1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
|
#ifndef _HAVE_AFL_RUN_H
#define _HAVE_AFL_RUN_H
#include "types.h"
#include "config.h"
#ifdef __cplusplus
extern "C"
{
#endif
/* functions called at initialization */
void aflrun_load_config(const char* config_str,
u8* check_at_begin, u8* log_at_begin, u64* log_check_interval,
double* trim_thr, double* queue_quant_thr, u32* min_num_exec);
void aflrun_load_freachables(const char* temp_path,
reach_t* num_ftargets, reach_t* num_freachables);
void aflrun_load_edges(const char* bb_edges, reach_t num_reachables);
void aflrun_load_dists(const char* dir, reach_t num_targets,
reach_t num_reachables, char** reachable_names);
void aflrun_init_fringes(
reach_t num_reachables, reach_t num_targets);
void aflrun_init_groups(reach_t num_targets);
void aflrun_init_globals(void* afl,
reach_t num_targets, reach_t num_reachables,
reach_t num_ftargets, reach_t num_freachables,
u8* virgin_reachables, u8* virgin_freachables, u8* virgin_ctx,
char** reachable_names, reach_t** reachable_to_targets,
reach_t* reachable_to_size, const char* out_dir,
const double* target_weights, u32 map_size, u8* div_switch,
const char* cycle_time);
void aflrun_remove_seed(u32 seed);
/* functions used to update fringe */
// path-sensitive fringe, called for mutated input and new imported seed
// One thing to note is that we don't consider seed that varies in coverage
// among different runs, in which case we only use the coverage of the first
// run (e.i. `common_fuzz_stuff` for mutated input and sync input or
// first calibration for imported seed)
u8 aflrun_has_new_path(const u8* freached, const u8* reached, const u8* path,
const ctx_t* virgin_trace, size_t len, u8 inc, u32 seed,
const u8* new_bits, const size_t* clusters, size_t num_clusters);
u8 aflrun_end_cycle();
void aflrun_update_fuzzed_quant(u32 id, double fuzzed_quant);
/* functions for debugging and inspecting */
void aflrun_check_state(void);
void aflrun_log_fringes(const char* path, u8 prog);
void aflrun_get_state(int* cycle_count, u32* cov_quant,
size_t* div_num_invalid, size_t* div_num_fringes);
u64 aflrun_queue_cycle(void);
u8 aflrun_get_mode(void);
bool aflrun_is_uni(void);
void aflrun_get_reached(reach_t* num_reached, reach_t* num_freached,
reach_t* num_reached_targets, reach_t* num_freached_targets);
double aflrun_get_seed_quant(u32 seed);
void aflrun_get_time(u64* last_reachable, u64* last_fringe,
u64* last_pro_fringe, u64* last_target, u64* last_ctx_reachable,
u64* last_ctx_fringe, u64* last_ctx_pro_fringe, u64* last_ctx_target);
/* functions called at begining of each cycle to assign energy */
// calculate energy for each seed
void aflrun_assign_energy(u32 num_seeds, const u32* seeds, double* ret);
void aflrun_set_num_active_seeds(u32 n);
u8 aflrun_cycle_end(u8*);
// update score and queue culling
void aflrun_update_fringe_score(u32 seed);
u32 aflrun_cull_queue(u32* seeds, u32 num);
void aflrun_set_favored_seeds(const u32* seeds, u32 num, u8 mode);
/* Functions for the second diversity idea */
// Get virgin maps associated with given targets, result goes into `ret_maps`
size_t aflrun_get_virgins(
const ctx_t* targets, size_t num, u8** ret_maps, size_t* ret_clusters);
size_t aflrun_max_clusters(u32 seed);
size_t aflrun_get_seed_virgins(u32 seed, u8** ret_maps, size_t* ret_clusters);
size_t aflrun_get_seed_tops(u32 seed, void*** ret_tops);
size_t aflrun_get_num_clusters(void);
size_t aflrun_get_all_tops(void*** ret_tops, u8 mode);
// For target clustering
#ifdef WORD_SIZE_64
void discover_word_mul(u8 *new_bits,
u64 *current, u64* const *virgins, size_t num, size_t idx, u8 modify);
#else
#error "Please use 64-bit to compile AFLRun"
#endif
void aflrun_commit_bit_seqs(const size_t* clusters, size_t num);
// AFL interfaces
u64 get_seed_fav_factor(void* afl_void, u32 seed);
double get_seed_perf_score(void* afl_void, u32 seed);
bool get_seed_div_favored(void* afl_void, u32 seed);
u8 get_seed_cov_favored(void* afl_void, u32 seed);
void disable_aflrun_extra(void* afl_void, u32 seed);
u64 get_cur_time(void);
#ifdef __cplusplus
}
#endif
#endif /* !_HAVE_AFL_RUN_H */
|
