Diffstat (limited to 'src')
-rw-r--r--src/afl-cc.c120
-rw-r--r--src/afl-fuzz-queue.c10
-rw-r--r--src/afl-fuzz-run.c2
-rw-r--r--src/afl-fuzz-state.c13
-rw-r--r--src/afl-fuzz.c14
-rw-r--r--src/afl-showmap.c7
6 files changed, 137 insertions, 29 deletions
diff --git a/src/afl-cc.c b/src/afl-cc.c
index 6def3ee7..c0449e64 100644
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
@@ -51,7 +51,7 @@ static u32 cc_par_cnt = 1; /* Param count, including argv0 */
static u8 clang_mode; /* Invoked as afl-clang*? */
static u8 llvm_fullpath[PATH_MAX];
static u8 instrument_mode, instrument_opt_mode, ngram_size, ctx_k, lto_mode;
-static u8 compiler_mode, plusplus_mode, have_instr_env = 0;
+static u8 compiler_mode, plusplus_mode, have_instr_env = 0, need_aflpplib = 0;
static u8 have_gcc, have_llvm, have_gcc_plugin, have_lto, have_instr_list = 0;
static u8 *lto_flag = AFL_CLANG_FLTO, *argvnull;
static u8 debug;
@@ -310,6 +310,71 @@ static u8 *find_object(u8 *obj, u8 *argv0) {
}
+void parse_fsanitize(char *string) {
+
+ char *p, *ptr = string + strlen("-fsanitize=");
+ char *new = malloc(strlen(string) + 1);
+ char *tmp = malloc(strlen(ptr));
+ u32 count = 0, len, ende = 0;
+
+ if (!new || !tmp) { FATAL("could not aquire memory"); }
+ strcpy(new, "-fsanitize=");
+
+ do {
+
+ p = strchr(ptr, ',');
+ if (!p) {
+
+ p = ptr + strlen(ptr) + 1;
+ ende = 1;
+
+ }
+
+ len = p - ptr;
+ if (len) {
+
+ strncpy(tmp, ptr, len);
+ tmp[len] = 0;
+ // fprintf(stderr, "Found: %s\n", tmp);
+ ptr += len + 1;
+ if (*tmp) {
+
+ u32 copy = 1;
+ if (!strcmp(tmp, "fuzzer")) {
+
+ need_aflpplib = 1;
+ copy = 0;
+
+ } else if (!strncmp(tmp, "fuzzer", 6)) {
+
+ copy = 0;
+
+ }
+
+ if (copy) {
+
+ if (count) { strcat(new, ","); }
+ strcat(new, tmp);
+ ++count;
+
+ }
+
+ }
+
+ } else {
+
+ ptr++; /*fprintf(stderr, "NO!\n"); */
+
+ }
+
+ } while (!ende);
+
+ strcpy(string, new);
+ // fprintf(stderr, "string: %s\n", string);
+ // fprintf(stderr, "new: %s\n", new);
+
+}
+
/* Copy argv to cc_params, making the necessary edits. */
static void edit_params(u32 argc, char **argv, char **envp) {
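Review bot: parse_fsanitize can write one byte past `tmp`: it is allocated with `strlen(ptr)` bytes, but in the last-token branch `p = ptr + strlen(ptr) + 1` makes `len` include the terminator, so for a list with a leading comma such as `-fsanitize=,address` the final token has `len` equal to the original `strlen(ptr)` and `tmp[len] = 0` lands one past the allocation. Using `p = ptr + strlen(ptr);` in the `!p` branch (the terminator is then written by the existing `tmp[len] = 0`) together with `char *tmp = malloc(strlen(ptr) + 1);` closes both the off-by-one and the undersized buffer without changing which tokens are produced, since the `len == 0` case is already handled by the `else` branch. `new` and `tmp` are also never released; the result is copied back into `string`, so `free(new); free(tmp);` before the closing brace is safe. Consider dropping the commented-out `fprintf` debugging lines as well.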
@@ -433,13 +498,10 @@ static void edit_params(u32 argc, char **argv, char **envp) {
alloc_printf("-fplugin=%s/afl-gcc-cmptrs-pass.so", obj_path);
cc_params[cc_par_cnt++] = fplugin_arg;
- } else {
-
- fplugin_arg = alloc_printf("-fplugin=%s/afl-gcc-pass.so", obj_path);
- cc_params[cc_par_cnt++] = fplugin_arg;
-
}
+ fplugin_arg = alloc_printf("-fplugin=%s/afl-gcc-pass.so", obj_path);
+ cc_params[cc_par_cnt++] = fplugin_arg;
cc_params[cc_par_cnt++] = "-fno-if-conversion";
cc_params[cc_par_cnt++] = "-fno-if-conversion2";
@@ -759,6 +821,8 @@ static void edit_params(u32 argc, char **argv, char **envp) {
}
+ if (compiler_mode == GCC_PLUGIN && !strcmp(cur, "-pipe")) { continue; }
+
if (!strcmp(cur, "-z") || !strcmp(cur, "-Wl,-z")) {
u8 *param = *(argv + 1);
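Review bot: `-pipe` is dropped silently for GCC_PLUGIN, whereas the other flags this function strips report it through `WARNF("Found '%s' - stripping!", cur)` when `!be_quiet`, and nothing states why the gcc plugin cannot accept it. Either route it through the same warning or add a why-comment on the line, e.g. `/* -pipe is incompatible with the afl gcc plugin -- TODO confirm */`, so the next maintainer does not re-enable it. edit_params's argument loop starts and ends outside this hunk.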
@@ -779,20 +843,35 @@ static void edit_params(u32 argc, char **argv, char **envp) {
}
- if ((!strncmp(cur, "-fsanitize=fuzzer-", strlen("-fsanitize=fuzzer-")) ||
- !strncmp(cur, "-fsanitize-coverage", strlen("-fsanitize-coverage"))) &&
- (strncmp(cur, "sanitize-coverage-allow",
- strlen("sanitize-coverage-allow")) &&
- strncmp(cur, "sanitize-coverage-deny",
- strlen("sanitize-coverage-deny")) &&
- instrument_mode != INSTRUMENT_LLVMNATIVE)) {
+ if (!strncmp(cur, "-fsanitize-coverage-", 20) && strstr(cur, "list=")) {
+
+ have_instr_list = 1;
+
+ }
+
+ if (!strncmp(cur, "-fsanitize=", strlen("-fsanitize=")) &&
+ strchr(cur, ',')) {
+
+ parse_fsanitize(cur);
+ if (!cur || strlen(cur) <= strlen("-fsanitize=")) { continue; }
+
+ } else if ((!strncmp(cur, "-fsanitize=fuzzer-",
+
+ strlen("-fsanitize=fuzzer-")) ||
+ !strncmp(cur, "-fsanitize-coverage",
+ strlen("-fsanitize-coverage"))) &&
+ (strncmp(cur, "sanitize-coverage-allow",
+ strlen("sanitize-coverage-allow")) &&
+ strncmp(cur, "sanitize-coverage-deny",
+ strlen("sanitize-coverage-deny")) &&
+ instrument_mode != INSTRUMENT_LLVMNATIVE)) {
if (!be_quiet) { WARNF("Found '%s' - stripping!", cur); }
continue;
}
- if (!strcmp(cur, "-fsanitize=fuzzer")) {
+ if (need_aflpplib || !strcmp(cur, "-fsanitize=fuzzer")) {
u8 *afllib = find_object("libAFLDriver.a", argv[0]);
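Review bot: The `continue` after `parse_fsanitize(cur)` skips the `libAFLDriver.a` block that follows it, so when the list collapses to an empty `-fsanitize=` (e.g. `-fsanitize=fuzzer,fuzzer-no-link`) `need_aflpplib` stays set and the driver is linked only if some later argument happens to flow through that block; as the last argument it is never linked. Because the flag is file-scope, the robust fix is to link the driver once after the argv loop whenever `need_aflpplib` is still set (the loop ends outside this hunk) instead of from inside a per-argument branch. The `!cur` test in that condition is dead: `parse_fsanitize` has just dereferenced `cur`, and the call cannot turn it into NULL. Also note `parse_fsanitize` rewrites the argv string in place (it is never longer than the input, so that is safe), which is worth a comment at the call site.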
@@ -823,7 +902,15 @@ static void edit_params(u32 argc, char **argv, char **envp) {
}
- continue;
+ if (need_aflpplib) {
+
+ need_aflpplib = 0;
+
+ } else {
+
+ continue;
+
+ }
}
@@ -831,9 +918,6 @@ static void edit_params(u32 argc, char **argv, char **envp) {
if (!strcmp(cur, "armv7a-linux-androideabi")) bit_mode = 32;
if (!strcmp(cur, "-m64")) bit_mode = 64;
- if (!strncmp(cur, "-fsanitize-coverage-", 20) && strstr(cur, "list="))
- have_instr_list = 1;
-
if (!strcmp(cur, "-fsanitize=address") || !strcmp(cur, "-fsanitize=memory"))
asan_set = 1;
diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c
index 02d697ab..d8dbdfbe 100644
--- a/src/afl-fuzz-queue.c
+++ b/src/afl-fuzz-queue.c
@@ -795,8 +795,14 @@ void cull_queue(afl_state_t *afl) {
u32 calculate_score(afl_state_t *afl, struct queue_entry *q) {
- u32 avg_exec_us = afl->total_cal_us / afl->total_cal_cycles;
- u32 avg_bitmap_size = afl->total_bitmap_size / afl->total_bitmap_entries;
+ u32 cal_cycles = afl->total_cal_cycles;
+ u32 bitmap_entries = afl->total_bitmap_entries;
+
+ if (unlikely(!cal_cycles)) { cal_cycles = 1; }
+ if (unlikely(!bitmap_entries)) { bitmap_entries = 1; }
+
+ u32 avg_exec_us = afl->total_cal_us / cal_cycles;
+ u32 avg_bitmap_size = afl->total_bitmap_size / bitmap_entries;
u32 perf_score = 100;
/* Adjust score based on execution speed of this path, compared to the
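Review bot: Clamping the divisors to 1 removes the division-by-zero, but with no calibration data both `avg_exec_us` and `avg_bitmap_size` become 0, so the speed and bitmap ratios that follow (outside this hunk) are then computed against zero rather than skipped; if this path is reached because AFL_NO_STARTUP_CALIBRATION skips perform_dry_run (see the afl-fuzz.c hunk), that outcome should be deliberate. A comment on the guards would make the intent explicit, e.g. `/* totals are 0 until the first calibration (AFL_NO_STARTUP_CALIBRATION); the averages are then 0 and the adjustments below see every entry as above average -- TODO confirm intended */`. calculate_score's body continues past the end of the hunk.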
diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index c0e72ae6..ee4a3298 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -363,7 +363,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
++q->cal_failed;
afl->stage_name = "calibration";
- afl->stage_max = afl->afl_env.afl_cal_fast ? 3 : CAL_CYCLES;
+ afl->stage_max = afl->afl_env.afl_cal_fast ? CAL_CYCLES_FAST : CAL_CYCLES;
/* Make sure the forkserver is up before we do anything, and let's not
count its spin-up time toward binary calibration. */
diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c
index ddfd4b31..0576f84f 100644
--- a/src/afl-fuzz-state.c
+++ b/src/afl-fuzz-state.c
@@ -265,6 +265,13 @@ void read_afl_environment(afl_state_t *afl, char **envp) {
afl->afl_env.afl_cmplog_only_new =
get_afl_env(afl_environment_variables[i]) ? 1 : 0;
+ } else if (!strncmp(env, "AFL_NO_STARTUP_CALIBRATION",
+
+ afl_environment_variable_len)) {
+
+ afl->afl_env.afl_no_startup_calibration =
+ get_afl_env(afl_environment_variables[i]) ? 1 : 0;
+
} else if (!strncmp(env, "AFL_NO_UI", afl_environment_variable_len)) {
afl->afl_env.afl_no_ui =
@@ -597,11 +604,7 @@ void read_afl_environment(afl_state_t *afl, char **envp) {
}
- if (afl->afl_env.afl_pizza_mode == 0) {
-
- afl->afl_env.afl_pizza_mode = 1;
-
- } else {
+ if (afl->afl_env.afl_pizza_mode) {
afl->pizza_is_served = 1;
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 2e151abb..1f0fcab1 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -273,6 +273,7 @@ static void usage(u8 *argv0, int more_help) {
"AFL_NO_CPU_RED: avoid red color for showing very high cpu usage\n"
"AFL_NO_FORKSRV: run target via execve instead of using the forkserver\n"
"AFL_NO_SNAPSHOT: do not use the snapshot feature (if the snapshot lkm is loaded)\n"
+ "AFL_NO_STARTUP_CALIBRATION: no initial seed calibration, start fuzzing at once\n"
"AFL_NO_UI: switch status screen off\n"
DYN_COLOR
@@ -2150,7 +2151,16 @@ int main(int argc, char **argv_orig, char **envp) {
memset(afl->virgin_tmout, 255, map_size);
memset(afl->virgin_crash, 255, map_size);
- perform_dry_run(afl);
+ if (likely(!afl->afl_env.afl_no_startup_calibration)) {
+
+ perform_dry_run(afl);
+
+ } else {
+
+ ACTF("skipping initial seed calibration due option override");
+ usleep(1000);
+
+ }
if (afl->q_testcase_max_cache_entries) {
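Review bot: The `else` branch should document what is being skipped and why the `usleep(1000)` is there: without perform_dry_run the seeds are not executed before fuzzing starts, so the calibration totals that calculate_score divides by stay zero (the afl-fuzz-queue.c hunk guards that) and, presumably, the crashing/hanging-seed checks the dry run normally performs are not done either — a short comment like `/* AFL_NO_STARTUP_CALIBRATION: seeds are calibrated lazily; totals stay 0 until then */` would help. The log text also reads oddly; `ACTF("skipping initial seed calibration due to option override");`. main continues outside the hunk.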
@@ -2550,7 +2560,7 @@ stop_fuzzing:
write_bitmap(afl);
save_auto(afl);
- if (afl->afl_env.afl_pizza_mode) {
+ if (afl->pizza_is_served) {
SAYF(CURSOR_SHOW cLRD "\n\n+++ Baking aborted %s +++\n" cRST,
afl->stop_soon == 2 ? "programmatically" : "by the chef");
diff --git a/src/afl-showmap.c b/src/afl-showmap.c
index 4bcd1d59..07f30326 100644
--- a/src/afl-showmap.c
+++ b/src/afl-showmap.c
@@ -1240,7 +1240,12 @@ int main(int argc, char **argv_orig, char **envp) {
u32 save_be_quiet = be_quiet;
be_quiet = !debug;
- fsrv->map_size = 4194304; // dummy temporary value
+ if (map_size > 4194304) {
+ fsrv->map_size = map_size;
+ }
+ else {
+ fsrv->map_size = 4194304; // dummy temporary value
+ }
u32 new_map_size =
afl_fsrv_get_mapsize(fsrv, use_argv, &stop_soon,
(get_afl_env("AFL_DEBUG_CHILD") ||
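Review bot: The new branch puts `}` and `else {` on separate lines, unlike the `} else {` form used elsewhere in this diff, and the 4194304 literal now appears twice; `fsrv->map_size = map_size > 4194304 ? map_size : 4194304; // dummy temporary value, unless a larger map was requested` keeps the behavior in one line. The comment should also say where `map_size` comes from (its declaration is outside this hunk) so it is clear which value wins when afl_fsrv_get_mapsize is queried. main continues outside the hunk.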