Diffstat (limited to 'src')
-rw-r--r--src/afl-cc.c44
-rw-r--r--src/afl-forkserver.c6
-rw-r--r--src/afl-fuzz-init.c8
-rw-r--r--src/afl-fuzz-stats.c28
-rw-r--r--src/afl-fuzz.c4
5 files changed, 57 insertions, 33 deletions
diff --git a/src/afl-cc.c b/src/afl-cc.c
index 7afab850..6f634b53 100644
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
@@ -98,7 +98,8 @@ typedef enum {
} compiler_mode_id;
-static u8 cwd[4096];
+static u8 cwd[4096];
+static char opt_level = '3';
char instrument_mode_string[18][18] = {
@@ -881,9 +882,17 @@ static void instrument_mode_old_environ(aflcc_state_t *aflcc) {
*/
static void instrument_mode_new_environ(aflcc_state_t *aflcc) {
+ u8 *ptr2;
+
+ if ((ptr2 = getenv("AFL_OPT_LEVEL"))) {
+
+ opt_level = ptr2[0]; // ignore invalid data
+
+ }
+
if (!getenv("AFL_LLVM_INSTRUMENT")) { return; }
- u8 *ptr2 = strtok(getenv("AFL_LLVM_INSTRUMENT"), ":,;");
+ ptr2 = strtok(getenv("AFL_LLVM_INSTRUMENT"), ":,;");
while (ptr2) {
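Review bot: The AFL_OPT_LEVEL value stored at the top of instrument_mode_new_environ is never validated, so with the `// ignore invalid data` policy a typo such as AFL_OPT_LEVEL=O2 or AFL_OPT_LEVEL=fast silently becomes -O3 (get_opt_level's default branch) or -Ofast with no diagnostic, and an empty string stores '\0'. Because this letter ends up as a compiler flag the user explicitly asked for, an unrecognised value deserves a warning rather than silence while keeping the fallback, e.g. `if (!ptr2[0] || !strchr("0123zsfg", ptr2[0])) { WARNF("Unrecognized AFL_OPT_LEVEL '%s', using -O3", ptr2); }` placed before the assignment (WARNF being the project's usual warning macro, if it is in scope here). Also, if instrument_mode_new_environ is only reached for LLVM instrumentation modes as its name suggests, the variable would have no effect for other compiler modes even though add_misc_params applies get_opt_level() unconditionally; worth confirming. The function's body continues outside this hunk.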
@@ -2561,6 +2570,33 @@ void add_gcc_plugin(aflcc_state_t *aflcc) {
}
+char *get_opt_level() {
+
+ static char levels[8][8] = {"-O0", "-O1", "-O2", "-O3",
+ "-Oz", "-Os", "-Ofast", "-Og"};
+ switch (opt_level) {
+
+ case '0':
+ return levels[0];
+ case '1':
+ return levels[1];
+ case '2':
+ return levels[2];
+ case 'z':
+ return levels[4];
+ case 's':
+ return levels[5];
+ case 'f':
+ return levels[6];
+ case 'g':
+ return levels[7];
+ default:
+ return levels[3];
+
+ }
+
+}
+
/* Add some miscellaneous params required by our instrumentation. */
void add_misc_params(aflcc_state_t *aflcc) {
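Review bot: get_opt_level has no header comment and an empty parameter list, which in C declares a function with unspecified arguments; `char *get_opt_level(void)` is the form that actually says "takes nothing", and the neighbouring add_misc_params shows the file does comment its non-static functions. The contract a reader needs is the letter-to-flag mapping and the lifetime of the returned pointer, e.g. `/* Map the AFL_OPT_LEVEL letter held in opt_level to a -O flag: '0'..'3', 'z', 's', 'f' (-Ofast) and 'g' are accepted, anything else yields -O3. Returns a pointer into a static table; callers must not modify or free it. */`. Since opt_level is file-static and nothing on this page calls get_opt_level from another translation unit, the function could presumably be `static` as well, but that cannot be confirmed from this hunk.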
@@ -2592,7 +2628,7 @@ void add_misc_params(aflcc_state_t *aflcc) {
if (!getenv("AFL_DONT_OPTIMIZE")) {
insert_param(aflcc, "-g");
- if (!aflcc->have_o) insert_param(aflcc, "-O3");
+ if (!aflcc->have_o) insert_param(aflcc, get_opt_level());
if (!aflcc->have_unroll) insert_param(aflcc, "-funroll-loops");
// if (strlen(aflcc->march_opt) > 1 && aflcc->march_opt[0] == '-')
// insert_param(aflcc, aflcc->march_opt);
@@ -2922,6 +2958,8 @@ static void maybe_usage(aflcc_state_t *aflcc, int argc, char **argv) {
SAYF(
"\nGCC Plugin-specific environment variables:\n"
" AFL_GCC_CMPLOG: log operands of comparisons (RedQueen mutator)\n"
+ " AFL_GCC_DISABLE_VERSION_CHECK: disable GCC plugin version "
+ "control\n"
" AFL_GCC_OUT_OF_LINE: disable inlined instrumentation\n"
" AFL_GCC_SKIP_NEVERZERO: do not skip zero on trace counters\n"
" AFL_GCC_INSTRUMENT_FILE: enable selective instrumentation by "
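Review bot: The usage text gains AFL_GCC_DISABLE_VERSION_CHECK here, but AFL_OPT_LEVEL, which this same commit introduces in instrument_mode_new_environ and applies in add_misc_params, is not added to maybe_usage anywhere this hunk shows. A one-line entry next to the existing AFL_DONT_OPTIMIZE description (outside this hunk, so the exact placement cannot be checked here) would close the gap, e.g. `" AFL_OPT_LEVEL: optimization level letter (0-3, z, s, f, g; default 3), used when no -O is given\n"`. maybe_usage starts and ends outside this hunk.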
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index 51299009..9f619c14 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -495,9 +495,9 @@ static void report_error_and_exit(int error) {
FATAL(
"AFL_MAP_SIZE is not set and fuzzing target reports that the "
"required size is very large. Solution: Run the fuzzing target "
- "stand-alone with the environment variable AFL_DEBUG=1 set and set "
- "the value for __afl_final_loc in the AFL_MAP_SIZE environment "
- "variable for afl-fuzz.");
+ "stand-alone with the environment variable AFL_DUMP_MAP_SIZE=1 set "
+ "the displayed value in the AFL_MAP_SIZE environment variable for "
+ "afl-fuzz.");
break;
case FS_ERROR_MAP_ADDR:
FATAL(
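Review bot: The rewritten FATAL message on the three changed lines no longer reads as a sentence: `AFL_DUMP_MAP_SIZE=1 set the displayed value` lost the conjunction the old wording had ("set and set"), so the instruction the user is meant to follow when the forkserver aborts on a map-size mismatch is ambiguous. Suggest `"stand-alone with the environment variable AFL_DUMP_MAP_SIZE=1 set, then "` / `"put the displayed value in the AFL_MAP_SIZE environment variable for "` / `"afl-fuzz.");`. The enclosing switch in report_error_and_exit continues outside this hunk.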
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index a9397232..af6e6d4c 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -1714,13 +1714,15 @@ static u8 delete_files(u8 *path, u8 *prefix) {
while ((d_ent = readdir(d))) {
- if (d_ent->d_name[0] != '.' &&
- (!prefix || !strncmp(d_ent->d_name, prefix, strlen(prefix)))) {
+ if ((d_ent->d_name[0] != '.' &&
+ (!prefix || !strncmp(d_ent->d_name, prefix, strlen(prefix))))
+ /* heiko: don't forget the SHA1 files */
+ || strspn(d_ent->d_name, "0123456789abcdef") == 2 * 20 /* TODO use 2 * HASH_LENGTH */
+ ) {
u8 *fname = alloc_printf("%s/%s", path, d_ent->d_name);
if (unlink(fname)) { PFATAL("Unable to delete '%s'", fname); }
ck_free(fname);
-
}
}
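Review bot: The new `strspn(d_ent->d_name, "0123456789abcdef") == 2 * 20` clause matches any entry whose first 40 characters are lowercase hex, not only 40-character names, and it is OR-ed outside the prefix test, so delete_files now unlinks such entries regardless of the `prefix` the caller passed; if any caller relies on `prefix` to leave other files in the directory alone, that is a widening of what gets deleted. Requiring the name to end after the hash keeps the intent, e.g. `|| (strspn(d_ent->d_name, "0123456789abcdef") == 2 * 20 && d_ent->d_name[2 * 20] == '\0')`, and resolving the author's own TODO by using `2 * HASH_LENGTH` (if that constant is defined in this file) would remove the magic number. The `/* heiko: ... */` comment should also be rephrased to state the reason rather than the author, e.g. `/* also remove the hex-named (SHA1) files in this directory */`. delete_files starts and ends outside this hunk.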
diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c
index a7465330..e0127e54 100644
--- a/src/afl-fuzz-stats.c
+++ b/src/afl-fuzz-stats.c
@@ -56,6 +56,8 @@ char *get_fuzzing_state(afl_state_t *afl) {
if (unlikely(percent_cur >= 80 && percent_total >= 80)) {
+ if (unlikely(afl->afl_env.afl_exit_when_done)) { afl->stop_soon = 2; }
+
return fuzzing_state[3];
} else if (unlikely(percent_cur >= 55 && percent_total >= 55)) {
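Review bot: get_fuzzing_state now writes afl->stop_soon as a side effect of what its name suggests is a pure lookup, and the new trigger drops the `!afl->non_instrumented_mode` and `!afl->pending_not_fuzzed` guards that the blocks removed from show_stats_normal and show_stats_pizza had (hunks at lines 133-145 and 158-170). Whether the two >= 80 percentages already imply those conditions cannot be seen here; if they do not, AFL_EXIT_WHEN_DONE can now stop a run that still has unfuzzed queue entries, and any other caller of get_fuzzing_state would trigger the shutdown too. At minimum the side effect should be stated where it happens, e.g. `/* AFL_EXIT_WHEN_DONE: reaching the "done" state requests shutdown (side effect on afl->stop_soon). */`, and the function's header comment, which is outside this hunk, should mention it. get_fuzzing_state starts and ends outside this hunk.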
@@ -822,15 +824,6 @@ void show_stats_normal(afl_state_t *afl) {
}
- /* Honor AFL_EXIT_WHEN_DONE and AFL_BENCH_UNTIL_CRASH. */
-
- if (unlikely(!afl->non_instrumented_mode && afl->cycles_wo_finds > 100 &&
- !afl->pending_not_fuzzed && afl->afl_env.afl_exit_when_done)) {
-
- afl->stop_soon = 2;
-
- }
-
/* AFL_EXIT_ON_TIME. */
/* If no coverage was found yet, check whether run time is greater than
@@ -998,14 +991,14 @@ void show_stats_normal(afl_state_t *afl) {
} else
/* Subsequent cycles, but we're still making finds. */
- if (afl->cycles_wo_finds < 25 || min_wo_finds < 30) {
+ if (afl->cycles_wo_finds < 2 || min_wo_finds <= 30) {
strcpy(tmp, cYEL);
} else
/* No finds for a long time and no test cases to try. */
- if (afl->cycles_wo_finds > 100 && !afl->pending_not_fuzzed &&
+ if (afl->cycles_wo_finds > 1 && !afl->pending_not_fuzzed &&
min_wo_finds > 120) {
strcpy(tmp, cLGN);
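Review bot: The comments above the changed conditions no longer describe them: `/* No finds for a long time and no test cases to try. */` now guards `afl->cycles_wo_finds > 1`, and `/* Subsequent cycles, but we're still making finds. */` guards `< 2`, so "a long time" means two cycles without the comment saying so. The same literals are edited by hand again in show_stats_pizza (hunk at lines 171-182), which is exactly how the two functions drift; a shared named constant pair, e.g. `enum { CYCLES_WO_FINDS_WARN = 2, MIN_WO_FINDS_WARN = 30 };` used by both, would keep them in step. The `< 30` to `<= 30` boundary change is presumably intentional but is not explained anywhere visible here. show_stats_normal starts and ends outside this hunk.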
@@ -1656,15 +1649,6 @@ void show_stats_pizza(afl_state_t *afl) {
}
- /* Honor AFL_EXIT_WHEN_DONE and AFL_BENCH_UNTIL_CRASH. */
-
- if (unlikely(!afl->non_instrumented_mode && afl->cycles_wo_finds > 100 &&
- !afl->pending_not_fuzzed && afl->afl_env.afl_exit_when_done)) {
-
- afl->stop_soon = 2;
-
- }
-
/* AFL_EXIT_ON_TIME. */
/* If no coverage was found yet, check whether run time is greater than
@@ -1813,14 +1797,14 @@ void show_stats_pizza(afl_state_t *afl) {
} else
/* Subsequent cycles, but we're still making finds. */
- if (afl->cycles_wo_finds < 25 || min_wo_finds < 30) {
+ if (afl->cycles_wo_finds < 2 || min_wo_finds <= 30) {
strcpy(tmp, cYEL);
} else
/* No finds for a long time and no test cases to try. */
- if (afl->cycles_wo_finds > 100 && !afl->pending_not_fuzzed &&
+ if (afl->cycles_wo_finds > 1 && !afl->pending_not_fuzzed &&
min_wo_finds > 120) {
strcpy(tmp, cLGN);
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 7a940031..c61eae1f 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -2937,9 +2937,9 @@ int main(int argc, char **argv_orig, char **envp) {
3600 */
)) {
- if (afl->use_splicing) {
+ ++afl->cycles_wo_finds;
- ++afl->cycles_wo_finds;
+ if (afl->use_splicing) {
if (unlikely(afl->shm.cmplog_mode &&
afl->cmplog_max_filesize < MAX_FILE)) {