ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-16 03:48:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

nit with code formatt-ed

Browse Source
This commit is contained in:
mio
2025-01-23 19:11:45 +08:00
parent c4d576b4e0
commit 5c239d9207
6 changed files with 268 additions and 190 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
include/afl-fuzz.h
View File

@ -615,8 +615,7 @@ typedef struct afl_state {
u32 *n_fuzz; u32 *n_fuzz;
u8 *n_fuzz_dup; u8 *n_fuzz_dup;
u8 *classified_n_fuzz; u8 *classified_n_fuzz;
u8 *simplitied_n_fuzz; u8 *simplified_n_fuzz;
volatile u8 stop_soon, /* Ctrl-C pressed? */ volatile u8 stop_soon, /* Ctrl-C pressed? */
clear_screen; /* Window resized? */ clear_screen; /* Window resized? */

4
include/debug.h
View File

@ -357,9 +357,9 @@ static inline const char *colorfilter(const char *x) {
do { \ do { \
\ \
if (res < 0) \ if (res < 0) \
ABORT(x); \ PFATAL(x); \
else \ else \
ABORT(x); \ FATAL(x); \
\ \
} while (0) } while (0)

26
src/afl-cc.c
View File

@ -246,13 +246,13 @@ static inline void insert_object(aflcc_state_t *aflcc, u8 *obj, u8 *fmt,
/* Insert params into the new argv, make clang load the pass. */ /* Insert params into the new argv, make clang load the pass. */
static inline void load_llvm_pass(aflcc_state_t *aflcc, u8 *pass) { static inline void load_llvm_pass(aflcc_state_t *aflcc, u8 *pass) {
if (getenv("AFL_SAN_NO_INST")) {
if (!be_quiet) {
DEBUGF("Instrument disabled\n");
}
return;
}
if (getenv("AFL_SAN_NO_INST")) {
if (!be_quiet) { DEBUGF("SAND: Coverage instrumentation disabled\n"); }
return;
}
#if LLVM_MAJOR >= 11 /* use new pass manager */ #if LLVM_MAJOR >= 11 /* use new pass manager */
#if LLVM_MAJOR < 16 #if LLVM_MAJOR < 16
@ -2069,6 +2069,7 @@ void add_sanitizers(aflcc_state_t *aflcc, char **envp) {
} }
aflcc->have_cfisan = 1; aflcc->have_cfisan = 1;
} }
} }
@ -2086,11 +2087,12 @@ void add_native_pcguard(aflcc_state_t *aflcc) {
*/ */
if (aflcc->have_rust_asanrt) { return; } if (aflcc->have_rust_asanrt) { return; }
if (getenv("AFL_SAN_NO_INST")) { if (getenv("AFL_SAN_NO_INST")) {
if (!be_quiet) {
DEBUGF("Instrument disabled\n"); if (!be_quiet) { DEBUGF("SAND: Coverage instrumentation disabled\n"); }
}
return; return;
} }
/* If llvm-config doesn't figure out LLVM_MAJOR, just /* If llvm-config doesn't figure out LLVM_MAJOR, just
go on anyway and let compiler complain if doesn't work. */ go on anyway and let compiler complain if doesn't work. */
@ -2126,10 +2128,10 @@ void add_native_pcguard(aflcc_state_t *aflcc) {
void add_optimized_pcguard(aflcc_state_t *aflcc) { void add_optimized_pcguard(aflcc_state_t *aflcc) {
if (getenv("AFL_SAN_NO_INST")) { if (getenv("AFL_SAN_NO_INST")) {
if (!be_quiet) {
DEBUGF("Instrument disabled\n"); if (!be_quiet) { DEBUGF("SAND: Coverage instrumentation disabled\n"); }
}
return; return;
} }
#if LLVM_MAJOR >= 13 #if LLVM_MAJOR >= 13

