From 920e9402a4d6101bbbed2ef7584d85a3c3de0eaa Mon Sep 17 00:00:00 2001
From: Joshua Rogers <jrogers@opera.com>
Date: Fri, 2 Apr 2021 22:23:11 +0000
Subject:  Add support for standalone leak-sanitizer, introducting the
 environment variable AFL_USE_LSAN.

AFL_USE_LSAN introduces the macro __AFL_CHECK_LEAK() which will check
for a memory leak when the macro is run. This is especially helpful
when using __AFL_LOOP().

If __AFL_LEAK_CHECK() is not used when AFL_USE_LSAN=1 is set,
the leak checker will run when the program exits.
---
 src/afl-analyze.c    | 19 +++++++++++++++++++
 src/afl-as.c         |  7 ++++---
 src/afl-cc.c         | 16 ++++++++++++++--
 src/afl-forkserver.c | 17 +++++++++++++----
 src/afl-fuzz-init.c  | 17 ++++++++++++++++-
 src/afl-showmap.c    |  4 ++++
 src/afl-tmin.c       | 18 ++++++++++++++++++
 7 files changed, 88 insertions(+), 10 deletions(-)

(limited to 'src')

diff --git a/src/afl-analyze.c b/src/afl-analyze.c
index 86b0f7e9..90305714 100644
--- a/src/afl-analyze.c
+++ b/src/afl-analyze.c
@@ -781,6 +781,19 @@ static void set_up_environment(void) {
 
   }
 
+  x = get_afl_env("LSAN_OPTIONS");
+
+  if (x) {
+
+    if (!strstr(x, "exit_code=" STRINGIFY(LSAN_ERROR))) {
+
+      FATAL("Custom LSAN_OPTIONS set without exit_code=" STRINGIFY(
+          LSAN_ERROR) " - please fix!");
+
+    }
+
+  }
+
   setenv("ASAN_OPTIONS",
          "abort_on_error=1:"
          "detect_leaks=0:"
@@ -818,6 +831,12 @@ static void set_up_environment(void) {
                          "handle_sigfpe=0:"
                          "handle_sigill=0", 0);
 
+   setenv("LSAN_OPTIONS",
+         "exitcode=" STRINGIFY(MSAN_ERROR) ":"
+         "fast_unwind_on_malloc=0",
+         0);
+
+
   if (get_afl_env("AFL_PRELOAD")) {
 
     if (qemu_mode) {
diff --git a/src/afl-as.c b/src/afl-as.c
index 7de267a3..dfae44f2 100644
--- a/src/afl-as.c
+++ b/src/afl-as.c
@@ -517,11 +517,12 @@ static void add_instrumentation(void) {
     } else {
 
       char modeline[100];
-      snprintf(modeline, sizeof(modeline), "%s%s%s%s",
+      snprintf(modeline, sizeof(modeline), "%s%s%s%s%s",
                getenv("AFL_HARDEN") ? "hardened" : "non-hardened",
                getenv("AFL_USE_ASAN") ? ", ASAN" : "",
                getenv("AFL_USE_MSAN") ? ", MSAN" : "",
-               getenv("AFL_USE_UBSAN") ? ", UBSAN" : "");
+               getenv("AFL_USE_UBSAN") ? ", UBSAN" : "",
+               getenv("AFL_USE_LSAN") ? ", LSAN" : "");
 
       OKF("Instrumented %u locations (%s-bit, %s mode, ratio %u%%).", ins_lines,
           use_64bit ? "64" : "32", modeline, inst_ratio);
@@ -585,7 +586,7 @@ int main(int argc, char **argv) {
         "AFL_QUIET: suppress verbose output\n"
         "AFL_KEEP_ASSEMBLY: leave instrumented assembly files\n"
         "AFL_AS_FORCE_INSTRUMENT: force instrumentation for asm sources\n"
-        "AFL_HARDEN, AFL_USE_ASAN, AFL_USE_MSAN, AFL_USE_UBSAN:\n"
+        "AFL_HARDEN, AFL_USE_ASAN, AFL_USE_MSAN, AFL_USE_UBSAN, AFL_USE_LSAN:\n"
         "  used in the instrumentation summary message\n",
         argv[0]);
 
diff --git a/src/afl-cc.c b/src/afl-cc.c
index 5251465b..e0478503 100644
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
@@ -758,7 +758,7 @@ static void edit_params(u32 argc, char **argv, char **envp) {
     if (!strncmp(cur, "-fsanitize-coverage-", 20) && strstr(cur, "list="))
       have_instr_list = 1;
 
-    if (!strcmp(cur, "-fsanitize=address") || !strcmp(cur, "-fsanitize=memory"))
+    if (!(strcmp(cur, "-fsanitize=address") && strcmp(cur, "-fsanitize=memory")))
       asan_set = 1;
 
     if (strstr(cur, "FORTIFY_SOURCE")) fortify_set = 1;
@@ -817,6 +817,10 @@ static void edit_params(u32 argc, char **argv, char **envp) {
 
   }
 
+  if (getenv("AFL_USE_LSAN")) {
+    cc_params[cc_par_cnt++] = "-fsanitize=leak";
+  }
+
   if (getenv("AFL_USE_CFISAN")) {
 
     if (!lto_mode) {
@@ -914,6 +918,13 @@ static void edit_params(u32 argc, char **argv, char **envp) {
 
   }
 
+  if (getenv("AFL_USE_LSAN")) {
+    cc_params[cc_par_cnt++] = "-includesanitizer/lsan_interface.h";
+  }
+
+  cc_params[cc_par_cnt++] =
+      "-D__AFL_CHECK_LEAK()=__lsan_do_leak_check()";
+
   cc_params[cc_par_cnt++] =
       "-D__AFL_COVERAGE_START_OFF()=int __afl_selective_coverage_start_off = "
       "1;";
@@ -1740,7 +1751,8 @@ int main(int argc, char **argv, char **envp) {
           "  AFL_USE_ASAN: activate address sanitizer\n"
           "  AFL_USE_CFISAN: activate control flow sanitizer\n"
           "  AFL_USE_MSAN: activate memory sanitizer\n"
-          "  AFL_USE_UBSAN: activate undefined behaviour sanitizer\n");
+          "  AFL_USE_UBSAN: activate undefined behaviour sanitizer\n"
+          "  AFL_USE_LSAN: activate leak-checker sanitizer\n");
 
       if (have_gcc_plugin)
         SAYF(
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index 68995388..fa89713a 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -483,7 +483,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
 
     if (!getenv("LD_BIND_LAZY")) { setenv("LD_BIND_NOW", "1", 1); }
 
-    /* Set sane defaults for ASAN if nothing else specified. */
+    /* Set sane defaults for ASAN if nothing else is specified. */
 
     if (!getenv("ASAN_OPTIONS"))
       setenv("ASAN_OPTIONS",
@@ -500,7 +500,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
              "handle_sigill=0",
              1);
 
-    /* Set sane defaults for UBSAN if nothing else specified. */
+    /* Set sane defaults for UBSAN if nothing else is specified. */
 
     if (!getenv("UBSAN_OPTIONS"))
       setenv("UBSAN_OPTIONS",
@@ -538,6 +538,14 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
            "handle_sigill=0",
            1);
 
