AFL without globals (#220)

* moved globals to afl, shm and fsrv 

* moved argv to afl state, less bugs

* fixed unicorn docu

* lists everywhere

* merged custom mutators

* fixed leaks in afl-fuzz

src/afl-fuzz-mutators.c

@@ -25,25 +25,24 @@
 
 #include "afl-fuzz.h"
 
-void load_custom_mutator(const char*);
+void load_custom_mutator(afl_state_t*, const char*);
 #ifdef USE_PYTHON
-void load_custom_mutator_py(const char*);
+void load_custom_mutator_py(afl_state_t*, const char*);
 #endif
 
-void setup_custom_mutator(void) {
+void setup_custom_mutator(afl_state_t *afl) {
 
   /* Try mutator library first */
   u8* fn = getenv("AFL_CUSTOM_MUTATOR_LIBRARY");
 
   if (fn) {
-
-    if (limit_time_sig)
+    if (afl->limit_time_sig)
       FATAL(
           "MOpt and custom mutator are mutually exclusive. We accept pull "
           "requests that integrates MOpt with the optional mutators "
           "(custom/radamsa/redquenn/...).");
 
-    load_custom_mutator(fn);
+    load_custom_mutator(afl, fn);
 
     return;
 
@@ -55,16 +54,16 @@ void setup_custom_mutator(void) {
 
   if (module_name) {
 
-    if (limit_time_sig)
+    if (afl->limit_time_sig)
       FATAL(
           "MOpt and Python mutator are mutually exclusive. We accept pull "
           "requests that integrates MOpt with the optional mutators "
           "(custom/radamsa/redquenn/...).");
 
-    if (init_py_module(module_name))
+    if (init_py_module(afl, module_name))
       FATAL("Failed to initialize Python module");
 
-    load_custom_mutator_py(module_name);
+    load_custom_mutator_py(afl, module_name);
 
   }
 
@@ -75,82 +74,81 @@ void setup_custom_mutator(void) {
 
 }
 
-void destroy_custom_mutator(void) {
+void destroy_custom_mutator(afl_state_t *afl) {
 
-  if (mutator) {
+  if (afl->mutator) {
 
-    if (mutator->dh)
-      dlclose(mutator->dh);
+    if (afl->mutator->dh)
+      dlclose(afl->mutator->dh);
     else {
 
       /* Python mutator */
 #ifdef USE_PYTHON
-      finalize_py_module();
+      finalize_py_module(afl);
 #endif
 
     }
 
-    ck_free(mutator);
-
+    ck_free(afl->mutator);
   }
 
 }
 
-void load_custom_mutator(const char* fn) {
+void load_custom_mutator(afl_state_t *afl, const char *fn) {
 
   void* dh;
-  mutator = ck_alloc(sizeof(struct custom_mutator));
+  afl->mutator = ck_alloc(sizeof(struct custom_mutator));
 
-  mutator->name = fn;
+  afl->mutator->name = fn;
   ACTF("Loading custom mutator library from '%s'...", fn);
 
   dh = dlopen(fn, RTLD_NOW);
   if (!dh) FATAL("%s", dlerror());
-  mutator->dh = dh;
+  afl->mutator->dh = dh;
 
   /* Mutator */
   /* "afl_custom_init", optional for backward compatibility */
-  mutator->afl_custom_init = dlsym(dh, "afl_custom_init");
-  if (!mutator->afl_custom_init) WARNF("Symbol 'afl_custom_init' not found.");
+  afl->mutator->afl_custom_init = dlsym(dh, "afl_custom_init");
+  if (!afl->mutator->afl_custom_init) WARNF("Symbol 'afl_custom_init' not found.");
 
   /* "afl_custom_fuzz" or "afl_custom_mutator", required */
-  mutator->afl_custom_fuzz = dlsym(dh, "afl_custom_fuzz");
-  if (!mutator->afl_custom_fuzz) {
+  afl->mutator->afl_custom_fuzz = dlsym(dh, "afl_custom_fuzz");
+  if (!afl->mutator->afl_custom_fuzz) {
 
     /* Try "afl_custom_mutator" for backward compatibility */
     WARNF("Symbol 'afl_custom_fuzz' not found. Try 'afl_custom_mutator'.");
 
-    mutator->afl_custom_fuzz = dlsym(dh, "afl_custom_mutator");
-    if (!mutator->afl_custom_fuzz)
+    afl->mutator->afl_custom_fuzz = dlsym(dh, "afl_custom_mutator");
+    if (!afl->mutator->afl_custom_fuzz)
       FATAL("Symbol 'afl_custom_mutator' not found.");
 