92
src/afl-fuzz-bitmap.c
View File

@ -303,7 +303,6 @@ u8 *describe_op(afl_state_t *afl, u8 new_bits, size_t max_description_len) {
u8 san_crash_only = (afl->san_case_status & SAN_CRASH_ONLY); u8 san_crash_only = (afl->san_case_status & SAN_CRASH_ONLY);
u8 non_cov_incr = (afl->san_case_status & NON_COV_INCREASE_BUG); u8 non_cov_incr = (afl->san_case_status & NON_COV_INCREASE_BUG);
if (new_bits & 0xf0) { if (new_bits & 0xf0) {
new_bits -= 0x80; new_bits -= 0x80;
@ -463,17 +462,16 @@ void write_crash_readme(afl_state_t *afl) {
} }
static void bitmap_set(u8 *map, u32 index) { static void bitmap_set(u8 *map, u32 index) {
map[index / 8] |= (1u << ( index % 8 ));
}
// static u8 bitmap_clear(u8* map, u32 index) { map[index / 8] |= (1u << (index % 8));
// map[index / 8] &= ~(1u << (index % 8));
// } }
static u8 bitmap_read(u8 *map, u32 index) { static u8 bitmap_read(u8 *map, u32 index) {
return (map[index / 8] >> (index % 8)) & 1;
}
return (map[index / 8] >> (index % 8)) & 1;
}
/* Check if the result of an execve() during routine fuzzing is interesting, /* Check if the result of an execve() during routine fuzzing is interesting,
save or queue the input test case for further analysis if so. Returns 1 if save or queue the input test case for further analysis if so. Returns 1 if
@ -516,11 +514,17 @@ u8 __attribute__((hot)) save_if_interesting(afl_state_t *afl, void *mem,
/* Mask out var bytes */ /* Mask out var bytes */
if (unlikely(afl->san_binary_length)) { if (unlikely(afl->san_binary_length)) {
for (u32 i = 0; i < afl->fsrv.map_size; i++) { for (u32 i = 0; i < afl->fsrv.map_size; i++) {
if (afl->var_bytes[i] && afl->fsrv.trace_bits[i]) { if (afl->var_bytes[i] && afl->fsrv.trace_bits[i]) {
afl->fsrv.trace_bits[i] = 1; afl->fsrv.trace_bits[i] = 1;
} }
} }
} }
/* Update path frequency. */ /* Update path frequency. */
@ -544,66 +548,93 @@ u8 __attribute__((hot)) save_if_interesting(afl_state_t *afl, void *mem,
/* Only "normal" inputs seem interested to us */ /* Only "normal" inputs seem interested to us */
if (likely(fault == afl->crash_mode)) { if (likely(fault == afl->crash_mode)) {
if (unlikely(afl->san_binary_length) && likely(afl->san_abstraction == SIMPLIFY_TRACE)) { if (unlikely(afl->san_binary_length) &&
memcpy(afl->san_fsrvs[0].trace_bits, afl->fsrv.trace_bits, afl->fsrv.map_size); likely(afl->san_abstraction == SIMPLIFY_TRACE)) {
classify_counts_mem((u64*)afl->san_fsrvs[0].trace_bits, afl->fsrv.map_size);
memcpy(afl->san_fsrvs[0].trace_bits, afl->fsrv.trace_bits,
afl->fsrv.map_size);
classify_counts_mem((u64 *)afl->san_fsrvs[0].trace_bits,
afl->fsrv.map_size);
simplify_trace(afl, afl->san_fsrvs[0].trace_bits); simplify_trace(afl, afl->san_fsrvs[0].trace_bits);
// cksum_simplified = hash64(afl->san_fsrvs[0].trace_bits, afl->fsrv.map_size, HASH_CONST); // cksum_simplified = hash64(afl->san_fsrvs[0].trace_bits,
cksum_simplified = hash32_xxh32(afl->san_fsrvs[0].trace_bits, afl->fsrv.map_size, HASH_CONST); // afl->fsrv.map_size, HASH_CONST);
cksum_simplified = hash32_xxh32(afl->san_fsrvs[0].trace_bits,
afl->fsrv.map_size, HASH_CONST);
if (unlikely(!bitmap_read(afl->simplified_n_fuzz, cksum_simplified))) {
if ( unlikely(!bitmap_read(afl->simplitied_n_fuzz, cksum_simplified))) {
feed_san = 1; feed_san = 1;
bitmap_set(afl->simplitied_n_fuzz, cksum_simplified); bitmap_set(afl->simplified_n_fuzz, cksum_simplified);
} }
} }
if (unlikely(afl->san_binary_length) && unlikely(afl->san_abstraction == COVERAGE_INCREASE)) { if (unlikely(afl->san_binary_length) &&
unlikely(afl->san_abstraction == COVERAGE_INCREASE)) {
/* Check if the input increase the coverage */ /* Check if the input increase the coverage */
new_bits = has_new_bits_unclassified(afl, afl->virgin_bits); new_bits = has_new_bits_unclassified(afl, afl->virgin_bits);
