cleaned up maybe_add_auto calls

include/afl-fuzz.h

@@ -608,8 +608,6 @@ typedef struct afl_state {
   u32 document_counter;
 #endif
 
-  void *maybe_add_auto;
-
   /* statistics file */
   double last_bitmap_cvg, last_stability, last_eps;
 
@@ -911,7 +909,7 @@ u8 has_new_bits(afl_state_t *, u8 *);
 
 void load_extras_file(afl_state_t *, u8 *, u32 *, u32 *, u32);
 void load_extras(afl_state_t *, u8 *);
-void maybe_add_auto(void *, u8 *, u32);
+void maybe_add_auto(afl_state_t *, u8 *, u32);
 void save_auto(afl_state_t *);
 void load_auto(afl_state_t *);
 void destroy_extras(afl_state_t *);

include/forkserver.h

@@ -89,9 +89,9 @@ typedef struct afl_forkserver {
   /* Function to kick off the forkserver child */
   void (*init_child_func)(struct afl_forkserver *fsrv, char **argv);
 
-  u8 *function_opt;                     /* for autodictionary: afl ptr      */
+  u8 *afl_ptr;                     /* for autodictionary: afl ptr      */
 
-  void (*function_ptr)(void *afl_tmp, u8 *mem, u32 len);
+  void (*autodict_func)(void *afl_ptr, u8 *mem, u32 len);
 
 } afl_forkserver_t;
 

src/afl-forkserver.c

@@ -324,8 +324,7 @@ static void report_error_and_exit(int error) {
    cloning a stopped child. So, we just execute once, and then send commands
    through a pipe. The other part of this logic is in afl-as.h / llvm_mode */
 
-void __attribute__((hot))
+void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, volatile u8 *stop_soon_p,
-afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, volatile u8 *stop_soon_p,
                u8 debug_child_output) {
 
   int st_pipe[2], ctl_pipe[2];
@@ -631,13 +630,18 @@ afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, volatile u8 *stop_soon_p,
 
       if ((status & FS_OPT_AUTODICT) == FS_OPT_AUTODICT) {
 
-        if (fsrv->function_ptr == NULL || fsrv->function_opt == NULL) {
+        if (fsrv->autodict_func == NULL || fsrv->afl_ptr == NULL) {
 
           // this is not afl-fuzz - we deny and return
-          if (fsrv->use_shmem_fuzz)
+          if (fsrv->use_shmem_fuzz) {
+
             status = (FS_OPT_ENABLED | FS_OPT_SHDMEM_FUZZ);
-          else
+
+          } else {
+
             status = (FS_OPT_ENABLED);
+
+          }
           if (write(fsrv->fsrv_ctl_fd, &status, 4) != 4) {
 
             FATAL("Writing to forkserver failed.");
@@ -650,11 +654,16 @@ afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, volatile u8 *stop_soon_p,
 
         if (!be_quiet) { ACTF("Using AUTODICT feature."); }
 
-        if (fsrv->use_shmem_fuzz)
+        if (fsrv->use_shmem_fuzz) {
+
           status = (FS_OPT_ENABLED | FS_OPT_AUTODICT | FS_OPT_SHDMEM_FUZZ);
-        else
+
+        } else { 
+
           status = (FS_OPT_ENABLED | FS_OPT_AUTODICT);
 
+        }
+
         if (write(fsrv->fsrv_ctl_fd, &status, 4) != 4) {
 
           FATAL("Writing to forkserver failed.");
@@ -673,7 +682,8 @@ afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, volatile u8 *stop_soon_p,
 
         }
 
-        u32 len = status, offset = 0, count = 0;
+        u32 offset = 0, count = 0;
+        u32 len = status;
         u8 *dict = ck_alloc(len);
         if (dict == NULL) {
 
@@ -704,7 +714,7 @@ afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, volatile u8 *stop_soon_p,
         while (offset < (u32)status &&
                (u8)dict[offset] + offset < (u32)status) {
 
-          fsrv->function_ptr(fsrv->function_opt, dict + offset + 1,
+          fsrv->autodict_func(fsrv->afl_ptr, dict + offset + 1,
                              (u8)dict[offset]);
           offset += (1 + dict[offset]);
           count++;

src/afl-fuzz-extras.c

@@ -354,13 +354,9 @@ static inline u8 memcmp_nocase(u8 *m1, u8 *m2, u32 len) {
 }
 
