final touches before 2.60

libtokencap adding timingsafe* string comparators

.clang-format

@@ -0,0 +1,148 @@
+---
+Language:        Cpp
+# BasedOnStyle:  Google
+AccessModifierOffset: -1
+AlignAfterOpenBracket: Align
+AlignConsecutiveAssignments: false
+AlignConsecutiveDeclarations: true
+AlignEscapedNewlines: Left
+AlignOperands:   true
+AlignTrailingComments: true
+AllowAllParametersOfDeclarationOnNextLine: true
+AllowShortBlocksOnASingleLine: true
+AllowShortCaseLabelsOnASingleLine: true
+AllowShortFunctionsOnASingleLine: false
+AllowShortIfStatementsOnASingleLine: true
+AllowShortLoopsOnASingleLine: false
+AlwaysBreakAfterDefinitionReturnType: None
+AlwaysBreakAfterReturnType: None
+AlwaysBreakBeforeMultilineStrings: true
+AlwaysBreakTemplateDeclarations: Yes
+BinPackArguments: true
+BinPackParameters: true
+BraceWrapping:   
+  AfterClass:      false
+  AfterControlStatement: false
+  AfterEnum:       false
+  AfterFunction:   false
+  AfterNamespace:  false
+  AfterObjCDeclaration: false
+  AfterStruct:     false
+  AfterUnion:      false
+  AfterExternBlock: false
+  BeforeCatch:     false
+  BeforeElse:      false
+  IndentBraces:    false
+  SplitEmptyFunction: true
+  SplitEmptyRecord: true
+  SplitEmptyNamespace: true
+BreakBeforeBinaryOperators: None
+BreakBeforeBraces: Attach
+BreakBeforeInheritanceComma: false
+BreakInheritanceList: BeforeColon
+BreakBeforeTernaryOperators: true
+BreakConstructorInitializersBeforeComma: false
+BreakConstructorInitializers: BeforeColon
+BreakAfterJavaFieldAnnotations: false
+BreakStringLiterals: true
+ColumnLimit:     80
+CommentPragmas:  '^ IWYU pragma:'
+CompactNamespaces: false
+ConstructorInitializerAllOnOneLineOrOnePerLine: true
+ConstructorInitializerIndentWidth: 4
+ContinuationIndentWidth: 4
+Cpp11BracedListStyle: true
+DerivePointerAlignment: true
+DisableFormat:   false
+ExperimentalAutoDetectBinPacking: false
+FixNamespaceComments: true
+ForEachMacros:   
+  - foreach
+  - Q_FOREACH
+  - BOOST_FOREACH
+IncludeBlocks:   Preserve
+IncludeCategories: 
+  - Regex:           '^<ext/.*\.h>'
+    Priority:        2
+  - Regex:           '^<.*\.h>'
+    Priority:        1
+  - Regex:           '^<.*'
+    Priority:        2
+  - Regex:           '.*'
+    Priority:        3
+IncludeIsMainRegex: '([-_](test|unittest))?$'
+IndentCaseLabels: true
+IndentPPDirectives: None
+IndentWidth:     2
+IndentWrappedFunctionNames: false
+JavaScriptQuotes: Leave
+JavaScriptWrapImports: true
+KeepEmptyLinesAtTheStartOfBlocks: false
+MacroBlockBegin: ''
+MacroBlockEnd:   ''
+MaxEmptyLinesToKeep: 1
+NamespaceIndentation: None
+ObjCBinPackProtocolList: Never
+ObjCBlockIndentWidth: 2
+ObjCSpaceAfterProperty: false
+ObjCSpaceBeforeProtocolList: true
+PenaltyBreakAssignment: 2
+PenaltyBreakBeforeFirstCallParameter: 1
+PenaltyBreakComment: 300
+PenaltyBreakFirstLessLess: 120
+PenaltyBreakString: 1000
+PenaltyBreakTemplateDeclaration: 10
+PenaltyExcessCharacter: 1000000
+PenaltyReturnTypeOnItsOwnLine: 200
+PointerAlignment: Right
+RawStringFormats: 
+  - Language:        Cpp
+    Delimiters:      
+      - cc
+      - CC
+      - cpp
+      - Cpp
+      - CPP
+      - 'c++'
+      - 'C++'
+    CanonicalDelimiter: ''
+    BasedOnStyle:    google
+  - Language:        TextProto
+    Delimiters:      
+      - pb
+      - PB
+      - proto
+      - PROTO
+    EnclosingFunctions: 
+      - EqualsProto
+      - EquivToProto
+      - PARSE_PARTIAL_TEXT_PROTO
+      - PARSE_TEST_PROTO
+      - PARSE_TEXT_PROTO
+      - ParseTextOrDie
+      - ParseTextProtoOrDie
+    CanonicalDelimiter: ''
+    BasedOnStyle:    google
+ReflowComments:  true
+SortIncludes:    false
+SortUsingDeclarations: true
+SpaceAfterCStyleCast: false
+SpaceAfterTemplateKeyword: true
+SpaceBeforeAssignmentOperators: true
+SpaceBeforeCpp11BracedList: false
+SpaceBeforeCtorInitializerColon: true
+SpaceBeforeInheritanceColon: true
+SpaceBeforeParens: ControlStatements
+SpaceBeforeRangeBasedForLoopColon: true
+SpaceInEmptyParentheses: false
+SpacesBeforeTrailingComments: 2
+SpacesInAngles:  false
+SpacesInContainerLiterals: true
+SpacesInCStyleCastParentheses: false
+SpacesInParentheses: false
+SpacesInSquareBrackets: false
+Standard:        Auto
+TabWidth:        8
+UseTab:          Never
+...
+

.custom-format.py

@@ -0,0 +1,120 @@
+#!/usr/bin/env python3
+#
+# american fuzzy lop++ - custom code formatter
+# --------------------------------------------
+#
+# Written and maintaned by Andrea Fioraldi <andreafioraldi@gmail.com>
+#
+# Copyright 2015, 2016, 2017 Google Inc. All rights reserved.
+# Copyright 2019 AFLplusplus Project. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+
+import subprocess
+import sys
+import os
+import re
+
+# string_re = re.compile('(\\"(\\\\.|[^"\\\\])*\\")') # future use
+
+with open(".clang-format") as f:
+    fmt = f.read()
+
+CLANG_FORMAT_BIN = os.getenv("CLANG_FORMAT_BIN")
+if CLANG_FORMAT_BIN is None:
+    o = 0
+    try:
+        p = subprocess.Popen(["clang-format", "--version"], stdout=subprocess.PIPE)
+        o, _ = p.communicate()
+        o = str(o, "utf-8")
+        o = o[len("clang-format version "):].strip()
+        o = o[:o.find(".")]
+        o = int(o)
+    except: pass
+    if o < 7:
+        if subprocess.call(['which', 'clang-format-7'], stdout=subprocess.PIPE) == 0:
+            CLANG_FORMAT_BIN = 'clang-format-7'
+        elif subprocess.call(['which', 'clang-format-8'], stdout=subprocess.PIPE) == 0:
+            CLANG_FORMAT_BIN = 'clang-format-8'
+        elif subprocess.call(['which', 'clang-format-9'], stdout=subprocess.PIPE) == 0:
+            CLANG_FORMAT_BIN = 'clang-format-9'
+        elif subprocess.call(['which', 'clang-format-10'], stdout=subprocess.PIPE) == 0:
+            CLANG_FORMAT_BIN = 'clang-format-10'
+        else:
+            print ("clang-format 7 or above is needed. Aborted.")
+            exit(1)
+    else:
+        CLANG_FORMAT_BIN = 'clang-format'
+            
+COLUMN_LIMIT = 80
+for line in fmt.split("\n"):
+    line = line.split(":")
+    if line[0].strip() == "ColumnLimit":
+        COLUMN_LIMIT = int(line[1].strip())
+
+
+def custom_format(filename):
+    p = subprocess.Popen([CLANG_FORMAT_BIN, filename], stdout=subprocess.PIPE)
+    src, _ = p.communicate()
+    src = str(src, "utf-8")
+
+    in_define = False
+    last_line = None
+    out = ""
+    
+    for line in src.split("\n"):
+        if line.startswith("#"):
+            if line.startswith("#define"):
+                in_define = True
+        
+        if "/*" in line and not line.strip().startswith("/*") and line.endswith("*/") and len(line) < (COLUMN_LIMIT-2):
+            cmt_start = line.rfind("/*")
+            line = line[:cmt_start] + " " * (COLUMN_LIMIT-2 - len(line)) + line[cmt_start:]
+
+        define_padding = 0
+        if last_line is not None and in_define and last_line.endswith("\\"):
+            last_line = last_line[:-1]
+            define_padding = max(0, len(last_line[last_line.rfind("\n")+1:]))
+
+        if last_line is not None and last_line.strip().endswith("{") and line.strip() != "":
+            line = (" " * define_padding + "\\" if in_define else "") + "\n" + line
+        elif last_line is not None and last_line.strip().startswith("}") and line.strip() != "":
+            line = (" " * define_padding + "\\" if in_define else "") + "\n" + line
+        elif line.strip().startswith("}") and last_line is not None and last_line.strip() != "":
+            line = (" " * define_padding + "\\" if in_define else "") + "\n" + line
+
+        if not line.endswith("\\"):
+            in_define = False
+
+        out += line + "\n"
+        last_line = line
+
+    return (out)
+
+args = sys.argv[1:]
+if len(args) == 0:
+    print ("Usage: ./format.py [-i] <filename>")
+    print ()
+    print (" The -i option, if specified, let the script to modify in-place")
+    print (" the source files. By default the results are written to stdout.")
+    print()
+    exit(1)
+
+in_place = False
+if args[0] == "-i":
+    in_place = True
+    args = args[1:]
+
+for filename in args:
+    code = custom_format(filename)
+    if in_place:
+        with open(filename, "w") as f:
+            f.write(code)
+    else:
+        print(code)
+

.gitignore

@@ -1,6 +1,7 @@
+.test
+.test2
 *.o
 *.so
-.gitignore
 afl-analyze
 afl-as
 afl-clang
@@ -16,8 +17,21 @@ afl-gotcpu
 afl-qemu-trace
 afl-showmap
 afl-tmin
+afl-analyze.8
+afl-clang-fast++.8
+afl-clang-fast.8
+afl-cmin.8
+afl-fuzz.8
+afl-gcc.8
+afl-gcc-fast.8
+afl-g++-fast.8
+afl-gotcpu.8
+afl-plot.8
+afl-showmap.8
+afl-system-config.8
+afl-tmin.8
+afl-whatsup.8
+qemu_mode/libcompcov/compcovtest
 as
-qemu_mode/qemu-3.1.0
-qemu_mode/qemu-3.1.0.tar.xz
-unicorn_mode/unicorn
-unicorn_mode/unicorn-*
+qemu_mode/qemu-*
+core\.*

.travis.yml

@@ -1,11 +1,49 @@
 language: c
 
+branches:
+  only:
+    - master
+
+matrix:
+  include:
+  - os: linux
+    dist: bionic
+    env: NAME="bionic-amd64" MODERN="yes" GCC="7"
+  - os: linux
+    dist: xenial
+    env: NAME="xenial-amd64" MODERN="no" GCC="5" EXTRA="libtool-bin clang-6.0"
+  - os: linux
+    dist: trusty
+    env: NAME="trusty-amd64" MODERN="no" GCC="4.8"
+  - os: linux
+    dist: xenial
+    arch: arm64
+    env: NAME="xenial-arm64" MODERN="no" GCC="5" EXTRA="libtool-bin clang-6.0" AFL_NO_X86="1" CPU_TARGET="aarch64"
+#  - os: osx
+#    osx_image: xcode11.2
+#    env: NAME="osx" HOMEBREW_NO_ANALYTICS="1" LINK="http://releases.llvm.org/9.0.0/" NAME="clang+llvm-9.0.0-x86_64-darwin-apple"
+
+jobs:
+  allow_failures:
+    - os: osx
+
 env:
-  - AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 AFL_NO_UI=1
+  - AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 AFL_NO_UI=1 AFL_STOP_MANUALLY=1
+ # - AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 AFL_NO_UI=1 AFL_EXIT_WHEN_DONE=1
+ # TODO: test AFL_BENCH_UNTIL_CRASH once we have a target that crashes
+ # - AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 AFL_NO_UI=1 AFL_BENCH_JUST_ONE=1
+
+before_install:
+  # export LLVM_DIR=${TRAVIS_BUILD_DIR}/${LLVM_PACKAGE}
+  - echo Testing on $NAME
+  - if [ "$TRAVIS_OS_NAME" = "osx" ]; then wget "$LINK""$NAME".tar.xz ; export LLVM_CONFIG=`pwd`/"$NAME" ; tar xJf "$NAME".tar.xz ; fi
+  - if [ "$MODERN" = "yes" ]; then sudo apt update ; sudo apt upgrade ; sudo apt install -y libtool libtool-bin automake bison libglib2.0 build-essential clang gcc-"$GCC" gcc-"$GCC"-plugin-dev libc++-"$GCC"-dev ; fi
+  - if [ "$MODERN" = "no" ]; then sudo apt update ; sudo apt install -y libtool $EXTRA libpixman-1-dev automake bison libglib2.0 build-essential gcc-"$GCC" gcc-"$GCC"-plugin-dev libc++-dev ; fi
 
 script:
-  - make
-  - ./afl-gcc ./test-instr.c -o test-instr
-  - mkdir seeds; mkdir out
-  - echo "" > seeds/nil_seed
-  - timeout --preserve-status 5s ./afl-fuzz -i seeds -o out/ -- ./test-instr
+  - gcc -v
+  - clang -v
+  - if [ "$TRAVIS_OS_NAME" = "osx" ]; then export LLVM_CONFIG=`pwd`/"$NAME" ; make source-only ; fi
+  - if [ "$TRAVIS_OS_NAME" = "linux" -a "$TRAVIS_CPU_ARCH" = "amd64" ]; then make distrib ; fi
+  - if [ "$TRAVIS_CPU_ARCH" = "arm64" ] ; then make ; cd qemu_mode && sh ./build_qemu_support.sh ; cd .. ; fi
+  - make tests

Android.bp

@@ -0,0 +1,140 @@
+cc_defaults {
+  name: "afl-defaults",
+
+  cflags: [
+    "-funroll-loops",
+    "-Wno-pointer-sign",
+    "-Wno-pointer-arith",
+    "-Wno-sign-compare",
+    "-Wno-unused-parameter",
+    "-Wno-unused-function",
+    "-Wno-format",
+    "-Wno-user-defined-warnings",
+    "-DUSE_TRACE_PC=1",
+    "-DBIN_PATH=\"out/host/linux-x86/bin\"",
+    "-DDOC_PATH=\"out/host/linux-x86/shared/doc/afl\"",
+    "-D__USE_GNU",
+  ],
+}
+
+cc_binary {
+  name: "afl-fuzz",
+  static_executable: true,
+  host_supported: true,
+
+  defaults: [
+    "afl-defaults",
+  ],
+
+  srcs: [
+    "afl-fuzz.c",
+  ],
+}
+
+cc_binary {
+  name: "afl-showmap",
+  static_executable: true,
+  host_supported: true,
+
+  defaults: [
+    "afl-defaults",
+  ],
+
+  srcs: [
+    "afl-showmap.c",
+  ],
+}
+
+cc_binary {
+  name: "afl-tmin",
+  static_executable: true,
+  host_supported: true,
+
+  defaults: [
+    "afl-defaults",
+  ],
+
+  srcs: [
+    "afl-tmin.c",
+  ],
+}
+
+cc_binary {
+  name: "afl-analyze",
+  static_executable: true,
+  host_supported: true,
+
+  defaults: [
+    "afl-defaults",
+  ],
+
+  srcs: [
+    "afl-analyze.c",
+  ],
+}
+
+cc_binary {
+  name: "afl-gotcpu",
+  static_executable: true,
+  host_supported: true,
+
+  defaults: [
+    "afl-defaults",
+  ],
+
+  srcs: [
+    "afl-gotcpu.c",
+  ],
+}
+
+cc_binary_host {
+  name: "afl-clang-fast",
+  static_executable: true,
+
+  defaults: [
+    "afl-defaults",
+  ],
+
+  cflags: [
+    "-D__ANDROID__",
+    "-DAFL_PATH=\"out/host/linux-x86/lib64\"",
+  ],
+
+  srcs: [
+    "llvm_mode/afl-clang-fast.c",
+  ],
+}
+
+cc_binary_host {
+  name: "afl-clang-fast++",
+  static_executable: true,
+
+  defaults: [
+    "afl-defaults",
+  ],
+
+  cflags: [
+    "-D__ANDROID__",
+    "-DAFL_PATH=\"out/host/linux-x86/lib64\"",
+  ],
+
+  srcs: [
+    "llvm_mode/afl-clang-fast.c",
+  ],
+}
+
+cc_library_static {
+  name: "afl-llvm-rt",
+  compile_multilib: "both",
+  vendor_available: true,
+  host_supported: true,
+  recovery_available: true,
+
+  defaults: [
+    "afl-defaults",
+  ],
+
+  srcs: [
+    "llvm_mode/afl-llvm-rt.o.c",
+  ],
+}

Android.mk

@@ -0,0 +1 @@
+Makefile

CONTRIBUTING.md

@@ -0,0 +1,19 @@
+# How to submit a Pull Request to AFLplusplus
+
+Each modified source file, before merging, must be formatted.
+
+```
+make code-formatter
+```
+
+This should be fine if you modified one of the files already present in the
+project, otherwise run:
+
+```
+./.custom-format.py -i file-that-you-have-created.c
+```
+
+Regarding the coding style, please follow the AFL style.
+No camel case at all and use the AFL's macros when possible (e.g. WARNF, FATAL, ...).
+
+Remember that AFLplusplus has to build and run on many platforms, so generalize your Makefiles (or your patches to our pre-existing Makefiles) to be as much general as possible.

Dockerfile

@@ -0,0 +1,32 @@
+FROM ubuntu:eoan
+MAINTAINER David Carlier <devnexen@gmail.com>
+LABEL "about"="AFLplusplus docker image"
+RUN apt-get update && apt-get install -y \
+    --no-install-suggests --no-install-recommends \
+    automake \
+    bison \
+    build-essential \
+    clang \
+    clang-9 \
+    flex \
+    gcc-9 \
+    gcc-9-plugin-dev \
+    gcc-9-multilib \
+    libc++-9-dev \
+    libtool \
+    libtool-bin \
+    libglib2.0-dev \
+    llvm-9-dev \
+    python-setuptools \
+    python2.7-dev \
+    wget \
+    ca-certificates \
+    libpixman-1-dev \
+    && rm -rf /var/lib/apt/lists/*
+ARG CC=gcc-9
+ARG CXX=g++-9
+ARG LLVM_CONFIG=llvm-config-9
+COPY . /app
+RUN cd /app && make clean && make distrib && \
+    make install && cd .. && rm -rf /app
+WORKDIR /work

Makefile

@@ -2,7 +2,7 @@
 # american fuzzy lop - makefile
 # -----------------------------
 #
-# Written and maintained by Michal Zalewski <lcamtuf@google.com>
+# Written by Michal Zalewski
 # 
 # Copyright 2013, 2014, 2015, 2016, 2017 Google Inc. All rights reserved.
 # 
@@ -16,50 +16,113 @@
 # For Heiko:
 #TEST_MMAP=1
 
-PROGNAME    = afl
-VERSION     = $(shell grep '^\#define VERSION ' config.h | cut -d '"' -f2)
-
 PREFIX     ?= /usr/local
 BIN_PATH    = $(PREFIX)/bin
 HELPER_PATH = $(PREFIX)/lib/afl
 DOC_PATH    = $(PREFIX)/share/doc/afl
 MISC_PATH   = $(PREFIX)/share/afl
+MAN_PATH    = $(PREFIX)/man/man8
+
+PROGNAME    = afl
+VERSION     = $(shell grep '^\#define VERSION ' ../config.h | cut -d '"' -f2)
 
 # PROGS intentionally omit afl-as, which gets installed elsewhere.
 
 PROGS       = afl-gcc afl-fuzz afl-showmap afl-tmin afl-gotcpu afl-analyze
 SH_PROGS    = afl-plot afl-cmin afl-whatsup afl-system-config
+MANPAGES=$(foreach p, $(PROGS) $(SH_PROGS), $(p).8)
 
 CFLAGS     ?= -O3 -funroll-loops
-CFLAGS     += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign \
-	      -DAFL_PATH=\"$(HELPER_PATH)\" -DDOC_PATH=\"$(DOC_PATH)\" \
-	      -DBIN_PATH=\"$(BIN_PATH)\"
+CFLAGS     += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -I include/ \
+	      -DAFL_PATH=\"$(HELPER_PATH)\" -DBIN_PATH=\"$(BIN_PATH)\" \
+              -DDOC_PATH=\"$(DOC_PATH)\" -Wno-unused-function
 
-PYTHON_INCLUDE	?= /usr/include/python2.7
+AFL_FUZZ_FILES = $(wildcard src/afl-fuzz*.c)
+
+ifneq "($filter %3.7m, $(shell python3.7m-config --includes 2>/dev/null)" ""
+  PYTHON_INCLUDE  ?= $(shell python3.7m-config --includes)
+  PYTHON_LIB      ?= $(shell python3.7m-config --ldflags)
+  PYTHON_VERSION   = 3.7m
+else
+  ifneq "($filter %3.7, $(shell python3.7-config --includes) 2> /dev/null" ""
+    PYTHON_INCLUDE  ?= $(shell python3.7-config --includes)
+    PYTHON_LIB      ?= $(shell python3.7-config --ldflags)
+    PYTHON_VERSION   = 3.7
+  else
+    ifneq "($filter %2.7, $(shell python2.7-config --includes) 2> /dev/null" ""
+      PYTHON_INCLUDE  ?= $(shell python2.7-config --includes)
+      PYTHON_LIB      ?= $(shell python2.7-config --ldflags)
+      PYTHON_VERSION   = 2.7
+    endif
+  endif
+endif
+
+PYTHON_INCLUDE	?= $(shell test -e /usr/include/python3.7m && echo /usr/include/python3.7m)
+PYTHON_INCLUDE	?= $(shell test -e /usr/include/python3.7 && echo /usr/include/python3.7)
+PYTHON_INCLUDE	?= $(shell test -e /usr/include/python2.7 && echo /usr/include/python2.7)
+
+ifneq "($filter %3.7m, $(PYTHON_INCLUDE))" ""
+    PYTHON_VERSION ?= 3.7m
+    PYTHON_LIB  ?= -lpython3.7m
+else
+    ifneq "($filter %3.7, $(PYTHON_INCLUDE))" ""
+        PYTHON_VERSION ?= 3.7
+    else
+        ifneq "($filter %2.7, $(PYTHON_INCLUDE))" ""
+            PYTHON_VERSION ?= 2.7
+            PYTHON_LIB     ?= -lpython2.7
+        else
+            PYTHON_VERSION ?= none
+        endif
+    endif
+endif
+
+ifdef SOURCE_DATE_EPOCH
+    BUILD_DATE ?= $(shell date -u -d "@$(SOURCE_DATE_EPOCH)" -I 2>/dev/null || date -u -r "$(SOURCE_DATE_EPOCH)" -I 2>/dev/null || date -u -I)
+else
+    BUILD_DATE ?= $(shell date -I)
+endif
 
 ifneq "$(filter Linux GNU%,$(shell uname))" ""
   LDFLAGS  += -ldl
 endif
 
+ifneq "$(findstring FreeBSD, $(shell uname))" ""
+  CFLAGS += -pthread
+endif
+
+ifneq "$(findstring NetBSD, $(shell uname))" ""
+  CFLAGS += -pthread
+endif
+
 ifeq "$(findstring clang, $(shell $(CC) --version 2>/dev/null))" ""
   TEST_CC   = afl-gcc
 else
   TEST_CC   = afl-clang
 endif
 
-COMM_HDR    = alloc-inl.h config.h debug.h types.h
+COMM_HDR    = include/alloc-inl.h include/config.h include/debug.h include/types.h
 
 
-ifeq "$(shell echo '\#include <Python.h>@int main() {return 0; }' | tr @ '\n' | $(CC) -x c - -o .test -I$(PYTHON_INCLUDE) -lpython2.7 2>/dev/null && echo 1 || echo 0 )" "1"
+ifeq "$(shell echo '\#include <Python.h>@int main() {return 0; }' | tr @ '\n' | $(CC) -x c - -o .test -I$(PYTHON_INCLUDE) $(LDFLAGS) $(PYTHON_LIB) 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
 	PYTHON_OK=1
-	PYFLAGS=-DUSE_PYTHON -I$(PYTHON_INCLUDE) -lpython2.7
+	PYFLAGS=-DUSE_PYTHON -I$(PYTHON_INCLUDE) $(LDFLAGS) $(PYTHON_LIB)
 else
 	PYTHON_OK=0
 	PYFLAGS=
 endif
 
+ifdef STATIC
+  $(info Compiling static version of binaries)
+  # Disable python for static compilation to simplify things
+  PYTHON_OK=0
+  PYFLAGS=
 
-ifeq "$(shell echo '\#include <sys/ipc.h>@\#include <sys/shm.h>@int main() { int _id = shmget(IPC_PRIVATE, 65536, IPC_CREAT | IPC_EXCL | 0600); shmctl(_id, IPC_RMID, 0); return 0;}' | tr @ '\n' | $(CC) -x c - -o .test2 2>/dev/null && echo 1 || echo 0 )" "1"
+  CFLAGS += -static
+  LDFLAGS += -lm -lrt -lpthread -lz -lutil
+endif
+
+ifeq "$(shell echo '\#include <sys/ipc.h>@\#include <sys/shm.h>@int main() { int _id = shmget(IPC_PRIVATE, 65536, IPC_CREAT | IPC_EXCL | 0600); shmctl(_id, IPC_RMID, 0); return 0;}' | tr @ '\n' | $(CC) -x c - -o .test2 2>/dev/null && echo 1 || echo 0 ; rm -f .test2 )" "1"
 	SHMAT_OK=1
 else
 	SHMAT_OK=0
@@ -76,10 +139,44 @@ endif
 
 all:	test_x86 test_shm test_python27 ready $(PROGS) afl-as test_build all_done
 
+man:    $(MANPAGES) 
+	-$(MAKE) -C llvm_mode
+	-$(MAKE) -C gcc_plugin
+
+tests:	source-only
+	@cd test ; ./test.sh
+	@rm -f test/errors
+
+performance-tests:	performance-test
+test-performance:	performance-test
+
+performance-test:	source-only
+	@cd test ; ./test-performance.sh
+
+
+help:
+	@echo "HELP --- the following make targets exist:"
+	@echo "=========================================="
+	@echo "all: just the main afl++ binaries"
+	@echo "binary-only: everything for binary-only fuzzing: qemu_mode, unicorn_mode, libdislocator, libtokencap, radamsa"
+	@echo "source-only: everything for source code fuzzing: llvm_mode, gcc_plugin, libdislocator, libtokencap, radamsa"
+	@echo "distrib: everything (for both binary-only and source code fuzzing)"
+	@echo "man: creates simple man pages from the help option of the programs"
+	@echo "install: installs everything you have compiled with the build option above"
+	@echo "clean: cleans everything. for qemu_mode it means it deletes all downloads as well"
+	@echo "code-format: format the code, do this before you commit and send a PR please!"
+	@echo "tests: this runs the test framework. It is more catered for the developers, but if you run into problems this helps pinpointing the problem"
+	@echo "document: creates afl-fuzz-document which will only do one run and save all manipulated inputs into out/queue/mutations"
+	@echo "help: shows these build options :-)"
+	@echo "=========================================="
+	@echo "Recommended: \"distrib\" or \"source-only\", then \"install\""
+
 
 ifndef AFL_NO_X86
 
 test_x86:
+	@echo "[*] Checking for the default compiler cc..."
+	@which $(CC) >/dev/null || ( echo; echo "Oops, looks like there is no compiler '"$(CC)"' in your path."; echo; echo "Don't panic! You can restart with '"$(_)" CC=<yourCcompiler>'."; echo; exit 1 )
 	@echo "[*] Checking for the ability to compile x86 code..."
 	@echo 'main() { __asm__("xorb %al, %al"); }' | $(CC) -w -x c - -o .test1 || ( echo; echo "Oops, looks like your compiler can't generate x86 code."; echo; echo "Don't panic! You can use the LLVM or QEMU mode, but see docs/INSTALL first."; echo "(To ignore this error, set AFL_NO_X86=1 and try again.)"; echo; exit 1 )
 	@rm -f .test1
@@ -110,12 +207,12 @@ ifeq "$(PYTHON_OK)" "1"
 
 test_python27:
 	@rm -f .test 2> /dev/null
-	@echo "[+] Python 2.7 support seems to be working."
+	@echo "[+] Python $(PYTHON_VERSION) support seems to be working."
 
 else
 
 test_python27:
-	@echo "[-] You seem to need to install the package python2.7-dev, but it is optional so we continue"
+	@echo "[-] You seem to need to install the package python3.7-dev or python2.7-dev (and perhaps python[23]-apt), but it is optional so we continue"
 
 endif
 
@@ -123,45 +220,82 @@ endif
 ready:
 	@echo "[+] Everything seems to be working, ready to compile."
 
-afl-gcc: afl-gcc.c $(COMM_HDR) | test_x86
-	$(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
+afl-gcc: src/afl-gcc.c $(COMM_HDR) | test_x86
+	$(CC) $(CFLAGS) src/$@.c -o $@ $(LDFLAGS)
 	set -e; for i in afl-g++ afl-clang afl-clang++; do ln -sf afl-gcc $$i; done
 
-afl-as: afl-as.c afl-as.h $(COMM_HDR) | test_x86
-	$(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
+afl-as: src/afl-as.c include/afl-as.h $(COMM_HDR) | test_x86
+	$(CC) $(CFLAGS) src/$@.c -o $@ $(LDFLAGS)
 	ln -sf afl-as as
 
-afl-common.o : afl-common.c
-	$(CC) $(CFLAGS) -c afl-common.c
+src/afl-common.o : src/afl-common.c include/common.h
+	$(CC) $(CFLAGS) -c src/afl-common.c -o src/afl-common.o
 
-sharedmem.o : sharedmem.c
-	$(CC) $(CFLAGS) -c sharedmem.c
+src/afl-forkserver.o : src/afl-forkserver.c include/forkserver.h
+	$(CC) $(CFLAGS) -c src/afl-forkserver.c -o src/afl-forkserver.o
 
-afl-fuzz: afl-fuzz.c afl-common.o sharedmem.o $(COMM_HDR) | test_x86
-	$(CC) $(CFLAGS) $@.c afl-common.o sharedmem.o -o $@ $(LDFLAGS) $(PYFLAGS)
+src/afl-sharedmem.o : src/afl-sharedmem.c include/sharedmem.h
+	$(CC) $(CFLAGS) -c src/afl-sharedmem.c -o src/afl-sharedmem.o
 
-afl-showmap: afl-showmap.c afl-common.o sharedmem.o $(COMM_HDR) | test_x86
-	$(CC) $(CFLAGS) $@.c afl-common.o sharedmem.o -o $@ $(LDFLAGS)
+radamsa: src/third_party/libradamsa/libradamsa.so
+	cp src/third_party/libradamsa/libradamsa.so .
 
-afl-tmin: afl-tmin.c afl-common.o sharedmem.o $(COMM_HDR) | test_x86
-	$(CC) $(CFLAGS) $@.c afl-common.o sharedmem.o -o $@ $(LDFLAGS)
+src/third_party/libradamsa/libradamsa.so: src/third_party/libradamsa/libradamsa.c src/third_party/libradamsa/radamsa.h
+	$(MAKE) -C src/third_party/libradamsa/
 
-afl-analyze: afl-analyze.c afl-common.o sharedmem.o $(COMM_HDR) | test_x86
-	$(CC) $(CFLAGS) $@.c afl-common.o sharedmem.o -o $@ $(LDFLAGS)
+afl-fuzz: include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o $(COMM_HDR) | test_x86
+	$(CC) $(CFLAGS) $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o -o $@ $(PYFLAGS) $(LDFLAGS)
 
-afl-gotcpu: afl-gotcpu.c $(COMM_HDR) | test_x86
-	$(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
+afl-showmap: src/afl-showmap.c src/afl-common.o src/afl-sharedmem.o $(COMM_HDR) | test_x86
+	$(CC) $(CFLAGS) src/$@.c src/afl-common.o src/afl-sharedmem.o -o $@ $(LDFLAGS)
+
+afl-tmin: src/afl-tmin.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o $(COMM_HDR) | test_x86
+	$(CC) $(CFLAGS) src/$@.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o -o $@ $(LDFLAGS)
+
+afl-analyze: src/afl-analyze.c src/afl-common.o src/afl-sharedmem.o $(COMM_HDR) | test_x86
+	$(CC) $(CFLAGS) src/$@.c src/afl-common.o src/afl-sharedmem.o -o $@ $(LDFLAGS)
+
+afl-gotcpu: src/afl-gotcpu.c $(COMM_HDR) | test_x86
+	$(CC) $(CFLAGS) src/$@.c -o $@ $(LDFLAGS)
+
+
+# document all mutations and only do one run (use with only one input file!)
+document: include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o $(COMM_HDR) | test_x86
+	$(CC) $(CFLAGS) $(AFL_FUZZ_FILES) -D_AFL_DOCUMENT_MUTATIONS src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o -o afl-fuzz-document $(LDFLAGS) $(PYFLAGS)
+
+
+code-format:
+	./.custom-format.py -i src/*.c
+	./.custom-format.py -i include/*.h
+	./.custom-format.py -i libdislocator/*.c 
+	./.custom-format.py -i libtokencap/*.c 
+	./.custom-format.py -i llvm_mode/*.c
+	./.custom-format.py -i llvm_mode/*.h
+	./.custom-format.py -i llvm_mode/*.cc
+	./.custom-format.py -i gcc_plugin/*.c
+	#./.custom-format.py -i gcc_plugin/*.h
+	./.custom-format.py -i gcc_plugin/*.cc
+	./.custom-format.py -i experimental/*/*.c
+	./.custom-format.py -i experimental/*/*.h
+	./.custom-format.py -i qemu_mode/patches/*.h
+	./.custom-format.py -i qemu_mode/libcompcov/*.c
+	./.custom-format.py -i qemu_mode/libcompcov/*.cc
+	./.custom-format.py -i qemu_mode/libcompcov/*.h
+	./.custom-format.py -i qbdi_mode/*.c
+	./.custom-format.py -i qbdi_mode/*.cpp
+	./.custom-format.py -i *.h
+	./.custom-format.py -i *.c
 
 
 ifndef AFL_NO_X86
 
 test_build: afl-gcc afl-as afl-showmap
 	@echo "[*] Testing the CC wrapper and instrumentation output..."
-	unset AFL_USE_ASAN AFL_USE_MSAN; AFL_QUIET=1 AFL_INST_RATIO=100 AFL_PATH=. ./$(TEST_CC) $(CFLAGS) test-instr.c -o test-instr $(LDFLAGS)
-	echo 0 | ./afl-showmap -m none -q -o .test-instr0 ./test-instr
+	@unset AFL_USE_ASAN AFL_USE_MSAN AFL_CC; AFL_INST_RATIO=100 AFL_PATH=. ./$(TEST_CC) $(CFLAGS) test-instr.c -o test-instr $(LDFLAGS) 2>&1 | grep 'afl-as' >/dev/null || (echo "Oops, afl-as did not get called from "$(TEST_CC)". This is normally achieved by "$(CC)" honoring the -B option."; exit 1 )
+	./afl-showmap -m none -q -o .test-instr0 ./test-instr < /dev/null
 	echo 1 | ./afl-showmap -m none -q -o .test-instr1 ./test-instr
 	@rm -f test-instr
-	@cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation does not seem to be behaving correctly!"; echo; echo "Please ping <lcamtuf@google.com> to troubleshoot the issue."; echo; exit 1; fi
+	@cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation does not seem to be behaving correctly!"; echo; echo "Please post to https://github.com/vanhauser-thc/AFLplusplus/issues to troubleshoot the issue."; echo; exit 1; fi
 	@echo "[+] All right, the instrumentation seems to be working!"
 
 else
@@ -181,19 +315,69 @@ all_done: test_build
 .NOTPARALLEL: clean
 
 clean:
-	rm -f $(PROGS) afl-as as afl-g++ afl-clang afl-clang++ *.o *~ a.out core core.[1-9][0-9]* *.stackdump test .test .test1 .test2 test-instr .test-instr0 .test-instr1 qemu_mode/qemu-3.1.0.tar.xz afl-qemu-trace afl-gcc-fast  afl-gcc-pass.so  afl-gcc-rt.o  afl-g++-fast
-	rm -rf out_dir qemu_mode/qemu-3.1.0
-	$(MAKE) -C llvm_mode clean
+	rm -f $(PROGS) libradamsa.so afl-fuzz-document afl-as as afl-g++ afl-clang afl-clang++ *.o src/*.o *~ a.out core core.[1-9][0-9]* *.stackdump .test .test1 .test2 test-instr .test-instr0 .test-instr1 qemu_mode/qemu-3.1.1.tar.xz afl-qemu-trace afl-gcc-fast afl-gcc-pass.so afl-gcc-rt.o afl-g++-fast *.so *.8
+	rm -rf out_dir qemu_mode/qemu-3.1.1 *.dSYM */*.dSYM
+	-$(MAKE) -C llvm_mode clean
+	-$(MAKE) -C gcc_plugin clean
 	$(MAKE) -C libdislocator clean
 	$(MAKE) -C libtokencap clean
+	$(MAKE) -C experimental/socket_fuzzing clean
+	$(MAKE) -C experimental/argv_fuzzing clean
+	$(MAKE) -C qemu_mode/unsigaction clean
+	$(MAKE) -C qemu_mode/libcompcov clean
+	$(MAKE) -C src/third_party/libradamsa/ clean
+	-rm -rf unicorn_mode/unicorn
 
