changed run_target

include/afl-fuzz.h

@@ -842,10 +842,10 @@ u32  count_bytes(afl_state_t *, u8 *);
 u32  count_non_255_bytes(afl_state_t *, u8 *);
 #ifdef WORD_SIZE_64
 void simplify_trace(afl_state_t *, u64 *);
-void classify_counts(afl_state_t *, u64 *);
+void classify_counts(afl_forkserver_t *);
 #else
 void simplify_trace(afl_state_t *, u32 *);
-void classify_counts(afl_state_t *, u32 *);
+void classify_counts(afl_forkserver_t *);
 #endif
 void init_count_class16(void);
 void minimize_bits(afl_state_t *, u8 *, u8 *);

include/forkserver.h

@@ -97,10 +97,12 @@ void afl_fsrv_init(afl_forkserver_t *fsrv);
 void afl_fsrv_init_dup(afl_forkserver_t *fsrv_to, afl_forkserver_t *from);
 void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
                     volatile u8 *stop_soon_p, u8 debug_child_output);
-fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv,
-                                      volatile u8 *     stop_soon_p);
-void              afl_fsrv_killall(void);
-void              afl_fsrv_deinit(afl_forkserver_t *fsrv);
+fsrv_run_result_t afl_fsrv_run_target(
+    afl_forkserver_t *fsrv, u32 timeout,
+    void(classify_counts_func)(afl_forkserver_t *fsrv),
+    volatile u8 *stop_soon_p);
+void afl_fsrv_killall(void);
+void afl_fsrv_deinit(afl_forkserver_t *fsrv);
 
 #ifdef __APPLE__
 #define MSG_FORK_ON_APPLE                                                    \

llvm_mode/afl-clang-fast.c

@@ -184,7 +184,9 @@ static void edit_params(u32 argc, char **argv, char **envp) {
       sprintf(llvm_fullpath, CLANGPP_BIN);
     cc_params[0] = alt_cxx && *alt_cxx ? alt_cxx : (u8 *)llvm_fullpath;
 
-  } else if (!strcmp(name, "afl-clang-fast") || !strcmp(name, "afl-clang-lto")) {
+  } else if (!strcmp(name, "afl-clang-fast") ||
+
+             !strcmp(name, "afl-clang-lto")) {
 
     u8 *alt_cc = getenv("AFL_CC");
     if (USE_BINDIR)
@@ -194,8 +196,12 @@ static void edit_params(u32 argc, char **argv, char **envp) {
     cc_params[0] = alt_cc && *alt_cc ? alt_cc : (u8 *)llvm_fullpath;
 
   } else {
+
     fprintf(stderr, "Name of the binary: %s\n", argv[0]);
-    FATAL("Name of the binary is not a known name, expected afl-clang-fast(++) or afl-clang-lto(++)");
+    FATAL(
+        "Name of the binary is not a known name, expected afl-clang-fast(++) "
+        "or afl-clang-lto(++)");
+
   }
 
   /* There are three ways to compile with afl-clang-fast. In the traditional

src/afl-forkserver.c

@@ -643,16 +643,16 @@ static void afl_fsrv_kill(afl_forkserver_t *fsrv) {
 /* Execute target application, monitoring for timeouts. Return status
    information. The called program will update afl->fsrv->trace_bits. */
 
-fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv,
-                                      volatile u8 *     stop_soon_p) {
+fsrv_run_result_t afl_fsrv_run_target(
+    afl_forkserver_t *fsrv, u32 timeout,
+    void(classify_counts_func)(afl_forkserver_t *fsrv),
+    volatile u8 *stop_soon_p) {
 
   s32 res;
   u32 exec_ms;
 
   int status = 0;
 
-  u32 timeout = fsrv->exec_tmout;
-
   /* After this memset, fsrv->trace_bits[] are effectively volatile, so we
      must prevent any earlier operations from venturing into that
      territory. */
@@ -732,6 +732,9 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv,
      behave very normally and do not have to be treated as volatile. */
 
   MEM_BARRIER();
+  u32 tb4 = *(u32 *)fsrv->trace_bits;
+
+  if (likely(classify_counts_func)) classify_counts_func(fsrv);
 
   /* Report outcome to caller. */
 
@@ -756,7 +759,7 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv,
 
   }
 
-  if ((*(u32 *)fsrv->trace_bits) == EXEC_FAIL_SIG) return FSRV_RUN_NOINST;
+  if (tb4 == EXEC_FAIL_SIG) return FSRV_RUN_ERROR;
 
   return FSRV_RUN_OK;
 

src/afl-fuzz-bitmap.c

@@ -351,9 +351,11 @@ void init_count_class16(void) {
 
 #ifdef WORD_SIZE_64
 
-void classify_counts(afl_state_t *afl, u64 *mem) {
+void classify_counts(afl_forkserver_t *fsrv) {
 
-  u32 i = (afl->fsrv.map_size >> 3);
+  u32 *mem = (u32 *)fsrv->trace_bits;
+
+  u32 i = (fsrv->map_size >> 3);
 
   if (i == 0) i = 1;
 
@@ -380,9 +382,11 @@ void classify_counts(afl_state_t *afl, u64 *mem) {
 
 #else
 
-void classify_counts(afl_state_t *afl, u32 *mem) {
+void classify_counts(afl_forkserver_t *fsrv) {
 
