ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-07 15:51:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

making AFL_MAP_SIZE obsolete

Browse Source
This commit is contained in:
van Hauser 2021-02-01 12:01:23 +01:00
parent 522eacce71
commit 981ffb27a8
15 changed files with 211 additions and 51 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
afl-cmin
View File

@ -343,7 +343,7 @@ BEGIN {
stat_format = "-f '%z %N'" # *BSD, MacOS stat_format = "-f '%z %N'" # *BSD, MacOS
} }
cmdline = "cd "in_dir" && find . \\( ! -name . -a -type d -prune \\) -o -type f -exec stat "stat_format" \\{\\} \\; | sort -k1n -k2r" cmdline = "cd "in_dir" && find . \\( ! -name . -a -type d -prune \\) -o -type f -exec stat "stat_format" \\{\\} \\; | sort -k1n -k2r"
cmdline = "ls "in_dir" | (cd "in_dir" && xargs stat "stat_format") | sort -k1n -k2r" cmdline = "ls "in_dir" | (cd "in_dir" && xargs stat "stat_format" 2>/dev/null) | sort -k1n -k2r"
while (cmdline | getline) { while (cmdline | getline) {
sub(/^[0-9]+ (\.\/)?/,"",$0) sub(/^[0-9]+ (\.\/)?/,"",$0)
infilesSmallToBig[i++] = $0 infilesSmallToBig[i++] = $0
@ -355,7 +355,7 @@ BEGIN {
# Make sure that we're not dealing with a directory. # Make sure that we're not dealing with a directory.
if (0 == system("test -d "in_dir"/"first_file)) { if (0 == system("test -d "in_dir"/"first_file)) {
print "[-] Error: The input directory contains subdirectories - please fix." > "/dev/stderr" print "[-] Error: The input directory is empty or contains subdirectories - please fix." > "/dev/stderr"
exit 1 exit 1
} }

2
docs/Changelog.md
View File

@ -16,6 +16,8 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
to be placed in the source code. to be placed in the source code.
Check out instrumentation/README.instrument_list.md Check out instrumentation/README.instrument_list.md
- afl-fuzz - afl-fuzz
- Making AFL_MAP_SIZE obsolete - afl-fuzz now learns on start the
target map size
- upgraded cmplog/redqueen: solving for floating point, solving - upgraded cmplog/redqueen: solving for floating point, solving
transformations (e.g. toupper, tolower, to/from hex, xor, transformations (e.g. toupper, tolower, to/from hex, xor,
arithmetics, etc.). this is costly hence new command line option arithmetics, etc.). this is costly hence new command line option

3
include/forkserver.h
View File

@ -120,11 +120,14 @@ void afl_fsrv_init(afl_forkserver_t *fsrv);
void afl_fsrv_init_dup(afl_forkserver_t *fsrv_to, afl_forkserver_t *from); void afl_fsrv_init_dup(afl_forkserver_t *fsrv_to, afl_forkserver_t *from);
void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
volatile u8 *stop_soon_p, u8 debug_child_output); volatile u8 *stop_soon_p, u8 debug_child_output);
u32 afl_fsrv_get_mapsize(afl_forkserver_t *fsrv, char **argv,
volatile u8 *stop_soon_p, u8 debug_child_output);
void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len); void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len);
fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout,
volatile u8 *stop_soon_p); volatile u8 *stop_soon_p);
void afl_fsrv_killall(void); void afl_fsrv_killall(void);
void afl_fsrv_deinit(afl_forkserver_t *fsrv); void afl_fsrv_deinit(afl_forkserver_t *fsrv);
void afl_fsrv_kill(afl_forkserver_t *fsrv);
#ifdef __APPLE__ #ifdef __APPLE__
#define MSG_FORK_ON_APPLE \ #define MSG_FORK_ON_APPLE \

1
include/sharedmem.h
View File

@ -51,6 +51,7 @@ typedef struct sharedmem {
size_t map_size; /* actual allocated size */ size_t map_size; /* actual allocated size */
int cmplog_mode; int cmplog_mode;
int shmemfuzz_mode;
struct cmp_map *cmp_map; struct cmp_map *cmp_map;
} sharedmem_t; } sharedmem_t;

28
src/afl-forkserver.c
View File

@ -682,11 +682,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
if ((status & FS_OPT_AUTODICT) == FS_OPT_AUTODICT) { if ((status & FS_OPT_AUTODICT) == FS_OPT_AUTODICT) {
if (ignore_autodict) { if (!ignore_autodict) {
if (!be_quiet) { WARNF("Ignoring offered AUTODICT feature."); }
} else {
if (fsrv->add_extra_func == NULL || fsrv->afl_ptr == NULL) { if (fsrv->add_extra_func == NULL || fsrv->afl_ptr == NULL) {
@ -969,7 +965,9 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
} }
static void afl_fsrv_kill(afl_forkserver_t *fsrv) { /* Stop the forkserver and child */
void afl_fsrv_kill(afl_forkserver_t *fsrv) {
if (fsrv->child_pid > 0) { kill(fsrv->child_pid, fsrv->kill_signal); } if (fsrv->child_pid > 0) { kill(fsrv->child_pid, fsrv->kill_signal); }
if (fsrv->fsrv_pid > 0) { if (fsrv->fsrv_pid > 0) {
@ -979,13 +977,28 @@ static void afl_fsrv_kill(afl_forkserver_t *fsrv) {
} }
close(fsrv->fsrv_ctl_fd);
close(fsrv->fsrv_st_fd);
fsrv->fsrv_pid = -1;
fsrv->child_pid = -1;
}
/* Get the map size from the target forkserver */
u32 afl_fsrv_get_mapsize(afl_forkserver_t *fsrv, char **argv,
volatile u8 *stop_soon_p, u8 debug_child_output) {
afl_fsrv_start(fsrv, argv, stop_soon_p, debug_child_output);
return fsrv->map_size;
} }
/* Delete the current testcase and write the buf to the testcase file */ /* Delete the current testcase and write the buf to the testcase file */
void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) { void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) {
if (fsrv->shmem_fuzz) { if (likely(fsrv->use_shmem_fuzz && fsrv->shmem_fuzz)) {
if (unlikely(len > MAX_FILE)) len = MAX_FILE; if (unlikely(len > MAX_FILE)) len = MAX_FILE;
@ -1042,6 +1055,7 @@ void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) {
} }
// fprintf(stderr, "WRITE %d %u\n", fd, len);
ck_write(fd, buf, len, fsrv->out_file); ck_write(fd, buf, len, fsrv->out_file);
if (fsrv->use_stdin) { if (fsrv->use_stdin) {

