diff options
| -rw-r--r-- | include/afl-fuzz.h | 24 | ||||
| -rw-r--r-- | llvm_mode/afl-clang-fast.c | 11 | ||||
| -rw-r--r-- | qemu_mode/patches/afl-qemu-common.h | 5 | ||||
| -rw-r--r-- | qemu_mode/patches/afl-qemu-cpu-inl.h | 507 | ||||
| -rw-r--r-- | qemu_mode/patches/afl-qemu-cpu-translate-inl.h | 65 | ||||
| -rw-r--r-- | src/afl-fuzz-one.c | 178 |
6 files changed, 175 insertions, 615 deletions
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index ae15b28f..f6874785 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -457,27 +457,27 @@ extern s32 // because Python sets stuff it should not ... #ifdef _POSIX_C_SOURCE - #define _SAVE_POSIX_C_SOURCE _POSIX_C_SOURCE - #undef _POSIX_C_SOURCE +#define _SAVE_POSIX_C_SOURCE _POSIX_C_SOURCE +#undef _POSIX_C_SOURCE #endif #ifdef _XOPEN_SOURCE - #define _SAVE_XOPEN_SOURCE _XOPEN_SOURCE - #undef _XOPEN_SOURCE +#define _SAVE_XOPEN_SOURCE _XOPEN_SOURCE +#undef _XOPEN_SOURCE #endif #include <Python.h> #ifdef _SAVE_POSIX_C_SOURCE - #ifdef _POSIX_C_SOURCE - #undef _POSIX_C_SOURCE - #endif - #define _POSIX_C_SOURCE _SAVE_POSIX_C_SOURCE +#ifdef _POSIX_C_SOURCE +#undef _POSIX_C_SOURCE +#endif +#define _POSIX_C_SOURCE _SAVE_POSIX_C_SOURCE #endif #ifdef _SAVE_XOPEN_SOURCE - #ifdef _XOPEN_SOURCE - #undef _XOPEN_SOURCE - #endif - #define _XOPEN_SOURCE _SAVE_XOPEN_SOURCE +#ifdef _XOPEN_SOURCE +#undef _XOPEN_SOURCE +#endif +#define _XOPEN_SOURCE _SAVE_XOPEN_SOURCE #endif extern PyObject* py_module; diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c index 1925f5f8..142d6331 100644 --- a/llvm_mode/afl-clang-fast.c +++ b/llvm_mode/afl-clang-fast.c @@ -378,10 +378,15 @@ int main(int argc, char** argv) { if (argc < 2 || strcmp(argv[1], "-h") == 0) { #ifdef USE_TRACE_PC - printf(cCYA "afl-clang-fast" VERSION cRST - " [tpcg] by <lszekeres@google.com>\n" + printf( + cCYA + "afl-clang-fast" VERSION cRST + " [tpcg] by <lszekeres@google.com>\n" #else - printf(cCYA "afl-clang-fast" VERSION cRST " by <lszekeres@google.com>\n" + printf( + cCYA + "afl-clang-fast" VERSION cRST + " by <lszekeres@google.com>\n" #endif /* ^USE_TRACE_PC */ "\n" "afl-clang-fast[++] [options]\n" diff --git a/qemu_mode/patches/afl-qemu-common.h b/qemu_mode/patches/afl-qemu-common.h index 147cec4c..2b7bd51c 100644 --- a/qemu_mode/patches/afl-qemu-common.h +++ b/qemu_mode/patches/afl-qemu-common.h @@ -58,9 +58,14 @@ extern u8 afl_compcov_level; extern unsigned char afl_fork_child; extern unsigned char is_persistent; extern target_long persistent_stack_offset; +extern unsigned char persistent_first_pass; +extern unsigned char persistent_save_gpr; +extern target_ulong persistent_saved_gpr[CPU_NB_REGS]; extern __thread abi_ulong afl_prev_loc; +void afl_debug_dump_saved_regs(); + void afl_persistent_loop(); void tcg_gen_afl_call0(void *func); diff --git a/qemu_mode/patches/afl-qemu-cpu-inl.h b/qemu_mode/patches/afl-qemu-cpu-inl.h index 3d29d3df..8b137891 100644 --- a/qemu_mode/patches/afl-qemu-cpu-inl.h +++ b/qemu_mode/patches/afl-qemu-cpu-inl.h @@ -1,508 +1 @@ -/* - american fuzzy lop++ - high-performance binary-only instrumentation - ------------------------------------------------------------------- - - Originally written by Andrew Griffiths <agriffiths@google.com> and - Michal Zalewski <lcamtuf@google.com> - - TCG instrumentation and block chaining support by Andrea Biondo - <andrea.biondo965@gmail.com> - - QEMU 3.1.1 port, TCG thread-safety, CompareCoverage and NeverZero - counters by Andrea Fioraldi <andreafioraldi@gmail.com> - - Copyright 2015, 2016, 2017 Google Inc. All rights reserved. - Copyright 2019 AFLplusplus Project. All rights reserved. