Merge pull request #2269 from AFLplusplus/dev

push to stable
2025-06-12 18:18:07 +00:00 · 2024-12-13 12:28:39 +01:00
parent 223b14134c bbffece7d7
commit 0c69d0a0d8
6 changed files with 342 additions and 237 deletions
--- a/GNUmakefile.llvm
+++ b/GNUmakefile.llvm
@ -28,7 +28,7 @@ MAN_PATH    ?= $(PREFIX)/share/man/man8
 BUILD_DATE  ?= $(shell date -u -d "@$(SOURCE_DATE_EPOCH)" "+%Y-%m-%d" 2>/dev/null || date -u -r "$(SOURCE_DATE_EPOCH)" "+%Y-%m-%d" 2>/dev/null || date -u "+%Y-%m-%d")
-VERSION     = $(shell grep '^$(HASH)define VERSION ' ./config.h | cut -d '"' -f2)
+VERSION     = $(shell grep '^ *$(HASH)define VERSION ' ./config.h | cut -d '"' -f2)
 SYS = $(shell uname -s)
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@ -5,7 +5,12 @@
 ### Version ++4.31a (dev)
-  - your PR?
+  - loose file and shared memory permissions on Android and iPhone
  - afl-cc:
    - -fsanitize=fuzzer now inserts libAFLDriver.a addtionally early to help
      compiling if LLVMFuzzerTestOneOnput is in an .a archive
    - added __sanitizer_weak_hook_* functions (in case that is helpful in
      weird setups)
 ### Version ++4.30c (release)
--- a/include/config.h
+++ b/include/config.h
@ -21,69 +21,81 @@
 */
 #ifndef _HAVE_CONFIG_H
-#define _HAVE_CONFIG_H
+  #define _HAVE_CONFIG_H
-/* Version string: */
+  /* Version string: */
-// c = release, a = volatile github dev, e = experimental branch
+  // c = release, a = volatile github dev, e = experimental branch
-#define VERSION "++4.31a"
+  #define VERSION "++4.31a"
-/******************************************************
+  /******************************************************
- *                                                    *
+   *                                                    *
- *  Settings that may be of interest to power users:  *
+   *  Settings that may be of interest to power users:  *
- *                                                    *
+   *                                                    *
- ******************************************************/
+   ******************************************************/
-/* Default shared memory map size. Most targets just need a coverage map
+  /* Default shared memory map size. Most targets just need a coverage map
-   between 20-250kb. Plus there is an auto-detection feature in afl-fuzz.
+     between 20-250kb. Plus there is an auto-detection feature in afl-fuzz.
-   However if a target has problematic constructors and init arrays then
+     However if a target has problematic constructors and init arrays then
-   this can fail. Hence afl-fuzz deploys a larger default map. The largest
+     this can fail. Hence afl-fuzz deploys a larger default map. The largest
-   map seen so far is the xlsx fuzzer for libreoffice which is 5MB.
+     map seen so far is the xlsx fuzzer for libreoffice which is 5MB.
-   At runtime this value can be overriden via AFL_MAP_SIZE.
+     At runtime this value can be overriden via AFL_MAP_SIZE.
-   Default: 8MB (defined in bytes) */
+     Default: 8MB (defined in bytes) */
-#define DEFAULT_SHMEM_SIZE (8 * 1024 * 1024)
+  #define DEFAULT_SHMEM_SIZE (8 * 1024 * 1024)
-/* Default time until when no more coverage finds are happening afl-fuzz
+  /* Default time until when no more coverage finds are happening afl-fuzz
-   switches to exploitation mode. It automatically switches back when new
+     switches to exploitation mode. It automatically switches back when new
-   coverage is found.
+     coverage is found.
-   Default: 300 (seconds) */
+     Default: 300 (seconds) */
-#define STRATEGY_SWITCH_TIME 1000
+  #define STRATEGY_SWITCH_TIME 1000
-/* Default file permission umode when creating files (default: 0600) */
+  /* Default file permission umode when creating files (default: 0600) */
-#define DEFAULT_PERMISSION 0600
+  #define DEFAULT_PERMISSION 0600
  #ifdef __APPLE__
    #include <TargetConditionals.h>
    #if TARGET_OS_IOS
      #undef DEFAULT_PERMISSION
      #define 0666
    #endif
  #endif
  #ifdef __ANDROID__
    #undef DEFAULT_PERMISSION
    #define 0666
  #endif
 /* SkipDet's global configuration */
-#define MINIMAL_BLOCK_SIZE 64
+  #define MINIMAL_BLOCK_SIZE 64
-#define SMALL_DET_TIME (60 * 1000 * 1000U)
+  #define SMALL_DET_TIME (60 * 1000 * 1000U)
-#define MAXIMUM_INF_EXECS (16 * 1024U)
+  #define MAXIMUM_INF_EXECS (16 * 1024U)
-#define MAXIMUM_QUICK_EFF_EXECS (64 * 1024U)
+  #define MAXIMUM_QUICK_EFF_EXECS (64 * 1024U)
-#define THRESHOLD_DEC_TIME (20 * 60 * 1000U)
+  #define THRESHOLD_DEC_TIME (20 * 60 * 1000U)
-/* Set the Prob of selecting eff_bytes 3 times more than original,
+  /* Set the Prob of selecting eff_bytes 3 times more than original,
-   Now disabled */
+     Now disabled */
-#define EFF_HAVOC_RATE 3
+  #define EFF_HAVOC_RATE 3
-/* CMPLOG/REDQUEEN TUNING
+  /* CMPLOG/REDQUEEN TUNING
- *
+   *
- * Here you can modify tuning and solving options for CMPLOG.