if (unlikely(new_bits)) { if (unlikely(new_bits)) { feed_san = 1; }
feed_san = 1;
}
} }
if (unlikely(afl->san_binary_length) && likely(afl->san_abstraction == UNIQUE_TRACE)) { if (unlikely(afl->san_binary_length) &&
cksum_unique = hash32_xxh32(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); likely(afl->san_abstraction == UNIQUE_TRACE)) {
if (unlikely(!bitmap_read(afl->n_fuzz_dup, cksum) && fault == afl->crash_mode)) {
cksum_unique =
hash32_xxh32(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
if (unlikely(!bitmap_read(afl->n_fuzz_dup, cksum) &&
fault == afl->crash_mode)) {
feed_san = 1; feed_san = 1;
bitmap_set(afl->n_fuzz_dup, cksum_unique); bitmap_set(afl->n_fuzz_dup, cksum_unique);
} }
} }
if (feed_san) { if (feed_san) {
/* The input seems interested to other sanitizers, feed it into extra binaries. */
/* The input seems interested to other sanitizers, feed it into extra
* binaries. */
for (san_idx = 0; san_idx < afl->san_binary_length; san_idx++) { for (san_idx = 0; san_idx < afl->san_binary_length; san_idx++) {
len = write_to_testcase(afl, &mem, len, 0); len = write_to_testcase(afl, &mem, len, 0);
san_fault = fuzz_run_target(afl, &afl->san_fsrvs[san_idx], afl->san_fsrvs[san_idx].exec_tmout); san_fault = fuzz_run_target(afl, &afl->san_fsrvs[san_idx],
afl->san_fsrvs[san_idx].exec_tmout);
// DEBUGF("ASAN Result: %hhd\n", asan_fault); // DEBUGF("ASAN Result: %hhd\n", asan_fault);
if (unlikely(san_fault && fault == afl->crash_mode)) { if (unlikely(san_fault && fault == afl->crash_mode)) {
/* sanitizers discovers distinct bugs! */ /* sanitizers discovers distinct bugs! */
afl->san_case_status |= SAN_CRASH_ONLY; afl->san_case_status |= SAN_CRASH_ONLY;
} }
if (san_fault == FSRV_RUN_CRASH) { if (san_fault == FSRV_RUN_CRASH) {
/* Treat this execution as fault detected by ASAN */ /* Treat this execution as fault detected by ASAN */
// fault = san_fault; // fault = san_fault;
/* That's pretty enough, break to avoid more overhead. */ /* That's pretty enough, break to avoid more overhead. */
break; break;
} else { } else {
// or keep san_fault as ok // or keep san_fault as ok
san_fault = FSRV_RUN_OK; san_fault = FSRV_RUN_OK;
} }
} }
} }
} }
/* If there is no crash, everything is fine. */ /* If there is no crash, everything is fine. */
@ -612,23 +643,31 @@ u8 __attribute__((hot)) save_if_interesting(afl_state_t *afl, void *mem,
/* Keep only if there are new bits in the map, add to queue for /* Keep only if there are new bits in the map, add to queue for
future fuzzing, etc. */ future fuzzing, etc. */
if (!unlikely(afl->san_abstraction == COVERAGE_INCREASE && feed_san)) { if (!unlikely(afl->san_abstraction == COVERAGE_INCREASE && feed_san)) {
/* If we are in coverage increasing abstraction and have fed input to sanitizers, we are
sure it has new bits.*/ /* If we are in coverage increasing abstraction and have fed input to
sanitizers, we are sure it has new bits.*/
new_bits = has_new_bits_unclassified(afl, afl->virgin_bits); new_bits = has_new_bits_unclassified(afl, afl->virgin_bits);
} }
if (likely(!new_bits)) { if (likely(!new_bits)) {
if (san_fault == FSRV_RUN_OK) { if (san_fault == FSRV_RUN_OK) {
if (unlikely(afl->crash_mode)) { ++afl->total_crashes; } if (unlikely(afl->crash_mode)) { ++afl->total_crashes; }
return 0; return 0;
} else { } else {
afl->san_case_status |= NON_COV_INCREASE_BUG; afl->san_case_status |= NON_COV_INCREASE_BUG;
fault = san_fault; fault = san_fault;
classified = new_bits; classified = new_bits;
goto may_save_fault; goto may_save_fault;
} }
} }
fault = san_fault; fault = san_fault;
classified = new_bits; classified = new_bits;
@ -758,6 +797,7 @@ u8 __attribute__((hot)) save_if_interesting(afl_state_t *afl, void *mem,
keeping = 1; keeping = 1;
} }
may_save_fault: may_save_fault:
switch (fault) { switch (fault) {