14
src/afl-fuzz-init.c
View File

@ -766,13 +766,16 @@ void read_testcases(afl_state_t *afl, u8 *directory) {
} }
if (unlikely(afl->schedule >= FAST && afl->schedule <= RARE)) { /*
if (unlikely(afl->schedule >= FAST && afl->schedule <= RARE)) {
u64 cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); u64 cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size,
afl->queue_top->n_fuzz_entry = cksum % N_FUZZ_SIZE; HASH_CONST); afl->queue_top->n_fuzz_entry = cksum % N_FUZZ_SIZE;
afl->n_fuzz[afl->queue_top->n_fuzz_entry] = 1; afl->n_fuzz[afl->queue_top->n_fuzz_entry] = 1;
} }
*/
} }
@ -2490,6 +2493,7 @@ void setup_testcase_shmem(afl_state_t *afl) {
// we need to set the non-instrumented mode to not overwrite the SHM_ENV_VAR // we need to set the non-instrumented mode to not overwrite the SHM_ENV_VAR
u8 *map = afl_shm_init(afl->shm_fuzz, MAX_FILE + sizeof(u32), 1); u8 *map = afl_shm_init(afl->shm_fuzz, MAX_FILE + sizeof(u32), 1);
afl->shm_fuzz->shmemfuzz_mode = 1;
if (!map) { FATAL("BUG: Zero return from afl_shm_init."); } if (!map) { FATAL("BUG: Zero return from afl_shm_init."); }

73
src/afl-fuzz.c
View File

@ -342,7 +342,6 @@ int main(int argc, char **argv_orig, char **envp) {
afl->debug = debug; afl->debug = debug;
afl_fsrv_init(&afl->fsrv); afl_fsrv_init(&afl->fsrv);
if (debug) { afl->fsrv.debug = true; } if (debug) { afl->fsrv.debug = true; }
read_afl_environment(afl, envp); read_afl_environment(afl, envp);
if (afl->shm.map_size) { afl->fsrv.map_size = afl->shm.map_size; } if (afl->shm.map_size) { afl->fsrv.map_size = afl->shm.map_size; }
exit_1 = !!afl->afl_env.afl_bench_just_one; exit_1 = !!afl->afl_env.afl_bench_just_one;
@ -702,7 +701,6 @@ int main(int argc, char **argv_orig, char **envp) {
if (afl->in_bitmap) { FATAL("Multiple -B options not supported"); } if (afl->in_bitmap) { FATAL("Multiple -B options not supported"); }
afl->in_bitmap = optarg; afl->in_bitmap = optarg;
read_bitmap(afl->in_bitmap, afl->virgin_bits, afl->fsrv.map_size);
break; break;
case 'C': /* crash mode */ case 'C': /* crash mode */
@ -1369,13 +1367,6 @@ int main(int argc, char **argv_orig, char **envp) {
set_scheduler_mode(SCHEDULER_MODE_LOW_LATENCY); set_scheduler_mode(SCHEDULER_MODE_LOW_LATENCY);
#endif #endif
afl->fsrv.trace_bits =
afl_shm_init(&afl->shm, afl->fsrv.map_size, afl->non_instrumented_mode);
if (!afl->in_bitmap) { memset(afl->virgin_bits, 255, afl->fsrv.map_size); }
memset(afl->virgin_tmout, 255, afl->fsrv.map_size);
memset(afl->virgin_crash, 255, afl->fsrv.map_size);
init_count_class16(); init_count_class16();
if (afl->is_main_node && check_main_node_exists(afl) == 1) { if (afl->is_main_node && check_main_node_exists(afl) == 1) {
@ -1542,6 +1533,70 @@ int main(int argc, char **argv_orig, char **envp) {
} }
afl->argv = use_argv; afl->argv = use_argv;
afl->fsrv.trace_bits =
afl_shm_init(&afl->shm, afl->fsrv.map_size, afl->non_instrumented_mode);
if (!afl->non_instrumented_mode) {
afl->fsrv.map_size = 4194304; // dummy temporary value
u32 new_map_size = afl_fsrv_get_mapsize(
&afl->fsrv, afl->argv, &afl->stop_soon, afl->afl_env.afl_debug_child);
if (new_map_size && new_map_size != 4194304) {
// only reinitialize when it makes sense
if (map_size != new_map_size) {
// if (map_size < new_map_size ||
// (new_map_size > map_size && new_map_size - map_size >
// MAP_SIZE)) {
OKF("Re-initializing maps to %u bytes", new_map_size);
afl->virgin_bits = ck_realloc(afl->virgin_bits, map_size);
afl->virgin_tmout = ck_realloc(afl->virgin_tmout, map_size);
afl->virgin_crash = ck_realloc(afl->virgin_crash, map_size);
afl->var_bytes = ck_realloc(afl->var_bytes, map_size);
afl->top_rated = ck_realloc(afl->top_rated, map_size * sizeof(void *));
afl->clean_trace = ck_realloc(afl->clean_trace, map_size);
afl->clean_trace_custom = ck_realloc(afl->clean_trace_custom, map_size);
afl->first_trace = ck_realloc(afl->first_trace, map_size);
afl->map_tmp_buf = ck_realloc(afl->map_tmp_buf, map_size);
afl_shm_deinit(&afl->shm);
afl_fsrv_kill(&afl->fsrv);
afl->fsrv.map_size = new_map_size;
afl->fsrv.trace_bits = afl_shm_init(&afl->shm, afl->fsrv.map_size,
afl->non_instrumented_mode);
setenv("AFL_NO_AUTODICT", "1", 1); // loaded already
afl_fsrv_start(&afl->fsrv, afl->argv, &afl->stop_soon,
afl->afl_env.afl_debug_child);
}
map_size = new_map_size;
}
afl->fsrv.map_size = map_size;
}
// after we have the correct bitmap size we can read the bitmap -B option
// and set the virgin maps
if (!afl->in_bitmap) {
memset(afl->virgin_bits, 255, afl->fsrv.map_size);
} else {
read_bitmap(afl->in_bitmap, afl->virgin_bits, afl->fsrv.map_size);
}
memset(afl->virgin_tmout, 255, afl->fsrv.map_size);
memset(afl->virgin_crash, 255, afl->fsrv.map_size);
if (afl->cmplog_binary) { if (afl->cmplog_binary) {

