Merge pull request #1766 from AFLplusplus/dev

v4.07c release
2025-06-11 01:31:37 +00:00 · 2023-06-12 10:03:15 +03:00 · 2023-06-12 10:03:15 +03:00 · af8c68a774
commit af8c68a774
parent 26cbc1e993 bf2727b763
7 changed files with 71 additions and 11 deletions
--- a/README.md
+++ b/README.md
@ -2,9 +2,9 @@

 <img align="right" src="https://raw.githubusercontent.com/AFLplusplus/Website/main/static/aflpp_bg.svg" alt="AFL++ logo" width="250" heigh="250">

-Release version: [4.06c](https://github.com/AFLplusplus/AFLplusplus/releases)
+Release version: [4.07c](https://github.com/AFLplusplus/AFLplusplus/releases)

-GitHub version: 4.07a
+GitHub version: 4.07c

 Repository:
 [https://github.com/AFLplusplus/AFLplusplus](https://github.com/AFLplusplus/AFLplusplus)
--- a/TODO.md
+++ b/TODO.md
@ -2,6 +2,8 @@

 ## Should

+ - afl-crash-analysis
+ - show in the UI when fuzzing is "done"
 - test cmplog for less than 16bit
 - support persistent and deferred fork server in afl-showmap?
 - better autodetection of shifting runtime timeout values
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@ -3,7 +3,7 @@
  This is the list of all noteworthy changes made in every public
  release of the tool. See README.md for the general instruction manual.

-### Version ++4.07a (dev)
+### Version ++4.07c (release)
  - afl-fuzz:
    - reverse reading the seeds only on restarts (increases performance)
    - new env `AFL_POST_PROCESS_KEEP_ORIGINAL` to keep the orignal
@ -18,6 +18,7 @@
    - rewrote our PCGUARD pass to be compatible with LLVM 15+ shenanigans,
      requires LLVM 13+ now instead of 10.0.1+
    - fallback to native LLVM PCGUARD if our PCGUARD is unavailable
+    - fixed a crash in GCC CMPLOG
  - afl-showmap:
    - added custom mutator post_process and send support
    - add `-I filelist` option, an alternative to `-i in_dir`
--- a/docs/FAQ.md
+++ b/docs/FAQ.md
@ -279,3 +279,54 @@ If you find an interesting or important question missing, submit it via

  Solution: just do an `export AFL_MAP_SIZE=(the value in the warning)`.
 </p></details>
+
+<details>
+  <summary id="linker-errors">Linker errors.</summary><p>
+
+  If you compile C++ harnesses and see `undefined reference` errors for
+  variables named `__afl_...`, e.g.:
+
+  ```
+  /usr/bin/ld: /tmp/test-d3085f.o: in function `foo::test()':
+  test.cpp:(.text._ZN3fooL4testEv[_ZN3fooL4testEv]+0x35): undefined reference to `foo::__afl_connected'
+  clang: error: linker command failed with exit code 1 (use -v to see invocation)
+  ```
+
+  Then you use AFL++ macros like `__AFL_LOOP` within a namespace and this
+  will not work.
+
+  Solution: Move that harness portion to the global namespace, e.g. before:
+  ```
+  #include <cstdio>
+  namespace foo {
+    static void test() {
+      while(__AFL_LOOP(1000)) {
+        foo::function();
+      }
+    }
+  }
+
+  int main(int argc, char** argv) {
+    foo::test();
+    return 0;
+  }
+  ```
+  after:
+  ```
+  #include <cstdio>
+  static void mytest() {
+    while(__AFL_LOOP(1000)) {
+      foo::function();
+    }
+  }
+  namespace foo {
+    static void test() {
+      mytest();
+    }
+  }
+  int main(int argc, char** argv) {
+    foo::test();
+    return 0;
+  }
+  ```
+</p></details>
--- a/docs/custom_mutators.md
+++ b/docs/custom_mutators.md
@ -145,12 +145,15 @@ def deinit():  # optional for Python

 - `fuzz` (optional):

-    This method performs custom mutations on a given input. It also accepts an
-    additional test case. Note that this function is optional - but it makes
-    sense to use it. You would only skip this if `post_process` is used to fix
-    checksums etc. so if you are using it, e.g., as a post processing library.
-    Note that a length > 0 *must* be returned!
-    The returned output buffer is under **your** memory management!
+    This method performs your custom mutations on a given input.
+    The add_buf is the contents of another queue item that can be used for
+    splicing - or anything else - and can also be ignored. If you are not
+    using this additional data then define `splice_optout` (see above).
+    This function is optional.
+    Returing a length of 0 is valid and is interpreted as skipping this
+    one mutation result.
+    For non-Python: the returned output buffer is under **your** memory
+    management!

 - `describe` (optional):

--- a/include/config.h
+++ b/include/config.h
@ -26,7 +26,7 @@
 /* Version string: */

 // c = release, a = volatile github dev, e = experimental branch
-#define VERSION "++4.07a"
+#define VERSION "++4.07c"

 /******************************************************
 *                                                    *
--- a/instrumentation/afl-gcc-cmptrs-pass.so.cc
+++ b/instrumentation/afl-gcc-cmptrs-pass.so.cc
@ -157,6 +157,9 @@ struct afl_cmptrs_pass : afl_base_pass {
    /* We expect it to be a record type.  */
    if (TREE_CODE(t) != RECORD_TYPE) return false;

+    /* The type has an identifier.  */
+    if (!TYPE_IDENTIFIER(t)) return false;
+
    /* The type of the template is basic_string.  */
    if (strcmp(IDENTIFIER_POINTER(TYPE_IDENTIFIER(t)), "basic_string") != 0)
      return false;
@ -201,7 +204,7 @@ struct afl_cmptrs_pass : afl_base_pass {
    /* Now go back to the first data member.  Its type should be a
       record type named _Alloc_hider.  */
    c = TREE_TYPE(c);
-    if (!c || TREE_CODE(c) != RECORD_TYPE ||
+    if (!c || TREE_CODE(c) != RECORD_TYPE || !TYPE_IDENTIFIER(t) ||
        strcmp(IDENTIFIER_POINTER(TYPE_IDENTIFIER(c)), "_Alloc_hider") != 0)
      return false;