38
src/afl-fuzz-stats.c
View File

@ -356,8 +356,7 @@ void write_stats_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg,
1000; 1000;
if (!runtime_ms) { runtime_ms = 1; } if (!runtime_ms) { runtime_ms = 1; }
fprintf( fprintf(f,
f,
"start_time : %llu\n" "start_time : %llu\n"
"last_update : %llu\n" "last_update : %llu\n"
"run_time : %llu\n" "run_time : %llu\n"
@ -425,9 +424,10 @@ void write_stats_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg,
afl->queued_discovered, afl->queued_imported, afl->queued_variable, afl->queued_discovered, afl->queued_imported, afl->queued_variable,
afl->max_depth, afl->current_entry, afl->pending_favored, afl->max_depth, afl->current_entry, afl->pending_favored,
afl->pending_not_fuzzed, stability, bitmap_cvg, afl->saved_crashes, afl->pending_not_fuzzed, stability, bitmap_cvg, afl->saved_crashes,
afl->saved_hangs, afl->total_tmouts, afl->last_find_time / 1000, afl->last_crash_time / 1000, afl->saved_hangs, afl->total_tmouts, afl->last_find_time / 1000,
afl->last_hang_time / 1000, afl->fsrv.total_execs - afl->last_crash_execs, afl->last_crash_time / 1000, afl->last_hang_time / 1000,
afl->fsrv.exec_tmout, afl->slowest_exec_ms, afl->fsrv.total_execs - afl->last_crash_execs, afl->fsrv.exec_tmout,
afl->slowest_exec_ms,
#ifndef __HAIKU__ #ifndef __HAIKU__
#ifdef __APPLE__ #ifdef __APPLE__
(unsigned long int)(rus.ru_maxrss >> 20), (unsigned long int)(rus.ru_maxrss >> 20),
@ -442,10 +442,11 @@ void write_stats_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg,
#else #else
-1, -1,
#endif #endif
t_bytes, afl->fsrv.real_map_size, afl->var_byte_count, afl->expand_havoc, t_bytes, afl->fsrv.real_map_size, afl->var_byte_count,
afl->a_extras_cnt, afl->q_testcase_cache_size, afl->expand_havoc, afl->a_extras_cnt, afl->q_testcase_cache_size,
afl->q_testcase_cache_count, afl->q_testcase_evictions, afl->use_banner, afl->q_testcase_cache_count, afl->q_testcase_evictions,
afl->unicorn_mode ? "unicorn" : "", afl->fsrv.qemu_mode ? "qemu " : "", afl->use_banner, afl->unicorn_mode ? "unicorn" : "",
afl->fsrv.qemu_mode ? "qemu " : "",
afl->fsrv.cs_mode ? "coresight" : "", afl->fsrv.cs_mode ? "coresight" : "",
afl->non_instrumented_mode ? " non_instrumented " : "", afl->non_instrumented_mode ? " non_instrumented " : "",
afl->no_forkserver ? "no_fsrv " : "", afl->crash_mode ? "crash " : "", afl->no_forkserver ? "no_fsrv " : "", afl->crash_mode ? "crash " : "",
@ -453,20 +454,23 @@ void write_stats_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg,