14
src/afl-sharedmem.c
View File

@ -66,9 +66,17 @@ static list_t shm_list = {.element_prealloc_count = 0};
void afl_shm_deinit(sharedmem_t *shm) { void afl_shm_deinit(sharedmem_t *shm) {
if (shm == NULL) return; if (shm == NULL) { return; }
list_remove(&shm_list, shm); list_remove(&shm_list, shm);
if (shm->shmemfuzz_mode) {
unsetenv(SHM_FUZZ_ENV_VAR);
} else {
unsetenv(SHM_ENV_VAR);
}
#ifdef USEMMAP #ifdef USEMMAP
if (shm->map != NULL) { if (shm->map != NULL) {
@ -94,6 +102,8 @@ void afl_shm_deinit(sharedmem_t *shm) {
if (shm->cmplog_mode) { if (shm->cmplog_mode) {
unsetenv(CMPLOG_SHM_ENV_VAR);
if (shm->cmp_map != NULL) { if (shm->cmp_map != NULL) {
munmap(shm->cmp_map, shm->map_size); munmap(shm->cmp_map, shm->map_size);

41
src/afl-showmap.c
View File

@ -86,7 +86,8 @@ static u8 quiet_mode, /* Hide non-essential messages? */
remove_shm = 1, /* remove shmem? */ remove_shm = 1, /* remove shmem? */
collect_coverage, /* collect coverage */ collect_coverage, /* collect coverage */
have_coverage, /* have coverage? */ have_coverage, /* have coverage? */
no_classify; /* do not classify counts */ no_classify, /* do not classify counts */
debug; /* debug mode */
static volatile u8 stop_soon, /* Ctrl-C pressed? */ static volatile u8 stop_soon, /* Ctrl-C pressed? */
child_crashed; /* Child crashed? */ child_crashed; /* Child crashed? */
@ -743,6 +744,7 @@ int main(int argc, char **argv_orig, char **envp) {
char **argv = argv_cpy_dup(argc, argv_orig); char **argv = argv_cpy_dup(argc, argv_orig);
afl_forkserver_t fsrv_var = {0}; afl_forkserver_t fsrv_var = {0};
if (getenv("AFL_DEBUG")) { debug = 1; }
fsrv = &fsrv_var; fsrv = &fsrv_var;
afl_fsrv_init(fsrv); afl_fsrv_init(fsrv);
map_size = get_map_size(); map_size = get_map_size();
@ -991,14 +993,16 @@ int main(int argc, char **argv_orig, char **envp) {
// if (afl->shmem_testcase_mode) { setup_testcase_shmem(afl); } // if (afl->shmem_testcase_mode) { setup_testcase_shmem(afl); }
setenv("AFL_NO_AUTODICT", "1", 1);
/* initialize cmplog_mode */ /* initialize cmplog_mode */
shm.cmplog_mode = 0; shm.cmplog_mode = 0;
fsrv->trace_bits = afl_shm_init(&shm, map_size, 0);
setup_signal_handlers(); setup_signal_handlers();
set_up_environment(fsrv); set_up_environment(fsrv);
fsrv->target_path = find_binary(argv[optind]); fsrv->target_path = find_binary(argv[optind]);
fsrv->trace_bits = afl_shm_init(&shm, map_size, 0);
if (!quiet_mode) { if (!quiet_mode) {
@ -1051,6 +1055,7 @@ int main(int argc, char **argv_orig, char **envp) {
/* initialize cmplog_mode */ /* initialize cmplog_mode */
shm_fuzz->cmplog_mode = 0; shm_fuzz->cmplog_mode = 0;
u8 *map = afl_shm_init(shm_fuzz, MAX_FILE + sizeof(u32), 1); u8 *map = afl_shm_init(shm_fuzz, MAX_FILE + sizeof(u32), 1);
shm_fuzz->shmemfuzz_mode = 1;
if (!map) { FATAL("BUG: Zero return from afl_shm_init."); } if (!map) { FATAL("BUG: Zero return from afl_shm_init."); }
#ifdef USEMMAP #ifdef USEMMAP
setenv(SHM_FUZZ_ENV_VAR, shm_fuzz->g_shm_file_path, 1); setenv(SHM_FUZZ_ENV_VAR, shm_fuzz->g_shm_file_path, 1);
@ -1063,6 +1068,38 @@ int main(int argc, char **argv_orig, char **envp) {
fsrv->shmem_fuzz_len = (u32 *)map; fsrv->shmem_fuzz_len = (u32 *)map;
fsrv->shmem_fuzz = map + sizeof(u32); fsrv->shmem_fuzz = map + sizeof(u32);
u32 save_be_quiet = be_quiet;
be_quiet = debug;
fsrv->map_size = 4194304; // dummy temporary value
u32 new_map_size = afl_fsrv_get_mapsize(
fsrv, use_argv, &stop_soon,
(get_afl_env("AFL_DEBUG_CHILD") || get_afl_env("AFL_DEBUG_CHILD_OUTPUT"))
? 1
: 0);
be_quiet = save_be_quiet;
if (new_map_size) {
// only reinitialize when it makes sense
if (map_size < new_map_size ||
(new_map_size > map_size && new_map_size - map_size > MAP_SIZE)) {
if (!be_quiet)
ACTF("Aquired new map size for target: %u bytes\n", new_map_size);
afl_shm_deinit(&shm);
afl_fsrv_kill(fsrv);
fsrv->map_size = new_map_size;
fsrv->trace_bits = afl_shm_init(&shm, new_map_size, 0);
}
map_size = new_map_size;
}
fsrv->map_size = map_size;
if (in_dir) { if (in_dir) {
DIR * dir_in, *dir_out = NULL; DIR * dir_in, *dir_out = NULL;