+    /* LSAN, too, does not support abort_on_error=1. */
+
+    if (!getenv("LSAN_OPTIONS"))
+     setenv("LSAN_OPTIONS",
+            "exitcode=" STRINGIFY(LSAN_ERROR) ":"
+            "fast_unwind_on_malloc=0",
+            1);
+
     fsrv->init_child_func(fsrv, argv);
 
     /* Use a distinctive bitmap signature to tell the parent about execv()
@@ -1210,8 +1218,9 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout,
   if (unlikely(
           /* A normal crash/abort */
           (WIFSIGNALED(fsrv->child_status)) ||
-          /* special handling for msan */
-          (fsrv->uses_asan && WEXITSTATUS(fsrv->child_status) == MSAN_ERROR) ||
+          /* special handling for msan and lsan */
+          (fsrv->uses_asan && (WEXITSTATUS(fsrv->child_status) == MSAN_ERROR ||
+          WEXITSTATUS(fsrv->child_status) == LSAN_ERROR)) ||
           /* the custom crash_exitcode was returned by the target */
           (fsrv->uses_crash_exitcode &&
            WEXITSTATUS(fsrv->child_status) == fsrv->crash_exitcode))) {
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index 82c1799e..24f5c5b5 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -2466,6 +2466,20 @@ void check_asan_opts(afl_state_t *afl) {
 
   }
 
+  x = get_afl_env("LSAN_OPTIONS");
+
+  if (x) {
+
+    if (!strstr(x, "exit_code=" STRINGIFY(LSAN_ERROR))) {
+
+      FATAL("Custom LSAN_OPTIONS set without exit_code=" STRINGIFY(
+          LSAN_ERROR) " - please fix!");
+
+    }
+
+  }
+
+
 }
 
 /* Handle stop signal (Ctrl-C, etc). */
@@ -2711,7 +2725,8 @@ void check_binary(afl_state_t *afl, u8 *fname) {
   }
 
   if (memmem(f_data, f_len, "__asan_init", 11) ||
-      memmem(f_data, f_len, "__msan_init", 11)) {
+      memmem(f_data, f_len, "__msan_init", 11) ||
+      memmem(f_data, f_len, "__lsan_init", 11)) {
 
     afl->fsrv.uses_asan = 1;
 
diff --git a/src/afl-showmap.c b/src/afl-showmap.c
index 7bf5a9c7..bf076683 100644
--- a/src/afl-showmap.c
+++ b/src/afl-showmap.c
@@ -570,6 +570,10 @@ static void set_up_environment(afl_forkserver_t *fsrv) {
          "handle_sigfpe=0:"
          "handle_sigill=0",
          0);
+  setenv("LSAN_OPTIONS",
+         "exitcode=" STRINGIFY(LSAN_ERROR) ":"
+         "fast_unwind_on_malloc=0",
+          0);
 
   setenv("UBSAN_OPTIONS",
          "halt_on_error=1:"
diff --git a/src/afl-tmin.c b/src/afl-tmin.c
index 7ef8b9bf..a2741a07 100644
--- a/src/afl-tmin.c
+++ b/src/afl-tmin.c
@@ -712,6 +712,19 @@ static void set_up_environment(afl_forkserver_t *fsrv) {
 
   }
 
+  x = get_afl_env("LSAN_OPTIONS");
+
+  if (x) {
+
+    if (!strstr(x, "exit_code=" STRINGIFY(LSAN_ERROR))) {
+
+      FATAL("Custom LSAN_OPTIONS set without exit_code=" STRINGIFY(
+          LSAN_ERROR) " - please fix!");
+
+    }
+
+  }
+
   setenv("ASAN_OPTIONS",
          "abort_on_error=1:"
          "detect_leaks=0:"
@@ -749,6 +762,11 @@ static void set_up_environment(afl_forkserver_t *fsrv) {
                          "handle_sigfpe=0:"
                          "handle_sigill=0", 0);
 
+   setenv("LSAN_OPTIONS",
+         "exitcode=" STRINGIFY(LSAN_ERROR) ":"
+         "fast_unwind_on_malloc=0",
+         0);
+
   if (get_afl_env("AFL_PRELOAD")) {
 
     if (fsrv->qemu_mode) {
-- 
cgit v1.2.3


From 6514e33ab6733dd4e7ae0d3eeec83db06b3f451f Mon Sep 17 00:00:00 2001
From: Joshua Rogers <jrogers@opera.com>
Date: Fri, 2 Apr 2021 22:32:38 +0000
Subject: Replace __AFL_CHECK_LEAK with __AFL_LEAK_CHECK to be more proper.

Fix spelling mistakes.

Correctly call LSAN_ERROR not MSAN_ERROR.
---
 src/afl-analyze.c | 2 +-
 src/afl-cc.c      | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

(limited to 'src')

diff --git a/src/afl-analyze.c b/src/afl-analyze.c
index 90305714..f961f13a 100644
--- a/src/afl-analyze.c
+++ b/src/afl-analyze.c
@@ -832,7 +832,7 @@ static void set_up_environment(void) {
                          "handle_sigill=0", 0);
 
    setenv("LSAN_OPTIONS",
-         "exitcode=" STRINGIFY(MSAN_ERROR) ":"
+         "exitcode=" STRINGIFY(LSAN_ERROR) ":"
          "fast_unwind_on_malloc=0",
          0);
 
diff --git a/src/afl-cc.c b/src/afl-cc.c
index e0478503..975b28d1 100644
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
@@ -923,7 +923,7 @@ static void edit_params(u32 argc, char **argv, char **envp) {
   }
 
   cc_params[cc_par_cnt++] =
-      "-D__AFL_CHECK_LEAK()=__lsan_do_leak_check()";
+      "-D__AFL_LEAK_CHECK()=__lsan_do_leak_check()";
 
   cc_params[cc_par_cnt++] =
       "-D__AFL_COVERAGE_START_OFF()=int __afl_selective_coverage_start_off = "
-- 
cgit v1.2.3


From afc4da47f78a24d5e441e3815e5b322d1b27fd56 Mon Sep 17 00:00:00 2001
From: Joshua Rogers <jrogers@opera.com>
Date: Sat, 3 Apr 2021 14:50:35 +0000
Subject: Fix typos, Use symbolize=0 for LSAN, Remove syntactic sugar.

