diff options
Diffstat (limited to 'instrumentation')
| -rw-r--r-- | instrumentation/LLVMInsTrim.so.cc | 4 | ||||
| -rw-r--r-- | instrumentation/README.gcc_plugin.md | 2 | ||||
| -rw-r--r-- | instrumentation/README.lto.md | 33 | ||||
| -rw-r--r-- | instrumentation/README.persistent_mode.md | 45 | ||||
| -rw-r--r-- | instrumentation/SanitizerCoveragePCGUARD.so.cc | 18 | ||||
| -rw-r--r-- | instrumentation/afl-compiler-rt.o.c | 57 | ||||
| -rw-r--r-- | instrumentation/afl-gcc-pass.so.cc | 36 | ||||
| -rw-r--r-- | instrumentation/afl-llvm-common.cc | 34 | ||||
| -rw-r--r-- | instrumentation/afl-llvm-lto-instrumentlist.so.cc | 9 | ||||
| -rw-r--r-- | instrumentation/split-compares-pass.so.cc | 15 |
10 files changed, 141 insertions, 112 deletions
diff --git a/instrumentation/LLVMInsTrim.so.cc b/instrumentation/LLVMInsTrim.so.cc index 61a420ba..6b3231e6 100644 --- a/instrumentation/LLVMInsTrim.so.cc +++ b/instrumentation/LLVMInsTrim.so.cc @@ -268,8 +268,8 @@ struct InsTrim : public ModulePass { for (auto &BB : F) if (BB.size() > 0) ++bb_cnt; - SAYF(cMGN "[D] " cRST "Function %s size %zu %u\n", - F.getName().str().c_str(), F.size(), bb_cnt); + DEBUGF("Function %s size %zu %u\n", F.getName().str().c_str(), F.size(), + bb_cnt); } diff --git a/instrumentation/README.gcc_plugin.md b/instrumentation/README.gcc_plugin.md index 919801d1..12449efd 100644 --- a/instrumentation/README.gcc_plugin.md +++ b/instrumentation/README.gcc_plugin.md @@ -147,7 +147,7 @@ The numerical value specified within the loop controls the maximum number of iterations before AFL will restart the process from scratch. This minimizes the impact of memory leaks and similar glitches; 1000 is a good starting point. -A more detailed template is shown in ../examples/persistent_demo/. +A more detailed template is shown in ../utils/persistent_mode/. Similarly to the previous mode, the feature works only with afl-gcc-fast or afl-clang-fast; #ifdef guards can be used to suppress it when using other compilers. diff --git a/instrumentation/README.lto.md b/instrumentation/README.lto.md index abdbd2ac..a2814173 100644 --- a/instrumentation/README.lto.md +++ b/instrumentation/README.lto.md @@ -60,7 +60,12 @@ AUTODICTIONARY: 11 strings found ## Getting llvm 11+ -### Installing llvm from the llvm repository (version 11) +### Installing llvm version 11 + +llvm 11 should be available in all current Linux repositories. +If you use an outdated Linux distribution read the next section. + +### Installing llvm from the llvm repository (version 12) Installing the llvm snapshot builds is easy and mostly painless: @@ -73,11 +78,11 @@ then add the pgp key of llvm and install the packages: ``` wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add - apt-get update && apt-get upgrade -y -apt-get install -y clang-11 clang-tools-11 libc++1-11 libc++-11-dev \ - libc++abi1-11 libc++abi-11-dev libclang1-11 libclang-11-dev \ - libclang-common-11-dev libclang-cpp11 libclang-cpp11-dev liblld-11 \ - liblld-11-dev liblldb-11 liblldb-11-dev libllvm11 libomp-11-dev \ - libomp5-11 lld-11 lldb-11 llvm-11 llvm-11-dev llvm-11-runtime llvm-11-tools +apt-get install -y clang-12 clang-tools-12 libc++1-12 libc++-12-dev \ + libc++abi1-12 libc++abi-12-dev libclang1-12 libclang-12-dev \ + libclang-common-12-dev libclang-cpp12 libclang-cpp12-dev liblld-12 \ + liblld-12-dev liblldb-12 liblldb-12-dev libllvm12 libomp-12-dev \ + libomp5-12 lld-12 lldb-12 llvm-12 llvm-12-dev llvm-12-runtime llvm-12-tools ``` ### Building llvm yourself (version 12) @@ -120,16 +125,22 @@ While compiling, a dictionary based on string comparisons is automatically generated and put into the target binary. This dictionary is transfered to afl-fuzz on start. This improves coverage statistically by 5-10% :) +Note that if for any reason you do not want to use the autodictionary feature +then just set the environment variable `AFL_NO_AUTODICT` when starting afl-fuzz. + ## Fixed memory map -To speed up fuzzing, it is possible to set a fixed shared memory map. +To speed up fuzzing a little bit more, it is possible to set a fixed shared +memory map. Recommended is the value 0x10000. + In most cases this will work without any problems. However if a target uses early constructors, ifuncs or a deferred forkserver this can crash the target. -On unusual operating systems/processors/kernels or weird libraries this might -fail so to change the fixed address at compile time set -AFL_LLVM_MAP_ADDR with a better value (a value of 0 or empty sets the map address -to be dynamic - the original afl way, which is slower). + +Also on unusual operating systems/processors/kernels or weird libraries the +recommended 0x10000 address might not work, so then change the fixed address. + +To enable this feature set AFL_LLVM_MAP_ADDR with the address. ## Document edge IDs diff --git a/instrumentation/README.persistent_mode.md b/instrumentation/README.persistent_mode.md index e095f036..2cf76adf 100644 --- a/instrumentation/README.persistent_mode.md +++ b/instrumentation/README.persistent_mode.md @@ -11,7 +11,7 @@ and that its state can be resetted so that multiple calls can be performed without resource leaks and former runs having no impact on following runs (this can be seen by the `stability` indicator in the `afl-fuzz` UI). -Examples can be found in [examples/persistent_mode](../examples/persistent_mode). +Examples can be found in [utils/persistent_mode](../utils/persistent_mode). ## 2) TLDR; @@ -23,15 +23,20 @@ __AFL_FUZZ_INIT(); main() { + // anything else here, eg. command line arguments, initialization, etc. + #ifdef __AFL_HAVE_MANUAL_CONTROL __AFL_INIT(); #endif unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF; // must be after __AFL_INIT + // and before __AFL_LOOP! while (__AFL_LOOP(10000)) { - int len = __AFL_FUZZ_TESTCASE_LEN; + int len = __AFL_FUZZ_TESTCASE_LEN; // don't use the macro directly in a + // call! + if (len < 8) continue; // check for a required/useful minimum input length /* Setup function call, e.g. struct target *tmp = libtarget_init() */ @@ -110,37 +115,13 @@ With the location selected, add this code in the appropriate spot: ``` You don't need the #ifdef guards, but including them ensures that the program -will keep working normally when compiled with a tool other than afl-clang-fast. - -Finally, recompile the program with afl-clang-fast/lto (afl-gcc or afl-clang will -*not* generate a deferred-initialization binary) - and you should be all set! +will keep working normally when compiled with a tool other than afl-clang-fast/ +afl-clang-lto/afl-gcc-fast. -*NOTE:* In the code between `main` and `__AFL_INIT()` should not be any code -run that is instrumented - otherwise a crash might occure. -In case this is useful (e.g. for expensive one time initialization) you can -try to do the following: +Finally, recompile the program with afl-clang-fast/afl-clang-lto/afl-gcc-fast +(afl-gcc or afl-clang will *not* generate a deferred-initialization