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at: - - http://www.apache.org/licenses/LICENSE-2.0 - - This code is a shim patched into the separately-distributed source - code of QEMU 3.1.0. It leverages the built-in QEMU tracing functionality - to implement AFL-style instrumentation and to take care of the remaining - parts of the AFL fork server logic. - - The resulting QEMU binary is essentially a standalone instrumentation - tool; for an example of how to leverage it for other purposes, you can - have a look at afl-showmap.c. - - */ - -#include <sys/shm.h> -#include "../../config.h" - -#define PERSISTENT_DEFAULT_MAX_CNT 1000 - -/*************************** - * VARIOUS AUXILIARY STUFF * - ***************************/ - -/* This snippet kicks in when the instruction pointer is positioned at - _start and does the usual forkserver stuff, not very different from - regular instrumentation injected via afl-as.h. */ - -#define AFL_QEMU_CPU_SNIPPET2 \ - do { \ - \ - if (itb->pc == afl_entry_point) { \ - \ - afl_setup(); \ - afl_forkserver(cpu); \ - \ - } \ - \ - } while (0) - -/* We use one additional file descriptor to relay "needs translation" - messages between the child and the fork server. */ - -#define TSL_FD (FORKSRV_FD - 1) - -/* This is equivalent to afl-as.h: */ - -static unsigned char - dummy[MAP_SIZE]; /* costs MAP_SIZE but saves a few instructions */ -unsigned char *afl_area_ptr = dummy; /* Exported for afl_gen_trace */ - -/* Exported variables populated by the code patched into elfload.c: */ - -abi_ulong afl_entry_point, /* ELF entry point (_start) */ - afl_start_code, /* .text start pointer */ - afl_end_code; /* .text end pointer */ - -abi_ulong afl_persistent_addr, afl_persistent_ret_addr; -unsigned int afl_persistent_cnt; - -u8 afl_compcov_level; - -__thread abi_ulong afl_prev_loc; - -/* Set in the child process in forkserver mode: */ - -static int forkserver_installed = 0; -unsigned char afl_fork_child; -unsigned int afl_forksrv_pid; -unsigned char is_persistent; -target_long persistent_stack_offset; - -/* Instrumentation ratio: */ - -unsigned int afl_inst_rms = MAP_SIZE; /* Exported for afl_gen_trace */ - -/* Function declarations. */ - -static void afl_setup(void); -static void afl_forkserver(CPUState *); - -static void afl_wait_tsl(CPUState *, int); -static void afl_request_tsl(target_ulong, target_ulong, uint32_t, uint32_t, - TranslationBlock *, int); - -/* Data structures passed around by the translate handlers: */ - -struct afl_tb { - - target_ulong pc; - target_ulong cs_base; - uint32_t flags; - uint32_t cf_mask; - -}; - -struct afl_tsl { - - struct afl_tb tb; - char is_chain; - -}; - -struct afl_chain { - - struct afl_tb last_tb; - uint32_t cf_mask; - int tb_exit; - -}; - -/* Some forward decls: */ - -TranslationBlock *tb_htable_lookup(CPUState *, target_ulong, target_ulong, - uint32_t, uint32_t); -static inline TranslationBlock *tb_find(CPUState *, TranslationBlock *, int, - uint32_t); -static inline void tb_add_jump(TranslationBlock *tb, int n, - TranslationBlock *tb_next); - -/************************* - * ACTUAL IMPLEMENTATION * - *************************/ - -/* Set up SHM region and initialize other stuff. */ - -static void afl_setup(void) { - - char *id_str = getenv(SHM_ENV_VAR), *inst_r = getenv("AFL_INST_RATIO"); - - int shm_id; - - if (inst_r) { - - unsigned int r; - - r = atoi(inst_r); - - if (r > 100) r = 100; - if (!r) r = 1; - - afl_inst_rms = MAP_SIZE * r / 100; - - } - - if (id_str) { - - shm_id = atoi(id_str); - afl_area_ptr = shmat(shm_id, NULL, 0); - - if (afl_area_ptr == (void *)-1) exit(1); - - /* With AFL_INST_RATIO set to a low value, we want to touch the bitmap - so that the parent doesn't give up on us. */ - - if (inst_r) afl_area_ptr[0] = 1; - - } - - if (getenv("AFL_INST_LIBS")) { - - afl_start_code = 0; - afl_end_code = (abi_ulong)-1; - - } - - if (getenv("AFL_CODE_START")) - afl_start_code = strtoll(getenv("AFL_CODE_START"), NULL, 16); - if (getenv("AFL_CODE_END")) - afl_end_code = strtoll(getenv("AFL_CODE_END"), NULL, 16); - - /* Maintain for compatibility */ - if (getenv("AFL_QEMU_COMPCOV")) { afl_compcov_level = 1; } - if (getenv("AFL_COMPCOV_LEVEL")) { - - afl_compcov_level = atoi(getenv("AFL_COMPCOV_LEVEL")); - - } - - /* pthread_atfork() seems somewhat broken in util/rcu.c, and I'm - not entirely sure what is the cause. This disables that - behaviour, and seems to work alright? */ - - rcu_disable_atfork(); - - is_persistent = getenv("AFL_QEMU_PERSISTENT_ADDR") != NULL; - - if (is_persistent) { - - afl_persistent_addr = strtoll(getenv("AFL_QEMU_PERSISTENT_ADDR"), NULL, 16); - if (getenv("AFL_QEMU_PERSISTENT_RET")) - afl_persistent_ret_addr = - strtoll(getenv("AFL_QEMU_PERSISTENT_RET"), NULL, 16); - /* If AFL_QEMU_PERSISTENT_RET is not specified patch the return addr */ - - } - - if (getenv("AFL_QEMU_PERSISTENT_CNT")) - afl_persistent_cnt = strtoll(getenv("AFL_QEMU_PERSISTENT_CNT"), NULL, 16); - else - afl_persistent_cnt = PERSISTENT_DEFAULT_MAX_CNT; - -} - -/* Fork server logic, invoked once we hit _start. */ - -static void afl_forkserver(CPUState *cpu) { - - static unsigned char tmp[4]; - - if (forkserver_installed == 1) return; - forkserver_installed = 1; - - // if (!afl_area_ptr) return; // not necessary because of fixed dummy buffer - - pid_t child_pid; - int t_fd[2]; - u8 child_stopped = 0; - - /* Tell the parent that we're alive. If the parent doesn't want - to talk, assume that we're not running in forkserver mode. */ - - if (write(FORKSRV_FD + 1, tmp, 4) != 4) return; - - afl_forksrv_pid = getpid(); - - /* All right, let's await orders... */ - - while (1) { - - int status; - u32 was_killed; - - /* Whoops, parent dead? */ - - if (read(FORKSRV_FD, &was_killed, 4) != 4) exit(2); - - /* If we stopped the child in persistent mode, but there was a race - condition and afl-fuzz already issued SIGKILL, write off the old - process. */ - - if (child_stopped && was_killed) { - - child_stopped = 0; - if (waitpid(child_pid, &status, 0) < 0) exit(8); - - } - - if (!child_stopped) { - - /* Establish a channel with child to grab translation commands. We'll - read from t_fd[0], child will write to TSL_FD. */ - - if (pipe(t_fd) || dup2(t_fd[1], TSL_FD) < 0) exit(3); - close(t_fd[1]); - - child_pid = fork(); - if (child_pid < 0) exit(4); - - if (!child_pid) { - - /* Child process. Close descriptors and run free. */ - - afl_fork_child = 1; - close(FORKSRV_FD); - close(FORKSRV_FD + 