-install: all
-	mkdir -p -m 755 $${DESTDIR}$(BIN_PATH) $${DESTDIR}$(HELPER_PATH) $${DESTDIR}$(DOC_PATH) $${DESTDIR}$(MISC_PATH)
+distrib: all radamsa
+	-$(MAKE) -C llvm_mode
+	-$(MAKE) -C gcc_plugin
+	$(MAKE) -C libdislocator
+	$(MAKE) -C libtokencap
+	$(MAKE) -C experimental/socket_fuzzing
+	$(MAKE) -C experimental/argv_fuzzing
+	cd qemu_mode && sh ./build_qemu_support.sh
+	cd unicorn_mode && sh ./build_unicorn_support.sh
+
+binary-only: all radamsa
+	$(MAKE) -C libdislocator
+	$(MAKE) -C libtokencap
+	$(MAKE) -C experimental/socket_fuzzing
+	$(MAKE) -C experimental/argv_fuzzing
+	cd qemu_mode && sh ./build_qemu_support.sh
+	cd unicorn_mode && sh ./build_unicorn_support.sh
+
+source-only: all radamsa
+	-$(MAKE) -C llvm_mode
+	-$(MAKE) -C gcc_plugin
+	$(MAKE) -C libdislocator
+	$(MAKE) -C libtokencap
+
+%.8:	%
+	@echo .TH $* 8 $(BUILD_DATE) "afl++" > $@
+	@echo .SH NAME >> $@
+	@echo .B $* >> $@
+	@echo >> $@
+	@echo .SH SYNOPSIS >> $@
+	@./$* -h 2>&1 | head -n 3 | tail -n 1 | sed 's/^\.\///' >> $@
+	@echo >> $@
+	@echo .SH OPTIONS >> $@
+	@echo .nf >> $@
+	@./$* -h 2>&1 | tail -n +4 >> $@
+	@echo >> $@
+	@echo .SH AUTHOR >> $@
+	@echo "afl++ was written by Michal \"lcamtuf\" Zalewski and is maintained by Marc \"van Hauser\" Heuse <mh@mh-sec.de>, Heiko \"hexcoder-\" Eissfeldt <heiko.eissfeldt@hexco.de> and Andrea Fioraldi <andreafioraldi@gmail.com>" >> $@
+	@echo  The homepage of afl++ is: https://github.com/vanhauser-thc/AFLplusplus >> $@
+	@echo >> $@
+	@echo .SH LICENSE >> $@
+	@echo Apache License Version 2.0, January 2004 >> $@
+
+install: all $(MANPAGES)
+	install -d -m 755 $${DESTDIR}$(BIN_PATH) $${DESTDIR}$(HELPER_PATH) $${DESTDIR}$(DOC_PATH) $${DESTDIR}$(MISC_PATH)
 	rm -f $${DESTDIR}$(BIN_PATH)/afl-plot.sh
 	install -m 755 $(PROGS) $(SH_PROGS) $${DESTDIR}$(BIN_PATH)
 	rm -f $${DESTDIR}$(BIN_PATH)/afl-as
 	if [ -f afl-qemu-trace ]; then install -m 755 afl-qemu-trace $${DESTDIR}$(BIN_PATH); fi
-	#if [ -f afl-gcc-fast ]; then set e; install -m 755 afl-gcc-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-gcc-fast $${DESTDIR}$(BIN_PATH)/afl-g++-fast; install -m 755 afl-gcc-pass.so afl-gcc-rt.o $${DESTDIR}$(HELPER_PATH); fi
+	if [ -f afl-gcc-fast ]; then set e; install -m 755 afl-gcc-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-gcc-fast $${DESTDIR}$(BIN_PATH)/afl-g++-fast; install -m 755 afl-gcc-pass.so afl-gcc-rt.o $${DESTDIR}$(HELPER_PATH); fi
 ifndef AFL_TRACE_PC
 	if [ -f afl-clang-fast -a -f libLLVMInsTrim.so -a -f afl-llvm-rt.o ]; then set -e; install -m 755 afl-clang-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang-fast++; install -m 755 libLLVMInsTrim.so afl-llvm-pass.so afl-llvm-rt.o $${DESTDIR}$(HELPER_PATH); fi
 else
@@ -204,17 +388,27 @@ endif
 	if [ -f compare-transform-pass.so ]; then set -e; install -m 755 compare-transform-pass.so $${DESTDIR}$(HELPER_PATH); fi
 	if [ -f split-compares-pass.so ]; then set -e; install -m 755 split-compares-pass.so $${DESTDIR}$(HELPER_PATH); fi
 	if [ -f split-switches-pass.so ]; then set -e; install -m 755 split-switches-pass.so $${DESTDIR}$(HELPER_PATH); fi
+	if [ -f libdislocator.so ]; then set -e; install -m 755 libdislocator.so $${DESTDIR}$(HELPER_PATH); fi
+	if [ -f libtokencap.so ]; then set -e; install -m 755 libtokencap.so $${DESTDIR}$(HELPER_PATH); fi
+	if [ -f libcompcov.so ]; then set -e; install -m 755 libcompcov.so $${DESTDIR}$(HELPER_PATH); fi
+	if [ -f libradamsa.so ]; then set -e; install -m 755 libradamsa.so $${DESTDIR}$(HELPER_PATH); fi
+	if [ -f afl-fuzz-document ]; then set -e; install -m 755 afl-fuzz-document $${DESTDIR}$(BIN_PATH); fi
+	$(MAKE) -C experimental/socket_fuzzing install
+	$(MAKE) -C experimental/argv_fuzzing install
 
 	set -e; ln -sf afl-gcc $${DESTDIR}$(BIN_PATH)/afl-g++
 	set -e; if [ -f afl-clang-fast ] ; then ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang ; ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang++ ; else ln -sf afl-gcc $${DESTDIR}$(BIN_PATH)/afl-clang ; ln -sf afl-gcc $${DESTDIR}$(BIN_PATH)/afl-clang++; fi
 
+	mkdir -m 0755 -p ${DESTDIR}$(MAN_PATH)
+	install -m0644 -D *.8 ${DESTDIR}$(MAN_PATH)
+
 	install -m 755 afl-as $${DESTDIR}$(HELPER_PATH)
 	ln -sf afl-as $${DESTDIR}$(HELPER_PATH)/as
 	install -m 644 docs/README.md docs/ChangeLog docs/*.txt $${DESTDIR}$(DOC_PATH)
 	cp -r testcases/ $${DESTDIR}$(MISC_PATH)
 	cp -r dictionaries/ $${DESTDIR}$(MISC_PATH)
 
-publish: clean
+#publish: clean
 #	test "`basename $$PWD`" = "afl" || exit 1
 #	test -f ~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz; if [ "$$?" = "0" ]; then echo; echo "Change program version in config.h, mmkay?"; echo; exit 1; fi
 #	cd ..; rm -rf $(PROGNAME)-$(VERSION); cp -pr $(PROGNAME) $(PROGNAME)-$(VERSION); \

README.md

@@ -1,35 +1,78 @@
 # american fuzzy lop plus plus (afl++)
 
+  ![Travis State](https://api.travis-ci.com/vanhauser-thc/AFLplusplus.svg?branch=master)
+
+  Release Version: 2.59c 
+
+  Github Version: 2.59d
+
+  includes all necessary/interesting changes from Google's afl 2.56b
+
+
   Originally developed by Michal "lcamtuf" Zalewski.
 
   Repository: [https://github.com/vanhauser-thc/AFLplusplus](https://github.com/vanhauser-thc/AFLplusplus)
 
-  afl++ is maintained by Marc Heuse <mh@mh-sec.de>, Heiko Eissfeldt
-  <heiko.eissfeldt@hexco.de> and Andrea Fioraldi <andreafioraldi@gmail.com>.
+  afl++ is maintained by Marc "van Hauser" Heuse <mh@mh-sec.de>,
+  Heiko "hexcoder-" Eißfeldt <heiko.eissfeldt@hexco.de> and
+  Andrea Fioraldi <andreafioraldi@gmail.com>.
+
+  Note that although afl now has a Google afl repository [https://github.com/Google/afl](https://github.com/Google/afl),
+  it is unlikely to receive any noteable enhancements: [https://twitter.com/Dor3s/status/1154737061787660288](https://twitter.com/Dor3s/status/1154737061787660288)
+
 
 ## The enhancements compared to the original stock afl
 
   Many improvements were made over the official afl release - which did not
-  get any improvements since November 2017.
+  get any feature improvements since November 2017.
 
-  Among others afl++ has, e.g. more performant llvm_mode, supporting
-  llvm up to version 8, Qemu 3.1, more speed and crashfixes for Qemu,
-  laf-intel feature for Qemu (with libcompcov) and more.
+  Among other changes afl++ has a more performant llvm_mode, supports
+  llvm up to version 10, QEMU 3.1, more speed and crashfixes for QEMU,
+  better *BSD and Android support and much, much more.
 
-  Additionally the following patches have been integrated:
+  Additionally the following features and patches have been integrated:
 
-  * AFLfast's power schedules by Marcel Boehme: [https://github.com/mboehme/aflfast](https://github.com/mboehme/aflfast)
+  * AFLfast's power schedules by Marcel Böhme: [https://github.com/mboehme/aflfast](https://github.com/mboehme/aflfast)
 
-  * C. Hollers afl-fuzz Python mutator module and llvm_mode whitelist support: [https://github.com/choller/afl](https://github.com/choller/afl)
+  * The new excellent MOpt mutator: [https://github.com/puppet-meteor/MOpt-AFL](https://github.com/puppet-meteor/MOpt-AFL)
 
-  * the new excellent MOpt mutator: [https://github.com/puppet-meteor/MOpt-AFL](https://github.com/puppet-meteor/MOpt-AFL)
+  * InsTrim, a very effective CFG llvm_mode instrumentation implementation for large targets: [https://github.com/csienslab/instrim](https://github.com/csienslab/instrim)
 
-  * instrim, a very effective CFG llvm_mode instrumentation implementation for large targets: [https://github.com/csienslab/instrim](https://github.com/csienslab/instrim)
+  * C. Holler's afl-fuzz Python mutator module and llvm_mode whitelist support: [https://github.com/choller/afl](https://github.com/choller/afl)
+
+  * Custom mutator by a library (instead of Python) by kyakdan
 
   * unicorn_mode which allows fuzzing of binaries from completely different platforms (integration provided by domenukk)
 
+  * laf-intel or CompCov support for llvm_mode, qemu_mode and unicorn_mode
+
+  * NeverZero patch for afl-gcc, llvm_mode, qemu_mode and unicorn_mode which prevents a wrapping map value to zero, increases coverage
+  
+  * Persistent mode and deferred forkserver for qemu_mode
+  
+  * Win32 PE binary-only fuzzing with QEMU and Wine
+
+  * Radamsa mutator (enable with `-R` to add or `-RR` to run it exclusivly).
+
+  * qbdi_mode: fuzz android native libraries via QBDI framework
+
+
   A more thorough list is available in the PATCHES file.
 
+  | Feature/Instrumentation | afl-gcc | llvm_mode | gcc_plugin | qemu_mode | unicorn_mode |
+  | ----------------------- |:-------:|:---------:|:----------:|:---------:|:------------:|
+  | laf-intel / CompCov     |         |     x     |            |  x86/arm  |   x86/arm    |
+  | NeverZero               |    x    |     x(1)  |      (2)   |     x     |      x       |
+  | Persistent mode         |         |     x     |     x      |    x86    |      x       |
+  | Whitelist               |         |     x     |     x      |           |              |
+  | InsTrim                 |         |     x     |            |           |              |
+
+  neverZero:
+
+  (1) only in LLVM >= 9.0 due to a bug in llvm in previous versions
+
+  (2) gcc create non-performant code, hence it is disabled in gcc_plugin
+
   So all in all this is the best-of AFL that is currently out there :-)
 
   For new versions and additional information, check out:
@@ -42,8 +85,55 @@
   read this file.
 
 
+## 0) Building and installing afl++
+
+afl++ has many build options.
+The easiest is to build and install everything:
+
+```shell
+$ make distrib
+$ sudo make install
+```
+
+Note that "make distrib" also builds llvm_mode, qemu_mode, unicorn_mode and
+more. If you just want plain afl then do "make all", however compiling and
+using at least llvm_mode is highly recommended for much better results -
+hence in this case 
+
+```shell
+$ make source-only
+```
+is what you should choose.
+
+These build options exist:
+
+* all: just the main afl++ binaries
+* binary-only: everything for binary-only fuzzing: qemu_mode, unicorn_mode, libdislocator, libtokencap, radamsa
+* source-only: everything for source code fuzzing: llvm_mode, libdislocator, libtokencap, radamsa
+* distrib: everything (for both binary-only and source code fuzzing)
+* install: installs everything you have compiled with the build options above
+* clean: cleans everything. for qemu_mode and unicorn_mode it means it deletes all downloads as well
+* code-format: format the code, do this before you commit and send a PR please!
+* tests: runs test cases to ensure that all features are still working as they should
+* help: shows these build options
+
+[Unless you are on Mac OS X](https://developer.apple.com/library/archive/qa/qa1118/_index.html) you can also build statically linked versions of the 
+afl++ binaries by passing the STATIC=1 argument to make:
+
+```shell
+$ make all STATIC=1
+```
+
+Note that afl++ is faster and better the newer the compilers used are.
+Hence gcc-9 and especially llvm-9 should be the compilers of choice.
+If your distribution does not have them, you can use the Dockerfile:
+
+```shell
+$ docker build -t aflplusplus
+```
+
+
 ## 1) Challenges of guided fuzzing
--------------------------------
 
 Fuzzing is one of the most powerful and proven strategies for identifying
 security issues in real-world software; it is responsible for the vast
@@ -114,7 +204,7 @@ superior to blind fuzzing or coverage-only tools.
 PLEASE NOTE: llvm_mode compilation with afl-clang-fast/afl-clang-fast++
 instead of afl-gcc/afl-g++ is much faster and has a few cool features.
 See llvm_mode/ - however few code does not compile with llvm.
-We support llvm versions 4.0 to 8.
+We support llvm versions 3.8.0 to 10.
 
 When source code is available, instrumentation can be injected by a companion
 tool that works as a drop-in replacement for gcc or clang in any standard build
@@ -136,14 +226,14 @@ For C++ programs, you'd would also want to set `CXX=/path/to/afl/afl-g++`.
 
 The clang wrappers (afl-clang and afl-clang++) can be used in the same way;
 clang users may also opt to leverage a higher-performance instrumentation mode,
-as described in [llvm_mode/README.llvm](llvm_mode/README.llvm).
-Clang/LLVM has a much better performance and works with LLVM version 4.0 to 8.
+as described in [llvm_mode/README.md](llvm_mode/README.md).
+Clang/LLVM has a much better performance and works with LLVM version 3.8.0 to 10.
 
 Using the LAF Intel performance enhancements are also recommended, see 
-[llvm_mode/README.laf-intel](llvm_mode/README.laf-intel)
+[llvm_mode/README.laf-intel.md](llvm_mode/README.laf-intel.md)
 
 Using partial instrumentation is also recommended, see
-[llvm_mode/README.whitelist](llvm_mode/README.whitelist)
+[llvm_mode/README.whitelist.md](llvm_mode/README.whitelist.md)
 
 When testing libraries, you need to find or write a simple program that reads
 data from stdin or from a file and passes it to the tested library. In such a
@@ -159,14 +249,13 @@ $ CC=/path/to/afl/afl-gcc ./configure --disable-shared
 Setting `AFL_HARDEN=1` when calling 'make' will cause the CC wrapper to
 automatically enable code hardening options that make it easier to detect
 simple memory bugs. Libdislocator, a helper library included with AFL (see
-[libdislocator/README.dislocator](libdislocator/README.dislocator)) can help uncover heap corruption issues, too.
+[libdislocator/README.md](libdislocator/README.md)) can help uncover heap corruption issues, too.
 
 PS. ASAN users are advised to review [docs/notes_for_asan.txt](docs/notes_for_asan.txt)
 file for important caveats.
 
 
 ## 4) Instrumenting binary-only apps
----------------------------------
 
 When source code is *NOT* available, the fuzzer offers experimental support for
 fast, on-the-fly instrumentation of black-box binaries. This is accomplished
@@ -180,7 +269,7 @@ $ cd qemu_mode
 $ ./build_qemu_support.sh
 ```
 
-For additional instructions and caveats, see [qemu_mode/README.qemu](qemu_mode/README.qemu).
+For additional instructions and caveats, see [qemu_mode/README.md](qemu_mode/README.md).
 
 The mode is approximately 2-5x slower than compile-time instrumentation, is
 less conductive to parallelization, and may have some other quirks.
@@ -194,11 +283,10 @@ A more comprehensive description of these and other options can be found in
 
 
 ## 5) Power schedules
-------------------
 
 The power schedules were copied from Marcel Böhme's excellent AFLfast
-implementation and expands on the ability to discover new paths and
-therefore the coverage.
+implementation and expand on the ability to discover new paths and
+therefore may increase the code coverage.
 
 The available schedules are:
  
@@ -220,13 +308,8 @@ explore mode.
 made the default mode).
 
 More details can be found in the paper published at the 23rd ACM Conference on
-Computer and Communications Security (CCS'16):
- 
- (https://www.sigsac.org/ccs/CCS2016/accepted-papers/)[https://www.sigsac.org/ccs/CCS2016/accepted-papers/]
-
-
+Computer and Communications Security [CCS'16](https://www.sigsac.org/ccs/CCS2016/accepted-papers/)
 ## 6) Choosing initial test cases
-------------------------------
 
 To operate correctly, the fuzzer requires one or more starting file that
 contains a good example of the input data normally expected by the targeted
@@ -248,7 +331,6 @@ exercise different code paths in the target binary.
 
 
 ## 7) Fuzzing binaries
--------------------
 
 The fuzzing process itself is carried out by the afl-fuzz utility. This program
 requires a read-only directory with initial test cases, a separate place to
@@ -287,7 +369,6 @@ fuzzers - add the -d option to the command line.
 
 
 ## 8) Interpreting output
-----------------------
 
 See the [docs/status_screen.txt](docs/status_screen.txt) file for information on
 how to interpret the displayed stats and monitor the health of the process. Be
@@ -349,7 +430,6 @@ see [http://lcamtuf.coredump.cx/afl/plot/](http://lcamtuf.coredump.cx/afl/plot/)
 
 
 ## 9) Parallelized fuzzing
------------------------
 
 Every instance of afl-fuzz takes up roughly one core. This means that on
 multi-core systems, parallelization is necessary to fully utilize the hardware.
@@ -362,7 +442,6 @@ last section of [docs/parallel_fuzzing.txt](docs/parallel_fuzzing.txt) for tips.
 
 
 ## 10) Fuzzer dictionaries
-----------------------
 
 By default, afl-fuzz mutation engine is optimized for compact data formats -
 say, images, multimedia, compressed data, regular expression syntax, or shell
@@ -377,7 +456,7 @@ magic headers, or other special tokens associated with the targeted data type
   [http://lcamtuf.blogspot.com/2015/01/afl-fuzz-making-up-grammar-with.html](http://lcamtuf.blogspot.com/2015/01/afl-fuzz-making-up-grammar-with.html)
 
 To use this feature, you first need to create a dictionary in one of the two
-formats discussed in [dictionaries/README.dictionaries](ictionaries/README.dictionaries);
+formats discussed in [dictionaries/README.md](dictionaries/README.md);
 and then point the fuzzer to it via the -x option in the command line.
 
 (Several common dictionaries are already provided in that subdirectory, too.)
@@ -395,11 +474,10 @@ parsers and grammars, but isn't nearly as good as the -x mode.
 
 If a dictionary is really hard to come by, another option is to let AFL run
 for a while, and then use the token capture library that comes as a companion
-utility with AFL. For that, see [libtokencap/README.tokencap](libtokencap/README.tokencap).
+utility with AFL. For that, see [libtokencap/README.md](libtokencap/README.tokencap.md).
 
 
 ## 11) Crash triage
-----------------
 
 The coverage-based grouping of crashes usually produces a small data set that
 can be quickly triaged manually or with a very simple GDB or Valgrind script.
@@ -448,7 +526,6 @@ near the end of [docs/technical_details.txt](docs/technical_details.txt).
 
 
 ## 12) Going beyond crashes
-------------------------
 
 Fuzzing is a wonderful and underutilized technique for discovering non-crashing
 design and implementation errors, too. Quite a few interesting bugs have been
@@ -473,7 +550,6 @@ shared with libfuzzer) or `#ifdef __AFL_COMPILER` (this one is just for AFL).
 
 
 ## 13) Common-sense risks
-----------------------
 
 Please keep in mind that, similarly to many other computationally-intensive
 tasks, fuzzing may put strain on your hardware and on the OS. In particular:
@@ -504,7 +580,6 @@ tasks, fuzzing may put strain on your hardware and on the OS. In particular:
 
 
 ## 14) Known limitations & areas for improvement
----------------------------------------------
 
 Here are some of the most important caveats for AFL:
 
@@ -546,10 +621,9 @@ Beyond this, see INSTALL for platform-specific tips.
 
 
 ## 15) Special thanks
-------------------
 
-Many of the improvements to the original afl wouldn't be possible without
-feedback, bug reports, or patches from:
+Many of the improvements to the original afl and afl++ wouldn't be possible
+without feedback, bug reports, or patches from:
 