37
src/afl-tmin.c
View File

@ -79,7 +79,8 @@ static u8 crash_mode, /* Crash-centric mode? */
edges_only, /* Ignore hit counts? */ edges_only, /* Ignore hit counts? */
exact_mode, /* Require path match for crashes? */ exact_mode, /* Require path match for crashes? */
remove_out_file, /* remove out_file on exit? */ remove_out_file, /* remove out_file on exit? */
remove_shm = 1; /* remove shmem on exit? */ remove_shm = 1, /* remove shmem on exit? */
debug; /* debug mode */
static volatile u8 stop_soon; /* Ctrl-C pressed? */ static volatile u8 stop_soon; /* Ctrl-C pressed? */
@ -878,6 +879,7 @@ int main(int argc, char **argv_orig, char **envp) {
char **argv = argv_cpy_dup(argc, argv_orig); char **argv = argv_cpy_dup(argc, argv_orig);
afl_forkserver_t fsrv_var = {0}; afl_forkserver_t fsrv_var = {0};
if (getenv("AFL_DEBUG")) { debug = 1; }
fsrv = &fsrv_var; fsrv = &fsrv_var;
afl_fsrv_init(fsrv); afl_fsrv_init(fsrv);
map_size = get_map_size(); map_size = get_map_size();
@ -1074,6 +1076,7 @@ int main(int argc, char **argv_orig, char **envp) {
if (optind == argc || !in_file || !output_file) { usage(argv[0]); } if (optind == argc || !in_file || !output_file) { usage(argv[0]); }
check_environment_vars(envp); check_environment_vars(envp);
setenv("AFL_NO_AUTODICT", "1", 1);
if (fsrv->qemu_mode && getenv("AFL_USE_QASAN")) { if (fsrv->qemu_mode && getenv("AFL_USE_QASAN")) {
@ -1102,7 +1105,6 @@ int main(int argc, char **argv_orig, char **envp) {
/* initialize cmplog_mode */ /* initialize cmplog_mode */
shm.cmplog_mode = 0; shm.cmplog_mode = 0;
fsrv->trace_bits = afl_shm_init(&shm, map_size, 0);
atexit(at_exit_handler); atexit(at_exit_handler);
setup_signal_handlers(); setup_signal_handlers();
@ -1110,6 +1112,7 @@ int main(int argc, char **argv_orig, char **envp) {
set_up_environment(fsrv); set_up_environment(fsrv);
fsrv->target_path = find_binary(argv[optind]); fsrv->target_path = find_binary(argv[optind]);
fsrv->trace_bits = afl_shm_init(&shm, map_size, 0);
detect_file_args(argv + optind, out_file, &fsrv->use_stdin); detect_file_args(argv + optind, out_file, &fsrv->use_stdin);
if (fsrv->qemu_mode) { if (fsrv->qemu_mode) {
@ -1181,6 +1184,7 @@ int main(int argc, char **argv_orig, char **envp) {
/* initialize cmplog_mode */ /* initialize cmplog_mode */
shm_fuzz->cmplog_mode = 0; shm_fuzz->cmplog_mode = 0;
u8 *map = afl_shm_init(shm_fuzz, MAX_FILE + sizeof(u32), 1); u8 *map = afl_shm_init(shm_fuzz, MAX_FILE + sizeof(u32), 1);
shm_fuzz->shmemfuzz_mode = 1;
if (!map) { FATAL("BUG: Zero return from afl_shm_init."); } if (!map) { FATAL("BUG: Zero return from afl_shm_init."); }
#ifdef USEMMAP #ifdef USEMMAP
setenv(SHM_FUZZ_ENV_VAR, shm_fuzz->g_shm_file_path, 1); setenv(SHM_FUZZ_ENV_VAR, shm_fuzz->g_shm_file_path, 1);
@ -1195,12 +1199,39 @@ int main(int argc, char **argv_orig, char **envp) {
read_initial_file(); read_initial_file();
afl_fsrv_start( fsrv->map_size = 4194304; // dummy temporary value
u32 new_map_size = afl_fsrv_get_mapsize(
fsrv, use_argv, &stop_soon, fsrv, use_argv, &stop_soon,
(get_afl_env("AFL_DEBUG_CHILD") || get_afl_env("AFL_DEBUG_CHILD_OUTPUT")) (get_afl_env("AFL_DEBUG_CHILD") || get_afl_env("AFL_DEBUG_CHILD_OUTPUT"))
? 1 ? 1
: 0); : 0);
if (new_map_size) {
if (map_size < new_map_size ||
(new_map_size > map_size && new_map_size - map_size > MAP_SIZE)) {
if (!be_quiet)
ACTF("Aquired new map size for target: %u bytes\n", new_map_size);
afl_shm_deinit(&shm);
afl_fsrv_kill(fsrv);
fsrv->map_size = new_map_size;
fsrv->trace_bits = afl_shm_init(&shm, new_map_size, 0);
afl_fsrv_start(fsrv, use_argv, &stop_soon,
(get_afl_env("AFL_DEBUG_CHILD") ||
get_afl_env("AFL_DEBUG_CHILD_OUTPUT"))
? 1
: 0);
}
map_size = new_map_size;
}
fsrv->map_size = map_size;
if (fsrv->support_shmem_fuzz && !fsrv->use_shmem_fuzz) if (fsrv->support_shmem_fuzz && !fsrv->use_shmem_fuzz)
shm_fuzz = deinit_shmem(fsrv, shm_fuzz); shm_fuzz = deinit_shmem(fsrv, shm_fuzz);