---
 src/afl-analyze.c    | 8 ++++----
 src/afl-cc.c         | 2 +-
 src/afl-forkserver.c | 3 ++-
 src/afl-fuzz-init.c  | 5 ++---
 src/afl-showmap.c    | 4 +++-
 src/afl-tmin.c       | 3 ++-
 6 files changed, 14 insertions(+), 11 deletions(-)

(limited to 'src')

diff --git a/src/afl-analyze.c b/src/afl-analyze.c
index f961f13a..38a40556 100644
--- a/src/afl-analyze.c
+++ b/src/afl-analyze.c
@@ -785,10 +785,9 @@ static void set_up_environment(void) {
 
   if (x) {
 
-    if (!strstr(x, "exit_code=" STRINGIFY(LSAN_ERROR))) {
+    if (!strstr(x, "symbolize=0")) {
 
-      FATAL("Custom LSAN_OPTIONS set without exit_code=" STRINGIFY(
-          LSAN_ERROR) " - please fix!");
+      FATAL("Custom LSAN_OPTIONS set without symbolize=0 - please fix!");
 
     }
 
@@ -833,7 +832,8 @@ static void set_up_environment(void) {
 
    setenv("LSAN_OPTIONS",
          "exitcode=" STRINGIFY(LSAN_ERROR) ":"
-         "fast_unwind_on_malloc=0",
+         "fast_unwind_on_malloc=0:"
+         "symbolize=0",
          0);
 
 
diff --git a/src/afl-cc.c b/src/afl-cc.c
index 975b28d1..650e4e43 100644
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
@@ -758,7 +758,7 @@ static void edit_params(u32 argc, char **argv, char **envp) {
     if (!strncmp(cur, "-fsanitize-coverage-", 20) && strstr(cur, "list="))
       have_instr_list = 1;
 
-    if (!(strcmp(cur, "-fsanitize=address") && strcmp(cur, "-fsanitize=memory")))
+    if (!strcmp(cur, "-fsanitize=address") || !strcmp(cur, "-fsanitize=memory"))
       asan_set = 1;
 
     if (strstr(cur, "FORTIFY_SOURCE")) fortify_set = 1;
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index fa89713a..f102b73b 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -543,7 +543,8 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
     if (!getenv("LSAN_OPTIONS"))
      setenv("LSAN_OPTIONS",
             "exitcode=" STRINGIFY(LSAN_ERROR) ":"
-            "fast_unwind_on_malloc=0",
+            "fast_unwind_on_malloc=0:"
+            "symbolize=0",
             1);
 
     fsrv->init_child_func(fsrv, argv);
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index 24f5c5b5..6f663021 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -2470,10 +2470,9 @@ void check_asan_opts(afl_state_t *afl) {
 
   if (x) {
 
-    if (!strstr(x, "exit_code=" STRINGIFY(LSAN_ERROR))) {
+    if (!strstr(x, "symbolize=0")) {
 
-      FATAL("Custom LSAN_OPTIONS set without exit_code=" STRINGIFY(
-          LSAN_ERROR) " - please fix!");
+      FATAL("Custom LSAN_OPTIONS set without symbolize=0 - please fix!");
 
     }
 
diff --git a/src/afl-showmap.c b/src/afl-showmap.c
index bf076683..2b7d200b 100644
--- a/src/afl-showmap.c
+++ b/src/afl-showmap.c
@@ -570,9 +570,11 @@ static void set_up_environment(afl_forkserver_t *fsrv) {
          "handle_sigfpe=0:"
          "handle_sigill=0",
          0);
+
   setenv("LSAN_OPTIONS",
          "exitcode=" STRINGIFY(LSAN_ERROR) ":"
-         "fast_unwind_on_malloc=0",
+         "fast_unwind_on_malloc=0:"
+         "symbolize=0",
           0);
 
   setenv("UBSAN_OPTIONS",
diff --git a/src/afl-tmin.c b/src/afl-tmin.c
index a2741a07..c257b67c 100644
--- a/src/afl-tmin.c
+++ b/src/afl-tmin.c
@@ -764,7 +764,8 @@ static void set_up_environment(afl_forkserver_t *fsrv) {
 
    setenv("LSAN_OPTIONS",
          "exitcode=" STRINGIFY(LSAN_ERROR) ":"
-         "fast_unwind_on_malloc=0",
+         "fast_unwind_on_malloc=0:"
+         "symbolize=0",
          0);
 
   if (get_afl_env("AFL_PRELOAD")) {
-- 
cgit v1.2.3


From fee74700836c3694c2037c1e708846150e52d5bd Mon Sep 17 00:00:00 2001
From: Joshua Rogers <jrogers@opera.com>
Date: Sat, 3 Apr 2021 14:57:52 +0000
Subject: Remove check for exit_code on LSAN and replace it with check for
 symbolize=0.

---
 src/afl-tmin.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

(limited to 'src')

diff --git a/src/afl-tmin.c b/src/afl-tmin.c
index c257b67c..3a196e2e 100644
--- a/src/afl-tmin.c
+++ b/src/afl-tmin.c
@@ -716,10 +716,9 @@ static void set_up_environment(afl_forkserver_t *fsrv) {
 
   if (x) {
 
-    if (!strstr(x, "exit_code=" STRINGIFY(LSAN_ERROR))) {
+    if (!strstr(x, "symbolize=0")) {
 
-      FATAL("Custom LSAN_OPTIONS set without exit_code=" STRINGIFY(
-          LSAN_ERROR) " - please fix!");
+      FATAL("Custom LSAN_OPTIONS set without symbolize=0 - please fix!");
 
     }
 
-- 
cgit v1.2.3


From 99819cf5d1cbc262810f26098a5796c9d1262bc5 Mon Sep 17 00:00:00 2001
From: Joshua Rogers <jrogers@opera.com>
Date: Sun, 4 Apr 2021 12:45:52 +0000
Subject: Move definition of __AFL_LEAK_CHECK inside ifguards, use
 LSAN_OPTIONS=print_suppressions=0

---
 src/afl-analyze.c    |  3 ++-
 src/afl-cc.c         | 10 +++-------
 src/afl-forkserver.c |  3 ++-
 src/afl-showmap.c    |  3 ++-
 src/afl-tmin.c       |  3 ++-
 5 files changed, 11 insertions(+), 11 deletions(-)

(limited to 'src')

diff --git a/src/afl-analyze.c b/src/afl-analyze.c
index 38a40556..f4436980 100644
--- a/src/afl-analyze.c
+++ b/src/afl-analyze.c
@@ -833,7 +833,8 @@ static void set_up_environment(void) {
    setenv("LSAN_OPTIONS",
          "exitcode=" STRINGIFY(LSAN_ERROR) ":"
          "fast_unwind_on_malloc=0:"
-         "symbolize=0",
+         "symbolize=0:"
+         "print_suppressions=0",
          0);
 
 
diff --git a/src/afl-cc.c b/src/afl-cc.c
index 650e4e43..e2dd06e2 100644
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
@@ -819,6 +819,9 @@ static void edit_params(u32 argc, char **argv, char **envp) {
 
   if (getenv("AFL_USE_LSAN")) {
     cc_params[cc_par_cnt++] = "-fsanitize=leak";
+    cc_params[cc_par_cnt++] = "-includesanitizer/lsan_interface.h";
+    cc_params[cc_par_cnt++] =
+        "-D__AFL_LEAK_CHECK()=__lsan_do_leak_check()";
   }
 
   if (getenv("AFL_USE_CFISAN")) {
@@ -918,13 +921,6 @@ static void edit_params(u32 argc, char **argv, char **envp) {
 