+   * Here you can modify tuning and solving options for CMPLOG.
- * Note that these are run-time options for afl-fuzz, no target
+   * Note that these are run-time options for afl-fuzz, no target
- * recompilation required.
+   * recompilation required.
- *
+   *
- */
+   */
-/* If a redqueen pass finds more than one solution, try to combine them? */
+  /* If a redqueen pass finds more than one solution, try to combine them? */
-#define CMPLOG_COMBINE
+  #define CMPLOG_COMBINE
-/* Minimum % of the corpus to perform cmplog on. Default: 10% */
+  /* Minimum % of the corpus to perform cmplog on. Default: 10% */
-#define CMPLOG_CORPUS_PERCENT 5U
+  #define CMPLOG_CORPUS_PERCENT 5U
-/* Number of potential positions from which we decide if cmplog becomes
+  /* Number of potential positions from which we decide if cmplog becomes
-   useless, default 12288 */
+     useless, default 12288 */
-#define CMPLOG_POSITIONS_MAX (12 * 1024)
+  #define CMPLOG_POSITIONS_MAX (12 * 1024)
-/* Maximum allowed fails per CMP value. Default: 96 */
+  /* Maximum allowed fails per CMP value. Default: 96 */
-#define CMPLOG_FAIL_MAX 96
+  #define CMPLOG_FAIL_MAX 96
 /* -------------------------------------*/
 /* Now non-cmplog configuration options */
@ -115,22 +127,22 @@
 /* Comment out to disable terminal colors (note that this makes afl-analyze
   a lot less nice): */
-#define USE_COLOR
+  #define USE_COLOR
-#ifdef USE_COLOR
+  #ifdef USE_COLOR
-  /* Comment in to always enable terminal colors */
+    /* Comment in to always enable terminal colors */
-  /* Comment out to enable runtime controlled terminal colors via AFL_NO_COLOR
+    /* Comment out to enable runtime controlled terminal colors via AFL_NO_COLOR
-   */
+     */
-  #define ALWAYS_COLORED 1
+    #define ALWAYS_COLORED 1
-#endif
+  #endif
-/* StatsD config
+  /* StatsD config
-   Config can be adjusted via AFL_STATSD_HOST and AFL_STATSD_PORT environment
+     Config can be adjusted via AFL_STATSD_HOST and AFL_STATSD_PORT environment
-   variable.
+     variable.
-*/
+  */
-#define STATSD_UPDATE_SEC 1
+  #define STATSD_UPDATE_SEC 1
-#define STATSD_DEFAULT_PORT 8125
+  #define STATSD_DEFAULT_PORT 8125
-#define STATSD_DEFAULT_HOST "127.0.0.1"
+  #define STATSD_DEFAULT_HOST "127.0.0.1"
 /* If you want to have the original afl internal memory corruption checks.