binary) - +and you should be all set! -Add after the includes: -``` -extern unsigned char *__afl_area_ptr; -#define MAX_DUMMY_SIZE 256000 - -__attribute__((constructor(1))) void __afl_protect(void) { -#ifdef MAP_FIXED_NOREPLACE - __afl_area_ptr = (unsigned char*) mmap((void *)0x10000, MAX_DUMMY_SIZE, PROT_READ | PROT_WRITE, MAP_FIXED_NOREPLACE | MAP_SHARED | MAP_ANONYMOUS, -1, 0); - if ((uint64_t)__afl_area_ptr == -1) -#endif - __afl_area_ptr = (unsigned char*) mmap((void *)0x10000, MAX_DUMMY_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0); - if ((uint64_t)__afl_area_ptr == -1) - __afl_area_ptr = (unsigned char*) mmap(NULL, MAX_DUMMY_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0); -} - -``` -and just before `__AFL_INIT()`: -``` - munmap(__afl_area_ptr, MAX_DUMMY_SIZE); - __afl_area_ptr = NULL; -``` ## 4) Persistent mode @@ -169,7 +150,7 @@ the impact of memory leaks and similar glitches; 1000 is a good starting point, and going much higher increases the likelihood of hiccups without giving you any real performance benefits. -A more detailed template is shown in ../examples/persistent_demo/. +A more detailed template is shown in ../utils/persistent_mode/. Similarly to the previous mode, the feature works only with afl-clang-fast; #ifdef guards can be used to suppress it when using other compilers. diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc index b3c55108..102b44a4 100644 --- a/instrumentation/SanitizerCoveragePCGUARD.so.cc +++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc @@ -544,7 +544,9 @@ bool ModuleSanitizerCoverage::instrumentModule( be_quiet = 1; skip_nozero = getenv("AFL_LLVM_SKIP_NEVERZERO"); - // scanForDangerousFunctions(&M); + + initInstrumentList(); + scanForDangerousFunctions(&M); if (debug) { @@ -819,6 +821,8 @@ void ModuleSanitizerCoverage::instrumentFunction( Function &F, DomTreeCallback DTCallback, PostDomTreeCallback PDTCallback) { if (F.empty()) return; + if (!isInInstrumentList(&F)) return; + if (F.getName().find(".module_ctor") != std::string::npos) return; // Should not instrument sanitizer init functions. if (F.getName().startswith("__sanitizer_")) @@ -1123,11 +1127,11 @@ void ModuleSanitizerCoverage::InjectTraceForCmp( Value * A1 = ICMP->getOperand(1); if (!A0->getType()->isIntegerTy()) continue; uint64_t TypeSize = DL->getTypeStoreSizeInBits(A0->getType()); - int CallbackIdx = - TypeSize == 8 - ? 0 - : TypeSize == 16 ? 1 - : TypeSize == 32 ? 2 : TypeSize == 64 ? 3 : -1; + int CallbackIdx = TypeSize == 8 ? 0 + : TypeSize == 16 ? 1 + : TypeSize == 32 ? 2 + : TypeSize == 64 ? 3 + : -1; if (CallbackIdx < 0) continue; // __sanitizer_cov_trace_cmp((type_size << 32) | predicate, A0, A1); auto CallbackFunc = SanCovTraceCmpFunction[CallbackIdx]; @@ -1315,6 +1319,7 @@ std::string ModuleSanitizerCoverage::getSectionEnd( } char ModuleSanitizerCoverageLegacyPass::ID = 0; + INITIALIZE_PASS_BEGIN(ModuleSanitizerCoverageLegacyPass, "sancov", "Pass for instrumenting coverage on functions", false, false) @@ -1323,6 +1328,7 @@ INITIALIZE_PASS_DEPENDENCY(PostDominatorTreeWrapperPass) INITIALIZE_PASS_END(ModuleSanitizerCoverageLegacyPass, "sancov", "Pass for instrumenting coverage on functions", false, false) + ModulePass *llvm::createModuleSanitizerCoverageLegacyPassPass( const SanitizerCoverageOptions &Options, const std::vector<std::string> &AllowlistFiles, diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c index 864f5bb6..32e4da85 100644 --- a/instrumentation/afl-compiler-rt.o.c +++ b/instrumentation/afl-compiler-rt.o.c @@ -101,6 +101,11 @@ int __afl_sharedmem_fuzzing __attribute__((weak)); struct cmp_map *__afl_cmp_map; +/* Child pid? */ + +static s32 child_pid; +static void (*old_sigterm_handler)(int) = 0; + /* Running in persistent mode? */ static u8 is_persistent; @@ -109,6 +114,14 @@ static u8 is_persistent; static u8 _is_sancov; +/* ensure we kill the child on termination */ + +void at_exit(int signal) { + + if (child_pid > 0) { kill(child_pid, SIGKILL); } + +} + /* Uninspired gcc plugin instrumentation */ void __afl_trace(const u32 x) { @@ -150,6 +163,12 @@ static void __afl_map_shm_fuzz() { char *id_str = getenv(SHM_FUZZ_ENV_VAR); + if (getenv("AFL_DEBUG")) { + + fprintf(stderr, "DEBUG: fuzzcase shmem %s\n", id_str ? id_str : "none"); + + } + if (id_str) { u8 *map = NULL; @@ -182,7 +201,8 @@ static void __afl_map_shm_fuzz() { if (!map || map == (void *)-1) { - perror("Could not access fuzzign shared memory"); + perror("Could not access fuzzing shared memory"); + send_forkserver_error(FS_ERROR_SHM_OPEN); exit(1); } @@ -199,6 +219,7 @@ static void __afl_map_shm_fuzz() { } else { fprintf(stderr, "Error: variable for fuzzing shared memory is not set\n"); + send_forkserver_error(FS_ERROR_SHM_OPEN); exit(1); } @@ -322,6 +343,8 @@ static void __afl_map_shm(void) { send_forkserver_error(FS_ERROR_MAP_ADDR); else send_forkserver_error(FS_ERROR_MMAP); + perror("mmap for map"); + exit(2); } @@ -332,20 +355,22 @@ static void __afl_map_shm(void) { __afl_area_ptr = shmat(shm_id, (void *)__afl_map_addr, 0); -#endif - /* Whooooops. */ - if (__afl_area_ptr == (void *)-1) { + if (!__afl_area_ptr || __afl_area_ptr == (void *)-1) { if (__afl_map_addr) send_forkserver_error(FS_ERROR_MAP_ADDR); else send_forkserver_error(FS_ERROR_SHMAT); + + perror("shmat for map"); _exit(1); } +#endif + /* Write something into the bitmap so that even with low AFL_INST_RATIO, our parent doesn't give up on us. */ @@ -363,6 +388,7 @@ static void __afl_map_shm(void) { fprintf(stderr, "can not acquire mmap for address %p\n", (void *)__afl_map_addr); + send_forkserver_error(FS_ERROR_SHM_OPEN); exit(1); } @@ -397,7 +423,8 @@ static void __afl_map_shm(void) { shm_fd = shm_open(shm_file_path, O_RDWR, 0600); if (shm_fd == -1) { - fprintf(stderr, "shm_open() failed\n"); + perror("shm_open() failed\n"); + send_forkserver_error(FS_ERROR_SHM_OPEN); exit(1); } @@ -411,6 +438,7 @@ static void __afl_map_shm(void) { shm_fd = -1; fprintf(stderr, "mmap() failed\n"); + send_forkserver_error(FS_ERROR_SHM_OPEN); exit(2); } @@ -422,7 +450,13 @@ static void __afl_map_shm(void) { __afl_cmp_map = shmat(shm_id, NULL, 0); #endif - if (__afl_cmp_map == (void *)-1) _exit(1); + if (!__afl_cmp_map || __afl_cmp_map == (void *)-1) { + + perror("shmat for cmplog"); + send_forkserver_error(FS_ERROR_SHM_OPEN); + _exit(1); + + } } @@ -432,7 +466,6 @@ static void __afl_map_shm(void) { static void __afl_start_snapshots(void) { static u8 tmp[4] = {0, 0, 0, 0}; - s32 child_pid; u32 status = 0; u32 already_read_first = 0; u32 was_killed; @@ -579,6 +612,7 @@ static void __afl_start_snapshots(void) { //(void)nice(-20); // does not seem to improve signal(SIGCHLD, old_sigchld_handler); + signal(SIGTERM, old_sigterm_handler); close(FORKSRV_FD); close(FORKSRV_FD + 1); @@ -633,6 +667,11 @@ static void __afl_start_snapshots(void) { static void __afl_start_forkserver(void) { + struct sigaction orig_action; + sigaction(SIGTERM, NULL, &orig_action); + old_sigterm_handler = orig_action.sa_handler; + signal(SIGTERM, at_exit); + #ifdef __linux__ if (/*!is_persistent &&*/ !