   }
 
   /* "afl_custom_pre_save", optional */
-  mutator->afl_custom_pre_save = dlsym(dh, "afl_custom_pre_save");
-  if (!mutator->afl_custom_pre_save)
+  afl->mutator->afl_custom_pre_save = dlsym(dh, "afl_custom_pre_save");
+  if (!afl->mutator->afl_custom_pre_save)
     WARNF("Symbol 'afl_custom_pre_save' not found.");
 
   u8 notrim = 0;
   /* "afl_custom_init_trim", optional */
-  mutator->afl_custom_init_trim = dlsym(dh, "afl_custom_init_trim");
-  if (!mutator->afl_custom_init_trim)
+  afl->mutator->afl_custom_init_trim = dlsym(dh, "afl_custom_init_trim");
+  if (!afl->mutator->afl_custom_init_trim)
     WARNF("Symbol 'afl_custom_init_trim' not found.");
 
   /* "afl_custom_trim", optional */
-  mutator->afl_custom_trim = dlsym(dh, "afl_custom_trim");
-  if (!mutator->afl_custom_trim) WARNF("Symbol 'afl_custom_trim' not found.");
+  afl->mutator->afl_custom_trim = dlsym(dh, "afl_custom_trim");
+  if (!afl->mutator->afl_custom_trim) WARNF("Symbol 'afl_custom_trim' not found.");
 
   /* "afl_custom_post_trim", optional */
-  mutator->afl_custom_post_trim = dlsym(dh, "afl_custom_post_trim");
-  if (!mutator->afl_custom_post_trim)
+  afl->mutator->afl_custom_post_trim = dlsym(dh, "afl_custom_post_trim");
+  if (!afl->mutator->afl_custom_post_trim)
     WARNF("Symbol 'afl_custom_post_trim' not found.");
 
   if (notrim) {
 
-    mutator->afl_custom_init_trim = NULL;
-    mutator->afl_custom_trim = NULL;
-    mutator->afl_custom_post_trim = NULL;
+    afl->mutator->afl_custom_init_trim = NULL;
+    afl->mutator->afl_custom_trim = NULL;
+    afl->mutator->afl_custom_post_trim = NULL;
     WARNF(
         "Custom mutator does not implement all three trim APIs, standard "
         "trimming will be used.");
@@ -158,34 +156,35 @@ void load_custom_mutator(const char* fn) {
   }
 
   /* "afl_custom_havoc_mutation", optional */
-  mutator->afl_custom_havoc_mutation = dlsym(dh, "afl_custom_havoc_mutation");
-  if (!mutator->afl_custom_havoc_mutation)
+  afl->mutator->afl_custom_havoc_mutation = dlsym(dh, "afl_custom_havoc_mutation");
+  if (!afl->mutator->afl_custom_havoc_mutation)
     WARNF("Symbol 'afl_custom_havoc_mutation' not found.");
 
   /* "afl_custom_havoc_mutation", optional */
-  mutator->afl_custom_havoc_mutation_probability =
+  afl->mutator->afl_custom_havoc_mutation_probability = 
       dlsym(dh, "afl_custom_havoc_mutation_probability");
-  if (!mutator->afl_custom_havoc_mutation_probability)
+  if (!afl->mutator->afl_custom_havoc_mutation_probability)
     WARNF("Symbol 'afl_custom_havoc_mutation_probability' not found.");
 
   /* "afl_custom_queue_get", optional */
-  mutator->afl_custom_queue_get = dlsym(dh, "afl_custom_queue_get");
-  if (!mutator->afl_custom_queue_get)
+  afl->mutator->afl_custom_queue_get = dlsym(dh, "afl_custom_queue_get");
+  if (!afl->mutator->afl_custom_queue_get)
     WARNF("Symbol 'afl_custom_queue_get' not found.");
 
   /* "afl_custom_queue_new_entry", optional */
-  mutator->afl_custom_queue_new_entry = dlsym(dh, "afl_custom_queue_new_entry");
-  if (!mutator->afl_custom_queue_new_entry)
+  afl->mutator->afl_custom_queue_new_entry = dlsym(dh, "afl_custom_queue_new_entry");
+  if (!afl->mutator->afl_custom_queue_new_entry)
     WARNF("Symbol 'afl_custom_queue_new_entry' not found");
 
   OKF("Custom mutator '%s' installed successfully.", fn);
 