   Disabled by default for speed. it is better to use "make ASAN_BUILD=1". */
@ -139,70 +151,70 @@
 /* Comment out to disable fancy boxes and use poor man's 7-bit UI: */
-#ifndef DISABLE_FANCY
+  #ifndef DISABLE_FANCY
-  #define FANCY_BOXES
+    #define FANCY_BOXES
-#endif
+  #endif
 /* Default timeout for fuzzed code (milliseconds). This is the upper bound,
   also used for detecting hangs; the actual value is auto-scaled: */
-#define EXEC_TIMEOUT 1000U
+  #define EXEC_TIMEOUT 1000U
 /* Timeout rounding factor when auto-scaling (milliseconds): */
-#define EXEC_TM_ROUND 20U
+  #define EXEC_TM_ROUND 20U
-/* 64bit arch MACRO */
+  /* 64bit arch MACRO */
-#if (defined(__x86_64__) || defined(__arm64__) || defined(__aarch64__))
+  #if (defined(__x86_64__) || defined(__arm64__) || defined(__aarch64__))
-  #define WORD_SIZE_64 1
+    #define WORD_SIZE_64 1
-#endif
+  #endif
 /* Default memory limit for child process (MB) 0 = disabled : */
-#define MEM_LIMIT 0U
+  #define MEM_LIMIT 0U
 /* Default memory limit when running in QEMU mode (MB) 0 = disabled : */
-#define MEM_LIMIT_QEMU 0U
+  #define MEM_LIMIT_QEMU 0U
 /* Default memory limit when running in Unicorn mode (MB) 0 = disabled : */
-#define MEM_LIMIT_UNICORN 0U
+  #define MEM_LIMIT_UNICORN 0U
 /* Number of calibration cycles per every new test case (and for test
   cases that show variable behavior): */
-#define CAL_CYCLES_FAST 3U
+  #define CAL_CYCLES_FAST 3U
-#define CAL_CYCLES 7U
+  #define CAL_CYCLES 7U
-#define CAL_CYCLES_LONG 12U
+  #define CAL_CYCLES_LONG 12U
 /* Number of subsequent timeouts before abandoning an input file: */
-#define TMOUT_LIMIT 250U
+  #define TMOUT_LIMIT 250U
 /* Maximum number of unique hangs or crashes to record: */
-#define KEEP_UNIQUE_HANG 500U
+  #define KEEP_UNIQUE_HANG 500U
-#define KEEP_UNIQUE_CRASH 10000U
+  #define KEEP_UNIQUE_CRASH 10000U
 /* Baseline number of random tweaks during a single 'havoc' stage: */
-#define HAVOC_CYCLES 256U
+  #define HAVOC_CYCLES 256U
-#define HAVOC_CYCLES_INIT 1024U
+  #define HAVOC_CYCLES_INIT 1024U
 /* Maximum multiplier for the above (should be a power of two, beware
   of 32-bit int overflows): */
-#define HAVOC_MAX_MULT 64U
+  #define HAVOC_MAX_MULT 64U
-#define HAVOC_MAX_MULT_MOPT 64U
+  #define HAVOC_MAX_MULT_MOPT 64U
 /* Absolute minimum number of havoc cycles (after all adjustments): */
-#define HAVOC_MIN 12U
+  #define HAVOC_MIN 12U
-/* Power Schedule Divisor */
+  /* Power Schedule Divisor */
-#define POWER_BETA 1U
+  #define POWER_BETA 1U
-#define MAX_FACTOR (POWER_BETA * 32)
+  #define MAX_FACTOR (POWER_BETA * 32)
 /* Maximum stacking for havoc-stage tweaks. The actual value is calculated
   like this:
@ -213,124 +225,124 @@
   In other words, the default (n = 4) produces 2, 4, 8, 16
   stacked tweaks: */
-#define HAVOC_STACK_POW2 4U
+  #define HAVOC_STACK_POW2 4U
 /* Caps on block sizes for cloning and deletion operations. Each of these
   ranges has a 33% probability of getting picked, except for the first
   two cycles where smaller blocks are favored: */
-#define HAVOC_BLK_SMALL 32U
+  #define HAVOC_BLK_SMALL 32U
-#define HAVOC_BLK_MEDIUM 128U
+  #define HAVOC_BLK_MEDIUM 128U
-#define HAVOC_BLK_LARGE 1500U
+  #define HAVOC_BLK_LARGE 1500U
 /* Extra-large blocks, selected very rarely (<5% of the time): */
-#define HAVOC_BLK_XL 32768U
+  #define HAVOC_BLK_XL 32768U
 /* Probabilities of skipping non-favored entries in the queue, expressed as
   percentages: */
-#define SKIP_TO_NEW_PROB 99     /* ...when there are new, pending favorites */
+  #define SKIP_TO_NEW_PROB 99   /* ...when there are new, pending favorites */
-#define SKIP_NFAV_OLD_PROB 95   /* ...no new favs, cur entry already fuzzed */
+  #define SKIP_NFAV_OLD_PROB 95 /* ...no new favs, cur entry already fuzzed */
-#define SKIP_NFAV_NEW_PROB 75   /* ...no new favs, cur entry not fuzzed yet */
+  #define SKIP_NFAV_NEW_PROB 75 /* ...no new favs, cur entry not fuzzed yet */
 /* Splicing cycle count: */
-#define SPLICE_CYCLES 15
+  #define SPLICE_CYCLES 15
