MAJOR >= 14 + PointerType::get(Int8Ty, 0), +#endif + AFLCmplogPtr); CmpPtr->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); auto is_not_null = IRB2.CreateICmpNE(CmpPtr, Null); auto ThenTerm = SplitBlockAndInsertIfThen(is_not_null, callInst, false); 
@@ -564,7 +580,11 @@ bool CmpLogRoutines::hookRtns(Module &M) { IRBuilder<> IRB2(callInst->getParent()); IRB2.SetInsertPoint(callInst); - LoadInst *CmpPtr = IRB2.CreateLoad(AFLCmplogPtr); + LoadInst *CmpPtr = IRB2.CreateLoad( +#if LLVM_VERSION_MAJOR >= 14 + PointerType::get(Int8Ty, 0), +#endif + AFLCmplogPtr); CmpPtr->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); auto is_not_null = IRB2.CreateICmpNE(CmpPtr, Null); auto ThenTerm = SplitBlockAndInsertIfThen(is_not_null, callInst, false); @@ -590,7 +610,11 @@ bool CmpLogRoutines::hookRtns(Module &M) { IRBuilder<> IRB2(callInst->getParent()); IRB2.SetInsertPoint(callInst); - LoadInst *CmpPtr = IRB2.CreateLoad(AFLCmplogPtr); + LoadInst *CmpPtr = IRB2.CreateLoad( +#if LLVM_VERSION_MAJOR >= 14 + PointerType::get(Int8Ty, 0), +#endif + AFLCmplogPtr); CmpPtr->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); auto is_not_null = IRB2.CreateICmpNE(CmpPtr, Null); auto ThenTerm = SplitBlockAndInsertIfThen(is_not_null, callInst, false); @@ -616,7 +640,11 @@ bool CmpLogRoutines::hookRtns(Module &M) { IRBuilder<> IRB2(callInst->getParent()); IRB2.SetInsertPoint(callInst); - LoadInst *CmpPtr = IRB2.CreateLoad(AFLCmplogPtr); + LoadInst *CmpPtr = IRB2.CreateLoad( +#if LLVM_VERSION_MAJOR >= 14 + PointerType::get(Int8Ty, 0), +#endif + AFLCmplogPtr); CmpPtr->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); auto is_not_null = IRB2.CreateICmpNE(CmpPtr, Null); auto ThenTerm = SplitBlockAndInsertIfThen(is_not_null, callInst, false); 
@@ -642,7 +670,11 @@ bool CmpLogRoutines::hookRtns(Module &M) { IRBuilder<> IRB2(callInst->getParent()); IRB2.SetInsertPoint(callInst); - LoadInst *CmpPtr = IRB2.CreateLoad(AFLCmplogPtr); + LoadInst *CmpPtr = IRB2.CreateLoad( +#if LLVM_VERSION_MAJOR >= 14 + PointerType::get(Int8Ty, 0), +#endif + AFLCmplogPtr); CmpPtr->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); auto is_not_null = IRB2.CreateICmpNE(CmpPtr, Null); auto ThenTerm = SplitBlockAndInsertIfThen(is_not_null, callInst, false); diff --git a/instrumentation/cmplog-switches-pass.cc b/instrumentation/cmplog-switches-pass.cc index bcd5f8bd..4f6f2eca 100644 --- a/instrumentation/cmplog-switches-pass.cc +++ b/instrumentation/cmplog-switches-pass.cc @@ -246,7 +246,11 @@ bool CmpLogInstructions::hookInstrs(Module &M) { IRBuilder<> IRB2(SI->getParent()); IRB2.SetInsertPoint(SI); - LoadInst *CmpPtr = IRB2.CreateLoad(AFLCmplogPtr); + LoadInst *CmpPtr = IRB2.CreateLoad( +#if LLVM_VERSION_MAJOR >= 14 + PointerType::get(Int8Ty, 0), +#endif + AFLCmplogPtr); CmpPtr->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); auto is_not_null = IRB2.CreateICmpNE(CmpPtr, Null); auto ThenTerm = SplitBlockAndInsertIfThen(is_not_null, SI, false); diff --git a/instrumentation/compare-transform-pass.so.cc b/instrumentation/compare-transform-pass.so.cc index ef3bd66b..2ced37c5 100644 --- a/instrumentation/compare-transform-pass.so.cc +++ b/instrumentation/compare-transform-pass.so.cc 
@@ -529,8 +529,16 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp, IRBuilder<> cur_cmp_IRB(&*(cur_cmp_bb->getFirstInsertionPt())); Value *v = ConstantInt::get(Int64Ty, i); - Value *ele = cur_cmp_IRB.CreateInBoundsGEP(VarStr, v, "empty"); - Value *load = cur_cmp_IRB.CreateLoad(ele); + Value *ele = cur_cmp_IRB.CreateInBoundsGEP( +#if LLVM_VERSION_MAJOR >= 14 + Int8Ty, +#endif + VarStr, v, "empty"); + Value *load = cur_cmp_IRB.CreateLoad( +#if LLVM_VERSION_MAJOR >= 14 + Int8Ty, +#endif + ele); if (isCaseInsensitive) { diff --git a/instrumentation/split-compares-pass.so.cc b/instrumentation/split-compares-pass.so.cc index 95485be9..451258d9 100644 --- a/instrumentation/split-compares-pass.so.cc +++ b/instrumentation/split-compares-pass.so.cc @@ -882,6 +882,7 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) { // BUG FIXME TODO: u64 does not work for > 64 bit ... e.g. 80 and 128 bit if (sizeInBits > 64) { continue; } + IntegerType * intType = IntegerType::get(C, op_size); const unsigned int precision = sizeInBits == 32 ? 24 : sizeInBits == 64 ? 53 : sizeInBits == 128 ? 113 
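Review bot: `intType` is introduced here, but the two bitcasts at the top of the following hunk (@@ -913) still build the same type with `IntegerType::get(C, op_size)`; use the new local there as well, `bpre_op0 = CastInst::Create(Instruction::BitCast, op0, intType);` and likewise for `bpre_op1`, so the type is derived in one place. splitFPCompares starts and ends outside the hunk.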
@@ -913,14 +914,106 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) { BasicBlock *end_bb = bb->splitBasicBlock(BasicBlock::iterator(FcmpInst)); /* create the integers from floats directly */ - Instruction *b_op0, *b_op1; - b_op0 = CastInst::Create(Instruction::BitCast, op0, - IntegerType::get(C, op_size)); - bb->getInstList().insert(BasicBlock::iterator(bb->getTerminator()), b_op0); + Instruction *bpre_op0, *bpre_op1; + bpre_op0 = CastInst::Create(Instruction::BitCast, op0, + IntegerType::get(C, op_size)); + bb->getInstList().insert(BasicBlock::iterator(bb->getTerminator()), + bpre_op0); + + bpre_op1 = CastInst::Create(Instruction::BitCast, op1, + IntegerType::get(C, op_size)); + bb->getInstList().insert(BasicBlock::iterator(bb->getTerminator()), + bpre_op1); + + /* Check if any operand is NaN. + * If so, all comparisons except unequal (which yields true) yield false */ + + /* build mask for NaN */ + const unsigned long long NaN_lowend = mask_exponent << precision; + // errs() << "Fractions: IntFractionTy size " << + // IntFractionTy->getPrimitiveSizeInBits() << ", op_size " << op_size << + // ", mask_fraction 0x"; + // errs().write_hex(mask_fraction); + // errs() << ", precision " << precision << + // ", NaN_lowend 0x"; + // errs().write_hex(NaN_lowend); errs() << "\n"; + + /* Check op0 for NaN */ + /* Shift left 1 Bit, ignore sign bit */ + Instruction *nan_op0, *nan_op1; + nan_op0 = BinaryOperator::Create(Instruction::Shl, bpre_op0, + ConstantInt::get(bpre_op0->getType(), 1)); + bb->getInstList().insert(BasicBlock::iterator(bb->getTerminator()), + nan_op0); + + /* compare to NaN interval */ + Instruction *is_op0_nan = + CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_UGT, nan_op0, + ConstantInt::get(intType, NaN_lowend)); + bb->getInstList().insert(BasicBlock::iterator(bb->getTerminator()), + is_op0_nan); + + /* Check op1 for NaN */ + /* Shift right 1 Bit, ignore sign bit */ + nan_op1 = BinaryOperator::Create(Instruction::Shl, bpre_op1, + 
ConstantInt::get(bpre_op1->getType(), 1)); + bb->getInstList().insert(BasicBlock::iterator(bb->getTerminator()), + nan_op1); + + /* compare to NaN interval */ + Instruction *is_op1_nan = + CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_UGT, nan_op1, + ConstantInt::get(intType, NaN_lowend)); + bb->getInstList().insert(BasicBlock::iterator(bb->getTerminator()), + is_op1_nan); + + /* combine checks */ + Instruction *is_nan = + BinaryOperator::Create(Instruction::Or, is_op0_nan, is_op1_nan); + bb->getInstList().insert(BasicBlock::iterator(bb->getTerminator()), is_nan); + + /* the result of the comparison, when at least one op is NaN + is true only for the "NOT EQUAL" predicates. */ + bool NaNcmp_result = FcmpInst->getPredicate() == CmpInst::FCMP_ONE || + FcmpInst->getPredicate() == CmpInst::FCMP_UNE; + + BasicBlock *nonan_bb = + BasicBlock::Create(C, "noNaN", end_bb->getParent(), end_bb); - b_op1 = CastInst::Create(Instruction::BitCast, op1, - IntegerType::get(C, op_size)); - bb->getInstList().insert(BasicBlock::iterator(bb->getTerminator()), b_op1); + BranchInst::Create(end_bb, nonan_bb); + + auto term = bb->getTerminator(); + /* if no operand is NaN goto nonan_bb else to handleNaN_bb */ + BranchInst::Create(end_bb, nonan_bb, is_nan, bb); + term->eraseFromParent(); + + /*** now working in nonan_bb ***/ + + /* Treat -0.0 as equal to +0.0, that is for -0.0 make it +0.0 */ + Instruction * b_op0, *b_op1; + Instruction * isMzero_op0, *isMzero_op1; + const unsigned long long MinusZero = 1UL << (sizeInBits - 1U); + const unsigned long long PlusZero = 0; + + isMzero_op0 = CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_EQ, bpre_op0, + ConstantInt::get(intType, MinusZero)); + nonan_bb->getInstList().insert( + BasicBlock::iterator(nonan_bb->getTerminator()), isMzero_op0); + + isMzero_op1 = CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_EQ, bpre_op1, + ConstantInt::get(intType, MinusZero)); + nonan_bb->getInstList().insert( + BasicBlock::iterator(nonan_bb->getTerminator()), 
isMzero_op1); + + b_op0 = SelectInst::Create(isMzero_op0, ConstantInt::get(intType, PlusZero), + bpre_op0); + nonan_bb->getInstList().insert( + BasicBlock::iterator(nonan_bb->getTerminator()), b_op0); + + b_op1 = SelectInst::Create(isMzero_op1, ConstantInt::get(intType, PlusZero), + bpre_op1); + nonan_bb->getInstList().insert( + BasicBlock::iterator(nonan_bb->getTerminator()), b_op1); /* isolate signs of value of floating point type */ @@ -931,22 +1024,26 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) { s_s0 = BinaryOperator::Create(Instruction::LShr, b_op0, ConstantInt::get(b_op0->getType(), op_size - 1)); - bb->getInstList().insert(BasicBlock::iterator(bb->getTerminator()), s_s0); + nonan_bb->getInstList().insert( + BasicBlock::iterator(nonan_bb->getTerminator()), s_s0); t_s0 = new TruncInst(s_s0, Int1Ty); - bb->getInstList().insert(BasicBlock::iterator(bb->getTerminator()), t_s0); + nonan_bb->getInstList().insert( + BasicBlock::iterator(nonan_bb->getTerminator()), t_s0); s_s1 = BinaryOperator::Create(Instruction::LShr, b_op1, ConstantInt::get(b_op1->getType(), op_size - 1)); - bb->getInstList().insert(BasicBlock::iterator(bb->getTerminator()), s_s1); + nonan_bb->getInstList().insert( + BasicBlock::iterator(nonan_bb->getTerminator()), s_s1); t_s1 = new TruncInst(s_s1, Int1Ty); - bb->getInstList().insert(BasicBlock::iterator(bb->getTerminator()), t_s1); + nonan_bb->getInstList().insert( + BasicBlock::iterator(nonan_bb->getTerminator()), t_s1); /* compare of the sign bits */ icmp_sign_bit = CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_EQ, t_s0, t_s1); - bb->getInstList().insert(BasicBlock::iterator(bb->getTerminator()), - icmp_sign_bit); + nonan_bb->getInstList().insert( + BasicBlock::iterator(nonan_bb->getTerminator()), icmp_sign_bit); /* create a new basic block which is executed if the signedness bits are * equal */ 
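Review bot: The NaN outcome fixed by `bool NaNcmp_result = FcmpInst->getPredicate() == CmpInst::FCMP_ONE || FcmpInst->getPredicate() == CmpInst::FCMP_UNE;` (and the comment `all comparisons except unequal (which yields true) yield false`) does not match LLVM fcmp semantics: with a NaN operand every ordered predicate (OEQ, ONE, OGT, OLT) is false and every unordered one (UNE, UGT, ULT) is true, so FCMP_ONE currently yields true and FCMP_UGT/FCMP_ULT yield false once the PHI in the @@ -1269 hunk routes `NaNcmp_result` to all of them. `bool NaNcmp_result = CmpInst::isUnordered(FcmpInst->getPredicate());` gives the right value for every predicate the switch handles. Separately, `const unsigned long long MinusZero = 1UL << (sizeInBits - 1U);` shifts an `unsigned long`, which is 32 bits on LLP64 targets and makes the 64-bit case undefined — write `1ULL`. The comment `/* Shift right 1 Bit, ignore sign bit */` above `nan_op1` describes a shift the code does not perform (it is `Instruction::Shl`, same as `nan_op0`), and the commented-out `errs()` debug block should be dropped rather than committed. splitFPCompares starts and ends outside the hunk.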
@@ -962,9 +1059,9 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) { BranchInst::Create(end_bb, middle_bb); - auto term = bb->getTerminator(); + term = nonan_bb->getTerminator(); /* if the signs are different goto end_bb else to signequal_bb */ - BranchInst::Create(signequal_bb, end_bb, icmp_sign_bit, bb); + BranchInst::Create(signequal_bb, end_bb, icmp_sign_bit, nonan_bb); term->eraseFromParent(); /* insert code for equal signs */ @@ -1261,7 +1358,7 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) { } - PHINode *PN = PHINode::Create(Int1Ty, 3, ""); + PHINode *PN = PHINode::Create(Int1Ty, 4, ""); switch (FcmpInst->getPredicate()) { 
@@ -1269,37 +1366,45 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) { case CmpInst::FCMP_OEQ: /* unequal signs cannot be equal values */ /* goto false branch */ - PN->addIncoming(ConstantInt::get(Int1Ty, 0), bb); + PN->addIncoming(ConstantInt::get(Int1Ty, 0), nonan_bb); /* unequal exponents cannot be equal values, too */ PN->addIncoming(ConstantInt::get(Int1Ty, 0), signequal_bb); /* fractions comparison */ PN->addIncoming(icmp_fraction_result, middle2_bb); + /* NaNs */ + PN->addIncoming(ConstantInt::get(Int1Ty, NaNcmp_result), bb); break; case CmpInst::FCMP_ONE: case CmpInst::FCMP_UNE: /* unequal signs are unequal values */ /* goto true branch */ - PN->addIncoming(ConstantInt::get(Int1Ty, 1), bb); + PN->addIncoming(ConstantInt::get(Int1Ty, 1), nonan_bb); /* unequal exponents are unequal values, too */ PN->addIncoming(icmp_exponent_result, signequal_bb); /* fractions comparison */ PN->addIncoming(icmp_fraction_result, middle2_bb); + /* NaNs */ + PN->addIncoming(ConstantInt::get(Int1Ty, NaNcmp_result), bb); break; case CmpInst::FCMP_OGT: case CmpInst::FCMP_UGT: /* if op1 is negative goto true branch, else go on comparing */ - PN->addIncoming(t_s1, bb); + PN->addIncoming(t_s1, nonan_bb); PN->addIncoming(icmp_exponent_result, signequal2_bb); PN->addIncoming(PN2, middle2_bb); + /* NaNs */ + PN->addIncoming(ConstantInt::get(Int1Ty, NaNcmp_result), bb); break; case CmpInst::FCMP_OLT: case CmpInst::FCMP_ULT: /* if op0 is negative goto true branch, else go on comparing */ - PN->addIncoming(t_s0, bb); + PN->addIncoming(t_s0, nonan_bb); PN->addIncoming(icmp_exponent_result, signequal2_bb); PN->addIncoming(PN2, middle2_bb); + /* NaNs */ + PN->addIncoming(ConstantInt::get(Int1Ty, NaNcmp_result), bb); break; default: continue; 
@@ -1341,18 +1446,15 @@ bool SplitComparesTransform::runOnModule(Module &M) { if (enableFPSplit) { + simplifyFPCompares(M); count = splitFPCompares(M); - /* - if (!be_quiet) { + if (!be_quiet && !debug) { - errs() << "Split-floatingpoint-compare-pass: " << count - << " FP comparisons split\n"; + errs() << "Split-floatingpoint-compare-pass: " << count + << " FP comparisons splitted\n"; - } - - */ - simplifyFPCompares(M); + } } diff --git a/qemu_mode/QEMUAFL_VERSION b/qemu_mode/QEMUAFL_VERSION index 680c04d6..0c5c12d3 100644 --- a/qemu_mode/QEMUAFL_VERSION +++ b/qemu_mode/QEMUAFL_VERSION @@ -1 +1 @@ -002e473939 +ce65a7349e diff --git a/qemu_mode/README.md b/qemu_mode/README.md index 8e04cbf9..a045ef4f 100644 --- a/qemu_mode/README.md +++ b/qemu_mode/README.md @@ -1,6 +1,6 @@ # High-performance binary-only instrumentation for afl-fuzz -For the general instruction manual, see [README.md](../README.md). +For the general instruction manual, see [docs/README.md](../docs/README.md). ## 1) Introduction diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl -Subproject 002e473939a350854d56f67ce7b2e2d9706b8bc +Subproject ce65a7349e7156e052b37a660422cad8346764d diff --git a/src/afl-cc.c b/src/afl-cc.c index 1448d8ae..cafb8e32 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -395,7 +395,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { snprintf(llvm_fullpath, sizeof(llvm_fullpath), "%s/clang", LLVM_BINDIR); else - snprintf(llvm_fullpath, sizeof(llvm_fullpath), CLANGPP_BIN); + snprintf(llvm_fullpath, sizeof(llvm_fullpath), CLANG_BIN); alt_cc = llvm_fullpath; } diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index fa413dcf..2d88896f 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c 
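Review bot: The uncommented status message reads `" FP comparisons splitted\n"`; the word is "split", and the same message was previously spelled that way in the removed comment, so `<< " FP comparisons split\n"` keeps it consistent with the other pass output. runOnModule starts and ends outside the hunk.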
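Review bot: `snprintf(llvm_fullpath, sizeof(llvm_fullpath), CLANG_BIN);` passes the build-time path macro as the format string, whereas the sibling branch just above uses a `"%s/clang"` format with the path as an argument; a `%` in a configured clang path would be interpreted as a conversion here (CERT FIO30-C). Since the line is being corrected anyway (the CLANGPP_BIN→CLANG_BIN fix itself is right), write it as `snprintf(llvm_fullpath, sizeof(llvm_fullpath), "%s", CLANG_BIN);`. edit_params starts and ends outside the hunk.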
@@ -491,13 +491,13 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { #ifndef SIMPLE_FILES queue_fn = alloc_printf( - "%s/queue/id:%06u,%s", afl->out_dir, afl->queued_paths, + "%s/queue/id:%06u,%s", afl->out_dir, afl->queued_items, describe_op(afl, new_bits, NAME_MAX - strlen("id:000000,"))); #else queue_fn = - alloc_printf("%s/queue/id_%06u", afl->out_dir, afl->queued_paths); + alloc_printf("%s/queue/id_%06u", afl->out_dir, afl->queued_items); #endif /* ^!SIMPLE_FILES */ fd = open(queue_fn, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION); @@ -586,7 +586,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { ++afl->total_tmouts; - if (afl->unique_hangs >= KEEP_UNIQUE_HANG) { return keeping; } + if (afl->saved_hangs >= KEEP_UNIQUE_HANG) { return keeping; } if (likely(!afl->non_instrumented_mode)) { @@ -603,7 +603,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { } - ++afl->unique_tmouts; + ++afl->saved_tmouts; #ifdef INTROSPECTION if (afl->custom_mutators_count && afl->current_custom_fuzz) { @@ -661,17 +661,17 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { #ifndef SIMPLE_FILES snprintf(fn, PATH_MAX, "%s/hangs/id:%06llu,%s", afl->out_dir, - afl->unique_hangs, + afl->saved_hangs, describe_op(afl, 0, NAME_MAX - strlen("id:000000,"))); #else snprintf(fn, PATH_MAX, "%s/hangs/id_%06llu", afl->out_dir, - afl->unique_hangs); + afl->saved_hangs); #endif /* ^!SIMPLE_FILES */ - ++afl->unique_hangs; + ++afl->saved_hangs; afl->last_hang_time = get_cur_time(); @@ -687,7 +687,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { ++afl->total_crashes; - if (afl->unique_crashes >= KEEP_UNIQUE_CRASH) { return keeping; } + if (afl->saved_crashes >= KEEP_UNIQUE_CRASH) { return keeping; } if (likely(!afl->non_instrumented_mode)) { 
@@ -699,22 +699,22 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { } - if (unlikely(!afl->unique_crashes)) { write_crash_readme(afl); } + if (unlikely(!afl->saved_crashes)) { write_crash_readme(afl); } #ifndef SIMPLE_FILES snprintf(fn, PATH_MAX, "%s/crashes/id:%06llu,sig:%02u,%s", afl->out_dir, - afl->unique_crashes, afl->fsrv.last_kill_signal, + afl->saved_crashes, afl->fsrv.last_kill_signal, describe_op(afl, 0, NAME_MAX - strlen("id:000000,sig:00,"))); #else snprintf(fn, PATH_MAX, "%s/crashes/id_%06llu_%02u", afl->out_dir, - afl->unique_crashes, afl->last_kill_signal); + afl->saved_crashes, afl->last_kill_signal); #endif /* ^!SIMPLE_FILES */ - ++afl->unique_crashes; + ++afl->saved_crashes; #ifdef INTROSPECTION if (afl->custom_mutators_count && afl->current_custom_fuzz) { diff --git a/src/afl-fuzz-cmplog.c b/src/afl-fuzz-cmplog.c index 6fc926f0..28a3ae3f 100644 --- a/src/afl-fuzz-cmplog.c +++ b/src/afl-fuzz-cmplog.c @@ -59,7 +59,7 @@ u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { if (afl->subseq_tmouts++ > TMOUT_LIMIT) { - ++afl->cur_skipped_paths; + ++afl->cur_skipped_items; return 1; } @@ -76,7 +76,7 @@ u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { if (afl->skip_requested) { afl->skip_requested = 0; - ++afl->cur_skipped_paths; + ++afl->cur_skipped_items; return 1; } diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 4c030c0a..e4b83fa5 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -638,8 +638,8 @@ void read_foreign_testcases(afl_state_t *afl, int first) { if (first) { - afl->last_path_time = 0; - afl->queued_at_start = afl->queued_paths; + afl->last_find_time = 0; + afl->queued_at_start = afl->queued_items; } 
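Review bot: The changed `#else` line in save_if_interesting still passes `afl->last_kill_signal`, while the `#ifndef SIMPLE_FILES` branch a few lines above reads `afl->fsrv.last_kill_signal`; if the signal now lives only in the forkserver state, the SIMPLE_FILES build will not compile, and the rename pass touching this exact line was the natural moment to align it: `afl->saved_crashes, afl->fsrv.last_kill_signal);`. This is inferred from the two branches as shown in the hunk, so a build with SIMPLE_FILES defined would settle it. save_if_interesting begins and ends outside this hunk.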
@@ -812,7 +812,7 @@ void read_testcases(afl_state_t *afl, u8 *directory) { free(nl); /* not tracked */ - if (!afl->queued_paths && directory == NULL) { + if (!afl->queued_items && directory == NULL) { SAYF("\n" cLRD "[-] " cRST "Looks like there are no valid test cases in the input directory! The " @@ -841,8 +841,8 @@ void read_testcases(afl_state_t *afl, u8 *directory) { } - afl->last_path_time = 0; - afl->queued_at_start = afl->queued_paths; + afl->last_find_time = 0; + afl->queued_at_start = afl->queued_items; } @@ -855,7 +855,7 @@ void perform_dry_run(afl_state_t *afl) { u32 cal_failures = 0, idx; u8 * use_mem; - for (idx = 0; idx < afl->queued_paths; idx++) { + for (idx = 0; idx < afl->queued_items; idx++) { q = afl->queue_buf[idx]; if (unlikely(!q || q->disabled)) { continue; } @@ -920,7 +920,7 @@ void perform_dry_run(afl_state_t *afl) { q->was_fuzzed = 1; --afl->pending_not_fuzzed; - --afl->active_paths; + --afl->active_items; } @@ -1051,7 +1051,7 @@ void perform_dry_run(afl_state_t *afl) { q->was_fuzzed = 1; --afl->pending_not_fuzzed; - --afl->active_paths; + --afl->active_items; } @@ -1059,14 +1059,14 @@ void perform_dry_run(afl_state_t *afl) { q->perf_score = 0; u32 i = 0; - while (unlikely(i < afl->queued_paths && afl->queue_buf[i] && + while (unlikely(i < afl->queued_items && afl->queue_buf[i] && afl->queue_buf[i]->disabled)) { ++i; } - if (i < afl->queued_paths && afl->queue_buf[i]) { + if (i < afl->queued_items && afl->queue_buf[i]) { afl->queue = afl->queue_buf[i]; @@ -1077,7 +1077,7 @@ void perform_dry_run(afl_state_t *afl) { } afl->max_depth = 0; - for (i = 0; i < afl->queued_paths && likely(afl->queue_buf[i]); i++) { + for (i = 0; i < afl->queued_items && likely(afl->queue_buf[i]); i++) { if (!afl->queue_buf[i]->disabled && afl->queue_buf[i]->depth > afl->max_depth) 
@@ -1118,16 +1118,16 @@ void perform_dry_run(afl_state_t *afl) { if (cal_failures) { - if (cal_failures == afl->queued_paths) { + if (cal_failures == afl->queued_items) { FATAL("All test cases time out or crash, giving up!"); } WARNF("Skipped %u test cases (%0.02f%%) due to timeouts or crashes.", - cal_failures, ((double)cal_failures) * 100 / afl->queued_paths); + cal_failures, ((double)cal_failures) * 100 / afl->queued_items); - if (cal_failures * 5 > afl->queued_paths) { + if (cal_failures * 5 > afl->queued_items) { WARNF(cLRD "High percentage of rejected test cases, check settings!"); @@ -1139,14 +1139,14 @@ void perform_dry_run(afl_state_t *afl) { u32 duplicates = 0, i; - for (idx = 0; idx < afl->queued_paths; idx++) { + for (idx = 0; idx < afl->queued_items; idx++) { q = afl->queue_buf[idx]; if (!q || q->disabled || q->cal_failed || !q->exec_cksum) { continue; } u32 done = 0; for (i = idx + 1; - i < afl->queued_paths && !done && likely(afl->queue_buf[i]); i++) { + i < afl->queued_items && !done && likely(afl->queue_buf[i]); i++) { struct queue_entry *p = afl->queue_buf[i]; if (p->disabled || p->cal_failed || !p->exec_cksum) { continue; } @@ -1162,7 +1162,7 @@ void perform_dry_run(afl_state_t *afl) { p->was_fuzzed = 1; --afl->pending_not_fuzzed; - --afl->active_paths; + --afl->active_items; } @@ -1175,7 +1175,7 @@ void perform_dry_run(afl_state_t *afl) { q->was_fuzzed = 1; --afl->pending_not_fuzzed; - --afl->active_paths; + --afl->active_items; } @@ -1196,7 +1196,7 @@ void perform_dry_run(afl_state_t *afl) { afl->max_depth = 0; - for (idx = 0; idx < afl->queued_paths; idx++) { + for (idx = 0; idx < afl->queued_items; idx++) { if (afl->queue_buf[idx] && !afl->queue_buf[idx]->disabled && afl->queue_buf[idx]->depth > afl->max_depth) 
@@ -1254,7 +1254,7 @@ void pivot_inputs(afl_state_t *afl) { ACTF("Creating hard links for all input files..."); - for (i = 0; i < afl->queued_paths && likely(afl->queue_buf[i]); i++) { + for (i = 0; i < afl->queued_items && likely(afl->queue_buf[i]); i++) { q = afl->queue_buf[i]; @@ -1293,7 +1293,7 @@ void pivot_inputs(afl_state_t *afl) { if (src_str && sscanf(src_str + 1, "%06u", &src_id) == 1) { - if (src_id < afl->queued_paths) { + if (src_id < afl->queued_items) { struct queue_entry *s = afl->queue_buf[src_id]; @@ -1391,11 +1391,11 @@ u32 find_start_position(afl_state_t *afl) { (void)i; /* Ignore errors */ close(fd); - off = strstr(tmp, "cur_path : "); + off = strstr(tmp, "cur_item : "); if (!off) { return 0; } ret = atoi(off + 20); - if (ret >= afl->queued_paths) { ret = 0; } + if (ret >= afl->queued_items) { ret = 0; } return ret; } @@ -2040,9 +2040,9 @@ void setup_dirs_fds(afl_state_t *afl) { fprintf( afl->fsrv.plot_file, - "# relative_time, cycles_done, cur_path, paths_total, " - "pending_total, pending_favs, map_size, unique_crashes, " - "unique_hangs, max_depth, execs_per_sec, total_execs, edges_found\n"); + "# relative_time, cycles_done, cur_item, corpus_count, " + "pending_total, pending_favs, map_size, saved_crashes, " + "saved_hangs, max_depth, execs_per_sec, total_execs, edges_found\n"); } else { diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index f4d3b77f..426a6507 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -423,7 +423,7 @@ u8 fuzz_one_original(afl_state_t *afl) { } else if (!afl->non_instrumented_mode && !afl->queue_cur->favored && - afl->queued_paths > 10) { + afl->queued_items > 10) { /* Otherwise, still possibly skip non-favored cases, albeit less often. The odds of skipping stuff are higher for already-fuzzed inputs and 
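Review bot: find_start_position now searches only for the `cur_item` key, so resuming a session whose fuzzer_stats was written before this rename silently falls into the `if (!off) { return 0; }` path and restarts from entry 0 instead of where the previous run stopped. The same break applies to the `load_stats_file` hunks in src/afl-fuzz-stats.c, where `corpus_count`, `corpus_found` and `corpus_imported` replace `paths_total`, `paths_found` and `paths_imported`, so an older stats file loses the queue-modification warning and the discovered/imported counters without any message. A transition fallback keeps old output directories resumable: here, retry the strstr with the legacy `cur_path` key when `off` is NULL, and in load_stats_file accept both spellings, e.g. `if (!strcmp(keystring, "corpus_count ") || !strcmp(keystring, "paths_total ")) {`. The plot_data header rename in setup_dirs_fds is harmless for positional parsers but should be called out in the changelog for tools that match column names.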
@@ -447,9 +447,9 @@ u8 fuzz_one_original(afl_state_t *afl) { if (unlikely(afl->not_on_tty)) { ACTF( - "Fuzzing test case #%u (%u total, %llu uniq crashes found, " + "Fuzzing test case #%u (%u total, %llu crashes saved, " "perf_score=%0.0f, exec_us=%llu, hits=%u, map=%u, ascii=%u)...", - afl->current_entry, afl->queued_paths, afl->unique_crashes, + afl->current_entry, afl->queued_items, afl->saved_crashes, afl->queue_cur->perf_score, afl->queue_cur->exec_us, likely(afl->n_fuzz) ? afl->n_fuzz[afl->queue_cur->n_fuzz_entry] : 0, afl->queue_cur->bitmap_size, afl->queue_cur->is_ascii); @@ -492,7 +492,7 @@ u8 fuzz_one_original(afl_state_t *afl) { if (unlikely(afl->stop_soon) || res != afl->crash_mode) { - ++afl->cur_skipped_paths; + ++afl->cur_skipped_items; goto abandon_entry; } @@ -519,7 +519,7 @@ u8 fuzz_one_original(afl_state_t *afl) { if (unlikely(afl->stop_soon)) { - ++afl->cur_skipped_paths; + ++afl->cur_skipped_items; goto abandon_entry; } @@ -547,7 +547,7 @@ u8 fuzz_one_original(afl_state_t *afl) { afl->queue_cur->perf_score = orig_perf = perf_score = calculate_score(afl, afl->queue_cur); - if (unlikely(perf_score <= 0 && afl->active_paths > 1)) { + if (unlikely(perf_score <= 0 && afl->active_items > 1)) { goto abandon_entry; @@ -566,8 +566,8 @@ u8 fuzz_one_original(afl_state_t *afl) { if (afl->cmplog_lvl == 3 || (afl->cmplog_lvl == 2 && afl->queue_cur->tc_ref) || afl->queue_cur->favored || - !(afl->fsrv.total_execs % afl->queued_paths) || - get_cur_time() - afl->last_path_time > 300000) { // 300 seconds + !(afl->fsrv.total_execs % afl->queued_items) || + get_cur_time() - afl->last_find_time > 300000) { // 300 seconds if (input_to_state_stage(afl, in_buf, out_buf, len)) { @@ -630,7 +630,7 @@ u8 fuzz_one_original(afl_state_t *afl) { afl->stage_val_type = STAGE_VAL_NONE; - orig_hit_cnt = afl->queued_paths + afl->unique_crashes; + orig_hit_cnt = afl->queued_items + afl->saved_crashes; prev_cksum = afl->queue_cur->exec_cksum; 
@@ -734,7 +734,7 @@ u8 fuzz_one_original(afl_state_t *afl) { } - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_FLIP1] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP1] += afl->stage_max; @@ -766,7 +766,7 @@ u8 fuzz_one_original(afl_state_t *afl) { } - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_FLIP2] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP2] += afl->stage_max; @@ -802,7 +802,7 @@ u8 fuzz_one_original(afl_state_t *afl) { } - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_FLIP4] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP4] += afl->stage_max; @@ -909,7 +909,7 @@ u8 fuzz_one_original(afl_state_t *afl) { afl->blocks_eff_total += EFF_ALEN(len); - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_FLIP8] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP8] += afl->stage_max; @@ -952,7 +952,7 @@ u8 fuzz_one_original(afl_state_t *afl) { } - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_FLIP16] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP16] += afl->stage_max; @@ -995,7 +995,7 @@ u8 fuzz_one_original(afl_state_t *afl) { } - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_FLIP32] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP32] += afl->stage_max; 
@@ -1087,7 +1087,7 @@ skip_bitflip: } - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_ARITH8] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_ARITH8] += afl->stage_max; @@ -1217,7 +1217,7 @@ skip_bitflip: } - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_ARITH16] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_ARITH16] += afl->stage_max; @@ -1346,7 +1346,7 @@ skip_bitflip: } - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_ARITH32] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_ARITH32] += afl->stage_max; @@ -1412,7 +1412,7 @@ skip_arith: } - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_INTEREST8] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_INTEREST8] += afl->stage_max; @@ -1500,7 +1500,7 @@ skip_arith: } - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_INTEREST16] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_INTEREST16] += afl->stage_max; @@ -1589,7 +1589,7 @@ skip_arith: } - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_INTEREST32] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_INTEREST32] += afl->stage_max; @@ -1662,7 +1662,7 @@ skip_interest: } - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_EXTRAS_UO] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_EXTRAS_UO] += afl->stage_max; 
@@ -1718,7 +1718,7 @@ skip_interest: } - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_EXTRAS_UI] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_EXTRAS_UI] += afl->stage_max; @@ -1776,7 +1776,7 @@ skip_user_extras: } - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_EXTRAS_AO] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_EXTRAS_AO] += afl->stage_max; @@ -1806,7 +1806,7 @@ custom_mutator_stage: const u32 max_seed_size = MAX_FILE, saved_max = afl->stage_max; - orig_hit_cnt = afl->queued_paths + afl->unique_crashes; + orig_hit_cnt = afl->queued_items + afl->saved_crashes; #ifdef INTROSPECTION afl->mutation[0] = 0; @@ -1850,7 +1850,7 @@ custom_mutator_stage: do { - tid = rand_below(afl, afl->queued_paths); + tid = rand_below(afl, afl->queued_items); } while (unlikely(tid == afl->current_entry || @@ -1890,7 +1890,7 @@ custom_mutator_stage: /* If we're finding new stuff, let's run for a bit longer, limits permitting. */ - if (afl->queued_paths != havoc_queued) { + if (afl->queued_items != havoc_queued) { if (perf_score <= afl->havoc_max_mult * 100) { @@ -1899,7 +1899,7 @@ custom_mutator_stage: } - havoc_queued = afl->queued_paths; + havoc_queued = afl->queued_items; } @@ -1926,7 +1926,7 @@ custom_mutator_stage: if (!has_custom_fuzz) goto havoc_stage; - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_CUSTOM_MUTATOR] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_CUSTOM_MUTATOR] += afl->stage_max; @@ -1972,9 +1972,9 @@ havoc_stage: temp_len = len; - orig_hit_cnt = afl->queued_paths + afl->unique_crashes; + orig_hit_cnt = afl->queued_items + afl->saved_crashes; - havoc_queued = afl->queued_paths; + havoc_queued = afl->queued_items; if (afl->custom_mutators_count) { 
@@ -2023,7 +2023,7 @@ havoc_stage: } - if (unlikely(get_cur_time() - afl->last_path_time > 5000 /* 5 seconds */ && + if (unlikely(get_cur_time() - afl->last_find_time > 5000 /* 5 seconds */ && afl->ready_for_splicing_count > 1)) { /* add expensive havoc cases here if there is no findings in the last 5s */ @@ -2669,7 +2669,7 @@ havoc_stage: u32 tid; do { - tid = rand_below(afl, afl->queued_paths); + tid = rand_below(afl, afl->queued_items); } while (tid == afl->current_entry || afl->queue_buf[tid]->len < 4); @@ -2757,7 +2757,7 @@ havoc_stage: /* If we're finding new stuff, let's run for a bit longer, limits permitting. */ - if (afl->queued_paths != havoc_queued) { + if (afl->queued_items != havoc_queued) { if (perf_score <= afl->havoc_max_mult * 100) { @@ -2766,13 +2766,13 @@ havoc_stage: } - havoc_queued = afl->queued_paths; + havoc_queued = afl->queued_items; } } - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; if (!splice_cycle) { @@ -2821,7 +2821,7 @@ retry_splicing: do { - tid = rand_below(afl, afl->queued_paths); + tid = rand_below(afl, afl->queued_items); } while (tid == afl->current_entry || afl->queue_buf[tid]->len < 4); @@ -2945,7 +2945,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { } else if (!afl->non_instrumented_mode && !afl->queue_cur->favored && - afl->queued_paths > 10) { + afl->queued_items > 10) { /* Otherwise, still possibly skip non-favored cases, albeit less often. The odds of skipping stuff are higher for already-fuzzed inputs and @@ -2968,8 +2968,8 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { if (afl->not_on_tty) { - ACTF("Fuzzing test case #%u (%u total, %llu uniq crashes found)...", - afl->current_entry, afl->queued_paths, afl->unique_crashes); + ACTF("Fuzzing test case #%u (%u total, %llu crashes saved)...", + afl->current_entry, afl->queued_items, afl->saved_crashes); fflush(stdout); } 
@@ -3010,7 +3010,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { if (afl->stop_soon || res != afl->crash_mode) { - ++afl->cur_skipped_paths; + ++afl->cur_skipped_items; goto abandon_entry; } @@ -3037,7 +3037,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { if (unlikely(afl->stop_soon)) { - ++afl->cur_skipped_paths; + ++afl->cur_skipped_items; goto abandon_entry; } @@ -3064,7 +3064,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { else orig_perf = perf_score = calculate_score(afl, afl->queue_cur); - if (unlikely(perf_score <= 0 && afl->active_paths > 1)) { + if (unlikely(perf_score <= 0 && afl->active_items > 1)) { goto abandon_entry; @@ -3082,8 +3082,8 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { if (afl->cmplog_lvl == 3 || (afl->cmplog_lvl == 2 && afl->queue_cur->tc_ref) || - !(afl->fsrv.total_execs % afl->queued_paths) || - get_cur_time() - afl->last_path_time > 300000) { // 300 seconds + !(afl->fsrv.total_execs % afl->queued_items) || + get_cur_time() - afl->last_find_time > 300000) { // 300 seconds if (input_to_state_stage(afl, in_buf, out_buf, len)) { @@ -3101,10 +3101,10 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { cur_ms_lv = get_cur_time(); if (!(afl->key_puppet == 0 && - ((cur_ms_lv - afl->last_path_time < (u32)afl->limit_time_puppet) || + ((cur_ms_lv - afl->last_find_time < (u32)afl->limit_time_puppet) || (afl->last_crash_time != 0 && cur_ms_lv - afl->last_crash_time < (u32)afl->limit_time_puppet) || - afl->last_path_time == 0))) { + afl->last_find_time == 0))) { afl->key_puppet = 1; goto pacemaker_fuzzing; 
@@ -3156,7 +3156,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { afl->stage_val_type = STAGE_VAL_NONE; - orig_hit_cnt = afl->queued_paths + afl->unique_crashes; + orig_hit_cnt = afl->queued_items + afl->saved_crashes; prev_cksum = afl->queue_cur->exec_cksum; @@ -3259,7 +3259,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { } /* for afl->stage_cur */ - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_FLIP1] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP1] += afl->stage_max; @@ -3290,7 +3290,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { } /* for afl->stage_cur */ - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_FLIP2] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP2] += afl->stage_max; @@ -3325,7 +3325,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { } /* for afl->stage_cur */ - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_FLIP4] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP4] += afl->stage_max; @@ -3431,7 +3431,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { afl->blocks_eff_total += EFF_ALEN(len); - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_FLIP8] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP8] += afl->stage_max; 
@@ -3473,7 +3473,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { } /* for i = 0; i < len */ - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_FLIP16] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP16] += afl->stage_max; @@ -3515,7 +3515,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { } /* for i = 0; i < len - 3 */ - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_FLIP32] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP32] += afl->stage_max; @@ -3605,7 +3605,7 @@ skip_bitflip: } /* for i = 0; i < len */ - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_ARITH8] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_ARITH8] += afl->stage_max; @@ -3731,7 +3731,7 @@ skip_bitflip: } /* for i = 0; i < len - 1 */ - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_ARITH16] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_ARITH16] += afl->stage_max; @@ -3856,7 +3856,7 @@ skip_bitflip: } /* for i = 0; i < len - 3 */ - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_ARITH32] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_ARITH32] += afl->stage_max; @@ -3921,7 +3921,7 @@ skip_arith: } /* for i = 0; i < len */ - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_INTEREST8] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_INTEREST8] += afl->stage_max; 
@@ -4007,7 +4007,7 @@ skip_arith: } /* for i = 0; i < len - 1 */ - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_INTEREST16] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_INTEREST16] += afl->stage_max; @@ -4094,7 +4094,7 @@ skip_arith: } /* for i = 0; i < len - 3 */ - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_INTEREST32] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_INTEREST32] += afl->stage_max; @@ -4167,7 +4167,7 @@ skip_interest: } /* for i = 0; i < len */ - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_EXTRAS_UO] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_EXTRAS_UO] += afl->stage_max; @@ -4223,7 +4223,7 @@ skip_interest: } /* for i = 0; i <= len */ - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_EXTRAS_UI] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_EXTRAS_UI] += afl->stage_max; @@ -4282,7 +4282,7 @@ skip_user_extras: } /* for i = 0; i < len */ - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_EXTRAS_AO] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_EXTRAS_AO] += afl->stage_max; @@ -4335,7 +4335,7 @@ pacemaker_fuzzing: if (unlikely(afl->orig_hit_cnt_puppet == 0)) { - afl->orig_hit_cnt_puppet = afl->queued_paths + afl->unique_crashes; + afl->orig_hit_cnt_puppet = afl->queued_items + afl->saved_crashes; afl->last_limit_time_start = get_cur_time(); afl->SPLICE_CYCLES_puppet = (rand_below( 
@@ -4380,9 +4380,9 @@ pacemaker_fuzzing: temp_len = len; - orig_hit_cnt = afl->queued_paths + afl->unique_crashes; + orig_hit_cnt = afl->queued_items + afl->saved_crashes; - havoc_queued = afl->queued_paths; + havoc_queued = afl->queued_items; u32 r_max; @@ -4948,7 +4948,7 @@ pacemaker_fuzzing: u32 tid; do { - tid = rand_below(afl, afl->queued_paths); + tid = rand_below(afl, afl->queued_items); } while (tid == afl->current_entry || @@ -5029,7 +5029,7 @@ pacemaker_fuzzing: ++*MOpt_globals.pTime; - u64 temp_total_found = afl->queued_paths + afl->unique_crashes; + u64 temp_total_found = afl->queued_items + afl->saved_crashes; if (common_fuzz_stuff(afl, out_buf, temp_len)) { @@ -5048,7 +5048,7 @@ pacemaker_fuzzing: /* If we're finding new stuff, let's run for a bit longer, limits permitting. */ - if (afl->queued_paths != havoc_queued) { + if (afl->queued_items != havoc_queued) { if (perf_score <= afl->havoc_max_mult * 100) { @@ -5057,15 +5057,15 @@ pacemaker_fuzzing: } - havoc_queued = afl->queued_paths; + havoc_queued = afl->queued_items; } - if (unlikely(afl->queued_paths + afl->unique_crashes > + if (unlikely(afl->queued_items + afl->saved_crashes > temp_total_found)) { u64 temp_temp_puppet = - afl->queued_paths + afl->unique_crashes - temp_total_found; + afl->queued_items + afl->saved_crashes - temp_total_found; afl->total_puppet_find = afl->total_puppet_find + temp_temp_puppet; if (MOpt_globals.is_pilot_mode) { @@ -5099,7 +5099,7 @@ pacemaker_fuzzing: ++afl->stage_cur) { */ - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; if (MOpt_globals.is_pilot_mode) { @@ -5149,7 +5149,7 @@ pacemaker_fuzzing: do { - tid = rand_below(afl, afl->queued_paths); + tid = rand_below(afl, afl->queued_items); } while (tid == afl->current_entry || afl->queue_buf[tid]->len < 4); 
@@ -5235,8 +5235,8 @@ pacemaker_fuzzing: if (afl->key_puppet == 1) { if (unlikely( - afl->queued_paths + afl->unique_crashes > - ((afl->queued_paths + afl->unique_crashes) * limit_time_bound + + afl->queued_items + afl->saved_crashes > + ((afl->queued_items + afl->saved_crashes) * limit_time_bound + afl->orig_hit_cnt_puppet))) { afl->key_puppet = 0; @@ -5251,7 +5251,7 @@ pacemaker_fuzzing: afl->total_pacemaker_time += *MOpt_globals.pTime; *MOpt_globals.pTime = 0; - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; if (MOpt_globals.is_pilot_mode) { diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c index 1523d556..2d76e4d2 100644 --- a/src/afl-fuzz-queue.c +++ b/src/afl-fuzz-queue.c @@ -31,7 +31,7 @@ inline u32 select_next_queue_entry(afl_state_t *afl) { - u32 s = rand_below(afl, afl->queued_paths); + u32 s = rand_below(afl, afl->queued_items); double p = rand_next_percent(afl); /* fprintf(stderr, "select: p=%f s=%u ... p < prob[s]=%f ? s=%u : alias[%u]=%u" @@ -69,7 +69,7 @@ double compute_weight(afl_state_t *afl, struct queue_entry *q, void create_alias_table(afl_state_t *afl) { - u32 n = afl->queued_paths, i = 0, a, g; + u32 n = afl->queued_items, i = 0, a, g; double sum = 0; afl->alias_table = 
@@ -547,19 +547,19 @@ void add_to_queue(afl_state_t *afl, u8 *fname, u32 len, u8 passed_det) { if (likely(q->len > 4)) afl->ready_for_splicing_count++; - ++afl->queued_paths; - ++afl->active_paths; + ++afl->queued_items; + ++afl->active_items; ++afl->pending_not_fuzzed; afl->cycles_wo_finds = 0; struct queue_entry **queue_buf = afl_realloc( - AFL_BUF_PARAM(queue), afl->queued_paths * sizeof(struct queue_entry *)); + AFL_BUF_PARAM(queue), afl->queued_items * sizeof(struct queue_entry *)); if (unlikely(!queue_buf)) { PFATAL("alloc"); } - queue_buf[afl->queued_paths - 1] = q; - q->id = afl->queued_paths - 1; + queue_buf[afl->queued_items - 1] = q; + q->id = afl->queued_items - 1; - afl->last_path_time = get_cur_time(); + afl->last_find_time = get_cur_time(); if (afl->custom_mutators_count) { @@ -583,7 +583,7 @@ void destroy_queue(afl_state_t *afl) { u32 i; - for (i = 0; i < afl->queued_paths; i++) { + for (i = 0; i < afl->queued_items; i++) { struct queue_entry *q; @@ -737,7 +737,7 @@ void cull_queue(afl_state_t *afl) { afl->queued_favored = 0; afl->pending_favored = 0; - for (i = 0; i < afl->queued_paths; i++) { + for (i = 0; i < afl->queued_items; i++) { afl->queue_buf[i]->favored = 0; @@ -782,7 +782,7 @@ void cull_queue(afl_state_t *afl) { } - for (i = 0; i < afl->queued_paths; i++) { + for (i = 0; i < afl->queued_items; i++) { if (likely(!afl->queue_buf[i]->disabled)) { @@ -915,7 +915,7 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) { } - u32 n_paths; + u32 n_items; double factor = 1.0; long double fuzz_mu; 
@@ -933,26 +933,26 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) { case COE: fuzz_mu = 0.0; - n_paths = 0; + n_items = 0; // Don't modify perf_score for unfuzzed seeds if (q->fuzz_level == 0) break; u32 i; - for (i = 0; i < afl->queued_paths; i++) { + for (i = 0; i < afl->queued_items; i++) { if (likely(!afl->queue_buf[i]->disabled)) { fuzz_mu += log2(afl->n_fuzz[afl->queue_buf[i]->n_fuzz_entry]); - n_paths++; + n_items++; } } - if (unlikely(!n_paths)) { FATAL("Queue state corrupt"); } + if (unlikely(!n_items)) { FATAL("Queue state corrupt"); } - fuzz_mu = fuzz_mu / n_paths; + fuzz_mu = fuzz_mu / n_items; if (log2(afl->n_fuzz[q->n_fuzz_entry]) > fuzz_mu) { @@ -1018,7 +1018,7 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) { -- rare. the simpler algo however is good when rare is not. // the newer the entry, the higher the pref_score perf_score *= (1 + (double)((double)q->depth / - (double)afl->queued_paths)); + (double)afl->queued_items)); // with special focus on the last 8 entries if (afl->max_depth - q->depth < 8) perf_score *= (1 + ((8 - (afl->max_depth - q->depth)) / 5)); diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 0a6e5eee..e363dffd 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -276,7 +276,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, #endif u64 orig_hit_cnt, new_hit_cnt, exec_cksum; - orig_hit_cnt = afl->queued_paths + afl->unique_crashes; + orig_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_name = "colorization"; afl->stage_short = "colorization"; @@ -424,7 +424,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, } - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; #if defined(_DEBUG) || defined(CMPLOG_INTROSPECTION) FILE *f = stderr; 
@@ -461,7 +461,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, if (afl->colorize_success && afl->cmplog_lvl < 3 && (positions > CMPLOG_POSITIONS_MAX && len / positions == 1 && - afl->active_paths / afl->colorize_success > CMPLOG_CORPUS_PERCENT)) { + afl->active_items / afl->colorize_success > CMPLOG_CORPUS_PERCENT)) { #ifdef _DEBUG fprintf(stderr, "Colorization unsatisfactory\n"); @@ -517,7 +517,7 @@ static u8 its_fuzz(afl_state_t *afl, u8 *buf, u32 len, u8 *status) { u64 orig_hit_cnt, new_hit_cnt; - orig_hit_cnt = afl->queued_paths + afl->unique_crashes; + orig_hit_cnt = afl->queued_items + afl->saved_crashes; #ifdef _DEBUG dump("DATA", buf, len); @@ -525,7 +525,7 @@ static u8 its_fuzz(afl_state_t *afl, u8 *buf, u32 len, u8 *status) { if (unlikely(common_fuzz_stuff(afl, buf, len))) { return 1; } - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; if (unlikely(new_hit_cnt != orig_hit_cnt)) { @@ -2720,7 +2720,7 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len) { u64 orig_hit_cnt, new_hit_cnt; u64 orig_execs = afl->fsrv.total_execs; - orig_hit_cnt = afl->queued_paths + afl->unique_crashes; + orig_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_name = "input-to-state"; afl->stage_short = "its"; @@ -2845,7 +2845,7 @@ exit_its: } #ifdef CMPLOG_COMBINE - if (afl->queued_paths + afl->unique_crashes > orig_hit_cnt + 1) { + if (afl->queued_items + afl->saved_crashes > orig_hit_cnt + 1) { // copy the current virgin bits so we can recover the information u8 *virgin_save = afl_realloc((void **)&afl->eff_buf, afl->shm.map_size); @@ -2897,7 +2897,7 @@ exit_its: #endif - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_ITS] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_ITS] += afl->fsrv.total_execs - orig_execs; 
diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 2789b56f..d730876a 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -953,7 +953,7 @@ common_fuzz_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { if (afl->subseq_tmouts++ > TMOUT_LIMIT) { - ++afl->cur_skipped_paths; + ++afl->cur_skipped_items; return 1; } @@ -970,7 +970,7 @@ common_fuzz_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { if (afl->skip_requested) { afl->skip_requested = 0; - ++afl->cur_skipped_paths; + ++afl->cur_skipped_items; return 1; } diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 152bebe9..289f7e09 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -147,10 +147,10 @@ void load_stats_file(afl_state_t *afl) { afl->fsrv.total_execs = strtoull(lptr, &nptr, 10); break; case 10: - if (!strcmp(keystring, "paths_total ")) { + if (!strcmp(keystring, "corpus_count ")) { - u32 paths_total = strtoul(lptr, &nptr, 10); - if (paths_total != afl->queued_paths) { + u32 corpus_count = strtoul(lptr, &nptr, 10); + if (corpus_count != afl->queued_items) { WARNF( "queue/ has been modified -- things might not work, you're " @@ -162,11 +162,11 @@ void load_stats_file(afl_state_t *afl) { break; case 12: - if (!strcmp(keystring, "paths_found ")) + if (!strcmp(keystring, "corpus_found ")) afl->queued_discovered = strtoul(lptr, &nptr, 10); break; case 13: - if (!strcmp(keystring, "paths_imported ")) + if (!strcmp(keystring, "corpus_imported ")) afl->queued_imported = strtoul(lptr, &nptr, 10); break; case 14: 
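Review bot: load_stats_file() now matches only the new key spellings (`corpus_count `, `corpus_found `, `corpus_imported `), so a resume from a fuzzer_stats file written by an earlier release silently skips the queue/ consistency warning and leaves queued_discovered and queued_imported at zero. If resuming across versions is meant to keep working, accept both spellings for a transition period, e.g. `if (!strcmp(keystring, "corpus_count ") || !strcmp(keystring, "paths_total ")) {`, and likewise for the `corpus_found`/`corpus_imported` keys here and the `saved_crashes`/`saved_hangs` keys in the next hunk. The enclosing switch continues outside this hunk.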
@@ -174,12 +174,12 @@ void load_stats_file(afl_state_t *afl) { afl->max_depth = strtoul(lptr, &nptr, 10); break; case 21: - if (!strcmp(keystring, "unique_crashes ")) - afl->unique_crashes = strtoull(lptr, &nptr, 10); + if (!strcmp(keystring, "saved_crashes ")) + afl->saved_crashes = strtoull(lptr, &nptr, 10); break; case 22: - if (!strcmp(keystring, "unique_hangs ")) - afl->unique_hangs = strtoull(lptr, &nptr, 10); + if (!strcmp(keystring, "saved_hangs ")) + afl->saved_hangs = strtoull(lptr, &nptr, 10); break; default: break; @@ -190,7 +190,7 @@ void load_stats_file(afl_state_t *afl) { } - if (afl->unique_crashes) { write_crash_readme(afl); } + if (afl->saved_crashes) { write_crash_readme(afl); } return; 
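Review bot: `afl->max_depth = strtoul(lptr, &nptr, 10);` at the top of this hunk is still reached from `case 14`, but the rewritten write_stats_file() (the `@@ -243,96 +243,95 @@` hunk below) inserts `corpus_variable` as line 14 and moves `max_depth` to line 15, so on resume case 14 now sees the corpus_variable line; the other cases (10 → corpus_count, 21 → saved_crashes) show the counter is 1-based, so the shift is real. Whether that assigns the wrong value or silently skips the restore depends on the `strcmp` guard just above the hunk, which is not visible here, but either way max_depth is no longer restored. Renumber the case to 15 (and check `cur_item`, now line 16, if anything reads it positionally) or, better, drop the positional switch and match on keystring alone so reordering the file cannot desynchronise the reader.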
@@ -243,96 +243,95 @@ void write_stats_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg, if (getrusage(RUSAGE_CHILDREN, &rus)) { rus.ru_maxrss = 0; } #endif - fprintf(f, - "start_time : %llu\n" - "last_update : %llu\n" - "run_time : %llu\n" - "fuzzer_pid : %u\n" - "cycles_done : %llu\n" - "cycles_wo_finds : %llu\n" - "execs_done : %llu\n" - "execs_per_sec : %0.02f\n" - "execs_ps_last_min : %0.02f\n" - "paths_total : %u\n" - "paths_favored : %u\n" - "paths_found : %u\n" - "paths_imported : %u\n" - "max_depth : %u\n" - "cur_path : %u\n" /* Must match find_start_position() */ - "pending_favs : %u\n" - "pending_total : %u\n" - "variable_paths : %u\n" - "stability : %0.02f%%\n" - "bitmap_cvg : %0.02f%%\n" - "unique_crashes : %llu\n" - "unique_hangs : %llu\n" - "last_path : %llu\n" - "last_crash : %llu\n" - "last_hang : %llu\n" - "execs_since_crash : %llu\n" - "exec_timeout : %u\n" - "slowest_exec_ms : %u\n" - "peak_rss_mb : %lu\n" - "cpu_affinity : %d\n" - "edges_found : %u\n" - "total_edges : %u\n" - "var_byte_count : %u\n" - "havoc_expansion : %u\n" - "auto_dict_entries : %u\n" - "testcache_size : %llu\n" - "testcache_count : %u\n" - "testcache_evict : %u\n" - "afl_banner : %s\n" - "afl_version : " VERSION - "\n" - "target_mode : %s%s%s%s%s%s%s%s%s%s\n" - "command_line : %s\n", - (afl->start_time - afl->prev_run_time) / 1000, cur_time / 1000, - (afl->prev_run_time + cur_time - afl->start_time) / 1000, - (u32)getpid(), afl->queue_cycle ? 
(afl->queue_cycle - 1) : 0, - afl->cycles_wo_finds, afl->fsrv.total_execs, - afl->fsrv.total_execs / - ((double)(afl->prev_run_time + get_cur_time() - afl->start_time) / - 1000), - afl->last_avg_execs_saved, afl->queued_paths, afl->queued_favored, - afl->queued_discovered, afl->queued_imported, afl->max_depth, - afl->current_entry, afl->pending_favored, afl->pending_not_fuzzed, - afl->queued_variable, stability, bitmap_cvg, afl->unique_crashes, - afl->unique_hangs, afl->last_path_time / 1000, - afl->last_crash_time / 1000, afl->last_hang_time / 1000, - afl->fsrv.total_execs - afl->last_crash_execs, afl->fsrv.exec_tmout, - afl->slowest_exec_ms, + fprintf( + f, + "start_time : %llu\n" + "last_update : %llu\n" + "run_time : %llu\n" + "fuzzer_pid : %u\n" + "cycles_done : %llu\n" + "cycles_wo_finds : %llu\n" + "execs_done : %llu\n" + "execs_per_sec : %0.02f\n" + "execs_ps_last_min : %0.02f\n" + "corpus_count : %u\n" + "corpus_favored : %u\n" + "corpus_found : %u\n" + "corpus_imported : %u\n" + "corpus_variable : %u\n" + "max_depth : %u\n" + "cur_item : %u\n" + "pending_favs : %u\n" + "pending_total : %u\n" + "stability : %0.02f%%\n" + "bitmap_cvg : %0.02f%%\n" + "saved_crashes : %llu\n" + "saved_hangs : %llu\n" + "last_find : %llu\n" + "last_crash : %llu\n" + "last_hang : %llu\n" + "execs_since_crash : %llu\n" + "exec_timeout : %u\n" + "slowest_exec_ms : %u\n" + "peak_rss_mb : %lu\n" + "cpu_affinity : %d\n" + "edges_found : %u\n" + "total_edges : %u\n" + "var_byte_count : %u\n" + "havoc_expansion : %u\n" + "auto_dict_entries : %u\n" + "testcache_size : %llu\n" + "testcache_count : %u\n" + "testcache_evict : %u\n" + "afl_banner : %s\n" + "afl_version : " VERSION + "\n" + "target_mode : %s%s%s%s%s%s%s%s%s%s\n" + "command_line : %s\n", + (afl->start_time - afl->prev_run_time) / 1000, cur_time / 1000, + (afl->prev_run_time + cur_time - afl->start_time) / 1000, (u32)getpid(), + afl->queue_cycle ? 
(afl->queue_cycle - 1) : 0, afl->cycles_wo_finds, + afl->fsrv.total_execs, + afl->fsrv.total_execs / + ((double)(afl->prev_run_time + get_cur_time() - afl->start_time) / + 1000), + afl->last_avg_execs_saved, afl->queued_items, afl->queued_favored, + afl->queued_discovered, afl->queued_imported, afl->queued_variable, + afl->max_depth, afl->current_entry, afl->pending_favored, + afl->pending_not_fuzzed, stability, bitmap_cvg, afl->saved_crashes, + afl->saved_hangs, afl->last_find_time / 1000, afl->last_crash_time / 1000, + afl->last_hang_time / 1000, afl->fsrv.total_execs - afl->last_crash_execs, + afl->fsrv.exec_tmout, afl->slowest_exec_ms, #ifndef __HAIKU__ #ifdef __APPLE__ - (unsigned long int)(rus.ru_maxrss >> 20), + (unsigned long int)(rus.ru_maxrss >> 20), #else - (unsigned long int)(rus.ru_maxrss >> 10), + (unsigned long int)(rus.ru_maxrss >> 10), #endif #else - -1UL, + -1UL, #endif #ifdef HAVE_AFFINITY - afl->cpu_aff, + afl->cpu_aff, #else - -1, + -1, #endif - t_bytes, afl->fsrv.real_map_size, afl->var_byte_count, - afl->expand_havoc, afl->a_extras_cnt, afl->q_testcase_cache_size, - afl->q_testcase_cache_count, afl->q_testcase_evictions, - afl->use_banner, afl->unicorn_mode ? "unicorn" : "", - afl->fsrv.qemu_mode ? "qemu " : "", - afl->fsrv.cs_mode ? "coresight" : "", - afl->non_instrumented_mode ? " non_instrumented " : "", - afl->no_forkserver ? "no_fsrv " : "", afl->crash_mode ? "crash " : "", - afl->persistent_mode ? "persistent " : "", - afl->shmem_testcase_mode ? "shmem_testcase " : "", - afl->deferred_mode ? "deferred " : "", - (afl->unicorn_mode || afl->fsrv.qemu_mode || afl->fsrv.cs_mode || - afl->non_instrumented_mode || afl->no_forkserver || - afl->crash_mode || afl->persistent_mode || afl->deferred_mode) - ? 
"" - : "default", - afl->orig_cmdline); + t_bytes, afl->fsrv.real_map_size, afl->var_byte_count, afl->expand_havoc, + afl->a_extras_cnt, afl->q_testcase_cache_size, + afl->q_testcase_cache_count, afl->q_testcase_evictions, afl->use_banner, + afl->unicorn_mode ? "unicorn" : "", afl->fsrv.qemu_mode ? "qemu " : "", + afl->fsrv.cs_mode ? "coresight" : "", + afl->non_instrumented_mode ? " non_instrumented " : "", + afl->no_forkserver ? "no_fsrv " : "", afl->crash_mode ? "crash " : "", + afl->persistent_mode ? "persistent " : "", + afl->shmem_testcase_mode ? "shmem_testcase " : "", + afl->deferred_mode ? "deferred " : "", + (afl->unicorn_mode || afl->fsrv.qemu_mode || afl->fsrv.cs_mode || + afl->non_instrumented_mode || afl->no_forkserver || afl->crash_mode || + afl->persistent_mode || afl->deferred_mode) + ? "" + : "default", + afl->orig_cmdline); /* ignore errors */ @@ -373,13 +372,13 @@ void maybe_update_plot_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg, if (unlikely(!afl->force_ui_update && (afl->stop_soon || - (afl->plot_prev_qp == afl->queued_paths && + (afl->plot_prev_qp == afl->queued_items && afl->plot_prev_pf == afl->pending_favored && afl->plot_prev_pnf == afl->pending_not_fuzzed && afl->plot_prev_ce == afl->current_entry && afl->plot_prev_qc == afl->queue_cycle && - afl->plot_prev_uc == afl->unique_crashes && - afl->plot_prev_uh == afl->unique_hangs && + afl->plot_prev_uc == afl->saved_crashes && + afl->plot_prev_uh == afl->saved_hangs && afl->plot_prev_md == afl->max_depth && afl->plot_prev_ed == afl->fsrv.total_execs) || !afl->queue_cycle || 
@@ -389,29 +388,29 @@ void maybe_update_plot_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg, } - afl->plot_prev_qp = afl->queued_paths; + afl->plot_prev_qp = afl->queued_items; afl->plot_prev_pf = afl->pending_favored; afl->plot_prev_pnf = afl->pending_not_fuzzed; afl->plot_prev_ce = afl->current_entry; afl->plot_prev_qc = afl->queue_cycle; - afl->plot_prev_uc = afl->unique_crashes; - afl->plot_prev_uh = afl->unique_hangs; + afl->plot_prev_uc = afl->saved_crashes; + afl->plot_prev_uh = afl->saved_hangs; afl->plot_prev_md = afl->max_depth; afl->plot_prev_ed = afl->fsrv.total_execs; /* Fields in the file: - relative_time, afl->cycles_done, cur_path, paths_total, paths_not_fuzzed, - favored_not_fuzzed, unique_crashes, unique_hangs, max_depth, + relative_time, afl->cycles_done, cur_item, corpus_count, corpus_not_fuzzed, + favored_not_fuzzed, saved_crashes, saved_hangs, max_depth, execs_per_sec, edges_found */ fprintf(afl->fsrv.plot_file, "%llu, %llu, %u, %u, %u, %u, %0.02f%%, %llu, %llu, %u, %0.02f, %llu, " "%u\n", ((afl->prev_run_time + get_cur_time() - afl->start_time) / 1000), - afl->queue_cycle - 1, afl->current_entry, afl->queued_paths, + afl->queue_cycle - 1, afl->current_entry, afl->queued_items, afl->pending_not_fuzzed, afl->pending_favored, bitmap_cvg, - afl->unique_crashes, afl->unique_hangs, afl->max_depth, eps, + afl->saved_crashes, afl->saved_hangs, afl->max_depth, eps, afl->plot_prev_ed, t_bytes); /* ignore errors */ fflush(afl->fsrv.plot_file); @@ -611,9 +610,9 @@ void show_stats(afl_state_t *afl) { /* AFL_EXIT_ON_TIME. */ - if (unlikely(afl->last_path_time && !afl->non_instrumented_mode && + if (unlikely(afl->last_find_time && !afl->non_instrumented_mode && afl->afl_env.afl_exit_on_time && - (cur_ms - afl->last_path_time) > afl->exit_on_time)) { + (cur_ms - afl->last_find_time) > afl->exit_on_time)) { afl->stop_soon = 2; 
@@ -704,10 +703,10 @@ void show_stats(afl_state_t *afl) { /* Since `total_crashes` does not get reloaded from disk on restart, it indicates if we found crashes this round already -> paint red. - If it's 0, but `unique_crashes` is set from a past run, paint in yellow. */ - char *crash_color = afl->total_crashes ? cLRD - : afl->unique_crashes ? cYEL - : cRST; + If it's 0, but `saved_crashes` is set from a past run, paint in yellow. */ + char *crash_color = afl->total_crashes ? cLRD + : afl->saved_crashes ? cYEL + : cRST; /* Lord, forgive me this. */ @@ -721,7 +720,7 @@ void show_stats(afl_state_t *afl) { } else { - u64 min_wo_finds = (cur_ms - afl->last_path_time) / 1000 / 60; + u64 min_wo_finds = (cur_ms - afl->last_find_time) / 1000 / 60; /* First queue cycle: don't stop now! */ if (afl->queue_cycle == 1 || min_wo_finds < 15) { 
@@ -762,48 +761,48 @@ void show_stats(afl_state_t *afl) { except when resuming fuzzing or running in non-instrumented mode. */ if (!afl->non_instrumented_mode && - (afl->last_path_time || afl->resuming_fuzz || afl->queue_cycle == 1 || + (afl->last_find_time || afl->resuming_fuzz || afl->queue_cycle == 1 || afl->in_bitmap || afl->crash_mode)) { - u_stringify_time_diff(time_tmp, cur_ms, afl->last_path_time); - SAYF(bV bSTOP " last new path : " cRST "%-33s ", time_tmp); + u_stringify_time_diff(time_tmp, cur_ms, afl->last_find_time); + SAYF(bV bSTOP " last new find : " cRST "%-33s ", time_tmp); } else { if (afl->non_instrumented_mode) { - SAYF(bV bSTOP " last new path : " cPIN "n/a" cRST + SAYF(bV bSTOP " last new find : " cPIN "n/a" cRST " (non-instrumented mode) "); } else { - SAYF(bV bSTOP " last new path : " cRST "none yet " cLRD + SAYF(bV bSTOP " last new find : " cRST "none yet " cLRD "(odd, check syntax!) "); } } - SAYF(bSTG bV bSTOP " total paths : " cRST "%-5s " bSTG bV "\n", - u_stringify_int(IB(0), afl->queued_paths)); + SAYF(bSTG bV bSTOP " corpus count : " cRST "%-5s " bSTG bV "\n", + u_stringify_int(IB(0), afl->queued_items)); /* Highlight crashes in red if found, denote going over the KEEP_UNIQUE_CRASH limit with a '+' appended to the count. */ - sprintf(tmp, "%s%s", u_stringify_int(IB(0), afl->unique_crashes), - (afl->unique_crashes >= KEEP_UNIQUE_CRASH) ? "+" : ""); + sprintf(tmp, "%s%s", u_stringify_int(IB(0), afl->saved_crashes), + (afl->saved_crashes >= KEEP_UNIQUE_CRASH) ? "+" : ""); u_stringify_time_diff(time_tmp, cur_ms, afl->last_crash_time); - SAYF(bV bSTOP " last uniq crash : " cRST "%-33s " bSTG bV bSTOP - " uniq crashes : %s%-6s" bSTG bV "\n", + SAYF(bV bSTOP "last saved crash : " cRST "%-33s " bSTG bV bSTOP + "saved crashes : %s%-6s" bSTG bV "\n", time_tmp, crash_color, tmp); - sprintf(tmp, "%s%s", u_stringify_int(IB(0), afl->unique_hangs), - (afl->unique_hangs >= KEEP_UNIQUE_HANG) ? 
"+" : ""); + sprintf(tmp, "%s%s", u_stringify_int(IB(0), afl->saved_hangs), + (afl->saved_hangs >= KEEP_UNIQUE_HANG) ? "+" : ""); u_stringify_time_diff(time_tmp, cur_ms, afl->last_hang_time); - SAYF(bV bSTOP " last uniq hang : " cRST "%-33s " bSTG bV bSTOP - " uniq hangs : " cRST "%-6s" bSTG bV "\n", + SAYF(bV bSTOP " last saved hang : " cRST "%-33s " bSTG bV bSTOP + " saved hangs : " cRST "%-6s" bSTG bV "\n", time_tmp, tmp); SAYF(bVR bH bSTOP cCYA @@ -816,7 +815,7 @@ void show_stats(afl_state_t *afl) { sprintf(tmp, "%s%s%u (%0.01f%%)", u_stringify_int(IB(0), afl->current_entry), afl->queue_cur->favored ? "." : "*", afl->queue_cur->fuzz_level, - ((double)afl->current_entry * 100) / afl->queued_paths); + ((double)afl->current_entry * 100) / afl->queued_items); SAYF(bV bSTOP " now processing : " cRST "%-18s " bSTG bV bSTOP, tmp); @@ -830,10 +829,10 @@ void show_stats(afl_state_t *afl) { : ((t_bytes < 200 && !afl->non_instrumented_mode) ? cPIN : cRST), tmp); - sprintf(tmp, "%s (%0.02f%%)", u_stringify_int(IB(0), afl->cur_skipped_paths), - ((double)afl->cur_skipped_paths * 100) / afl->queued_paths); + sprintf(tmp, "%s (%0.02f%%)", u_stringify_int(IB(0), afl->cur_skipped_items), + ((double)afl->cur_skipped_items * 100) / afl->queued_items); - SAYF(bV bSTOP " paths timed out : " cRST "%-18s " bSTG bV, tmp); + SAYF(bV bSTOP " runs timed out : " cRST "%-18s " bSTG bV, tmp); sprintf(tmp, "%0.02f bits/tuple", t_bytes ? (((double)t_bits) / t_bytes) : 0); 
@@ -844,12 +843,12 @@ void show_stats(afl_state_t *afl) { " findings in depth " bSTG bH10 bH5 bH2 bVL "\n"); sprintf(tmp, "%s (%0.02f%%)", u_stringify_int(IB(0), afl->queued_favored), - ((double)afl->queued_favored) * 100 / afl->queued_paths); + ((double)afl->queued_favored) * 100 / afl->queued_items); /* Yeah... it's still going on... halp? */ SAYF(bV bSTOP " now trying : " cRST "%-22s " bSTG bV bSTOP - " favored paths : " cRST "%-20s" bSTG bV "\n", + " favored items : " cRST "%-20s" bSTG bV "\n", afl->stage_name, tmp); if (!afl->stage_max) { @@ -867,13 +866,13 @@ void show_stats(afl_state_t *afl) { SAYF(bV bSTOP " stage execs : " cRST "%-23s" bSTG bV bSTOP, tmp); sprintf(tmp, "%s (%0.02f%%)", u_stringify_int(IB(0), afl->queued_with_cov), - ((double)afl->queued_with_cov) * 100 / afl->queued_paths); + ((double)afl->queued_with_cov) * 100 / afl->queued_items); SAYF(" new edges on : " cRST "%-20s" bSTG bV "\n", tmp); - sprintf(tmp, "%s (%s%s unique)", u_stringify_int(IB(0), afl->total_crashes), - u_stringify_int(IB(1), afl->unique_crashes), - (afl->unique_crashes >= KEEP_UNIQUE_CRASH) ? "+" : ""); + sprintf(tmp, "%s (%s%s saved)", u_stringify_int(IB(0), afl->total_crashes), + u_stringify_int(IB(1), afl->saved_crashes), + (afl->saved_crashes >= KEEP_UNIQUE_CRASH) ? "+" : ""); if (afl->crash_mode) { 
@@ -905,16 +904,16 @@ void show_stats(afl_state_t *afl) { } - sprintf(tmp, "%s (%s%s unique)", u_stringify_int(IB(0), afl->total_tmouts), - u_stringify_int(IB(1), afl->unique_tmouts), - (afl->unique_hangs >= KEEP_UNIQUE_HANG) ? "+" : ""); + sprintf(tmp, "%s (%s%s saved)", u_stringify_int(IB(0), afl->total_tmouts), + u_stringify_int(IB(1), afl->saved_tmouts), + (afl->saved_hangs >= KEEP_UNIQUE_HANG) ? "+" : ""); SAYF(bSTG bV bSTOP " total tmouts : " cRST "%-20s" bSTG bV "\n", tmp); /* Aaaalmost there... hold on! */ SAYF(bVR bH cCYA bSTOP " fuzzing strategy yields " bSTG bH10 bH2 bHT bH10 bH2 - bH bHB bH bSTOP cCYA " path geometry " bSTG bH5 bH2 bVL "\n"); + bH bHB bH bSTOP cCYA " item geometry " bSTG bH5 bH2 bVL "\n"); if (unlikely(afl->custom_only)) { @@ -1222,7 +1221,7 @@ void show_init_stats(afl_state_t *afl) { } - for (i = 0; i < afl->queued_paths; i++) { + for (i = 0; i < afl->queued_items; i++) { q = afl->queue_buf[i]; if (unlikely(q->disabled)) { continue; } @@ -1290,13 +1289,13 @@ void show_init_stats(afl_state_t *afl) { } - if (afl->queued_paths > 100) { + if (afl->queued_items > 100) { WARNF(cLRD "You probably have far too many input files! Consider trimming " "down."); - } else if (afl->queued_paths > 20) { + } else if (afl->queued_items > 20) { WARNF("You have lots of input files; try starting small."); @@ -1311,8 +1310,8 @@ void show_init_stats(afl_state_t *afl) { " Bitmap range : " cRST "%u to %u bits (average: %0.02f bits)\n" cGRA " Exec timing : " cRST "%s to %s us (average: %s us)\n", - afl->queued_favored, afl->queued_variable, afl->queued_paths - count, - afl->queued_paths, min_bits, max_bits, + afl->queued_favored, afl->queued_variable, afl->queued_items - count, + afl->queued_items, min_bits, max_bits, ((double)afl->total_bitmap_size) / (afl->total_bitmap_entries ? afl->total_bitmap_entries : 1), stringify_int(IB(0), min_us), stringify_int(IB(1), max_us), diff --git a/src/afl-fuzz-statsd.c b/src/afl-fuzz-statsd.c index 461bbbf6..e835c8ea 100644 
--- a/src/afl-fuzz-statsd.c
+++ b/src/afl-fuzz-statsd.c
@@ -42,46 +42,48 @@ // For DogstatsD #define STATSD_TAGS_TYPE_SUFFIX 1 -#define STATSD_TAGS_SUFFIX_METRICS \ - METRIC_PREFIX \ - ".cycle_done:%llu|g%s\n" METRIC_PREFIX \ - ".cycles_wo_finds:%llu|g%s\n" METRIC_PREFIX \ - ".execs_done:%llu|g%s\n" METRIC_PREFIX \ - ".execs_per_sec:%0.02f|g%s\n" METRIC_PREFIX \ - ".paths_total:%u|g%s\n" METRIC_PREFIX \ - ".paths_favored:%u|g%s\n" METRIC_PREFIX \ - ".paths_found:%u|g%s\n" METRIC_PREFIX \ - ".paths_imported:%u|g%s\n" METRIC_PREFIX ".max_depth:%u|g%s\n" METRIC_PREFIX \ - ".cur_path:%u|g%s\n" METRIC_PREFIX ".pending_favs:%u|g%s\n" METRIC_PREFIX \ - ".pending_total:%u|g%s\n" METRIC_PREFIX \ - ".variable_paths:%u|g%s\n" METRIC_PREFIX \ - ".unique_crashes:%llu|g%s\n" METRIC_PREFIX \ - ".unique_hangs:%llu|g%s\n" METRIC_PREFIX \ - ".total_crashes:%llu|g%s\n" METRIC_PREFIX \ - ".slowest_exec_ms:%u|g%s\n" METRIC_PREFIX \ - ".edges_found:%u|g%s\n" METRIC_PREFIX \ +#define STATSD_TAGS_SUFFIX_METRICS \ + METRIC_PREFIX \ + ".cycle_done:%llu|g%s\n" METRIC_PREFIX \ + ".cycles_wo_finds:%llu|g%s\n" METRIC_PREFIX \ + ".execs_done:%llu|g%s\n" METRIC_PREFIX \ + ".execs_per_sec:%0.02f|g%s\n" METRIC_PREFIX \ + ".corpus_count:%u|g%s\n" METRIC_PREFIX \ + ".corpus_favored:%u|g%s\n" METRIC_PREFIX \ + ".corpus_found:%u|g%s\n" METRIC_PREFIX \ + ".corpus_imported:%u|g%s\n" METRIC_PREFIX \ + ".max_depth:%u|g%s\n" METRIC_PREFIX ".cur_item:%u|g%s\n" METRIC_PREFIX \ + ".pending_favs:%u|g%s\n" METRIC_PREFIX \ + ".pending_total:%u|g%s\n" METRIC_PREFIX \ + ".corpus_variable:%u|g%s\n" METRIC_PREFIX \ + ".saved_crashes:%llu|g%s\n" METRIC_PREFIX \ + ".saved_hangs:%llu|g%s\n" METRIC_PREFIX \ + ".total_crashes:%llu|g%s\n" METRIC_PREFIX \ + ".slowest_exec_ms:%u|g%s\n" METRIC_PREFIX \ + ".edges_found:%u|g%s\n" METRIC_PREFIX \ ".var_byte_count:%u|g%s\n" METRIC_PREFIX ".havoc_expansion:%u|g%s\n" // For Librato, InfluxDB, SignalFX #define STATSD_TAGS_TYPE_MID 2 -#define STATSD_TAGS_MID_METRICS \ - METRIC_PREFIX \ - ".cycle_done%s:%llu|g\n" METRIC_PREFIX \ - 
".cycles_wo_finds%s:%llu|g\n" METRIC_PREFIX \ - ".execs_done%s:%llu|g\n" METRIC_PREFIX \ - ".execs_per_sec%s:%0.02f|g\n" METRIC_PREFIX \ - ".paths_total%s:%u|g\n" METRIC_PREFIX \ - ".paths_favored%s:%u|g\n" METRIC_PREFIX \ - ".paths_found%s:%u|g\n" METRIC_PREFIX \ - ".paths_imported%s:%u|g\n" METRIC_PREFIX ".max_depth%s:%u|g\n" METRIC_PREFIX \ - ".cur_path%s:%u|g\n" METRIC_PREFIX ".pending_favs%s:%u|g\n" METRIC_PREFIX \ - ".pending_total%s:%u|g\n" METRIC_PREFIX \ - ".variable_paths%s:%u|g\n" METRIC_PREFIX \ - ".unique_crashes%s:%llu|g\n" METRIC_PREFIX \ - ".unique_hangs%s:%llu|g\n" METRIC_PREFIX \ - ".total_crashes%s:%llu|g\n" METRIC_PREFIX \ - ".slowest_exec_ms%s:%u|g\n" METRIC_PREFIX \ - ".edges_found%s:%u|g\n" METRIC_PREFIX \ +#define STATSD_TAGS_MID_METRICS \ + METRIC_PREFIX \ + ".cycle_done%s:%llu|g\n" METRIC_PREFIX \ + ".cycles_wo_finds%s:%llu|g\n" METRIC_PREFIX \ + ".execs_done%s:%llu|g\n" METRIC_PREFIX \ + ".execs_per_sec%s:%0.02f|g\n" METRIC_PREFIX \ + ".corpus_count%s:%u|g\n" METRIC_PREFIX \ + ".corpus_favored%s:%u|g\n" METRIC_PREFIX \ + ".corpus_found%s:%u|g\n" METRIC_PREFIX \ + ".corpus_imported%s:%u|g\n" METRIC_PREFIX \ + ".max_depth%s:%u|g\n" METRIC_PREFIX ".cur_item%s:%u|g\n" METRIC_PREFIX \ + ".pending_favs%s:%u|g\n" METRIC_PREFIX \ + ".pending_total%s:%u|g\n" METRIC_PREFIX \ + ".corpus_variable%s:%u|g\n" METRIC_PREFIX \ + ".saved_crashes%s:%llu|g\n" METRIC_PREFIX \ + ".saved_hangs%s:%llu|g\n" METRIC_PREFIX \ + ".total_crashes%s:%llu|g\n" METRIC_PREFIX \ + ".slowest_exec_ms%s:%u|g\n" METRIC_PREFIX \ + ".edges_found%s:%u|g\n" METRIC_PREFIX \ ".var_byte_count%s:%u|g\n" METRIC_PREFIX ".havoc_expansion%s:%u|g\n" void statsd_setup_format(afl_state_t *afl) { 
@@ -238,11 +240,11 @@ int statsd_format_metric(afl_state_t *afl, char *buff, size_t bufflen) { afl->fsrv.total_execs / ((double)(get_cur_time() + afl->prev_run_time - afl->start_time) / 1000), - tags, afl->queued_paths, tags, afl->queued_favored, tags, + tags, afl->queued_items, tags, afl->queued_favored, tags, afl->queued_discovered, tags, afl->queued_imported, tags, afl->max_depth, tags, afl->current_entry, tags, afl->pending_favored, tags, afl->pending_not_fuzzed, tags, afl->queued_variable, tags, - afl->unique_crashes, tags, afl->unique_hangs, tags, afl->total_crashes, + afl->saved_crashes, tags, afl->saved_hangs, tags, afl->total_crashes, tags, afl->slowest_exec_ms, tags, count_non_255_bytes(afl, afl->virgin_bits), tags, afl->var_byte_count, tags, afl->expand_havoc, tags); @@ -256,11 +258,11 @@ int statsd_format_metric(afl_state_t *afl, char *buff, size_t bufflen) { afl->fsrv.total_execs / ((double)(get_cur_time() + afl->prev_run_time - afl->start_time) / 1000), - tags, afl->queued_paths, tags, afl->queued_favored, tags, + tags, afl->queued_items, tags, afl->queued_favored, tags, afl->queued_discovered, tags, afl->queued_imported, tags, afl->max_depth, tags, afl->current_entry, tags, afl->pending_favored, tags, afl->pending_not_fuzzed, tags, afl->queued_variable, tags, - afl->unique_crashes, tags, afl->unique_hangs, tags, afl->total_crashes, + afl->saved_crashes, tags, afl->saved_hangs, tags, afl->total_crashes, tags, afl->slowest_exec_ms, tags, count_non_255_bytes(afl, afl->virgin_bits), tags, afl->var_byte_count, tags, afl->expand_havoc); diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 195366bd..f59bb47c 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c 
@@ -129,7 +129,7 @@ static void usage(u8 *argv0, int more_help) { " -D - enable deterministic fuzzing (once per queue entry)\n" " -L minutes - use MOpt(imize) mode and set the time limit for " "entering the\n" - " pacemaker mode (minutes of no new paths). 0 = " + " pacemaker mode (minutes of no new finds). 0 = " "immediately,\n" " -1 = immediately and together with normal mutation.\n" " See docs/README.MOpt.md\n" @@ -214,7 +214,7 @@ static void usage(u8 *argv0, int more_help) { "AFL_DISABLE_TRIM: disable the trimming of test cases\n" "AFL_DUMB_FORKSRV: use fork server without feedback from target\n" "AFL_EXIT_WHEN_DONE: exit when all inputs are run and no new finds are found\n" - "AFL_EXIT_ON_TIME: exit when no new paths are found within the specified time period\n" + "AFL_EXIT_ON_TIME: exit when no new coverage finds are made within the specified time period\n" "AFL_EXPAND_HAVOC_NOW: immediately enable expand havoc mode (default: after 60 minutes and a cycle without finds)\n" "AFL_FAST_CAL: limit the calibration stage to three cycles for speedup\n" "AFL_FORCE_UI: force showing the status screen (for virtual consoles)\n" @@ -1607,7 +1607,7 @@ int main(int argc, char **argv_orig, char **envp) { read_testcases(afl, NULL); // read_foreign_testcases(afl, 1); for the moment dont do this - OKF("Loaded a total of %u seeds.", afl->queued_paths); + OKF("Loaded a total of %u seeds.", afl->queued_items); pivot_inputs(afl); @@ -1929,7 +1929,7 @@ int main(int argc, char **argv_orig, char **envp) { // ensure we have at least one seed that is not disabled. u32 entry, valid_seeds = 0; - for (entry = 0; entry < afl->queued_paths; ++entry) + for (entry = 0; entry < afl->queued_items; ++entry) if (!afl->queue_buf[entry]->disabled) { ++valid_seeds; } if (!afl->pending_not_fuzzed || !valid_seeds) { 
@@ -1951,7 +1951,7 @@ int main(int argc, char **argv_orig, char **envp) { u64 max_ms = 0; - for (entry = 0; entry < afl->queued_paths; ++entry) + for (entry = 0; entry < afl->queued_items; ++entry) if (!afl->queue_buf[entry]->disabled) if (afl->queue_buf[entry]->exec_us > max_ms) max_ms = afl->queue_buf[entry]->exec_us; @@ -1993,7 +1993,7 @@ int main(int argc, char **argv_orig, char **envp) { afl->start_time = get_cur_time(); u32 runs_in_current_cycle = (u32)-1; - u32 prev_queued_paths = 0; + u32 prev_queued_items = 0; u8 skipped_fuzz; #ifdef INTROSPECTION @@ -2014,7 +2014,7 @@ int main(int argc, char **argv_orig, char **envp) { cull_queue(afl); if (unlikely((!afl->old_seed_selection && - runs_in_current_cycle > afl->queued_paths) || + runs_in_current_cycle > afl->queued_items) || (afl->old_seed_selection && !afl->queue_cur))) { if (unlikely((afl->last_sync_cycle < afl->queue_cycle || @@ -2027,25 +2027,25 @@ int main(int argc, char **argv_orig, char **envp) { ++afl->queue_cycle; runs_in_current_cycle = (u32)-1; - afl->cur_skipped_paths = 0; + afl->cur_skipped_items = 0; if (unlikely(afl->old_seed_selection)) { afl->current_entry = 0; - while (unlikely(afl->current_entry < afl->queued_paths && + while (unlikely(afl->current_entry < afl->queued_items && afl->queue_buf[afl->current_entry]->disabled)) { ++afl->current_entry; } - if (afl->current_entry >= afl->queued_paths) { afl->current_entry = 0; } + if (afl->current_entry >= afl->queued_items) { afl->current_entry = 0; } afl->queue_cur = afl->queue_buf[afl->current_entry]; if (unlikely(seek_to)) { - if (unlikely(seek_to >= afl->queued_paths)) { + if (unlikely(seek_to >= afl->queued_items)) { // This should never happen. FATAL("BUG: seek_to location out of bounds!\n"); 
@@ -2070,7 +2070,7 @@ int main(int argc, char **argv_orig, char **envp) { /* If we had a full queue cycle with no new finds, try recombination strategies next. */ - if (unlikely(afl->queued_paths == prev_queued + if (unlikely(afl->queued_items == prev_queued /* FIXME TODO BUG: && (get_cur_time() - afl->start_time) >= 3600 */ )) { @@ -2148,7 +2148,7 @@ int main(int argc, char **argv_orig, char **envp) { fprintf(afl->introspection_file, "CYCLE cycle=%llu cycle_wo_finds=%llu expand_havoc=%u queue=%u\n", afl->queue_cycle, afl->cycles_wo_finds, afl->expand_havoc, - afl->queued_paths); + afl->queued_items); #endif if (afl->cycle_schedules) { @@ -2188,7 +2188,7 @@ int main(int argc, char **argv_orig, char **envp) { } // we must recalculate the scores of all queue entries - for (u32 i = 0; i < afl->queued_paths; i++) { + for (u32 i = 0; i < afl->queued_items; i++) { if (likely(!afl->queue_buf[i]->disabled)) { @@ -2200,7 +2200,7 @@ int main(int argc, char **argv_orig, char **envp) { } - prev_queued = afl->queued_paths; + prev_queued = afl->queued_items; } @@ -2210,11 +2210,11 @@ int main(int argc, char **argv_orig, char **envp) { if (likely(!afl->old_seed_selection)) { - if (unlikely(prev_queued_paths < afl->queued_paths || + if (unlikely(prev_queued_items < afl->queued_items || afl->reinit_table)) { // we have new queue entries since the last run, recreate alias table - prev_queued_paths = afl->queued_paths; + prev_queued_items = afl->queued_items; create_alias_table(afl); } @@ -2230,10 +2230,10 @@ int main(int argc, char **argv_orig, char **envp) { if (unlikely(afl->old_seed_selection)) { - while (++afl->current_entry < afl->queued_paths && + while (++afl->current_entry < afl->queued_items && afl->queue_buf[afl->current_entry]->disabled) ; - if (unlikely(afl->current_entry >= afl->queued_paths || + if (unlikely(afl->current_entry >= afl->queued_items || afl->queue_buf[afl->current_entry] == NULL || afl->queue_buf[afl->current_entry]->disabled)) afl->queue_cur = NULL; 
@@ -2321,11 +2321,11 @@ stop_fuzzing: u8 time_tmp[64]; u_stringify_time_diff(time_tmp, get_cur_time(), afl->start_time); ACTF( - "Statistics: %u new paths found, %.02f%% coverage achieved, %llu " - "crashes found, %llu timeouts found, total runtime %s", + "Statistics: %u new corpus items found, %.02f%% coverage achieved, " + "%llu crashes saved, %llu timeouts saved, total runtime %s", afl->queued_discovered, - ((double)t_bytes * 100) / afl->fsrv.real_map_size, afl->unique_crashes, - afl->unique_hangs, time_tmp); + ((double)t_bytes * 100) / afl->fsrv.real_map_size, afl->saved_crashes, + afl->saved_hangs, time_tmp); } diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c index 7fb8f821..c1d4ff03 100644 --- a/src/afl-sharedmem.c +++ b/src/afl-sharedmem.c @@ -242,8 +242,11 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, #else u8 *shm_str; + // for qemu+unicorn we have to increase by 8 to account for potential + // compcov map overwrite shm->shm_id = - shmget(IPC_PRIVATE, map_size, IPC_CREAT | IPC_EXCL | DEFAULT_PERMISSION); + shmget(IPC_PRIVATE, map_size == MAP_SIZE ? map_size + 8 : map_size, + IPC_CREAT | IPC_EXCL | DEFAULT_PERMISSION); if (shm->shm_id < 0) { PFATAL("shmget() failed, try running afl-system-config"); diff --git a/test/test-cmplog.c b/test/test-cmplog.c index 262df6bd..1a314653 100644 --- a/test/test-cmplog.c +++ b/test/test-cmplog.c @@ -7,6 +7,7 @@ #include <unistd.h> int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t i) { + if (i < 24) return 0; if (buf[0] != 'A') return 0; if (buf[1] != 'B') return 0; 
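Review bot: The new shmget() size keys on `map_size == MAP_SIZE` rather than on whether qemu or unicorn mode is active, so the 8-byte slack the comment justifies is added for every caller that happens to use the default map size and is missing for a qemu/unicorn run with a non-default size; the comment and the condition say different things. If the padding is needed whenever the compcov overwrite can occur, pass that fact in from the caller (or always add it) and name the constant, e.g. `enum { COMPCOV_MAP_PAD = 8 };` and `map_size + COMPCOV_MAP_PAD`, so the link to the compcov layout is greppable. The `#ifdef USEMMAP` branch above this hunk presumably still maps plain `map_size` bytes without the slack — worth confirming it gets the same treatment. afl_shm_init() continues outside the hunk.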
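Review bot: `if (i < 24) return 0;` guarantees 24 readable bytes, but the later `strcmp(buf + 16, "DEADBEEF")` (context in the next hunk) reads the terminator at buf[24] and beyond, one past what the guard covers whenever the harness does not NUL-terminate the input. Either raise the bound to `if (i < 25) return 0;` or replace the strcmp with `memcmp(buf + 16, "DEADBEEF", 8) == 0`, which keeps the 24-byte guard exact. LLVMFuzzerTestOneInput() continues outside this hunk.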
@@ -16,17 +17,25 @@ int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t i) {
 if (strncmp(buf + 12, "IJKL", 4) == 0 && strcmp(buf + 16, "DEADBEEF") == 0) abort();
 return 0;
+
 }
 #ifdef __AFL_COMPILER
 int main(int argc, char *argv[]) {
- unsigned char buf[1024];
- ssize_t i;
- while(__AFL_LOOP(1000)) {
- i = read(0, (char*)buf, sizeof(buf) - 1);
+
+ unsigned char buf[1024];
+ ssize_t i;
+ while (__AFL_LOOP(1000)) {
+
+ i = read(0, (char *)buf, sizeof(buf) - 1);
 if (i > 0) buf[i] = 0;
 LLVMFuzzerTestOneInput(buf, i);
+
 }
+ return 0;
+
 }
+
 #endif
+
diff --git a/test/test-fpExtra.sh b/test/test-fpExtra.sh
new file mode 100755
index 00000000..aecc6258
--- /dev/null
+++ b/test/test-fpExtra.sh
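Review bot: In the reformatted `main()`, `LLVMFuzzerTestOneInput(buf, i)` is still called when `read()` returns 0 or -1: `i` is `ssize_t`, so -1 becomes `SIZE_MAX` at the call, passes the new `i < 24` guard, and the string checks then run over a `buf` that is unterminated and, on the first iteration, uninitialized. Folding the call under the existing check, `if (i > 0) { buf[i] = 0; LLVMFuzzerTestOneInput(buf, i); }`, confines the harness to bytes that were actually read. As a smaller point, `argc` and `argv` are unused here and the `(char *)` cast on the `read()` buffer is unnecessary, so `int main(void)` and `read(0, buf, sizeof(buf) - 1)` would read cleaner.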
@@ -0,0 +1,39 @@
+#!/bin/sh
+
+. ./test-pre.sh
+
+test -e ../afl-clang-fast -a -e ../split-switches-pass.so && {
+ $ECHO "$GREY[*] llvm_mode laf-intel/compcov testing splitting floating point types with Nan, infinity, minusZero"
+ for testcase in ./test-fp_minusZerocases.c ./test-fp_Infcases.c ./test-fp_NaNcases.c; do
+ #for testcase in ./test-fp_cases.c ./test-fp_Infcases.c ./test-fp_NaNcases.c ./test-fp_minusZerocases.c ; do
+ for I in float double "long double"; do
+ #for I in double; do
+ for BITS in 64 32 16 8; do
+ #for BITS in 64; do
+ bin="$testcase-split-$I-$BITS.compcov"
+#AFL_DONT_OPTIMIZE=1 AFL_LLVM_INSTRUMENT=AFL AFL_DEBUG=1 AFL_LLVM_LAF_SPLIT_COMPARES_BITW=$BITS AFL_LLVM_LAF_SPLIT_COMPARES=1 AFL_LLVM_LAF_SPLIT_FLOATS=1 ../afl-clang-fast -DFLOAT_TYPE="$I" -S "$testcase"
+#AFL_DONT_OPTIMIZE=1 AFL_LLVM_INSTRUMENT=AFL AFL_DEBUG=1 AFL_LLVM_LAF_SPLIT_COMPARES_BITW=$BITS AFL_LLVM_LAF_SPLIT_COMPARES=1 AFL_LLVM_LAF_SPLIT_FLOATS=1 ../afl-clang-fast -DFLOAT_TYPE="$I" -S -emit-llvm "$testcase"
+AFL_DONT_OPTIMIZE=1 AFL_LLVM_INSTRUMENT=AFL AFL_DEBUG=1 AFL_LLVM_LAF_SPLIT_COMPARES_BITW=$BITS AFL_LLVM_LAF_SPLIT_COMPARES=1 AFL_LLVM_LAF_SPLIT_FLOATS=1 ../afl-clang-fast -DFLOAT_TYPE="$I" -o "$bin" "$testcase" > test.out 2>&1;
+ if ! test -e "$bin"; then
+ cat test.out
+ $ECHO "$RED[!] llvm_mode laf-intel/compcov float splitting failed! ($testcase with type $I split to $BITS)!";
+ CODE=1
+ break
+ fi
+ if ! "$bin"; then
+ $ECHO "$RED[!] llvm_mode laf-intel/compcov float splitting resulted in miscompilation (type $I split to $BITS)!";
+ CODE=1
+ break
+ fi
+ rm -f "$bin" test.out || true
+ done
+ done
+ done
+ rm -f test-fp_cases*.compcov test.out
+
+} || {
+ $ECHO "$YELLOW[-] llvm_mode not compiled, cannot test"
+ INCOMPLETE=1
+}
+
+. ./test-post.sh
diff --git a/test/test-fp_Infcases.c b/test/test-fp_Infcases.c
new file mode 100644
index 00000000..458202d6
--- /dev/null
+++ b/test/test-fp_Infcases.c
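Review bot: The closing `rm -f test-fp_cases*.compcov test.out` does not match anything this script builds: `bin` is `$testcase-split-$I-$BITS.compcov` with `testcase` one of `./test-fp_minusZerocases.c`, `./test-fp_Infcases.c` and `./test-fp_NaNcases.c`, and a failed build or failed run `break`s before the inner `rm -f "$bin" test.out`, so those binaries are left behind in the test directory. A glob that follows the names actually used, `rm -f ./test-fp_*cases.c-split-*.compcov test.out`, would clean them up. The commented-out `#for` lines and the two commented-out `#AFL_DONT_OPTIMIZE=1` compile lines read as leftover debugging; a one-line comment saying how to narrow the run to a single case would carry the same information without the noise.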
@@ -0,0 +1,124 @@
+/* test cases for floating point comparison transformations
+ * compile with -DFLOAT_TYPE=float
+ * or -DFLOAT_TYPE=double
+ * or -DFLOAT_TYPE="long double"
+ */
+
+#include <assert.h>
+#define _GNU_SOURCE
+#include <math.h> /* for NaNs and infinity values */
+
+int main() {
+
+ volatile FLOAT_TYPE a, b;
+
+#ifdef INFINITY
+ FLOAT_TYPE inf = (FLOAT_TYPE)INFINITY;
+#else
+ FLOAT_TYPE inf = 1.0 / 0.0; /* produces infinity */
+#endif
+ FLOAT_TYPE negZero = 1.0 / -inf;
+ FLOAT_TYPE posZero = 0.0;
+
+ /* plus infinity */
+ a = (1.0 / 0.0); /* positive infinity */
+ b = (1.0 / 0.0); /* positive infinity */
+ assert(!(a < b));
+ assert((a <= b));
+ assert(!(a > b));
+ assert((a >= b));
+ assert(!(a != b));
+ assert((a == b));
+
+ b = -(1.0 / 0.0); /* negative infinity */
+ assert(!(a < b));
+ assert(!(a <= b));
+ assert((a > b));
+ assert((a >= b));
+ assert((a != b));
+ assert(!(a == b));
+
+ b = 1.0 / -(1.0 / 0.0); /* negative 0 */
+ assert(!(a < b));
+ assert(!(a <= b));
+ assert((a > b));
+ assert((a >= b));
+ assert((a != b));
+ assert(!(a == b));
+
+ b = 0.0; /* positive 0 */
+ assert(!(a < b));
+ assert(!(a <= b));
+ assert((a > b));
+ assert((a >= b));
+ assert((a != b));
+ assert(!(a == b));
+
+ b = -42.0;
+ assert(!(a < b));
+ assert(!(a <= b));
+ assert((a > b));
+ assert((a >= b));
+ assert((a != b));
+ assert(!(a == b));
+
+ b = 42.0;
+ assert(!(a < b));
+ assert(!(a <= b));
+ assert((a > b));
+ assert((a >= b));
+ assert((a != b));
+ assert(!(a == b));
+
+ /* negative infinity */
+ a = -(1.0 / 0.0);
+ b = (1.0 / 0.0); /* positive infinity */
+ assert((a < b));
+ assert((a <= b));
+ assert(!(a > b));
+ assert(!(a >= b));
+ assert((a != b));
+ assert(!(a == b));
+
+ b = -(1.0 / 0.0); /* negative infinity */
+ assert(!(a < b));
+ assert((a <= b));
+ assert(!(a > b));
+ assert((a >= b));
+ assert(!(a != b));
+ assert((a == b));
+
+ b = 1.0 / -(1.0 / 0.0); /* negative 0 */
+ assert((a < b));
+ assert((a <= b));
+ assert(!(a > b));
+ assert(!(a >= b));
+ assert((a != b));
+ assert(!(a == b));
+
+ b = 0.0; /* positive 0 */
+ assert((a < b));
+ assert((a <= b));
+ assert(!(a > b));
+ assert(!(a >= b));
+ assert((a != b));
+ assert(!(a == b));
+
+ b = -42.0;
+ assert((a < b));
+ assert((a <= b));
+ assert(!(a > b));
+ assert(!(a >= b));
+ assert((a != b));
+ assert(!(a == b));
+
+ b = 42.0;
+ assert((a < b));
+ assert((a <= b));
+ assert(!(a > b));
+ assert(!(a >= b));
+ assert((a != b));
+ assert(!(a == b));
+
+}
+
diff --git a/test/test-fp_NaNcases.c b/test/test-fp_NaNcases.c
new file mode 100644
index 00000000..94a0ff71
--- /dev/null
+++ b/test/test-fp_NaNcases.c
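Review bot: `#define _GNU_SOURCE` is placed after `#include <assert.h>`, so the feature macro is set too late to affect the system headers; it belongs before the first include, and the same ordering recurs in test-fp_NaNcases.c and test-fp_minusZerocases.c. `inf` is only used to initialize `negZero`, and `negZero` and `posZero` are never read, so the file builds with unused-variable warnings (also in test-fp_NaNcases.c); either use them in place of the repeated `1.0 / -(1.0 / 0.0)` and `0.0` literals or drop them. `int main()` should be `int main(void)` in all three files. Since every check is an `assert`, a build with `-DNDEBUG` turns the test into a no-op that always passes; that is worth stating in the header comment, e.g. `/* must be built without -DNDEBUG: all checks are asserts */`.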
@@ -0,0 +1,86 @@
+/* test cases for floating point comparison transformations
+ * compile with -DFLOAT_TYPE=float
+ * or -DFLOAT_TYPE=double
+ * or -DFLOAT_TYPE="long double"
+ */
+
+#include <assert.h>
+#define _GNU_SOURCE
+#include <math.h> /* for NaNs and infinity values */
+
+int main() {
+
+ volatile FLOAT_TYPE a, b;
+
+ /* NaN */
+#ifdef NAN
+ a = (FLOAT_TYPE)NAN; /* produces NaN */
+#else
+ a = 0.0 / 0.0; /* produces NaN */
+#endif
+#ifdef INFINITY
+ FLOAT_TYPE inf = (FLOAT_TYPE)INFINITY;
+#else
+ FLOAT_TYPE inf = 1.0 / 0.0; /* produces infinity */
+#endif
+ FLOAT_TYPE negZero = 1.0 / -inf;
+ FLOAT_TYPE posZero = 0.0;
+ b = a;
+
+ assert(!(a < b));
+ assert(!(a <= b));
+ assert(!(a > b));
+ assert(!(a >= b));
+ assert((a != b));
+ assert(!(a == b));
+
+ b = 0.0;
+ assert(!(a < b));
+ assert(!(a <= b));
+ assert(!(a > b));
+ assert(!(a >= b));
+ assert((a != b));
+ assert(!(a == b));
+
+ b = 1.0 / -(1.0 / 0.0); /* negative 0 */
+ assert(!(a < b));
+ assert(!(a <= b));
+ assert(!(a > b));
+ assert(!(a >= b));
+ assert((a != b));
+ assert(!(a == b));
+
+ b = 42.0;
+ assert(!(a < b));
+ assert(!(a <= b));
+ assert(!(a > b));
+ assert(!(a >= b));
+ assert((a != b));
+ assert(!(a == b));
+
+ b = -42.0;
+ assert(!(a < b));
+ assert(!(a <= b));
+ assert(!(a > b));
+ assert(!(a >= b));
+ assert((a != b));
+ assert(!(a == b));
+
+ b = (1.0 / 0.0); /* positive infinity */
+ assert(!(a < b));
+ assert(!(a <= b));
+ assert(!(a > b));
+ assert(!(a >= b));
+ assert((a != b));
+ assert(!(a == b));
+
+ b = -(1.0 / 0.0); /* negative infinity */
+ assert(!(a < b));
+ assert(!(a <= b));
+ assert(!(a > b));
+ assert(!(a >= b));
+ assert((a != b));
+ assert(!(a == b));
+
+}
+
diff --git a/test/test-fp_minusZerocases.c b/test/test-fp_minusZerocases.c
new file mode 100644
index 00000000..f821f2ab
--- /dev/null
+++ b/test/test-fp_minusZerocases.c
@@ -0,0 +1,35 @@
+/* test cases for floating point comparison transformations
+ * compile with -DFLOAT_TYPE=float
+ * or -DFLOAT_TYPE=double
+ * or -DFLOAT_TYPE="long double"
+ */
+
+#include <assert.h>
+#define _GNU_SOURCE
+#include <math.h> /* for NaNs and infinity values */
+
+int main() {
+
+ volatile FLOAT_TYPE a, b;
+
+ /* negative zero */
+ a = 1.0 / -(1.0 / 0.0); /* negative 0 */
+ b = 0.0; /* positive 0 */
+ assert(!(a < b));
+ assert((a <= b));
+ assert(!(a > b));
+ assert((a >= b));
+ assert(!(a != b));
+ assert((a == b));
+
+ a = 1.0 / -(1.0 / 0.0); /* negative 0 */
+ b = 1.0 / -(1.0 / 0.0); /* negative 0 */
+ assert(!(a < b));
+ assert((a <= b));
+ assert(!(a > b));
+ assert((a >= b));
+ assert(!(a != b));
+ assert((a == b));
+
+}
+
diff --git a/test/test-llvm-lto.sh b/test/test-llvm-lto.sh
index 3e762acf..9ff2ec10 100755
--- a/test/test-llvm-lto.sh
+++ b/test/test-llvm-lto.sh
@@ -3,7 +3,7 @@
 . ./test-pre.sh
 $ECHO "$BLUE[*] Testing: LTO llvm_mode"
-test -e ../afl-clang-lto -a -e ../afl-llvm-lto-instrumentation.so && {
+test -e ../afl-clang-lto -a -e ../SanitizerCoverageLTO.so && {
 # on FreeBSD need to set AFL_CC
 test `uname -s` = 'FreeBSD' && {
 if type clang >/dev/null; then
diff --git a/testcases/README.md b/testcases/README.md
index a2f74d68..119fd272 100644
--- a/testcases/README.md
+++ b/testcases/README.md
@@ -1,6 +1,6 @@
 # AFL++ starting test cases
- (See [../README.md](../README.md) for the general instruction manual.)
+For the general instruction manual, see [docs/README.md](../docs/README.md).
 The archives/, images/, multimedia/, and others/ subdirectories contain small, standalone files that can be used to seed afl-fuzz when testing parsers for a
diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl
-Subproject d4915053d477dd827b3fe4b494173d3fbf9f456
+Subproject 9df92d6868e8b219886e4b7458e5e134c48ff2c
diff --git a/utils/libdislocator/README.md b/utils/libdislocator/README.md
index 7150c205..116a22ba 100644
--- a/utils/libdislocator/README.md
+++ b/utils/libdislocator/README.md
@@ -1,6 +1,6 @@
 # libdislocator, an abusive allocator
- (See ../../README.md for the general instruction manual.)
+For the general instruction manual, see [docs/README.md](../../docs/README.md).
 This is a companion library that can be used as a drop-in replacement for the libc allocator in the fuzzed binaries. It improves the odds of bumping into
diff --git a/utils/libtokencap/README.md b/utils/libtokencap/README.md
index 343fcce0..4e7ed1d1 100644
--- a/utils/libtokencap/README.md
+++ b/utils/libtokencap/README.md
@@ -5,7 +5,7 @@
 The afl-clang-fast AFL_LLVM_DICT2FILE feature is much better, afl-clang-lto has that feature automatically integrated.
- (See ../../README.md for the general instruction manual.)
+For the general instruction manual, see [docs/README.md](../../docs/README.md).
 This companion library allows you to instrument `strcmp()`, `memcmp()`, and related functions to automatically extract syntax tokens passed to any of
diff --git a/utils/libtokencap/libtokencap.so.c b/utils/libtokencap/libtokencap.so.c
index 2b1e3903..0db044a1 100644
--- a/utils/libtokencap/libtokencap.so.c
+++ b/utils/libtokencap/libtokencap.so.c
@@ -171,7 +171,7 @@ static void __tokencap_load_mappings(void) {
 int mib[] = {CTL_VM, VM_PROC, VM_PROC_MAP, __tokencap_pid, sizeof(struct kinfo_vmentry)};
 #endif
- char *buf, *low, *high;
+ char * buf, *low, *high;
 size_t miblen = sizeof(mib) / sizeof(mib[0]);
 size_t len;
@@ -345,11 +345,7 @@ static void __tokencap_dump(const u8 *ptr, size_t len, u8 is_text) {
 wrt_ok &= (pos == write(__tokencap_out_file, buf, pos));
 wrt_ok &= (2 == write(__tokencap_out_file, "\"\n", 2));
- if (!wrt_ok) {
-
- DEBUGF("%s", "writing to the token file failed\n");
-
- }
+ if (!wrt_ok) { DEBUGF("%s", "writing to the token file failed\n"); }
 } |