   }
 
-  if (getenv("AFL_USE_LSAN")) {
-    cc_params[cc_par_cnt++] = "-includesanitizer/lsan_interface.h";
-  }
-
-  cc_params[cc_par_cnt++] =
-      "-D__AFL_LEAK_CHECK()=__lsan_do_leak_check()";
-
   cc_params[cc_par_cnt++] =
       "-D__AFL_COVERAGE_START_OFF()=int __afl_selective_coverage_start_off = "
       "1;";
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index f102b73b..ac7a1600 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -544,7 +544,8 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
      setenv("LSAN_OPTIONS",
             "exitcode=" STRINGIFY(LSAN_ERROR) ":"
             "fast_unwind_on_malloc=0:"
-            "symbolize=0",
+            "symbolize=0:"
+            "print_suppressions=0",
             1);
 
     fsrv->init_child_func(fsrv, argv);
diff --git a/src/afl-showmap.c b/src/afl-showmap.c
index 2b7d200b..df91a4c2 100644
--- a/src/afl-showmap.c
+++ b/src/afl-showmap.c
@@ -574,7 +574,8 @@ static void set_up_environment(afl_forkserver_t *fsrv) {
   setenv("LSAN_OPTIONS",
          "exitcode=" STRINGIFY(LSAN_ERROR) ":"
          "fast_unwind_on_malloc=0:"
-         "symbolize=0",
+         "symbolize=0:"
+         "print_suppressions=0",
           0);
 
   setenv("UBSAN_OPTIONS",
diff --git a/src/afl-tmin.c b/src/afl-tmin.c
index 3a196e2e..eb5e0dcf 100644
--- a/src/afl-tmin.c
+++ b/src/afl-tmin.c
@@ -764,7 +764,8 @@ static void set_up_environment(afl_forkserver_t *fsrv) {
    setenv("LSAN_OPTIONS",
          "exitcode=" STRINGIFY(LSAN_ERROR) ":"
          "fast_unwind_on_malloc=0:"
-         "symbolize=0",
+         "symbolize=0:"
+         "print_suppressions=0",
          0);
 
   if (get_afl_env("AFL_PRELOAD")) {
-- 
cgit v1.2.3


From 3c846859eef4d17d2587ea28db83c680b51723a7 Mon Sep 17 00:00:00 2001
From: vanhauser-thc <vh@thc.org>
Date: Sun, 4 Apr 2021 20:05:02 +0200
Subject: cleanup

---
 src/afl-analyze.c    | 3 +--
 src/afl-cc.c         | 5 +++--
 src/afl-forkserver.c | 7 ++++---
 src/afl-fuzz-init.c  | 1 -
 src/afl-tmin.c       | 2 +-
 5 files changed, 9 insertions(+), 9 deletions(-)

(limited to 'src')

diff --git a/src/afl-analyze.c b/src/afl-analyze.c
index 7d7519fa..aabdbf1a 100644
--- a/src/afl-analyze.c
+++ b/src/afl-analyze.c
@@ -833,14 +833,13 @@ static void set_up_environment(char **argv) {
                          "handle_sigfpe=0:"
                          "handle_sigill=0", 0);
 
-   setenv("LSAN_OPTIONS",
+  setenv("LSAN_OPTIONS",
          "exitcode=" STRINGIFY(LSAN_ERROR) ":"
          "fast_unwind_on_malloc=0:"
          "symbolize=0:"
          "print_suppressions=0",
          0);
 
-
   if (get_afl_env("AFL_PRELOAD")) {
 
     if (qemu_mode) {
diff --git a/src/afl-cc.c b/src/afl-cc.c
index d4c0a6b7..3af31b3c 100644
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
@@ -820,10 +820,11 @@ static void edit_params(u32 argc, char **argv, char **envp) {
   }
 
   if (getenv("AFL_USE_LSAN")) {
+
     cc_params[cc_par_cnt++] = "-fsanitize=leak";
     cc_params[cc_par_cnt++] = "-includesanitizer/lsan_interface.h";
-    cc_params[cc_par_cnt++] =
-        "-D__AFL_LEAK_CHECK()=__lsan_do_leak_check()";
+    cc_params[cc_par_cnt++] = "-D__AFL_LEAK_CHECK()=__lsan_do_leak_check()";
+
   }
 
   if (getenv("AFL_USE_CFISAN")) {
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index cd04e23d..2c502621 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -560,7 +560,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
     /* LSAN, too, does not support abort_on_error=1. */
 
     if (!getenv("LSAN_OPTIONS"))
-     setenv("LSAN_OPTIONS",
+      setenv("LSAN_OPTIONS",
             "exitcode=" STRINGIFY(LSAN_ERROR) ":"
             "fast_unwind_on_malloc=0:"
             "symbolize=0:"
@@ -1314,8 +1314,9 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout,
           /* A normal crash/abort */
           (WIFSIGNALED(fsrv->child_status)) ||
           /* special handling for msan and lsan */
-          (fsrv->uses_asan && (WEXITSTATUS(fsrv->child_status) == MSAN_ERROR ||
-          WEXITSTATUS(fsrv->child_status) == LSAN_ERROR)) ||
+          (fsrv->uses_asan &&
+           (WEXITSTATUS(fsrv->child_status) == MSAN_ERROR ||
+            WEXITSTATUS(fsrv->child_status) == LSAN_ERROR)) ||
           /* the custom crash_exitcode was returned by the target */
           (fsrv->uses_crash_exitcode &&
            WEXITSTATUS(fsrv->child_status) == fsrv->crash_exitcode))) {
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index 48f3289d..e505abd4 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -2502,7 +2502,6 @@ void check_asan_opts(afl_state_t *afl) {
 
   }
 
-
 }
 
 /* Handle stop signal (Ctrl-C, etc). */
diff --git a/src/afl-tmin.c b/src/afl-tmin.c
index 6aad748c..6656712a 100644
--- a/src/afl-tmin.c
+++ b/src/afl-tmin.c
@@ -763,7 +763,7 @@ static void set_up_environment(afl_forkserver_t *fsrv, char **argv) {
                          "handle_sigfpe=0:"
                          "handle_sigill=0", 0);
 
-   setenv("LSAN_OPTIONS",
+  setenv("LSAN_OPTIONS",
          "exitcode=" STRINGIFY(LSAN_ERROR) ":"
          "fast_unwind_on_malloc=0:"
          "symbolize=0:"
-- 
cgit v1.2.3


From bfe7e3fd55cc4cfc8ae334b68095e7b26b8ec8a5 Mon Sep 17 00:00:00 2001
From: vanhauser-thc <vh@thc.org>
Date: Wed, 7 Apr 2021 14:20:50 +0200
Subject: fix forkserver timeout error msg

---
 src/afl-forkserver.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index 2c502621..727e7f8d 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -821,7 +821,9 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
 
   if (fsrv->last_run_timed_out) {
 
-    FATAL("Timeout while initializing fork server (adjusting -t may help)");
+    FATAL(
+        "Timeout while initializing fork server (setting "
+        "AFL_FORKSRV_INIT_TMOUT may help)");
 
   }
 
-- 
cgit v1.2.3


From 9c517199b25e5fb43c38737021002249fd506ad7 Mon Sep 17 00:00:00 2001
From: vanhauser-thc <vh@thc.org>
Date: Thu, 8 Apr 2021 10:03:36 +0200
Subject: removed -lc++ linking for lto

---
 src/afl-cc.c | 3 ---
 1 file changed, 3 deletions(-)

(limited to 'src')

diff --git a/src/afl-cc.c b/src/afl-cc.c
index 3af31b3c..1f89bac5 100644
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
@@ -430,9 +430,6 @@ static void edit_params(u32 argc, char **argv, char **envp) {
 
     cc_params[cc_par_cnt++] = "-Wno-unused-command-line-argument";
 