afl->shmem_testcase_mode ? "shmem_testcase " : "", afl->shmem_testcase_mode ? "shmem_testcase " : "",
afl->deferred_mode ? "deferred " : "", afl->deferred_mode ? "deferred " : "",
(afl->unicorn_mode || afl->fsrv.qemu_mode || afl->fsrv.cs_mode || (afl->unicorn_mode || afl->fsrv.qemu_mode || afl->fsrv.cs_mode ||
afl->non_instrumented_mode || afl->no_forkserver || afl->crash_mode || afl->non_instrumented_mode || afl->no_forkserver ||
afl->persistent_mode || afl->deferred_mode) afl->crash_mode || afl->persistent_mode || afl->deferred_mode)
? "" ? ""
: "default", : "default",
afl->orig_cmdline); afl->orig_cmdline);
if (afl->san_binary_length) { if (afl->san_binary_length) {
for (u8 i = 0; i < afl->san_binary_length; i++) { for (u8 i = 0; i < afl->san_binary_length; i++) {
fprintf(f, fprintf(f,
"extra_binary : %s\n" "extra_binary : %s\n"
"total_execs : %llu\n", "total_execs : %llu\n",
afl->san_binary[i], afl->san_binary[i], afl->san_fsrvs[i].total_execs);
afl->san_fsrvs[i].total_execs);
} }
} }
/* ignore errors */ /* ignore errors */
@ -552,7 +556,7 @@ void maybe_update_plot_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg,
afl->plot_prev_md == afl->max_depth && afl->plot_prev_md == afl->max_depth &&
afl->plot_prev_ed == afl->fsrv.total_execs) || afl->plot_prev_ed == afl->fsrv.total_execs) ||
!afl->queue_cycle || !afl->queue_cycle ||
get_cur_time() - afl->start_time <= 1000))) { get_cur_time() - afl->start_time <= 60000))) {
return; return;
@ -581,11 +585,13 @@ void maybe_update_plot_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg,
afl->queue_cycle - 1, afl->current_entry, afl->queued_items, afl->queue_cycle - 1, afl->current_entry, afl->queued_items,
afl->pending_not_fuzzed, afl->pending_favored, bitmap_cvg, afl->pending_not_fuzzed, afl->pending_favored, bitmap_cvg,
afl->saved_crashes, afl->saved_hangs, afl->max_depth, eps, afl->saved_crashes, afl->saved_hangs, afl->max_depth, eps,
afl->plot_prev_ed, t_bytes, afl->total_crashes, (u32)afl->san_binary_length); /* ignore errors */ afl->plot_prev_ed, t_bytes, afl->total_crashes,
(u32)afl->san_binary_length); /* ignore errors */
for (u32 i = 0; i < afl->san_binary_length; i++) { for (u32 i = 0; i < afl->san_binary_length; i++) {
fprintf(afl->fsrv.plot_file, ", %llu", afl->san_fsrvs[i].total_execs); fprintf(afl->fsrv.plot_file, ", %llu", afl->san_fsrvs[i].total_execs);
} }
fprintf(afl->fsrv.plot_file, "\n"); fprintf(afl->fsrv.plot_file, "\n");

