Diffstat (limited to 'include')
-rw-r--r--include/afl-fuzz.h30
-rw-r--r--include/config.h23
-rw-r--r--include/envs.h2
-rw-r--r--include/snapshot-inl.h68
4 files changed, 114 insertions, 9 deletions
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index c9f84c61..1c1be711 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -139,7 +139,8 @@ struct queue_entry {
       var_behavior,                     /* Variable behavior?               */
       favored,                          /* Currently favored?               */
       fs_redundant,                     /* Marked as redundant in the fs?   */
-      fully_colorized;                  /* Do not run redqueen stage again  */
+      fully_colorized,                  /* Do not run redqueen stage again  */
+      is_ascii;                         /* Is the input just ascii text?    */
 
   u32 bitmap_size,                      /* Number of bits set in bitmap     */
       fuzz_level;                       /* Number of fuzzing iterations     */
@@ -333,7 +334,7 @@ typedef struct afl_env_vars {
       afl_dumb_forksrv, afl_import_first, afl_custom_mutator_only, afl_no_ui,
       afl_force_ui, afl_i_dont_care_about_missing_crashes, afl_bench_just_one,
       afl_bench_until_crash, afl_debug_child_output, afl_autoresume,
-      afl_cal_fast;
+      afl_cal_fast, afl_cycle_schedules, afl_expand_havoc;
 
   u8 *afl_tmpdir, *afl_custom_mutator_library, *afl_python_module, *afl_path,
       *afl_hang_tmout, *afl_skip_crashes, *afl_preload;
@@ -347,6 +348,13 @@ struct afl_pass_stat {
 
 };
 
+struct foreign_sync {
+
+  u8 *   dir;
+  time_t ctime;
+
+};
+
 typedef struct afl_state {
 
   /* Position of this state in the global states list */
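Review bot: The new `struct foreign_sync` is the only aggregate in this header whose fields carry no trailing comment, and its `time_t` member is named `ctime`, the same identifier as the libc function declared in the `<time.h>` this type needs (legal, since members live in their own namespace, but easy to misread). I would document the two fields in the file's column-aligned style, e.g. `u8 *   dir;    /* Path of the foreign queue dir      */` and `time_t ctime;  /* Dir ctime at last sync (presumed) */`, confirming the exact meaning against `read_foreign_testcases`. Whether `<time.h>` is already included earlier in this header is not visible in the hunk.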
@@ -454,7 +462,9 @@ typedef struct afl_state {
       fixed_seed,                       /* do not reseed                    */
       fast_cal,                         /* Try to calibrate faster?         */
       disable_trim,                     /* Never trim in fuzz_one           */
-      shmem_testcase_mode;              /* If sharedmem testcases are used  */
+      shmem_testcase_mode,              /* If sharedmem testcases are used  */
+      expand_havoc,                /* perform expensive havoc after no find */
+      cycle_schedules;                  /* cycle power schedules ?          */
 
   u8 *virgin_bits,                      /* Regions yet untouched by fuzzing */
       *virgin_tmout,                    /* Bits we haven't seen in tmouts   */
@@ -546,6 +556,10 @@ typedef struct afl_state {
       *queue_top,                       /* Top of the list                  */
       *q_prev100;                       /* Previous 100 marker              */
 
+  // growing buf
+  struct queue_entry **queue_buf;
+  size_t               queue_size;
+
   struct queue_entry **top_rated;           /* Top entries for bitmap bytes */
 
   struct extra_data *extras;            /* Extra tokens to fuzz with        */
@@ -574,6 +588,15 @@ typedef struct afl_state {
   u8 describe_op_buf_256[256]; /* describe_op will use this to return a string
                                   up to 256 */
 
+  unsigned long long int last_avg_exec_update;
+  u32                    last_avg_execs;
+  float                  last_avg_execs_saved;
+
+/* foreign sync */
+#define FOREIGN_SYNCS_MAX 32
+  u8                  foreign_sync_cnt;
+  struct foreign_sync foreign_syncs[FOREIGN_SYNCS_MAX];
+
 #ifdef _AFL_DOCUMENT_MUTATIONS
   u8  do_document;
   u32 document_counter;
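Review bot: `#define FOREIGN_SYNCS_MAX 32` and the `/* foreign sync */` banner sit at column 0 in the middle of the `afl_state` struct body, separated from the other tunables that live in config.h; moving the define there (next to the limits the same commit adds) keeps the struct readable and the limits discoverable in one place. The three `last_avg_exec*` fields and the two foreign-sync fields are also the only members in this region without the trailing `/* ... */` comment every neighbouring field has, and `unsigned long long int` reads oddly next to the `u8`/`u32` typedefs used everywhere else (if the project's `u64` is in scope here, `u64 last_avg_exec_update;` would match). Note `foreign_sync_cnt` is a `u8`, which bounds the index into `foreign_syncs[FOREIGN_SYNCS_MAX]` only as long as the maximum stays below 256; a `_Static_assert(FOREIGN_SYNCS_MAX <= 255, "...")` next to the array would pin that.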
@@ -937,6 +960,7 @@ void   fix_up_banner(afl_state_t *, u8 *);
 void   check_if_tty(afl_state_t *);
 void   setup_signal_handlers(void);
 void   save_cmdline(afl_state_t *, u32, char **);
+void   read_foreign_testcases(afl_state_t *, int);
 
 /* CmpLog */
 
diff --git a/include/config.h b/include/config.h
index 4503c3e9..344a368f 100644
--- a/include/config.h
+++ b/include/config.h
@@ -401,5 +401,28 @@
 
 // #define IGNORE_FINDS
 
+/* Text mutations */
+
+/* Minimum length of a queue input to be evaluated for "is_ascii"? */
+
+#define AFL_TXT_MIN_LEN 12
+
+/* What is the minimum percentage of ascii characters present to be classifed
+   as "is_ascii"? */
+
+#define AFL_TXT_MIN_PERCENT 94
+
+/* How often to perform ASCII mutations 0 = disable, 1-8 are good values */
+
+#define AFL_TXT_BIAS 6
+
+/* Maximum length of a string to tamper with */
+
+#define AFL_TXT_STRING_MAX_LEN 1024
+
+/* Maximum mutations on a string */
+
+#define AFL_TXT_STRING_MAX_MUTATIONS 6
+
 #endif                                                  /* ! _HAVE_CONFIG_H */
 
diff --git a/include/envs.h b/include/envs.h
index 86222418..c1c7d387 100644
--- a/include/envs.h
+++ b/include/envs.h
@@ -34,6 +34,7 @@ static char *afl_environment_variables[] = {
     "AFL_CUSTOM_MUTATOR_LIBRARY",
     "AFL_CUSTOM_MUTATOR_ONLY",
     "AFL_CXX",
+    "AFL_CYCLE_SCHEDULES",
     "AFL_DEBUG",
     "AFL_DEBUG_CHILD_OUTPUT",
     "AFL_DEBUG_GDB",
@@ -129,6 +130,7 @@ static char *afl_environment_variables[] = {
     "AFL_USE_CFISAN",
     "AFL_WINE_PATH",
     "AFL_NO_SNAPSHOT",
+    "AFL_EXPAND_HAVOC_NOW",
     NULL
 
 };
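Review bot: `"AFL_EXPAND_HAVOC_NOW"` is appended at the tail after `"AFL_NO_SNAPSHOT"`, whereas the first hunk in this file placed `"AFL_CYCLE_SCHEDULES"` in alphabetical position between `AFL_CXX` and `AFL_DEBUG`; the list is otherwise alphabetical, and the tail is already out of order. Whether ordering affects lookups cannot be seen here, but for consistency the new name belongs in its sorted slot, i.e. after the existing `"AFL_..."` entry it follows alphabetically, so both new entries are found the same way.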
diff --git a/include/snapshot-inl.h b/include/snapshot-inl.h
index b73a001e..a75d69c0 100644
--- a/include/snapshot-inl.h
+++ b/include/snapshot-inl.h
@@ -25,8 +25,7 @@
 // From AFL-Snapshot-LKM/include/afl_snapshot.h (must be kept synced)
 
 #include <sys/ioctl.h>
-#include <sys/types.h>
-#include <sys/stat.h>
+#include <stdlib.h>
 #include <fcntl.h>
 
 #define AFL_SNAPSHOT_FILE_NAME "/dev/afl_snapshot"
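Review bot: `<stdlib.h>` is added here but nothing in the visible header uses a stdlib symbol, while `<sys/types.h>` and `<sys/stat.h>` are dropped even though `afl_snapshot_init` (later in the file) calls `open()`, which pre-2008 POSIX and most manual pages document as requiring all three headers; on current glibc `<fcntl.h>` alone suffices, so this is a portability point rather than a build break. The line above states this block "must be kept synced" with the AFL-Snapshot-LKM header, so if the include set was changed to match that file, a one-line comment saying so would stop the next reviewer from re-adding them.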
@@ -35,25 +34,82 @@
 
 #define AFL_SNAPSHOT_IOCTL_DO _IO(AFL_SNAPSHOT_IOCTL_MAGIC, 1)
 #define AFL_SNAPSHOT_IOCTL_CLEAN _IO(AFL_SNAPSHOT_IOCTL_MAGIC, 2)
+#define AFL_SNAPSHOT_EXCLUDE_VMRANGE \
+  _IOR(AFL_SNAPSHOT_IOCTL_MAGIC, 3, struct afl_snapshot_vmrange_args *)
+#define AFL_SNAPSHOT_INCLUDE_VMRANGE \
+  _IOR(AFL_SNAPSHOT_IOCTL_MAGIC, 4, struct afl_snapshot_vmrange_args *)
+#define AFL_SNAPSHOT_IOCTL_TAKE _IOR(AFL_SNAPSHOT_IOCTL_MAGIC, 5, int)
+#define AFL_SNAPSHOT_IOCTL_RESTORE _IO(AFL_SNAPSHOT_IOCTL_MAGIC, 6)
+
+// Trace new mmaped ares and unmap them on restore.
+#define AFL_SNAPSHOT_MMAP 1
+// Do not snapshot any page (by default all writeable not-shared pages
+// are shanpshotted.
+#define AFL_SNAPSHOT_BLOCK 2
+// Snapshot file descriptor state, close newly opened descriptors
+#define AFL_SNAPSHOT_FDS 4
+// Snapshot registers state
+#define AFL_SNAPSHOT_REGS 8
+// Perform a restore when exit_group is invoked
+#define AFL_SNAPSHOT_EXIT 16
+// TODO(andrea) allow not COW snapshots (high perf on small processes)
+// Disable COW, restore all the snapshotted pages
+#define AFL_SNAPSHOT_NOCOW 32
+// Do not snapshot Stack pages
+#define AFL_SNAPSHOT_NOSTACK 64
+
+struct afl_snapshot_vmrange_args {
+
+  unsigned long start, end;
+
+};
 
 static int afl_snapshot_dev_fd;
 
-static int afl_snapshot_init(void) {
+static int afl_snapshot_init() {
 
   afl_snapshot_dev_fd = open(AFL_SNAPSHOT_FILE_NAME, 0);
   return afl_snapshot_dev_fd;
 
 }
 
-static int afl_snapshot_do() {
+static void afl_snapshot_exclude_vmrange(void *start, void *end) {
+
+  struct afl_snapshot_vmrange_args args = {(unsigned long)start,
+                                           (unsigned long)end};
+  ioctl(afl_snapshot_dev_fd, AFL_SNAPSHOT_EXCLUDE_VMRANGE, &args);
+
+}
+
+static void afl_snapshot_include_vmrange(void *start, void *end) {
+
+  struct afl_snapshot_vmrange_args args = {(unsigned long)start,
+                                           (unsigned long)end};
+  ioctl(afl_snapshot_dev_fd, AFL_SNAPSHOT_INCLUDE_VMRANGE, &args);
+
+}
+
+static int afl_snapshot_take(int config) {
+
+  return ioctl(afl_snapshot_dev_fd, AFL_SNAPSHOT_IOCTL_TAKE, config);
+
+}
+
+static int afl_snapshot_do(void) {
 
   return ioctl(afl_snapshot_dev_fd, AFL_SNAPSHOT_IOCTL_DO);
 
 }
 
-static int afl_snapshot_clean(void) {
+static void afl_snapshot_restore(void) {
+
+  ioctl(afl_snapshot_dev_fd, AFL_SNAPSHOT_IOCTL_RESTORE);
+
+}
+
+static void afl_snapshot_clean(void) {
 
-  return ioctl(afl_snapshot_dev_fd, AFL_SNAPSHOT_IOCTL_CLEAN);
+  ioctl(afl_snapshot_dev_fd, AFL_SNAPSHOT_IOCTL_CLEAN);
 
 }