-    if (lto_mode && plusplus_mode)
-      cc_params[cc_par_cnt++] = "-lc++";  // needed by fuzzbench, early
-
     if (lto_mode && have_instr_env) {
 
       cc_params[cc_par_cnt++] = "-Xclang";
-- 
cgit v1.2.3


From 019b26de58a4e7eb4b95aab6425beba4efb853f4 Mon Sep 17 00:00:00 2001
From: vanhauser-thc <vh@thc.org>
Date: Fri, 9 Apr 2021 11:19:40 +0200
Subject: fix afl_custom_queue_new_entry when syncing

---
 src/afl-fuzz-queue.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c
index e5f51a6c..811e805c 100644
--- a/src/afl-fuzz-queue.c
+++ b/src/afl-fuzz-queue.c
@@ -478,7 +478,11 @@ void add_to_queue(afl_state_t *afl, u8 *fname, u32 len, u8 passed_det) {
         u8 *fname_orig = NULL;
 
         /* At the initialization stage, queue_cur is NULL */
-        if (afl->queue_cur) fname_orig = afl->queue_cur->fname;
+        if (afl->queue_cur && !afl->syncing_party) {
+
+          fname_orig = afl->queue_cur->fname;
+
+        }
 
         el->afl_custom_queue_new_entry(el->data, fname, fname_orig);
 
-- 
cgit v1.2.3


From c19d1f0c7519fe7d1234e695c497a78f24aaf8b7 Mon Sep 17 00:00:00 2001
From: vanhauser-thc <vh@thc.org>
Date: Fri, 9 Apr 2021 12:22:16 +0200
Subject: update grammar-mutator, show better fuzzing strategy yields

---
 src/afl-fuzz-stats.c | 72 ++++++++++++++++++++++++++++++++--------------------
 1 file changed, 45 insertions(+), 27 deletions(-)

(limited to 'src')

diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c
index 2c814d90..b9a94ac3 100644
--- a/src/afl-fuzz-stats.c
+++ b/src/afl-fuzz-stats.c
@@ -861,9 +861,9 @@ void show_stats(afl_state_t *afl) {
        " fuzzing strategy yields " bSTG bH10 bHT bH10 bH5 bHB bH bSTOP cCYA
        " path geometry " bSTG bH5 bH2 bVL "\n");
 
-  if (afl->skip_deterministic) {
+  if (likely(afl->skip_deterministic)) {
 
-    strcpy(tmp, "n/a, n/a, n/a");
+    strcpy(tmp, "disabled (default, enable with -D)");
 
   } else {
 
@@ -881,7 +881,7 @@ void show_stats(afl_state_t *afl) {
                 "    levels : " cRST "%-10s" bSTG       bV "\n",
        tmp, u_stringify_int(IB(0), afl->max_depth));
 
-  if (!afl->skip_deterministic) {
+  if (unlikely(!afl->skip_deterministic)) {
 
     sprintf(tmp, "%s/%s, %s/%s, %s/%s",
             u_stringify_int(IB(0), afl->stage_finds[STAGE_FLIP8]),
@@ -897,7 +897,7 @@ void show_stats(afl_state_t *afl) {
                 "   pending : " cRST "%-10s" bSTG       bV "\n",
        tmp, u_stringify_int(IB(0), afl->pending_not_fuzzed));
 
-  if (!afl->skip_deterministic) {
+  if (unlikely(!afl->skip_deterministic)) {
 
     sprintf(tmp, "%s/%s, %s/%s, %s/%s",
             u_stringify_int(IB(0), afl->stage_finds[STAGE_ARITH8]),
@@ -913,7 +913,7 @@ void show_stats(afl_state_t *afl) {
                 "  pend fav : " cRST "%-10s" bSTG       bV "\n",
        tmp, u_stringify_int(IB(0), afl->pending_favored));
 
-  if (!afl->skip_deterministic) {
+  if (unlikely(!afl->skip_deterministic)) {
 
     sprintf(tmp, "%s/%s, %s/%s, %s/%s",
             u_stringify_int(IB(0), afl->stage_finds[STAGE_INTEREST8]),
@@ -929,7 +929,7 @@ void show_stats(afl_state_t *afl) {
                 " own finds : " cRST "%-10s" bSTG       bV "\n",
        tmp, u_stringify_int(IB(0), afl->queued_discovered));
 
-  if (!afl->skip_deterministic) {
+  if (unlikely(!afl->skip_deterministic)) {
 
     sprintf(tmp, "%s/%s, %s/%s, %s/%s",
             u_stringify_int(IB(0), afl->stage_finds[STAGE_EXTRAS_UO]),
@@ -974,35 +974,52 @@ void show_stats(afl_state_t *afl) {
                   : cRST),
        tmp);
 
-  if (afl->shm.cmplog_mode) {
+  if (unlikely(afl->afl_env.afl_python_module)) {
 
-    sprintf(tmp, "%s/%s, %s/%s, %s/%s, %s/%s",
+    sprintf(tmp, "%s/%s, ",
             u_stringify_int(IB(0), afl->stage_finds[STAGE_PYTHON]),
-            u_stringify_int(IB(1), afl->stage_cycles[STAGE_PYTHON]),
-            u_stringify_int(IB(2), afl->stage_finds[STAGE_CUSTOM_MUTATOR]),
-            u_stringify_int(IB(3), afl->stage_cycles[STAGE_CUSTOM_MUTATOR]),
+            u_stringify_int(IB(1), afl->stage_cycles[STAGE_PYTHON]));
+
+  } else {
+
+    strcpy(tmp, "unused, ");
+
+  }
+
+  if (unlikely(afl->afl_env.afl_custom_mutator_library)) {
+
+    sprintf(tmp, "%s%s/%s, ", tmp,
+            u_stringify_int(IB(2), afl->stage_finds[STAGE_PYTHON]),
+            u_stringify_int(IB(3), afl->stage_cycles[STAGE_PYTHON]));
+
+  } else {
+
+    strcat(tmp, "unused, ");
+
+  }
+
+  if (unlikely(afl->shm.cmplog_mode)) {
+
+    sprintf(tmp, "%s%s/%s, %s/%s", tmp,
             u_stringify_int(IB(4), afl->stage_finds[STAGE_COLORIZATION]),
             u_stringify_int(IB(5), afl->stage_cycles[STAGE_COLORIZATION]),
             u_stringify_int(IB(6), afl->stage_finds[STAGE_ITS]),
             u_stringify_int(IB(7), afl->stage_cycles[STAGE_ITS]));
 
-    SAYF(bV bSTOP "   custom/rq : " cRST "%-36s " bSTG bVR bH20 bH2 bH bRB "\n",
-         tmp);
-
   } else {
 
-    sprintf(tmp, "%s/%s, %s/%s",
-            u_stringify_int(IB(0), afl->stage_finds[STAGE_PYTHON]),
-            u_stringify_int(IB(1), afl->stage_cycles[STAGE_PYTHON]),
-            u_stringify_int(IB(2), afl->stage_finds[STAGE_CUSTOM_MUTATOR]),
-            u_stringify_int(IB(3), afl->stage_cycles[STAGE_CUSTOM_MUTATOR]));
-
-    SAYF(bV bSTOP "   py/custom : " cRST "%-36s " bSTG bVR bH20 bH2 bH bRB "\n",
-         tmp);
+    strcat(tmp, "unused, unused ");
 