 /* Nominal per-splice havoc cycle length: */
-#define SPLICE_HAVOC 32
+  #define SPLICE_HAVOC 32
 /* Maximum offset for integer addition / subtraction stages: */
-#define ARITH_MAX 35
+  #define ARITH_MAX 35
 /* Limits for the test case trimmer. The absolute minimum chunk size; and
   the starting and ending divisors for chopping up the input file: */
-#define TRIM_MIN_BYTES 4
+  #define TRIM_MIN_BYTES 4
-#define TRIM_START_STEPS 16
+  #define TRIM_START_STEPS 16
-#define TRIM_END_STEPS 1024
+  #define TRIM_END_STEPS 1024
 /* Maximum size of input file, in bytes (keep under 100MB, default 1MB):
   (note that if this value is changed, several areas in afl-cc.c, afl-fuzz.c
   and afl-fuzz-state.c have to be changed as well! */
-#define MAX_FILE (1 * 1024 * 1024L)
+  #define MAX_FILE (1 * 1024 * 1024L)
 /* The same, for the test case minimizer: */
-#define TMIN_MAX_FILE (10 * 1024 * 1024L)
+  #define TMIN_MAX_FILE (10 * 1024 * 1024L)
 /* Block normalization steps for afl-tmin: */
-#define TMIN_SET_MIN_SIZE 4
+  #define TMIN_SET_MIN_SIZE 4
-#define TMIN_SET_STEPS 128
+  #define TMIN_SET_STEPS 128
 /* Maximum dictionary token size (-x), in bytes: */
-#define MAX_DICT_FILE 128
+  #define MAX_DICT_FILE 128
 /* Length limits for auto-detected dictionary tokens: */
-#define MIN_AUTO_EXTRA 3
+  #define MIN_AUTO_EXTRA 3
-#define MAX_AUTO_EXTRA 32
+  #define MAX_AUTO_EXTRA 32
 /* Maximum number of user-specified dictionary tokens to use in deterministic
   steps; past this point, the "extras/user" step will be still carried out,
   but with proportionally lower odds: */
-#define MAX_DET_EXTRAS 256
+  #define MAX_DET_EXTRAS 256
 /* Maximum number of auto-extracted dictionary tokens to actually use in fuzzing
   (first value), and to keep in memory as candidates. The latter should be much
   higher than the former. */
-#define USE_AUTO_EXTRAS 4096
+  #define USE_AUTO_EXTRAS 4096
-#define MAX_AUTO_EXTRAS (USE_AUTO_EXTRAS * 8)
+  #define MAX_AUTO_EXTRAS (USE_AUTO_EXTRAS * 8)
 /* Scaling factor for the effector map used to skip some of the more
   expensive deterministic steps. The actual divisor is set to
   2^EFF_MAP_SCALE2 bytes: */
-#define EFF_MAP_SCALE2 3
+  #define EFF_MAP_SCALE2 3
 /* Minimum input file length at which the effector logic kicks in: */
-#define EFF_MIN_LEN 128
+  #define EFF_MIN_LEN 128
 /* Maximum effector density past which everything is just fuzzed
   unconditionally (%): */
-#define EFF_MAX_PERC 90
+  #define EFF_MAX_PERC 90
 /* UI refresh frequency (Hz): */
-#define UI_TARGET_HZ 5
+  #define UI_TARGET_HZ 5
 /* Fuzzer stats file, queue stats and plot update intervals (sec): */
-#define STATS_UPDATE_SEC 60
+  #define STATS_UPDATE_SEC 60
-#define PLOT_UPDATE_SEC 5
+  #define PLOT_UPDATE_SEC 5
-#define QUEUE_UPDATE_SEC 1800
+  #define QUEUE_UPDATE_SEC 1800
 /* Smoothing divisor for CPU load and exec speed stats (1 - no smoothing). */
-#define AVG_SMOOTHING 16
+  #define AVG_SMOOTHING 16
 /* Sync interval (every n havoc cycles): */
-#define SYNC_INTERVAL 8
+  #define SYNC_INTERVAL 8
 /* Sync time (minimum time between syncing in ms, time is halfed for -M main
   nodes) - default is 20 minutes: */
-#define SYNC_TIME (20 * 60 * 1000)
+  #define SYNC_TIME (20 * 60 * 1000)
 /* Output directory reuse grace period (minutes): */
-#define OUTPUT_GRACE 25
+  #define OUTPUT_GRACE 25
 /* Uncomment to use simple file names (id_NNNNNN): */
@ -338,45 +350,45 @@
 /* List of interesting values to use in fuzzing. */
-#define INTERESTING_8                                    \
+  #define INTERESTING_8                                    \
-  -128,    /* Overflow signed 8-bit when decremented  */ \
+    -128,    /* Overflow signed 8-bit when decremented  */ \
-      -1,  /*                                         */ \
+        -1,  /*                                         */ \
-      0,   /*                                         */ \
+        0,   /*                                         */ \
-      1,   /*                                         */ \