63
src/afl-fuzz.c
View File

@ -258,7 +258,8 @@ static void usage(u8 *argv0, int more_help) {
"random\n" "random\n"
" -N - do not unlink the fuzzing input file (for devices " " -N - do not unlink the fuzzing input file (for devices "
"etc.)\n" "etc.)\n"
" -n - fuzz without instrumentation (non-instrumented mode)\n" " -n - fuzz without instrumentation (non-instrumented "
"mode)\n"
" -x dict_file - fuzzer dictionary (see README.md, specify up to 4 " " -x dict_file - fuzzer dictionary (see README.md, specify up to 4 "
"times)\n" "times)\n"
" -w san_binary - Specify the extra sanitizer instrumented binaries,\n" " -w san_binary - Specify the extra sanitizer instrumented binaries,\n"
@ -611,7 +612,8 @@ int main(int argc, char **argv_orig, char **envp) {
afl->shmem_testcase_mode = 1; // we always try to perform shmem fuzzing afl->shmem_testcase_mode = 1; // we always try to perform shmem fuzzing
// still available: HjJkKqruvwz // still available: HjJkKqruvwz
while ((opt = getopt(argc, argv, while (
(opt = getopt(argc, argv,
"+aw:Ab:B:c:CdDe:E:f:F:g:G:hi:I:l:L:m:M:nNo:Op:P:QRs:S:t:" "+aw:Ab:B:c:CdDe:E:f:F:g:G:hi:I:l:L:m:M:nNo:Op:P:QRs:S:t:"
"T:uUV:WXx:YzZ")) > 0) { "T:uUV:WXx:YzZ")) > 0) {
@ -749,12 +751,16 @@ int main(int argc, char **argv_orig, char **envp) {
case 'w': { case 'w': {
if (afl->san_binary_length == MAX_EXTRA_SAN_BINARY) { if (afl->san_binary_length == MAX_EXTRA_SAN_BINARY) {
FATAL("Only %d extra sanitizer instrumented binaries are supported.", MAX_EXTRA_SAN_BINARY);
FATAL("Only %d extra sanitizer instrumented binaries are supported.",
MAX_EXTRA_SAN_BINARY);
} }
afl->shm.sanfuzz_mode = 1; afl->shm.sanfuzz_mode = 1;
afl->san_binary[afl->san_binary_length++] = optarg; afl->san_binary[afl->san_binary_length++] = optarg;
break; break;
} }
case 's': { case 's': {
@ -1744,7 +1750,7 @@ int main(int argc, char **argv_orig, char **envp) {
} }
afl->n_fuzz_dup = ck_alloc(N_FUZZ_SIZE_BITMAP * sizeof(u8)); afl->n_fuzz_dup = ck_alloc(N_FUZZ_SIZE_BITMAP * sizeof(u8));
afl->simplitied_n_fuzz = ck_alloc(N_FUZZ_SIZE_BITMAP * sizeof(u8)); afl->simplified_n_fuzz = ck_alloc(N_FUZZ_SIZE_BITMAP * sizeof(u8));
if (get_afl_env("AFL_NO_FORKSRV")) { afl->no_forkserver = 1; } if (get_afl_env("AFL_NO_FORKSRV")) { afl->no_forkserver = 1; }
if (get_afl_env("AFL_NO_CPU_RED")) { afl->no_cpu_meter_red = 1; } if (get_afl_env("AFL_NO_CPU_RED")) { afl->no_cpu_meter_red = 1; }
@ -2416,7 +2422,9 @@ int main(int argc, char **argv_orig, char **envp) {
if (!afl->fsrv.out_file) { setup_stdio_file(afl); } if (!afl->fsrv.out_file) { setup_stdio_file(afl); }
for (u8 i = 0; i < afl->san_binary_length; i++) { for (u8 i = 0; i < afl->san_binary_length; i++) {
check_binary(afl, afl->san_binary[i]); check_binary(afl, afl->san_binary[i]);
} }
if (afl->cmplog_binary) { if (afl->cmplog_binary) {
@ -2579,34 +2587,50 @@ int main(int argc, char **argv_orig, char **envp) {
san_abstraction = getenv("AFL_SAN_ABSTRACTION"); san_abstraction = getenv("AFL_SAN_ABSTRACTION");
if (!san_abstraction || !strcmp(san_abstraction, "unique_trace")) { if (!san_abstraction || !strcmp(san_abstraction, "unique_trace")) {
afl->san_abstraction = UNIQUE_TRACE; afl->san_abstraction = UNIQUE_TRACE;
} else if (!strcmp(san_abstraction, "coverage_increase")) { } else if (!strcmp(san_abstraction, "coverage_increase")) {
afl->san_abstraction = COVERAGE_INCREASE; afl->san_abstraction = COVERAGE_INCREASE;
} else if (!strcmp(san_abstraction, "simplify_trace")) { } else if (!strcmp(san_abstraction, "simplify_trace")) {
afl->san_abstraction = SIMPLIFY_TRACE; afl->san_abstraction = SIMPLIFY_TRACE;
} else { } else {
WARNF("Unkown abstraction: %s, fallback to unique trace.\n", san_abstraction);
WARNF("Unkown abstraction: %s, fallback to unique trace.\n",
san_abstraction);
afl->san_abstraction = UNIQUE_TRACE; afl->san_abstraction = UNIQUE_TRACE;
} }
afl->no_saving_crash_seed = false; afl->no_saving_crash_seed = false;