   }
 
-  if (!afl->bytes_trim_out) {
+  SAYF(bV bSTOP "py/custom/rq : " cRST "%-36s " bSTG bVR bH20 bH2 bH bRB "\n",
+       tmp);
+
+  if (likely(afl->disable_trim)) {
+
+    sprintf(tmp, "disabled, ");
+
+  } else if (unlikely(!afl->bytes_trim_out)) {
 
     sprintf(tmp, "n/a, ");
 
@@ -1015,12 +1032,13 @@ void show_stats(afl_state_t *afl) {
 
   }
 
-  if (!afl->blocks_eff_total) {
+  if (likely(afl->skip_deterministic)) {
 
-    u8 tmp2[128];
+    strcat(tmp, "disabled");
 
-    sprintf(tmp2, "n/a");
-    strcat(tmp, tmp2);
+  } else if (unlikely(!afl->blocks_eff_total)) {
+
+    strcat(tmp, "n/a");
 
   } else {
 
-- 
cgit v1.2.3


From 0c06371cda94e916f62b6456e86b849333acb338 Mon Sep 17 00:00:00 2001
From: vanhauser-thc <vh@thc.org>
Date: Tue, 13 Apr 2021 11:16:12 +0200
Subject: display dictionary usage in havoc only mode

---
 src/afl-fuzz-stats.c | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'src')

diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c
index b9a94ac3..ed4787ea 100644
--- a/src/afl-fuzz-stats.c
+++ b/src/afl-fuzz-stats.c
@@ -939,6 +939,14 @@ void show_stats(afl_state_t *afl) {
             u_stringify_int(IB(4), afl->stage_finds[STAGE_EXTRAS_AO]),
             u_stringify_int(IB(5), afl->stage_cycles[STAGE_EXTRAS_AO]));
 
+  } else if (unlikely(!afl->extras_cnt)) {
+
+    strcpy(tmp, "n/a");
+
+  } else {
+
+    strcpy(tmp, "havoc mode");
+
   }
 
   SAYF(bV bSTOP "  dictionary : " cRST "%-36s " bSTG bV bSTOP
-- 
cgit v1.2.3


From 50bb931ea604a83784609dc71934a4a8f8feb156 Mon Sep 17 00:00:00 2001
From: vanhauser-thc <vh@thc.org>
Date: Tue, 13 Apr 2021 11:26:27 +0200
Subject: ui custom mutator only display

---
 src/afl-fuzz-stats.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

(limited to 'src')

diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c
index ed4787ea..e0e24a18 100644
--- a/src/afl-fuzz-stats.c
+++ b/src/afl-fuzz-stats.c
@@ -861,7 +861,11 @@ void show_stats(afl_state_t *afl) {
        " fuzzing strategy yields " bSTG bH10 bHT bH10 bH5 bHB bH bSTOP cCYA
        " path geometry " bSTG bH5 bH2 bVL "\n");
 
-  if (likely(afl->skip_deterministic)) {
+  if (unlikely(afl->custom_only)) {
+
+    strcpy(tmp, "disabled (custom mutator only mode)");
+
+  } else if (likely(afl->skip_deterministic)) {
 
     strcpy(tmp, "disabled (default, enable with -D)");
 
@@ -939,7 +943,7 @@ void show_stats(afl_state_t *afl) {
             u_stringify_int(IB(4), afl->stage_finds[STAGE_EXTRAS_AO]),
             u_stringify_int(IB(5), afl->stage_cycles[STAGE_EXTRAS_AO]));
 
-  } else if (unlikely(!afl->extras_cnt)) {
+  } else if (unlikely(!afl->extras_cnt || afl->custom_only)) {
 
     strcpy(tmp, "n/a");
 
-- 
cgit v1.2.3


From be880f2476963b8ebebe9d8cc196e4e74104c7a6 Mon Sep 17 00:00:00 2001
From: vanhauser-thc <vh@thc.org>
Date: Tue, 13 Apr 2021 13:01:50 +0200
Subject: add AFL_EXIT_ON_SEED_ISSUES

---
 src/afl-fuzz-init.c  | 8 +++++++-
 src/afl-fuzz-state.c | 7 +++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index e505abd4..b6bfbc29 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -881,7 +881,7 @@ void perform_dry_run(afl_state_t *afl) {
 
       case FSRV_RUN_TMOUT:
 
-        if (afl->timeout_given) {
+        if (afl->timeout_given && !afl->afl_env.afl_exit_on_seed_issues) {
 
           /* if we have a timeout but a timeout value was given then always
              skip. The '+' meaning has been changed! */
@@ -1036,6 +1036,12 @@ void perform_dry_run(afl_state_t *afl) {
 
         }
 
+        if (afl->afl_env.afl_exit_on_seed_issues) {
+
+          FATAL("As AFL_EXIT_ON_SEED_ISSUES is set, afl-fuzz exits.");
+
+        }
+
         /* Remove from fuzzing queue but keep for splicing */
 
         struct queue_entry *p = afl->queue;
diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c
index f65ff1bb..28d3339a 100644
--- a/src/afl-fuzz-state.c
+++ b/src/afl-fuzz-state.c
@@ -306,6 +306,13 @@ void read_afl_environment(afl_state_t *afl, char **envp) {
             afl->cycle_schedules = afl->afl_env.afl_cycle_schedules =
                 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
 
+          } else if (!strncmp(env, "AFL_EXIT_ON_SEED_ISSUES",
+
+                              afl_environment_variable_len)) {
+
+            afl->afl_env.afl_exit_on_seed_issues =
+                get_afl_env(afl_environment_variables[i]) ? 1 : 0;
+
           } else if (!strncmp(env, "AFL_EXPAND_HAVOC_NOW",
 
                               afl_environment_variable_len)) {
-- 
cgit v1.2.3


From 5e72568a455bde8ac389b8b234cbdbbb0d33e015 Mon Sep 17 00:00:00 2001
From: vanhauser-thc <vh@thc.org>
Date: Wed, 14 Apr 2021 17:52:43 +0200
Subject: ui update

---
 src/afl-fuzz-stats.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c
index e0e24a18..009cebf6 100644
--- a/src/afl-fuzz-stats.c
+++ b/src/afl-fuzz-stats.c
@@ -1074,7 +1074,7 @@ void show_stats(afl_state_t *afl) {
   //
   //} else {
 
-  SAYF(bV bSTOP "        trim : " cRST "%-36s " bSTG bV RESET_G1, tmp);
+  SAYF(bV bSTOP "    trim/eff : " cRST "%-36s " bSTG bV RESET_G1, tmp);
 
   //}
 
-- 
cgit v1.2.3


From ab0f13ed068a7ef47cc84e6871428e1812382688 Mon Sep 17 00:00:00 2001
From: vanhauser-thc <vh@thc.org>
Date: Thu, 15 Apr 2021 00:11:32 +0200
Subject: fix writing stat file on exit