+        1,   /*                                         */ \
-      16,  /* One-off with common buffer size         */ \
+        16,  /* One-off with common buffer size         */ \
-      32,  /* One-off with common buffer size         */ \
+        32,  /* One-off with common buffer size         */ \
-      64,  /* One-off with common buffer size         */ \
+        64,  /* One-off with common buffer size         */ \
-      100, /* One-off with common buffer size         */ \
+        100, /* One-off with common buffer size         */ \
-      127                        /* Overflow signed 8-bit when incremented  */
+        127                      /* Overflow signed 8-bit when incremented  */
-#define INTERESTING_8_LEN 9
+  #define INTERESTING_8_LEN 9
-#define INTERESTING_16                                    \
+  #define INTERESTING_16                                    \
-  -32768,   /* Overflow signed 16-bit when decremented */ \
+    -32768,   /* Overflow signed 16-bit when decremented */ \
-      -129, /* Overflow signed 8-bit                   */ \
+        -129, /* Overflow signed 8-bit                   */ \
-      128,  /* Overflow signed 8-bit                   */ \
+        128,  /* Overflow signed 8-bit                   */ \
-      255,  /* Overflow unsig 8-bit when incremented   */ \
+        255,  /* Overflow unsig 8-bit when incremented   */ \
-      256,  /* Overflow unsig 8-bit                    */ \
+        256,  /* Overflow unsig 8-bit                    */ \
-      512,  /* One-off with common buffer size         */ \
+        512,  /* One-off with common buffer size         */ \
-      1000, /* One-off with common buffer size         */ \
+        1000, /* One-off with common buffer size         */ \
-      1024, /* One-off with common buffer size         */ \
+        1024, /* One-off with common buffer size         */ \
-      4096, /* One-off with common buffer size         */ \
+        4096, /* One-off with common buffer size         */ \
-      32767                      /* Overflow signed 16-bit when incremented */
+        32767                    /* Overflow signed 16-bit when incremented */
-#define INTERESTING_16_LEN 10
+  #define INTERESTING_16_LEN 10
-#define INTERESTING_32                                          \
+  #define INTERESTING_32                                          \
-  -2147483648LL,  /* Overflow signed 32-bit when decremented */ \
+    -2147483648LL,  /* Overflow signed 32-bit when decremented */ \
-      -100663046, /* Large negative number (endian-agnostic) */ \
+        -100663046, /* Large negative number (endian-agnostic) */ \
-      -32769,     /* Overflow signed 16-bit                  */ \
+        -32769,     /* Overflow signed 16-bit                  */ \
-      32768,      /* Overflow signed 16-bit                  */ \
+        32768,      /* Overflow signed 16-bit                  */ \
-      65535,      /* Overflow unsig 16-bit when incremented  */ \
+        65535,      /* Overflow unsig 16-bit when incremented  */ \
-      65536,      /* Overflow unsig 16 bit                   */ \
+        65536,      /* Overflow unsig 16 bit                   */ \
-      100663045,  /* Large positive number (endian-agnostic) */ \
+        100663045,  /* Large positive number (endian-agnostic) */ \
-      2139095040, /* float infinite                          */ \
+        2139095040, /* float infinite                          */ \
-      2147483647                 /* Overflow signed 32-bit when incremented */
+        2147483647               /* Overflow signed 32-bit when incremented */
-#define INTERESTING_32_LEN 9
+  #define INTERESTING_32_LEN 9
 /***********************************************************
 *                                                         *
@ -386,72 +398,72 @@
 /* Call count interval between reseeding the PRNG from /dev/urandom: */
-#define RESEED_RNG 2500000
+  #define RESEED_RNG 2500000
 /* The default maximum testcase cache size in MB, 0 = disable.
