-rw-r--r--custom_mutators/symcc/symcc.c28
-rw-r--r--docs/Changelog.md6
-rw-r--r--instrumentation/afl-llvm-common.cc4
-rw-r--r--instrumentation/compare-transform-pass.so.cc14
-rw-r--r--src/afl-cc.c5
-rw-r--r--src/afl-fuzz-queue.c3
-rw-r--r--src/afl-fuzz-stats.c18
7 files changed, 49 insertions, 29 deletions
diff --git a/custom_mutators/symcc/symcc.c b/custom_mutators/symcc/symcc.c
index 86f23343..33e11772 100644
--- a/custom_mutators/symcc/symcc.c
+++ b/custom_mutators/symcc/symcc.c
@@ -22,10 +22,10 @@ afl_state_t *afl_struct;
 typedef struct my_mutator {
 
   afl_state_t *afl;
-  u8 *         mutator_buf;
-  u8 *         out_dir;
-  u8 *         tmp_dir;
-  u8 *         target;
+  u8          *mutator_buf;
+  u8          *out_dir;
+  u8          *tmp_dir;
+  u8          *target;
   uint32_t     seed;
 
 } my_mutator_t;
@@ -101,7 +101,7 @@ my_mutator_t *afl_custom_init(afl_state_t *afl, unsigned int seed) {
 
 /* When a new queue entry is added we run this input with the symcc
    instrumented binary */
-uint8_t afl_custom_queue_new_entry(my_mutator_t * data,
+uint8_t afl_custom_queue_new_entry(my_mutator_t  *data,
                                    const uint8_t *filename_new_queue,
                                    const uint8_t *filename_orig_queue) {
 
@@ -176,7 +176,7 @@ uint8_t afl_custom_queue_new_entry(my_mutator_t * data,
 
     struct dirent **nl;
     int32_t         items = scandir(data->tmp_dir, &nl, NULL, NULL);
-    u8 *            origin_name = basename(filename_new_queue);
+    u8             *origin_name = basename(filename_new_queue);
     int32_t         i;
     if (items > 0) {
 
@@ -187,8 +187,8 @@ uint8_t afl_custom_queue_new_entry(my_mutator_t * data,
         DBG("test=%s\n", fn);
         if (stat(source_name, &st) == 0 && S_ISREG(st.st_mode) && st.st_size) {
 
-          u8 *destination_name =
-              alloc_printf("%s/%s.%s", data->out_dir, origin_name, nl[i]->d_name);
+          u8 *destination_name = alloc_printf("%s/%s.%s", data->out_dir,
+                                              origin_name, nl[i]->d_name);
           rename(source_name, destination_name);
           ck_free(destination_name);
           DBG("found=%s\n", source_name);
@@ -248,7 +248,7 @@ uint32_t afl_custom_fuzz_count(my_mutator_t *data, const u8 *buf,
     for (i = 0; i < (u32)items; ++i) {
 
       struct stat st;
-      u8 *        fn = alloc_printf("%s/%s", data->out_dir, nl[i]->d_name);
+      u8         *fn = alloc_printf("%s/%s", data->out_dir, nl[i]->d_name);
       DBG("test=%s\n", fn);
       if (stat(fn, &st) == 0 && S_ISREG(st.st_mode) && st.st_size) {
 
@@ -282,12 +282,12 @@ size_t afl_custom_fuzz(my_mutator_t *data, uint8_t *buf, size_t buf_size,
 
   if (items <= 0) return 0;
 
-  for (i = 0; i < (u32)items; ++i) {
+  for (i = 0; i < (s32)items; ++i) {
 
-    struct stat st;
-    u8 *        fn = alloc_printf("%s/%s", data->out_dir, nl[i]->d_name);
+    if (!done) {
 
-    if (done == 0) {
+      struct stat st;
+      u8         *fn = alloc_printf("%s/%s", data->out_dir, nl[i]->d_name);
 
       if (stat(fn, &st) == 0 && S_ISREG(st.st_mode) && st.st_size) {
 
@@ -306,10 +306,10 @@ size_t afl_custom_fuzz(my_mutator_t *data, uint8_t *buf, size_t buf_size,
       }
 
       unlink(fn);
+      ck_free(fn);
 
     }
 
-    ck_free(fn);
     free(nl[i]);
 
   }
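Review bot: `ck_free(fn)` is now the last statement of the `if (!done)` block, so `fn` is released only on paths that fall through to `unlink(fn)`; the stat-success branch between this hunk and the previous one (file lines 288-305) is not visible here, and any `continue` or early `return` inside it would now leak the buffer where the old placement did not. Worth confirming that branch has no such exit, and worth pinning the contract at the allocation site with `/* fn is released at the end of this block; do not leave early */`. The enclosing loop and afl_custom_fuzz continue outside this hunk.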
diff --git a/docs/Changelog.md b/docs/Changelog.md
index 6736e42b..d6478ca0 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -23,6 +23,7 @@
     - disable xml/curl/g_ string transform functions because we do not check
       for null pointers ... TODO
     - ensure shared memory variables are visible in weird build setups
+    - compatability to new LLVM 19 changes
   * afl-cmin
     - work with input files that have a space
   * afl-showmap
@@ -63,12 +64,13 @@
   - afl-whatsup:
     - now also displays current average speed
     - small bugfixes
-  - Fixes for aflpp custom mutator and standalone tool
+  - custom mutators:
+    - fixes for aflpp custom mutator and standalone tool
+    - important fix to the symcc custom mutator
   - Minor edits to afl-persistent-config
   - Prevent temporary files being left behind on aborted afl-whatsup
   - More CPU benchmarks added to benchmark/
 
-
 ### Version ++4.10c (release)
   - afl-fuzz:
     - default power schedule is now EXPLORE, due a fix in fast schedules
diff --git a/instrumentation/afl-llvm-common.cc b/instrumentation/afl-llvm-common.cc
index ed9268dc..50954324 100644
--- a/instrumentation/afl-llvm-common.cc
+++ b/instrumentation/afl-llvm-common.cc
@@ -136,7 +136,11 @@ bool isIgnoreFunction(const llvm::Function *F) {
 
   for (auto const &ignoreListFunc : ignoreList) {
 
+#if LLVM_VERSION_MAJOR >= 19
+    if (F->getName().starts_with(ignoreListFunc)) { return true; }
+#else
     if (F->getName().startswith(ignoreListFunc)) { return true; }
+#endif
 
   }
 
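Review bot: The version guard here tests `LLVM_VERSION_MAJOR`, while the same LLVM 19 `startswith`/`starts_with` switch in instrumentation/compare-transform-pass.so.cc (the `STARTSWITH` hunk) tests `LLVM_MAJOR`. These are different macros — `LLVM_VERSION_MAJOR` comes from LLVM's own config header, `LLVM_MAJOR` is the build-supplied define this tree already relies on (see the afl-cc.c hunk) — and an identifier that is undefined at that point evaluates to 0 in `#if`, silently selecting the pre-19 spelling and producing a compile error only on the newer toolchain. Using one macro in both files, or one shared `STARTSWITH`-style helper declared in afl-llvm-common.h, would keep the two passes from disagreeing on the same compiler. isIgnoreFunction begins outside this hunk.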
diff --git a/instrumentation/compare-transform-pass.so.cc b/instrumentation/compare-transform-pass.so.cc
index 496d69fc..36149f35 100644
--- a/instrumentation/compare-transform-pass.so.cc
+++ b/instrumentation/compare-transform-pass.so.cc
@@ -54,6 +54,12 @@
   #define nullptr 0
 #endif
 
+#if LLVM_MAJOR >= 19
+  #define STARTSWITH starts_with
+#else
+  #define STARTSWITH startswith
+#endif
+
 #include <set>
 #include "afl-llvm-common.h"
 
@@ -532,10 +538,10 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp,
     }
 
     if (!isSizedcmp) needs_null = true;
-    if (Callee->getName().startswith("g_") ||
-        Callee->getName().startswith("curl_") ||
-        Callee->getName().startswith("Curl_") ||
-        Callee->getName().startswith("xml"))
+    if (Callee->getName().STARTSWITH("g_") ||
+        Callee->getName().STARTSWITH("curl_") ||
+        Callee->getName().STARTSWITH("Curl_") ||
+        Callee->getName().STARTSWITH("xml"))
       nullCheck = true;
 
     Value *sizedValue = isSizedcmp ? callInst->getArgOperand(2) : NULL;
diff --git a/src/afl-cc.c b/src/afl-cc.c
index c872b2eb..7afab850 100644
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
@@ -2366,8 +2366,7 @@ static void add_aflpplib(aflcc_state_t *aflcc) {
     insert_param(aflcc, afllib);
 
 #ifdef __APPLE__
-    insert_param(aflcc, "-Wl,-undefined");
-    insert_param(aflcc, "dynamic_lookup");
+    insert_param(aflcc, "-Wl,-undefined,dynamic_lookup");
 #endif
 
   }
@@ -2844,7 +2843,7 @@ static void maybe_usage(aflcc_state_t *aflcc, int argc, char **argv) {
         "  The best is LTO but it often needs RANLIB and AR settings outside "
         "of afl-cc.\n\n");
 
-#if LLVM_MAJOR > 10 || (LLVM_MAJOR == 10 && LLVM_MINOR > 0)
+#if LLVM_MAJOR >= 11 || (LLVM_MAJOR == 10 && LLVM_MINOR > 0)
   #define NATIVE_MSG                                                   \
     "  LLVM-NATIVE:  use llvm's native PCGUARD instrumentation (less " \
     "performant)\n"
diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c
index 2318df60..784b377a 100644
--- a/src/afl-fuzz-queue.c
+++ b/src/afl-fuzz-queue.c
@@ -1301,7 +1301,8 @@ inline u8 *queue_testcase_get(afl_state_t *afl, struct queue_entry *q) {
     static u32 do_once = 0;  // because even threaded we would want this. WIP
 
     while (unlikely(
-        afl->q_testcase_cache_size + len >= afl->q_testcase_max_cache_size ||
+        (afl->q_testcase_cache_size + len >= afl->q_testcase_max_cache_size &&
+         afl->q_testcase_cache_count > 1) ||
         afl->q_testcase_cache_count >= afl->q_testcase_max_cache_entries - 1)) {
 
       /* We want a max number of entries to the cache that we learn.
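Review bot: The new `afl->q_testcase_cache_count > 1` clause changes what happens when a single entry is larger than `q_testcase_max_cache_size`: with at most one cached entry the eviction loop is now skipped, and if the insertion that follows (outside the hunk) proceeds unconditionally, `q_testcase_cache_size` can end up above the configured maximum. If that is the intent — tolerate one oversized testcase rather than evict the last entry and spin — a comment on the `while` would save the next reader the derivation, e.g. `/* never evict the last entry: a single oversized testcase may exceed the cache limit */`. queue_testcase_get continues outside this hunk.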
diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c
index ffe56cde..eafeebba 100644
--- a/src/afl-fuzz-stats.c
+++ b/src/afl-fuzz-stats.c
@@ -322,7 +322,8 @@ void write_stats_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg,
   if (getrusage(RUSAGE_CHILDREN, &rus)) { rus.ru_maxrss = 0; }
 #endif
   u64 runtime_ms = afl->prev_run_time + cur_time - afl->start_time;
-  u64 overhead_ms = (afl->calibration_time_us + afl->sync_time_us + afl->trim_time_us) / 1000;
+  u64 overhead_ms =
+      (afl->calibration_time_us + afl->sync_time_us + afl->trim_time_us) / 1000;
   if (!runtime_ms) { runtime_ms = 1; }
 
   fprintf(
@@ -632,7 +633,8 @@ void show_stats_normal(afl_state_t *afl) {
 
   if (afl->most_time_key && afl->queue_cycle) {
 
-    if (afl->most_time * 1000 + afl->sync_time_us / 1000 < cur_ms - afl->start_time) {
+    if (afl->most_time * 1000 + afl->sync_time_us / 1000 <
+        cur_ms - afl->start_time) {
 
       afl->most_time_key = 2;
       afl->stop_soon = 2;
@@ -1329,7 +1331,9 @@ void show_stats_normal(afl_state_t *afl) {
 
     sprintf(tmp, "disabled, ");
 
-  } else if (unlikely(!afl->bytes_trim_out)) {
+  } else if (unlikely(!afl->bytes_trim_out ||
+
+                      afl->bytes_trim_in <= afl->bytes_trim_out)) {
 
     sprintf(tmp, "n/a, ");
 
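Review bot: The added `afl->bytes_trim_in <= afl->bytes_trim_out` clause (and the parallel `afl->blocks_eff_select >= afl->blocks_eff_total` clause in the next hunk) reads as an arithmetic guard with no stated reason; presumably the percentage computed in the branch below would otherwise underflow on unsigned counters or divide by zero, but that branch is outside the hunk. A one-line comment would make the intent explicit, e.g. `/* trim-in must exceed trim-out for the saving percentage to be meaningful */`. The blank line left in the middle of the `||` expression, directly above each new clause, looks like a formatter artifact and is worth dropping in both hunks.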
@@ -1346,7 +1350,9 @@ void show_stats_normal(afl_state_t *afl) {
 
     strcat(tmp, "disabled");
 
-  } else if (unlikely(!afl->blocks_eff_total)) {
+  } else if (unlikely(!afl->blocks_eff_total ||
+
+                      afl->blocks_eff_select >= afl->blocks_eff_total)) {
 
     strcat(tmp, "n/a");
 
@@ -1462,7 +1468,8 @@ void show_stats_pizza(afl_state_t *afl) {
 
   if (afl->most_time_key && afl->queue_cycle) {
 
-    if (afl->most_time * 1000 + afl->sync_time_us / 1000 < cur_ms - afl->start_time) {
+    if (afl->most_time * 1000 + afl->sync_time_us / 1000 <
+        cur_ms - afl->start_time) {
 
       afl->most_time_key = 2;
       afl->stop_soon = 2;
@@ -2503,3 +2510,4 @@ void update_sync_time(afl_state_t *afl, u64 *time) {
   *time = cur;
 
 }
+