 ```
   Jann Horn                             Hanno Boeck
@@ -566,7 +640,7 @@ feedback, bug reports, or patches from:
   Jonathan Gray                         Filipe Cabecinhas
   Nico Weber                            Jodie Cunningham
   Andrew Griffiths                      Parker Thompson
-  Jonathan Neuschfer                    Tyler Nighswander
+  Jonathan Neuschaefer                  Tyler Nighswander
   Ben Nagy                              Samir Aguiar
   Aidan Thornton                        Aleksandar Nikolich
   Sam Hakim                             Laszlo Szekeres
@@ -585,20 +659,21 @@ feedback, bug reports, or patches from:
   Austin Seipp                          Daniel Komaromy
   Daniel Binderman                      Jonathan Metzman
   Vegard Nossum                         Jan Kneschke
-  Kurt Roeckx                           Marcel Bohme
+  Kurt Roeckx                           Marcel Boehme
   Van-Thuan Pham                        Abhik Roychoudhury
   Joshua J. Drake                       Toby Hutton
   Rene Freingruber                      Sergey Davidoff
   Sami Liedes                           Craig Young
   Andrzej Jackowski                     Daniel Hodson
-  Nathan Voss				Dominik Maier
+  Nathan Voss                           Dominik Maier
+  Andrea Biondo                         Vincent Le Garrec
+  Khaled Yakdan                         Kuang-che Wu
 ```
 
 Thank you!
 
 
 ## 16) Contact
------------
 
 Questions? Concerns? Bug reports? The contributors can be reached via
 [https://github.com/vanhauser-thc/AFLplusplus](https://github.com/vanhauser-thc/AFLplusplus)

TODO

@@ -1,34 +1,58 @@
-Roadmap 2.53d:
-==============
- - indent all the code: clang-format -style=Google
 
- - update docs/sister_projects.txt
+Roadmap 2.60:
+=============
 
 afl-fuzz:
- - put mutator, scheduler, forkserver and input channels in individual files
- - reuse forkserver for showmap, afl-cmin, etc.
+ - radamsa mutator (via dlopen())
 
 gcc_plugin:
- - needs to be rewritten
- - fix crashes when compiling :(
- - whitelist support
- - skip over uninteresting blocks
  - laf-intel
- - neverZero
+
+libdislocator:
+ - add a wrapper for posix_memalign
 
 qemu_mode:
- - deferred mode with AFL_DEFERRED_QEMU=0xaddress
+ - update to 4.x (probably this will be skipped :( )
+ - instrim for QEMU mode via static analysis (with r2pipe? or angr?)
+   Idea: The static analyzer outputs a map in which each edge that must be
+   skipped is marked with 1. QEMU loads it at startup in the parent process.
 
-unit testing / or large testcase campaign
+custom_mutators:
+ - rip what Superion is doing into custom mutators for js, php, etc.
+
+enhance test/test.sh script for checking if compcov features are working
+correctly (especially float splitting)
 
 
-Roadmap 2.54d:
-==============
- - expand MAP size to 256k (current L2 cache size on processors)
-   -> 18 bit map
- - llvm_mode: dynamic map size and collission free basic block IDs
-
-qemu_mode:
- - persistent mode patching the return address (WinAFL style)
- - instrument only comparison with immediate values by default when using compcov
+The far away future:
+====================
 
+Problem: Average targets (tiff, jpeg, unrar) go through 1500 edges.
+         At afl's default map that means ~16 collisions and ~3 wrappings.
+  Solution #1: increase map size.
+    every +1 decreases fuzzing speed by ~10% and halfs the collisions
+    birthday paradox predicts collisions at this # of edges:
+     mapsize => collisions
+	2^16 = 302
+	2^17 = 427
+	2^18 = 603
+	2^19 = 853
+	2^20 = 1207
+	2^21 = 1706
+	2^22 = 2412
+	2^23 = 3411
+	2^24 = 4823
+    Increasing the map is an easy solution but also not a good one.
+  Solution #2: use dynamic map size and collision free basic block IDs
+    This only works in llvm_mode and llvm >= 9 though
+    A potential good future solution. Heiko/hexcoder follows this up
+  Solution #3: write instruction pointers to a big shared map
+    512kb/1MB shared map and the instrumented code writes the instruction
+    pointer into the map. Map must be big enough but could be command line
+    controlled.
+    Good: complete coverage information, nothing is lost. choice of analysis
+          impacts speed, but this can be decided by user options
+    Neutral: a little bit slower but no loss of coverage
+    Bad: completely changes how afl uses the map and the scheduling.
+    Overall another very good solution, Marc Heuse/vanHauser follows this up
+    

afl-cmin

@@ -3,7 +3,7 @@
 # american fuzzy lop - corpus minimization tool
 # ---------------------------------------------
 #
-# Written and maintained by Michal Zalewski <lcamtuf@google.com>
+# Written by Michal Zalewski
 #
 # Copyright 2014, 2015 Google Inc. All rights reserved.
 #
@@ -36,7 +36,7 @@
 # array sizes.
 #
 
-echo "corpus minimization tool for afl-fuzz by <lcamtuf@google.com>"
+echo "corpus minimization tool for afl-fuzz by Michal Zalewski"
 echo
 
 #########
@@ -51,10 +51,13 @@ TIMEOUT=none
 unset IN_DIR OUT_DIR STDIN_FILE EXTRA_PAR MEM_LIMIT_GIVEN \
   AFL_CMIN_CRASHES_ONLY AFL_CMIN_ALLOW_ANY QEMU_MODE UNICORN_MODE
 
-while getopts "+i:o:f:m:t:eQUC" opt; do
+while getopts "+i:o:f:m:t:eQUCh" opt; do
 
   case "$opt" in 
 
+    "h")
+	;;
+
     "i")
          IN_DIR="$OPTARG"
          ;;

afl-common.c

@@ -1,69 +0,0 @@
-/*
- gather some functions common to multiple executables
-
- detect_file_args
- */
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <strings.h>
-
-#include "debug.h"
-#include "alloc-inl.h"
-
-/* Detect @@ in args. */
-#ifndef __glibc__
-#include <unistd.h>
-#endif
-void detect_file_args(char** argv, u8* prog_in) {
-
-  u32 i = 0;
-#ifdef __GLIBC__
-  u8* cwd = getcwd(NULL, 0); /* non portable glibc extension */
-#else
-  u8* cwd;
-  char *buf;
-  long size = pathconf(".", _PC_PATH_MAX);
-  if ((buf = (char *)malloc((size_t)size)) != NULL) {
-    cwd = getcwd(buf, (size_t)size); /* portable version */
-  } else {
-    PFATAL("getcwd() failed");
-  }
-#endif
-
-  if (!cwd) PFATAL("getcwd() failed");
-
-  while (argv[i]) {
-
-    u8* aa_loc = strstr(argv[i], "@@");
-
-    if (aa_loc) {
-
-      u8 *aa_subst, *n_arg;
-
-      if (!prog_in) FATAL("@@ syntax is not supported by this tool.");
-
-      /* Be sure that we're always using fully-qualified paths. */
-
-      if (prog_in[0] == '/') aa_subst = prog_in;
-      else aa_subst = alloc_printf("%s/%s", cwd, prog_in);
-
-      /* Construct a replacement argv value. */
-
-      *aa_loc = 0;
-      n_arg = alloc_printf("%s%s%s", argv[i], aa_subst, aa_loc + 2);
-      argv[i] = n_arg;
-      *aa_loc = '@';
-
-      if (prog_in[0] != '/') ck_free(aa_subst);
-
-    }
-
-    i++;
-
-  }
-
-  free(cwd); /* not tracked */
-
-}
-

afl-common.h

@@ -1,5 +0,0 @@
-#ifndef __AFLCOMMON_H
-#define __AFLCOMMON_H
-
-void detect_file_args(char **argv, u8 *prog_in);
-#endif

afl-plot

@@ -3,7 +3,7 @@
 # american fuzzy lop - Advanced Persistent Graphing
 # -------------------------------------------------
 #
-# Written and maintained by Michal Zalewski <lcamtuf@google.com>
+# Written by Michal Zalewski
 # Based on a design & prototype by Michael Rash.
 #
 # Copyright 2014, 2015 Google Inc. All rights reserved.
@@ -15,16 +15,16 @@
 #   http://www.apache.org/licenses/LICENSE-2.0
 #
 
-echo "progress plotting utility for afl-fuzz by <lcamtuf@google.com>"
+echo "progress plotting utility for afl-fuzz by Michal Zalewski"
 echo
 
 if [ ! "$#" = "2" ]; then
 
   cat 1>&2 <<_EOF_
-This program generates gnuplot images from afl-fuzz output data. Usage:
-
 $0 afl_state_dir graph_output_dir
 
+This program generates gnuplot images from afl-fuzz output data. Usage:
+
 The afl_state_dir parameter should point to an existing state directory for any
 active or stopped instance of afl-fuzz; while graph_output_dir should point to
 an empty directory where this tool can write the resulting plots to.

afl-system-config

@@ -1,9 +1,24 @@
 #!/bin/sh
+test "$1" = "-h" && {
+  echo afl-system-config by Marc Heuse
+  echo
+  echo $0
+  echo
+  echo afl-system-config has no command line options
+  echo
+  echo afl-system reconfigures the system to a high performance fuzzing state
+  echo WARNING: this reduces the security of the system
+  echo
+  exit 1
+}
+
+PLATFORM=`uname -s`
 echo This reconfigures the system to have a better fuzzing performance
 if [ '!' "$EUID" = 0 ] && [ '!' `id -u` = 0 ] ; then
 	echo Error you need to be root to run this
 	exit 1
 fi
+if [ "$PLATFORM" = "Linux" ] ; then
 sysctl -w kernel.core_pattern=core
 sysctl -w kernel.randomize_va_space=0
 sysctl -w kernel.sched_child_runs_first=1
@@ -19,5 +34,33 @@ test -e /sys/devices/system/cpu/cpufreq/boost && echo 1 > /sys/devices/system/cp
 echo
 echo It is recommended to boot the kernel with lots of security off - if you are running a machine that is in a secured network - so set this:
 echo '/etc/default/grub:GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=off l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs nopcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off"'
+fi
+if [ "$PLATFORM" = "FreeBSD" ] ; then
+sysctl kern.elf32.aslr.enable=0
+sysctl kern.elf64.aslr.enable=0
+echo
+echo It is recommended to boot the kernel with lots of security off - if you are running a machine that is in a secured network - so set this:
+echo 'sysctl hw.ibrs_disable=1'
+echo
+echo 'Setting kern.pmap.pg_ps_enabled=0 into /boot/loader.conf might be helpful too.'
+fi
+if [ "$PLATFORM" = "OpenBSD" ] ; then
+echo
+echo 'System security features cannot be disabled on OpenBSD.'
+fi
+if [ "$PLATFORM" = "NetBSD" ] ; then
+echo
+echo It is recommended to enable unprivileged users to set cpu affinity
+echo to be able to use afl-gotcpu meaningfully.
+/sbin/sysctl -w security.models.extensions.user_set_cpu_affinity=1
+fi
+if [ "$PLATFORM" = "Darwin" ] ; then
+  if [ $(launchctl list 2>/dev/null | grep -q '\.ReportCrash$') ] ; then
+echo We unload the default crash reporter here
+SL=/System/Library; PL=com.apple.ReportCrash
+launchctl unload -w ${SL}/LaunchAgents/${PL}.plist
+sudo launchctl unload -w ${SL}/LaunchDaemons/${PL}.Root.plist
+  fi
+fi
 echo
 echo Also use AFL_TMPDIR to use a tmpfs for the input file

afl-whatsup

@@ -3,7 +3,7 @@
 # american fuzzy lop - status check tool
 # --------------------------------------
 #
-# Written and maintained by Michal Zalewski <lcamtuf@google.com>
+# Written by Michal Zalewski
 #
 # Copyright 2015 Google Inc. All rights reserved.
 #
@@ -17,8 +17,15 @@
 # instances of afl-fuzz.
 #
 
-echo "status check tool for afl-fuzz by <lcamtuf@google.com>"
+echo "status check tool for afl-fuzz by Michal Zalewski"
 echo
+test "$1" = "-h" && {
+  echo $0
+  echo
+  echo afl-whatsup has no command line options
+  echo
+  exit 1
+}
 
 if [ "$1" = "-s" ]; then
 
@@ -54,7 +61,7 @@ fi
 
 CUR_TIME=`date +%s`
 
-TMP=`mktemp -t .afl-whatsup-XXXXXXXX` || exit 1
+TMP=`mktemp -t .afl-whatsup-XXXXXXXX` || TMP=`mktemp -p /data/local/tmp .afl-whatsup-XXXXXXXX` || TMP=`mktemp -p /data/local/tmp .afl-whatsup-XXXXXXXX` || exit 1
 
 ALIVE_CNT=0
 DEAD_CNT=0

afl-wine-trace

@@ -0,0 +1,75 @@
+#!/usr/bin/env python3
+
+import os
+import sys
+import pefile
+import shutil
+import subprocess
+
+if len(sys.argv) < 2:
+    print("[afl-wine-trace] usage: ./afl-wine-trace binary [args...]\n")
+    exit(1)
+
+if os.getenv("AFL_PATH"):
+    my_dir = os.getenv("AFL_PATH")
+else:
+    my_dir = os.path.dirname(os.path.abspath(__file__))
+
+os.environ["WINELOADERNOEXEC"] = "1"
+
+pe = pefile.PE(sys.argv[1])
+
+if "AFL_ENTRYPOINT" not in os.environ:
+    os.environ["AFL_ENTRYPOINT"] = "0x%x" % (pe.OPTIONAL_HEADER.ImageBase + pe.OPTIONAL_HEADER.AddressOfEntryPoint)
+if not os.getenv("AFL_INST_LIBS"):
+    if "AFL_CODE_START" not in os.environ:
+        os.environ["AFL_CODE_START"] = "0x%x" % (pe.OPTIONAL_HEADER.ImageBase + pe.OPTIONAL_HEADER.BaseOfCode)
+    if "AFL_CODE_END" not in os.environ:
+        os.environ["AFL_CODE_END"] = "0x%x" % (pe.OPTIONAL_HEADER.ImageBase + pe.OPTIONAL_HEADER.BaseOfCode + pe.OPTIONAL_HEADER.SizeOfCode)
+
+if pe.FILE_HEADER.Machine == pefile.MACHINE_TYPE["IMAGE_FILE_MACHINE_AMD64"] or pe.FILE_HEADER.Machine == pefile.MACHINE_TYPE["IMAGE_FILE_MACHINE_IA64"]:
+    os.environ["LD_PRELOAD"] = os.path.join(my_dir, "qemu_mode/unsigaction/unsigaction64.so")
+else:
+    os.environ["LD_PRELOAD"] = os.path.join(my_dir, "qemu_mode/unsigaction/unsigaction32.so")
+
+if os.getenv("WINECOV_QEMU_PATH"):
+    qemu_path = os.getenv("WINECOV_QEMU_PATH")
+elif os.path.exists(os.path.join(my_dir, "afl-qemu-trace")):
+    qemu_path = os.path.join(my_dir, "afl-qemu-trace")
+else:
+    qemu_path = "qemu-"
+    if pe.FILE_HEADER.Machine == pefile.MACHINE_TYPE["IMAGE_FILE_MACHINE_AMD64"] or pe.FILE_HEADER.Machine == pefile.MACHINE_TYPE["IMAGE_FILE_MACHINE_IA64"]:
+        qemu_path += "x86_64"
+    elif pe.FILE_HEADER.Machine == pefile.MACHINE_TYPE["IMAGE_FILE_MACHINE_I386"]:
+        qemu_path += "i386"
+    else:
+        print ("[afl-wine-trace] unsuppoted architecture\n")
+        exit(1)
+    qemu_path = shutil.which(qemu_path)
+
+wine_path = None
+if os.getenv("AFL_WINE_PATH"):
+    wine_path = os.getenv("AFL_WINE_PATH")
+else:
+    if not wine_path and shutil.which("wine"):
+        wine_path = shutil.which("wine")
+    if not wine_path and os.path.exists("/usr/bin/wine"):
+        wine_path = "/usr/bin/wine"
+    if not wine_path and os.path.exists("/usr/lib/wine/wine"):
+        wine_path = "/usr/lib/wine/wine"
+    if pe.FILE_HEADER.Machine == pefile.MACHINE_TYPE["IMAGE_FILE_MACHINE_AMD64"] or pe.FILE_HEADER.Machine == pefile.MACHINE_TYPE["IMAGE_FILE_MACHINE_IA64"]:
+        wine_path += "64"
+    elif pe.FILE_HEADER.Machine == pefile.MACHINE_TYPE["IMAGE_FILE_MACHINE_I386"]:
+        pass
+    else:
+        print ("[afl-wine-trace] unsopported architecture\n")
+        exit(1)
+
+argv = sys.argv[1:]
+for i in range(len(argv)):
+    if ".cur_input" in argv[i]:
+        argv[i] = subprocess.run([os.path.join(os.path.dirname(wine_path), "winepath"), "--windows", argv[i]], universal_newlines=True, stdout=subprocess.PIPE).stdout
+        break
+
+print("[afl-wine-trace] exec:", " ".join([qemu_path, wine_path] + argv))
+os.execve(qemu_path, [qemu_path, wine_path] + argv, os.environ)

config.h

@@ -1,359 +0,0 @@
-/*
-   american fuzzy lop plus plus - vaguely configurable bits
-   ----------------------------------------------
-
-   Written and maintained by Michal Zalewski <lcamtuf@google.com>
-
-   Copyright 2013, 2014, 2015, 2016 Google Inc. All rights reserved.
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at:
-
-     http://www.apache.org/licenses/LICENSE-2.0
-
- */
-
-#ifndef _HAVE_CONFIG_H
-#define _HAVE_CONFIG_H
-
-#include "types.h"
-
-/* Version string: */
-
-#define VERSION             "++2.53c"
-
-/******************************************************
- *                                                    *
- *  Settings that may be of interest to power users:  *
- *                                                    *
- ******************************************************/
-
-/* Comment out to disable terminal colors (note that this makes afl-analyze
-   a lot less nice): */
-
-#define USE_COLOR
-
-/* Comment out to disable fancy ANSI boxes and use poor man's 7-bit UI: */
-
-#define FANCY_BOXES
-
-/* Default timeout for fuzzed code (milliseconds). This is the upper bound,
-   also used for detecting hangs; the actual value is auto-scaled: */
-
-#define EXEC_TIMEOUT        1000
-
-/* Timeout rounding factor when auto-scaling (milliseconds): */
-
-#define EXEC_TM_ROUND       20
-
-/* Default memory limit for child process (MB): */
-
-#ifndef __x86_64__ 
-#  define MEM_LIMIT         25
-#else
-#  define MEM_LIMIT         50
-#endif /* ^!__x86_64__ */
-
-/* Default memory limit when running in QEMU mode (MB): */
-
-#define MEM_LIMIT_QEMU      200
-
-/* Default memory limit when running in Unicorn mode (MB): */
-
-#define MEM_LIMIT_UNICORN   200
-
-/* Number of calibration cycles per every new test case (and for test
-   cases that show variable behavior): */
-
-#define CAL_CYCLES          8
-#define CAL_CYCLES_LONG     40
-
-/* Number of subsequent timeouts before abandoning an input file: */
-
-#define TMOUT_LIMIT         250
-
-/* Maximum number of unique hangs or crashes to record: */
-
-#define KEEP_UNIQUE_HANG    500
-#define KEEP_UNIQUE_CRASH   5000
-
-/* Baseline number of random tweaks during a single 'havoc' stage: */
-
-#define HAVOC_CYCLES        256
-#define HAVOC_CYCLES_INIT   1024
-
-/* Maximum multiplier for the above (should be a power of two, beware
-   of 32-bit int overflows): */
-
-#define HAVOC_MAX_MULT      16
-#define HAVOC_MAX_MULT_MOPT 32
-
-/* Absolute minimum number of havoc cycles (after all adjustments): */
-
-#define HAVOC_MIN           16
-
-/* Power Schedule Divisor */
-#define POWER_BETA          1
-#define MAX_FACTOR          (POWER_BETA * 32)
-
-/* Maximum stacking for havoc-stage tweaks. The actual value is calculated
-   like this: 
-
-   n = random between 1 and HAVOC_STACK_POW2
-   stacking = 2^n
-
-   In other words, the default (n = 7) produces 2, 4, 8, 16, 32, 64, or
-   128 stacked tweaks: */
-
-#define HAVOC_STACK_POW2    7
-
-/* Caps on block sizes for cloning and deletion operations. Each of these
-   ranges has a 33% probability of getting picked, except for the first
-   two cycles where smaller blocks are favored: */
-
-#define HAVOC_BLK_SMALL     32
-#define HAVOC_BLK_MEDIUM    128
-#define HAVOC_BLK_LARGE     1500
-
-/* Extra-large blocks, selected very rarely (<5% of the time): */
-
-#define HAVOC_BLK_XL        32768
-
-/* Probabilities of skipping non-favored entries in the queue, expressed as
-   percentages: */
-
-#define SKIP_TO_NEW_PROB    99 /* ...when there are new, pending favorites */
-#define SKIP_NFAV_OLD_PROB  95 /* ...no new favs, cur entry already fuzzed */
-#define SKIP_NFAV_NEW_PROB  75 /* ...no new favs, cur entry not fuzzed yet */
-
-/* Splicing cycle count: */
-
-#define SPLICE_CYCLES       15
-
-/* Nominal per-splice havoc cycle length: */
-
-#define SPLICE_HAVOC        32
-
-/* Maximum offset for integer addition / subtraction stages: */
-
-#define ARITH_MAX           35
-
-/* Limits for the test case trimmer. The absolute minimum chunk size; and
-   the starting and ending divisors for chopping up the input file: */
-
-#define TRIM_MIN_BYTES      4
-#define TRIM_START_STEPS    16
-#define TRIM_END_STEPS      1024
-
-/* Maximum size of input file, in bytes (keep under 100MB): */
-
-#define MAX_FILE            (1 * 1024 * 1024)
-
-/* The same, for the test case minimizer: */
-
-#define TMIN_MAX_FILE       (10 * 1024 * 1024)
-
-/* Block normalization steps for afl-tmin: */
-
-#define TMIN_SET_MIN_SIZE   4
-#define TMIN_SET_STEPS      128
-
-/* Maximum dictionary token size (-x), in bytes: */
-
-#define MAX_DICT_FILE       128
-
-/* Length limits for auto-detected dictionary tokens: */
-
-#define MIN_AUTO_EXTRA      3
-#define MAX_AUTO_EXTRA      32
-
-/* Maximum number of user-specified dictionary tokens to use in deterministic
-   steps; past this point, the "extras/user" step will be still carried out,
-   but with proportionally lower odds: */
-
-#define MAX_DET_EXTRAS      200
-
-/* Maximum number of auto-extracted dictionary tokens to actually use in fuzzing
-   (first value), and to keep in memory as candidates. The latter should be much
-   higher than the former. */
-
-#define USE_AUTO_EXTRAS     50
-#define MAX_AUTO_EXTRAS     (USE_AUTO_EXTRAS * 10)
-
-/* Scaling factor for the effector map used to skip some of the more
-   expensive deterministic steps. The actual divisor is set to
-   2^EFF_MAP_SCALE2 bytes: */
-
-#define EFF_MAP_SCALE2      3
-
-/* Minimum input file length at which the effector logic kicks in: */
-
-#define EFF_MIN_LEN         128
-
-/* Maximum effector density past which everything is just fuzzed
-   unconditionally (%): */
-
-#define EFF_MAX_PERC        90
-
-/* UI refresh frequency (Hz): */
-
-#define UI_TARGET_HZ        5
-
-/* Fuzzer stats file and plot update intervals (sec): */
-
-#define STATS_UPDATE_SEC    60
-#define PLOT_UPDATE_SEC     5
-
-/* Smoothing divisor for CPU load and exec speed stats (1 - no smoothing). */
-
-#define AVG_SMOOTHING       16
-
-/* Sync interval (every n havoc cycles): */
-
-#define SYNC_INTERVAL       5
-
-/* Output directory reuse grace period (minutes): */
-
-#define OUTPUT_GRACE        25
-
-/* Uncomment to use simple file names (id_NNNNNN): */
-
-// #define SIMPLE_FILES
-
-/* List of interesting values to use in fuzzing. */
-
-#define INTERESTING_8 \
-  -128,          /* Overflow signed 8-bit when decremented  */ \
-  -1,            /*                                         */ \
-   0,            /*                                         */ \
-   1,            /*                                         */ \
-   16,           /* One-off with common buffer size         */ \
-   32,           /* One-off with common buffer size         */ \
-   64,           /* One-off with common buffer size         */ \
-   100,          /* One-off with common buffer size         */ \
-   127           /* Overflow signed 8-bit when incremented  */
-
-#define INTERESTING_16 \
-  -32768,        /* Overflow signed 16-bit when decremented */ \
-  -129,          /* Overflow signed 8-bit                   */ \
-   128,          /* Overflow signed 8-bit                   */ \
-   255,          /* Overflow unsig 8-bit when incremented   */ \
-   256,          /* Overflow unsig 8-bit                    */ \
-   512,          /* One-off with common buffer size         */ \
-   1000,         /* One-off with common buffer size         */ \
-   1024,         /* One-off with common buffer size         */ \
-   4096,         /* One-off with common buffer size         */ \
-   32767         /* Overflow signed 16-bit when incremented */
-
-#define INTERESTING_32 \
-  -2147483648LL, /* Overflow signed 32-bit when decremented */ \
-  -100663046,    /* Large negative number (endian-agnostic) */ \
-  -32769,        /* Overflow signed 16-bit                  */ \
-   32768,        /* Overflow signed 16-bit                  */ \
-   65535,        /* Overflow unsig 16-bit when incremented  */ \
-   65536,        /* Overflow unsig 16 bit                   */ \
-   100663045,    /* Large positive number (endian-agnostic) */ \
-   2147483647    /* Overflow signed 32-bit when incremented */
-
-/***********************************************************
- *                                                         *
- *  Really exotic stuff you probably don't want to touch:  *
- *                                                         *
- ***********************************************************/
-
-/* Call count interval between reseeding the libc PRNG from /dev/urandom: */
-
-#define RESEED_RNG          10000
-
-/* Maximum line length passed from GCC to 'as' and used for parsing
-   configuration files: */
-
-#define MAX_LINE            8192
-
-/* Environment variable used to pass SHM ID to the called program. */
-
-#define SHM_ENV_VAR         "__AFL_SHM_ID"
-
-/* Other less interesting, internal-only variables. */
-
-#define CLANG_ENV_VAR       "__AFL_CLANG_MODE"
-#define AS_LOOP_ENV_VAR     "__AFL_AS_LOOPCHECK"
-#define PERSIST_ENV_VAR     "__AFL_PERSISTENT"
-#define DEFER_ENV_VAR       "__AFL_DEFER_FORKSRV"
-
-/* In-code signatures for deferred and persistent mode. */
-
-#define PERSIST_SIG         "##SIG_AFL_PERSISTENT##"
-#define DEFER_SIG           "##SIG_AFL_DEFER_FORKSRV##"
-
-/* Distinctive bitmap signature used to indicate failed execution: */
-
-#define EXEC_FAIL_SIG       0xfee1dead
-
-/* Distinctive exit code used to indicate MSAN trip condition: */
-
-#define MSAN_ERROR          86
-
-/* Designated file descriptors for forkserver commands (the application will
-   use FORKSRV_FD and FORKSRV_FD + 1): */
-
-#define FORKSRV_FD          198
-
-/* Fork server init timeout multiplier: we'll wait the user-selected
-   timeout plus this much for the fork server to spin up. */
-
-#define FORK_WAIT_MULT      10
-
-/* Calibration timeout adjustments, to be a bit more generous when resuming
-   fuzzing sessions or trying to calibrate already-added internal finds.
-   The first value is a percentage, the other is in milliseconds: */
-
-#define CAL_TMOUT_PERC      125
-#define CAL_TMOUT_ADD       50
-
-/* Number of chances to calibrate a case before giving up: */
-
-#define CAL_CHANCES         3
-
-/* Map size for the traced binary (2^MAP_SIZE_POW2). Must be greater than
-   2; you probably want to keep it under 18 or so for performance reasons
-   (adjusting AFL_INST_RATIO when compiling is probably a better way to solve
-   problems with complex programs). You need to recompile the target binary
-   after changing this - otherwise, SEGVs may ensue. */
-
-#define MAP_SIZE_POW2       16
-#define MAP_SIZE            (1 << MAP_SIZE_POW2)
-
-/* Maximum allocator request size (keep well under INT_MAX): */
-
-#define MAX_ALLOC           0x40000000
-
-/* A made-up hashing seed: */
-
-#define HASH_CONST          0xa5b35705
-
-/* Constants for afl-gotcpu to control busy loop timing: */
-
-#define  CTEST_TARGET_MS    5000
-#define  CTEST_CORE_TRG_MS  1000
-#define  CTEST_BUSY_CYCLES  (10 * 1000 * 1000)
-
-/* Uncomment this to use inferior block-coverage-based instrumentation. Note
-   that you need to recompile the target binary for this to have any effect: */
-
-// #define COVERAGE_ONLY
-
-/* Uncomment this to ignore hit counts and output just one bit per tuple.
-   As with the previous setting, you will need to recompile the target
-   binary: */
-
-// #define SKIP_COUNTS
-
-/* Uncomment this to use instrumentation data to record newly discovered paths,
-   but do not use them as seeds for fuzzing. This is useful for conveniently
-   measuring coverage that could be attained by a "dumb" fuzzing algorithm: */
-
-// #define IGNORE_FINDS
-
-#endif /* ! _HAVE_CONFIG_H */

config.h

@@ -0,0 +1 @@
+include/config.h

custom_mutators/README

@@ -0,0 +1,2 @@
+This is a simple example for the AFL_CUSTOM_MUTATOR_LIBRARY feature.
+For more information see docs/custom_mutator.txt

custom_mutators/simple_mutator.c

@@ -0,0 +1,49 @@
+/*
+  Simple Custom Mutator for AFL
+
+  Written by Khaled Yakdan <yakdan@code-intelligence.de>
+
+  This a simple mutator that assumes that the generates messages starting with
+  one of the three strings GET, PUT, or DEL followed by a payload. The mutator
+  randomly selects a commend and mutates the payload of the seed provided as
+  input.
+*/
+
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+
+static const char *commands[] = {
+
+    "GET",
+    "PUT",
+    "DEL",
+
+};
+
+static size_t data_size = 100;
+
+size_t afl_custom_mutator(uint8_t *data, size_t size, uint8_t *mutated_out,
+                          size_t max_size, unsigned int seed) {
+
+  // Seed the PRNG
+  srand(seed);
+
+  // Make sure that the packet size does not exceed the maximum size expected by
+  // the fuzzer
+  size_t mutated_size = data_size <= max_size ? data_size : max_size;
+
+  // Randomly select a command string to add as a header to the packet
+  memcpy(mutated_out, commands[rand() % 3], 3);
+
+  // Mutate the payload of the packet
+  for (int i = 3; i < mutated_size; i++) {
+
+    mutated_out[i] = (data[i] + rand() % 10) & 0xff;
+
+  }
+
+  return mutated_size;
+
+}
+

debug.h

@@ -1,251 +0,0 @@
-/*
-   american fuzzy lop - debug / error handling macros
-   --------------------------------------------------
-
-   Written and maintained by Michal Zalewski <lcamtuf@google.com>
-
-   Copyright 2013, 2014, 2015, 2016 Google Inc. All rights reserved.
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at:
-
-     http://www.apache.org/licenses/LICENSE-2.0
-
- */
-
-#ifndef _HAVE_DEBUG_H
-#define _HAVE_DEBUG_H
-
-#include <errno.h>
-
-#include "types.h"
-#include "config.h"
-
-/*******************
- * Terminal colors *
- *******************/
-
-#ifdef USE_COLOR
-
-#  define cBLK "\x1b[0;30m"
-#  define cRED "\x1b[0;31m"
-#  define cGRN "\x1b[0;32m"
-#  define cBRN "\x1b[0;33m"
-#  define cBLU "\x1b[0;34m"
-#  define cMGN "\x1b[0;35m"
-#  define cCYA "\x1b[0;36m"
-#  define cLGR "\x1b[0;37m"
-#  define cGRA "\x1b[1;90m"
-#  define cLRD "\x1b[1;91m"
-#  define cLGN "\x1b[1;92m"
-#  define cYEL "\x1b[1;93m"
-#  define cLBL "\x1b[1;94m"
-#  define cPIN "\x1b[1;95m"
-#  define cLCY "\x1b[1;96m"
-#  define cBRI "\x1b[1;97m"
-#  define cRST "\x1b[0m"
-
-#  define bgBLK "\x1b[40m"
-#  define bgRED "\x1b[41m"
-#  define bgGRN "\x1b[42m"
-#  define bgBRN "\x1b[43m"
-#  define bgBLU "\x1b[44m"
-#  define bgMGN "\x1b[45m"
-#  define bgCYA "\x1b[46m"
-#  define bgLGR "\x1b[47m"
-#  define bgGRA "\x1b[100m"
-#  define bgLRD "\x1b[101m"
-#  define bgLGN "\x1b[102m"
-#  define bgYEL "\x1b[103m"
-#  define bgLBL "\x1b[104m"
-#  define bgPIN "\x1b[105m"
-#  define bgLCY "\x1b[106m"
-#  define bgBRI "\x1b[107m"
-
-#else
-
-#  define cBLK ""
-#  define cRED ""
-#  define cGRN ""
-#  define cBRN ""
-#  define cBLU ""
-#  define cMGN ""
-#  define cCYA ""
-#  define cLGR ""
-#  define cGRA ""
-#  define cLRD ""
-#  define cLGN ""
-#  define cYEL ""
-#  define cLBL ""
-#  define cPIN ""
-#  define cLCY ""
-#  define cBRI ""
-#  define cRST ""
-
-#  define bgBLK ""
-#  define bgRED ""
-#  define bgGRN ""
-#  define bgBRN ""
-#  define bgBLU ""
-#  define bgMGN ""
-#  define bgCYA ""
-#  define bgLGR ""
-#  define bgGRA ""
-#  define bgLRD ""
-#  define bgLGN ""
-#  define bgYEL ""
-#  define bgLBL ""
-#  define bgPIN ""
-#  define bgLCY ""
-#  define bgBRI ""
-
-#endif /* ^USE_COLOR */
-
-/*************************
- * Box drawing sequences *
- *************************/
-
-#ifdef FANCY_BOXES
-
-#  define SET_G1   "\x1b)0"       /* Set G1 for box drawing    */
-#  define RESET_G1 "\x1b)B"       /* Reset G1 to ASCII         */
-#  define bSTART   "\x0e"         /* Enter G1 drawing mode     */
-#  define bSTOP    "\x0f"         /* Leave G1 drawing mode     */
-#  define bH       "q"            /* Horizontal line           */
-#  define bV       "x"            /* Vertical line             */
-#  define bLT      "l"            /* Left top corner           */
-#  define bRT      "k"            /* Right top corner          */
-#  define bLB      "m"            /* Left bottom corner        */
-#  define bRB      "j"            /* Right bottom corner       */
-#  define bX       "n"            /* Cross                     */
-#  define bVR      "t"            /* Vertical, branch right    */
-#  define bVL      "u"            /* Vertical, branch left     */
-#  define bHT      "v"            /* Horizontal, branch top    */
-#  define bHB      "w"            /* Horizontal, branch bottom */
-
-#else
-
-#  define SET_G1   ""
-#  define RESET_G1 ""
-#  define bSTART   ""
-#  define bSTOP    ""
-#  define bH       "-"
-#  define bV       "|"
-#  define bLT      "+"
-#  define bRT      "+"
-#  define bLB      "+"
-#  define bRB      "+"
-#  define bX       "+"
-#  define bVR      "+"
-#  define bVL      "+"
-#  define bHT      "+"
-#  define bHB      "+"
-
-#endif /* ^FANCY_BOXES */
-
-/***********************
- * Misc terminal codes *
- ***********************/
-
-#define TERM_HOME     "\x1b[H"
-#define TERM_CLEAR    TERM_HOME "\x1b[2J"
-#define cEOL          "\x1b[0K"
-#define CURSOR_HIDE   "\x1b[?25l"
-#define CURSOR_SHOW   "\x1b[?25h"
-
-/************************
- * Debug & error macros *
- ************************/
-
-/* Just print stuff to the appropriate stream. */
-
-#ifdef MESSAGES_TO_STDOUT
-#  define SAYF(x...)    printf(x)
-#else 
-#  define SAYF(x...)    fprintf(stderr, x)
-#endif /* ^MESSAGES_TO_STDOUT */
-
-/* Show a prefixed warning. */
-
-#define WARNF(x...) do { \
-    SAYF(cYEL "[!] " cBRI "WARNING: " cRST x); \
-    SAYF(cRST "\n"); \
-  } while (0)
-
-/* Show a prefixed "doing something" message. */
-
-#define ACTF(x...) do { \
-    SAYF(cLBL "[*] " cRST x); \
-    SAYF(cRST "\n"); \
-  } while (0)
-
-/* Show a prefixed "success" message. */
-
-#define OKF(x...) do { \
-    SAYF(cLGN "[+] " cRST x); \
-    SAYF(cRST "\n"); \
-  } while (0)
-
-/* Show a prefixed fatal error message (not used in afl). */
-
-#define BADF(x...) do { \
-    SAYF(cLRD "\n[-] " cRST x); \
-    SAYF(cRST "\n"); \
-  } while (0)
-
-/* Die with a verbose non-OS fatal error message. */
-
-#define FATAL(x...) do { \
-    SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD "\n[-] PROGRAM ABORT : " \
-         cBRI x); \
-    SAYF(cLRD "\n         Location : " cRST "%s(), %s:%u\n\n", \
-         __FUNCTION__, __FILE__, __LINE__); \
-    exit(1); \
-  } while (0)
-
-/* Die by calling abort() to provide a core dump. */
-
-#define ABORT(x...) do { \
-    SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD "\n[-] PROGRAM ABORT : " \
-         cBRI x); \
-    SAYF(cLRD "\n    Stop location : " cRST "%s(), %s:%u\n\n", \
-         __FUNCTION__, __FILE__, __LINE__); \
-    abort(); \
-  } while (0)
-
-/* Die while also including the output of perror(). */
-
-#define PFATAL(x...) do { \
-    fflush(stdout); \
-    SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD "\n[-]  SYSTEM ERROR : " \
-         cBRI x); \
-    SAYF(cLRD "\n    Stop location : " cRST "%s(), %s:%u\n", \
-         __FUNCTION__, __FILE__, __LINE__); \
-    SAYF(cLRD "       OS message : " cRST "%s\n", strerror(errno)); \
-    exit(1); \
-  } while (0)
-
-/* Die with FAULT() or PFAULT() depending on the value of res (used to
-   interpret different failure modes for read(), write(), etc). */
-
-#define RPFATAL(res, x...) do { \
-    if (res < 0) PFATAL(x); else FATAL(x); \
-  } while (0)
-
-/* Error-checking versions of read() and write() that call RPFATAL() as
-   appropriate. */
-
-#define ck_write(fd, buf, len, fn) do { \
-    u32 _len = (len); \
-    s32 _res = write(fd, buf, _len); \
-    if (_res != _len) RPFATAL(_res, "Short write to %s", fn); \
-  } while (0)
-
-#define ck_read(fd, buf, len, fn) do { \
-    u32 _len = (len); \
-    s32 _res = read(fd, buf, _len); \
-    if (_res != _len) RPFATAL(_res, "Short read from %s", fn); \
-  } while (0)
-
-#endif /* ! _HAVE_DEBUG_H */

dictionaries/README.md

@@ -1,19 +1,17 @@
-================
-AFL dictionaries
-================
+# AFL dictionaries
 
-  (See ../docs/README for the general instruction manual.)
+(See [../docs/README.md](../docs/README.md) for the general instruction manual.)
 
 This subdirectory contains a set of dictionaries that can be used in
 conjunction with the -x option to allow the fuzzer to effortlessly explore the
 grammar of some of the more verbose data formats or languages. The basic
-principle behind the operation of fuzzer dictionaries is outlined in section 9
-of the "main" README for the project.
+principle behind the operation of fuzzer dictionaries is outlined in section 10
+of the "main" README.md for the project.
 
 Custom dictionaries can be added at will. They should consist of a
 reasonably-sized set of rudimentary syntax units that the fuzzer will then try
-to clobber together in various ways. Snippets between 2 and 16 bytes are usually
-the sweet spot.
+to clobber together in various ways. Snippets between 2 and 16 bytes are
+usually the sweet spot.
 
 Custom dictionaries can be created in two ways:
 
@@ -32,12 +30,12 @@ parameter is a file or a directory.
 
 In the file mode, every name field can be optionally followed by @<num>, e.g.:
 
-  keyword_foo@1 = "foo"
+  `keyword_foo@1 = "foo"`
 
 Such entries will be loaded only if the requested dictionary level is equal or
 higher than this number. The default level is zero; a higher value can be set
 by appending @<num> to the dictionary file name, like so:
 
-  -x path/to/dictionary.dct@2
+  `-x path/to/dictionary.dct@2`
 
 Good examples of dictionaries can be found in xml.dict and png.dict.

dictionaries/gif.dict

@@ -2,7 +2,7 @@
 # AFL dictionary for GIF images
 # -----------------------------
 #
-# Created by Michal Zalewski <lcamtuf@google.com>
+# Created by Michal Zalewski
 #
 
 header_87a="87a"

dictionaries/html_tags.dict