   A value between 50 and 250 is a good default value. Note that the
   number of entries will be auto assigned if not specified via the
   AFL_TESTCACHE_ENTRIES env variable */
-#define TESTCASE_CACHE_SIZE 50
+  #define TESTCASE_CACHE_SIZE 50
 /* Maximum line length passed from GCC to 'as' and used for parsing
   configuration files: */
-#define MAX_LINE 8192
+  #define MAX_LINE 8192
 /* Environment variable used to pass SHM ID to the called program. */
-#define SHM_ENV_VAR "__AFL_SHM_ID"
+  #define SHM_ENV_VAR "__AFL_SHM_ID"
 /* Environment variable used to pass SHM FUZZ ID to the called program. */
-#define SHM_FUZZ_ENV_VAR "__AFL_SHM_FUZZ_ID"
+  #define SHM_FUZZ_ENV_VAR "__AFL_SHM_FUZZ_ID"
 /* Other less interesting, internal-only variables. */
-#define CLANG_ENV_VAR "__AFL_CLANG_MODE"
+  #define CLANG_ENV_VAR "__AFL_CLANG_MODE"
-#define AS_LOOP_ENV_VAR "__AFL_AS_LOOPCHECK"
+  #define AS_LOOP_ENV_VAR "__AFL_AS_LOOPCHECK"
-#define PERSIST_ENV_VAR "__AFL_PERSISTENT"
+  #define PERSIST_ENV_VAR "__AFL_PERSISTENT"
-#define DEFER_ENV_VAR "__AFL_DEFER_FORKSRV"
+  #define DEFER_ENV_VAR "__AFL_DEFER_FORKSRV"
 /* In-code signatures for deferred and persistent mode. */
-#define PERSIST_SIG "##SIG_AFL_PERSISTENT##"
+  #define PERSIST_SIG "##SIG_AFL_PERSISTENT##"
-#define DEFER_SIG "##SIG_AFL_DEFER_FORKSRV##"
+  #define DEFER_SIG "##SIG_AFL_DEFER_FORKSRV##"
 /* Distinctive bitmap signature used to indicate failed execution: */
-#define EXEC_FAIL_SIG 0xfee1dead
+  #define EXEC_FAIL_SIG 0xfee1dead
 /* Distinctive exit code used to indicate MSAN trip condition: */
-#define MSAN_ERROR 86
+  #define MSAN_ERROR 86
 /* Distinctive exit code used to indicate LSAN trip condition: */
-#define LSAN_ERROR 23
+  #define LSAN_ERROR 23
 /* Designated file descriptors for forkserver commands (the application will
   use FORKSRV_FD and FORKSRV_FD + 1): */
-#define FORKSRV_FD 198
+  #define FORKSRV_FD 198
 /* Fork server init timeout multiplier: we'll wait the user-selected
   timeout plus this much for the fork server to spin up. */
-#define FORK_WAIT_MULT 10
+  #define FORK_WAIT_MULT 10
 /* Calibration timeout adjustments, to be a bit more generous when resuming
   fuzzing sessions or trying to calibrate already-added internal finds.
   The first value is a percentage, the other is in milliseconds: */
-#define CAL_TMOUT_PERC 125
+  #define CAL_TMOUT_PERC 125
-#define CAL_TMOUT_ADD 50
+  #define CAL_TMOUT_ADD 50
 /* Number of chances to calibrate a case before giving up: */
-#define CAL_CHANCES 3
+  #define CAL_CHANCES 3
 /* Map size for the traced binary (2^MAP_SIZE_POW2). Must be greater than
   2; you probably want to keep it under 18 or so for performance reasons
@ -459,42 +471,42 @@
   problems with complex programs). You need to recompile the target binary
   after changing this - otherwise, SEGVs may ensue. */
-#define MAP_SIZE_POW2 16
+  #define MAP_SIZE_POW2 16
 /* Do not change this unless you really know what you are doing. */
-#define MAP_SIZE (1U << MAP_SIZE_POW2)
+  #define MAP_SIZE (1U << MAP_SIZE_POW2)
-#if MAP_SIZE <= 2097152
+  #if MAP_SIZE <= 2097152
-  #define MAP_INITIAL_SIZE (2 << 20)  // = 2097152
+    #define MAP_INITIAL_SIZE (2 << 20)  // = 2097152
-#else
+  #else
-  #define MAP_INITIAL_SIZE MAP_SIZE
+    #define MAP_INITIAL_SIZE MAP_SIZE
-#endif
+  #endif
 /* Maximum allocator request size (keep well under INT_MAX): */
-#define MAX_ALLOC 0x40000000
+  #define MAX_ALLOC 0x40000000
 /* A made-up hashing seed: */
-#define HASH_CONST 0xa5b35705
+  #define HASH_CONST 0xa5b35705
 /* Constants for afl-gotcpu to control busy loop timing: */
-#define CTEST_TARGET_MS 5000
+  #define CTEST_TARGET_MS 5000
-#define CTEST_CORE_TRG_MS 1000
+  #define CTEST_CORE_TRG_MS 1000
