Diffstat (limited to 'include')
-rw-r--r--include/afl-fuzz.h8
-rw-r--r--include/android-ashmem.h25
-rw-r--r--include/config.h16
-rw-r--r--include/envs.h11
-rw-r--r--include/forkserver.h13
5 files changed, 57 insertions, 16 deletions
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index 565e9afd..f201782a 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -384,13 +384,15 @@ typedef struct afl_env_vars {
afl_dumb_forksrv, afl_import_first, afl_custom_mutator_only, afl_no_ui,
afl_force_ui, afl_i_dont_care_about_missing_crashes, afl_bench_just_one,
afl_bench_until_crash, afl_debug_child, afl_autoresume, afl_cal_fast,
- afl_cycle_schedules, afl_expand_havoc, afl_statsd, afl_cmplog_only_new;
+ afl_cycle_schedules, afl_expand_havoc, afl_statsd, afl_cmplog_only_new,
+ afl_exit_on_seed_issues;
u8 *afl_tmpdir, *afl_custom_mutator_library, *afl_python_module, *afl_path,
*afl_hang_tmout, *afl_forksrv_init_tmout, *afl_skip_crashes, *afl_preload,
*afl_max_det_extras, *afl_statsd_host, *afl_statsd_port,
*afl_crash_exitcode, *afl_statsd_tags_flavor, *afl_testcache_size,
- *afl_testcache_entries, *afl_kill_signal, *afl_target_env;
+ *afl_testcache_entries, *afl_kill_signal, *afl_target_env,
+ *afl_persistent_record;
} afl_env_vars_t;
@@ -482,7 +484,6 @@ typedef struct afl_state {
no_unlink, /* do not unlink cur_input */
debug, /* Debug mode */
custom_only, /* Custom mutator only mode */
- python_only, /* Python-only mode */
is_main_node, /* if this is the main node */
is_secondary_node; /* if this is a secondary instance */
@@ -571,6 +572,7 @@ typedef struct afl_state {
blocks_eff_select, /* Blocks selected as fuzzable */
start_time, /* Unix start time (ms) */
last_sync_time, /* Time of last sync */
+ last_sync_cycle, /* Cycle no. of the last sync */
last_path_time, /* Time for most recent path (ms) */
last_crash_time, /* Time for most recent crash (ms) */
last_hang_time; /* Time for most recent hang (ms) */
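Review bot: `afl_persistent_record` is added to the environment struct unconditionally, while the storage that consumes it in include/forkserver.h is compiled in only under `AFL_PERSISTENT_RECORD`, which include/config.h leaves commented out by default; if the code that fills this struct does not warn when the variable is set in a build without the feature, the user gets a silent no-op, which is worth confirming. A short comment on the new member, e.g. `*afl_persistent_record; /* AFL_PERSISTENT_RECORD, only honoured when compiled in */`, would record that dependency next to the field. Both `afl_env_vars` and `afl_state` continue outside their hunks.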
diff --git a/include/android-ashmem.h b/include/android-ashmem.h
index 91699b27..1bfd3220 100644
--- a/include/android-ashmem.h
+++ b/include/android-ashmem.h
@@ -2,26 +2,27 @@
#ifndef _ANDROID_ASHMEM_H
#define _ANDROID_ASHMEM_H
+ #define _GNU_SOURCE
+ #include <sys/syscall.h>
+ #include <unistd.h>
#include <fcntl.h>
#include <linux/ashmem.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
-
- #if __ANDROID_API__ >= 26
- #define shmat bionic_shmat
- #define shmctl bionic_shmctl
- #define shmdt bionic_shmdt
- #define shmget bionic_shmget
- #endif
#include <sys/shm.h>
- #undef shmat
- #undef shmctl
- #undef shmdt
- #undef shmget
#include <stdio.h>
-
#define ASHMEM_DEVICE "/dev/ashmem"
+int shmdt(const void *address) {
+
+ #if defined(SYS_shmdt)
+ return syscall(SYS_shmdt, address);
+ #else
+ return syscall(SYS_ipc, SHMDT, 0, 0, 0, address, 0);
+ #endif
+
+}
+
int shmctl(int __shmid, int __cmd, struct shmid_ds *__buf) {
int ret = 0;
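Review bot: The new `shmdt` is defined with external linkage in a header, so every translation unit that includes android-ashmem.h emits its own copy and linking two of them together fails with a duplicate symbol; `static inline int shmdt(const void *address) {` avoids that (the existing `shmctl` below has the same shape, but this hunk is the one adding a definition). `#define _GNU_SOURCE` is also unguarded, which warns when the build already passes `-D_GNU_SOURCE` and only affects headers included after it, so wrap it as `#ifndef _GNU_SOURCE` / `#define _GNU_SOURCE` / `#endif`. In the `SYS_ipc` fallback, `SHMDT` is not provided by any header this hunk includes; presumably it arrives transitively through `<sys/shm.h>`, but that should be confirmed on the Android API levels being targeted. The body of `shmctl` continues past the end of the hunk.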
diff --git a/include/config.h b/include/config.h
index c93a6d51..aa24ea6c 100644
--- a/include/config.h
+++ b/include/config.h
@@ -26,7 +26,7 @@
/* Version string: */
// c = release, a = volatile github dev, e = experimental branch
-#define VERSION "++3.12c"
+#define VERSION "++3.13a"
/******************************************************
* *
@@ -71,7 +71,17 @@
/* Maximum allowed fails per CMP value. Default: 128 */
#define CMPLOG_FAIL_MAX 96
+/* -------------------------------------*/
/* Now non-cmplog configuration options */
+/* -------------------------------------*/
+
+/* If a persistent target keeps state and found crashes are not reproducable
+ then enable this option and set the AFL_PERSISTENT_RECORD env variable
+ to a number. These number of testcases prior and including the crash case
+ will be kept and written to the crash/ directory as RECORD:... files.
+ Note that every crash will be written, not only unique ones! */
+
+//#define AFL_PERSISTENT_RECORD
/* console output colors: There are three ways to configure its behavior
* 1. default: colored outputs fixed on: defined USE_COLOR && defined
@@ -396,6 +406,10 @@
#define MSAN_ERROR 86
+/* Distinctive exit code used to indicate LSAN trip condition: */
+
+#define LSAN_ERROR 23
+
/* Designated file descriptors for forkserver commands (the application will
use FORKSRV_FD and FORKSRV_FD + 1): */
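Review bot: `LSAN_ERROR 23` is described as a distinctive exit code, but 23 is also the value LeakSanitizer exits with by default, so a target that legitimately exits with status 23 would be classified as a leak; a comment stating whether the runtime is expected to be run with `exitcode=23` in LSAN_OPTIONS or the default is simply relied upon would make the detection contract explicit for whoever compares against this value. In the AFL_PERSISTENT_RECORD comment, `reproducable` should read `reproducible`, and `These number of testcases prior and including the crash case` reads more clearly as `That number of test cases, up to and including the crashing one,`. The comment could also say that setting the environment variable appears to do nothing unless the `#define AFL_PERSISTENT_RECORD` line below it is uncommented at build time, since include/forkserver.h only compiles the record storage under that macro.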
diff --git a/include/envs.h b/include/envs.h
index d7578045..ebe98257 100644
--- a/include/envs.h
+++ b/include/envs.h
@@ -26,6 +26,7 @@ static char *afl_environment_variables[] = {
"AFL_BENCH_UNTIL_CRASH",
"AFL_CAL_FAST",
"AFL_CC",
+ "AFL_CC_COMPILER",
"AFL_CMIN_ALLOW_ANY",
"AFL_CMIN_CRASHES_ONLY",
"AFL_CMPLOG_ONLY_NEW",
@@ -48,8 +49,16 @@ static char *afl_environment_variables[] = {
"AFL_DUMB_FORKSRV",
"AFL_ENTRYPOINT",
"AFL_EXIT_WHEN_DONE",
+ "AFL_EXIT_ON_SEED_ISSUES",
"AFL_FAST_CAL",
"AFL_FORCE_UI",
+ "AFL_FRIDA_DEBUG_MAPS",
+ "AFL_FRIDA_EXCLUDE_RANGES",
+ "AFL_FRIDA_INST_NO_OPTIMIZE",
+ "AFL_FRIDA_INST_NO_PREFETCH",
+ "AFL_FRIDA_INST_RANGES",
+ "AFL_FRIDA_INST_STRICT",
+ "AFL_FRIDA_INST_TRACE",
"AFL_FUZZER_ARGS", // oss-fuzz
"AFL_GDB",
"AFL_GCC_ALLOWLIST",
@@ -130,6 +139,7 @@ static char *afl_environment_variables[] = {
"AFL_PASSTHROUGH",
"AFL_PATH",
"AFL_PERFORMANCE_FILE",
+ "AFL_PERSISTENT_RECORD",
"AFL_PRELOAD",
"AFL_TARGET_ENV",
"AFL_PYTHON_MODULE",
@@ -173,6 +183,7 @@ static char *afl_environment_variables[] = {
"AFL_USE_TRACE_PC",
"AFL_USE_UBSAN",
"AFL_USE_CFISAN",
+ "AFL_USE_LSAN",
"AFL_WINE_PATH",
"AFL_NO_SNAPSHOT",
"AFL_EXPAND_HAVOC_NOW",
diff --git a/include/forkserver.h b/include/forkserver.h
index ac027f81..48db94c7 100644
--- a/include/forkserver.h
+++ b/include/forkserver.h
@@ -77,6 +77,8 @@ typedef struct afl_forkserver {
bool qemu_mode; /* if running in qemu mode or not */
+ bool frida_mode; /* if running in frida mode or not */
+
bool use_stdin; /* use stdin for sending data */
bool no_unlink; /* do not unlink cur_input */
@@ -94,6 +96,17 @@ typedef struct afl_forkserver {
char *cmplog_binary; /* the name of the cmplog binary */
+ /* persistent mode replay functionality */
+ u32 persistent_record; /* persistent replay setting */
+#ifdef AFL_PERSISTENT_RECORD
+ u32 persistent_record_idx; /* persistent replay cache ptr */
+ u32 persistent_record_cnt; /* persistent replay counter */
+ u8 * persistent_record_dir;
+ u8 **persistent_record_data;
+ u32 *persistent_record_len;
+ s32 persistent_record_pid;
+#endif
+
/* Function to kick off the forkserver child */
void (*init_child_func)(struct afl_forkserver *fsrv, char **argv);
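Review bot: Four of the new fields (`persistent_record_dir`, `persistent_record_data`, `persistent_record_len`, `persistent_record_pid`) carry no trailing comment, unlike every neighbouring field in this struct. From `_idx` and `_cnt` they look like a ring of the most recent `persistent_record` inputs with a parallel length array, but the comments should state that, the unit of `_len`, and who allocates and frees the `_data` entries and the `_dir` string; something like `u8 **persistent_record_data; /* ring of the last N inputs; owned by fsrv */` once the ownership is confirmed. Keeping `persistent_record` outside the `#ifdef` while its companions are inside means the setting can be parsed in builds without the feature; a one-line comment saying that is intentional would stop a reader from moving it inside. `struct afl_forkserver` continues past the end of the hunk.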