-rw-r--r--.github/workflows/ci.yml3
-rw-r--r--docs/Changelog.md2
-rw-r--r--docs/fuzzing_binary-only_targets.md8
-rw-r--r--instrumentation/afl-compiler-rt.o.c39
-rw-r--r--instrumentation/afl-llvm-common.h8
-rw-r--r--qemu_mode/QEMUAFL_VERSION2
m---------qemu_mode/qemuafl0
-rw-r--r--src/afl-fuzz-queue.c2
-rw-r--r--src/afl-fuzz-stats.c22
9 files changed, 53 insertions, 33 deletions
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 04cbaca8..a7601080 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -23,7 +23,8 @@ jobs:
       - name: debug
         run: apt-cache search plugin-dev | grep gcc-; echo; apt-cache search clang-format- | grep clang-format-
       - name: update
-        run: sudo apt-get update && sudo apt-get upgrade -y
+        run: sudo apt-get update
+        # && sudo apt-get upgrade -y
       - name: install packages
         run: sudo apt-get install -y -m -f --install-suggests build-essential git libtool libtool-bin automake bison libglib2.0-0 clang llvm-dev libc++-dev findutils libcmocka-dev python3-dev python3-setuptools ninja-build
       - name: compiler installed
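Review bot: The removed upgrade command survives as a trailing YAML comment on the new line `# && sudo apt-get upgrade -y`, which records what was taken out but not why, and such commented-out commands tend to be restored by the next editor. Either drop that line or replace it with the reason it was disabled, e.g. `# apt-get upgrade disabled: <reason>`. The rest of the `jobs:` block lies outside this hunk.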
diff --git a/docs/Changelog.md b/docs/Changelog.md
index 8f71fd83..f4fa4382 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -11,6 +11,8 @@
     - add CFI sanitizer variant to gcc targets
     - llvm 16 support (thanks to @devnexen!)
     - support llvm 15 native pcguard changes
+  - qemu_mode:
+    - fix _RANGES envs to allow hyphens in the filenames
   - new custom module: autotoken, grammar free fuzzer for text inputs
   - LTO autoken and llvm_mode: added AFL_LLVM_DICT2FILE_NO_MAIN support
   - better sanitizer default options support for all tools
diff --git a/docs/fuzzing_binary-only_targets.md b/docs/fuzzing_binary-only_targets.md
index 266920e6..9d9d6bb6 100644
--- a/docs/fuzzing_binary-only_targets.md
+++ b/docs/fuzzing_binary-only_targets.md
@@ -201,10 +201,10 @@ afl-clang-fast's.
 ### RetroWrite
 
 RetroWrite is a static binary rewriter that can be combined with AFL++. If you
-have an x86_64 binary that still has its symbols (i.e., not stripped binary), is
-compiled with position independent code (PIC/PIE), and does not contain C++
-exceptions, then the RetroWrite solution might be for you. It decompiles to ASM
-files which can then be instrumented with afl-gcc.
+have an x86_64 or arm64 binary that does not contain C++ exceptions and - if
+x86_64 - still has it's symbols and compiled with position independent code
+(PIC/PIE), then the RetroWrite solution might be for you.
+It decompiles to ASM files which can then be instrumented with afl-gcc.
 
 Binaries that are statically instrumented for fuzzing using RetroWrite are close
 in performance to compiler-instrumented binaries and outperform the QEMU-based
diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c
index 9871d7f4..94022a65 100644
--- a/instrumentation/afl-compiler-rt.o.c
+++ b/instrumentation/afl-compiler-rt.o.c
@@ -1539,12 +1539,16 @@ void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) {
   if (start == stop || *start) return;
 
   x = getenv("AFL_INST_RATIO");
-  if (x) { inst_ratio = (u32)atoi(x); }
+  if (x) {
 
-  if (!inst_ratio || inst_ratio > 100) {
+    inst_ratio = (u32)atoi(x);
 
-    fprintf(stderr, "[-] ERROR: Invalid AFL_INST_RATIO (must be 1-100).\n");
-    abort();
+    if (!inst_ratio || inst_ratio > 100) {
+
+      fprintf(stderr, "[-] ERROR: Invalid AFL_INST_RATIO (must be 1-100).\n");
+      abort();
+
+    }
 
   }
 
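Review bot: Moving the range check inside `if (x)` is fine, but `(u32)atoi(x)` still accepts trailing junk silently, so a typo such as `AFL_INST_RATIO=5O` is taken as 5 and passes the 1-100 check. Parsing with `errno = 0; char *end = NULL; unsigned long v = strtoul(x, &end, 10);` and rejecting when `end == x || *end != '\0' || v == 0 || v > 100` gives the same error for the cases the current code catches and also reports malformed input; a negative value is still rejected either way because it wraps above 100. The enclosing `__sanitizer_cov_trace_pc_guard_init` continues before and after this hunk.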
@@ -1568,10 +1572,16 @@ void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) {
 
       while (start < stop) {
 
-        if (likely(inst_ratio == 100) || R(100) < inst_ratio)
-          *start = offset;
-        else
-          *start = 0;  // write to map[0]
+        if (likely(inst_ratio == 100) || R(100) < inst_ratio) {
+
+          *(start++) = offset;
+
+        } else {
+
+          *(start++) = 0;  // write to map[0]
+
+        }
+
         if (unlikely(++offset >= __afl_final_loc)) { offset = 4; }
 
       }
@@ -1592,12 +1602,15 @@ void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) {
 
   while (start < stop) {
 
-    if (likely(inst_ratio == 100) || R(100) < inst_ratio)
-      *start = ++__afl_final_loc;
-    else
-      *start = 0;  // write to map[0]
+    if (likely(inst_ratio == 100) || R(100) < inst_ratio) {
+
+      *(start++) = ++__afl_final_loc;
 
-    start++;
+    } else {
+
+      *(start++) = 0;  // write to map[0]
+
+    }
 
   }
 
diff --git a/instrumentation/afl-llvm-common.h b/instrumentation/afl-llvm-common.h
index 0112c325..16a13da5 100644
--- a/instrumentation/afl-llvm-common.h
+++ b/instrumentation/afl-llvm-common.h
@@ -37,10 +37,10 @@ typedef long double max_align_t;
   #define MNAME M.getSourceFileName()
   #define FMNAME F.getParent()->getSourceFileName()
   #if LLVM_VERSION_MAJOR >= 16
-  // None becomes deprecated
-  // the standard std::nullopt_t is recommended instead
-  // from C++17 and onwards.
-  constexpr std::nullopt_t None = std::nullopt;
+// None becomes deprecated
+// the standard std::nullopt_t is recommended instead
+// from C++17 and onwards.
+constexpr std::nullopt_t None = std::nullopt;
   #endif
 #else
   #define MNAME std::string("")
diff --git a/qemu_mode/QEMUAFL_VERSION b/qemu_mode/QEMUAFL_VERSION
index 9c68f02c..39e41f79 100644
--- a/qemu_mode/QEMUAFL_VERSION
+++ b/qemu_mode/QEMUAFL_VERSION
@@ -1 +1 @@
-a8af9cbde7
+74c583b11a
diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl
-Subproject a8af9cbde71e333ce72a46f15e655d0b82ed093
+Subproject 74c583b11ac508b90660723da7ee9ff7ff77ee9
diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c
index 65446799..4eb55bb3 100644
--- a/src/afl-fuzz-queue.c
+++ b/src/afl-fuzz-queue.c
@@ -67,7 +67,7 @@ double compute_weight(afl_state_t *afl, struct queue_entry *q,
   if (likely(afl->schedule >= FAST && afl->schedule <= RARE)) {
 
     u32 hits = afl->n_fuzz[q->n_fuzz_entry];
-    if (likely(hits)) { weight *= (log10(hits) + 1); }
+    if (likely(hits)) { weight /= (log10(hits) + 1); }
 
   }
 
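Review bot: Flipping `*=` to `/=` on the `n_fuzz` line inverts how the schedule treats frequently-hit paths (the weight now shrinks as `hits` grows, where before it grew), and neither this hunk nor the Changelog hunk in the same commit records the rationale. A one-line comment above the statement would help the next reader, e.g. `/* penalise seeds whose path is hit often; rarer paths get a larger weight */` — please confirm that reading matches the intent. Since `hits` is a `u32` and the branch is only taken when it is non-zero, `log10(hits) + 1` is at least 1, so the division cannot be by zero. `compute_weight` begins before this hunk.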
diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c
index db4bf24e..65caf5ee 100644
--- a/src/afl-fuzz-stats.c
+++ b/src/afl-fuzz-stats.c
@@ -670,9 +670,14 @@ void show_stats_normal(afl_state_t *afl) {
 
   /* AFL_EXIT_ON_TIME. */
 
-  if (unlikely(afl->last_find_time && !afl->non_instrumented_mode &&
-               afl->afl_env.afl_exit_on_time &&
-               (cur_ms - afl->last_find_time) > afl->exit_on_time)) {
+  /* If no coverage was found yet, check whether run time is greater than
+   * exit_on_time. */
+
+  if (unlikely(!afl->non_instrumented_mode && afl->afl_env.afl_exit_on_time &&
+               ((afl->last_find_time &&
+                 (cur_ms - afl->last_find_time) > afl->exit_on_time) ||
+                (!afl->last_find_time &&
+                 (cur_ms - afl->start_time) > afl->exit_on_time)))) {
 
     afl->stop_soon = 2;
 
@@ -1471,12 +1476,11 @@ void show_stats_pizza(afl_state_t *afl) {
   /* If no coverage was found yet, check whether run time is greater than
    * exit_on_time. */
 
-  if (unlikely(
-          !afl->non_instrumented_mode && afl->afl_env.afl_exit_on_time &&
-          ((afl->last_find_time &&
-            (cur_ms - afl->last_find_time) > afl->exit_on_time) ||
-           (!afl->last_find_time && (afl->prev_run_time + cur_ms -
-                                     afl->start_time) > afl->exit_on_time)))) {
+  if (unlikely(!afl->non_instrumented_mode && afl->afl_env.afl_exit_on_time &&
+               ((afl->last_find_time &&
+                 (cur_ms - afl->last_find_time) > afl->exit_on_time) ||
+                (!afl->last_find_time &&
+                 (cur_ms - afl->start_time) > afl->exit_on_time)))) {
 
     afl->stop_soon = 2;