@@ -5,7 +5,7 @@
 # A basic collection of HTML tags likely to matter to HTML parsers. Does *not*
 # include any attributes or attribute values.
 #
-# Created by Michal Zalewski <lcamtuf@google.com>
+# Created by Michal Zalewski
 #
 
 tag_a="<a>"

dictionaries/jpeg.dict

@@ -2,7 +2,7 @@
 # AFL dictionary for JPEG images
 # ------------------------------
 #
-# Created by Michal Zalewski <lcamtuf@google.com>
+# Created by Michal Zalewski
 #
 
 header_jfif="JFIF\x00"

dictionaries/js.dict

@@ -4,7 +4,7 @@
 #
 # Contains basic reserved keywords and syntax building blocks.
 #
-# Created by Michal Zalewski <lcamtuf@google.com>
+# Created by Michal Zalewski
 #
 
 keyword_arguments="arguments"

dictionaries/png.dict

@@ -5,7 +5,7 @@
 # Just the basic, standard-originating sections; does not include vendor
 # extensions.
 #
-# Created by Michal Zalewski <lcamtuf@google.com>
+# Created by Michal Zalewski
 #
 
 header_png="\x89PNG\x0d\x0a\x1a\x0a"

dictionaries/regexp.dict

@@ -0,0 +1,596 @@
+#
+# AFL dictionary for regex
+# --------------------------
+#
+# Contains various regular expressions.
+#
+# Created by Yang Guo <yangguo@chromium.org>
+#
+# Contributed by Dhiraj Mishra <dhiraj@inputzero.io>
+#
+"?"
+"abc"
+"()"
+"[]"
+"abc|def"
+"abc|def|ghi"
+"^xxx$"
+"ab\\b\\d\\bcd"
+"\\w|\\d"
+"a*?"
+"abc+"
+"abc+?"
+"xyz?"
+"xyz??"
+"xyz{0,1}"
+"xyz{0,1}?"
+"xyz{93}"
+"xyz{1,32}"
+"xyz{1,32}?"
+"xyz{1,}"
+"xyz{1,}?"
+"a\\fb\\nc\\rd\\te\\vf"
+"a\\nb\\bc"
+"(?:foo)"
+"(?: foo )"
+"foo|(bar|baz)|quux"
+"foo(?=bar)baz"
+"foo(?!bar)baz"
+"foo(?<=bar)baz"
+"foo(?<!bar)baz"
+"()"
+"(?=)"
+"[]"
+"[x]"
+"[xyz]"
+"[a-zA-Z0-9]"
+"[-123]"
+"[^123]"
+"]"
+"}"
+"[a-b-c]"
+"[x\\dz]"
+"[\\d-z]"
+"[\\d-\\d]"
+"[z-\\d]"
+"\\cj\\cJ\\ci\\cI\\ck\\cK"
+"\\c!"
+"\\c_"
+"\\c~"
+"[\\c!]"
+"[\\c_]"
+"[\\c~]"
+"[\\ca]"
+"[\\cz]"
+"[\\cA]"
+"[\\cZ]"
+"[\\c1]"
+"\\[\\]\\{\\}\\(\\)\\%\\^\\#\\ "
+"[\\[\\]\\{\\}\\(\\)\\%\\^\\#\\ ]"
+"\\8"
+"\\9"
+"\\11"
+"\\11a"
+"\\011"
+"\\118"
+"\\111"
+"\\1111"
+"(x)(x)(x)\\1"
+"(x)(x)(x)\\2"
+"(x)(x)(x)\\3"
+"(x)(x)(x)\\4"
+"(x)(x)(x)\\1*"
+"(x)(x)(x)\\3*"
+"(x)(x)(x)\\4*"
+"(x)(x)(x)(x)(x)(x)(x)(x)(x)(x)\\10"
+"(x)(x)(x)(x)(x)(x)(x)(x)(x)(x)\\11"
+"(a)\\1"
+"(a\\1)"
+"(\\1a)"
+"(\\2)(\\1)"
+"(?=a){0,10}a"
+"(?=a){1,10}a"
+"(?=a){9,10}a"
+"(?!a)?a"
+"\\1(a)"
+"(?!(a))\\1"
+"(?!\\1(a\\1)\\1)\\1"
+"\\1\\2(a(?:\\1(b\\1\\2))\\2)\\1"
+"[\\0]"
+"[\\11]"
+"[\\11a]"
+"[\\011]"
+"[\\00011]"
+"[\\118]"
+"[\\111]"
+"[\\1111]"
+"\\x60"
+"\\x3z"
+"\\c"
+"\\u0034"
+"\\u003z"
+"foo[z]*"
+"\\u{12345}"
+"\\u{12345}\\u{23456}"
+"\\u{12345}{3}"
+"\\u{12345}*"
+"\\ud808\\udf45*"
+"[\\ud808\\udf45-\\ud809\\udccc]"
+"a"
+"a|b"
+"a\\n"
+"a$"
+"a\\b!"
+"a\\Bb"
+"a*?"
+"a?"
+"a??"
+"a{0,1}?"
+"a{1,2}?"
+"a+?"
+"(a)"
+"(a)\\1"
+"(\\1a)"
+"\\1(a)"
+"a\\s"
+"a\\S"
+"a\\D"
+"a\\w"
+"a\\W"
+"a."
+"a\\q"
+"a[a]"
+"a[^a]"
+"a[a-z]"
+"a(?:b)"
+"a(?=b)"
+"a(?!b)"
+"\\x60"
+"\\u0060"
+"\\cA"
+"\\q"
+"\\1112"
+"(a)\\1"
+"(?!a)?a\\1"
+"(?:(?=a))a\\1"
+"a{}"
+"a{,}"
+"a{"
+"a{z}"
+"a{12z}"
+"a{12,"
+"a{12,3b"
+"{}"
+"{,}"
+"{"
+"{z}"
+"{1z}"
+"{12,"
+"{12,3b"
+"a"
+"abc"
+"a[bc]d"
+"a|bc"
+"ab|c"
+"a||bc"
+"(?:ab)"
+"(?:ab|cde)"
+"(?:ab)|cde"
+"(ab)"
+"(ab|cde)"
+"(ab)\\1"
+"(ab|cde)\\1"
+"(?:ab)?"
+"(?:ab)+"
+"a?"
+"a+"
+"a??"
+"a*?"
+"a+?"
+"(?:a?)?"
+"(?:a+)?"
+"(?:a?)+"
+"(?:a*)+"
+"(?:a+)+"
+"(?:a?)*"
+"(?:a*)*"
+"(?:a+)*"
+"a{0}"
+"(?:a+){0,0}"
+"a*b"
+"a+b"
+"a*b|c"
+"a+b|c"
+"(?:a{5,1000000}){3,1000000}"
+"(?:ab){4,7}"
+"a\\bc"
+"a\\sc"
+"a\\Sc"
+"a(?=b)c"
+"a(?=bbb|bb)c"
+"a(?!bbb|bb)c"
+"\xe2\x81\xa3"
+"[\xe2\x81\xa3]"
+"\xed\xb0\x80"
+"\xed\xa0\x80"
+"(\xed\xb0\x80)\x01"
+"((\xed\xa0\x80))\x02"
+"\xf0\x9f\x92\xa9"
+"\x01"
+"\x0f"
+"[-\xf0\x9f\x92\xa9]+"
+"[\xf0\x9f\x92\xa9-\xf4\x8f\xbf\xbf]"
+"(?<=)"
+"(?<=a)"
+"(?<!)"
+"(?<!a)"
+"(?<a>)"
+"(?<a>.)"
+"(?<a>.)\\k<a>"
+"\\p{Script=Greek}"
+"\\P{sc=Greek}"
+"\\p{Script_Extensions=Greek}"
+"\\P{scx=Greek}"
+"\\p{General_Category=Decimal_Number}"
+"\\P{gc=Decimal_Number}"
+"\\p{gc=Nd}"
+"\\P{Decimal_Number}"
+"\\p{Nd}"
+"\\P{Any}"
+"\\p{Changes_When_NFKC_Casefolded}"
+"L~"
+"P{scx=Greek}??"
+"Q~"
+"R??"
+"R!??oo(E=?ar)baz-"
+"Sc?Sc{?{?"
+"U~"
+"V~"
+"W~"
+"Xdtc"
+"X~"
+"X?"
+"[-123],}"
+"[-????]+,}"
+"[00011],}"
+"[011],}"
+"[0],}"
+"[1111],}"
+"[111],}"
+"[118],}"
+"[11],}"
+"[11a],}"
+"[[]{}()%^# ],}"
+"[]"
+"[],}"
+"[]{}()%^# ,}"
+"[^123],}"
+"[a-b-c],}"
+"[a-zA-Z0-9],}"
+"[b"
+"[bfoo(?!bar)baz"
+"[c!],}"
+"[c1],}"
+"[cA],}"
+"[cZ],}"
+"[c_],}"
+"[ca],}"
+"[cz],}"
+"[c~],}"
+"[c~]w"
+"[d-d],}"
+"[d-z],}"
+"[u???[11<([c?]?:u??<a>)dccc]"
+"[ud808udf45-ud809udccc],}"
+"[x"
+"[x],}"
+"[xdz],}"
+"[xyz],}"
+"[x?"
+"[x?n4n4"
+"[x??19?"
+"[z-d],}"
+"[~?"
+"[?????"
+"[?"
+"[???],}"
+"[????-????],}"
+"[????"
+"]"
+"],}"
+"]QrC[w~]Qr"
+"]}"
+"]~"
+"^?000???????????????????????????x60?"
+"^12(a(?:1(b12))2)1dyb?9"
+"^xi!q"
+"^xxx$,}"
+"abc"
+"abc60,0}?{?"
+"aic"
+"b~"
+"c"
+"c!,}"
+"c,}"
+"cA,}"
+"c_,}"
+"cjcJcicIckcK,}"
+"c~"
+"c~,}"
+"d"
+"d?"
+"d??"
+"d(?:ab[]?9}"
+"dpN?(?<a>.)?"
+"duu{123a?"
+"d{1,9"
+"d~"
+"e"
+"e~"
+"e?}"
+"f~"
+"g~"
+"h~"
+"i~"
+"j~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xx?~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxb~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxc~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxd~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxe~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxf~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxg~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxh~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxi~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxj~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxk~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxl~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxm~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxn~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxo~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxp~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxq~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxr~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxs~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxt~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxu~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxv~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxw~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxx~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxy~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxz~"
+"k?@a??=bbC?:!k?x!k0}??@??@a(P=b@??s@xx?~"
+"k?@a??=bbC?:!k?x!k0}??@??@a(P=b@??s@xxn~"
+"k?@a??=bbC?:!k?x!k0}??@??@a(P=b@??s@xxo~"
+"k?@a??=bbC?:!k?x!k0}??@??@a(P=b@??s@xxp~"
+"k?@a??=bbC?:!k?x!k0}??@??@a(P=b@??s@xxq~"
+"k?@a??=bbC?:!k?x!k0}??@??@a(P=b@??s@xxr~"
+"k?@a??=bbC?:!k?x!k0}??@??@a(P=b@??s@xxs~"
+"k?@a??=bbC?:!k?x!k0}??@??@a(P=b@??s@xxt~"
+"k?@a??=bbC?:!k?x!k0}??@??@a(P=b@??s@xxu~"
+"k?@a??=bbC?:!k?x!k0}??@??@a(P=b@??s@xxv~"
+"k?@a??=bbC?:!k?x!k0}??@??@a(P=b@??s@xxw~"
+"k?@a??=bbC?:!k?x!k0}??@??@a(P=b@??s@xxx~"
+"k?@a??=bbC?:!k?x!k0}??@??@a(P=b@??s@xxy~"
+"k?@a??=bbC?:!k?x!k0}??@??@a(P=b@??s@xxz~"
+"k?@a(?=bbb.~"
+"k?@a(?=bbbb~"
+"k?@a(?=bbbc~"
+"k?@a(?=bbbd~"
+"k?@a(?=bbbe~"
+"k?@a(?=bbbf~"
+"k?@a(?=bbbg~"
+"k?@a(?=bbbh~"
+"k?@a(?=bbbi~"
+"k?@a(?=bbbj~"
+"k?@a(?=bbbk~"
+"k?@a(?=bbbl~"
+"k?@a(?=bbbm~"
+"k?@a(?=bbbn~"
+"k?@a(?=bbbo~"
+"k?@a(?=bbbp~"
+"k?@a(?=bbbq~"
+"k?@a(?=bbbr~"
+"k?@a(?=bbbs~"
+"k?@a(?=bbbt~"
+"k?@a(?=bbbu~"
+"k?@a(?=bbbv~"
+"k?@a(?=bbbw~"
+"k?@a(?=bbbx~"
+"k?@a(?=bbby~"
+"k?@a(?=bbbz~"
+"k?@a(?=by?bC?:!k??????????????b~"
+"k?@a(?=by?bC?:!k??????????????c~"
+"k?@a(?=by?bC?:!k??????????????d~"
+"k?@a(?=by?bC?:!k??????????????e~"
+"k?@a(?=by?bC?:!k??????????????f~"
+"k?@a(?=by?bC?:!k??????????????g~"
+"k?@a(?=by?bC?:!k??????????????h~"
+"k?@a(?=by?bC?:!k??????????????i~"
+"k?@a(?=by?bC?:!k??????????????j~"
+"k?@a(?=by?bC?:!k??????????????k~"
+"k?@a(?=by?bC?:!k??????????????l~"
+"k?@a(?=by?bC?:!k??????????????m~"
+"k?@a(?=by?bC?:!k??????????????n~"
+"k?@a(?=by?bC?:!k??????????????o~"
+"k?@a(?=by?bC?:!k??????????????p~"
+"k?@a(?=by?bC?:!k??????????????q~"
+"k?@a(?=by?bC?:!k??????????????r~"
+"k?@a(?=by?bC?:!k??????????????s~"
+"k?@a(?=by?bC?:!k??????????????t~"
+"k?@a(?=by?bC?:!k??????????????u~"
+"k?@a(?=by?bC?:!k??????????????v~"
+"k?@a(?=by?bC?:!k??????????????w~"
+"k?@a(?=by?bC?:!k??????????????x~"
+"k?@a(?=by?bC?:!k??????????????y~"
+"k?@a(?=by?bC?:!k??????????????z~"
+"k?@a(?=by?bC?:!k???????????????~"
+"k?@a(?~"
+"k?@a(b~"
+"k?@a(c~"
+"k?@a(d~"
+"k?@a(e~"
+"k?@a(f~"
+"k?@a(g~"
+"k?@a(h~"
+"k?@a(i~"
+"k?@a(j~"
+"k?@a(k~"
+"k?@a(l~"
+"k?@a(m~"
+"k?@a(n~"
+"k?@a(o~"
+"k?@a(p~"
+"k?@a(q~"
+"k?@a(r~"
+"k?@a(s~"
+"k?@a(t~"
+"k?@a(u~"
+"k?@a(v~"
+"k?@a(w~"
+"k?@a(x~"
+"k?@a(y~"
+"k?@a(z~"
+"k0X@ab~"
+"k0X@ac~"
+"k0X@ad~"
+"k0X@ae~"
+"k0X@af~"
+"k0X@ag~"
+"k0X@ah~"
+"k0X@ai~"
+"k0X@aj~"
+"k0X@ak~"
+"k0X@al~"
+"k0X@am~"
+"k0X@an~"
+"k0X@ao~"
+"k0X@ap~"
+"k0X@aq~"
+"k0X@ar~"
+"k0X@as~"
+"k0X@at~"
+"k0X@au~"
+"k0X@av~"
+"k0X@aw~"
+"k0X@ax~"
+"k0X@ay~"
+"k0X@az~"
+"k0X@a?~"
+"k~"
+"l~"
+"m~"
+"n~"
+"o~"
+"p~"
+"q,}"
+"q~"
+"r~"
+"r?[c~]"
+"s~"
+"t~"
+"u0034,}"
+"u003z,}"
+"u0060,}"
+"ud808udf45*,}"
+"u~"
+"v~"
+"w"
+"w~"
+"x3z,}"
+"x60,}"
+"xyz?9"
+"x~"
+"y~"
+"z~"
+"{"
+"{??"
+"{ ,,?"
+"{-"
+"{0,d?????!"
+"{12345}pu{234:P}?"
+"{1?5"
+"{@"
+"{M,??"
+"{M,P{scx=Greek}???sn"
+"{M,??"
+"{M,??"
+"{M,?M,??"
+"{O"
+"{r~"
+"{s~"
+"{t~"
+"{u~"
+"{v~"
+"{w~"
+"{x~"
+"{y~"
+"{z~"
+"{}"
+"{}~"
+"{??@"
+"{?~"
+"},}"
+"}}"
+"}}}}}?}!}}}}}}}}}}}}}}}}}?},}"
+"}~"
+"}?w~???"
+"~~"
+"?!~"
+"?$"
+"?*?9?nnRnnn?"
+"?.~"
+"?123222222??"
+"?:??"
+"?R"
+"?b~"
+"?c~"
+"?d~"
+"?d???"
+"?e~"
+"?f~"
+"?g~"
+"?h~"
+"?i~"
+"?j~"
+"?k~"
+"?l~"
+"?m~"
+"?n~"
+"?o~"
+"?p~"
+"?q~"
+"?r~"
+"?s~"
+"?t~"
+"?u~"
+"?v~"
+"?v~?v"
+"?w~"
+"?x~"
+"?y~"
+"?z~"
+"?}"
+"??~"
+"?????????dadi(?!bbb"
+"??~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxq~>>>>>>>>>>>>>>>>>>"
+"?f??123222222??"
+"?fP{gc=Decimal_Number}"
+"?f2jq?oo@ooooh??"
+"?[???],}f?"
+"?[???],}nbbc2jocom"
+"?[]"
+"?[],}?"
+"?[],}f?"
+"?[]f?"
+"?[]{}()%^#"
+"?[^123],}f?"
+"?[^123]nbbc2jocom"
+"?[a-b-c],}f?"
+"?[a-b-c]nbbc2jocom"
+"?[a-zA-Z0-9],}f?"
+"?[a-zA-Z0-9],}jocom"
+"?[a-zA-Z0-9]c2jocom"
+"?[bfoo(?!bar)bazcom"
+"?[bfoo(?!bar)bazf?"

dictionaries/sql.dict

@@ -11,7 +11,7 @@
 # standpoint, because they are usually not allowed in non-privileged
 # contexts).
 #
-# Created by Michal Zalewski <lcamtuf@google.com>
+# Created by Michal Zalewski
 #
 
 function_abs=" abs(1)"

dictionaries/tiff.dict

@@ -5,7 +5,7 @@
 # Just the basic, standard-originating sections; does not include vendor
 # extensions.
 #
-# Created by Michal Zalewski <lcamtuf@google.com>
+# Created by Michal Zalewski
 #
 
 header_ii="II*\x00"

dictionaries/webp.dict

@@ -2,7 +2,7 @@
 # AFL dictionary for WebP images
 # ------------------------------
 #
-# Created by Michal Zalewski <lcamtuf@google.com>
+# Created by Michal Zalewski
 #
 
 header_RIFF="RIFF"

dictionaries/xml.dict

@@ -4,7 +4,7 @@
 #
 # Several basic syntax elements and attributes, modeled on libxml2.
 #
-# Created by Michal Zalewski <lcamtuf@google.com>
+# Created by Michal Zalewski
 #
 
 attr_encoding=" encoding=\"1\""

docs/ChangeLog

@@ -13,6 +13,128 @@ Want to stay in the loop on major new features? Join our mailing list by
 sending a mail to <afl-users+subscribe@googlegroups.com>.
 
 
+--------------------------
+Version ++2.59d (develop):
+--------------------------
+
+  - fixed a critical bug in afl-tmin that was introduced during ++2.53d
+  - added test cases for afl-cmin and afl-tmin to test/test.sh
+  - added ./experimental/argv_fuzzing ld_preload library by Kjell Braden
+  - added preeny's desock_dup ld_preload library as
+    ./experimental/socket_fuzzing for network fuzzing
+  - added AFL_AS_FORCE_INSTRUMENT environment variable for afl-as - this is
+    for the retrorewrite project
+  - we now set QEMU_SET_ENV from AFL_PRELOAD when qemu_mode is used
+
+
+--------------------------
+Version ++2.59c (release):
+--------------------------
+
+  - qbdi_mode: fuzz android native libraries via QBDI framework
+  - unicorn_mode: switched to the new unicornafl, thanks domenukk
+                  (see https://github.com/vanhauser-thc/unicorn)
+  - afl-fuzz:
+     - added radamsa as (an optional) mutator stage (-R[R])
+     - added -u command line option to not unlink the fuzz input file
+     - Python3 support (autodetect)
+     - AFL_DISABLE_TRIM env var to disable the trim stage
+     - CPU affinity support for DragonFly
+  - llvm_mode:
+     - float splitting is now configured via AFL_LLVM_LAF_SPLIT_FLOATS
+     - support for llvm 10 included now (thanks to devnexen)
+  - libtokencap:
+     - support for *BSD/OSX/Dragonfly added
+     - hook common *cmp functions from widely used libraries
+  - compcov:
+     - hook common *cmp functions from widely used libraries
+     - floating point splitting support for QEMU on x86 targets
+  - qemu_mode: AFL_QEMU_DISABLE_CACHE env to disable QEMU TranslationBlocks caching
+  - afl-analyze: added AFL_SKIP_BIN_CHECK support
+  - better random numbers for gcc_plugin and llvm_mode (thanks to devnexen)
+  - Dockerfile by courtesy of devnexen
+  - added regex.dictionary
+  - qemu and unicorn download scripts now try to download until the full
+    download succeeded. f*ckin travis fails downloading 40% of the time!
+  - more support for Android (please test!)
+  - added the few Android stuff we didnt have already from Google afl repository
+  - removed unnecessary warnings
+
+
+--------------------------
+Version ++2.58c (release):
+--------------------------
+
+  - reverted patch to not unlink and recreate the input file, it resulted in
+    performance loss of ~10%
+  - added test/test-performance.sh script
+  - (re)added gcc_plugin, fast inline instrumentation is not yet finished,
+    however it includes the whitelisting and persistance feature! by hexcoder-
+  - gcc_plugin tests added to testing framework
+
+
+--------------------------------
+Version ++2.54d-2.57c (release):
+--------------------------------
+
+  - we jump to 2.57 instead of 2.55 to catch up with Google's versioning
+  - persistent mode for QEMU (see qemu_mode/README.md)
+  - custom mutator library is now an additional mutator, to exclusivly use it
+    add AFL_CUSTOM_MUTATOR_ONLY (that will trigger the previous behaviour)
+  - new library qemu_mode/unsigaction which filters sigaction events
+  - afl-fuzz: new command line option -I to execute a command on a new crash
+  - no more unlinking the input file, this way the input file can also be a
+    FIFO or disk partition
+  - setting LLVM_CONFIG for llvm_mode will now again switch to the selected
+    llvm version. If your setup is correct.
+  - fuzzing strategy yields for custom mutator were missing from the UI, added them :)
+  - added "make tests" which will perform checks to see that all functionality
+    is working as expected. this is currently the starting point, its not complete :)
+  - added mutation documentation feature ("make document"), creates afl-fuzz-document
+    and saves all mutations of the first run on the first file into out/queue/mutations
+  - libtokencap and libdislocator now compile to the afl_root directory and are
+    installed to the .../lib/afl directory when present during make install
+  - more BSD support, e.g. free CPU binding code for FreeBSD (thanks to devnexen)
+  - reducing duplicate code in afl-fuzz
+  - added "make help"
+  - removed compile warnings from python internal stuff
+  - added man page for afl-clang-fast[++]
+  - updated documentation
+  - Wine mode to run Win32 binaries with the QEMU instrumentation (-W)
+  - CompareCoverage for ARM target in QEMU/Unicorn
+  - laf-intel in llvm_mode now also handles floating point comparisons
+
+
+--------------------------
+Version ++2.54c (release):
+--------------------------
+
+  - big code refactoring:
+    * all includes are now in include/
+    * all afl sources are now in src/ - see src/README.src
+    * afl-fuzz was splitted up in various individual files for including
+      functionality in other programs (e.g. forkserver, memory map, etc.)
+      for better readability.
+    * new code indention everywhere
+  - auto-generating man pages for all (main) tools
+  - added AFL_FORCE_UI to show the UI even if the terminal is not detected
+  - llvm 9 is now supported (still needs testing)
+  - Android is now supported (thank to JoeyJiao!) - still need to modify the Makefile though
+  - fix building qemu on some Ubuntus (thanks to floyd!)
+  - custom mutator by a loaded library is now supported (thanks to kyakdan!)
+  - added PR that includes peak_rss_mb and slowest_exec_ms in the fuzzer_stats report
+  - more support for *BSD (thanks to devnexen!)
+  - fix building on *BSD (thanks to tobias.kortkamp for the patch)
+  - fix for a few features to support different map sized than 2^16
+  - afl-showmap: new option -r now shows the real values in the buckets (stock
+    afl never did), plus shows tuple content summary information now
+  - small docu updates
+  - NeverZero counters for QEMU
+  - NeverZero counters for Unicorn
+  - CompareCoverage Unicorn
+  - immediates-only instrumentation for CompareCoverage
+
+
 --------------------------
 Version ++2.53c (release):
 --------------------------

docs/PATCHES

@@ -17,6 +17,7 @@ afl-qemu-optimize-entrypoint.diff	by mh(at)mh-sec(dot)de
 afl-qemu-speed.diff			by abiondo on github
 afl-qemu-optimize-map.diff		by mh(at)mh-sec(dot)de
 
++ Custom mutator (native library) (by kyakdan)
 + unicorn_mode (modernized and updated by domenukk)
 + instrim (https://github.com/csienslab/instrim) was integrated
 + MOpt (github.com/puppet-meteor/MOpt-AFL) was imported

docs/QuickStartGuide.txt

@@ -45,6 +45,8 @@ how to hit the ground running:
 7) compile and use llvm_mode (afl-clang-fast/afl-clang-fast++) as it is way
    faster and has a few cool features
 
+8) There is a basic docker build with 'docker build -t aflplusplus .'
+
 That's it. Sit back, relax, and - time permitting - try to skim through the
 following files:
 

docs/README.radamsa.md

@@ -0,0 +1 @@
+../src/third_party/libradamsa/README.md

docs/binaryonly_fuzzing.txt

@@ -26,6 +26,10 @@ It is the easiest to use alternative and even works for cross-platform binaries.
 
 As it is included in afl++ this needs no URL.
 
+WINE+QEMU
+---------
+Wine mode can run Win32 PE with the QEMU instrumentation.
+It needs Wine, python3 and the pefile python package installed.
 
 UNICORN
 -------

docs/custom_mutator.txt

@@ -0,0 +1,39 @@
+==================================================
+Adding custom mutators to AFL using
+==================================================
+This file describes how you can implement custom mutations to be used in AFL.
+
+Implemented by Khaled Yakdan from Code Intelligence <yakdan@code-intelligence.de>
+
+
+1) Description
+--------------
+
+Custom mutator libraries can be passed to afl-fuzz to perform custom mutations
+on test cases beyond those available in AFL - for example, to enable structure-aware
+fuzzing by using libraries that perform mutations according to a given grammar.
+
+The custom mutator library is passed to afl-fuzz via the AFL_CUSTOM_MUTATOR_LIBRARY
+environment variable. The library must export the afl_custom_mutator() function and
+must be compiled as a shared object. For example:
+     $CC -shared -Wall -O3 <lib-name>.c -o <lib-name>.so
+
+Note: unless AFL_CUSTOM_MUTATOR_ONLY is set, its state mutator like any others,
+so it will be used for some test cases, and other mutators for others.
+
+Only if AFL_CUSTOM_MUTATOR_ONLY is set the afl_custom_mutator() function will
+be called every time it needs to mutate test case!
+
+For some cases, the format of the mutated data returned from
+the custom mutator is not suitable to directly execute the target with this input.
+For example, when using libprotobuf-mutator, the data returned is in a protobuf
+format which corresponds to a given grammar. In order to execute the target,
+the protobuf data must be converted to the plain-text format expected by the target.
+In such scenarios, the user can define the afl_pre_save_handler() function. This function
+is then transforms the data into the format expected by the API before executing the target.
+afl_pre_save_handler is optional and does not have to be implemented if its functionality
+is not needed.
+
+2) Example
+----------
+A simple example is provided in ../custom_mutators/

docs/env_variables.txt

@@ -65,17 +65,21 @@ tools make fairly broad use of environmental variables:
     mkdir assembly_here
     TMPDIR=$PWD/assembly_here AFL_KEEP_ASSEMBLY=1 make clean all
 
+  - If you are a weird person that wants to compile and instrument asm
+    text files then use the AFL_AS_FORCE_INSTRUMENT variable:
+      AFL_AS_FORCE_INSTRUMENT=1 afl-gcc foo.s -o foo
+
   - Setting AFL_QUIET will prevent afl-cc and afl-as banners from being
     displayed during compilation, in case you find them distracting.
 
   - Setting AFL_CAL_FAST will speed up the initial calibration, if the
     application is very slow
 
-2) Settings for afl-clang-fast / afl-clang-fast++
--------------------------------------------------
+2) Settings for afl-clang-fast / afl-clang-fast++ / afl-gcc-fast / afl-g++-fast
+---------------------------------------------------------------------------------
 
-The native LLVM instrumentation helper accepts a subset of the settings
-discussed in section #1, with the exception of:
+The native instrumentation helpers (llvm_mode and gcc_plugin) accept a subset
+of the settings discussed in section #1, with the exception of:
 
   - AFL_AS, since this toolchain does not directly invoke GNU as.
 
@@ -97,9 +101,10 @@ Then there are a few specific features that are only available in llvm_mode:
 
     - Setting AFL_LLVM_LAF_TRANSFORM_COMPARES will split string compare functions
 
-    - Setting AFL_LLVM_LAF_SPLIT_COMPARES will split > 8 bit CMP instructions
+    - Setting AFL_LLVM_LAF_SPLIT_COMPARES will split all floating point and
+      64, 32 and 16 bit integer CMP instructions
 
-    See llvm_mode/README.laf-intel for more information. 
+    See llvm_mode/README.laf-intel.md for more information. 
 
   WHITELIST
   =========
@@ -108,7 +113,7 @@ Then there are a few specific features that are only available in llvm_mode:
     - Setting AFL_LLVM_WHITELIST with a filename will only instrument those
       files that match the names listed in this file.
 
-    See llvm_mode/README.whitelist for more information.
+    See llvm_mode/README.whitelist.md for more information.
 
   INSTRIM
   =======
@@ -121,7 +126,7 @@ Then there are a few specific features that are only available in llvm_mode:
       afl-fuzz will only be able to see the path the loop took, but not how
       many times it was called (unless it is a complex loop).
 
-    See llvm_mode/README.instrim
+    See llvm_mode/README.instrim.md
 
   NOT_ZERO
   ========
@@ -132,7 +137,18 @@ Then there are a few specific features that are only available in llvm_mode:
       slowdown due a performance issue that is only fixed in llvm 9+.
       This feature increases path discovery by a little bit.
 
-    See llvm_mode/README.neverzero
+    See llvm_mode/README.neverzero.md
+
+Then there are a few specific features that are only available in the gcc_plugin:
+
+  WHITELIST
+  =========
+    This feature allows selective instrumentation of the source
+
+    - Setting AFL_GCC_WHITELIST with a filename will only instrument those
+      files that match the names listed in this file (one filename per line).
+
+    See gcc_plugin/README.whitelist.md for more information.
 
 3) Settings for afl-fuzz
 ------------------------
@@ -201,6 +217,11 @@ checks or alter some of the more exotic semantics of the tool:
     mutated files - say, to fix up checksums. See experimental/post_library/
     for more.
 
+  - Setting AFL_CUSTOM_MUTATOR_LIBRARY to a shared library with
+    afl_custom_mutator() export run additional mutations though this library.
+    If AFL_CUSTOM_MUTATOR_ONLY is also set, all mutations will solely be
+    performed with/from the libary. see docs/custom_mutator.txt
+
   - For AFL_PYTHON_MODULE and AFL_PYTHON_ONLY - they require to be compiled
     with -DUSE_PYTHON. Please see docs/python_mutators.txt
     This feature allows to configure custom mutators which can be very helpful
@@ -223,6 +244,9 @@ checks or alter some of the more exotic semantics of the tool:
     some basic stats. This behavior is also automatically triggered when the
     output from afl-fuzz is redirected to a file or to a pipe.
 
+  - Setting AFL_FORCE_UI will force painting the UI on the screen even if
+    no valid terminal was detected (for virtual consoles)
+
   - If you are Jakub, you may need AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES.
     Others need not apply.
 
@@ -245,9 +269,19 @@ The QEMU wrapper used to instrument binary-only code supports several settings:
   - Setting AFL_INST_LIBS causes the translator to also instrument the code
     inside any dynamically linked libraries (notably including glibc).
   
+  - Setting AFL_COMPCOV_LEVEL enables the CompareCoverage tracing of all cmp
+    and sub in x86 and x86_64 and memory comparions functions (e.g. strcmp,
+    memcmp, ...) when libcompcov is preloaded using AFL_PRELOAD.
+    More info at qemu_mode/libcompcov/README.md.
+    There are two levels at the moment, AFL_COMPCOV_LEVEL=1 that instruments
+    only comparisons with immediate values / read-only memory and
+    AFL_COMPCOV_LEVEL=2 that instruments all the comparions. Level 2 is more
+    accurate but may need a larger shared memory.
+  
   - Setting AFL_QEMU_COMPCOV enables the CompareCoverage tracing of all
-    cmp and sub in x86 and x86_64. Support for other architectures and
-    comparison functions (mem/strcmp et al.) is planned.
+    cmp and sub in x86 and x86_64.
+    This is an alias of AFL_COMPCOV_LEVEL=1 when AFL_COMPCOV_LEVEL is
+    not specified.
 
   - The underlying QEMU binary will recognize any standard "user space
     emulation" variables (e.g., QEMU_STACK_SIZE), but there should be no
@@ -257,9 +291,10 @@ The QEMU wrapper used to instrument binary-only code supports several settings:
     Use this if you are unsure if the entrypoint might be wrong - but
     use it directly, e.g. afl-qemu-trace ./program 
 
-  - If you want to specify a specific entrypoint into the binary (this can
-    be very good for the performance!), use AFL_ENTRYPOINT for this.
+  - AFL_ENTRYPOINT allows you to specify a specific entrypoint into the
+    binary (this can be very good for the performance!).
     The entrypoint is specified as hex address, e.g. 0x4004110
+    Note that the address must be the address of a basic block.
 
 5) Settings for afl-cmin
 ------------------------
@@ -298,7 +333,7 @@ of decimal.
 8) Settings for libdislocator.so
 --------------------------------
 
-The library honors three environmental variables:
+The library honors these environmental variables:
 
   - AFL_LD_LIMIT_MB caps the size of the maximum heap usage permitted by the
     library, in megabytes. The default value is 1 GB. Once this is exceeded,

docs/notes_for_asan.txt

@@ -34,7 +34,7 @@ Note that ASAN is incompatible with -static, so be mindful of that.
 There is also the option of generating a corpus using a non-ASAN binary, and
 then feeding it to an ASAN-instrumented one to check for bugs. This is faster,
 and can give you somewhat comparable results. You can also try using
-libdislocator (see libdislocator/README.dislocator in the parent directory) as a
+libdislocator (see libdislocator/README.dislocator.md in the parent directory) as a
 lightweight and hassle-free (but less thorough) alternative.
 
 2) Long version

docs/perf_tips.txt

@@ -50,12 +50,15 @@ Even if you don't have a lightweight harness for a particular target, remember
 that you can always use another, related library to generate a corpus that will
 be then manually fed to a more resource-hungry program later on.
 
+Also note that reading the fuzzing input via stdin is faster than reading from
+a file.
+
 3) Use LLVM instrumentation
 ---------------------------
 
-When fuzzing slow targets, you can gain 2x performance improvement by using
-the LLVM-based instrumentation mode described in llvm_mode/README.llvm. Note
-that this mode requires the use of clang and will not work with GCC.
+When fuzzing slow targets, you can gain 20-100% performance improvement by
+using the LLVM-based instrumentation mode described in llvm_mode/README.llvm.
+Note that this mode requires the use of clang and will not work with GCC.
 
 The LLVM mode also offers a "persistent", in-process fuzzing mode that can
 work well for certain types of self-contained libraries, and for fast targets,
@@ -72,6 +75,9 @@ If you are only intested in specific parts of the code being fuzzed, you can
 whitelist the files that are actually relevant. This improves the speed and
 accuracy of afl. See llvm_mode/README.whitelist
 
+Also use the InsTrim mode on larger binaries, this improves performance and
+coverage a lot.
+
 4) Profile and optimize the binary
 ----------------------------------
 
@@ -161,6 +167,11 @@ and not waste CPU time.
 
 There are several OS-level factors that may affect fuzzing speed:
 
+  - If you have no risk of power loss then run your fuzzing on a tmpfs
+    partition. This increases the performance noticably.
+    Alternatively you can use AFL_TMPDIR to point to a tmpfs location to
+    just write the input file to a tmpfs.
+
   - High system load. Use idle machines where possible. Kill any non-essential
     CPU hogs (idle browser windows, media players, complex screensavers, etc).
 

docs/power_schedules.txt

@@ -2,7 +2,7 @@ afl++'s power schedules based on AFLfast
 
 <a href="https://comp.nus.edu.sg/~mboehme/paper/CCS16.pdf"><img src="https://comp.nus.edu.sg/~mboehme/paper/CCS16.png" align="right" width="250"></a>
 Power schedules implemented by Marcel Böhme \<marcel.boehme@acm.org\>. 
-AFLFast is an extension of AFL which was written by Michal Zalewski \<lcamtuf@google.com\>.
+AFLFast is an extension of AFL which was written by Michal Zalewski.
 
 AFLfast has helped in the success of Team Codejitsu at the finals of the DARPA Cyber Grand Challenge where their bot Galactica took **2nd place** in terms of #POVs proven (see red bar at https://www.cybergrandchallenge.com/event#results). AFLFast exposed several previously unreported CVEs that could not be exposed by AFL in 24 hours and otherwise exposed vulnerabilities significantly faster than AFL while generating orders of magnitude more unique crashes. 
 

docs/python_mutators.txt

@@ -9,8 +9,9 @@ Adding custom mutators to AFL using Python modules
 
   Implemented by Christian Holler (:decoder) <choller@mozilla.com>.
 
-  NOTE: This is for Python 2.7 !
-  Anyone who wants to add Python 3.7 support is happily welcome :)
+  NOTE: Python 3.7 and 2.7 are supported so far (3.8 upcomming).
+  Depending on with which version afl-fuzz was compiled, you must use
+  python2 or python3 syntax in your scripts!
 
   For an example and a template see ../python_mutators/
 
@@ -56,16 +57,20 @@ further information about this feature.
 3) How to compile AFLFuzz with Python support
 ---------------------------------------------
 
-You must install the python 2.7 development package of your Linux distribution
-before this will work. On Debian/Ubuntu/Kali this can be done with:
+You must install the python 3.7 or 2.7 development package of your Linux
+distribution before this will work. On Debian/Ubuntu/Kali this can be done
+with either:
+  apt install python3.7-dev
+or
   apt install python2.7-dev
+Note that for some distributions you might also need the package python[23]-apt
 
 A prerequisite for using this mode is to compile AFLFuzz with Python support.
 
-The afl Makefile performs some magic and detects Python 2.7 if it is in the
-default path and compiles afl-fuzz with the feature if available (which is
-/usr/include/python2.7 for the Python.h include and /usr/lib/x86_64-linux-gnu
-for the libpython2.7.a library)
+The afl Makefile performs some magic and detects Python 3.7 and 2.7 if it is
+in the default path and compiles afl-fuzz with the feature if available (which
+is /usr/include/python2.7 for the Python.h include and
+/usr/lib/x86_64-linux-gnu for the libpython2.7.a library)
 
 In case your setup is different set the necessary variables like this:
 PYTHON_INCLUDE=/path/to/python2.7/include LDFLAGS=-L/path/to/python2.7/lib make

docs/sister_projects.txt

@@ -319,11 +319,13 @@ Fuzzer shell for SQLite (Richard Hipp)
 Support for Python mutation modules (Christian Holler)
 ------------------------------------------------------
 
+now integrated in AFL++, originally from here
   https://github.com/choller/afl/blob/master/docs/mozilla/python_modules.txt
 
 Support for selective instrumentation (Christian Holler)
 --------------------------------------------------------
 
+now integrated in AFL++, originally from here
   https://github.com/choller/afl/blob/master/docs/mozilla/partial_instrumentation.txt
 
 Kernel fuzzing (Dmitry Vyukov)

docs/status_screen.txt

@@ -407,6 +407,9 @@ directory. This includes:
   - variable_paths - number of test cases showing variable behavior
   - unique_crashes - number of unique crashes recorded
   - unique_hangs   - number of unique hangs encountered
+  - command_line   - full command line used for the fuzzing session
+  - slowest_exec_ms- real time of the slowest execution in seconds
+  - peak_rss_mb    - max rss usage reached during fuzzing in MB
 
 Most of these map directly to the UI elements discussed earlier on.
 

docs/technical_details.txt

@@ -165,7 +165,7 @@ of new tuples, and the remainder is associated with changes in hit counts.
 
 The following table compares the relative ability to discover file syntax and
 explore program states when using several different approaches to guided
-fuzzing. The instrumented target was GNU patch 2.7.3 compiled with -O3 and
+fuzzing. The instrumented target was GNU patch 2.7k.3 compiled with -O3 and
 seeded with a dummy text file; the session consisted of a single pass over the
 input queue with afl-fuzz:
 

docs/unicorn_mode.txt

@@ -1,107 +0,0 @@
-=========================================================
-Unicorn-based binary-only instrumentation for afl-fuzz
-=========================================================
-
-1) Introduction
----------------
-
-The code in ./unicorn_mode allows you to build a standalone feature that
-leverages the Unicorn Engine and allows callers to obtain instrumentation 
-output for black-box, closed-source binary code snippets. This mechanism 
-can be then used by afl-fuzz to stress-test targets that couldn't be built 
-with afl-gcc or used in QEMU mode, or with other extensions such as 
-TriforceAFL.
-
-There is a significant performance penalty compared to native AFL,
-but at least we're able to use AFL on these binaries, right?
-
-The idea and much of the implementation comes from Nathan Voss <njvoss299@gmail.com>.
-
-2) How to use
--------------
-
-*** Building AFL's Unicorn Mode ***
-
-First, make afl as usual.
-Once that completes successfully you need to build and add in the Unicorn Mode 
-features:
-
-  $ cd unicorn_mode
-  $ ./build_unicorn_support.sh
-
-NOTE: This script downloads a recent Unicorn Engine commit that has been tested 
-and is stable-ish from the Unicorn github page. If you are offline, you'll need 
-to hack up this script a little bit and supply your own copy of Unicorn's latest 
-stable release. It's not very hard, just check out the beginning of the 
-build_unicorn_support.sh script and adjust as necessary.
-
-Building Unicorn will take a little bit (~5-10 minutes). Once it completes 
-it automatically compiles a sample application and verify that it works.
-
-*** Fuzzing with Unicorn Mode ***
-
-To really use unicorn-mode effectively you need to prepare the following:
-
-	* Relevant binary code to be fuzzed