---
 src/afl-fuzz-stats.c | 43 +++++++++++++++++++++++--------------------
 src/afl-fuzz.c       |  1 -
 2 files changed, 23 insertions(+), 21 deletions(-)

(limited to 'src')

diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c
index 009cebf6..fa1f3c70 100644
--- a/src/afl-fuzz-stats.c
+++ b/src/afl-fuzz-stats.c
@@ -355,18 +355,18 @@ void write_stats_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg,
 void maybe_update_plot_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg,
                             double eps) {
 
-  if (unlikely(afl->stop_soon) ||
-      unlikely(afl->plot_prev_qp == afl->queued_paths &&
-               afl->plot_prev_pf == afl->pending_favored &&
-               afl->plot_prev_pnf == afl->pending_not_fuzzed &&
-               afl->plot_prev_ce == afl->current_entry &&
-               afl->plot_prev_qc == afl->queue_cycle &&
-               afl->plot_prev_uc == afl->unique_crashes &&
-               afl->plot_prev_uh == afl->unique_hangs &&
-               afl->plot_prev_md == afl->max_depth &&
-               afl->plot_prev_ed == afl->fsrv.total_execs) ||
-      unlikely(!afl->queue_cycle) ||
-      unlikely(get_cur_time() - afl->start_time <= 60)) {
+  if (unlikely(!afl->force_ui_update &&
+               (afl->stop_soon ||
+                (afl->plot_prev_qp == afl->queued_paths &&
+                 afl->plot_prev_pf == afl->pending_favored &&
+                 afl->plot_prev_pnf == afl->pending_not_fuzzed &&
+                 afl->plot_prev_ce == afl->current_entry &&
+                 afl->plot_prev_qc == afl->queue_cycle &&
+                 afl->plot_prev_uc == afl->unique_crashes &&
+                 afl->plot_prev_uh == afl->unique_hangs &&
+                 afl->plot_prev_md == afl->max_depth &&
+                 afl->plot_prev_ed == afl->fsrv.total_execs) ||
+                !afl->queue_cycle || get_cur_time() - afl->start_time <= 60))) {
 
     return;
 
@@ -531,7 +531,8 @@ void show_stats(afl_state_t *afl) {
 
   /* Roughly every minute, update fuzzer stats and save auto tokens. */
 
-  if (cur_ms - afl->stats_last_stats_ms > STATS_UPDATE_SEC * 1000) {
+  if (unlikely(afl->force_ui_update ||
+               cur_ms - afl->stats_last_stats_ms > STATS_UPDATE_SEC * 1000)) {
 
     afl->stats_last_stats_ms = cur_ms;
     write_stats_file(afl, t_bytes, t_byte_ratio, stab_ratio,
@@ -543,7 +544,8 @@ void show_stats(afl_state_t *afl) {
 
   if (unlikely(afl->afl_env.afl_statsd)) {
 
-    if (cur_ms - afl->statsd_last_send_ms > STATSD_UPDATE_SEC * 1000) {
+    if (unlikely(afl->force_ui_update && cur_ms - afl->statsd_last_send_ms >
+                                             STATSD_UPDATE_SEC * 1000)) {
 
       /* reset counter, even if send failed. */
       afl->statsd_last_send_ms = cur_ms;
@@ -555,7 +557,8 @@ void show_stats(afl_state_t *afl) {
 
   /* Every now and then, write plot data. */
 
-  if (cur_ms - afl->stats_last_plot_ms > PLOT_UPDATE_SEC * 1000) {
+  if (unlikely(afl->force_ui_update ||
+               cur_ms - afl->stats_last_plot_ms > PLOT_UPDATE_SEC * 1000)) {
 
     afl->stats_last_plot_ms = cur_ms;
     maybe_update_plot_file(afl, t_bytes, t_byte_ratio, afl->stats_avg_exec);
@@ -564,14 +567,14 @@ void show_stats(afl_state_t *afl) {
 
   /* Honor AFL_EXIT_WHEN_DONE and AFL_BENCH_UNTIL_CRASH. */
 
-  if (!afl->non_instrumented_mode && afl->cycles_wo_finds > 100 &&
-      !afl->pending_not_fuzzed && afl->afl_env.afl_exit_when_done) {
+  if (unlikely(!afl->non_instrumented_mode && afl->cycles_wo_finds > 100 &&
+               !afl->pending_not_fuzzed && afl->afl_env.afl_exit_when_done)) {
 
     afl->stop_soon = 2;
 
   }
 
-  if (afl->total_crashes && afl->afl_env.afl_bench_until_crash) {
+  if (unlikely(afl->total_crashes && afl->afl_env.afl_bench_until_crash)) {
 
     afl->stop_soon = 2;
 
@@ -583,7 +586,7 @@ void show_stats(afl_state_t *afl) {
 
   /* If we haven't started doing things, bail out. */
 
-  if (!afl->queue_cur) { return; }
+  if (unlikely(!afl->queue_cur)) { return; }
 
   /* Compute some mildly useful bitmap stats. */
 
@@ -602,7 +605,7 @@ void show_stats(afl_state_t *afl) {
 
   SAYF(TERM_HOME);
 
-  if (afl->term_too_small) {
+  if (unlikely(afl->term_too_small)) {
 
     SAYF(cBRI
          "Your terminal is too small to display the UI.\n"
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 9688c84f..d9bf2b28 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -2130,7 +2130,6 @@ int main(int argc, char **argv_orig, char **envp) {
 
 stop_fuzzing:
 
-  write_stats_file(afl, 0, 0, 0, 0);
   afl->force_ui_update = 1;  // ensure the screen is reprinted
   show_stats(afl);           // print the screen one last time
 
-- 
cgit v1.2.3


From 61a918f820da0d4c6285e8a9fe32fe2ab4c08510 Mon Sep 17 00:00:00 2001
From: vanhauser-thc <vh@thc.org>
Date: Thu, 15 Apr 2021 10:43:18 +0200
Subject: remove duplicate plot file write

---
 src/afl-fuzz.c | 1 -
 1 file changed, 1 deletion(-)

(limited to 'src')

diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index d9bf2b28..a61a817a 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -2125,7 +2125,6 @@ int main(int argc, char **argv_orig, char **envp) {
   }
 
   write_bitmap(afl);
-  maybe_update_plot_file(afl, 0, 0, 0);
   save_auto(afl);
 
 stop_fuzzing:
-- 
cgit v1.2.3


From cd40fa1745de1aba6549dd37d1d94b0e26cce442 Mon Sep 17 00:00:00 2001
From: vanhauser-thc <vh@thc.org>
Date: Thu, 15 Apr 2021 11:04:39 +0200
Subject: fix warnings

---
 src/afl-fuzz-stats.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

(limited to 'src')

diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c
index fa1f3c70..d1e5e9f8 100644
--- a/src/afl-fuzz-stats.c
+++ b/src/afl-fuzz-stats.c
@@ -427,7 +427,7 @@ void show_stats(afl_state_t *afl) {
   u32 t_bytes, t_bits;
 
   u32 banner_len, banner_pad;
-  u8  tmp[256];
+  u8  tmp[256], tmp2[256];
   u8  time_tmp[64];
 
   u8 val_buf[8][STRINGIFY_VAL_SIZE_MAX];
@@ -991,31 +991,31 @@ void show_stats(afl_state_t *afl) {
 
   if (unlikely(afl->afl_env.afl_python_module)) {
 
-    sprintf(tmp, "%s/%s, ",
+    sprintf(tmp, "%s/%s,",
             u_stringify_int(IB(0), afl->stage_finds[STAGE_PYTHON]),
             u_stringify_int(IB(1), afl->stage_cycles[STAGE_PYTHON]));
 