if (!afl->san_binary_length && san_abstraction) { if (!afl->san_binary_length && san_abstraction) {
WARNF("No extra sanitizer instrumented binaries are given, do you forget -a?\n");
WARNF(
"No extra sanitizer instrumented binaries are given, do you forget "
"-a?\n");
} }
/* Maybe merge with cmplog but much cmplog code was already copy-paste style... */ /* Maybe merge with cmplog but much cmplog code was already copy-paste
* style... */
if (afl->san_binary_length) { if (afl->san_binary_length) {
for (u8 i = 0; i < afl->san_binary_length; i++) { for (u8 i = 0; i < afl->san_binary_length; i++) {
ACTF("Spawning forkserver for %s", afl->san_binary[i]); ACTF("Spawning forkserver for %s", afl->san_binary[i]);
afl_fsrv_init_dup(&afl->san_fsrvs[i], &afl->fsrv); afl_fsrv_init_dup(&afl->san_fsrvs[i], &afl->fsrv);
/* /*
* We don't really collect trace bits for sanitizer instrumented binary so we just allocate * We don't really collect trace bits for sanitizer instrumented binary so
* some dummy memory here. * we just allocate some dummy memory here.
*/ */
afl->san_fsrvs[i].trace_bits = ck_alloc(afl->fsrv.map_size + 8); /* One more u64 according to afl_shm_init*/ afl->san_fsrvs[i].trace_bits = ck_alloc(
afl->fsrv.map_size + 8); /* One more u64 according to afl_shm_init*/
afl->san_fsrvs[i].map_size = afl->fsrv.map_size; afl->san_fsrvs[i].map_size = afl->fsrv.map_size;
afl->san_fsrvs[i].san_but_not_instrumented = 1; afl->san_fsrvs[i].san_but_not_instrumented = 1;
@ -2617,7 +2641,8 @@ int main(int argc, char **argv_orig, char **envp) {
afl->san_fsrvs[i].target_path = afl->san_binary[i]; afl->san_fsrvs[i].target_path = afl->san_binary[i];
afl->san_fsrvs[i].init_child_func = sanfuzz_exec_child; afl->san_fsrvs[i].init_child_func = sanfuzz_exec_child;
afl->san_fsrvs[i].child_kill_signal = afl->fsrv.child_kill_signal; // I believe cmplog also needs this. afl->san_fsrvs[i].child_kill_signal =
afl->fsrv.child_kill_signal; // I believe cmplog also needs this.
afl->san_fsrvs[i].fsrv_kill_signal = afl->fsrv.fsrv_kill_signal; afl->san_fsrvs[i].fsrv_kill_signal = afl->fsrv.fsrv_kill_signal;
if ((map_size <= DEFAULT_SHMEM_SIZE || if ((map_size <= DEFAULT_SHMEM_SIZE ||
@ -2640,7 +2665,8 @@ int main(int argc, char **argv_orig, char **envp) {
// only reinitialize when it needs to be larger // only reinitialize when it needs to be larger
if (map_size < new_map_size) { if (map_size < new_map_size) {
OKF("Re-initializing maps to %u bytes due to SAN instrumented binary", new_map_size); OKF("Re-initializing maps to %u bytes due to SAN instrumented binary",
new_map_size);
afl->virgin_bits = ck_realloc(afl->virgin_bits, new_map_size); afl->virgin_bits = ck_realloc(afl->virgin_bits, new_map_size);
afl->virgin_tmout = ck_realloc(afl->virgin_tmout, new_map_size); afl->virgin_tmout = ck_realloc(afl->virgin_tmout, new_map_size);
@ -2675,9 +2701,13 @@ int main(int argc, char **argv_orig, char **envp) {
} }
OKF("forkserver for %s successfully started", afl->san_binary[i]); OKF("forkserver for %s successfully started", afl->san_binary[i]);
} }
OKF("All forkservers for extra sanitizers instrumented binares are up and we have abstraction = %d", afl->san_abstraction); OKF("All forkservers for extra sanitizers instrumented binares are up and "
"we have abstraction = %d",
afl->san_abstraction);
} }
if (afl->cmplog_binary) { if (afl->cmplog_binary) {
@ -3576,11 +3606,12 @@ stop_fuzzing:
afl_fsrv_deinit(&afl->fsrv); afl_fsrv_deinit(&afl->fsrv);
for (u8 i = 0; i < afl->san_binary_length; i++) { for (u8 i = 0; i < afl->san_binary_length; i++) {
ck_free(afl->san_fsrvs[i].trace_bits); ck_free(afl->san_fsrvs[i].trace_bits);
afl_fsrv_deinit(&afl->san_fsrvs[i]); // TODO: Is this necessary? cmplog fksrv seems never deinit-ed? afl_fsrv_deinit(&afl->san_fsrvs[i]); // TODO: Is this necessary? cmplog
// fksrv seems never deinit-ed?
} }
/* remove tmpfile */ /* remove tmpfile */