-	* Knowledge of the memory map and good starting state
-	* Folder containing sample inputs to start fuzzing with
-		- Same ideas as any other AFL inputs
-		- Quality/speed of results will depend greatly on quality of starting 
-		  samples
-		- See AFL's guidance on how to create a sample corpus
-	* Unicorn-based test harness which:
-		- Adds memory map regions
-		- Loads binary code into memory		
-		- Emulates at least one instruction*
-			- Yeah, this is lame. See 'Gotchas' section below for more info		
-		- Loads and verifies data to fuzz from a command-line specified file
-			- AFL will provide mutated inputs by changing the file passed to 
-			  the test harness
-			- Presumably the data to be fuzzed is at a fixed buffer address
-			- If input constraints (size, invalid bytes, etc.) are known they 
-			  should be checked after the file is loaded. If a constraint 
-			  fails, just exit the test harness. AFL will treat the input as 
-			  'uninteresting' and move on.
-		- Sets up registers and memory state for beginning of test
-		- Emulates the interested code from beginning to end
-		- If a crash is detected, the test harness must 'crash' by 
-		  throwing a signal (SIGSEGV, SIGKILL, SIGABORT, etc.)
-
-Once you have all those things ready to go you just need to run afl-fuzz in
-'unicorn-mode' by passing in the '-U' flag:
-
-	$ afl-fuzz -U -m none -i /path/to/inputs -o /path/to/results -- ./test_harness @@
-
-The normal afl-fuzz command line format applies to everything here. Refer to
-AFL's main documentation for more info about how to use afl-fuzz effectively.
-
-For a much clearer vision of what all of this looks like, please refer to the
-sample provided in the 'unicorn_mode/samples' directory. There is also a blog
-post that goes over the basics at:
-
-https://medium.com/@njvoss299/afl-unicorn-fuzzing-arbitrary-binary-code-563ca28936bf
-
-The 'helper_scripts' directory also contains several helper scripts that allow you 
-to dump context from a running process, load it, and hook heap allocations. For details
-on how to use this check out the follow-up blog post to the one linked above.
-
-A example use of AFL-Unicorn mode is discussed in the Paper Unicorefuzz:
-https://www.usenix.org/conference/woot19/presentation/maier
-
-3) Gotchas, feedback, bugs
---------------------------
-
-To make sure that AFL's fork server starts up correctly the Unicorn test 
-harness script must emulate at least one instruction before loading the
-data that will be fuzzed from the input file. It doesn't matter what the
-instruction is, nor if it is valid. This is an artifact of how the fork-server
-is started and could likely be fixed with some clever re-arranging of the
-patches applied to Unicorn.
-
-Running the build script builds Unicorn and its python bindings and installs 
-them on your system. This installation will supersede any existing Unicorn
-installation with the patched afl-unicorn version.
-
-Refer to the unicorn_mode/samples/arm_example/arm_tester.c for an example
-of how to do this properly! If you don't get this right, AFL will not 
-load any mutated inputs and your fuzzing will be useless!

experimental/argv_fuzzing/Makefile

@@ -0,0 +1,37 @@
+#
+# american fuzzy lop - argvfuzz
+# --------------------------------
+#
+# Copyright 2019 Kjell Braden <afflux@pentabarf.de>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+
+.PHONY: all install clean
+
+PREFIX     ?= /usr/local
+BIN_PATH    = $(PREFIX)/bin
+HELPER_PATH = $(PREFIX)/lib/afl
+
+CFLAGS = -fPIC -Wall -Wextra
+LDFLAGS = -shared -ldl
+
+all: argvfuzz32.so argvfuzz64.so
+
+argvfuzz32.so: argvfuzz.c
+	-$(CC) -m32 $(CFLAGS) $^ $(LDFLAGS) -o $@ || echo "argvfuzz32 build failure (that's fine)"
+
+argvfuzz64.so: argvfuzz.c
+	-$(CC) $(CFLAGS) $^ $(LDFLAGS) -o $@
+
+install: argvfuzz32.so argvfuzz64.so
+	install -d -m 755 $(DESTDIR)$(HELPER_PATH)/
+	if [ -f argvfuzz32.so ]; then set -e; install -m 755 argvfuzz32.so $(DESTDIR)$(HELPER_PATH)/; fi
+	install -m 755 argvfuzz64.so $(DESTDIR)$(HELPER_PATH)/
+
+clean:
+	rm -f argvfuzz32.so argvfuzz64.so

experimental/argv_fuzzing/README.md

@@ -0,0 +1,16 @@
+# argvfuzz
+
+afl supports fuzzing file inputs or stdin. When source is available,
+`argv-fuzz-inl.h` can be used to change `main()` to build argv from stdin.
+
+`argvfuzz` tries to provide the same functionality for binaries. When loaded
+using `LD_PRELOAD`, it will hook the call to `__libc_start_main` and replace
+argv using the same logic of `argv-fuzz-inl.h`.
+
+A few conditions need to be fulfilled for this mechanism to work correctly:
+
+1. As it relies on hooking the loader, it cannot work on static binaries.
+2. If the target binary does not use the default libc's `_start` implementation
+   (crt1.o), the hook may not run.
+3. The hook will replace argv with pointers to `.data` of `argvfuzz.so`. If the
+   target binary expects argv to be living on the stack, things may go wrong.

experimental/argv_fuzzing/argv-fuzz-inl.h

@@ -2,7 +2,7 @@
    american fuzzy lop - sample argv fuzzing wrapper
    ------------------------------------------------
 
-   Written by Michal Zalewski <lcamtuf@google.com>
+   Written by Michal Zalewski
 
    Copyright 2015 Google Inc. All rights reserved.
 
@@ -17,7 +17,7 @@
 
    #include "/path/to/argv-fuzz-inl.h"
 
-   ...to the file containing main(), ideally placing it after all the 
+   ...to the file containing main(), ideally placing it after all the
    standard includes. Next, put AFL_INIT_ARGV(); near the very beginning of
    main().
 
@@ -36,12 +36,20 @@
 
 #include <unistd.h>
 
-#define AFL_INIT_ARGV() do { argv = afl_init_argv(&argc); } while (0)
-
-#define AFL_INIT_SET0(_p) do { \
+#define AFL_INIT_ARGV()          \
+  do {                           \
+                                 \
     argv = afl_init_argv(&argc); \
-    argv[0] = (_p); \
-    if (!argc) argc = 1; \
+                                 \
+  } while (0)
+
+#define AFL_INIT_SET0(_p)        \
+  do {                           \
+                                 \
+    argv = afl_init_argv(&argc); \
+    argv[0] = (_p);              \
+    if (!argc) argc = 1;         \
+                                 \
   } while (0)
 
 #define MAX_CMDLINE_LEN 100000
@@ -53,9 +61,9 @@ static char** afl_init_argv(int* argc) {
   static char* ret[MAX_CMDLINE_PAR];
 
   char* ptr = in_buf;
-  int   rc  = 0;
+  int   rc = 0;
 
-  if (read(0, in_buf, MAX_CMDLINE_LEN - 2) < 0);
+  if (read(0, in_buf, MAX_CMDLINE_LEN - 2) < 0) {}
 
   while (*ptr) {
 
@@ -63,7 +71,8 @@ static char** afl_init_argv(int* argc) {
     if (ret[rc][0] == 0x02 && !ret[rc][1]) ret[rc]++;
     rc++;
 
-    while (*ptr) ptr++;
+    while (*ptr)
+      ptr++;
     ptr++;
 
   }
@@ -77,4 +86,5 @@ static char** afl_init_argv(int* argc) {
 #undef MAX_CMDLINE_LEN
 #undef MAX_CMDLINE_PAR
 
-#endif /* !_HAVE_ARGV_FUZZ_INL */
+#endif                                              /* !_HAVE_ARGV_FUZZ_INL */
+

experimental/argv_fuzzing/argvfuzz.c

@@ -0,0 +1,49 @@
+/*
+   american fuzzy lop - LD_PRELOAD for fuzzing argv in binaries
+   ------------------------------------------------------------
+
+   Copyright 2019 Kjell Braden <afflux@pentabarf.de>
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at:
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ */
+
+#define _GNU_SOURCE                                        /* for RTLD_NEXT */
+#include <dlfcn.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <unistd.h>
+#include "argv-fuzz-inl.h"
+
+int __libc_start_main(int (*main)(int, char **, char **), int argc, char **argv,
+                      void (*init)(void), void (*fini)(void),
+                      void (*rtld_fini)(void), void *stack_end) {
+
+  int (*orig)(int (*main)(int, char **, char **), int argc, char **argv,
+              void (*init)(void), void (*fini)(void), void (*rtld_fini)(void),
+              void *stack_end);
+  int    sub_argc;
+  char **sub_argv;
+
+  (void)argc;
+  (void)argv;
+
+  orig = dlsym(RTLD_NEXT, __func__);
+
+  if (!orig) {
+
+    fprintf(stderr, "hook did not find original %s: %s\n", __func__, dlerror());
+    exit(EXIT_FAILURE);
+
+  }
+
+  sub_argv = afl_init_argv(&sub_argc);
+
+  return orig(main, sub_argc, sub_argv, init, fini, rtld_fini, stack_end);
+
+}
+

experimental/asan_cgroups/limit_memory.sh

@@ -7,7 +7,7 @@
 #            David A. Wheeler <dwheeler@ida.org>
 #
 # Edits to bring the script in line with afl-cmin and other companion scripts
-# by Michal Zalewski <lcamtuf@google.com>. All bugs are my fault.
+# by Michal Zalewski. All bugs are my fault.
 #
 # Copyright 2015 Institute for Defense Analyses.
 #

experimental/canvas_harness/canvas_harness.html

@@ -4,7 +4,7 @@
   american fuzzy lop - <canvas> harness
   -------------------------------------
  
-  Written and maintained by Michal Zalewski <lcamtuf@google.com>
+  Written by Michal Zalewski
  
   Copyright 2013, 2014 Google Inc. All rights reserved.
  

experimental/clang_asm_normalize/as

@@ -3,7 +3,7 @@
 # american fuzzy lop - clang assembly normalizer
 # ----------------------------------------------
 #
-# Written and maintained by Michal Zalewski <lcamtuf@google.com>
+# Written by Michal Zalewski
 # The idea for this wrapper comes from Ryan Govostes.
 #
 # Copyright 2013, 2014 Google Inc. All rights reserved.

experimental/crash_triage/triage_crashes.sh

@@ -3,7 +3,7 @@
 # american fuzzy lop - crash triage utility
 # -----------------------------------------
 #
-# Written and maintained by Michal Zalewski <lcamtuf@google.com>
+# Written by Michal Zalewski
 #
 # Copyright 2013, 2014, 2017 Google Inc. All rights reserved.
 #
@@ -22,7 +22,7 @@
 # necessary.
 #
 
-echo "crash triage utility for afl-fuzz by <lcamtuf@google.com>"
+echo "crash triage utility for afl-fuzz by Michal Zalewski"
 echo
 
 ulimit -v 100000 2>/dev/null

experimental/distributed_fuzzing/sync_script.sh

@@ -3,7 +3,7 @@
 # american fuzzy lop - fuzzer synchronization tool
 # ------------------------------------------------
 #
-# Written and maintained by Michal Zalewski <lcamtuf@google.com>
+# Written by Michal Zalewski
 #
 # Copyright 2014 Google Inc. All rights reserved.
 #

experimental/persistent_demo/persistent_demo.c

@@ -2,7 +2,7 @@
    american fuzzy lop - persistent mode example
    --------------------------------------------
 
-   Written and maintained by Michal Zalewski <lcamtuf@google.com>
+   Written by Michal Zalewski
 
    Copyright 2015 Google Inc. All rights reserved.
 
@@ -28,11 +28,11 @@
 #include <signal.h>
 #include <string.h>
 
-
 /* Main entry point. */
 
 int main(int argc, char** argv) {
 
+  ssize_t len;                               /* how much input did we read? */
   char buf[100]; /* Example-only buffer, you'd replace it with other global or
                     local variables appropriate for your use case. */
 
@@ -57,23 +57,34 @@ int main(int argc, char** argv) {
                Beware of reading from buffered FILE* objects such as stdin. Use
                raw file descriptors or call fopen() / fdopen() in every pass. */
 
-    read(0, buf, 100);
+    len = read(0, buf, 100);
 
     /* STEP 3: This is where we'd call the tested library on the read data.
                We just have some trivial inline code that faults on 'foo!'. */
 
+    /* do we have enough data? */
+    if (len < 4) return 0;
+
     if (buf[0] == 'f') {
+
       printf("one\n");
       if (buf[1] == 'o') {
+
         printf("two\n");
         if (buf[2] == 'o') {
+
           printf("three\n");
           if (buf[3] == '!') {
+
             printf("four\n");
             abort();
+
           }
+
         }
+
       }
+
     }
 
     /*** END PLACEHOLDER CODE ***/
@@ -87,3 +98,4 @@ int main(int argc, char** argv) {
   return 0;
 
 }
+

experimental/post_library/post_library.so.c

@@ -2,7 +2,7 @@
    american fuzzy lop - postprocessor library example
    --------------------------------------------------
 
-   Written and maintained by Michal Zalewski <lcamtuf@google.com>
+   Written by Michal Zalewski
 
    Copyright 2015 Google Inc. All rights reserved.
 
@@ -21,9 +21,9 @@
       in the targeted binary (as shown in ../libpng_no_checksum/). One possible
       exception is the process of fuzzing binary-only software in QEMU mode.
 
-   2) The use of postprocessors for anything other than checksums is questionable
-      and may cause more harm than good. AFL is normally pretty good about
-      dealing with length fields, magic values, etc.
+   2) The use of postprocessors for anything other than checksums is
+   questionable and may cause more harm than good. AFL is normally pretty good
+   about dealing with length fields, magic values, etc.
 
    3) Postprocessors that do anything non-trivial must be extremely robust to
       gracefully handle malformed data and other error conditions - otherwise,
@@ -77,10 +77,10 @@
 /* The actual postprocessor routine called by afl-fuzz: */
 
 const unsigned char* afl_postprocess(const unsigned char* in_buf,
-                                     unsigned int* len) {
+                                     unsigned int*        len) {
 
   static unsigned char* saved_buf;
-  unsigned char* new_buf;
+  unsigned char*        new_buf;
 
   /* Skip execution altogether for buffers shorter than 6 bytes (just to
      show how it's done). We can trust *len to be sane. */
@@ -117,3 +117,4 @@ const unsigned char* afl_postprocess(const unsigned char* in_buf,
   return new_buf;
 
 }
+

experimental/post_library/post_library_png.so.c

@@ -2,7 +2,7 @@
    american fuzzy lop - postprocessor for PNG
    ------------------------------------------
 
-   Written and maintained by Michal Zalewski <lcamtuf@google.com>
+   Written by Michal Zalewski
 
    Copyright 2015 Google Inc. All rights reserved.
 
@@ -36,13 +36,13 @@
 #define UP4K(_i) ((((_i) >> 12) + 1) << 12)
 
 const unsigned char* afl_postprocess(const unsigned char* in_buf,
-                                     unsigned int* len) {
+                                     unsigned int*        len) {
 
   static unsigned char* saved_buf;
   static unsigned int   saved_len;
 
   unsigned char* new_buf = (unsigned char*)in_buf;
-  unsigned int pos = 8;
+  unsigned int   pos = 8;
 
   /* Don't do anything if there's not enough room for the PNG header
      (8 bytes). */
@@ -111,3 +111,4 @@ const unsigned char* afl_postprocess(const unsigned char* in_buf,
   return new_buf;
 
 }
+

experimental/socket_fuzzing/Makefile

@@ -0,0 +1,35 @@
+#
+# american fuzzy lop++ - socket_fuzz
+# ----------------------------------
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+
+.PHONY: all install clean
+
+PREFIX     ?= /usr/local
+BIN_PATH    = $(PREFIX)/bin
+HELPER_PATH = $(PREFIX)/lib/afl
+
+CFLAGS = -fPIC -Wall -Wextra
+LDFLAGS = -shared -ldl
+
+all: socketfuzz32.so socketfuzz64.so
+
+socketfuzz32.so: socketfuzz.c
+	-$(CC) -m32 $(CFLAGS) $^ $(LDFLAGS) -o $@ || echo "socketfuzz32 build failure (that's fine)"
+
+socketfuzz64.so: socketfuzz.c
+	-$(CC) $(CFLAGS) $^ $(LDFLAGS) -o $@
+
+install: socketfuzz32.so socketfuzz64.so
+	install -d -m 755 $(DESTDIR)$(HELPER_PATH)/
+	if [ -f socketfuzz32.so ]; then set -e; install -m 755 socketfuzz32.so $(DESTDIR)$(HELPER_PATH)/; fi
+	install -m 755 socketfuzz64.so $(DESTDIR)$(HELPER_PATH)/
+
+clean:
+	rm -f socketfuzz32.so socketfuzz64.so

experimental/socket_fuzzing/README.md

@@ -0,0 +1,11 @@
+# socketfuzz
+
+when you want to fuzz a network service and you can not/do not want to modify
+the source (or just have a binary), then this LD_PRELOAD library will allow
+for sending input to stdin which the target binary will think is coming from
+a network socket.
+
+This is desock_dup.c from the amazing preeny project
+https://github.com/zardus/preeny
+
+It is packaged in afl++ to have it at hand if needed

experimental/socket_fuzzing/socketfuzz.c

@@ -0,0 +1,110 @@
+/*
+ * This is desock_dup.c from the amazing preeny project
+ * https://github.com/zardus/preeny
+ *
+ * It is packaged in afl++ to have it at hand if needed
+ *
+ */
+
+#define _GNU_SOURCE
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <sys/types.h>   //
+#include <sys/socket.h>  //
+#include <sys/stat.h>    //
+#include <fcntl.h>       //
+#include <netinet/in.h>
+#include <pthread.h>
+#include <signal.h>
+#include <dlfcn.h>
+#include <errno.h>
+#include <stdio.h>
+#include <poll.h>
+//#include "logging.h" // switche from preeny_info() to fprintf(stderr, "Info: "
+
+//
+// originals
+//
+int (*original_close)(int);
+int (*original_dup2)(int, int);
+__attribute__((constructor)) void preeny_desock_dup_orig() {
+
+  original_close = dlsym(RTLD_NEXT, "close");
+  original_dup2 = dlsym(RTLD_NEXT, "dup2");
+
+}
+
+int close(int sockfd) {
+
+  if (sockfd <= 2) {
+
+    fprintf(stderr, "Info: Disabling close on %d\n", sockfd);
+    return 0;
+
+  } else {
+
+    return original_close(sockfd);
+
+  }
+
+}
+
+int dup2(int old, int new) {
+
+  if (new <= 2) {
+
+    fprintf(stderr, "Info: Disabling dup from %d to %d\n", old, new);
+    return 0;
+
+  } else {
+
+    return original_dup2(old, new);
+
+  }
+
+}
+
+int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen) {
+
+  (void)sockfd;
+  (void)addr;
+  (void)addrlen;
+  fprintf(stderr, "Info: Emulating accept on %d\n", sockfd);
+  return 0;
+
+}
+
+int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen) {
+
+  (void)sockfd;
+  (void)addr;
+  (void)addrlen;
+  fprintf(stderr, "Info: Emulating bind on port %d\n",
+          ntohs(((struct sockaddr_in *)addr)->sin_port));
+  return 0;
+
+}
+
+int listen(int sockfd, int backlog) {
+
+  (void)sockfd;
+  (void)backlog;
+  return 0;
+
+}
+
+int setsockopt(int sockfd, int level, int optid, const void *optdata,
+               socklen_t optdatalen) {
+
+  (void)sockfd;
+  (void)level;
+  (void)optid;
+  (void)optdata;
+  (void)optdatalen;
+  return 0;
+
+}
+

gcc_plugin/Makefile

@@ -0,0 +1,130 @@
+#
+# american fuzzy lop - GCC plugin instrumentation
+# -----------------------------------------------
+#
+# Written by Austin Seipp <aseipp@pobox.com> and
+#            Laszlo Szekeres <lszekeres@google.com> and
+#            Michal Zalewski and
+#            Heiko Eißfeldt  <heiko@hexco.de>
+#
+# GCC integration design is based on the LLVM design, which comes
+# from Laszlo Szekeres.
+#
+# Copyright 2015 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+
+PREFIX      ?= /usr/local
+HELPER_PATH  = $(PREFIX)/lib/afl
+BIN_PATH     = $(PREFIX)/bin
+
+CFLAGS      ?= -O3 -g -funroll-loops
+CFLAGS      += -Wall -D_FORTIFY_SOURCE=2 -Wno-pointer-sign \
+               -DAFL_PATH=\"$(HELPER_PATH)\" -DBIN_PATH=\"$(BIN_PATH)\" \
+
+CXXFLAGS    ?= -O3 -g -funroll-loops
+CXXEFLAGS   := $(CXXFLAGS) -Wall -D_FORTIFY_SOURCE=2
+
+CC          ?= gcc
+CXX         ?= g++
+
+PLUGIN_FLAGS = -fPIC -fno-rtti -I"$(shell $(CC) -print-file-name=plugin)/include"
+
+ifeq "$(shell echo '\#include <sys/ipc.h>@\#include <sys/shm.h>@int main() { int _id = shmget(IPC_PRIVATE, 65536, IPC_CREAT | IPC_EXCL | 0600); shmctl(_id, IPC_RMID, 0); return 0;}' | tr @ '\n' | $(CC) -x c - -o .test2 2>/dev/null && echo 1 || echo 0 ; rm -f .test2 )" "1"
+	SHMAT_OK=1
+else
+	SHMAT_OK=0
+	CFLAGS+=-DUSEMMAP=1
+	LDFLAGS += -lrt
+endif
+
+ifeq "$(TEST_MMAP)" "1"
+	SHMAT_OK=0
+	CFLAGS+=-DUSEMMAP=1
+	LDFLAGS += -lrt
+endif
+
+PROGS        = ../afl-gcc-fast ../afl-gcc-pass.so ../afl-gcc-rt.o
+
+
+all: test_shm test_deps $(PROGS) afl-gcc-fast.8 test_build all_done
+
+ifeq "$(SHMAT_OK)" "1"
+
+test_shm:
+	@echo "[+] shmat seems to be working."
+	@rm -f .test2
+
+else
+
+test_shm:
+	@echo "[-] shmat seems not to be working, switching to mmap implementation"
+
+endif
+
+
+test_deps:
+	@echo "[*] Checking for working '$(CC)'..."
+	@which $(CC) >/dev/null 2>&1 || ( echo "[-] Oops, can't find '$(CC)'. Make sure that it's in your \$$PATH (or set \$$CC and \$$CXX)."; exit 1 )
+#	@echo "[*] Checking for gcc for plugin support..."
+#	@$(CC) -v 2>&1 | grep -q -- --enable-plugin || ( echo "[-] Oops, this gcc has not been configured with plugin support."; exit 1 )
+	@echo "[*] Checking for gcc plugin development header files..."
+	@test -d `$(CC) -print-file-name=plugin`/include || ( echo "[-] Oops, can't find gcc header files. Be sure to install 'gcc-X-plugin-dev'."; exit 1 )
+	@echo "[*] Checking for '../afl-showmap'..."
+	@test -f ../afl-showmap || ( echo "[-] Oops, can't find '../afl-showmap'. Be sure to compile AFL first."; exit 1 )
+	@echo "[+] All set and ready to build."
+
+../afl-gcc-fast: afl-gcc-fast.c | test_deps
+	$(CC) -DAFL_GCC_CC=\"$(CC)\" -DAFL_GCC_CXX=\"$(CXX)\" $(CFLAGS) $< -o $@ $(LDFLAGS)
+	ln -sf afl-gcc-fast ../afl-g++-fast
+
+../afl-gcc-pass.so: afl-gcc-pass.so.cc | test_deps
+	$(CXX) $(CXXEFLAGS) $(PLUGIN_FLAGS) -shared $< -o $@
+
+../afl-gcc-rt.o: afl-gcc-rt.o.c | test_deps
+	$(CC) $(CFLAGS) -fPIC -c $< -o $@
+
+test_build: $(PROGS)
+	@echo "[*] Testing the CC wrapper and instrumentation output..."
+	unset AFL_USE_ASAN AFL_USE_MSAN; AFL_QUIET=1 AFL_INST_RATIO=100 AFL_PATH=. AFL_CC=$(CC) ../afl-gcc-fast $(CFLAGS) ../test-instr.c -o test-instr $(LDFLAGS)
+#	unset AFL_USE_ASAN AFL_USE_MSAN;             AFL_INST_RATIO=100 AFL_PATH=. AFL_CC=$(CC) ../afl-gcc-fast $(CFLAGS) ../test-instr.c -o test-instr $(LDFLAGS)
+	../afl-showmap -m none -q -o .test-instr0 ./test-instr </dev/null
+	echo 1 | ../afl-showmap -m none -q -o .test-instr1 ./test-instr
+	@rm -f test-instr
+	@cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation does not seem to be behaving correctly!"; echo; echo "Please post to https://github.com/vanhauser-thc/AFLplusplus/issues to troubleshoot the issue."; echo; exit 1; fi
+	@echo "[+] All right, the instrumentation seems to be working!"
+
+all_done: test_build
+	@echo "[+] All done! You can now use '../afl-gcc-fast' to compile programs."
+
+.NOTPARALLEL: clean
+
+vpath  % ..
+%.8: %
+	@echo .TH $* 8 `date "+%Y-%m-%d"` "afl++" > ../$@
+	@echo .SH NAME >> ../$@
+	@echo .B $* >> ../$@
+	@echo >> ../$@
+	@echo .SH SYNOPSIS >> ../$@
+	@../$* -h 2>&1 | head -n 3 | tail -n 1 | sed 's/^\.\///' >> ../$@
+	@echo >> ../$@
+	@echo .SH OPTIONS >> ../$@
+	@echo .nf >> ../$@
+	@../$* -h 2>&1 | tail -n +4 >> ../$@
+	@echo >> ../$@
+	@echo .SH AUTHOR >> ../$@
+	@echo "afl++ was written by Michal \"lcamtuf\" Zalewski and is maintained by Marc \"van Hauser\" Heuse <mh@mh-sec.de>, Heiko \"hexcoder-\" Eissfeldt <heiko.eissfeldt@hexco.de> and Andrea Fioraldi <andreafioraldi@gmail.com>" >> ../$@
+	@echo  The homepage of afl++ is: https://github.com/vanhauser-thc/AFLplusplus >> ../$@
+	@echo >> ../$@
+	@echo .SH LICENSE >> ../$@
+	@echo Apache License Version 2.0, January 2004 >> ../$@
+	ln -sf afl-gcc-fast.8 ../afl-g++-fast.8
+
+clean:
+	rm -f *.o *.so *~ a.out core core.[1-9][0-9]* test-instr .test-instr0 .test-instr1 .test2
+	rm -f $(PROGS) ../afl-g++-fast ../afl-g*-fast.8

gcc_plugin/README.gcc.md

@@ -0,0 +1,160 @@
+===========================================
+GCC-based instrumentation for afl-fuzz
+======================================
+
+  (See ../docs/README.md for the general instruction manual.)
+  (See ../llvm_mode/README.md for the LLVM-based instrumentation.)
+
+!!! TODO items are:
+!!!  => inline instrumentation has to work!
+!!!
+
+
+## 1) Introduction
+
+The code in this directory allows you to instrument programs for AFL using
+true compiler-level instrumentation, instead of the more crude
+assembly-level rewriting approach taken by afl-gcc and afl-clang. This has
+several interesting properties:
+
+  - The compiler can make many optimizations that are hard to pull off when
+    manually inserting assembly. As a result, some slow, CPU-bound programs will
+    run up to around faster.
+
+    The gains are less pronounced for fast binaries, where the speed is limited
+    chiefly by the cost of creating new processes. In such cases, the gain will
+    probably stay within 10%.
+
+  - The instrumentation is CPU-independent. At least in principle, you should
+    be able to rely on it to fuzz programs on non-x86 architectures (after
+    building afl-fuzz with AFL_NOX86=1).
+
+  - Because the feature relies on the internals of GCC, it is gcc-specific
+    and will *not* work with LLVM (see ../llvm_mode for an alternative).
+
+Once this implementation is shown to be sufficiently robust and portable, it
+will probably replace afl-gcc. For now, it can be built separately and
+co-exists with the original code.
+
+The idea and much of the implementation comes from Laszlo Szekeres.
+
+## 2) How to use
+
+In order to leverage this mechanism, you need to have modern enough GCC
+(>= version 4.5.0) and the plugin headers installed on your system. That
+should be all you need. On Debian machines, these headers can be acquired by
+installing the `gcc-<VERSION>-plugin-dev` packages.
+
+To build the instrumentation itself, type 'make'. This will generate binaries
+called afl-gcc-fast and afl-g++-fast in the parent directory. 
+If the CC/CXX have been overridden, those compilers will be used from
+those wrappers without using AFL_CXX/AFL_CC settings.
+Once this is done, you can instrument third-party code in a way similar to the
+standard operating mode of AFL, e.g.:
+
+  CC=/path/to/afl/afl-gcc-fast ./configure [...options...]
+  make
+
+Be sure to also include CXX set to afl-g++-fast for C++ code.
+
+The tool honors roughly the same environmental variables as afl-gcc (see
+../docs/env_variables.txt). This includes AFL_INST_RATIO, AFL_USE_ASAN,
+AFL_HARDEN, and AFL_DONT_OPTIMIZE.
+
+Note: if you want the GCC plugin to be installed on your system for all
+users, you need to build it before issuing 'make install' in the parent
+directory.
+
+## 3) Gotchas, feedback, bugs
+
+This is an early-stage mechanism, so field reports are welcome. You can send bug
+reports to <hexcoder-@github.com>.
+
+## 4) Bonus feature #1: deferred initialization
+
+AFL tries to optimize performance by executing the targeted binary just once,
+stopping it just before main(), and then cloning this "master" process to get
+a steady supply of targets to fuzz.
+
+Although this approach eliminates much of the OS-, linker- and libc-level
+costs of executing the program, it does not always help with binaries that
+perform other time-consuming initialization steps - say, parsing a large config
+file before getting to the fuzzed data.
+
+In such cases, it's beneficial to initialize the forkserver a bit later, once
+most of the initialization work is already done, but before the binary attempts
+to read the fuzzed input and parse it; in some cases, this can offer a 10x+
+performance gain. You can implement delayed initialization in LLVM mode in a
+fairly simple way.
+
+First, locate a suitable location in the code where the delayed cloning can
+take place. This needs to be done with *extreme* care to avoid breaking the
+binary. In particular, the program will probably malfunction if you select
+a location after:
+
+  - The creation of any vital threads or child processes - since the forkserver
+    can't clone them easily.
+
+  - The initialization of timers via setitimer() or equivalent calls.
+
+  - The creation of temporary files, network sockets, offset-sensitive file
+    descriptors, and similar shared-state resources - but only provided that
+    their state meaningfully influences the behavior of the program later on.
+
+  - Any access to the fuzzed input, including reading the metadata about its
+    size.
+
+With the location selected, add this code in the appropriate spot:
+
+```
+#ifdef __AFL_HAVE_MANUAL_CONTROL
+  __AFL_INIT();
+#endif
+```
+
+You don't need the #ifdef guards, but they will make the program still work as
+usual when compiled with a tool other than afl-gcc-fast/afl-clang-fast.
+
+Finally, recompile the program with afl-gcc-fast (afl-gcc or afl-clang will
+*not* generate a deferred-initialization binary) - and you should be all set!
+
+## 5) Bonus feature #2: persistent mode
+
+Some libraries provide APIs that are stateless, or whose state can be reset in
+between processing different input files. When such a reset is performed, a
+single long-lived process can be reused to try out multiple test cases,
+eliminating the need for repeated fork() calls and the associated OS overhead.
+
+The basic structure of the program that does this would be:
+
+```
+  while (__AFL_LOOP(1000)) {
+
+    /* Read input data. */
+    /* Call library code to be fuzzed. */
+    /* Reset state. */
+
+  }
+
+  /* Exit normally */
+```
+
+The numerical value specified within the loop controls the maximum number
+of iterations before AFL will restart the process from scratch. This minimizes
+the impact of memory leaks and similar glitches; 1000 is a good starting point.
+
+A more detailed template is shown in ../experimental/persistent_demo/.
+Similarly to the previous mode, the feature works only with afl-gcc-fast or
+afl-clang-fast; #ifdef guards can be used to suppress it when using other
+compilers.
+
+Note that as with the previous mode, the feature is easy to misuse; if you
+do not reset the critical state fully, you may end up with false positives or
+waste a whole lot of CPU power doing nothing useful at all. Be particularly
+wary of memory leaks and the state of file descriptors.
+
+When running in this mode, the execution paths will inherently vary a bit
+depending on whether the input loop is being entered for the first time or
+executed again. To avoid spurious warnings, the feature implies
+AFL_NO_VAR_CHECK and hides the "variable path" warnings in the UI.
+

gcc_plugin/README.whitelist.md

@@ -0,0 +1,73 @@
+========================================
+Using afl++ with partial instrumentation
+========================================
+
+  This file describes how you can selectively instrument only the source files
+  that are interesting to you using the gcc instrumentation provided by
+  afl++.
+
+  Plugin by hexcoder-.
+
+
+## 1) Description and purpose
+
+When building and testing complex programs where only a part of the program is
+the fuzzing target, it often helps to only instrument the necessary parts of
+the program, leaving the rest uninstrumented. This helps to focus the fuzzer
+on the important parts of the program, avoiding undesired noise and
+disturbance by uninteresting code being exercised.
+
+For this purpose, I have added a "partial instrumentation" support to the gcc
+plugin of AFLFuzz that allows you to specify on a source file level which files
+should be compiled with or without instrumentation.
+
+
+## 2) Building the gcc plugin
+
+The new code is part of the existing afl++ gcc plugin in the gcc_plugin/
+subdirectory. There is nothing specifically to do :)
+
+
+## 3) How to use the partial instrumentation mode
+
+In order to build with partial instrumentation, you need to build with
+afl-gcc-fast and afl-g++-fast respectively. The only required change is
+that you need to set the environment variable AFL_GCC_WHITELIST when calling
+the compiler.
+
+The environment variable must point to a file containing all the filenames
+that should be instrumented. For matching, the filename that is being compiled
+must end in the filename entry contained in this whitelist (to avoid breaking
+the matching when absolute paths are used during compilation).
+
+For example if your source tree looks like this:
+
+```
+project/
+project/feature_a/a1.cpp
+project/feature_a/a2.cpp
+project/feature_b/b1.cpp
+project/feature_b/b2.cpp
+```
+
+and you only want to test feature_a, then create a whitelist file containing:
+
+```
+feature_a/a1.cpp
+feature_a/a2.cpp
+```
+
+However if the whitelist file contains only this, it works as well:
+
+```
+a1.cpp
+a2.cpp
+```
+
+but it might lead to files being unwantedly instrumented if the same filename
+exists somewhere else in the project directories.
+
+The created whitelist file is then set to AFL_GCC_WHITELIST when you compile
+your program. For each file that didn't match the whitelist, the compiler will
+issue a warning at the end stating that no blocks were instrumented. If you
+didn't intend to instrument that file, then you can safely ignore that warning.

gcc_plugin/afl-gcc-fast.c

@@ -0,0 +1,357 @@
+/*
+   american fuzzy lop - GCC wrapper for GCC plugin
+   ------------------------------------------------
+
+   Written by Austin Seipp <aseipp@pobox.com> and
+              Laszlo Szekeres <lszekeres@google.com> and
+              Michal Zalewski
+
+   GCC integration design is based on the LLVM design, which comes
+   from Laszlo Szekeres.
+
+   Copyright 2015 Google Inc. All rights reserved.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at:
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+   This program is a drop-in replacement for gcc, similar in most
+   respects to ../afl-gcc, but with compiler instrumentation through a
+   plugin. It tries to figure out compilation mode, adds a bunch of
+   flags, and then calls the real compiler.
+
+ */
+
+#define AFL_MAIN
+
+#include "../config.h"
+#include "../types.h"
+#include "../include/debug.h"
+#include "../include/alloc-inl.h"
+
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <string.h>
+
+static u8*  obj_path;                  /* Path to runtime libraries         */
+static u8** cc_params;                 /* Parameters passed to the real CC  */
+static u32  cc_par_cnt = 1;            /* Param count, including argv0      */
+
+/* Try to find the runtime libraries. If that fails, abort. */
+
+static void find_obj(u8* argv0) {
+
+  u8* afl_path = getenv("AFL_PATH");
+  u8 *slash, *tmp;
+
+  if (afl_path) {
+
+    tmp = alloc_printf("%s/afl-gcc-rt.o", afl_path);
+
+    if (!access(tmp, R_OK)) {
+
+      obj_path = afl_path;
+      ck_free(tmp);
+      return;
+
+    }
+
+    ck_free(tmp);
+
+  }
+
+  slash = strrchr(argv0, '/');
+
+  if (slash) {
+
+    u8* dir;
+
+    *slash = 0;
+    dir = ck_strdup(argv0);
+    *slash = '/';
+
+    tmp = alloc_printf("%s/afl-gcc-rt.o", dir);
+
+    if (!access(tmp, R_OK)) {
+
+      obj_path = dir;
+      ck_free(tmp);
+      return;
+
+    }
+
+    ck_free(tmp);
+    ck_free(dir);
+
+  }
+
+  if (!access(AFL_PATH "/afl-gcc-rt.o", R_OK)) {
+
+    obj_path = AFL_PATH;
+    return;
+
+  }
+
+  FATAL(
+      "Unable to find 'afl-gcc-rt.o' or 'afl-gcc-pass.so'. Please set "
+      "AFL_PATH");
+
+}
+
+/* Copy argv to cc_params, making the necessary edits. */
+
+static void edit_params(u32 argc, char** argv) {
+
+  u8  fortify_set = 0, asan_set = 0, x_set = 0, maybe_linking = 1;
+  u8* name;
+
+  cc_params = ck_alloc((argc + 128) * sizeof(u8*));
+
+  name = strrchr(argv[0], '/');
+  if (!name)
+    name = argv[0];
+  else
+    ++name;
+
+  if (!strcmp(name, "afl-g++-fast")) {
+
+    u8* alt_cxx = getenv("AFL_CXX");
+    cc_params[0] = alt_cxx ? alt_cxx : (u8*)AFL_GCC_CXX;
+
+  } else {
+
+    u8* alt_cc = getenv("AFL_CC");
+    cc_params[0] = alt_cc ? alt_cc : (u8*)AFL_GCC_CC;
+
+  }
+
+  char* fplugin_arg = alloc_printf("-fplugin=%s/afl-gcc-pass.so", obj_path);
+  cc_params[cc_par_cnt++] = fplugin_arg;
+
+  /* Detect stray -v calls from ./configure scripts. */
+
+  if (argc == 1 && !strcmp(argv[1], "-v")) maybe_linking = 0;
+
+  while (--argc) {
+
+    u8* cur = *(++argv);
+
+#if defined(__x86_64__)
+    if (!strcmp(cur, "-m32")) FATAL("-m32 is not supported");
+#endif
+
+    if (!strcmp(cur, "-x")) x_set = 1;
+
+    if (!strcmp(cur, "-c") || !strcmp(cur, "-S") || !strcmp(cur, "-E") ||
+        !strcmp(cur, "-v"))
+      maybe_linking = 0;
+
+    if (!strcmp(cur, "-fsanitize=address") || !strcmp(cur, "-fsanitize=memory"))
+      asan_set = 1;
+
+    if (strstr(cur, "FORTIFY_SOURCE")) fortify_set = 1;
+
+    if (!strcmp(cur, "-shared")) maybe_linking = 0;
+
+    cc_params[cc_par_cnt++] = cur;
+
+  }
+
+  if (getenv("AFL_HARDEN")) {
+
+    cc_params[cc_par_cnt++] = "-fstack-protector-all";
+
+    if (!fortify_set) cc_params[cc_par_cnt++] = "-D_FORTIFY_SOURCE=2";
+
+  }
+
+  if (!asan_set) {
+
+    if (getenv("AFL_USE_ASAN")) {
+
+      if (getenv("AFL_USE_MSAN")) FATAL("ASAN and MSAN are mutually exclusive");
+
+      if (getenv("AFL_HARDEN"))