__afl_cmp_map && !getenv("AFL_NO_SNAPSHOT") && afl_snapshot_init() >= 0) { @@ -645,7 +684,6 @@ static void __afl_start_forkserver(void) { #endif u8 tmp[4] = {0, 0, 0, 0}; - s32 child_pid; u32 status = 0; u32 already_read_first = 0; u32 was_killed; @@ -793,6 +831,7 @@ static void __afl_start_forkserver(void) { //(void)nice(-20); signal(SIGCHLD, old_sigchld_handler); + signal(SIGTERM, old_sigterm_handler); close(FORKSRV_FD); close(FORKSRV_FD + 1); @@ -992,7 +1031,7 @@ void __sanitizer_cov_trace_pc_guard(uint32_t *guard) { // For stability analysis, if you want to know to which function unstable // edge IDs belong - uncomment, recompile+install llvm_mode, recompile // the target. libunwind and libbacktrace are better solutions. - // Set AFL_DEBUG_CHILD_OUTPUT=1 and run afl-fuzz with 2>file to capture + // Set AFL_DEBUG_CHILD=1 and run afl-fuzz with 2>file to capture // the backtrace output /* uint32_t unstable[] = { ... unstable edge IDs }; diff --git a/instrumentation/afl-gcc-pass.so.cc b/instrumentation/afl-gcc-pass.so.cc index f94bb57f..e116e7d1 100644 --- a/instrumentation/afl-gcc-pass.so.cc +++ b/instrumentation/afl-gcc-pass.so.cc @@ -627,9 +627,8 @@ struct afl_pass : gimple_opt_pass { } if (debug) - SAYF(cMGN "[D] " cRST - "loaded allowlist with %zu file and %zu function entries\n", - allowListFiles.size(), allowListFunctions.size()); + DEBUGF("loaded allowlist with %zu file and %zu function entries\n", + allowListFiles.size(), allowListFunctions.size()); } @@ -702,9 +701,8 @@ struct afl_pass : gimple_opt_pass { } if (debug) - SAYF(cMGN "[D] " cRST - "loaded denylist with %zu file and %zu function entries\n", - denyListFiles.size(), denyListFunctions.size()); + DEBUGF("loaded denylist with %zu file and %zu function entries\n", + denyListFiles.size(), denyListFunctions.size()); } @@ -745,10 +743,10 @@ struct afl_pass : gimple_opt_pass { if (fnmatch(("*" + *it).c_str(), instFunction.c_str(), 0) == 0) { if (debug) - SAYF(cMGN "[D] " cRST - "Function %s is in the deny function list, " - "not instrumenting ... \n", - instFunction.c_str()); + DEBUGF( + "Function %s is in the deny function list, not " + "instrumenting ... \n", + instFunction.c_str()); return false; } @@ -825,10 +823,10 @@ struct afl_pass : gimple_opt_pass { if (fnmatch(("*" + *it).c_str(), instFunction.c_str(), 0) == 0) { if (debug) - SAYF(cMGN "[D] " cRST - "Function %s is in the allow function list, " - "instrumenting ... \n", - instFunction.c_str()); + DEBUGF( + "Function %s is in the allow function list, instrumenting " + "... \n", + instFunction.c_str()); return true; } @@ -859,11 +857,11 @@ struct afl_pass : gimple_opt_pass { if (fnmatch(("*" + *it).c_str(), source_file.c_str(), 0) == 0) { if (debug) - SAYF(cMGN "[D] " cRST - "Function %s is in the allowlist (%s), " - "instrumenting ... \n", - IDENTIFIER_POINTER(DECL_NAME(F->decl)), - source_file.c_str()); + DEBUGF( + "Function %s is in the allowlist (%s), instrumenting ... " + "\n", + IDENTIFIER_POINTER(DECL_NAME(F->decl)), + source_file.c_str()); return true; } diff --git a/instrumentation/afl-llvm-common.cc b/instrumentation/afl-llvm-common.cc index 189b4ec6..21c4d204 100644 --- a/instrumentation/afl-llvm-common.cc +++ b/instrumentation/afl-llvm-common.cc @@ -173,9 +173,8 @@ void initInstrumentList() { } if (debug) - SAYF(cMGN "[D] " cRST - "loaded allowlist with %zu file and %zu function entries\n", - allowListFiles.size(), allowListFunctions.size()); + DEBUGF("loaded allowlist with %zu file and %zu function entries\n", + allowListFiles.size(), allowListFunctions.size()); } @@ -248,9 +247,8 @@ void initInstrumentList() { } if (debug) - SAYF(cMGN "[D] " cRST - "loaded denylist with %zu file and %zu function entries\n", - denyListFiles.size(), denyListFunctions.size()); + DEBUGF("loaded denylist with %zu file and %zu function entries\n", + denyListFiles.size(), denyListFunctions.size()); } @@ -409,10 +407,10 @@ bool isInInstrumentList(llvm::Function *F) { if (fnmatch(("*" + *it).c_str(), instFunction.c_str(), 0) == 0) { if (debug) - SAYF(cMGN "[D] " cRST - "Function %s is in the deny function list, " - "not instrumenting ... \n", - instFunction.c_str()); + DEBUGF( + "Function %s is in the deny function list, not instrumenting " + "... \n", + instFunction.c_str()); return false; } @@ -489,10 +487,10 @@ bool isInInstrumentList(llvm::Function *F) { if (fnmatch(("*" + *it).c_str(), instFunction.c_str(), 0) == 0) { if (debug) - SAYF(cMGN "[D] " cRST - "Function %s is in the allow function list, " - "instrumenting ... \n", - instFunction.c_str()); + DEBUGF( + "Function %s is in the allow function list, instrumenting " + "... \n", + instFunction.c_str()); return true; } @@ -523,10 +521,10 @@ bool isInInstrumentList(llvm::Function *F) { if (fnmatch(("*" + *it).c_str(), source_file.c_str(), 0) == 0) { if (debug) - SAYF(cMGN "[D] " cRST - "Function %s is in the allowlist (%s), " - "instrumenting ... \n", - F->getName().str().c_str(), source_file.c_str()); + DEBUGF( + "Function %s is in the allowlist (%s), instrumenting ... " + "\n", + F->getName().str().c_str(), source_file.c_str()); return true; } diff --git a/instrumentation/afl-llvm-lto-instrumentlist.so.cc b/instrumentation/afl-llvm-lto-instrumentlist.so.cc index a7331444..416dbb88 100644 --- a/instrumentation/afl-llvm-lto-instrumentlist.so.cc +++ b/instrumentation/afl-llvm-lto-instrumentlist.so.cc @@ -105,15 +105,14 @@ bool AFLcheckIfInstrument::runOnModule(Module &M) { if (isInInstrumentList(&F)) { if (debug) - SAYF(cMGN "[D] " cRST "function %s is in the instrument file list\n", - F.getName().str().c_str()); + DEBUGF("function %s is in the instrument file list\n", + F.getName().str().c_str()); } else { if (debug) - SAYF(cMGN "[D] " cRST - "function %s is NOT in the instrument file list\n", - F.getName().str().c_str()); + DEBUGF("function %s is NOT in the instrument file list\n", + F.getName().str().c_str()); auto & Ctx = F.getContext(); AttributeList Attrs = F.getAttributes(); diff --git a/instrumentation/split-compares-pass.so.cc b/instrumentation/split-compares-pass.so.cc index 3f05dd97..33a87719 100644 --- a/instrumentation/split-compares-pass.so.cc +++ b/instrumentation/split-compares-pass.so.cc @@ -601,15 +601,12 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) { if (op_size != op1->getType()->getPrimitiveSizeInBits()) { continue; } const unsigned int sizeInBits = op0->getType()->getPrimitiveSizeInBits(); - const unsigned int precision = - sizeInBits == 32 - ? 24 - : sizeInBits == 64 - ? 53 - : sizeInBits == 128 ? 113 - : sizeInBits == 16 ? 11 - /* sizeInBits == 80 */ - : 65; + const unsigned int precision = sizeInBits == 32 ? 24 + : sizeInBits == 64 ? 53 + : sizeInBits == 128 ? 113 + : sizeInBits == 16 ? 11 + /* sizeInBits == 80 */ + : 65; const unsigned shiftR_exponent = precision - 1; const unsigned long long mask_fraction = |