Diffstat (limited to 'src/afl-fuzz-bitmap.c')
-rw-r--r--src/afl-fuzz-bitmap.c125
1 files changed, 72 insertions, 53 deletions
diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c
index be8f504e..69fe6562 100644
--- a/src/afl-fuzz-bitmap.c
+++ b/src/afl-fuzz-bitmap.c
@@ -35,15 +35,15 @@ void write_bitmap(afl_state_t *afl) {
u8 fname[PATH_MAX];
s32 fd;
- if (!afl->bitmap_changed) return;
+ if (!afl->bitmap_changed) { return; }
afl->bitmap_changed = 0;
snprintf(fname, PATH_MAX, "%s/fuzz_bitmap", afl->out_dir);
fd = open(fname, O_WRONLY | O_CREAT | O_TRUNC, 0600);
- if (fd < 0) PFATAL("Unable to open '%s'", fname);
+ if (fd < 0) { PFATAL("Unable to open '%s'", fname); }
- ck_write(fd, afl->virgin_bits, MAP_SIZE, fname);
+ ck_write(fd, afl->virgin_bits, afl->fsrv.map_size, fname);
close(fd);
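Review bot: The new `ck_write` line bounds the write by `afl->fsrv.map_size`, but `afl->virgin_bits` is declared outside the hunk, so whether its allocation was also switched from `MAP_SIZE` to `map_size` cannot be confirmed here; if it is still a fixed `MAP_SIZE` array, any `map_size` larger than `MAP_SIZE` reads past it. Whatever later loads `fuzz_bitmap` must likewise expect `map_size` bytes rather than `MAP_SIZE`, since the file length now varies with the target. A comment above the call such as `/* the bitmap file is map_size bytes, not MAP_SIZE; readers must use the same size */` would make that contract visible. write_bitmap's head is outside the hunk.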
@@ -102,11 +102,16 @@ u8 has_new_bits(afl_state_t *afl, u8 *virgin_map) {
(cur[1] && vir[1] == 0xff) || (cur[2] && vir[2] == 0xff) ||
(cur[3] && vir[3] == 0xff) || (cur[4] && vir[4] == 0xff) ||
(cur[5] && vir[5] == 0xff) || (cur[6] && vir[6] == 0xff) ||
- (cur[7] && vir[7] == 0xff))
+ (cur[7] && vir[7] == 0xff)) {
+
ret = 2;
- else
+
+ } else {
+
ret = 1;
+ }
+
#else
if (*virgin == 0xffffffff || (cur[0] && vir[0] == 0xff) ||
@@ -129,9 +134,12 @@ u8 has_new_bits(afl_state_t *afl, u8 *virgin_map) {
}
- if (unlikely(ret) && likely(virgin_map == afl->virgin_bits))
+ if (unlikely(ret) && likely(virgin_map == afl->virgin_bits)) {
+
afl->bitmap_changed = 1;
+ }
+
return ret;
}
@@ -145,8 +153,6 @@ u32 count_bits(afl_state_t *afl, u8 *mem) {
u32 i = (afl->fsrv.map_size >> 2);
u32 ret = 0;
- if (i == 0) i = 1;
-
while (i--) {
u32 v = *(ptr++);
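Review bot: Dropping `if (i == 0) i = 1;` stops the loop from reading four bytes of a map smaller than four bytes, but `afl->fsrv.map_size >> 2` still silently discards any trailing bytes when `map_size` is not a multiple of 4 (8 for the `>> 3` loops), so those bytes are never counted, classified or simplified; the same applies to the hunks in count_bytes, count_non_255_bytes, both simplify_trace variants and both classify_counts variants. If `map_size` is guaranteed to be rounded to a multiple of 8 where it is set, a comment at this first loop, e.g. `/* map_size is rounded to a multiple of 8 where it is set, so no tail bytes remain */`, would document why the truncating shift is safe; otherwise the tail should be handled explicitly or the size rounded up at its source. A `map_size` below 4 now yields a zero-iteration loop and a return of 0, which callers comparing against an earlier count should tolerate. count_bits's body continues outside the hunk.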
@@ -181,17 +187,15 @@ u32 count_bytes(afl_state_t *afl, u8 *mem) {
u32 i = (afl->fsrv.map_size >> 2);
u32 ret = 0;
- if (i == 0) i = 1;
-
while (i--) {
u32 v = *(ptr++);
- if (!v) continue;
- if (v & 0x000000ff) ++ret;
- if (v & 0x0000ff00) ++ret;
- if (v & 0x00ff0000) ++ret;
- if (v & 0xff000000) ++ret;
+ if (!v) { continue; }
+ if (v & 0x000000ff) { ++ret; }
+ if (v & 0x0000ff00) { ++ret; }
+ if (v & 0x00ff0000) { ++ret; }
+ if (v & 0xff000000) { ++ret; }
}
@@ -208,8 +212,6 @@ u32 count_non_255_bytes(afl_state_t *afl, u8 *mem) {
u32 i = (afl->fsrv.map_size >> 2);
u32 ret = 0;
- if (i == 0) i = 1;
-
while (i--) {
u32 v = *(ptr++);
@@ -217,11 +219,11 @@ u32 count_non_255_bytes(afl_state_t *afl, u8 *mem) {
/* This is called on the virgin bitmap, so optimize for the most likely
case. */
- if (v == 0xffffffff) continue;
- if ((v & 0x000000ff) != 0x000000ff) ++ret;
- if ((v & 0x0000ff00) != 0x0000ff00) ++ret;
- if ((v & 0x00ff0000) != 0x00ff0000) ++ret;
- if ((v & 0xff000000) != 0xff000000) ++ret;
+ if (v == 0xffffffff) { continue; }
+ if ((v & 0x000000ff) != 0x000000ff) { ++ret; }
+ if ((v & 0x0000ff00) != 0x0000ff00) { ++ret; }
+ if ((v & 0x00ff0000) != 0x00ff0000) { ++ret; }
+ if ((v & 0xff000000) != 0xff000000) { ++ret; }
}
@@ -246,8 +248,6 @@ void simplify_trace(afl_state_t *afl, u64 *mem) {
u32 i = (afl->fsrv.map_size >> 3);
- if (i == 0) i = 1;
-
while (i--) {
/* Optimize for sparse bitmaps. */
@@ -265,10 +265,12 @@ void simplify_trace(afl_state_t *afl, u64 *mem) {
mem8[6] = simplify_lookup[mem8[6]];
mem8[7] = simplify_lookup[mem8[7]];
- } else
+ } else {
*mem = 0x0101010101010101ULL;
+ }
+
++mem;
}
@@ -281,8 +283,6 @@ void simplify_trace(afl_state_t *afl, u32 *mem) {
u32 i = (afl->fsrv.map_size >> 2);
- if (i == 0) i = 1;
-
while (i--) {
/* Optimize for sparse bitmaps. */
@@ -332,11 +332,17 @@ void init_count_class16(void) {
u32 b1, b2;
- for (b1 = 0; b1 < 256; b1++)
- for (b2 = 0; b2 < 256; b2++)
+ for (b1 = 0; b1 < 256; b1++) {
+
+ for (b2 = 0; b2 < 256; b2++) {
+
count_class_lookup16[(b1 << 8) + b2] =
(count_class_lookup8[b1] << 8) | count_class_lookup8[b2];
+ }
+
+ }
+
}
#ifdef WORD_SIZE_64
@@ -347,8 +353,6 @@ void classify_counts(afl_forkserver_t *fsrv) {
u32 i = (fsrv->map_size >> 3);
- if (i == 0) i = 1;
-
while (i--) {
/* Optimize for sparse bitmaps. */
@@ -378,8 +382,6 @@ void classify_counts(afl_forkserver_t *fsrv) {
u32 i = (fsrv->map_size >> 2);
- if (i == 0) i = 1;
-
while (i--) {
/* Optimize for sparse bitmaps. */
@@ -411,7 +413,7 @@ void minimize_bits(afl_state_t *afl, u8 *dst, u8 *src) {
while (i < afl->fsrv.map_size) {
- if (*(src++)) dst[i >> 3] |= 1 << (i & 7);
+ if (*(src++)) { dst[i >> 3] |= 1 << (i & 7); }
++i;
}
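Review bot: The `dst[i >> 3]` write on the braced line relies on `dst` holding at least `(map_size + 7) / 8` bytes; if the caller sizes it as `map_size >> 3`, mirroring the truncating shifts used by the counting loops in this file, the final partial byte is written one past the buffer whenever `map_size` is not a multiple of 8. `dst` is allocated outside the hunk, so this cannot be confirmed here; a comment on the function, `/* dst must hold (map_size + 7) / 8 bytes */`, or a check at the call site would pin the contract. minimize_bits's head, including the initialisation of `i`, is outside the hunk.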
@@ -437,27 +439,35 @@ u8 *describe_op(afl_state_t *afl, u8 hnb) {
sprintf(ret + strlen(ret), ",time:%llu", get_cur_time() - afl->start_time);
- if (afl->splicing_with >= 0)
+ if (afl->splicing_with >= 0) {
+
sprintf(ret + strlen(ret), "+%06d", afl->splicing_with);
+ }
+
sprintf(ret + strlen(ret), ",op:%s", afl->stage_short);
if (afl->stage_cur_byte >= 0) {
sprintf(ret + strlen(ret), ",pos:%d", afl->stage_cur_byte);
- if (afl->stage_val_type != STAGE_VAL_NONE)
+ if (afl->stage_val_type != STAGE_VAL_NONE) {
+
sprintf(ret + strlen(ret), ",val:%s%+d",
(afl->stage_val_type == STAGE_VAL_BE) ? "be:" : "",
afl->stage_cur_val);
- } else
+ }
+
+ } else {
sprintf(ret + strlen(ret), ",rep:%d", afl->stage_cur_val);
+ }
+
}
- if (hnb == 2) strcat(ret, ",+cov");
+ if (hnb == 2) { strcat(ret, ",+cov"); }
return ret;
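Review bot: Every field appended in this hunk uses unbounded `sprintf(ret + strlen(ret), ...)`, so the combined length of the time, splice, op, pos/val and `,+cov` pieces is never checked against the buffer `ret`, which is declared outside the hunk; the pieces come from integers, fixed strings and `afl->stage_short`, so overflow is unlikely but also unproven, and the commit rewrites each of these lines without adding a bound. Switching them to `snprintf(ret + strlen(ret), RET_SIZE - strlen(ret), ...)`, where `RET_SIZE` stands for the buffer's declared size, or tracking a running offset from the return values, would make the bound explicit and avoid the repeated `strlen` scans. The function's head, including the declaration of `ret`, is outside the hunk.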
@@ -481,7 +491,7 @@ static void write_crash_readme(afl_state_t *afl) {
/* Do not die on errors here - that would be impolite. */
- if (unlikely(fd < 0)) return;
+ if (unlikely(fd < 0)) { return; }
f = fdopen(fd, "w");
@@ -526,7 +536,7 @@ static void write_crash_readme(afl_state_t *afl) {
u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
- if (unlikely(len == 0)) return 0;
+ if (unlikely(len == 0)) { return 0; }
u8 *queue_fn = "";
u8 hnb = '\0';
@@ -559,7 +569,7 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
if (!(hnb = has_new_bits(afl, afl->virgin_bits))) {
- if (unlikely(afl->crash_mode)) ++afl->total_crashes;
+ if (unlikely(afl->crash_mode)) { ++afl->total_crashes; }
return 0;
}
@@ -592,11 +602,14 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
res = calibrate_case(afl, afl->queue_top, mem, afl->queue_cycle - 1, 0);
- if (unlikely(res == FSRV_RUN_ERROR))
+ if (unlikely(res == FSRV_RUN_ERROR)) {
+
FATAL("Unable to execute target application");
+ }
+
fd = open(queue_fn, O_WRONLY | O_CREAT | O_EXCL, 0600);
- if (unlikely(fd < 0)) PFATAL("Unable to create '%s'", queue_fn);
+ if (unlikely(fd < 0)) { PFATAL("Unable to create '%s'", queue_fn); }
ck_write(fd, mem, len, queue_fn);
close(fd);
@@ -615,7 +628,7 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
++afl->total_tmouts;
- if (afl->unique_hangs >= KEEP_UNIQUE_HANG) return keeping;
+ if (afl->unique_hangs >= KEEP_UNIQUE_HANG) { return keeping; }
if (likely(!afl->dumb_mode)) {
@@ -625,7 +638,7 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
simplify_trace(afl, (u32 *)afl->fsrv.trace_bits);
#endif /* ^WORD_SIZE_64 */
- if (!has_new_bits(afl, afl->virgin_tmout)) return keeping;
+ if (!has_new_bits(afl, afl->virgin_tmout)) { return keeping; }
}
@@ -645,9 +658,13 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
timeout actually uncovers a crash. Make sure we don't discard it if
so. */
- if (!afl->stop_soon && new_fault == FSRV_RUN_CRASH) goto keep_as_crash;
+ if (!afl->stop_soon && new_fault == FSRV_RUN_CRASH) {
+
+ goto keep_as_crash;
- if (afl->stop_soon || new_fault != FSRV_RUN_TMOUT) return keeping;
+ }
+
+ if (afl->stop_soon || new_fault != FSRV_RUN_TMOUT) { return keeping; }
}
@@ -679,7 +696,7 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
++afl->total_crashes;
- if (afl->unique_crashes >= KEEP_UNIQUE_CRASH) return keeping;
+ if (afl->unique_crashes >= KEEP_UNIQUE_CRASH) { return keeping; }
if (likely(!afl->dumb_mode)) {
@@ -689,11 +706,11 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
simplify_trace(afl, (u32 *)afl->fsrv.trace_bits);
#endif /* ^WORD_SIZE_64 */
- if (!has_new_bits(afl, afl->virgin_crash)) return keeping;
+ if (!has_new_bits(afl, afl->virgin_crash)) { return keeping; }
}
- if (unlikely(!afl->unique_crashes)) write_crash_readme(afl);
+ if (unlikely(!afl->unique_crashes)) { write_crash_readme(afl); }
#ifndef SIMPLE_FILES
@@ -729,9 +746,11 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
break;
- case FSRV_RUN_ERROR: FATAL("Unable to execute target application");
+ case FSRV_RUN_ERROR:
+ FATAL("Unable to execute target application");
- default: return keeping;
+ default:
+ return keeping;
}
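Review bot: The split `case FSRV_RUN_ERROR:` now has `FATAL(...)` on its own line with no `break` or `return` before `default:`, so the code only reads as non-falling-through if the reader knows `FATAL` does not return. A short marker after the call, `/* not reached: FATAL aborts */`, would make the intent explicit and keep a fall-through warning from being mistaken for a defect later. The enclosing switch begins outside the hunk.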
@@ -739,7 +758,7 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
test case, too. */
fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600);
- if (unlikely(fd < 0)) PFATAL("Unable to create '%s'", fn);
+ if (unlikely(fd < 0)) { PFATAL("Unable to create '%s'", fn); }
ck_write(fd, mem, len, fn);
close(fd);