5
test-instr.c
View File

@ -32,7 +32,8 @@ int main(int argc, char **argv) {
} else { } else {
if (argc >= 3 && strcmp(argv[1], "-f") == 0) if (argc >= 3 && strcmp(argv[1], "-f") == 0) {
if ((fd = open(argv[2], O_RDONLY)) < 0) { if ((fd = open(argv[2], O_RDONLY)) < 0) {
fprintf(stderr, "Error: unable to open %s\n", argv[2]); fprintf(stderr, "Error: unable to open %s\n", argv[2]);
@ -40,6 +41,8 @@ int main(int argc, char **argv) {
} }
}
if (read(fd, buf, sizeof(buf)) < 1) { if (read(fd, buf, sizeof(buf)) < 1) {
printf("Hum?\n"); printf("Hum?\n");

12
test/test-basic.sh
View File

@ -11,8 +11,8 @@ test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc
AFL_HARDEN=1 ../${AFL_GCC} -o test-compcov.harden test-compcov.c > /dev/null 2>&1 AFL_HARDEN=1 ../${AFL_GCC} -o test-compcov.harden test-compcov.c > /dev/null 2>&1
test -e test-instr.plain && { test -e test-instr.plain && {
$ECHO "$GREEN[+] ${AFL_GCC} compilation succeeded" $ECHO "$GREEN[+] ${AFL_GCC} compilation succeeded"
echo 0 | ../afl-showmap -m ${MEM_LIMIT} -o test-instr.plain.0 -r -- ./test-instr.plain > /dev/null 2>&1 echo 0 | AFL_QUIET=1 ../afl-showmap -m ${MEM_LIMIT} -o test-instr.plain.0 -r -- ./test-instr.plain > /dev/null 2>&1
../afl-showmap -m ${MEM_LIMIT} -o test-instr.plain.1 -r -- ./test-instr.plain < /dev/null > /dev/null 2>&1 AFL_QUIET=1 ../afl-showmap -m ${MEM_LIMIT} -o test-instr.plain.1 -r -- ./test-instr.plain < /dev/null > /dev/null 2>&1
test -e test-instr.plain.0 -a -e test-instr.plain.1 && { test -e test-instr.plain.0 -a -e test-instr.plain.1 && {
diff test-instr.plain.0 test-instr.plain.1 > /dev/null 2>&1 && { diff test-instr.plain.0 test-instr.plain.1 > /dev/null 2>&1 && {
$ECHO "$RED[!] ${AFL_GCC} instrumentation should be different on different input but is not" $ECHO "$RED[!] ${AFL_GCC} instrumentation should be different on different input but is not"
@ -26,7 +26,7 @@ test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc
} }
rm -f test-instr.plain.0 test-instr.plain.1 rm -f test-instr.plain.0 test-instr.plain.1
SKIP= SKIP=
TUPLES=`echo 1|../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-instr.plain 2>&1 | grep Captur | awk '{print$3}'` TUPLES=`echo 1|AFL_QUIET=1 ../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-instr.plain 2>&1 | grep Captur | awk '{print$3}'`
test "$TUPLES" -gt 1 -a "$TUPLES" -lt 12 && { test "$TUPLES" -gt 1 -a "$TUPLES" -lt 12 && {
$ECHO "$GREEN[+] ${AFL_GCC} run reported $TUPLES instrumented locations which is fine" $ECHO "$GREEN[+] ${AFL_GCC} run reported $TUPLES instrumented locations which is fine"
} || { } || {
@ -132,8 +132,8 @@ test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc
AFL_HARDEN=1 ../${AFL_GCC} -o test-compcov.harden test-compcov.c > /dev/null 2>&1 AFL_HARDEN=1 ../${AFL_GCC} -o test-compcov.harden test-compcov.c > /dev/null 2>&1
test -e test-instr.plain && { test -e test-instr.plain && {
$ECHO "$GREEN[+] ${AFL_GCC} compilation succeeded" $ECHO "$GREEN[+] ${AFL_GCC} compilation succeeded"
echo 0 | ../afl-showmap -m ${MEM_LIMIT} -o test-instr.plain.0 -r -- ./test-instr.plain > /dev/null 2>&1 echo 0 | AFL_QUIET=1 ../afl-showmap -m ${MEM_LIMIT} -o test-instr.plain.0 -r -- ./test-instr.plain > /dev/null 2>&1
../afl-showmap -m ${MEM_LIMIT} -o test-instr.plain.1 -r -- ./test-instr.plain < /dev/null > /dev/null 2>&1 AFL_QUIET=1 ../afl-showmap -m ${MEM_LIMIT} -o test-instr.plain.1 -r -- ./test-instr.plain < /dev/null > /dev/null 2>&1
test -e test-instr.plain.0 -a -e test-instr.plain.1 && { test -e test-instr.plain.0 -a -e test-instr.plain.1 && {
diff test-instr.plain.0 test-instr.plain.1 > /dev/null 2>&1 && { diff test-instr.plain.0 test-instr.plain.1 > /dev/null 2>&1 && {
$ECHO "$RED[!] ${AFL_GCC} instrumentation should be different on different input but is not" $ECHO "$RED[!] ${AFL_GCC} instrumentation should be different on different input but is not"
@ -146,7 +146,7 @@ test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc
CODE=1 CODE=1
} }
rm -f test-instr.plain.0 test-instr.plain.1 rm -f test-instr.plain.0 test-instr.plain.1
TUPLES=`echo 1|../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-instr.plain 2>&1 | grep Captur | awk '{print$3}'` TUPLES=`echo 1|AFL_QUIET=1 ../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-instr.plain 2>&1 | grep Captur | awk '{print$3}'`
test "$TUPLES" -gt 1 -a "$TUPLES" -lt 12 && { test "$TUPLES" -gt 1 -a "$TUPLES" -lt 12 && {
$ECHO "$GREEN[+] ${AFL_GCC} run reported $TUPLES instrumented locations which is fine" $ECHO "$GREEN[+] ${AFL_GCC} run reported $TUPLES instrumented locations which is fine"
} || { } || {