-  u32 i = (afl->fsrv.map_size >> 2);
+  u64 *mem = (u64 *)fsrv->trace_bits;
+
+  u32 i = (fsrv->map_size >> 2);
 
   if (i == 0) i = 1;
 

src/afl-fuzz-run.c

@@ -35,15 +35,7 @@
 fsrv_run_result_t run_target(afl_state_t *afl, afl_forkserver_t *fsrv,
                              u32 timeout) {
 
-  fsrv_run_result_t res = afl_fsrv_run_target(&afl->fsrv, &afl->stop_soon);
-
-#ifdef WORD_SIZE_64
-  classify_counts(afl, (u64 *)fsrv->trace_bits);
-#else
-  classify_counts(afl, (u32 *)fsrv->trace_bits);
-#endif                                                     /* ^WORD_SIZE_64 */
-
-  return res;
+  return afl_fsrv_run_target(fsrv, timeout, classify_counts, &afl->stop_soon);
 
 }
 

src/afl-showmap.c

@@ -106,7 +106,10 @@ static const u8 count_class_binary[256] = {
 
 };
 
-static void classify_counts(u8 *mem, const u8 *map) {
+static void classify_counts(afl_forkserver_t *fsrv) {
+
+  u8 *      mem = fsrv->trace_bits;
+  const u8 *map = binary_mode ? count_class_binary : count_class_human;
 
   u32 i = MAP_SIZE;
 
@@ -240,12 +243,12 @@ void run_target_forkserver(afl_forkserver_t *fsrv, char **argv, u8 *mem,
 
   write_to_testcase(fsrv, mem, len);
 
-  fsrv_run_result_t res = afl_fsrv_run_target(fsrv, &stop_soon);
-  if (res == FSRV_RUN_NOINST || res == FSRV_RUN_ERROR)
+  if (afl_fsrv_run_target(fsrv, fsrv->exec_tmout, classify_counts,
+                          &stop_soon) == FSRV_RUN_ERROR) {
+
     FATAL("Error running target");
 
-  classify_counts(fsrv->trace_bits,
-                  binary_mode ? count_class_binary : count_class_human);
+  }
 
   if (stop_soon) {
 
@@ -375,8 +378,7 @@ static void run_target(afl_forkserver_t *fsrv, char **argv) {
   if (*(u32 *)fsrv->trace_bits == EXEC_FAIL_SIG)
     FATAL("Unable to execute '%s'", argv[0]);
 
-  classify_counts(fsrv->trace_bits,
-                  binary_mode ? count_class_binary : count_class_human);
+  classify_counts(fsrv);
 
   if (!quiet_mode) SAYF(cRST "-- Program output ends --\n");
 
@@ -587,7 +589,7 @@ static void find_binary(afl_forkserver_t *fsrv, u8 *fname) {
         break;
 
       ck_free(fsrv->target_path);
-      fsrv->target_path = 0;
+      fsrv->target_path = NULL;
 
     }
 

src/afl-tmin.c

@@ -100,8 +100,29 @@ static const u8 count_class_lookup[256] = {
 
 };
 
-static void classify_counts(u8 *mem) {
+/* Apply mask to classified bitmap (if set). */
 
+static void apply_mask(u32 *mem, u32 *mask) {
+
+  u32 i = (MAP_SIZE >> 2);
+
+  if (!mask) return;
+
+  while (i--) {
+
+    *mem &= ~*mask;
+    mem++;
+    mask++;
+
+  }
+
+}
+
+static void classify_counts(afl_forkserver_t *fsrv) {
+
+  if (hang_mode) return;                              /* We only want hangs */
+
+  u8 *mem = fsrv->trace_bits;
   u32 i = MAP_SIZE;
 
   if (edges_only) {
@@ -124,23 +145,7 @@ static void classify_counts(u8 *mem) {
 
   }
 
-}
-
-/* Apply mask to classified bitmap (if set). */
-
-static void apply_mask(u32 *mem, u32 *mask) {
-
-  u32 i = (MAP_SIZE >> 2);
-
-  if (!mask) return;
-
-  while (i--) {
-
-    *mem &= ~*mask;
-    mem++;
-    mask++;
-
-  }
+  apply_mask((u32 *)fsrv->trace_bits, (u32 *)mask_bitmap);
 
 }
 
@@ -250,17 +255,11 @@ static u8 run_target(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len,
 
   write_to_testcase(fsrv, mem, len);
 
-  fsrv_run_result_t ret = afl_fsrv_run_target(fsrv, &stop_soon);
+  fsrv_run_result_t ret =
+      afl_fsrv_run_target(fsrv, fsrv->exec_tmout, classify_counts, &stop_soon);
 
   if (ret == FSRV_RUN_ERROR) FATAL("Couldn't run child");
 
-  if (!hang_mode) {
-
-    classify_counts(fsrv->trace_bits);
-    apply_mask((u32 *)fsrv->trace_bits, (u32 *)mask_bitmap);
-
-  }
-
   if (stop_soon) {
 
     SAYF(cRST cLRD "\n+++ Minimization aborted by user +++\n" cRST);