-#define CTEST_BUSY_CYCLES (10 * 1000 * 1000)
+  #define CTEST_BUSY_CYCLES (10 * 1000 * 1000)
 /* Enable NeverZero counters in QEMU mode */
-#define AFL_QEMU_NOT_ZERO
+  #define AFL_QEMU_NOT_ZERO
 /* AFL RedQueen */
-#define CMPLOG_SHM_ENV_VAR "__AFL_CMPLOG_SHM_ID"
+  #define CMPLOG_SHM_ENV_VAR "__AFL_CMPLOG_SHM_ID"
 /* CPU Affinity lockfile env var */
-#define CPU_AFFINITY_ENV_VAR "__AFL_LOCKFILE"
+  #define CPU_AFFINITY_ENV_VAR "__AFL_LOCKFILE"
 /* Uncomment this to use inferior block-coverage-based instrumentation. Note
   that you need to recompile the target binary for this to have any effect: */
@ -517,28 +529,28 @@
 /* Minimum length of a queue input to be evaluated for "is_ascii"? */
-#define AFL_TXT_MIN_LEN 12
+  #define AFL_TXT_MIN_LEN 12
 /* Maximum length of a queue input to be evaluated for "is_ascii"? */
-#define AFL_TXT_MAX_LEN 65535
+  #define AFL_TXT_MAX_LEN 65535
 /* What is the minimum percentage of ascii characters present to be classifed
   as "is_ascii"? */
-#define AFL_TXT_MIN_PERCENT 99
+  #define AFL_TXT_MIN_PERCENT 99
 /* How often to perform ASCII mutations 0 = disable, 1-8 are good values */
-#define AFL_TXT_BIAS 6
+  #define AFL_TXT_BIAS 6
 /* Maximum length of a string to tamper with */
-#define AFL_TXT_STRING_MAX_LEN 1024
+  #define AFL_TXT_STRING_MAX_LEN 1024
 /* Maximum mutations on a string */
-#define AFL_TXT_STRING_MAX_MUTATIONS 6
+  #define AFL_TXT_STRING_MAX_MUTATIONS 6
 #endif                                                  /* ! _HAVE_CONFIG_H */
--- a/instrumentation/afl-compiler-rt.o.c
+++ b/instrumentation/afl-compiler-rt.o.c
@ -2670,6 +2670,89 @@ void __cmplog_rtn_llvm_stdstring_stdstring(u8 *stdstring1, u8 *stdstring2) {
 }
 /* llvm weak hooks */
 void __sanitizer_weak_hook_memcmp(void *pc, const void *s1, const void *s2,
                                  size_t n, int result) {
  __cmplog_rtn_hook_n((u8 *)s1, (u8 *)s2, (u64)n);
  (void)pc;
  (void)result;
 }
 void __sanitizer_weak_hook_memmem(void *pc, const void *s1, size_t len1,
                                  const void *s2, size_t len2, void *result) {
  __cmplog_rtn_hook_n((u8 *)s1, (u8 *)s2, len1 < len2 ? (u64)len1 : (u64)len2);
  (void)pc;
  (void)result;
 }
 void __sanitizer_weak_hook_strncasecmp(void *pc, const void *s1, const void *s2,
                                       size_t n, int result) {
  __cmplog_rtn_hook_strn((u8 *)s1, (u8 *)s2, (u64)n);
  (void)pc;
  (void)result;
 }
 void __sanitizer_weak_hook_strncasestr(void *pc, const void *s1, const void *s2,
                                       size_t n, char *result) {
  __cmplog_rtn_hook_strn((u8 *)s1, (u8 *)s2, (u64)n);
  (void)pc;
  (void)result;
 }
 void __sanitizer_weak_hook_strncmp(void *pc, const void *s1, const void *s2,
                                   size_t n, int result) {
  __cmplog_rtn_hook_strn((u8 *)s1, (u8 *)s2, (u64)n);
  (void)pc;
  (void)result;
 }
 void __sanitizer_weak_hook_strcasecmp(void *pc, const void *s1, const void *s2,
                                      int result) {
  __cmplog_rtn_hook_str((u8 *)s1, (u8 *)s2);
  (void)pc;
  (void)result;
 }
 void __sanitizer_weak_hook_strcasestr(void *pc, const void *s1, const void *s2,
                                      size_t n, char *result) {
  __cmplog_rtn_hook_str((u8 *)s1, (u8 *)s2);
  (void)pc;
  (void)result;
 }
 void __sanitizer_weak_hook_strcmp(void *pc, const void *s1, const void *s2,
                                  int result) {
  __cmplog_rtn_hook_str((u8 *)s1, (u8 *)s2);
  (void)pc;
  (void)result;
 }
 void __sanitizer_weak_hook_strstr(void *pc, const void *s1, const void *s2,
                                  char *result) {
  __cmplog_rtn_hook_str((u8 *)s1, (u8 *)s2);
  (void)pc;