10
test/test-gcc-plugin.sh
View File

@ -10,15 +10,15 @@ test -e ../afl-gcc-fast -a -e ../afl-compiler-rt.o && {
AFL_HARDEN=1 ../afl-gcc-fast -o test-compcov.harden.gccpi test-compcov.c > /dev/null 2>&1 AFL_HARDEN=1 ../afl-gcc-fast -o test-compcov.harden.gccpi test-compcov.c > /dev/null 2>&1
test -e test-instr.plain.gccpi && { test -e test-instr.plain.gccpi && {
$ECHO "$GREEN[+] gcc_plugin compilation succeeded" $ECHO "$GREEN[+] gcc_plugin compilation succeeded"
echo 0 | ../afl-showmap -m ${MEM_LIMIT} -o test-instr.plain.0 -r -- ./test-instr.plain.gccpi > /dev/null 2>&1 echo 0 | AFL_QUIET=1 ../afl-showmap -m ${MEM_LIMIT} -o test-instr.plain.0 -r -- ./test-instr.plain.gccpi > /dev/null 2>&1
../afl-showmap -m ${MEM_LIMIT} -o test-instr.plain.1 -r -- ./test-instr.plain.gccpi < /dev/null > /dev/null 2>&1 AFL_QUIET=1 ../afl-showmap -m ${MEM_LIMIT} -o test-instr.plain.1 -r -- ./test-instr.plain.gccpi < /dev/null > /dev/null 2>&1
test -e test-instr.plain.0 -a -e test-instr.plain.1 && { test -e test-instr.plain.0 -a -e test-instr.plain.1 && {
diff test-instr.plain.0 test-instr.plain.1 > /dev/null 2>&1 && { diff test-instr.plain.0 test-instr.plain.1 > /dev/null 2>&1 && {
$ECHO "$RED[!] gcc_plugin instrumentation should be different on different input but is not" $ECHO "$RED[!] gcc_plugin instrumentation should be different on different input but is not"
CODE=1 CODE=1
} || { } || {
$ECHO "$GREEN[+] gcc_plugin instrumentation present and working correctly" $ECHO "$GREEN[+] gcc_plugin instrumentation present and working correctly"
TUPLES=`echo 0|../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-instr.plain.gccpi 2>&1 | grep Captur | awk '{print$3}'` TUPLES=`echo 0|AFL_QUIET=1 ../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-instr.plain.gccpi 2>&1 | grep Captur | awk '{print$3}'`
test "$TUPLES" -gt 1 -a "$TUPLES" -lt 9 && { test "$TUPLES" -gt 1 -a "$TUPLES" -lt 9 && {
$ECHO "$GREEN[+] gcc_plugin run reported $TUPLES instrumented locations which is fine" $ECHO "$GREEN[+] gcc_plugin run reported $TUPLES instrumented locations which is fine"
} || { } || {
@ -87,7 +87,7 @@ test -e ../afl-gcc-fast -a -e ../afl-compiler-rt.o && {
echo foobar.c > instrumentlist.txt echo foobar.c > instrumentlist.txt
AFL_GCC_INSTRUMENT_FILE=instrumentlist.txt ../afl-gcc-fast -o test-compcov test-compcov.c > /dev/null 2>&1 AFL_GCC_INSTRUMENT_FILE=instrumentlist.txt ../afl-gcc-fast -o test-compcov test-compcov.c > /dev/null 2>&1
test -x test-compcov && test_compcov_binary_functionality ./test-compcov && { test -x test-compcov && test_compcov_binary_functionality ./test-compcov && {
echo 1 | ../afl-showmap -m ${MEM_LIMIT} -o - -r -- ./test-compcov 2>&1 | grep -q "Captured 0 tuples" && { echo 1 | AFL_QUIET=1 ../afl-showmap -m ${MEM_LIMIT} -o - -r -- ./test-compcov 2>&1 | grep -q "Captured 0 tuples" && {
$ECHO "$GREEN[+] gcc_plugin instrumentlist feature works correctly" $ECHO "$GREEN[+] gcc_plugin instrumentlist feature works correctly"
} || { } || {
$ECHO "$RED[!] gcc_plugin instrumentlist feature failed" $ECHO "$RED[!] gcc_plugin instrumentlist feature failed"
@ -100,7 +100,7 @@ test -e ../afl-gcc-fast -a -e ../afl-compiler-rt.o && {
rm -f test-compcov test.out instrumentlist.txt rm -f test-compcov test.out instrumentlist.txt
../afl-gcc-fast -o test-persistent ../utils/persistent_mode/persistent_demo.c > /dev/null 2>&1 ../afl-gcc-fast -o test-persistent ../utils/persistent_mode/persistent_demo.c > /dev/null 2>&1
test -e test-persistent && { test -e test-persistent && {
echo foo | ../afl-showmap -m ${MEM_LIMIT} -o /dev/null -q -r ./test-persistent && { echo foo | AFL_QUIET=1 ../afl-showmap -m ${MEM_LIMIT} -o /dev/null -q -r ./test-persistent && {
$ECHO "$GREEN[+] gcc_plugin persistent mode feature works correctly" $ECHO "$GREEN[+] gcc_plugin persistent mode feature works correctly"
} || { } || {
$ECHO "$RED[!] gcc_plugin persistent mode feature failed to work" $ECHO "$RED[!] gcc_plugin persistent mode feature failed to work"