+        FATAL("ASAN and AFL_HARDEN are mutually exclusive");
+
+      cc_params[cc_par_cnt++] = "-U_FORTIFY_SOURCE";
+      cc_params[cc_par_cnt++] = "-fsanitize=address";
+
+    } else if (getenv("AFL_USE_MSAN")) {
+
+      if (getenv("AFL_USE_ASAN")) FATAL("ASAN and MSAN are mutually exclusive");
+
+      if (getenv("AFL_HARDEN"))
+        FATAL("MSAN and AFL_HARDEN are mutually exclusive");
+
+      cc_params[cc_par_cnt++] = "-U_FORTIFY_SOURCE";
+      cc_params[cc_par_cnt++] = "-fsanitize=memory";
+
+    }
+
+  }
+
+  if (!getenv("AFL_DONT_OPTIMIZE")) {
+
+    cc_params[cc_par_cnt++] = "-g";
+    cc_params[cc_par_cnt++] = "-O3";
+    cc_params[cc_par_cnt++] = "-funroll-loops";
+
+  }
+
+  if (getenv("AFL_NO_BUILTIN")) {
+
+    cc_params[cc_par_cnt++] = "-fno-builtin-strcmp";
+    cc_params[cc_par_cnt++] = "-fno-builtin-strncmp";
+    cc_params[cc_par_cnt++] = "-fno-builtin-strcasecmp";
+    cc_params[cc_par_cnt++] = "-fno-builtin-strncasecmp";
+    cc_params[cc_par_cnt++] = "-fno-builtin-memcmp";
+    cc_params[cc_par_cnt++] = "-fno-builtin-bcmp";
+    cc_params[cc_par_cnt++] = "-fno-builtin-strstr";
+    cc_params[cc_par_cnt++] = "-fno-builtin-strcasestr";
+
+  }
+
+#ifdef USEMMAP
+  cc_params[cc_par_cnt++] = "-lrt";
+#endif
+
+  cc_params[cc_par_cnt++] = "-D__AFL_HAVE_MANUAL_CONTROL=1";
+  cc_params[cc_par_cnt++] = "-D__AFL_COMPILER=1";
+  cc_params[cc_par_cnt++] = "-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION=1";
+
+  /* When the user tries to use persistent or deferred forkserver modes by
+     appending a single line to the program, we want to reliably inject a
+     signature into the binary (to be picked up by afl-fuzz) and we want
+     to call a function from the runtime .o file. This is unnecessarily
+     painful for three reasons:
+
+     1) We need to convince the compiler not to optimize out the signature.
+        This is done with __attribute__((used)).
+
+     2) We need to convince the linker, when called with -Wl,--gc-sections,
+        not to do the same. This is done by forcing an assignment to a
+        'volatile' pointer.
+
+     3) We need to declare __afl_persistent_loop() in the global namespace,
+        but doing this within a method in a class is hard - :: and extern "C"
+        are forbidden and __attribute__((alias(...))) doesn't work. Hence the
+        __asm__ aliasing trick.
+
+   */
+
+  cc_params[cc_par_cnt++] =
+      "-D__AFL_LOOP(_A)="
+      "({ static volatile char *_B __attribute__((used)); "
+      " _B = (char*)\"" PERSIST_SIG
+      "\"; "
+#ifdef __APPLE__
+      "int _L(unsigned int) __asm__(\"___afl_persistent_loop\"); "
+#else
+      "int _L(unsigned int) __asm__(\"__afl_persistent_loop\"); "
+#endif                                                        /* ^__APPLE__ */
+      "_L(_A); })";
+
+  cc_params[cc_par_cnt++] =
+      "-D__AFL_INIT()="
+      "do { static volatile char *_A __attribute__((used)); "
+      " _A = (char*)\"" DEFER_SIG
+      "\"; "
+#ifdef __APPLE__
+      "void _I(void) __asm__(\"___afl_manual_init\"); "
+#else
+      "void _I(void) __asm__(\"__afl_manual_init\"); "
+#endif                                                        /* ^__APPLE__ */
+      "_I(); } while (0)";
+
+  if (maybe_linking) {
+
+    if (x_set) {
+
+      cc_params[cc_par_cnt++] = "-x";
+      cc_params[cc_par_cnt++] = "none";
+
+    }
+
+    cc_params[cc_par_cnt++] = alloc_printf("%s/afl-gcc-rt.o", obj_path);
+
+  }
+
+  cc_params[cc_par_cnt] = NULL;
+
+}
+
+/* Main entry point */
+
+int main(int argc, char** argv) {
+
+  if (argc < 2 || strcmp(argv[1], "-h") == 0) {
+
+    printf(
+        cCYA
+        "afl-gcc-fast" VERSION cRST
+        " initially by <aseipp@pobox.com>, maintainer: hexcoder-\n"
+        "\n"
+        "afl-gcc-fast [options]\n"
+        "\n"
+        "This is a helper application for afl-fuzz. It serves as a drop-in "
+        "replacement\n"
+        "for gcc, letting you recompile third-party code with the required "
+        "runtime\n"
+        "instrumentation. A common use pattern would be one of the "
+        "following:\n\n"
+
+        "  CC=%s/afl-gcc-fast ./configure\n"
+        "  CXX=%s/afl-g++-fast ./configure\n\n"
+
+        "In contrast to the traditional afl-gcc tool, this version is "
+        "implemented as\n"
+        "a GCC plugin and tends to offer improved performance with slow "
+        "programs\n"
+        "(similarly to the LLVM plugin used by afl-clang-fast).\n\n"
+
+        "You can specify custom next-stage toolchain via AFL_CC and AFL_CXX. "
+        "Setting\n"
+        "AFL_HARDEN enables hardening optimizations in the compiled code.\n\n",
+        BIN_PATH, BIN_PATH);
+
+    exit(1);
+
+  } else if (isatty(2) && !getenv("AFL_QUIET")) {
+
+    SAYF(cCYA "afl-gcc-fast" VERSION cRST
+              " initially by <aseipp@pobox.com>, maintainer: hexcoder-\n");
+
+    if (getenv("AFL_GCC_WHITELIST") == NULL) {
+
+      SAYF(cYEL "Warning:" cRST
+                " using afl-gcc-fast without using AFL_GCC_WHITELIST currently "
+                "produces worse results than afl-gcc. Even better, use "
+                "llvm_mode for now.\n");
+
+    }
+
+  }
+
+  find_obj(argv[0]);
+
+  edit_params(argc, argv);
+  /*if (isatty(2) && !getenv("AFL_QUIET")) {
+
+            printf("Calling \"%s\" with:\n", cc_params[0]);
+            for(int i=1; i<cc_par_cnt; i++) printf("%s\n", cc_params[i]);
+
+    }
+
+  */
+  execvp(cc_params[0], (char**)cc_params);
+
+  FATAL("Oops, failed to execute '%s' - check your PATH", cc_params[0]);
+
+  return 0;
+
+}
+

gcc_plugin/afl-gcc-pass.so.cc

@@ -0,0 +1,593 @@
+//
+// There are some TODOs in this file:
+//   - fix instrumentation via external call
+//   - fix inline instrumentation
+//   - implement whitelist feature
+//   - dont instrument blocks that are uninteresting
+//   - implement neverZero
+//
+
+/*
+   american fuzzy lop - GCC instrumentation pass
+   ---------------------------------------------
+
+   Written by Austin Seipp <aseipp@pobox.com> with bits from
+              Emese Revfy <re.emese@gmail.com>
+
+   Fixed by Heiko Eißfeldt 2019 for AFL++
+
+   GCC integration design is based on the LLVM design, which comes
+   from Laszlo Szekeres. Some of the boilerplate code below for
+   afl_pass to adapt to different GCC versions was taken from Emese
+   Revfy's Size Overflow plugin for GCC, licensed under the GPLv2/v3.
+
+   (NOTE: this plugin code is under GPLv3, in order to comply with the
+   GCC runtime library exception, which states that you may distribute
+   "Target Code" from the compiler under a license of your choice, as
+   long as the "Compilation Process" is "Eligible", and contains no
+   GPL-incompatible software in GCC "during the process of
+   transforming high level code to target code". In this case, the
+   plugin will be used to generate "Target Code" during the
+   "Compilation Process", and thus it must be GPLv3 to be "eligible".)
+
+   Copyright (C) 2015 Austin Seipp
+
+   This program is free software: you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation, either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+ */
+
+#define BUILD_INLINE_INST
+
+#include "../config.h"
+#include "../include/debug.h"
+
+/* clear helper AFL types pulls in, which intervene with gcc-plugin geaders from
+ * GCC-8 */
+#ifdef likely
+#undef likely
+#endif
+#ifdef unlikely
+#undef unlikely
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#include <list>
+#include <string>
+#include <fstream>
+
+#include <gcc-plugin.h>
+#include <plugin-version.h>
+#include <diagnostic.h>
+#include <tree.h>
+#include <tree-ssa.h>
+#include <tree-pass.h>
+#include <tree-ssa-alias.h>
+#include <basic-block.h>
+#include <gimple-expr.h>
+#include <gimple.h>
+#include <gimple-iterator.h>
+#include <gimple-ssa.h>
+#include <version.h>
+#include <toplev.h>
+#include <intl.h>
+#include <context.h>
+#include <stringpool.h>
+#include <cgraph.h>
+#include <cfgloop.h>
+
+/* -------------------------------------------------------------------------- */
+/* -- AFL instrumentation pass ---------------------------------------------- */
+
+static int                    be_quiet = 0;
+static unsigned int           inst_ratio = 100;
+static bool                   inst_ext = true;
+static std::list<std::string> myWhitelist;
+
+static unsigned int ext_call_instrument(function *fun) {
+
+  /* Instrument all the things! */
+  basic_block bb;
+  unsigned    finst_blocks = 0;
+  unsigned    fcnt_blocks = 0;
+
+  tree fntype = build_function_type_list(void_type_node,          /* return */
+                                         uint32_type_node,          /* args */
+                                         NULL_TREE);                /* done */
+  tree fndecl = build_fn_decl("__afl_trace", fntype);
+  TREE_STATIC(fndecl) = 1;                             /* Defined elsewhere */
+  TREE_PUBLIC(fndecl) = 1;                                        /* Public */
+  DECL_EXTERNAL(fndecl) = 1;                            /* External linkage */
+  DECL_ARTIFICIAL(fndecl) = 1;                      /* Injected by compiler */
+
+  FOR_EACH_BB_FN(bb, fun) {
+
+    gimple_seq           fcall;
+    gimple_seq           seq = NULL;
+    gimple_stmt_iterator bentry;
+    ++fcnt_blocks;
+
+    // only instrument if this basic block is the destination of a previous
+    // basic block that has multiple successors
+    // this gets rid of ~5-10% of instrumentations that are unnecessary
+    // result: a little more speed and less map pollution
+
+    int           more_than_one = -1;
+    edge          ep;
+    edge_iterator eip;
+
+    FOR_EACH_EDGE(ep, eip, bb->preds) {
+
+      int count = 0;
+      if (more_than_one == -1) more_than_one = 0;
+
+      basic_block   Pred = ep->src;
+      edge          es;
+      edge_iterator eis;
+      FOR_EACH_EDGE(es, eis, Pred->succs) {
+
+        basic_block Succ = es->dest;
+        if (Succ != NULL) count++;
+
+      }
+
+      if (count > 1) more_than_one = 1;
+
+    }
+
+    if (more_than_one != 1) continue;
+
+    /* Bail on this block if we trip the specified ratio */
+    if (R(100) >= inst_ratio) continue;
+
+    /* Make up cur_loc */
+    unsigned int rand_loc = R(MAP_SIZE);
+    tree         cur_loc = build_int_cst(uint32_type_node, rand_loc);
+
+    /* Update bitmap via external call */
+    /* to quote:
+     * /+ Trace a basic block with some ID +/
+     * void __afl_trace(u32 x);
+     */
+
+    fcall = gimple_build_call(
+        fndecl, 1,
+        cur_loc); /* generate the function _call_ to above built reference, with
+                   *1* parameter -> the random const for the location */
+    gimple_seq_add_stmt(&seq, fcall);         /* and insert into a sequence */
+
+    /* Done - grab the entry to the block and insert sequence */
+    bentry = gsi_after_labels(bb);
+    gsi_insert_seq_before(&bentry, seq, GSI_SAME_STMT);
+
+    ++finst_blocks;
+
+  }
+
+  /* Say something nice. */
+  if (!be_quiet) {
+
+    if (!finst_blocks)
+      WARNF(G_("No instrumentation targets found in " cBRI "%s" cRST),
+            function_name(fun));
+    else if (finst_blocks < fcnt_blocks)
+      OKF(G_("Instrumented %2u /%2u locations in " cBRI "%s" cRST),
+          finst_blocks, fcnt_blocks, function_name(fun));
+    else
+      OKF(G_("Instrumented %2u locations in " cBRI "%s" cRST), finst_blocks,
+          function_name(fun));
+
+  }
+
+  return 0;
+
+}
+
+static unsigned int inline_instrument(function *fun) {
+
+  /* Instrument all the things! */
+  basic_block bb;
+  unsigned    finst_blocks = 0;
+  unsigned    fcnt_blocks = 0;
+  tree        one = build_int_cst(unsigned_char_type_node, 1);
+  // tree zero = build_int_cst(unsigned_char_type_node, 0);
+
+  /* Set up global type declarations */
+  tree map_type = build_pointer_type(unsigned_char_type_node);
+  tree map_ptr_g =
+      build_decl(UNKNOWN_LOCATION, VAR_DECL,
+                 get_identifier_with_length("__afl_area_ptr", 14), map_type);
+  TREE_USED(map_ptr_g) = 1;
+  TREE_STATIC(map_ptr_g) = 1;                          /* Defined elsewhere */
+  DECL_EXTERNAL(map_ptr_g) = 1;                         /* External linkage */
+  DECL_PRESERVE_P(map_ptr_g) = 1;
+  DECL_ARTIFICIAL(map_ptr_g) = 1;                   /* Injected by compiler */
+  rest_of_decl_compilation(map_ptr_g, 1, 0);
+
+  tree prev_loc_g = build_decl(UNKNOWN_LOCATION, VAR_DECL,
+                               get_identifier_with_length("__afl_prev_loc", 14),
+                               uint32_type_node);
+  TREE_USED(prev_loc_g) = 1;
+  TREE_STATIC(prev_loc_g) = 1;                         /* Defined elsewhere */
+  DECL_EXTERNAL(prev_loc_g) = 1;                        /* External linkage */
+  DECL_PRESERVE_P(prev_loc_g) = 1;
+  DECL_ARTIFICIAL(prev_loc_g) = 1;                  /* Injected by compiler */
+  set_decl_tls_model(prev_loc_g, TLS_MODEL_REAL);          /* TLS attribute */
+  rest_of_decl_compilation(prev_loc_g, 1, 0);
+
+  FOR_EACH_BB_FN(bb, fun) {
+
+    gimple_seq           seq = NULL;
+    gimple_stmt_iterator bentry;
+    ++fcnt_blocks;
+
+    // only instrument if this basic block is the destination of a previous
+    // basic block that has multiple successors
+    // this gets rid of ~5-10% of instrumentations that are unnecessary
+    // result: a little more speed and less map pollution
+
+    int           more_than_one = -1;
+    edge          ep;
+    edge_iterator eip;
+    FOR_EACH_EDGE(ep, eip, bb->preds) {
+
+      int count = 0;
+      if (more_than_one == -1) more_than_one = 0;
+
+      basic_block   Pred = ep->src;
+      edge          es;
+      edge_iterator eis;
+      FOR_EACH_EDGE(es, eis, Pred->succs) {
+
+        basic_block Succ = es->dest;
+        if (Succ != NULL) count++;
+
+      }
+
+      if (count > 1) more_than_one = 1;
+
+    }
+
+    if (more_than_one != 1) continue;
+
+    /* Bail on this block if we trip the specified ratio */
+    if (R(100) >= inst_ratio) continue;
+
+    /* Make up cur_loc */
+
+    unsigned int rand_loc = R(MAP_SIZE);
+    tree         cur_loc = build_int_cst(uint32_type_node, rand_loc);
+
+    /* Load prev_loc, xor with cur_loc */
+    // gimple_assign <var_decl, prev_loc.0_1, prev_loc, NULL, NULL>
+    tree     prev_loc = create_tmp_var_raw(uint32_type_node, "prev_loc");
+    gassign *g = gimple_build_assign(prev_loc, VAR_DECL, prev_loc_g);
+    gimple_seq_add_stmt(&seq, g);  // load prev_loc
+    update_stmt(g);
+
+    // gimple_assign <bit_xor_expr, _2, prev_loc.0_1, 47231, NULL>
+    tree area_off = create_tmp_var_raw(uint32_type_node, "area_off");
+    g = gimple_build_assign(area_off, BIT_XOR_EXPR, prev_loc, cur_loc);
+    gimple_seq_add_stmt(&seq, g);  // area_off = prev_loc ^ cur_loc
+    update_stmt(g);
+
+    /* Update bitmap */
+
+    // gimple_assign <addr_expr, p_6, &map[_2], NULL, NULL>
+    tree map_ptr = create_tmp_var(map_type, "map_ptr");
+    tree map_ptr2 = create_tmp_var(map_type, "map_ptr2");
+
+    g = gimple_build_assign(map_ptr, map_ptr_g);
+    gimple_seq_add_stmt(&seq, g);  // map_ptr = __afl_area_ptr
+    update_stmt(g);
+
+#if 1
+#if 0
+		tree addr = build2(ADDR_EXPR, map_type, map_ptr, area_off);
+		g = gimple_build_assign(map_ptr2, MODIFY_EXPR, addr);
+		gimple_seq_add_stmt(&seq, g); // map_ptr2 = map_ptr + area_off
+		update_stmt(g);
+#else
+    g = gimple_build_assign(map_ptr2, PLUS_EXPR, map_ptr, area_off);
+    gimple_seq_add_stmt(&seq, g);  // map_ptr2 = map_ptr + area_off
+    update_stmt(g);
+#endif
+
+    // gimple_assign <mem_ref, _3, *p_6, NULL, NULL>
+    tree tmp1 = create_tmp_var_raw(unsigned_char_type_node, "tmp1");
+    g = gimple_build_assign(tmp1, MEM_REF, map_ptr2);
+    gimple_seq_add_stmt(&seq, g);  // tmp1 = *map_ptr2
+    update_stmt(g);
+#else
+    tree atIndex = build2(PLUS_EXPR, uint32_type_node, map_ptr, area_off);
+    tree array_address = build1(ADDR_EXPR, map_type, atIndex);
+    tree array_access = build1(INDIRECT_REF, map_type, array_address);
+    tree tmp1 = create_tmp_var(unsigned_char_type_node, "tmp1");
+    g = gimple_build_assign(tmp1, array_access);
+    gimple_seq_add_stmt(&seq, g);  // tmp1 = *(map_ptr + area_off)
+    update_stmt(g);
+#endif
+    // gimple_assign <plus_expr, _4, _3, 1, NULL>
+    tree tmp2 = create_tmp_var_raw(unsigned_char_type_node, "tmp2");
+    g = gimple_build_assign(tmp2, PLUS_EXPR, tmp1, one);
+    gimple_seq_add_stmt(&seq, g);  // tmp2 = tmp1 + 1
+    update_stmt(g);
+
+    // TODO: neverZero: here we have to check if tmp3 == 0
+    //                  and add 1 if so
+
+    // gimple_assign <ssa_name, *p_6, _4, NULL, NULL>
+    //		tree map_ptr3 = create_tmp_var_raw(map_type, "map_ptr3");
+    g = gimple_build_assign(map_ptr2, INDIRECT_REF, tmp2);
+    gimple_seq_add_stmt(&seq, g);  // *map_ptr2 = tmp2
+    update_stmt(g);
+
+    /* Set prev_loc to cur_loc >> 1 */
+
+    // gimple_assign <integer_cst, prev_loc, 23615, NULL, NULL>
+    tree shifted_loc = build_int_cst(TREE_TYPE(prev_loc_g), rand_loc >> 1);
+    tree prev_loc2 = create_tmp_var_raw(uint32_type_node, "prev_loc2");
+    g = gimple_build_assign(prev_loc2, shifted_loc);
+    gimple_seq_add_stmt(&seq, g);  // __afl_prev_loc = cur_loc >> 1
+    update_stmt(g);
+    g = gimple_build_assign(prev_loc_g, prev_loc2);
+    gimple_seq_add_stmt(&seq, g);  // __afl_prev_loc = cur_loc >> 1
+    update_stmt(g);
+
+    /* Done - grab the entry to the block and insert sequence */
+
+    bentry = gsi_after_labels(bb);
+    gsi_insert_seq_before(&bentry, seq, GSI_NEW_STMT);
+
+    ++finst_blocks;
+
+  }
+
+  /* Say something nice. */
+  if (!be_quiet) {
+
+    if (!finst_blocks)
+      WARNF(G_("No instrumentation targets found in " cBRI "%s" cRST),
+            function_name(fun));
+    else if (finst_blocks < fcnt_blocks)
+      OKF(G_("Instrumented %2u /%2u locations in " cBRI "%s" cRST),
+          finst_blocks, fcnt_blocks, function_name(fun));
+    else
+      OKF(G_("Instrumented   %2u   locations in " cBRI "%s" cRST), finst_blocks,
+          function_name(fun));
+
+  }
+
+  return 0;
+
+}
+
+/* -------------------------------------------------------------------------- */
+/* -- Boilerplate and initialization ---------------------------------------- */
+
+static const struct pass_data afl_pass_data = {
+
+    .type = GIMPLE_PASS,
+    .name = "afl-inst",
+    .optinfo_flags = OPTGROUP_NONE,
+
+    .tv_id = TV_NONE,
+    .properties_required = 0,
+    .properties_provided = 0,
+    .properties_destroyed = 0,
+    .todo_flags_start = 0,
+    // NOTE(aseipp): it's very, very important to include
+    // at least 'TODO_update_ssa' here so that GCC will
+    // properly update the resulting SSA form, e.g., to
+    // include new PHI nodes for newly added symbols or
+    // names. Do not remove this. Do not taunt Happy Fun
+    // Ball.
+    .todo_flags_finish = TODO_update_ssa | TODO_verify_il | TODO_cleanup_cfg,
+
+};
+
+namespace {
+
+class afl_pass : public gimple_opt_pass {
+
+ private:
+  bool do_ext_call;
+
+ public:
+  afl_pass(bool ext_call, gcc::context *g)
+      : gimple_opt_pass(afl_pass_data, g), do_ext_call(ext_call) {
+
+  }
+
+  unsigned int execute(function *fun) override {
+
+    if (!myWhitelist.empty()) {
+
+      bool         instrumentBlock = false;
+      std::string  instFilename;
+      unsigned int instLine = 0;
+
+      /* EXPR_FILENAME
+      This macro returns the name of the file in which the entity was declared,
+      as a char*. For an entity declared implicitly by the compiler (like
+      __builtin_ memcpy), this will be the string "<internal>".
+      */
+      const char *fname = DECL_SOURCE_FILE(fun->decl);
+
+      if (0 != strncmp("<internal>", fname, 10) &&
+          0 != strncmp("<built-in>", fname, 10)) {
+
+        instFilename = fname;
+        instLine = DECL_SOURCE_LINE(fun->decl);
+
+        /* Continue only if we know where we actually are */
+        if (!instFilename.empty()) {
+
+          for (std::list<std::string>::iterator it = myWhitelist.begin();
+               it != myWhitelist.end(); ++it) {
+
+            /* We don't check for filename equality here because
+             * filenames might actually be full paths. Instead we
+             * check that the actual filename ends in the filename
+             * specified in the list. */
+            if (instFilename.length() >= it->length()) {
+
+              if (instFilename.compare(instFilename.length() - it->length(),
+                                       it->length(), *it) == 0) {
+
+                instrumentBlock = true;
+                break;
+
+              }
+
+            }
+
+          }
+
+        }
+
+      }
+
+      /* Either we couldn't figure out our location or the location is
+       * not whitelisted, so we skip instrumentation. */
+      if (!instrumentBlock) {
+
+        if (!be_quiet) {
+
+          if (!instFilename.empty())
+            SAYF(cYEL "[!] " cBRI "Not in whitelist, skipping %s line %u...\n",
+                 instFilename.c_str(), instLine);
+          else
+            SAYF(cYEL "[!] " cBRI "No filename information found, skipping it");
+
+        }
+
+        return 0;
+
+      }
+
+    }
+
+    return do_ext_call ? ext_call_instrument(fun) : inline_instrument(fun);
+
+  }
+
+};                                                        /* class afl_pass */
+
+}  // namespace
+
+static struct opt_pass *make_afl_pass(bool ext_call, gcc::context *ctxt) {
+
+  return new afl_pass(ext_call, ctxt);
+
+}
+
+/* -------------------------------------------------------------------------- */
+/* -- Initialization -------------------------------------------------------- */
+
+int plugin_is_GPL_compatible = 1;
+
+static struct plugin_info afl_plugin_info = {
+
+    .version = "20191015",
+    .help = "AFL++ gcc plugin\n",
+
+};
+
+int plugin_init(struct plugin_name_args *  plugin_info,
+                struct plugin_gcc_version *version) {
+
+  struct register_pass_info afl_pass_info;
+  struct timeval            tv;
+  struct timezone           tz;
+  u32                       rand_seed;
+
+  /* Setup random() so we get Actually Random(TM) outputs from R() */
+  gettimeofday(&tv, &tz);
+  rand_seed = tv.tv_sec ^ tv.tv_usec ^ getpid();
+  SR(rand_seed);
+
+  /* Pass information */
+  afl_pass_info.pass = make_afl_pass(inst_ext, g);
+  afl_pass_info.reference_pass_name = "ssa";
+  afl_pass_info.ref_pass_instance_number = 1;
+  afl_pass_info.pos_op = PASS_POS_INSERT_AFTER;
+
+  if (!plugin_default_version_check(version, &gcc_version)) {
+
+    FATAL(G_("Incompatible gcc/plugin versions!"));
+
+  }
+
+  /* Show a banner */
+  if (isatty(2) && !getenv("AFL_QUIET")) {
+
+    SAYF(G_(cCYA "afl-gcc-pass" VERSION cRST
+                 " initially by <aseipp@pobox.com>, maintainer: hexcoder-\n"));
+
+  } else
+
+    be_quiet = 1;
+
+  /* Decide instrumentation ratio */
+  char *inst_ratio_str = getenv("AFL_INST_RATIO");
+
+  if (inst_ratio_str) {
+
+    if (sscanf(inst_ratio_str, "%u", &inst_ratio) != 1 || !inst_ratio ||
+        inst_ratio > 100)
+      FATAL(G_("Bad value of AFL_INST_RATIO (must be between 1 and 100)"));
+    else {
+
+      if (!be_quiet)
+        ACTF(G_("%s instrumentation at ratio of %u%% in %s mode."),
+             inst_ext ? G_("Call-based") : G_("Inline"), inst_ratio,
+             getenv("AFL_HARDEN") ? G_("hardened") : G_("non-hardened"));
+
+    }
+
+  }
+
+  char *instWhiteListFilename = getenv("AFL_GCC_WHITELIST");
+  if (instWhiteListFilename) {
+
+    std::string   line;
+    std::ifstream fileStream;
+    fileStream.open(instWhiteListFilename);
+    if (!fileStream) fatal_error(0, "Unable to open AFL_GCC_WHITELIST");
+    getline(fileStream, line);
+    while (fileStream) {
+
+      myWhitelist.push_back(line);
+      getline(fileStream, line);
+
+    }
+
+  } else if (!be_quiet && getenv("AFL_LLVM_WHITELIST"))
+
+    SAYF(cYEL "[-] " cRST
+              "AFL_LLVM_WHITELIST environment variable detected - did you mean "
+              "AFL_GCC_WHITELIST?\n");
+
+  /* Go go gadget */
+  register_callback(plugin_info->base_name, PLUGIN_INFO, NULL,
+                    &afl_plugin_info);
+  register_callback(plugin_info->base_name, PLUGIN_PASS_MANAGER_SETUP, NULL,
+                    &afl_pass_info);
+  return 0;
+
+}
+

gcc_plugin/afl-gcc-rt.o.c

@@ -0,0 +1,300 @@
+/*
+   american fuzzy lop - GCC plugin instrumentation bootstrap
+   ---------------------------------------------------------
+
+   Written by Austin Seipp <aseipp@pobox.com> and
+              Laszlo Szekeres <lszekeres@google.com> and
+              Michal Zalewski
+
+   GCC integration design is based on the LLVM design, which comes
+   from Laszlo Szekeres.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at:
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+   This code is the rewrite of afl-as.h's main_payload.
+
+*/
+
+#ifdef __ANDROID__
+#include "android-ashmem.h"
+#endif
+#include "../config.h"
+#include "../types.h"
+
+#include <stdlib.h>
+#include <signal.h>
+#include <unistd.h>
+#include <string.h>
+#include <assert.h>
+
+#include <sys/mman.h>
+#include <sys/shm.h>
+#include <sys/wait.h>
+#include <sys/types.h>
+
+#include <sys/mman.h>
+#include <fcntl.h>
+
+/* Globals needed by the injected instrumentation. The __afl_area_initial region
+   is used for instrumentation output before __afl_map_shm() has a chance to
+   run. It will end up as .comm, so it shouldn't be too wasteful. */
+
+u8  __afl_area_initial[MAP_SIZE];
+u8 *__afl_area_ptr = __afl_area_initial;
+
+#ifdef __ANDROID__
+u32 __afl_prev_loc;
+#else
+__thread u32 __afl_prev_loc;
+#endif
+
+/* Trace a basic block with some ID */
+void __afl_trace(const u32 x) {
+
+#if 1                                      /* enable for neverZero feature. */
+  __afl_area_ptr[__afl_prev_loc ^ x] +=
+      1 + ((u8)(1 + __afl_area_ptr[__afl_prev_loc ^ x]) == 0);
+#else
+  ++__afl_area_ptr[__afl_prev_loc ^ x];
+#endif
+
+  __afl_prev_loc = (x >> 1);
+  return;
+
+}
+
+/* Running in persistent mode? */
+
+static u8 is_persistent;
+
+/* SHM setup. */
+
+static void __afl_map_shm(void) {
+
+  u8 *id_str = getenv(SHM_ENV_VAR);
+
+  /* If we're running under AFL, attach to the appropriate region, replacing the
+     early-stage __afl_area_initial region that is needed to allow some really
+     hacky .init code to work correctly in projects such as OpenSSL. */
+
+  if (id_str) {
+
+#ifdef USEMMAP
+    const char *   shm_file_path = id_str;
+    int            shm_fd = -1;
+    unsigned char *shm_base = NULL;
+
+    /* create the shared memory segment as if it was a file */
+    shm_fd = shm_open(shm_file_path, O_RDWR, 0600);
+    if (shm_fd == -1) {
+
+      printf("shm_open() failed\n");
+      exit(1);
+
+    }
+
+    /* map the shared memory segment to the address space of the process */
+    shm_base = mmap(0, MAP_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, shm_fd, 0);
+    if (shm_base == MAP_FAILED) {
+
+      close(shm_fd);
+      shm_fd = -1;
+
+      printf("mmap() failed\n");
+      exit(2);
+
+    }
+
+    __afl_area_ptr = shm_base;
+#else
+    u32 shm_id = atoi(id_str);
+
+    __afl_area_ptr = shmat(shm_id, NULL, 0);
+#endif
+
+    /* Whooooops. */
+
+    if (__afl_area_ptr == (void *)-1) exit(1);
+
+    /* Write something into the bitmap so that even with low AFL_INST_RATIO,
+       our parent doesn't give up on us. */
+
+    __afl_area_ptr[0] = 1;
+
+  }
+
+}
+
+/* Fork server logic. */
+
+static void __afl_start_forkserver(void) {
+
+  static u8 tmp[4];
+  s32       child_pid;
+
+  u8 child_stopped = 0;
+
+  void (*old_sigchld_handler)(int) = signal(SIGCHLD, SIG_DFL);
+
+  /* Phone home and tell the parent that we're OK. If parent isn't there,
+     assume we're not running in forkserver mode and just execute program. */
+
+  if (write(FORKSRV_FD + 1, tmp, 4) != 4) return;
+
+  while (1) {
+
+    u32 was_killed;
+    int status;
+
+    /* Wait for parent by reading from the pipe. Abort if read fails. */
+
+    if (read(FORKSRV_FD, &was_killed, 4) != 4) exit(1);
+
+    /* If we stopped the child in persistent mode, but there was a race
+       condition and afl-fuzz already issued SIGKILL, write off the old
+       process. */
+
+    if (child_stopped && was_killed) {
+
+      child_stopped = 0;
+      if (waitpid(child_pid, &status, 0) < 0) exit(1);
+
+    }
+
+    if (!child_stopped) {
+
+      /* Once woken up, create a clone of our process. */
+
+      child_pid = fork();
+      if (child_pid < 0) exit(1);
+
+      /* In child process: close fds, resume execution. */
+
+      if (!child_pid) {
+
+        signal(SIGCHLD, old_sigchld_handler);
+
+        close(FORKSRV_FD);
+        close(FORKSRV_FD + 1);
+        return;
+
+      }
+
+    } else {
+
+      /* Special handling for persistent mode: if the child is alive but
+         currently stopped, simply restart it with SIGCONT. */
+
+      kill(child_pid, SIGCONT);
+      child_stopped = 0;
+
+    }
+
+    /* In parent process: write PID to pipe, then wait for child. */
+
+    if (write(FORKSRV_FD + 1, &child_pid, 4) != 4) exit(1);
+
+    if (waitpid(child_pid, &status, is_persistent ? WUNTRACED : 0) < 0) exit(1);
+
+    /* In persistent mode, the child stops itself with SIGSTOP to indicate
+       a successful run. In this case, we want to wake it up without forking
+       again. */
+
+    if (WIFSTOPPED(status)) child_stopped = 1;
+
+    /* Relay wait status to pipe, then loop back. */
+
+    if (write(FORKSRV_FD + 1, &status, 4) != 4) exit(1);
+
+  }
+
+}
+
+/* A simplified persistent mode handler, used as explained in README.llvm. */
+
+int __afl_persistent_loop(unsigned int max_cnt) {
+
+  static u8  first_pass = 1;
+  static u32 cycle_cnt;
+
+  if (first_pass) {
+
+    /* Make sure that every iteration of __AFL_LOOP() starts with a clean slate.
+       On subsequent calls, the parent will take care of that, but on the first
+       iteration, it's our job to erase any trace of whatever happened
+       before the loop. */
+
+    if (is_persistent) {
+
+      memset(__afl_area_ptr, 0, MAP_SIZE);
+      __afl_area_ptr[0] = 1;
+      __afl_prev_loc = 0;
+
+    }
+
+    cycle_cnt = max_cnt;
+    first_pass = 0;
+    return 1;
+
+  }
+
+  if (is_persistent) {
+
+    if (--cycle_cnt) {
+
+      raise(SIGSTOP);
+
+      __afl_area_ptr[0] = 1;
+      __afl_prev_loc = 0;
+
+      return 1;
+
+    } else {
+
+      /* When exiting __AFL_LOOP(), make sure that the subsequent code that
+         follows the loop is not traced. We do that by pivoting back to the
+         dummy output region. */
+
+      __afl_area_ptr = __afl_area_initial;
+
+    }
+
+  }
+
+  return 0;
+
+}
+
+/* This one can be called from user code when deferred forkserver mode
+    is enabled. */
+
+void __afl_manual_init(void) {
+
+  static u8 init_done;
+
+  if (!init_done) {
+
+    __afl_map_shm();
+    __afl_start_forkserver();
+    init_done = 1;
+
+  }
+
+}
+
+/* Proper initialization routine. */
+
+__attribute__((constructor(101))) void __afl_auto_init(void) {
+
+  is_persistent = !!getenv(PERSIST_ENV_VAR);
+
+  if (getenv(DEFER_ENV_VAR)) return;
+
+  __afl_manual_init();
+
+}
+

include/afl-as.h

@@ -1,12 +1,15 @@
 /*
-   american fuzzy lop - injectable parts
-   -------------------------------------
+   american fuzzy lop++ - injectable parts
+   ---------------------------------------
 
-   Written and maintained by Michal Zalewski <lcamtuf@google.com>
+   Originally written by Michal Zalewski
 
-   Forkserver design by Jann Horn <jannhorn@googlemail.com>
+   Now maintained by by Marc Heuse <mh@mh-sec.de>,
+                        Heiko Eißfeldt <heiko.eissfeldt@hexco.de> and
+                        Andrea Fioraldi <andreafioraldi@gmail.com>
 
-   Copyright 2013, 2014, 2015 Google Inc. All rights reserved.
+   Copyright 2016, 2017 Google Inc. All rights reserved.
+   Copyright 2019 AFLplusplus Project. All rights reserved.
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
@@ -37,7 +40,7 @@
 #include "config.h"
 #include "types.h"
 
-/* 
+/*
    ------------------
    Performances notes
    ------------------
@@ -106,47 +109,47 @@
 
 static const u8* trampoline_fmt_32 =
 
-  "\n"
-  "/* --- AFL TRAMPOLINE (32-BIT) --- */\n"
-  "\n"
-  ".align 4\n"
-  "\n"
-  "leal -16(%%esp), %%esp\n"
-  "movl %%edi,  0(%%esp)\n"
-  "movl %%edx,  4(%%esp)\n"
-  "movl %%ecx,  8(%%esp)\n"
-  "movl %%eax, 12(%%esp)\n"
-  "movl $0x%08x, %%ecx\n"
-  "call __afl_maybe_log\n"
-  "movl 12(%%esp), %%eax\n"
-  "movl  8(%%esp), %%ecx\n"
-  "movl  4(%%esp), %%edx\n"
-  "movl  0(%%esp), %%edi\n"
-  "leal 16(%%esp), %%esp\n"
-  "\n"
-  "/* --- END --- */\n"
-  "\n";
+    "\n"
+    "/* --- AFL TRAMPOLINE (32-BIT) --- */\n"
+    "\n"
+    ".align 4\n"
+    "\n"
+    "leal -16(%%esp), %%esp\n"
+    "movl %%edi,  0(%%esp)\n"
+    "movl %%edx,  4(%%esp)\n"
+    "movl %%ecx,  8(%%esp)\n"
+    "movl %%eax, 12(%%esp)\n"
+    "movl $0x%08x, %%ecx\n"
+    "call __afl_maybe_log\n"
+    "movl 12(%%esp), %%eax\n"
+    "movl  8(%%esp), %%ecx\n"
+    "movl  4(%%esp), %%edx\n"
+    "movl  0(%%esp), %%edi\n"
+    "leal 16(%%esp), %%esp\n"
+    "\n"
+    "/* --- END --- */\n"
+    "\n";
 
 static const u8* trampoline_fmt_64 =
 
-  "\n"
-  "/* --- AFL TRAMPOLINE (64-BIT) --- */\n"
-  "\n"
-  ".align 4\n"
-  "\n"
-  "leaq -(128+24)(%%rsp), %%rsp\n"
-  "movq %%rdx,  0(%%rsp)\n"
-  "movq %%rcx,  8(%%rsp)\n"
-  "movq %%rax, 16(%%rsp)\n"
-  "movq $0x%08x, %%rcx\n"
-  "call __afl_maybe_log\n"
-  "movq 16(%%rsp), %%rax\n"
-  "movq  8(%%rsp), %%rcx\n"
-  "movq  0(%%rsp), %%rdx\n"
-  "leaq (128+24)(%%rsp), %%rsp\n"
-  "\n"
-  "/* --- END --- */\n"
-  "\n";
+    "\n"
+    "/* --- AFL TRAMPOLINE (64-BIT) --- */\n"
+    "\n"
+    ".align 4\n"
+    "\n"
+    "leaq -(128+24)(%%rsp), %%rsp\n"
+    "movq %%rdx,  0(%%rsp)\n"
+    "movq %%rcx,  8(%%rsp)\n"
+    "movq %%rax, 16(%%rsp)\n"
+    "movq $0x%08x, %%rcx\n"
+    "call __afl_maybe_log\n"
+    "movq 16(%%rsp), %%rax\n"
+    "movq  8(%%rsp), %%rcx\n"
+    "movq  0(%%rsp), %%rdx\n"
+    "leaq (128+24)(%%rsp), %%rsp\n"
+    "\n"
+    "/* --- END --- */\n"
+    "\n";
 
 static const u8* main_payload_32 = 
 
@@ -183,14 +186,14 @@ static const u8* main_payload_32 =
   "  movl %ecx, __afl_prev_loc\n"
 #else
   "  movl %ecx, %edi\n"
-#endif /* ^!COVERAGE_ONLY */
+#endif                                                   /* ^!COVERAGE_ONLY */
   "\n"
 #ifdef SKIP_COUNTS
   "  orb  $1, (%edx, %edi, 1)\n"
 #else
   "  incb (%edx, %edi, 1)\n"
   "  adcb $0, (%edx, %edi, 1)\n" // never zero counter implementation. slightly better path discovery and little performance impact
-#endif /* ^SKIP_COUNTS */
+#endif                                                      /* ^SKIP_COUNTS */
   "\n"
   "__afl_return:\n"
   "\n"
@@ -379,7 +382,7 @@ static const u8* main_payload_32 =
   "  .comm   __afl_setup_failure, 1, 32\n"
 #ifndef COVERAGE_ONLY
   "  .comm   __afl_prev_loc, 4, 32\n"
-#endif /* !COVERAGE_ONLY */
+#endif                                                    /* !COVERAGE_ONLY */
   "  .comm   __afl_fork_pid, 4, 32\n"
   "  .comm   __afl_temp, 4, 32\n"
   "\n"
@@ -398,10 +401,10 @@ static const u8* main_payload_32 =
    recognize .string. */
 
 #ifdef __APPLE__
-#  define CALL_L64(str)		"call _" str "\n"
+#define CALL_L64(str) "call _" str "\n"
 #else
-#  define CALL_L64(str)		"call " str "@PLT\n"
-#endif /* ^__APPLE__ */
+#define CALL_L64(str) "call " str "@PLT\n"
+#endif                                                        /* ^__APPLE__ */
 
 static const u8* main_payload_64 = 
 
@@ -415,11 +418,11 @@ static const u8* main_payload_64 =
   "\n"
   "__afl_maybe_log:\n"
   "\n"
-#if defined(__OpenBSD__)  || (defined(__FreeBSD__) && (__FreeBSD__ < 9))
+#if defined(__OpenBSD__) || (defined(__FreeBSD__) && (__FreeBSD__ < 9))
   "  .byte 0x9f /* lahf */\n"
 #else
   "  lahf\n"
-#endif /* ^__OpenBSD__, etc */
+#endif                                                 /* ^__OpenBSD__, etc */
   "  seto  %al\n"
   "\n"
   "  /* Check if SHM region is already mapped. */\n"
@@ -436,23 +439,23 @@ static const u8* main_payload_64 =
   "  xorq __afl_prev_loc(%rip), %rcx\n"
   "  xorq %rcx, __afl_prev_loc(%rip)\n"