   } else {
 
-    strcpy(tmp, "unused, ");
+    strcpy(tmp, "unused,");
 
   }
 
   if (unlikely(afl->afl_env.afl_custom_mutator_library)) {
 
-    sprintf(tmp, "%s%s/%s, ", tmp,
+    sprintf(tmp2, " %s%s/%s,", tmp,
             u_stringify_int(IB(2), afl->stage_finds[STAGE_PYTHON]),
             u_stringify_int(IB(3), afl->stage_cycles[STAGE_PYTHON]));
 
   } else {
 
-    strcat(tmp, "unused, ");
+    strcat(tmp2, " unused,");
 
   }
 
   if (unlikely(afl->shm.cmplog_mode)) {
 
-    sprintf(tmp, "%s%s/%s, %s/%s", tmp,
+    sprintf(tmp, "%s %s/%s, %s/%s", tmp2,
             u_stringify_int(IB(4), afl->stage_finds[STAGE_COLORIZATION]),
             u_stringify_int(IB(5), afl->stage_cycles[STAGE_COLORIZATION]),
             u_stringify_int(IB(6), afl->stage_finds[STAGE_ITS]),
@@ -1023,7 +1023,7 @@ void show_stats(afl_state_t *afl) {
 
   } else {
 
-    strcat(tmp, "unused, unused ");
+    sprintf(tmp, "%s unused, unused", tmp2);
 
   }
 
-- 
cgit v1.2.3


From b815c32f0ef789dd6d33f5de4d0b524664d41195 Mon Sep 17 00:00:00 2001
From: vanhauser-thc <vh@thc.org>
Date: Thu, 15 Apr 2021 12:22:05 +0200
Subject: fix ui

---
 src/afl-fuzz-stats.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src')

diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c
index d1e5e9f8..a1559eac 100644
--- a/src/afl-fuzz-stats.c
+++ b/src/afl-fuzz-stats.c
@@ -1003,13 +1003,13 @@ void show_stats(afl_state_t *afl) {
 
   if (unlikely(afl->afl_env.afl_custom_mutator_library)) {
 
-    sprintf(tmp2, " %s%s/%s,", tmp,
+    sprintf(tmp2, "%s %s/%s,", tmp,
             u_stringify_int(IB(2), afl->stage_finds[STAGE_PYTHON]),
             u_stringify_int(IB(3), afl->stage_cycles[STAGE_PYTHON]));
 
   } else {
 
-    strcat(tmp2, " unused,");
+    sprintf(tmp2, "%s unused,", tmp);
 
   }
 
-- 
cgit v1.2.3


From 4f93220c4bfbffc51e18159d30e08884a4d7dfc1 Mon Sep 17 00:00:00 2001
From: vanhauser-thc <vh@thc.org>
Date: Thu, 15 Apr 2021 16:50:44 +0200
Subject: cmplog -l3: disable trimming, forcing input2stage for all

---
 src/afl-fuzz-redqueen.c | 26 +++++++++++++++++++++++++-
 src/afl-fuzz.c          |  8 ++++++++
 2 files changed, 33 insertions(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c
index 9bfbf95b..cf1e5ea5 100644
--- a/src/afl-fuzz-redqueen.c
+++ b/src/afl-fuzz-redqueen.c
@@ -437,7 +437,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len,
 
   if (taint) {
 
-    if (afl->colorize_success &&
+    if (afl->colorize_success && afl->cmplog_lvl < 3 &&
         (len / positions == 1 && positions > CMPLOG_POSITIONS_MAX &&
          afl->active_paths / afl->colorize_success > CMPLOG_CORPUS_PERCENT)) {
 
@@ -1749,6 +1749,12 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf,
 
 #endif
 
+#ifdef _DEBUG
+      if (o->v0 != orig_o->v0 || o->v1 != orig_o->v1)
+        fprintf(stderr, "key=%u idx=%u o0=%llu v0=%llu o1=%llu v1=%llu\n", key,
+                idx, orig_o->v0, o->v0, orig_o->v1, o->v1);
+#endif
+
       // even for u128 and _ExtInt we do cmp_extend_encoding() because
       // if we got here their own special trials failed and it might just be
       // a cast from e.g. u64 to u128 from the input data.
@@ -2365,6 +2371,24 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf,
 
       status = 0;
 
+#ifdef _DEBUG
+      int w;
+      fprintf(stderr, "key=%u idx=%u len=%u o0=", key, idx,
+              SHAPE_BYTES(h->shape));
+      for (w = 0; w < SHAPE_BYTES(h->shape); ++w)
+        fprintf(stderr, "%02x", orig_o->v0[w]);
+      fprintf(stderr, " v0=");
+      for (w = 0; w < SHAPE_BYTES(h->shape); ++w)
+        fprintf(stderr, "%02x", o->v0[w]);
+      fprintf(stderr, " o1=");
+      for (w = 0; w < SHAPE_BYTES(h->shape); ++w)
+        fprintf(stderr, "%02x", orig_o->v1[w]);
+      fprintf(stderr, " v1=");
+      for (w = 0; w < SHAPE_BYTES(h->shape); ++w)
+        fprintf(stderr, "%02x", o->v1[w]);
+      fprintf(stderr, "\n");
+#endif
+
       if (unlikely(rtn_extend_encoding(
               afl, o->v0, o->v1, orig_o->v0, orig_o->v1, SHAPE_BYTES(h->shape),
               idx, taint_len, orig_buf, buf, cbuf, len, lvl, &status))) {
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index a61a817a..2b035a23 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -855,6 +855,14 @@ int main(int argc, char **argv_orig, char **envp) {
               break;
             case '3':
               afl->cmplog_lvl = 3;
+
+              if (!afl->disable_trim) {
+
+                ACTF("Deactivating trimming due CMPLOG level 3");
+                afl->disable_trim = 1;
+
+              }
+
               break;
             case 'a':
             case 'A':
-- 
cgit v1.2.3


From e41d1183cca02fb4d6398df4fc3e028dfd9c5f72 Mon Sep 17 00:00:00 2001
From: vanhauser-thc <vh@thc.org>
Date: Fri, 16 Apr 2021 00:41:32 +0200
Subject: fix nits

---
 src/afl-fuzz-stats.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c
index a1559eac..52d9de87 100644
--- a/src/afl-fuzz-stats.c
+++ b/src/afl-fuzz-stats.c
@@ -866,7 +866,7 @@ void show_stats(afl_state_t *afl) {
 
   if (unlikely(afl->custom_only)) {
 
-    strcpy(tmp, "disabled (custom mutator only mode)");
+    strcpy(tmp, "disabled (custom-mutator-only mode)");
 
   } else if (likely(afl->skip_deterministic)) {
 
-- 
cgit v1.2.3