1); - close(t_fd[0]); - return; - - } - - /* Parent. */ - - close(TSL_FD); - - } else { - - /* Special handling for persistent mode: if the child is alive but - currently stopped, simply restart it with SIGCONT. */ - - kill(child_pid, SIGCONT); - child_stopped = 0; - - } - - /* Parent. */ - - if (write(FORKSRV_FD + 1, &child_pid, 4) != 4) exit(5); - - /* Collect translation requests until child dies and closes the pipe. */ - - afl_wait_tsl(cpu, t_fd[0]); - - /* Get and relay exit status to parent. */ - - if (waitpid(child_pid, &status, is_persistent ? WUNTRACED : 0) < 0) exit(6); - - /* In persistent mode, the child stops itself with SIGSTOP to indicate - a successful run. In this case, we want to wake it up without forking - again. */ - - if (WIFSTOPPED(status)) child_stopped = 1; - - if (write(FORKSRV_FD + 1, &status, 4) != 4) exit(7); - - } - -} - -/* A simplified persistent mode handler, used as explained in README.llvm. */ - -void afl_persistent_loop() { - - static u8 first_pass = 1; - static u32 cycle_cnt; - static struct afl_tsl exit_cmd_tsl = {{-1, 0, 0, 0}, NULL}; - - if (!afl_fork_child) return; - - if (first_pass) { - - /* Make sure that every iteration of __AFL_LOOP() starts with a clean slate. - On subsequent calls, the parent will take care of that, but on the first - iteration, it's our job to erase any trace of whatever happened - before the loop. */ - - if (is_persistent) { - - memset(afl_area_ptr, 0, MAP_SIZE); - afl_area_ptr[0] = 1; - afl_prev_loc = 0; - - } - - cycle_cnt = afl_persistent_cnt; - first_pass = 0; - persistent_stack_offset = TARGET_LONG_BITS / 8; - - return; - - } - - if (is_persistent) { - - if (--cycle_cnt) { - - if (write(TSL_FD, &exit_cmd_tsl, sizeof(struct afl_tsl)) != - sizeof(struct afl_tsl)) { - - /* Exit the persistent loop on pipe error */ - exit(0); - - } - - raise(SIGSTOP); - - afl_area_ptr[0] = 1; - afl_prev_loc = 0; - - } else { - - exit(0); - - } - - } - -} - -/* This code is invoked whenever QEMU decides that it doesn't have a - translation of a particular block and needs to compute it, or when it - decides to chain two TBs together. When this happens, we tell the parent to - mirror the operation, so that the next fork() has a cached copy. */ - -static void afl_request_tsl(target_ulong pc, target_ulong cb, uint32_t flags, - uint32_t cf_mask, TranslationBlock *last_tb, - int tb_exit) { - - struct afl_tsl t; - struct afl_chain c; - - if (!afl_fork_child) return; - - t.tb.pc = pc; - t.tb.cs_base = cb; - t.tb.flags = flags; - t.tb.cf_mask = cf_mask; - t.is_chain = (last_tb != NULL); - - if (write(TSL_FD, &t, sizeof(struct afl_tsl)) != sizeof(struct afl_tsl)) - return; - - if (t.is_chain) { - - c.last_tb.pc = last_tb->pc; - c.last_tb.cs_base = last_tb->cs_base; - c.last_tb.flags = last_tb->flags; - c.cf_mask = cf_mask; - c.tb_exit = tb_exit; - - if (write(TSL_FD, &c, sizeof(struct afl_chain)) != sizeof(struct afl_chain)) - return; - - } - -} - -/* Check if an address is valid in the current mapping */ - -static inline int is_valid_addr(target_ulong addr) { - - int l, flags; - target_ulong page; - void * p; - - page = addr & TARGET_PAGE_MASK; - l = (page + TARGET_PAGE_SIZE) - addr; - - flags = page_get_flags(page); - if (!(flags & PAGE_VALID) || !