8
test/test-llvm-lto.sh
View File

@ -16,15 +16,15 @@ test -e ../afl-clang-lto -a -e ../afl-llvm-lto-instrumentation.so && {
../afl-clang-lto -o test-instr.plain ../test-instr.c > /dev/null 2>&1 ../afl-clang-lto -o test-instr.plain ../test-instr.c > /dev/null 2>&1
test -e test-instr.plain && { test -e test-instr.plain && {
$ECHO "$GREEN[+] llvm_mode LTO compilation succeeded" $ECHO "$GREEN[+] llvm_mode LTO compilation succeeded"
echo 0 | ../afl-showmap -m ${MEM_LIMIT} -o test-instr.plain.0 -r -- ./test-instr.plain > /dev/null 2>&1 echo 0 | AFL_QUIET=1 ../afl-showmap -m ${MEM_LIMIT} -o test-instr.plain.0 -r -- ./test-instr.plain > /dev/null 2>&1
../afl-showmap -m ${MEM_LIMIT} -o test-instr.plain.1 -r -- ./test-instr.plain < /dev/null > /dev/null 2>&1 AFL_QUIET=1 ../afl-showmap -m ${MEM_LIMIT} -o test-instr.plain.1 -r -- ./test-instr.plain < /dev/null > /dev/null 2>&1
test -e test-instr.plain.0 -a -e test-instr.plain.1 && { test -e test-instr.plain.0 -a -e test-instr.plain.1 && {
diff -q test-instr.plain.0 test-instr.plain.1 > /dev/null 2>&1 && { diff -q test-instr.plain.0 test-instr.plain.1 > /dev/null 2>&1 && {
$ECHO "$RED[!] llvm_mode LTO instrumentation should be different on different input but is not" $ECHO "$RED[!] llvm_mode LTO instrumentation should be different on different input but is not"
CODE=1 CODE=1
} || { } || {
$ECHO "$GREEN[+] llvm_mode LTO instrumentation present and working correctly" $ECHO "$GREEN[+] llvm_mode LTO instrumentation present and working correctly"
TUPLES=`echo 0|../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-instr.plain 2>&1 | grep Captur | awk '{print$3}'` TUPLES=`echo 0|AFL_QUIET=1 ../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-instr.plain 2>&1 | grep Captur | awk '{print$3}'`
test "$TUPLES" -gt 2 -a "$TUPLES" -lt 7 && { test "$TUPLES" -gt 2 -a "$TUPLES" -lt 7 && {
$ECHO "$GREEN[+] llvm_mode LTO run reported $TUPLES instrumented locations which is fine" $ECHO "$GREEN[+] llvm_mode LTO run reported $TUPLES instrumented locations which is fine"
} || { } || {
@ -59,7 +59,7 @@ test -e ../afl-clang-lto -a -e ../afl-llvm-lto-instrumentation.so && {
rm -f test-compcov test.out instrumentlist.txt rm -f test-compcov test.out instrumentlist.txt
../afl-clang-lto -o test-persistent ../utils/persistent_mode/persistent_demo.c > /dev/null 2>&1 ../afl-clang-lto -o test-persistent ../utils/persistent_mode/persistent_demo.c > /dev/null 2>&1
test -e test-persistent && { test -e test-persistent && {
echo foo | ../afl-showmap -m none -o /dev/null -q -r ./test-persistent && { echo foo | AFL_QUIET=1 ../afl-showmap -m none -o /dev/null -q -r ./test-persistent && {
$ECHO "$GREEN[+] llvm_mode LTO persistent mode feature works correctly" $ECHO "$GREEN[+] llvm_mode LTO persistent mode feature works correctly"
} || { } || {
$ECHO "$RED[!] llvm_mode LTO persistent mode feature failed to work" $ECHO "$RED[!] llvm_mode LTO persistent mode feature failed to work"