   /* Initialize the custom mutator */
-  if (mutator->afl_custom_init) mutator->afl_custom_init(UR(0xFFFFFFFF));
+  if (afl->mutator->afl_custom_init)
+    afl->mutator->afl_custom_init(afl, UR(afl, 0xFFFFFFFF));
 
 }
 
-u8 trim_case_custom(char** argv, struct queue_entry* q, u8* in_buf) {
+u8 trim_case_custom(afl_state_t *afl, struct queue_entry* q, u8* in_buf) {
 
   static u8 tmp[64];
   static u8 clean_trace[MAP_SIZE];
@@ -194,18 +193,18 @@ u8 trim_case_custom(char** argv, struct queue_entry* q, u8* in_buf) {
   u32 trim_exec = 0;
   u32 orig_len = q->len;
 
-  stage_name = tmp;
-  bytes_trim_in += q->len;
+  afl->stage_name = tmp;
+  afl->bytes_trim_in += q->len;
 
   /* Initialize trimming in the custom mutator */
-  stage_cur = 0;
-  stage_max = mutator->afl_custom_init_trim(in_buf, q->len);
+  afl->stage_cur = 0;
+  afl->stage_max = afl->mutator->afl_custom_init_trim(afl, in_buf, q->len);
 
-  if (not_on_tty && debug)
-    SAYF("[Custom Trimming] START: Max %d iterations, %u bytes", stage_max,
+  if (afl->not_on_tty && afl->debug)
+    SAYF("[Custom Trimming] START: Max %d iterations, %u bytes", afl->stage_max,
          q->len);
 
-  while (stage_cur < stage_max) {
+  while (afl->stage_cur < afl->stage_max) {
 
     sprintf(tmp, "ptrim %s", DI(trim_exec));
 
@@ -214,26 +213,26 @@ u8 trim_case_custom(char** argv, struct queue_entry* q, u8* in_buf) {
     u8*    retbuf = NULL;
     size_t retlen = 0;
 
-    mutator->afl_custom_trim(&retbuf, &retlen);
+    afl->mutator->afl_custom_trim(afl, &retbuf, &retlen);
 
     if (retlen > orig_len)
       FATAL(
           "Trimmed data returned by custom mutator is larger than original "
           "data");
 
-    write_to_testcase(retbuf, retlen);
+    write_to_testcase(afl, retbuf, retlen);
 
-    fault = run_target(argv, exec_tmout);
-    ++trim_execs;
+    fault = run_target(afl, afl->fsrv.exec_tmout);
+    ++afl->trim_execs;
 
-    if (stop_soon || fault == FAULT_ERROR) {
+    if (afl->stop_soon || fault == FAULT_ERROR) {
 
       free(retbuf);
       goto abort_trimming;
 
     }
 
-    cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST);
+    cksum = hash32(afl->fsrv.trace_bits, MAP_SIZE, HASH_CONST);
 
     if (cksum == q->exec_cksum) {
 
@@ -246,24 +245,24 @@ u8 trim_case_custom(char** argv, struct queue_entry* q, u8* in_buf) {
       if (!needs_write) {
 
         needs_write = 1;
-        memcpy(clean_trace, trace_bits, MAP_SIZE);
+        memcpy(clean_trace, afl->fsrv.trace_bits, MAP_SIZE);
 
       }
 
       /* Tell the custom mutator that the trimming was successful */
-      stage_cur = mutator->afl_custom_post_trim(1);
+      afl->stage_cur = afl->mutator->afl_custom_post_trim(afl, 1);
 
-      if (not_on_tty && debug)
+      if (afl->not_on_tty && afl->debug)
         SAYF("[Custom Trimming] SUCCESS: %d/%d iterations (now at %u bytes)",
-             stage_cur, stage_max, q->len);
+             afl->stage_cur, afl->stage_max, q->len);
 
     } else {
 
       /* Tell the custom mutator that the trimming was unsuccessful */
-      stage_cur = mutator->afl_custom_post_trim(0);
-      if (not_on_tty && debug)
-        SAYF("[Custom Trimming] FAILURE: %d/%d iterations", stage_cur,
-             stage_max);
+      afl->stage_cur = afl->mutator->afl_custom_post_trim(afl, 0);
+      if (afl->not_on_tty && afl->debug)
+        SAYF("[Custom Trimming] FAILURE: %d/%d iterations", afl->stage_cur,
+             afl->stage_max);
 