(flags & PAGE_READ)) return 0; - - return 1; - -} - -/* This is the other side of the same channel. Since timeouts are handled by - afl-fuzz simply killing the child, we can just wait until the pipe breaks. */ - -static void afl_wait_tsl(CPUState *cpu, int fd) { - - struct afl_tsl t; - struct afl_chain c; - TranslationBlock *tb, *last_tb; - - while (1) { - - u8 invalid_pc = 0; - - /* Broken pipe means it's time to return to the fork server routine. */ - - if (read(fd, &t, sizeof(struct afl_tsl)) != sizeof(struct afl_tsl)) break; - - /* Exit command for persistent */ - - if (t.tb.pc == (target_ulong)(-1)) return; - - tb = tb_htable_lookup(cpu, t.tb.pc, t.tb.cs_base, t.tb.flags, t.tb.cf_mask); - - if (!tb) { - - /* The child may request to transate a block of memory that is not - mapped in the parent (e.g. jitted code or dlopened code). - This causes a SIGSEV in gen_intermediate_code() and associated - subroutines. We simply avoid caching of such blocks. */ - - if (is_valid_addr(t.tb.pc)) { - - mmap_lock(); - tb = tb_gen_code(cpu, t.tb.pc, t.tb.cs_base, t.tb.flags, t.tb.cf_mask); - mmap_unlock(); - - } else { - - invalid_pc = 1; - - } - - } - - if (t.is_chain) { - - if (read(fd, &c, sizeof(struct afl_chain)) != sizeof(struct afl_chain)) - break; - - if (!invalid_pc) { - - last_tb = tb_htable_lookup(cpu, c.last_tb.pc, c.last_tb.cs_base, - c.last_tb.flags, c.cf_mask); - if (last_tb) { tb_add_jump(last_tb, c.tb_exit, tb); } - - } - - } - - } - - close(fd); - -} diff --git a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h index f11b686c..020340a3 100644 --- a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h +++ b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h @@ -65,7 +65,7 @@ static void afl_compcov_log_32(target_ulong cur_loc, target_ulong arg1, static void afl_compcov_log_64(target_ulong cur_loc, target_ulong arg1, target_ulong arg2) { - + register uintptr_t idx = cur_loc; if ((arg1 & 0xff) == (arg2 & 0xff)) { @@ -134,22 +134,71 @@ static void afl_gen_compcov(target_ulong cur_loc, TCGv_i64 arg1, TCGv_i64 arg2, } +#define I386_RESTORE_STATE_FOR_PERSISTENT \ + do { \ + \ + if (persistent_save_gpr) { \ + \ + int i; \ + TCGv_ptr gpr_sv; \ + \ + TCGv_ptr first_pass_ptr = tcg_const_ptr(&persistent_first_pass); \ + TCGv first_pass = tcg_temp_local_new(); \ + TCGv one = tcg_const_tl(1); \ + tcg_gen_ld8u_tl(first_pass, first_pass_ptr, 0); \ + \ + TCGLabel *lbl_save_gpr = gen_new_label(); \ + TCGLabel *lbl_finish_restore_gpr = gen_new_label(); \ + tcg_gen_brcond_tl(TCG_COND_EQ, first_pass, one, lbl_save_gpr); \ + \ + for (i = 0; i < CPU_NB_REGS; ++i) { \ + \ + gpr_sv = tcg_const_ptr(&persistent_saved_gpr[i]); \ + tcg_gen_ld_tl(gpr_sv, cpu_regs[i], 0); \ + \ + } \ + \ + tcg_gen_br(lbl_finish_restore_gpr); \ + \ + gen_set_label(lbl_save_gpr); \ + \ + for (i = 0; i < CPU_NB_REGS; ++i) { \ + \ + gpr_sv = tcg_const_ptr(&persistent_saved_gpr[i]); \ + tcg_gen_st_tl(cpu_regs[i], gpr_sv, 0); \ + \ + } \ + \ + gen_set_label(lbl_finish_restore_gpr); \ + tcg_temp_free(first_pass); \ + \ + } \ + if (afl_persistent_ret_addr == 0) { \ + \ + TCGv_ptr stack_off_ptr = tcg_const_ptr(&persistent_stack_offset); \ + TCGv stack_off = tcg_temp_new(); \ + tcg_gen_ld_tl(stack_off, stack_off_ptr, 0); \ + tcg_gen_sub_tl(cpu_regs[R_ESP], cpu_regs[R_ESP], stack_off); \ + tcg_temp_free(stack_off); \ + \ + } \ + \ + } while (0) + #define AFL_QEMU_TARGET_i386_SNIPPET \ if (is_persistent) { \ \ if (s->pc == afl_persistent_addr) { \ \ + I386_RESTORE_STATE_FOR_PERSISTENT; \ + tcg_gen_afl_call0(afl_debug_dump_saved_regs); \ + \ if (afl_persistent_ret_addr == 0) { \ \ - TCGv_ptr stack_off_ptr = tcg_const_ptr(&persistent_stack_offset); \ - TCGv stack_off = tcg_temp_new(); \ - tcg_gen_ld_tl(stack_off, stack_off_ptr, 0); \ - tcg_gen_sub_tl(cpu_regs[R_ESP], cpu_regs[R_ESP], stack_off); \ - tcg_temp_free(stack_off); \ + TCGv_ptr paddr = tcg_const_ptr(afl_persistent_addr); \ + tcg_gen_st_tl(paddr, cpu_regs[R_ESP], 0); \ \ } \ - TCGv_ptr paddr = tcg_const_ptr(afl_persistent_addr); \ - tcg_gen_st_tl(paddr, cpu_regs[R_ESP], 0); \ tcg_gen_afl_call0(&afl_persistent_loop); \ \ } else if (afl_persistent_ret_addr && s->pc == afl_persistent_ret_addr) { \ diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 82643722..59483b8f 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -2296,57 +2296,57 @@ abandon_entry: struct MOpt_globals_t { - u64 *finds; - u64 *finds_v2; - u64 *cycles; - u64 *cycles_v2; - u64 *cycles_v3; - u32 is_pilot_mode; - u64 *pTime; - const u64 period; - char *havoc_stagename; - char *splice_stageformat; - char *havoc_stagenameshort; - char *splice_stagenameshort; - -} MOpt_globals_pilot = { - stage_finds_puppet[0], - stage_finds_puppet_v2[0], - stage_cycles_puppet[0], - stage_cycles_puppet_v2[0], - stage_cycles_puppet_v3[0], - 1, - &tmp_pilot_time, - period_pilot, - "MOpt-havoc", - "MOpt-splice %u", - "MOpt_havoc", - "MOpt_splice" -}, MOpt_globals_core = { - core_operator_finds_puppet, - core_operator_finds_puppet_v2, - core_operator_cycles_puppet, - core_operator_cycles_puppet_v2, - core_operator_cycles_puppet_v3, - 0, - &tmp_core_time, - period_core, - "MOpt-core-havoc", - "MOpt-core-splice %u", - "MOpt_core_havoc", - "MOpt_core_splice" -}; - + u64* finds; + u64* finds_v2; + u64* cycles; + u64* cycles_v2; + u64* cycles_v3; + u32 is_pilot_mode; + u64* pTime; + const u64 period; + char* havoc_stagename; + char* splice_stageformat; + char* havoc_stagenameshort; + char* splice_stagenameshort; + +} MOpt_globals_pilot = {stage_finds_puppet[0], + + stage_finds_puppet_v2[0], + stage_cycles_puppet[0], + stage_cycles_puppet_v2[0], + stage_cycles_puppet_v3[0], + 1, + &tmp_pilot_time, + period_pilot, + "MOpt-havoc", + "MOpt-splice %u", + "MOpt_havoc", + "MOpt_splice"}, + MOpt_globals_core = {core_operator_finds_puppet, + core_operator_finds_puppet_v2, + core_operator_cycles_puppet, + core_operator_cycles_puppet_v2, + core_operator_cycles_puppet_v3, + 0, + &tmp_core_time, + period_core, + "MOpt-core-havoc", + "MOpt-core-splice %u", + "MOpt_core_havoc", + "MOpt_core_splice"}; /* MOpt mode */ u8 common_fuzzing(char** argv, struct MOpt_globals_t MOpt_globals) { if (!MOpt_globals.is_pilot_mode) { + if (swarm_num == 1) { key_module = 2; return 0; + } + } s32 len, fd, temp_len, i, j; @@ -2614,9 +2614,9 @@ u8 common_fuzzing(char** argv, struct MOpt_globals_t MOpt_globals) { } - } /* if (stage_cur & 7) == 7 */ + } /* if (stage_cur & 7) == 7 */ - } /* for stage_cur */ + } /* for stage_cur */ new_hit_cnt = queued_paths + unique_crashes; @@ -2643,7 +2643,7 @@ u8 common_fuzzing(char** argv, struct MOpt_globals_t MOpt_globals) { FLIP_BIT(out_buf, stage_cur); FLIP_BIT(out_buf, stage_cur + 1); - } /* for stage_cur */ + } /* for stage_cur */ new_hit_cnt = queued_paths + unique_crashes; @@ -2674,7 +2674,7 @@ u8 common_fuzzing(char** argv, struct MOpt_globals_t MOpt_globals) { FLIP_BIT(out_buf, stage_cur + 2); FLIP_BIT(out_buf, stage_cur + 3); - } /* for stage_cur */ + } /* for stage_cur */ new_hit_cnt = queued_paths + unique_crashes; @@ -2751,7 +2751,7 @@ u8 common_fuzzing(char** argv, struct MOpt_globals_t MOpt_globals) { out_buf[stage_cur] ^= 0xFF; - } /* for stage_cur */ + } /* for stage_cur */ /* If the effector map is more than EFF_MAX_PERC dense, just flag the whole thing as worth fuzzing, since we wouldn't be saving much time @@ -2808,7 +2808,7 @@ u8 common_fuzzing(char** argv, struct MOpt_globals_t MOpt_globals) { *(u16*)(out_buf + i) ^= 0xFFFF; - } /* for i = 0; i < len */ + } /* for i = 0; i < len */ new_hit_cnt = queued_paths + unique_crashes; @@ -2846,7 +2846,7 @@ u8 common_fuzzing(char** argv, struct MOpt_globals_t MOpt_globals) { *(u32*)(out_buf + i) ^= 0xFFFFFFFF; - } /* for i = 0; i < len - 3 */ + } /* for i = 0; i < len - 3 */ new_hit_cnt = queued_paths + unique_crashes; @@ -2924,7 +2924,7 @@ skip_bitflip: } - } /* for i = 0; i < len */ + } /* for i = 0; i < len */ new_hit_cnt = queued_paths + unique_crashes; @@ -3026,7 +3026,7 @@ skip_bitflip: } - } /* for i = 0; i < len - 1 */ + } /* for i = 0; i < len - 1 */ new_hit_cnt = queued_paths + unique_crashes; @@ -3127,7 +3127,7 @@ skip_bitflip: } - } /* for i = 0; i < len - 3 */ + } /* for i = 0; i < len - 3 */ new_hit_cnt = queued_paths + unique_crashes; @@ -3188,7 +3188,7 @@ skip_arith: } - } /* for i = 0; i < len */ + } /* for i = 0; i < len */ new_hit_cnt = queued_paths + unique_crashes; @@ -3262,7 +3262,7 @@ skip_arith: *(u16*)(out_buf + i) = orig; - } /* for i = 0; i < len - 1 */ + } /* for i = 0; i < len - 1 */ new_hit_cnt = queued_paths + unique_crashes; @@ -3337,7 +3337,7 @@ skip_arith: *(u32*)(out_buf + i) = orig; - } /* for i = 0; i < len - 3 */ + } /* for i = 0; i < len - 3 */ new_hit_cnt = queued_paths + unique_crashes; @@ -3403,7 +3403,7 @@ skip_interest: /* Restore all the clobbered memory. */ memcpy(out_buf + i, in_buf + i, last_len); - } /* for i = 0; i < len */ + } /* for i = 0; i < len */ new_hit_cnt = queued_paths + unique_crashes; @@ -3454,7 +3454,7 @@ skip_interest: /* Copy head */ ex_tmp[i] = out_buf[i]; - } /* for i = 0; i <= len */ + } /* for i = 0; i <= len */ ck_free(ex_tmp); @@ -3508,7 +3508,7 @@ skip_user_extras: /* Restore all the clobbered memory. */ memcpy(out_buf + i, in_buf + i, last_len); - } /* for i = 0; i < len */ + } /* for i = 0; i < len */ new_hit_cnt = queued_paths + unique_crashes; @@ -3573,7 +3573,7 @@ pacemaker_fuzzing: } - } /* if key_puppet == 1 */ + } /* if key_puppet == 1 */ { @@ -3906,11 +3906,11 @@ pacemaker_fuzzing: MOpt_globals.cycles_v2[STAGE_OverWrite75] += 1; break; - } /* case 15 */ + } /* case 15 */ - } /* switch select_algorithm() */ + } /* switch select_algorithm() */ - } /* for i=0; i < use_stacking */ + } /* for i=0; i < use_stacking */ *MOpt_globals.pTime += 1; @@ -3954,13 +3954,14 @@ pacemaker_fuzzing: } - } /* if */ + } /* if */ - } /* for (stage_cur = 0; stage_cur < stage_max; ++stage_cur) { */ + } /* for (stage_cur = 0; stage_cur < stage_max; ++stage_cur) { */ new_hit_cnt = queued_paths + unique_crashes; if (MOpt_globals.is_pilot_mode) { + if (!splice_cycle) { stage_finds[STAGE_HAVOC] += new_hit_cnt - orig_hit_cnt; @@ -3970,7 +3971,9 @@ pacemaker_fuzzing: stage_finds[STAGE_SPLICE] += new_hit_cnt - orig_hit_cnt; stage_cycles[STAGE_SPLICE] += stage_max; + } + } #ifndef