 /* Maybe add automatic extra. */
-/* Ugly hack: afl state is transfered as u8* because we import data via
-   afl-forkserver.c - which is shared with other afl tools that do not
-   have the afl state struct */
 
-void maybe_add_auto(void *afl_tmp, u8 *mem, u32 len) {
+void maybe_add_auto(afl_state_t *afl, u8 *mem, u32 len) {
 
-  afl_state_t *afl = (afl_state_t *)afl_tmp;
   u32          i;
 
   /* Allow users to specify that they don't want auto dictionaries. */
@@ -544,7 +540,7 @@ void load_auto(afl_state_t *afl) {
 
     if (len >= MIN_AUTO_EXTRA && len <= MAX_AUTO_EXTRA) {
 
-      maybe_add_auto((u8 *)afl, tmp, len);
+      maybe_add_auto(afl, tmp, len);
 
     }
 

src/afl-fuzz-one.c

@@ -681,7 +681,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
 
         if (a_len >= MIN_AUTO_EXTRA && a_len <= MAX_AUTO_EXTRA) {
 
-          maybe_add_auto((u8 *)afl, a_collect, a_len);
+          maybe_add_auto(afl, a_collect, a_len);
 
         }
 
@@ -692,7 +692,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
 
         if (a_len >= MIN_AUTO_EXTRA && a_len <= MAX_AUTO_EXTRA) {
 
-          maybe_add_auto((u8 *)afl, a_collect, a_len);
+          maybe_add_auto(afl, a_collect, a_len);
 
         }
 
@@ -2882,7 +2882,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
 
         if (a_len >= MIN_AUTO_EXTRA && a_len <= MAX_AUTO_EXTRA) {
 
-          maybe_add_auto((u8 *)afl, a_collect, a_len);
+          maybe_add_auto(afl, a_collect, a_len);
 
         }
 
@@ -2893,7 +2893,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
 
         if (a_len >= MIN_AUTO_EXTRA && a_len <= MAX_AUTO_EXTRA) {
 
-          maybe_add_auto((u8 *)afl, a_collect, a_len);
+          maybe_add_auto(afl, a_collect, a_len);
 
         }
 

src/afl-fuzz-redqueen.c

@@ -500,7 +500,7 @@ static void try_to_add_to_dict(afl_state_t *afl, u64 v, u8 shape) {
 
   }
 
-  maybe_add_auto((u8 *)afl, (u8 *)&v, shape);
+  maybe_add_auto(afl, (u8 *)&v, shape);
 
   u64 rev;
   switch (shape) {
@@ -509,15 +509,15 @@ static void try_to_add_to_dict(afl_state_t *afl, u64 v, u8 shape) {
       break;
     case 2:
       rev = SWAP16((u16)v);
-      maybe_add_auto((u8 *)afl, (u8 *)&rev, shape);
+      maybe_add_auto(afl, (u8 *)&rev, shape);
       break;
     case 4:
       rev = SWAP32((u32)v);
-      maybe_add_auto((u8 *)afl, (u8 *)&rev, shape);
+      maybe_add_auto(afl, (u8 *)&rev, shape);
       break;
     case 8:
       rev = SWAP64(v);
-      maybe_add_auto((u8 *)afl, (u8 *)&rev, shape);
+      maybe_add_auto(afl, (u8 *)&rev, shape);
       break;
 
   }
@@ -772,8 +772,8 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) {
 
       if (afl->pass_stats[key].total == 0) {
 
-        maybe_add_auto((u8 *)afl, o->v0, SHAPE_BYTES(h->shape));
+        maybe_add_auto(afl, o->v0, SHAPE_BYTES(h->shape));
-        maybe_add_auto((u8 *)afl, o->v1, SHAPE_BYTES(h->shape));
+        maybe_add_auto(afl, o->v1, SHAPE_BYTES(h->shape));
 
       }
 

src/afl-fuzz-state.c

@@ -112,8 +112,9 @@ void afl_state_init(afl_state_t *afl, uint32_t map_size) {
 
   afl->fsrv.use_stdin = 1;
   afl->fsrv.map_size = map_size;
-  afl->fsrv.function_opt = (u8 *)afl;
+  // afl_state_t is not available in forkserver.c
-  afl->fsrv.function_ptr = &maybe_add_auto;
+  afl->fsrv.afl_ptr = (void *)afl;
+  afl->fsrv.autodict_func = (void (*)(void *, u8 *, u32))&maybe_add_auto;
 
   afl->cal_cycles = CAL_CYCLES;
   afl->cal_cycles_long = CAL_CYCLES_LONG;