   "  shrq $1, __afl_prev_loc(%rip)\n"
-#endif /* ^!COVERAGE_ONLY */
+#endif                                                   /* ^!COVERAGE_ONLY */
   "\n"
 #ifdef SKIP_COUNTS
   "  orb  $1, (%rdx, %rcx, 1)\n"
 #else
   "  incb (%rdx, %rcx, 1)\n"
   "  adcb $0, (%rdx, %rcx, 1)\n" // never zero counter implementation. slightly better path discovery and little performance impact
-#endif /* ^SKIP_COUNTS */
+#endif                                                      /* ^SKIP_COUNTS */
   "\n"
   "__afl_return:\n"
   "\n"
   "  addb $127, %al\n"
-#if defined(__OpenBSD__)  || (defined(__FreeBSD__) && (__FreeBSD__ < 9))
+#if defined(__OpenBSD__) || (defined(__FreeBSD__) && (__FreeBSD__ < 9))
   "  .byte 0x9e /* sahf */\n"
 #else
   "  sahf\n"
-#endif /* ^__OpenBSD__, etc */
+#endif                                                 /* ^__OpenBSD__, etc */
   "  ret\n"
   "\n"
   ".align 8\n"
@@ -471,7 +474,7 @@ static const u8* main_payload_64 =
   "  movq  (%rdx), %rdx\n"
 #else
   "  movq  __afl_global_area_ptr(%rip), %rdx\n"
-#endif /* !^__APPLE__ */
+#endif                                                       /* !^__APPLE__ */
   "  testq %rdx, %rdx\n"
   "  je    __afl_setup_first\n"
   "\n"
@@ -570,7 +573,7 @@ static const u8* main_payload_64 =
 #else
   "  movq __afl_global_area_ptr@GOTPCREL(%rip), %rdx\n"
   "  movq %rax, (%rdx)\n"
-#endif /* ^__APPLE__ */
+#endif                                                        /* ^__APPLE__ */
   "  movq %rax, %rdx\n"
   "\n"
   "__afl_forkserver:\n"
@@ -739,7 +742,7 @@ static const u8* main_payload_64 =
   "  .comm   __afl_area_ptr, 8\n"
 #ifndef COVERAGE_ONLY
   "  .comm   __afl_prev_loc, 8\n"
-#endif /* !COVERAGE_ONLY */
+#endif                                                    /* !COVERAGE_ONLY */
   "  .comm   __afl_fork_pid, 4\n"
   "  .comm   __afl_temp, 4\n"
   "  .comm   __afl_setup_failure, 1\n"
@@ -749,12 +752,12 @@ static const u8* main_payload_64 =
   "  .lcomm   __afl_area_ptr, 8\n"
 #ifndef COVERAGE_ONLY
   "  .lcomm   __afl_prev_loc, 8\n"
-#endif /* !COVERAGE_ONLY */
+#endif                                                    /* !COVERAGE_ONLY */
   "  .lcomm   __afl_fork_pid, 4\n"
   "  .lcomm   __afl_temp, 4\n"
   "  .lcomm   __afl_setup_failure, 1\n"
 
-#endif /* ^__APPLE__ */
+#endif                                                        /* ^__APPLE__ */
 
   "  .comm    __afl_global_area_ptr, 8, 8\n"
   "\n"
@@ -764,4 +767,5 @@ static const u8* main_payload_64 =
   "/* --- END --- */\n"
   "\n";
 
-#endif /* !_HAVE_AFL_AS_H */
+#endif                                                   /* !_HAVE_AFL_AS_H */
+

include/afl-fuzz.h

@@ -0,0 +1,726 @@
+/*
+   american fuzzy lop++ - fuzzer header
+   ------------------------------------
+
+   Originally written by Michal Zalewski
+
+   Now maintained by by Marc Heuse <mh@mh-sec.de>,
+                        Heiko Eißfeldt <heiko.eissfeldt@hexco.de> and
+                        Andrea Fioraldi <andreafioraldi@gmail.com>
+
+   Copyright 2016, 2017 Google Inc. All rights reserved.
+   Copyright 2019 AFLplusplus Project. All rights reserved.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at:
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+   This is the real deal: the program takes an instrumented binary and
+   attempts a variety of basic fuzzing tricks, paying close attention to
+   how they affect the execution path.
+
+ */
+
+#ifndef _AFL_FUZZ_H
+#define _AFL_FUZZ_H
+
+#define AFL_MAIN
+#define MESSAGES_TO_STDOUT
+
+#ifndef _GNU_SOURCE
+#define _GNU_SOURCE 1
+#endif
+#define _FILE_OFFSET_BITS 64
+
+#ifdef __ANDROID__
+#include "android-ashmem.h"
+#endif
+
+#include "config.h"
+#include "types.h"
+#include "debug.h"
+#include "alloc-inl.h"
+#include "hash.h"
+#include "sharedmem.h"
+#include "forkserver.h"
+#include "common.h"
+
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <errno.h>
+#include <signal.h>
+#include <dirent.h>
+#include <ctype.h>
+#include <fcntl.h>
+#include <termios.h>
+#include <dlfcn.h>
+#include <sched.h>
+
+#include <sys/wait.h>
+#include <sys/time.h>
+#include <sys/shm.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/resource.h>
+#include <sys/mman.h>
+#include <sys/ioctl.h>
+#include <sys/file.h>
+
+#if defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__) || \
+    defined(__NetBSD__) || defined(__DragonFly__)
+#include <sys/sysctl.h>
+#endif                           /* __APPLE__ || __FreeBSD__ || __OpenBSD__ */
+
+/* For systems that have sched_setaffinity; right now just Linux, but one
+   can hope... */
+
+#if defined(__linux__) || defined(__FreeBSD__) || defined(__NetBSD__) || \
+    defined(__DragonFly__)
+#define HAVE_AFFINITY 1
+#if defined(__FreeBSD__) || defined(__DragonFly__)
+#include <sys/param.h>
+#if defined(__FreeBSD__)
+#include <sys/cpuset.h>
+#endif
+#include <sys/user.h>
+#include <pthread.h>
+#include <pthread_np.h>
+#define cpu_set_t cpuset_t
+#elif defined(__NetBSD__)
+#include <pthread.h>
+#endif
+#endif                                                         /* __linux__ */
+
+#ifdef __APPLE__
+#include <TargetConditionals.h>
+#endif
+
+#ifndef SIMPLE_FILES
+#define CASE_PREFIX "id:"
+#else
+#define CASE_PREFIX "id_"
+#endif                                                    /* ^!SIMPLE_FILES */
+
+struct queue_entry {
+
+  u8* fname;                            /* File name for the test case      */
+  u32 len;                              /* Input length                     */
+
+  u8 cal_failed,                        /* Calibration failed?              */
+      trim_done,                        /* Trimmed?                         */
+      was_fuzzed,                       /* historical, but needed for MOpt  */
+      passed_det,                       /* Deterministic stages passed?     */
+      has_new_cov,                      /* Triggers new coverage?           */
+      var_behavior,                     /* Variable behavior?               */
+      favored,                          /* Currently favored?               */
+      fs_redundant;                     /* Marked as redundant in the fs?   */
+
+  u32 bitmap_size,                      /* Number of bits set in bitmap     */
+      fuzz_level,                       /* Number of fuzzing iterations     */
+      exec_cksum;                       /* Checksum of the execution trace  */
+
+  u64 exec_us,                          /* Execution time (us)              */
+      handicap,                         /* Number of queue cycles behind    */
+      n_fuzz,                          /* Number of fuzz, does not overflow */
+      depth;                            /* Path depth                       */
+
+  u8* trace_mini;                       /* Trace bytes, if kept             */
+  u32 tc_ref;                           /* Trace bytes ref count            */
+
+  struct queue_entry *next,             /* Next element, if any             */
+      *next_100;                        /* 100 elements ahead               */
+
+};
+
+struct extra_data {
+
+  u8* data;                             /* Dictionary token data            */
+  u32 len;                              /* Dictionary token length          */
+  u32 hit_cnt;                          /* Use count in the corpus          */
+
+};
+
+/* Fuzzing stages */
+
+enum {
+
+  /* 00 */ STAGE_FLIP1,
+  /* 01 */ STAGE_FLIP2,
+  /* 02 */ STAGE_FLIP4,
+  /* 03 */ STAGE_FLIP8,
+  /* 04 */ STAGE_FLIP16,
+  /* 05 */ STAGE_FLIP32,
+  /* 06 */ STAGE_ARITH8,
+  /* 07 */ STAGE_ARITH16,
+  /* 08 */ STAGE_ARITH32,
+  /* 09 */ STAGE_INTEREST8,
+  /* 10 */ STAGE_INTEREST16,
+  /* 11 */ STAGE_INTEREST32,
+  /* 12 */ STAGE_EXTRAS_UO,
+  /* 13 */ STAGE_EXTRAS_UI,
+  /* 14 */ STAGE_EXTRAS_AO,
+  /* 15 */ STAGE_HAVOC,
+  /* 16 */ STAGE_SPLICE,
+  /* 17 */ STAGE_PYTHON,
+  /* 18 */ STAGE_RADAMSA,
+  /* 19 */ STAGE_CUSTOM_MUTATOR
+
+};
+
+/* Stage value types */
+
+enum {
+
+  /* 00 */ STAGE_VAL_NONE,
+  /* 01 */ STAGE_VAL_LE,
+  /* 02 */ STAGE_VAL_BE
+
+};
+
+/* Execution status fault codes */
+
+enum {
+
+  /* 00 */ FAULT_NONE,
+  /* 01 */ FAULT_TMOUT,
+  /* 02 */ FAULT_CRASH,
+  /* 03 */ FAULT_ERROR,
+  /* 04 */ FAULT_NOINST,
+  /* 05 */ FAULT_NOBITS
+
+};
+
+/* MOpt:
+   Lots of globals, but mostly for the status UI and other things where it
+   really makes no sense to haul them around as function parameters. */
+extern u64 limit_time_puppet, orig_hit_cnt_puppet, last_limit_time_start,
+    tmp_pilot_time, total_pacemaker_time, total_puppet_find, temp_puppet_find,
+    most_time_key, most_time, most_execs_key, most_execs, old_hit_count;
+
+extern s32 SPLICE_CYCLES_puppet, limit_time_sig, key_puppet, key_module;
+
+extern double w_init, w_end, w_now;
+
+extern s32 g_now;
+extern s32 g_max;
+
+#define operator_num 16
+#define swarm_num 5
+#define period_core 500000
+
+extern u64 tmp_core_time;
+extern s32 swarm_now;
+
+extern double x_now[swarm_num][operator_num], L_best[swarm_num][operator_num],
+    eff_best[swarm_num][operator_num], G_best[operator_num],
+    v_now[swarm_num][operator_num], probability_now[swarm_num][operator_num],
+    swarm_fitness[swarm_num];
+
+extern u64 stage_finds_puppet[swarm_num][operator_num], /* Patterns found per
+                                                           fuzz stage    */
+    stage_finds_puppet_v2[swarm_num][operator_num],
+    stage_cycles_puppet_v2[swarm_num][operator_num],
+    stage_cycles_puppet_v3[swarm_num][operator_num],
+    stage_cycles_puppet[swarm_num][operator_num],
+    operator_finds_puppet[operator_num],
+    core_operator_finds_puppet[operator_num],
+    core_operator_finds_puppet_v2[operator_num],
+    core_operator_cycles_puppet[operator_num],
+    core_operator_cycles_puppet_v2[operator_num],
+    core_operator_cycles_puppet_v3[operator_num];   /* Execs per fuzz stage */
+
+#define RAND_C (rand() % 1000 * 0.001)
+#define v_max 1
+#define v_min 0.05
+#define limit_time_bound 1.1
+#define SPLICE_CYCLES_puppet_up 25
+#define SPLICE_CYCLES_puppet_low 5
+#define STAGE_RANDOMBYTE 12
+#define STAGE_DELETEBYTE 13
+#define STAGE_Clone75 14
+#define STAGE_OverWrite75 15
+#define period_pilot 50000
+
+extern double period_pilot_tmp;
+extern s32    key_lv;
+
+extern u8 *in_dir,                      /* Input directory with test cases  */
+    *out_dir,                           /* Working & output directory       */
+    *tmp_dir,                           /* Temporary directory for input    */
+    *sync_dir,                          /* Synchronization directory        */
+    *sync_id,                           /* Fuzzer ID                        */
+    *power_name,                        /* Power schedule name              */
+    *use_banner,                        /* Display banner                   */
+    *in_bitmap,                         /* Input bitmap                     */
+    *file_extension,                    /* File extension                   */
+    *orig_cmdline,                      /* Original command line            */
+    *doc_path,                          /* Path to documentation dir        */
+    *infoexec,                         /* Command to execute on a new crash */
+    *out_file;                          /* File to fuzz, if any             */
+
+extern u32 exec_tmout;                  /* Configurable exec timeout (ms)   */
+extern u32 hang_tmout;                  /* Timeout used for hang det (ms)   */
+
+extern u64 mem_limit;                   /* Memory cap for child (MB)        */
+
+extern u8 cal_cycles,                   /* Calibration cycles defaults      */
+    cal_cycles_long,                    /* Calibration cycles defaults      */
+    no_unlink,                          /* do not unlink cur_input          */
+    use_stdin,                          /* use stdin for sending data       */
+    debug,                              /* Debug mode                       */
+    custom_only,                        /* Custom mutator only mode         */
+    python_only;                        /* Python-only mode                 */
+
+extern u32 stats_update_freq;           /* Stats update frequency (execs)   */
+
+enum {
+
+  /* 00 */ EXPLORE, /* AFL default, Exploration-based constant schedule */
+  /* 01 */ FAST,    /* Exponential schedule             */
+  /* 02 */ COE,     /* Cut-Off Exponential schedule     */
+  /* 03 */ LIN,     /* Linear schedule                  */
+  /* 04 */ QUAD,    /* Quadratic schedule               */
+  /* 05 */ EXPLOIT, /* AFL's exploitation-based const.  */
+
+  POWER_SCHEDULES_NUM
+
+};
+
+extern char* power_names[POWER_SCHEDULES_NUM];
+
+extern u8 schedule;                     /* Power schedule (default: EXPLORE)*/
+extern u8 havoc_max_mult;
+
+extern u8 use_radamsa;
+extern size_t (*radamsa_mutate_ptr)(u8*, size_t, u8*, size_t, u32);
+
+extern u8 skip_deterministic,           /* Skip deterministic stages?       */
+    force_deterministic,                /* Force deterministic stages?      */
+    use_splicing,                       /* Recombine input files?           */
+    dumb_mode,                          /* Run in non-instrumented mode?    */
+    score_changed,                      /* Scoring for favorites changed?   */
+    kill_signal,                        /* Signal that killed the child     */
+    resuming_fuzz,                      /* Resuming an older fuzzing job?   */
+    timeout_given,                      /* Specific timeout given?          */
+    not_on_tty,                         /* stdout is not a tty              */
+    term_too_small,                     /* terminal dimensions too small    */
+    no_forkserver,                      /* Disable forkserver?              */
+    crash_mode,                         /* Crash mode! Yeah!                */
+    in_place_resume,                    /* Attempt in-place resume?         */
+    auto_changed,                       /* Auto-generated tokens changed?   */
+    no_cpu_meter_red,                   /* Feng shui on the status screen   */
+    no_arith,                           /* Skip most arithmetic ops         */
+    shuffle_queue,                      /* Shuffle input queue?             */
+    bitmap_changed,                     /* Time to update bitmap?           */
+    qemu_mode,                          /* Running in QEMU mode?            */
+    unicorn_mode,                       /* Running in Unicorn mode?         */
+    use_wine,                           /* Use WINE with QEMU mode          */
+    skip_requested,                     /* Skip request, via SIGUSR1        */
+    run_over10m,                        /* Run time over 10 minutes?        */
+    persistent_mode,                    /* Running in persistent mode?      */
+    deferred_mode,                      /* Deferred forkserver mode?        */
+    fixed_seed,                         /* do not reseed                    */
+    fast_cal,                           /* Try to calibrate faster?         */
+    uses_asan,                          /* Target uses ASAN?                */
+    disable_trim;                       /* Never trim in fuzz_one           */
+
+extern s32 out_fd,                      /* Persistent fd for out_file       */
+#ifndef HAVE_ARC4RANDOM
+    dev_urandom_fd,                     /* Persistent fd for /dev/urandom   */
+#endif
+    dev_null_fd,                        /* Persistent fd for /dev/null      */
+    fsrv_ctl_fd,                        /* Fork server control pipe (write) */
+    fsrv_st_fd;                         /* Fork server status pipe (read)   */
+
+extern s32 forksrv_pid,                 /* PID of the fork server           */
+    child_pid,                          /* PID of the fuzzed program        */
+    out_dir_fd;                         /* FD of the lock file              */
+
+extern u8* trace_bits;                  /* SHM with instrumentation bitmap  */
+
+extern u8 virgin_bits[MAP_SIZE],        /* Regions yet untouched by fuzzing */
+    virgin_tmout[MAP_SIZE],             /* Bits we haven't seen in tmouts   */
+    virgin_crash[MAP_SIZE];             /* Bits we haven't seen in crashes  */
+
+extern u8 var_bytes[MAP_SIZE];          /* Bytes that appear to be variable */
+
+extern volatile u8 stop_soon,           /* Ctrl-C pressed?                  */
+    clear_screen,                       /* Window resized?                  */
+    child_timed_out;                    /* Traced process timed out?        */
+
+extern u32 queued_paths,                /* Total number of queued testcases */
+    queued_variable,                    /* Testcases with variable behavior */
+    queued_at_start,                    /* Total number of initial inputs   */
+    queued_discovered,                  /* Items discovered during this run */
+    queued_imported,                    /* Items imported via -S            */
+    queued_favored,                     /* Paths deemed favorable           */
+    queued_with_cov,                    /* Paths with new coverage bytes    */
+    pending_not_fuzzed,                 /* Queued but not done yet          */
+    pending_favored,                    /* Pending favored paths            */
+    cur_skipped_paths,                  /* Abandoned inputs in cur cycle    */
+    cur_depth,                          /* Current path depth               */
+    max_depth,                          /* Max path depth                   */
+    useless_at_start,                   /* Number of useless starting paths */
+    var_byte_count,                     /* Bitmap bytes with var behavior   */
+    current_entry,                      /* Current queue entry ID           */
+    havoc_div;                          /* Cycle count divisor for havoc    */
+
+extern u64 total_crashes,               /* Total number of crashes          */
+    unique_crashes,                     /* Crashes with unique signatures   */
+    total_tmouts,                       /* Total number of timeouts         */
+    unique_tmouts,                      /* Timeouts with unique signatures  */
+    unique_hangs,                       /* Hangs with unique signatures     */
+    total_execs,                        /* Total execve() calls             */
+    slowest_exec_ms,                    /* Slowest testcase non hang in ms  */
+    start_time,                         /* Unix start time (ms)             */
+    last_path_time,                     /* Time for most recent path (ms)   */
+    last_crash_time,                    /* Time for most recent crash (ms)  */
+    last_hang_time,                     /* Time for most recent hang (ms)   */
+    last_crash_execs,                   /* Exec counter at last crash       */
+    queue_cycle,                        /* Queue round counter              */
+    cycles_wo_finds,                    /* Cycles without any new paths     */
+    trim_execs,                         /* Execs done to trim input files   */
+    bytes_trim_in,                      /* Bytes coming into the trimmer    */
+    bytes_trim_out,                     /* Bytes coming outa the trimmer    */
+    blocks_eff_total,                   /* Blocks subject to effector maps  */
+    blocks_eff_select;                  /* Blocks selected as fuzzable      */
+
+extern u32 subseq_tmouts;               /* Number of timeouts in a row      */
+
+extern u8 *stage_name,                  /* Name of the current fuzz stage   */
+    *stage_short,                       /* Short stage name                 */
+    *syncing_party;                     /* Currently syncing with...        */
+
+extern s32 stage_cur, stage_max;        /* Stage progression                */
+extern s32 splicing_with;               /* Splicing with which test case?   */
+
+extern u32 master_id, master_max;       /* Master instance job splitting    */
+
+extern u32 syncing_case;                /* Syncing with case #...           */
+
+extern s32 stage_cur_byte,              /* Byte offset of current stage op  */
+    stage_cur_val;                      /* Value used for stage op          */
+
+extern u8 stage_val_type;               /* Value type (STAGE_VAL_*)         */
+
+extern u64 stage_finds[32],             /* Patterns found per fuzz stage    */
+    stage_cycles[32];                   /* Execs per fuzz stage             */
+
+#ifndef HAVE_ARC4RANDOM
+extern u32 rand_cnt;                    /* Random number counter            */
+#endif
+
+extern u32 rand_seed[2];
+extern s64 init_seed;
+
+extern u64 total_cal_us,                /* Total calibration time (us)      */
+    total_cal_cycles;                   /* Total calibration cycles         */
+
+extern u64 total_bitmap_size,           /* Total bit count for all bitmaps  */
+    total_bitmap_entries;               /* Number of bitmaps counted        */
+
+extern s32 cpu_core_count;              /* CPU core count                   */
+
+#ifdef HAVE_AFFINITY
+
+extern s32 cpu_aff;                     /* Selected CPU core                */
+
+#endif                                                     /* HAVE_AFFINITY */
+
+extern FILE* plot_file;                 /* Gnuplot output file              */
+
+extern struct queue_entry *queue,       /* Fuzzing queue (linked list)      */
+    *queue_cur,                         /* Current offset within the queue  */
+    *queue_top,                         /* Top of the list                  */
+    *q_prev100;                         /* Previous 100 marker              */
+
+extern struct queue_entry*
+    top_rated[MAP_SIZE];                /* Top entries for bitmap bytes     */
+
+extern struct extra_data* extras;       /* Extra tokens to fuzz with        */
+extern u32                extras_cnt;   /* Total number of tokens read      */
+
+extern struct extra_data* a_extras;     /* Automatically selected extras    */
+extern u32                a_extras_cnt; /* Total number of tokens available */
+
+u8* (*post_handler)(u8* buf, u32* len);
+
+/* hooks for the custom mutator function */
+/**
+ * Perform custom mutations on a given input
+ * @param data Input data to be mutated
+ * @param size Size of input data
+ * @param mutated_out Buffer to store the mutated input
+ * @param max_size Maximum size of the mutated output. The mutation must not
+ * produce data larger than max_size.
+ * @param seed Seed used for the mutation. The mutation should produce the same
+ * output given the same seed.
+ * @return Size of the mutated output.
+ */
+size_t (*custom_mutator)(u8* data, size_t size, u8* mutated_out,
+                         size_t max_size, unsigned int seed);
+/**
+ * A post-processing function to use right before AFL writes the test case to
+ * disk in order to execute the target. If this functionality is not needed,
+ * Simply don't define this function.
+ * @param data Buffer containing the test case to be executed.
+ * @param size Size of the test case.
+ * @param new_data Buffer to store the test case after processing
+ * @return Size of data after processing.
+ */
+size_t (*pre_save_handler)(u8* data, size_t size, u8** new_data);
+
+/* Interesting values, as per config.h */
+
+extern s8  interesting_8[INTERESTING_8_LEN];
+extern s16 interesting_16[INTERESTING_8_LEN + INTERESTING_16_LEN];
+extern s32
+    interesting_32[INTERESTING_8_LEN + INTERESTING_16_LEN + INTERESTING_32_LEN];
+
+/* Python stuff */
+#ifdef USE_PYTHON
+
+// because Python sets stuff it should not ...
+#ifdef _POSIX_C_SOURCE
+#define _SAVE_POSIX_C_SOURCE _POSIX_C_SOURCE
+#undef _POSIX_C_SOURCE
+#endif
+#ifdef _XOPEN_SOURCE
+#define _SAVE_XOPEN_SOURCE _XOPEN_SOURCE
+#undef _XOPEN_SOURCE
+#endif
+
+#include <Python.h>
+
+#ifdef _SAVE_POSIX_C_SOURCE
+#ifdef _POSIX_C_SOURCE
+#undef _POSIX_C_SOURCE
+#endif
+#define _POSIX_C_SOURCE _SAVE_POSIX_C_SOURCE
+#endif
+#ifdef _SAVE_XOPEN_SOURCE
+#ifdef _XOPEN_SOURCE
+#undef _XOPEN_SOURCE
+#endif
+#define _XOPEN_SOURCE _SAVE_XOPEN_SOURCE
+#endif
+
+extern PyObject* py_module;
+
+enum {
+
+  /* 00 */ PY_FUNC_INIT,
+  /* 01 */ PY_FUNC_FUZZ,
+  /* 02 */ PY_FUNC_INIT_TRIM,
+  /* 03 */ PY_FUNC_POST_TRIM,
+  /* 04 */ PY_FUNC_TRIM,
+  PY_FUNC_COUNT
+
+};
+
+extern PyObject* py_functions[PY_FUNC_COUNT];
+
+#endif
+
+/**** Prototypes ****/
+
+/* Python */
+#ifdef USE_PYTHON
+int  init_py();
+void finalize_py();
+void fuzz_py(char*, size_t, char*, size_t, char**, size_t*);
+u32  init_trim_py(char*, size_t);
+u32  post_trim_py(char);
+void trim_py(char**, size_t*);
+u8   trim_case_python(char**, struct queue_entry*, u8*);
+#endif
+
+/* Queue */
+
+void mark_as_det_done(struct queue_entry*);
+void mark_as_variable(struct queue_entry*);
+void mark_as_redundant(struct queue_entry*, u8);
+void add_to_queue(u8*, u32, u8);
+void destroy_queue(void);
+void update_bitmap_score(struct queue_entry*);
+void cull_queue(void);
+u32  calculate_score(struct queue_entry*);
+
+/* Bitmap */
+
+void write_bitmap(void);
+void read_bitmap(u8*);
+u8   has_new_bits(u8*);
+u32  count_bits(u8*);
+u32  count_bytes(u8*);
+u32  count_non_255_bytes(u8*);
+#ifdef WORD_SIZE_64
+void simplify_trace(u64*);
+void classify_counts(u64*);
+#else
+void simplify_trace(u32*);
+void classify_counts(u32*);
+#endif
+void init_count_class16(void);
+void minimize_bits(u8*, u8*);
+#ifndef SIMPLE_FILES
+u8* describe_op(u8);
+#endif
+u8 save_if_interesting(char**, void*, u32, u8);
+
+/* Misc */
+
+u8* DI(u64);
+u8* DF(double);
+u8* DMS(u64);
+u8* DTD(u64, u64);
+
+/* Extras */
+
+void load_extras_file(u8*, u32*, u32*, u32);
+void load_extras(u8*);
+void maybe_add_auto(u8*, u32);
+void save_auto(void);
+void load_auto(void);
+void destroy_extras(void);
+
+/* Stats */
+
+void write_stats_file(double, double, double);
+void maybe_update_plot_file(double, double);
+void show_stats(void);
+void show_init_stats(void);
+
+/* Run */
+
+u8   run_target(char**, u32);
+void write_to_testcase(void*, u32);
+void write_with_gap(void*, u32, u32, u32);
+u8   calibrate_case(char**, struct queue_entry*, u8*, u32, u8);
+void sync_fuzzers(char**);
+u8   trim_case(char**, struct queue_entry*, u8*);
+u8   common_fuzz_stuff(char**, u8*, u32);
+
+/* Fuzz one */
+
+u8   fuzz_one_original(char**);
+u8   pilot_fuzzing(char**);
+u8   core_fuzzing(char**);
+void pso_updating(void);
+u8   fuzz_one(char**);
+
+/* Init */
+
+#ifdef HAVE_AFFINITY
+void bind_to_free_cpu(void);
+#endif
+void   setup_post(void);
+void   setup_custom_mutator(void);
+void   read_testcases(void);
+void   perform_dry_run(char**);
+void   pivot_inputs(void);
+u32    find_start_position(void);
+void   find_timeout(void);
+double get_runnable_processes(void);
+void   nuke_resume_dir(void);
+void   maybe_delete_out_dir(void);
+void   setup_dirs_fds(void);
+void   setup_cmdline_file(char**);
+void   setup_stdio_file(void);
+void   check_crash_handling(void);
+void   check_cpu_governor(void);
+void   get_core_count(void);
+void   fix_up_sync(void);
+void   check_asan_opts(void);
+void   check_binary(u8*);
+void   fix_up_banner(u8*);
+void   check_if_tty(void);
+void   setup_signal_handlers(void);
+char** get_qemu_argv(u8*, char**, int);
+char** get_wine_argv(u8*, char**, int);
+void   save_cmdline(u32, char**);
+
+/**** Inline routines ****/
+
+/* Generate a random number (from 0 to limit - 1). This may
+   have slight bias. */
+
+static inline u32 UR(u32 limit) {
+
+#ifdef HAVE_ARC4RANDOM
+  if (fixed_seed) { return random() % limit; }
+
+  /* The boundary not being necessarily a power of 2,
+     we need to ensure the result uniformity. */
+  return arc4random_uniform(limit);
+#else
+  if (!fixed_seed && unlikely(!rand_cnt--)) {
+
+    ck_read(dev_urandom_fd, &rand_seed, sizeof(rand_seed), "/dev/urandom");
+    srandom(rand_seed[0]);
+    rand_cnt = (RESEED_RNG / 2) + (rand_seed[1] % RESEED_RNG);
+
+  }
+
+  return random() % limit;
+#endif
+
+}
+
+static inline u32 get_rand_seed() {
+
+  if (fixed_seed) return (u32)init_seed;
+  return rand_seed[0];
+
+}
+
+/* Find first power of two greater or equal to val (assuming val under
+   2^63). */
+
+static u64 next_p2(u64 val) {
+
+  u64 ret = 1;
+  while (val > ret)
+    ret <<= 1;
+  return ret;
+
+}
+
+/* Get unix time in milliseconds */
+
+static u64 get_cur_time(void) {
+
+  struct timeval  tv;
+  struct timezone tz;
+
+  gettimeofday(&tv, &tz);
+
+  return (tv.tv_sec * 1000ULL) + (tv.tv_usec / 1000);
+
+}
+
+/* Get unix time in microseconds */
+
+static u64 get_cur_time_us(void) {
+
+  struct timeval  tv;
+  struct timezone tz;
+
+  gettimeofday(&tv, &tz);
+
+  return (tv.tv_sec * 1000000ULL) + tv.tv_usec;
+
+}
+
+#ifdef _AFL_DOCUMENT_MUTATIONS
+extern u8  do_document;
+extern u32 document_counter;
+#endif
+
+#endif
+

include/alloc-inl.h

@@ -1,10 +1,15 @@
 /*
-   american fuzzy lop - error-checking, memory-zeroing alloc routines
-   ------------------------------------------------------------------
+   american fuzzy lop++ - error-checking, memory-zeroing alloc routines
+   --------------------------------------------------------------------
 
-   Written and maintained by Michal Zalewski <lcamtuf@google.com>
+   Originally written by Michal Zalewski
 
-   Copyright 2013, 2014, 2015 Google Inc. All rights reserved.
+   Now maintained by by Marc Heuse <mh@mh-sec.de>,
+                        Heiko Eißfeldt <heiko.eissfeldt@hexco.de> and
+                        Andrea Fioraldi <andreafioraldi@gmail.com>
+
+   Copyright 2016, 2017 Google Inc. All rights reserved.
+   Copyright 2019 AFLplusplus Project. All rights reserved.
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
@@ -31,88 +36,109 @@
 
 /* User-facing macro to sprintf() to a dynamically allocated buffer. */
 
-#define alloc_printf(_str...) ({ \
-    u8* _tmp; \
-    s32 _len = snprintf(NULL, 0, _str); \
+#define alloc_printf(_str...)                        \
+  ({                                                 \
+                                                     \
+    u8* _tmp;                                        \
+    s32 _len = snprintf(NULL, 0, _str);              \
     if (_len < 0) FATAL("Whoa, snprintf() fails?!"); \
-    _tmp = ck_alloc(_len + 1); \
-    snprintf((char*)_tmp, _len + 1, _str); \
-    _tmp; \
+    _tmp = ck_alloc(_len + 1);                       \
+    snprintf((char*)_tmp, _len + 1, _str);           \
+    _tmp;                                            \
+                                                     \
   })
 
 /* Macro to enforce allocation limits as a last-resort defense against
    integer overflows. */
 
-#define ALLOC_CHECK_SIZE(_s) do { \
-    if ((_s) > MAX_ALLOC) \
-      ABORT("Bad alloc request: %u bytes", (_s)); \
+#define ALLOC_CHECK_SIZE(_s)                                          \
+  do {                                                                \
+                                                                      \
+    if ((_s) > MAX_ALLOC) ABORT("Bad alloc request: %u bytes", (_s)); \
+                                                                      \
   } while (0)
 
 /* Macro to check malloc() failures and the like. */
 
-#define ALLOC_CHECK_RESULT(_r, _s) do { \
-    if (!(_r)) \
-      ABORT("Out of memory: can't allocate %u bytes", (_s)); \
+#define ALLOC_CHECK_RESULT(_r, _s)                                    \
+  do {                                                                \
+                                                                      \
+    if (!(_r)) ABORT("Out of memory: can't allocate %u bytes", (_s)); \
+                                                                      \
   } while (0)
 
 /* Magic tokens used to mark used / freed chunks. */
 
-#define ALLOC_MAGIC_C1  0xFF00FF00 /* Used head (dword)  */
-#define ALLOC_MAGIC_F   0xFE00FE00 /* Freed head (dword) */
-#define ALLOC_MAGIC_C2  0xF0       /* Used tail (byte)   */
+#define ALLOC_MAGIC_C1 0xFF00FF00                     /* Used head (dword)  */
+#define ALLOC_MAGIC_F 0xFE00FE00                      /* Freed head (dword) */
+#define ALLOC_MAGIC_C2 0xF0                           /* Used tail (byte)   */
 
 /* Positions of guard tokens in relation to the user-visible pointer. */
 
-#define ALLOC_C1(_ptr)  (((u32*)(_ptr))[-2])
-#define ALLOC_S(_ptr)   (((u32*)(_ptr))[-1])
-#define ALLOC_C2(_ptr)  (((u8*)(_ptr))[ALLOC_S(_ptr)])
+#define ALLOC_C1(_ptr) (((u32*)(_ptr))[-2])
+#define ALLOC_S(_ptr) (((u32*)(_ptr))[-1])
+#define ALLOC_C2(_ptr) (((u8*)(_ptr))[ALLOC_S(_ptr)])
 
-#define ALLOC_OFF_HEAD  8
+#define ALLOC_OFF_HEAD 8
 #define ALLOC_OFF_TOTAL (ALLOC_OFF_HEAD + 1)
 
 /* Allocator increments for ck_realloc_block(). */
 
-#define ALLOC_BLK_INC    256
+#define ALLOC_BLK_INC 256
 
 /* Sanity-checking macros for pointers. */
 
-#define CHECK_PTR(_p) do { \
-    if (_p) { \
-      if (ALLOC_C1(_p) ^ ALLOC_MAGIC_C1) {\
-        if (ALLOC_C1(_p) == ALLOC_MAGIC_F) \
-          ABORT("Use after free."); \
-        else ABORT("Corrupted head alloc canary."); \
-      } \
-   } \
+#define CHECK_PTR(_p)                            \
+  do {                                           \
+                                                 \
+    if (_p) {                                    \
+                                                 \
+      if (ALLOC_C1(_p) ^ ALLOC_MAGIC_C1) {       \
+                                                 \
+        if (ALLOC_C1(_p) == ALLOC_MAGIC_F)       \
+          ABORT("Use after free.");              \
+        else                                     \
+          ABORT("Corrupted head alloc canary."); \
+                                                 \
+      }                                          \
+                                                 \
+    }                                            \
+                                                 \
   } while (0)
 
-/*
-#define CHECK_PTR(_p) do { \
+/* #define CHECK_PTR(_p) do { \
     if (_p) { \
       if (ALLOC_C1(_p) ^ ALLOC_MAGIC_C1) {\
         if (ALLOC_C1(_p) == ALLOC_MAGIC_F) \
           ABORT("Use after free."); \
         else ABORT("Corrupted head alloc canary."); \
+
       } \
+
       if (ALLOC_C2(_p) ^ ALLOC_MAGIC_C2) \
         ABORT("Corrupted tail alloc canary."); \
+
     } \
+
   } while (0)
+
 */
 
-#define CHECK_PTR_EXPR(_p) ({ \
-    typeof (_p) _tmp = (_p); \
-    CHECK_PTR(_tmp); \
-    _tmp; \
+#define CHECK_PTR_EXPR(_p)  \
+  ({                        \
+                            \
+    typeof(_p) _tmp = (_p); \
+    CHECK_PTR(_tmp);        \
+    _tmp;                   \
+                            \
   })
 
-
 /* Allocate a buffer, explicitly not zeroing it. Returns NULL for zero-sized
    requests. */
 
 static inline void* DFL_ck_alloc_nozero(u32 size) {
 
-  void* ret;
+  u8* ret;
 
   if (!size) return NULL;
 
@@ -123,14 +149,13 @@ static inline void* DFL_ck_alloc_nozero(u32 size) {
   ret += ALLOC_OFF_HEAD;
 
   ALLOC_C1(ret) = ALLOC_MAGIC_C1;
-  ALLOC_S(ret)  = size;
+  ALLOC_S(ret) = size;
   ALLOC_C2(ret) = ALLOC_MAGIC_C2;
 
-  return ret;
+  return (void*)ret;
 
 }
 
-
 /* Allocate a buffer, returning zeroed memory. */
 
 static inline void* DFL_ck_alloc(u32 size) {
@@ -144,7 +169,6 @@ static inline void* DFL_ck_alloc(u32 size) {
 
 }
 
-
 /* Free memory, checking for double free and corrupted heap. When DEBUG_BUILD
    is set, the old memory will be also clobbered with 0xFF. */
 
@@ -159,23 +183,23 @@ static inline void DFL_ck_free(void* mem) {
   /* Catch pointer issues sooner. */
   memset(mem, 0xFF, ALLOC_S(mem));
 
-#endif /* DEBUG_BUILD */
+#endif                                                       /* DEBUG_BUILD */
 
   ALLOC_C1(mem) = ALLOC_MAGIC_F;
 
-  free(mem - ALLOC_OFF_HEAD);
+  u8* realStart = mem;
+  free(realStart - ALLOC_OFF_HEAD);
 
 }
 
-
 /* Re-allocate a buffer, checking for issues and zeroing any newly-added tail.
    With DEBUG_BUILD, the buffer is always reallocated to a new addresses and the
    old memory is clobbered with 0xFF. */
 
 static inline void* DFL_ck_realloc(void* orig, u32 size) {
 
-  void* ret;
-  u32   old_size = 0;
+  u8* ret;
+  u32 old_size = 0;
 
   if (!size) {
 
@@ -190,10 +214,12 @@ static inline void* DFL_ck_realloc(void* orig, u32 size) {
 
 #ifndef DEBUG_BUILD
     ALLOC_C1(orig) = ALLOC_MAGIC_F;