  (void)result;
 }
 /* COVERAGE manipulation features */
 // this variable is then used in the shm setup to create an additional map
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
@ -1764,6 +1764,41 @@ static u8 fsanitize_fuzzer_comma(char *string) {
 }
 /* Add params to link with libAFLDriver.a on request */
 static void add_aflpplib(aflcc_state_t *aflcc) {
  if (!aflcc->need_aflpplib) return;
  u8 *afllib = find_object(aflcc, "libAFLDriver.a");
  if (!be_quiet) {
    OKF("Found '-fsanitize=fuzzer', replacing with libAFLDriver.a");
  }
  if (!afllib) {
    if (!be_quiet) {
      WARNF(
          "Cannot find 'libAFLDriver.a' to replace '-fsanitize=fuzzer' in "
          "the flags - this will fail!");
    }
  } else {
    insert_param(aflcc, afllib);
 #ifdef __APPLE__
    insert_param(aflcc, "-Wl,-undefined,dynamic_lookup");
 #endif
  }
 }
 /*
  Parse and process possible -fsanitize related args, return PARAM_MISS
  if nothing matched. We have 3 main tasks here for these args:
@ -1777,6 +1812,7 @@ static u8 fsanitize_fuzzer_comma(char *string) {
 param_st parse_fsanitize(aflcc_state_t *aflcc, u8 *cur_argv, u8 scan) {
  param_st final_ = PARAM_MISS;
  u8       insert = 0;
 // MACRO START
 #define HAVE_SANITIZER_SCAN_KEEP(v, k)        \
@ -1822,6 +1858,7 @@ param_st parse_fsanitize(aflcc_state_t *aflcc, u8 *cur_argv, u8 scan) {
    if (scan) {
      aflcc->need_aflpplib = 1;
      insert = 1;
      final_ = PARAM_SCAN;
    } else {
@ -1842,6 +1879,7 @@ param_st parse_fsanitize(aflcc_state_t *aflcc, u8 *cur_argv, u8 scan) {
      if (fsanitize_fuzzer_comma(cur_argv_)) {
        aflcc->need_aflpplib = 1;
        insert = 1;
        final_ = PARAM_SCAN;
      }
@ -1882,7 +1920,8 @@ param_st parse_fsanitize(aflcc_state_t *aflcc, u8 *cur_argv, u8 scan) {
  }
-  if (final_ == PARAM_KEEP) insert_param(aflcc, cur_argv);
+  if (final_ == PARAM_KEEP) { insert_param(aflcc, cur_argv); }
  if (insert) { add_aflpplib(aflcc); }
  return final_;
@ -2352,41 +2391,6 @@ void add_lto_passes(aflcc_state_t *aflcc) {
 }
 /* Add params to link with libAFLDriver.a on request */
 static void add_aflpplib(aflcc_state_t *aflcc) {
  if (!aflcc->need_aflpplib) return;
  u8 *afllib = find_object(aflcc, "libAFLDriver.a");
  if (!be_quiet) {
    OKF("Found '-fsanitize=fuzzer', replacing with libAFLDriver.a");
  }
  if (!afllib) {
    if (!be_quiet) {
      WARNF(
          "Cannot find 'libAFLDriver.a' to replace '-fsanitize=fuzzer' in "
          "the flags - this will fail!");
    }
  } else {
    insert_param(aflcc, afllib);
 #ifdef __APPLE__
    insert_param(aflcc, "-Wl,-undefined,dynamic_lookup");
 #endif
  }
 }
 /* Add params to link with runtimes depended by our instrumentation */
 void add_runtime(aflcc_state_t *aflcc) {
@ -2479,7 +2483,7 @@ void add_runtime(aflcc_state_t *aflcc) {
 #endif
-  add_aflpplib(aflcc);
+  add_aflpplib(aflcc);  // double insertion helps compiling
 #if defined(USEMMAP) && !defined(__HAIKU__) && !__APPLE__
  insert_param(aflcc, "-Wl,-lrt");
@ -2614,6 +2618,7 @@ void add_misc_params(aflcc_state_t *aflcc) {
    insert_param(aflcc, "-fno-builtin-strcasecmp");
    insert_param(aflcc, "-fno-builtin-strncasecmp");
    insert_param(aflcc, "-fno-builtin-memcmp");
    insert_param(aflcc, "-fno-builtin-memmem");
    insert_param(aflcc, "-fno-builtin-bcmp");
    insert_param(aflcc, "-fno-builtin-strstr");
    insert_param(aflcc, "-fno-builtin-strcasestr");
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@ -3430,7 +3430,7 @@ stop_fuzzing:
      ZLIBCLOSE(fr_fd);
      afl->var_byte_count = count_bytes(afl, afl->var_bytes);
-      OKF("Written fastresume.bin with %u bytes!", w);
+      OKF("fastresume.bin succesfully written with %u bytes.", w);
    } else {