     }
 
@@ -271,11 +270,11 @@ u8 trim_case_custom(char** argv, struct queue_entry* q, u8* in_buf) {
 
     /* Since this can be slow, update the screen every now and then. */
 
-    if (!(trim_exec++ % stats_update_freq)) show_stats();
+    if (!(trim_exec++ % afl->stats_update_freq)) show_stats(afl);
 
   }
 
-  if (not_on_tty && debug)
+  if (afl->not_on_tty && afl->debug)
     SAYF("[Custom Trimming] DONE: %u bytes -> %u bytes", orig_len, q->len);
 
   /* If we have made changes to in_buf, we also need to update the on-disk
@@ -294,60 +293,65 @@ u8 trim_case_custom(char** argv, struct queue_entry* q, u8* in_buf) {
     ck_write(fd, in_buf, q->len, q->fname);
     close(fd);
 
-    memcpy(trace_bits, clean_trace, MAP_SIZE);
-    update_bitmap_score(q);
+    memcpy(afl->fsrv.trace_bits, clean_trace, MAP_SIZE);
+    update_bitmap_score(afl, q);
 
   }
 
 abort_trimming:
 
-  bytes_trim_out += q->len;
+  afl->bytes_trim_out += q->len;
   return fault;
 
 }
 
 #ifdef USE_PYTHON
-void load_custom_mutator_py(const char* module_name) {
+void load_custom_mutator_py(afl_state_t *afl, const char* module_name) {
 
-  mutator = ck_alloc(sizeof(struct custom_mutator));
+  PyObject **py_functions = afl->py_functions;
 
-  mutator->name = module_name;
+  afl->mutator = ck_alloc(sizeof(struct custom_mutator));
+
+  afl->mutator->name = module_name;
   ACTF("Loading Python mutator library from '%s'...", module_name);
 
-  if (py_functions[PY_FUNC_INIT]) mutator->afl_custom_init = init_py;
+  if (py_functions[PY_FUNC_INIT])
+    afl->mutator->afl_custom_init = init_py;
 
   /* "afl_custom_fuzz" should not be NULL, but the interface of Python mutator
      is quite different from the custom mutator. */
-  mutator->afl_custom_fuzz = fuzz_py;
+  afl->mutator->afl_custom_fuzz = fuzz_py;
 
   if (py_functions[PY_FUNC_PRE_SAVE])
-    mutator->afl_custom_pre_save = pre_save_py;
+    afl->mutator->afl_custom_pre_save = pre_save_py;
 
   if (py_functions[PY_FUNC_INIT_TRIM])
-    mutator->afl_custom_init_trim = init_trim_py;
+    afl->mutator->afl_custom_init_trim = init_trim_py;
 
   if (py_functions[PY_FUNC_POST_TRIM])
-    mutator->afl_custom_post_trim = post_trim_py;
-
-  if (py_functions[PY_FUNC_TRIM]) mutator->afl_custom_trim = trim_py;
+    afl->mutator->afl_custom_post_trim = post_trim_py;
 
+  if (py_functions[PY_FUNC_TRIM])
+    afl->mutator->afl_custom_trim = trim_py;
+  
   if (py_functions[PY_FUNC_HAVOC_MUTATION])
-    mutator->afl_custom_havoc_mutation = havoc_mutation_py;
-
+    afl->mutator->afl_custom_havoc_mutation = havoc_mutation_py;
+  
   if (py_functions[PY_FUNC_HAVOC_MUTATION_PROBABILITY])
-    mutator->afl_custom_havoc_mutation_probability =
-        havoc_mutation_probability_py;
+    afl->mutator->afl_custom_havoc_mutation_probability = 
+      havoc_mutation_probability_py;
 
   if (py_functions[PY_FUNC_QUEUE_GET])
-    mutator->afl_custom_queue_get = queue_get_py;
+    afl->mutator->afl_custom_queue_get = queue_get_py;
 
   if (py_functions[PY_FUNC_QUEUE_NEW_ENTRY])
-    mutator->afl_custom_queue_new_entry = queue_new_entry_py;
+    afl->mutator->afl_custom_queue_new_entry = queue_new_entry_py;
 
   OKF("Python mutator '%s' installed successfully.", module_name);
 
   /* Initialize the custom mutator */
-  if (mutator->afl_custom_init) mutator->afl_custom_init(UR(0xFFFFFFFF));
+  if (afl->mutator->afl_custom_init)
+    afl->mutator->afl_custom_init(afl, UR(afl, 0xFFFFFFFF));
 
 }