IGNORE_FINDS @@ -4073,7 +4076,7 @@ pacemaker_fuzzing: goto havoc_stage_puppet; - } /* if splice_cycle */ + } /* if splice_cycle */ #endif /* !IGNORE_FINDS */ @@ -4129,23 +4132,24 @@ pacemaker_fuzzing: new_hit_cnt = queued_paths + unique_crashes; if (MOpt_globals.is_pilot_mode) { + swarm_fitness[swarm_now] = (double)(total_puppet_find - temp_puppet_find) / ((double)(tmp_pilot_time) / period_pilot_tmp); + } u64 temp_stage_finds_puppet = 0; for (i = 0; i < operator_num; ++i) { if (MOpt_globals.is_pilot_mode) { + double temp_eff = 0.0; - if (MOpt_globals.cycles_v2[i] > - MOpt_globals.cycles[i]) - temp_eff = (double)(MOpt_globals.finds_v2[i] - - MOpt_globals.finds[i]) / - (double)(MOpt_globals.cycles_v2[i] - - MOpt_globals.cycles[i]); + if (MOpt_globals.cycles_v2[i] > MOpt_globals.cycles[i]) + temp_eff = + (double)(MOpt_globals.finds_v2[i] - MOpt_globals.finds[i]) / + (double)(MOpt_globals.cycles_v2[i] - MOpt_globals.cycles[i]); if (eff_best[swarm_now][i] < temp_eff) { @@ -4153,23 +4157,27 @@ pacemaker_fuzzing: L_best[swarm_now][i] = x_now[swarm_now][i]; } + } - MOpt_globals.finds[i] = MOpt_globals.finds_v2[i]; + MOpt_globals.finds[i] = MOpt_globals.finds_v2[i]; MOpt_globals.cycles[i] = MOpt_globals.cycles_v2[i]; temp_stage_finds_puppet += MOpt_globals.finds[i]; - } /* for i = 0; i < operator_num */ + } /* for i = 0; i < operator_num */ if (MOpt_globals.is_pilot_mode) { + swarm_now = swarm_now + 1; if (swarm_now == swarm_num) { key_module = 1; for (i = 0; i < operator_num; ++i) { - core_operator_cycles_puppet_v2[i] = core_operator_cycles_puppet[i]; - core_operator_cycles_puppet_v3[i] = core_operator_cycles_puppet[i]; + core_operator_cycles_puppet_v2[i] = + core_operator_cycles_puppet[i]; + core_operator_cycles_puppet_v3[i] = + core_operator_cycles_puppet[i]; core_operator_finds_puppet_v2[i] = core_operator_finds_puppet[i]; } @@ -4190,12 +4198,12 @@ pacemaker_fuzzing: if (swarm_now < 0 || swarm_now > swarm_num - 1) PFATAL("swarm_now error number %d", swarm_now); - } /* if swarm_now == swarm_num */ + } /* if swarm_now == swarm_num */ - /* adjust pointers dependent on 'swarm_now' */ - MOpt_globals_pilot.finds = stage_finds_puppet[swarm_now]; - MOpt_globals_pilot.finds_v2 = stage_finds_puppet_v2[swarm_now]; - MOpt_globals_pilot.cycles = stage_cycles_puppet[swarm_now]; + /* adjust pointers dependent on 'swarm_now' */ + MOpt_globals_pilot.finds = stage_finds_puppet[swarm_now]; + MOpt_globals_pilot.finds_v2 = stage_finds_puppet_v2[swarm_now]; + MOpt_globals_pilot.cycles = stage_cycles_puppet[swarm_now]; MOpt_globals_pilot.cycles_v2 = stage_cycles_puppet_v2[swarm_now]; MOpt_globals_pilot.cycles_v3 = stage_cycles_puppet_v3[swarm_now]; @@ -4205,13 +4213,13 @@ pacemaker_fuzzing: old_hit_count = new_hit_cnt; - } /* if pilot_mode */ + } /* if pilot_mode */ - } /* if (unlikely(*MOpt_globals.pTime > MOpt_globals.period)) */ + } /* if (unlikely(*MOpt_globals.pTime > MOpt_globals.period)) */ - } /* block */ + } /* block */ - } /* block */ + } /* block */ return ret_val; @@ -4219,9 +4227,9 @@ pacemaker_fuzzing: #undef FLIP_BIT -#define pilot_fuzzing(a) common_fuzzing((a), MOpt_globals_pilot) +#define pilot_fuzzing(a) common_fuzzing((a), MOpt_globals_pilot) -#define core_fuzzing(a) common_fuzzing((a), MOpt_globals_core) +#define core_fuzzing(a) common_fuzzing((a), MOpt_globals_core) void pso_updating(void) { |