10
test/test-llvm.sh
View File

@ -16,15 +16,15 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && {
AFL_HARDEN=1 ../afl-clang-fast -o test-compcov.harden test-compcov.c > /dev/null 2>&1 AFL_HARDEN=1 ../afl-clang-fast -o test-compcov.harden test-compcov.c > /dev/null 2>&1
test -e test-instr.plain && { test -e test-instr.plain && {
$ECHO "$GREEN[+] llvm_mode compilation succeeded" $ECHO "$GREEN[+] llvm_mode compilation succeeded"
echo 0 | ../afl-showmap -m ${MEM_LIMIT} -o test-instr.plain.0 -r -- ./test-instr.plain > /dev/null 2>&1 echo 0 | AFL_QUIET=1 ../afl-showmap -m ${MEM_LIMIT} -o test-instr.plain.0 -r -- ./test-instr.plain > /dev/null 2>&1
../afl-showmap -m ${MEM_LIMIT} -o test-instr.plain.1 -r -- ./test-instr.plain < /dev/null > /dev/null 2>&1 AFL_QUIET=1 ../afl-showmap -m ${MEM_LIMIT} -o test-instr.plain.1 -r -- ./test-instr.plain < /dev/null > /dev/null 2>&1
test -e test-instr.plain.0 -a -e test-instr.plain.1 && { test -e test-instr.plain.0 -a -e test-instr.plain.1 && {
diff test-instr.plain.0 test-instr.plain.1 > /dev/null 2>&1 && { diff test-instr.plain.0 test-instr.plain.1 > /dev/null 2>&1 && {
$ECHO "$RED[!] llvm_mode instrumentation should be different on different input but is not" $ECHO "$RED[!] llvm_mode instrumentation should be different on different input but is not"
CODE=1 CODE=1
} || { } || {
$ECHO "$GREEN[+] llvm_mode instrumentation present and working correctly" $ECHO "$GREEN[+] llvm_mode instrumentation present and working correctly"
TUPLES=`echo 0|../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-instr.plain 2>&1 | grep Captur | awk '{print$3}'` TUPLES=`echo 0|AFL_QUIET=1 ../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-instr.plain 2>&1 | grep Captur | awk '{print$3}'`
test "$TUPLES" -gt 2 -a "$TUPLES" -lt 8 && { test "$TUPLES" -gt 2 -a "$TUPLES" -lt 8 && {
$ECHO "$GREEN[+] llvm_mode run reported $TUPLES instrumented locations which is fine" $ECHO "$GREEN[+] llvm_mode run reported $TUPLES instrumented locations which is fine"
} || { } || {
@ -128,7 +128,7 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && {
test -e ../libLLVMInsTrim.so && { test -e ../libLLVMInsTrim.so && {
AFL_LLVM_INSTRUMENT=CFG AFL_LLVM_INSTRIM_LOOPHEAD=1 ../afl-clang-fast -o test-instr.instrim ../test-instr.c > /dev/null 2>test.out AFL_LLVM_INSTRUMENT=CFG AFL_LLVM_INSTRIM_LOOPHEAD=1 ../afl-clang-fast -o test-instr.instrim ../test-instr.c > /dev/null 2>test.out
test -e test-instr.instrim && { test -e test-instr.instrim && {
TUPLES=`echo 0|../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-instr.instrim 2>&1 | grep Captur | awk '{print$3}'` TUPLES=`echo 0|AFL_QUIET=1 ../afl-showmap -m ${MEM_LIMIT} -o /dev/null -- ./test-instr.instrim 2>&1 | grep Captur | awk '{print$3}'`
test "$TUPLES" -gt 1 -a "$TUPLES" -lt 5 && { test "$TUPLES" -gt 1 -a "$TUPLES" -lt 5 && {
$ECHO "$GREEN[+] llvm_mode InsTrim reported $TUPLES instrumented locations which is fine" $ECHO "$GREEN[+] llvm_mode InsTrim reported $TUPLES instrumented locations which is fine"
} || { } || {
@ -216,7 +216,7 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && {
rm -rf errors test-cmplog in core.* rm -rf errors test-cmplog in core.*
../afl-clang-fast -o test-persistent ../utils/persistent_mode/persistent_demo.c > /dev/null 2>&1 ../afl-clang-fast -o test-persistent ../utils/persistent_mode/persistent_demo.c > /dev/null 2>&1
test -e test-persistent && { test -e test-persistent && {
echo foo | ../afl-showmap -m ${MEM_LIMIT} -o /dev/null -q -r ./test-persistent && { echo foo | AFL_QUIET=1 ../afl-showmap -m ${MEM_LIMIT} -o /dev/null -q -r ./test-persistent && {
$ECHO "$GREEN[+] llvm_mode persistent mode feature works correctly" $ECHO "$GREEN[+] llvm_mode persistent mode feature works correctly"
} || { } || {
$ECHO "$RED[!] llvm_mode persistent mode feature failed to work" $ECHO "$RED[!] llvm_mode persistent mode feature failed to work"