-#endif /* !DEBUG_BUILD */
+#endif                                                      /* !DEBUG_BUILD */
 
-    old_size  = ALLOC_S(orig);
-    orig     -= ALLOC_OFF_HEAD;
+    old_size = ALLOC_S(orig);
+    u8* origu8 = orig;
+    origu8 -= ALLOC_OFF_HEAD;
+    orig = origu8;
 
     ALLOC_CHECK_SIZE(old_size);
 
@@ -216,31 +242,30 @@ static inline void* DFL_ck_realloc(void* orig, u32 size) {
 
   if (orig) {
 
-    memcpy(ret + ALLOC_OFF_HEAD, orig + ALLOC_OFF_HEAD, MIN(size, old_size));
-    memset(orig + ALLOC_OFF_HEAD, 0xFF, old_size);
+    u8* origu8 = orig;
+    memcpy(ret + ALLOC_OFF_HEAD, origu8 + ALLOC_OFF_HEAD, MIN(size, old_size));
+    memset(origu8 + ALLOC_OFF_HEAD, 0xFF, old_size);
 
-    ALLOC_C1(orig + ALLOC_OFF_HEAD) = ALLOC_MAGIC_F;
+    ALLOC_C1(origu8 + ALLOC_OFF_HEAD) = ALLOC_MAGIC_F;
 
     free(orig);
 
   }
 
-#endif /* ^!DEBUG_BUILD */
+#endif                                                     /* ^!DEBUG_BUILD */
 
   ret += ALLOC_OFF_HEAD;
 
   ALLOC_C1(ret) = ALLOC_MAGIC_C1;
-  ALLOC_S(ret)  = size;
+  ALLOC_S(ret) = size;
   ALLOC_C2(ret) = ALLOC_MAGIC_C2;
 
-  if (size > old_size)
-    memset(ret + old_size, 0, size - old_size);
+  if (size > old_size) memset(ret + old_size, 0, size - old_size);
 
-  return ret;
+  return (void*)ret;
 
 }
 
-
 /* Re-allocate a buffer with ALLOC_BLK_INC increments (used to speed up
    repeated small reallocs without complicating the user code). */
 
@@ -258,19 +283,18 @@ static inline void* DFL_ck_realloc_block(void* orig, u32 size) {
 
   }
 
-#endif /* !DEBUG_BUILD */
+#endif                                                      /* !DEBUG_BUILD */
 
   return DFL_ck_realloc(orig, size);
 
 }
 
-
 /* Create a buffer with a copy of a string. Returns NULL for NULL inputs. */
 
 static inline u8* DFL_ck_strdup(u8* str) {
 
-  void* ret;
-  u32   size;
+  u8* ret;
+  u32 size;
 
   if (!str) return NULL;
 
@@ -283,38 +307,36 @@ static inline u8* DFL_ck_strdup(u8* str) {
   ret += ALLOC_OFF_HEAD;
 
   ALLOC_C1(ret) = ALLOC_MAGIC_C1;
-  ALLOC_S(ret)  = size;
+  ALLOC_S(ret) = size;
   ALLOC_C2(ret) = ALLOC_MAGIC_C2;
 
   return memcpy(ret, str, size);
 
 }
 
-
 /* Create a buffer with a copy of a memory block. Returns NULL for zero-sized
    or NULL inputs. */
 
 static inline void* DFL_ck_memdup(void* mem, u32 size) {
 
-  void* ret;
+  u8* ret;
 
   if (!mem || !size) return NULL;
 
   ALLOC_CHECK_SIZE(size);
   ret = malloc(size + ALLOC_OFF_TOTAL);
   ALLOC_CHECK_RESULT(ret, size);
-  
+
   ret += ALLOC_OFF_HEAD;
 
   ALLOC_C1(ret) = ALLOC_MAGIC_C1;
-  ALLOC_S(ret)  = size;
+  ALLOC_S(ret) = size;
   ALLOC_C2(ret) = ALLOC_MAGIC_C2;
 
   return memcpy(ret, mem, size);
 
 }
 
-
 /* Create a buffer with a block of text, appending a NUL terminator at the end.
    Returns NULL for zero-sized or NULL inputs. */
 
@@ -327,11 +349,11 @@ static inline u8* DFL_ck_memdup_str(u8* mem, u32 size) {
   ALLOC_CHECK_SIZE(size);
   ret = malloc(size + ALLOC_OFF_TOTAL + 1);
   ALLOC_CHECK_RESULT(ret, size);
-  
+
   ret += ALLOC_OFF_HEAD;
 
   ALLOC_C1(ret) = ALLOC_MAGIC_C1;
-  ALLOC_S(ret)  = size;
+  ALLOC_S(ret) = size;
   ALLOC_C2(ret) = ALLOC_MAGIC_C2;
 
   memcpy(ret, mem, size);
@@ -341,20 +363,19 @@ static inline u8* DFL_ck_memdup_str(u8* mem, u32 size) {
 
 }
 
-
 #ifndef DEBUG_BUILD
 
 /* In non-debug mode, we just do straightforward aliasing of the above functions
    to user-visible names such as ck_alloc(). */
 
-#define ck_alloc          DFL_ck_alloc
-#define ck_alloc_nozero   DFL_ck_alloc_nozero
-#define ck_realloc        DFL_ck_realloc
-#define ck_realloc_block  DFL_ck_realloc_block
-#define ck_strdup         DFL_ck_strdup
-#define ck_memdup         DFL_ck_memdup
-#define ck_memdup_str     DFL_ck_memdup_str
-#define ck_free           DFL_ck_free
+#define ck_alloc DFL_ck_alloc
+#define ck_alloc_nozero DFL_ck_alloc_nozero
+#define ck_realloc DFL_ck_realloc
+#define ck_realloc_block DFL_ck_realloc_block
+#define ck_strdup DFL_ck_strdup
+#define ck_memdup DFL_ck_memdup
+#define ck_memdup_str DFL_ck_memdup_str
+#define ck_free DFL_ck_free
 
 #define alloc_report()
 
@@ -365,12 +386,14 @@ static inline u8* DFL_ck_memdup_str(u8* mem, u32 size) {
 
 /* Alloc tracking data structures: */
 
-#define ALLOC_BUCKETS     4096
+#define ALLOC_BUCKETS 4096
 
 struct TRK_obj {
-  void *ptr;
+
+  void* ptr;
   char *file, *func;
-  u32  line;
+  u32 line;
+
 };
 
 #ifdef AFL_MAIN
@@ -378,22 +401,21 @@ struct TRK_obj {
 struct TRK_obj* TRK[ALLOC_BUCKETS];
 u32 TRK_cnt[ALLOC_BUCKETS];
 
-#  define alloc_report() TRK_report()
+#define alloc_report() TRK_report()
 
 #else
 
 extern struct TRK_obj* TRK[ALLOC_BUCKETS];
-extern u32 TRK_cnt[ALLOC_BUCKETS];
+extern u32             TRK_cnt[ALLOC_BUCKETS];
 
-#  define alloc_report()
+#define alloc_report()
 
-#endif /* ^AFL_MAIN */
+#endif                                                         /* ^AFL_MAIN */
 
 /* Bucket-assigning function for a given pointer: */
 
 #define TRKH(_ptr) (((((u32)(_ptr)) >> 16) ^ ((u32)(_ptr))) % ALLOC_BUCKETS)
 
-
 /* Add a new entry to the list of allocated objects. */
 
 static inline void TRK_alloc_buf(void* ptr, const char* file, const char* func,
@@ -411,7 +433,7 @@ static inline void TRK_alloc_buf(void* ptr, const char* file, const char* func,
 
     if (!TRK[bucket][i].ptr) {
 
-      TRK[bucket][i].ptr  = ptr;
+      TRK[bucket][i].ptr = ptr;
       TRK[bucket][i].file = (char*)file;
       TRK[bucket][i].func = (char*)func;
       TRK[bucket][i].line = line;
@@ -421,10 +443,10 @@ static inline void TRK_alloc_buf(void* ptr, const char* file, const char* func,
 
   /* No space available - allocate more. */
 
-  TRK[bucket] = DFL_ck_realloc_block(TRK[bucket],
-    (TRK_cnt[bucket] + 1) * sizeof(struct TRK_obj));
+  TRK[bucket] = DFL_ck_realloc_block(
+      TRK[bucket], (TRK_cnt[bucket] + 1) * sizeof(struct TRK_obj));
 
-  TRK[bucket][i].ptr  = ptr;
+  TRK[bucket][i].ptr = ptr;
   TRK[bucket][i].file = (char*)file;
   TRK[bucket][i].func = (char*)func;
   TRK[bucket][i].line = line;
@@ -433,7 +455,6 @@ static inline void TRK_alloc_buf(void* ptr, const char* file, const char* func,
 
 }
 
-
 /* Remove entry from the list of allocated objects. */
 
 static inline void TRK_free_buf(void* ptr, const char* file, const char* func,
@@ -456,12 +477,11 @@ static inline void TRK_free_buf(void* ptr, const char* file, const char* func,
 
     }
 
-  WARNF("ALLOC: Attempt to free non-allocated memory in %s (%s:%u)",
-        func, file, line);
+  WARNF("ALLOC: Attempt to free non-allocated memory in %s (%s:%u)", func, file,
+        line);
 
 }
 
-
 /* Do a final report on all non-deallocated objects. */
 
 static inline void TRK_report(void) {
@@ -478,7 +498,6 @@ static inline void TRK_report(void) {
 
 }
 
-
 /* Simple wrappers for non-debugging functions: */
 
 static inline void* TRK_ck_alloc(u32 size, const char* file, const char* func,
@@ -490,7 +509,6 @@ static inline void* TRK_ck_alloc(u32 size, const char* file, const char* func,
 
 }
 
-
 static inline void* TRK_ck_realloc(void* orig, u32 size, const char* file,
                                    const char* func, u32 line) {
 
@@ -501,7 +519,6 @@ static inline void* TRK_ck_realloc(void* orig, u32 size, const char* file,
 
 }
 
-
 static inline void* TRK_ck_realloc_block(void* orig, u32 size, const char* file,
                                          const char* func, u32 line) {
 
@@ -512,7 +529,6 @@ static inline void* TRK_ck_realloc_block(void* orig, u32 size, const char* file,
 
 }
 
-
 static inline void* TRK_ck_strdup(u8* str, const char* file, const char* func,
                                   u32 line) {
 
@@ -522,7 +538,6 @@ static inline void* TRK_ck_strdup(u8* str, const char* file, const char* func,
 
 }
 
-
 static inline void* TRK_ck_memdup(void* mem, u32 size, const char* file,
                                   const char* func, u32 line) {
 
@@ -532,7 +547,6 @@ static inline void* TRK_ck_memdup(void* mem, u32 size, const char* file,
 
 }
 
-
 static inline void* TRK_ck_memdup_str(void* mem, u32 size, const char* file,
                                       const char* func, u32 line) {
 
@@ -542,9 +556,8 @@ static inline void* TRK_ck_memdup_str(void* mem, u32 size, const char* file,
 
 }
 
-
-static inline void TRK_ck_free(void* ptr, const char* file,
-                                const char* func, u32 line) {
+static inline void TRK_ck_free(void* ptr, const char* file, const char* func,
+                               u32 line) {
 
   TRK_free_buf(ptr, file, func, line);
   DFL_ck_free(ptr);
@@ -553,11 +566,9 @@ static inline void TRK_ck_free(void* ptr, const char* file,
 
 /* Aliasing user-facing names to tracking functions: */
 
-#define ck_alloc(_p1) \
-  TRK_ck_alloc(_p1, __FILE__, __FUNCTION__, __LINE__)
+#define ck_alloc(_p1) TRK_ck_alloc(_p1, __FILE__, __FUNCTION__, __LINE__)
 
-#define ck_alloc_nozero(_p1) \
-  TRK_ck_alloc(_p1, __FILE__, __FUNCTION__, __LINE__)
+#define ck_alloc_nozero(_p1) TRK_ck_alloc(_p1, __FILE__, __FUNCTION__, __LINE__)
 
 #define ck_realloc(_p1, _p2) \
   TRK_ck_realloc(_p1, _p2, __FILE__, __FUNCTION__, __LINE__)
@@ -565,8 +576,7 @@ static inline void TRK_ck_free(void* ptr, const char* file,
 #define ck_realloc_block(_p1, _p2) \
   TRK_ck_realloc_block(_p1, _p2, __FILE__, __FUNCTION__, __LINE__)
 
-#define ck_strdup(_p1) \
-  TRK_ck_strdup(_p1, __FILE__, __FUNCTION__, __LINE__)
+#define ck_strdup(_p1) TRK_ck_strdup(_p1, __FILE__, __FUNCTION__, __LINE__)
 
 #define ck_memdup(_p1, _p2) \
   TRK_ck_memdup(_p1, _p2, __FILE__, __FUNCTION__, __LINE__)
@@ -574,9 +584,9 @@ static inline void TRK_ck_free(void* ptr, const char* file,
 #define ck_memdup_str(_p1, _p2) \
   TRK_ck_memdup_str(_p1, _p2, __FILE__, __FUNCTION__, __LINE__)
 
-#define ck_free(_p1) \
-  TRK_ck_free(_p1, __FILE__, __FUNCTION__, __LINE__)
+#define ck_free(_p1) TRK_ck_free(_p1, __FILE__, __FUNCTION__, __LINE__)
 
-#endif /* ^!DEBUG_BUILD */
+#endif                                                     /* ^!DEBUG_BUILD */
+
+#endif                                               /* ! _HAVE_ALLOC_INL_H */
 
-#endif /* ! _HAVE_ALLOC_INL_H */

include/android-ashmem.h

@@ -0,0 +1,106 @@
+/*
+   american fuzzy lop++ - android shared memory compatibility layer
+   ----------------------------------------------------------------
+
+   Originally written by Michal Zalewski
+
+   Now maintained by by Marc Heuse <mh@mh-sec.de>,
+                        Heiko Eißfeldt <heiko.eissfeldt@hexco.de> and
+                        Andrea Fioraldi <andreafioraldi@gmail.com>
+
+   Copyright 2016, 2017 Google Inc. All rights reserved.
+   Copyright 2019 AFLplusplus Project. All rights reserved.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at:
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+   This header re-defines the shared memory routines used by AFL++
+   using the Andoid API.
+
+ */
+
+#ifndef _ANDROID_ASHMEM_H
+#define _ANDROID_ASHMEM_H
+
+#include <fcntl.h>
+#include <linux/shm.h>
+#include <linux/ashmem.h>
+#include <sys/ioctl.h>
+#include <sys/mman.h>
+
+#if __ANDROID_API__ >= 26
+#define shmat bionic_shmat
+#define shmctl bionic_shmctl
+#define shmdt bionic_shmdt
+#define shmget bionic_shmget
+#endif
+#include <sys/shm.h>
+#undef shmat
+#undef shmctl
+#undef shmdt
+#undef shmget
+#include <stdio.h>
+
+#define ASHMEM_DEVICE "/dev/ashmem"
+
+static inline int shmctl(int __shmid, int __cmd, struct shmid_ds *__buf) {
+
+  int ret = 0;
+  if (__cmd == IPC_RMID) {
+
+    int               length = ioctl(__shmid, ASHMEM_GET_SIZE, NULL);
+    struct ashmem_pin pin = {0, (unsigned int)length};
+    ret = ioctl(__shmid, ASHMEM_UNPIN, &pin);
+    close(__shmid);
+
+  }
+
+  return ret;
+
+}
+
+static inline int shmget(key_t __key, size_t __size, int __shmflg) {
+
+  (void)__shmflg;
+  int  fd, ret;
+  char ourkey[11];
+
+  fd = open(ASHMEM_DEVICE, O_RDWR);
+  if (fd < 0) return fd;
+
+  sprintf(ourkey, "%d", __key);
+  ret = ioctl(fd, ASHMEM_SET_NAME, ourkey);
+  if (ret < 0) goto error;
+
+  ret = ioctl(fd, ASHMEM_SET_SIZE, __size);
+  if (ret < 0) goto error;
+
+  return fd;
+
+error:
+  close(fd);
+  return ret;
+
+}
+
+static inline void *shmat(int __shmid, const void *__shmaddr, int __shmflg) {
+
+  (void)__shmflg;
+  int   size;
+  void *ptr;
+
+  size = ioctl(__shmid, ASHMEM_GET_SIZE, NULL);
+  if (size < 0) { return NULL; }
+
+  ptr = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, __shmid, 0);
+  if (ptr == MAP_FAILED) { return NULL; }
+
+  return ptr;
+
+}
+
+#endif
+

include/common.h

@@ -0,0 +1,37 @@
+/*
+   american fuzzy lop++ - common routines header
+   ---------------------------------------------
+
+   Originally written by Michal Zalewski
+
+   Now maintained by by Marc Heuse <mh@mh-sec.de>,
+                        Heiko Eißfeldt <heiko.eissfeldt@hexco.de> and
+                        Andrea Fioraldi <andreafioraldi@gmail.com>
+
+   Copyright 2016, 2017 Google Inc. All rights reserved.
+   Copyright 2019 AFLplusplus Project. All rights reserved.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at:
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+   Gather some functions common to multiple executables
+
+   - detect_file_args
+
+ */
+
+#ifndef __AFLCOMMON_H
+#define __AFLCOMMON_H
+#include "types.h"
+
+extern u8* target_path;                 /* Path to target binary            */
+
+void detect_file_args(char** argv, u8* prog_in);
+
+char** get_qemu_argv(u8* own_loc, char** argv, int argc);
+char** get_wine_argv(u8* own_loc, char** argv, int argc);
+#endif
+

include/config.h

@@ -0,0 +1,389 @@
+/*
+   american fuzzy lop++ - vaguely configurable bits
+   ------------------------------------------------
+
+   Originally written by Michal Zalewski
+
+   Now maintained by by Marc Heuse <mh@mh-sec.de>,
+                        Heiko Eißfeldt <heiko.eissfeldt@hexco.de> and
+                        Andrea Fioraldi <andreafioraldi@gmail.com>
+
+   Copyright 2016, 2017 Google Inc. All rights reserved.
+   Copyright 2019 AFLplusplus Project. All rights reserved.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at:
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ */
+
+#ifndef _HAVE_CONFIG_H
+#define _HAVE_CONFIG_H
+
+#include "types.h"
+
+/* Version string: */
+
+#define VERSION "++2.59d"  // c = release, d = volatile github dev
+
+/******************************************************
+ *                                                    *
+ *  Settings that may be of interest to power users:  *
+ *                                                    *
+ ******************************************************/
+
+/* Comment out to disable terminal colors (note that this makes afl-analyze
+   a lot less nice): */
+
+#define USE_COLOR
+
+/* Comment out to disable fancy ANSI boxes and use poor man's 7-bit UI: */
+
+#ifndef ANDROID_DISABLE_FANCY  // Fancy boxes are ugly from adb
+#define FANCY_BOXES
+#endif
+
+/* Default timeout for fuzzed code (milliseconds). This is the upper bound,
+   also used for detecting hangs; the actual value is auto-scaled: */
+
+#define EXEC_TIMEOUT 1000
+
+/* Timeout rounding factor when auto-scaling (milliseconds): */
+
+#define EXEC_TM_ROUND 20
+
+/* 64bit arch MACRO */
+#if (defined(__x86_64__) || defined(__arm64__) || defined(__aarch64__))
+#define WORD_SIZE_64 1
+#endif
+
+/* Default memory limit for child process (MB): */
+
+#ifndef WORD_SIZE_64
+#define MEM_LIMIT 25
+#else
+#define MEM_LIMIT 50
+#endif                                                    /* ^!WORD_SIZE_64 */
+
+/* Default memory limit when running in QEMU mode (MB): */
+
+#define MEM_LIMIT_QEMU 200
+
+/* Default memory limit when running in Unicorn mode (MB): */
+
+#define MEM_LIMIT_UNICORN 200
+
+/* Number of calibration cycles per every new test case (and for test
+   cases that show variable behavior): */
+
+#define CAL_CYCLES 8
+#define CAL_CYCLES_LONG 40
+
+/* Number of subsequent timeouts before abandoning an input file: */
+
+#define TMOUT_LIMIT 250
+
+/* Maximum number of unique hangs or crashes to record: */
+
+#define KEEP_UNIQUE_HANG 500
+#define KEEP_UNIQUE_CRASH 5000
+
+/* Baseline number of random tweaks during a single 'havoc' stage: */
+
+#define HAVOC_CYCLES 256
+#define HAVOC_CYCLES_INIT 1024
+
+/* Maximum multiplier for the above (should be a power of two, beware
+   of 32-bit int overflows): */
+
+#define HAVOC_MAX_MULT 16
+#define HAVOC_MAX_MULT_MOPT 32
+
+/* Absolute minimum number of havoc cycles (after all adjustments): */
+
+#define HAVOC_MIN 16
+
+/* Power Schedule Divisor */
+#define POWER_BETA 1
+#define MAX_FACTOR (POWER_BETA * 32)
+
+/* Maximum stacking for havoc-stage tweaks. The actual value is calculated
+   like this:
+
+   n = random between 1 and HAVOC_STACK_POW2
+   stacking = 2^n
+
+   In other words, the default (n = 7) produces 2, 4, 8, 16, 32, 64, or
+   128 stacked tweaks: */
+
+#define HAVOC_STACK_POW2 7
+
+/* Caps on block sizes for cloning and deletion operations. Each of these
+   ranges has a 33% probability of getting picked, except for the first
+   two cycles where smaller blocks are favored: */
+
+#define HAVOC_BLK_SMALL 32
+#define HAVOC_BLK_MEDIUM 128
+#define HAVOC_BLK_LARGE 1500
+
+/* Extra-large blocks, selected very rarely (<5% of the time): */
+
+#define HAVOC_BLK_XL 32768
+
+/* Probabilities of skipping non-favored entries in the queue, expressed as
+   percentages: */
+
+#define SKIP_TO_NEW_PROB 99     /* ...when there are new, pending favorites */
+#define SKIP_NFAV_OLD_PROB 95   /* ...no new favs, cur entry already fuzzed */
+#define SKIP_NFAV_NEW_PROB 75   /* ...no new favs, cur entry not fuzzed yet */
+
+/* Splicing cycle count: */
+
+#define SPLICE_CYCLES 15
+
+/* Nominal per-splice havoc cycle length: */
+
+#define SPLICE_HAVOC 32
+
+/* Maximum offset for integer addition / subtraction stages: */
+
+#define ARITH_MAX 35
+
+/* Limits for the test case trimmer. The absolute minimum chunk size; and
+   the starting and ending divisors for chopping up the input file: */
+
+#define TRIM_MIN_BYTES 4
+#define TRIM_START_STEPS 16
+#define TRIM_END_STEPS 1024
+
+/* Maximum size of input file, in bytes (keep under 100MB): */
+
+#define MAX_FILE (1 * 1024 * 1024)
+
+/* The same, for the test case minimizer: */
+
+#define TMIN_MAX_FILE (10 * 1024 * 1024)
+
+/* Block normalization steps for afl-tmin: */
+
+#define TMIN_SET_MIN_SIZE 4
+#define TMIN_SET_STEPS 128
+
+/* Maximum dictionary token size (-x), in bytes: */
+
+#define MAX_DICT_FILE 128
+
+/* Length limits for auto-detected dictionary tokens: */
+
+#define MIN_AUTO_EXTRA 3
+#define MAX_AUTO_EXTRA 32
+
+/* Maximum number of user-specified dictionary tokens to use in deterministic
+   steps; past this point, the "extras/user" step will be still carried out,
+   but with proportionally lower odds: */
+
+#define MAX_DET_EXTRAS 200
+
+/* Maximum number of auto-extracted dictionary tokens to actually use in fuzzing
+   (first value), and to keep in memory as candidates. The latter should be much
+   higher than the former. */
+
+#define USE_AUTO_EXTRAS 50
+#define MAX_AUTO_EXTRAS (USE_AUTO_EXTRAS * 10)
+
+/* Scaling factor for the effector map used to skip some of the more
+   expensive deterministic steps. The actual divisor is set to
+   2^EFF_MAP_SCALE2 bytes: */
+
+#define EFF_MAP_SCALE2 3
+
+/* Minimum input file length at which the effector logic kicks in: */
+
+#define EFF_MIN_LEN 128
+
+/* Maximum effector density past which everything is just fuzzed
+   unconditionally (%): */
+
+#define EFF_MAX_PERC 90
+
+/* UI refresh frequency (Hz): */
+
+#define UI_TARGET_HZ 5
+
+/* Fuzzer stats file and plot update intervals (sec): */
+
+#define STATS_UPDATE_SEC 60
+#define PLOT_UPDATE_SEC 5
+
+/* Smoothing divisor for CPU load and exec speed stats (1 - no smoothing). */
+
+#define AVG_SMOOTHING 16
+
+/* Sync interval (every n havoc cycles): */
+
+#define SYNC_INTERVAL 5
+
+/* Output directory reuse grace period (minutes): */
+
+#define OUTPUT_GRACE 25
+
+/* Uncomment to use simple file names (id_NNNNNN): */
+
+// #define SIMPLE_FILES
+
+/* List of interesting values to use in fuzzing. */
+
+#define INTERESTING_8                                    \
+  -128,    /* Overflow signed 8-bit when decremented  */ \
+      -1,  /*                                         */ \
+      0,   /*                                         */ \
+      1,   /*                                         */ \
+      16,  /* One-off with common buffer size         */ \
+      32,  /* One-off with common buffer size         */ \
+      64,  /* One-off with common buffer size         */ \
+      100, /* One-off with common buffer size         */ \
+      127                        /* Overflow signed 8-bit when incremented  */
+
+#define INTERESTING_8_LEN 9
+
+#define INTERESTING_16                                    \
+  -32768,   /* Overflow signed 16-bit when decremented */ \
+      -129, /* Overflow signed 8-bit                   */ \
+      128,  /* Overflow signed 8-bit                   */ \
+      255,  /* Overflow unsig 8-bit when incremented   */ \
+      256,  /* Overflow unsig 8-bit                    */ \
+      512,  /* One-off with common buffer size         */ \
+      1000, /* One-off with common buffer size         */ \
+      1024, /* One-off with common buffer size         */ \
+      4096, /* One-off with common buffer size         */ \
+      32767                      /* Overflow signed 16-bit when incremented */
+
+#define INTERESTING_16_LEN 10
+
+#define INTERESTING_32                                          \
+  -2147483648LL,  /* Overflow signed 32-bit when decremented */ \
+      -100663046, /* Large negative number (endian-agnostic) */ \
+      -32769,     /* Overflow signed 16-bit                  */ \
+      32768,      /* Overflow signed 16-bit                  */ \
+      65535,      /* Overflow unsig 16-bit when incremented  */ \
+      65536,      /* Overflow unsig 16 bit                   */ \
+      100663045,  /* Large positive number (endian-agnostic) */ \
+      2147483647                 /* Overflow signed 32-bit when incremented */
+
+#define INTERESTING_32_LEN 8
+
+/***********************************************************
+ *                                                         *
+ *  Really exotic stuff you probably don't want to touch:  *
+ *                                                         *
+ ***********************************************************/
+
+/* Call count interval between reseeding the libc PRNG from /dev/urandom: */
+
+#define RESEED_RNG 10000
+
+/* Maximum line length passed from GCC to 'as' and used for parsing
+   configuration files: */
+
+#define MAX_LINE 8192
+
+/* Environment variable used to pass SHM ID to the called program. */
+
+#define SHM_ENV_VAR "__AFL_SHM_ID"
+
+/* Other less interesting, internal-only variables. */
+
+#define CLANG_ENV_VAR "__AFL_CLANG_MODE"
+#define AS_LOOP_ENV_VAR "__AFL_AS_LOOPCHECK"
+#define PERSIST_ENV_VAR "__AFL_PERSISTENT"
+#define DEFER_ENV_VAR "__AFL_DEFER_FORKSRV"
+
+/* In-code signatures for deferred and persistent mode. */
+
+#define PERSIST_SIG "##SIG_AFL_PERSISTENT##"
+#define DEFER_SIG "##SIG_AFL_DEFER_FORKSRV##"
+
+/* Distinctive bitmap signature used to indicate failed execution: */
+
+#define EXEC_FAIL_SIG 0xfee1dead
+
+/* Distinctive exit code used to indicate MSAN trip condition: */
+
+#define MSAN_ERROR 86
+
+/* Designated file descriptors for forkserver commands (the application will
+   use FORKSRV_FD and FORKSRV_FD + 1): */
+
+#define FORKSRV_FD 198
+
+/* Fork server init timeout multiplier: we'll wait the user-selected
+   timeout plus this much for the fork server to spin up. */
+
+#define FORK_WAIT_MULT 10
+
+/* Calibration timeout adjustments, to be a bit more generous when resuming
+   fuzzing sessions or trying to calibrate already-added internal finds.
+   The first value is a percentage, the other is in milliseconds: */
+
+#define CAL_TMOUT_PERC 125
+#define CAL_TMOUT_ADD 50
+
+/* Number of chances to calibrate a case before giving up: */
+
+#define CAL_CHANCES 3
+
+/* Map size for the traced binary (2^MAP_SIZE_POW2). Must be greater than
+   2; you probably want to keep it under 18 or so for performance reasons
+   (adjusting AFL_INST_RATIO when compiling is probably a better way to solve
+   problems with complex programs). You need to recompile the target binary
+   after changing this - otherwise, SEGVs may ensue. */
+
+#define MAP_SIZE_POW2 16
+#define MAP_SIZE (1 << MAP_SIZE_POW2)
+
+/* Maximum allocator request size (keep well under INT_MAX): */
+
+#define MAX_ALLOC 0x40000000
+
+/* A made-up hashing seed: */
+
+#define HASH_CONST 0xa5b35705
+
+/* Constants for afl-gotcpu to control busy loop timing: */
+
+#define CTEST_TARGET_MS 5000
+#define CTEST_CORE_TRG_MS 1000
+#define CTEST_BUSY_CYCLES (10 * 1000 * 1000)
+
+/* Enable NeverZero counters in QEMU mode */
+
+#define AFL_QEMU_NOT_ZERO
+
+/* Uncomment this to use inferior block-coverage-based instrumentation. Note
+   that you need to recompile the target binary for this to have any effect: */
+
+// #define COVERAGE_ONLY
+
+/* Uncomment this to ignore hit counts and output just one bit per tuple.
+   As with the previous setting, you will need to recompile the target
+   binary: */
+
+// #define SKIP_COUNTS
+
+/* Uncomment this to use instrumentation data to record newly discovered paths,
+   but do not use them as seeds for fuzzing. This is useful for conveniently
+   measuring coverage that could be attained by a "dumb" fuzzing algorithm: */
+
+// #define IGNORE_FINDS
+
+/* for *BSD: use ARC4RANDOM and save a file descriptor */
+#if defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__)
+#ifndef HAVE_ARC4RANDOM
+#define HAVE_ARC4RANDOM 1
+#endif
+#endif                           /* __APPLE__ || __FreeBSD__ || __OpenBSD__ */
+
+#endif                                                  /* ! _HAVE_CONFIG_H */
+

include/debug.h

@@ -0,0 +1,290 @@
+/*
+   american fuzzy lop++ - debug / error handling macros
+   ----------------------------------------------------
+
+   Originally written by Michal Zalewski
+
+   Now maintained by by Marc Heuse <mh@mh-sec.de>,
+                        Heiko Eißfeldt <heiko.eissfeldt@hexco.de> and
+                        Andrea Fioraldi <andreafioraldi@gmail.com>
+
+   Copyright 2016, 2017 Google Inc. All rights reserved.
+   Copyright 2019 AFLplusplus Project. All rights reserved.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at:
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ */
+
+#ifndef _HAVE_DEBUG_H
+#define _HAVE_DEBUG_H
+
+#include <errno.h>
+
+#include "types.h"
+#include "config.h"
+
+/*******************
+ * Terminal colors *
+ *******************/
+
+#ifdef USE_COLOR
+
+#define cBLK "\x1b[0;30m"
+#define cRED "\x1b[0;31m"
+#define cGRN "\x1b[0;32m"
+#define cBRN "\x1b[0;33m"
+#define cBLU "\x1b[0;34m"
+#define cMGN "\x1b[0;35m"
+#define cCYA "\x1b[0;36m"
+#define cLGR "\x1b[0;37m"
+#define cGRA "\x1b[1;90m"
+#define cLRD "\x1b[1;91m"
+#define cLGN "\x1b[1;92m"
+#define cYEL "\x1b[1;93m"
+#define cLBL "\x1b[1;94m"
+#define cPIN "\x1b[1;95m"
+#define cLCY "\x1b[1;96m"
+#define cBRI "\x1b[1;97m"
+#define cRST "\x1b[0m"
+
+#define bgBLK "\x1b[40m"
+#define bgRED "\x1b[41m"
+#define bgGRN "\x1b[42m"
+#define bgBRN "\x1b[43m"
+#define bgBLU "\x1b[44m"
+#define bgMGN "\x1b[45m"
+#define bgCYA "\x1b[46m"
+#define bgLGR "\x1b[47m"
+#define bgGRA "\x1b[100m"
+#define bgLRD "\x1b[101m"
+#define bgLGN "\x1b[102m"
+#define bgYEL "\x1b[103m"
+#define bgLBL "\x1b[104m"
+#define bgPIN "\x1b[105m"
+#define bgLCY "\x1b[106m"
+#define bgBRI "\x1b[107m"
+
+#else
+
+#define cBLK ""
+#define cRED ""
+#define cGRN ""
+#define cBRN ""
+#define cBLU ""
+#define cMGN ""
+#define cCYA ""
+#define cLGR ""
+#define cGRA ""
+#define cLRD ""
+#define cLGN ""
+#define cYEL ""
+#define cLBL ""
+#define cPIN ""
+#define cLCY ""
+#define cBRI ""
+#define cRST ""
+
+#define bgBLK ""
+#define bgRED ""
+#define bgGRN ""
+#define bgBRN ""
+#define bgBLU ""
+#define bgMGN ""
+#define bgCYA ""
+#define bgLGR ""
+#define bgGRA ""
+#define bgLRD ""
+#define bgLGN ""
+#define bgYEL ""
+#define bgLBL ""
+#define bgPIN ""
+#define bgLCY ""
+#define bgBRI ""
+
+#endif                                                        /* ^USE_COLOR */
+
+/*************************
+ * Box drawing sequences *
+ *************************/
+
+#ifdef FANCY_BOXES
+
+#define SET_G1 "\x1b)0"                        /* Set G1 for box drawing    */
+#define RESET_G1 "\x1b)B"                      /* Reset G1 to ASCII         */
+#define bSTART "\x0e"                          /* Enter G1 drawing mode     */
+#define bSTOP "\x0f"                           /* Leave G1 drawing mode     */
+#define bH "q"                                 /* Horizontal line           */
+#define bV "x"                                 /* Vertical line             */
+#define bLT "l"                                /* Left top corner           */
+#define bRT "k"                                /* Right top corner          */
+#define bLB "m"                                /* Left bottom corner        */
+#define bRB "j"                                /* Right bottom corner       */
+#define bX "n"                                 /* Cross                     */
+#define bVR "t"                                /* Vertical, branch right    */
+#define bVL "u"                                /* Vertical, branch left     */
+#define bHT "v"                                /* Horizontal, branch top    */
+#define bHB "w"                                /* Horizontal, branch bottom */
+
+#else
+
+#define SET_G1 ""
+#define RESET_G1 ""
+#define bSTART ""
+#define bSTOP ""
+#define bH "-"
+#define bV "|"
+#define bLT "+"
+#define bRT "+"
+#define bLB "+"
+#define bRB "+"
+#define bX "+"
+#define bVR "+"
+#define bVL "+"
+#define bHT "+"
+#define bHB "+"
+
+#endif                                                      /* ^FANCY_BOXES */
+
+/***********************
+ * Misc terminal codes *
+ ***********************/
+
+#define TERM_HOME "\x1b[H"
+#define TERM_CLEAR TERM_HOME "\x1b[2J"
+#define cEOL "\x1b[0K"
+#define CURSOR_HIDE "\x1b[?25l"
+#define CURSOR_SHOW "\x1b[?25h"
+
+/************************
+ * Debug & error macros *
+ ************************/
+
+/* Just print stuff to the appropriate stream. */
+
+#ifdef MESSAGES_TO_STDOUT
+#define SAYF(x...) printf(x)
+#else
+#define SAYF(x...) fprintf(stderr, x)
+#endif                                               /* ^MESSAGES_TO_STDOUT */
+
+/* Show a prefixed warning. */
+
+#define WARNF(x...)                            \
+  do {                                         \
+                                               \
+    SAYF(cYEL "[!] " cBRI "WARNING: " cRST x); \
+    SAYF(cRST "\n");                           \
+                                               \
+  } while (0)
+
+/* Show a prefixed "doing something" message. */
+
+#define ACTF(x...)            \
+  do {                        \
+                              \
+    SAYF(cLBL "[*] " cRST x); \
+    SAYF(cRST "\n");          \
+                              \
+  } while (0)
+
+/* Show a prefixed "success" message. */
+
+#define OKF(x...)             \
+  do {                        \
+                              \
+    SAYF(cLGN "[+] " cRST x); \
+    SAYF(cRST "\n");          \
+                              \
+  } while (0)
+
+/* Show a prefixed fatal error message (not used in afl). */
+
+#define BADF(x...)              \
+  do {                          \
+                                \
+    SAYF(cLRD "\n[-] " cRST x); \
+    SAYF(cRST "\n");            \
+                                \
+  } while (0)
+
+/* Die with a verbose non-OS fatal error message. */
+
+#define FATAL(x...)                                                          \
+  do {                                                                       \
+                                                                             \
+    SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD                                \
+         "\n[-] PROGRAM ABORT : " cRST   x);                                   \
+    SAYF(cLRD "\n         Location : " cRST "%s(), %s:%u\n\n", __FUNCTION__, \
+         __FILE__, __LINE__);                                                \
+    exit(1);                                                                 \
+                                                                             \
+  } while (0)
+
+/* Die by calling abort() to provide a core dump. */
+
+#define ABORT(x...)                                                          \
+  do {                                                                       \
+                                                                             \
+    SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD                                \
+         "\n[-] PROGRAM ABORT : " cRST   x);                                   \
+    SAYF(cLRD "\n    Stop location : " cRST "%s(), %s:%u\n\n", __FUNCTION__, \
+         __FILE__, __LINE__);                                                \
+    abort();                                                                 \
+                                                                             \
+  } while (0)
+
+/* Die while also including the output of perror(). */
+
+#define PFATAL(x...)                                                       \
+  do {                                                                     \
+                                                                           \
+    fflush(stdout);                                                        \
+    SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD                              \
+         "\n[-]  SYSTEM ERROR : " cRST   x);                                 \
+    SAYF(cLRD "\n    Stop location : " cRST "%s(), %s:%u\n", __FUNCTION__, \
+         __FILE__, __LINE__);                                              \
+    SAYF(cLRD "       OS message : " cRST "%s\n", strerror(errno));        \
+    exit(1);                                                               \
+                                                                           \
+  } while (0)
+
+/* Die with FAULT() or PFAULT() depending on the value of res (used to
+   interpret different failure modes for read(), write(), etc). */
+
+#define RPFATAL(res, x...) \
+  do {                     \
+                           \
+    if (res < 0)           \
+      PFATAL(x);           \
+    else                   \
+      FATAL(x);            \
+                           \
+  } while (0)
+
+/* Error-checking versions of read() and write() that call RPFATAL() as
+   appropriate. */
+
+#define ck_write(fd, buf, len, fn)                            \
+  do {                                                        \
+                                                              \
+    u32 _len = (len);                                         \
+    s32 _res = write(fd, buf, _len);                          \
+    if (_res != _len) RPFATAL(_res, "Short write to %s", fn); \
+                                                              \
+  } while (0)
+
+#define ck_read(fd, buf, len, fn)                              \
+  do {                                                         \
+                                                               \
+    u32 _len = (len);                                          \
+    s32 _res = read(fd, buf, _len);                            \
+    if (_res != _len) RPFATAL(_res, "Short read from %s", fn); \
+                                                               \
+  } while (0)
+
+#endif                                                   /* ! _HAVE_DEBUG_H */
+

include/forkserver.h

@@ -0,0 +1,51 @@
+/*
+   american fuzzy lop++ - forkserver header
+   ----------------------------------------
+
+   Originally written by Michal Zalewski
+
+   Forkserver design by Jann Horn <jannhorn@googlemail.com>
+
+   Now maintained by by Marc Heuse <mh@mh-sec.de>,
+                        Heiko Eißfeldt <heiko.eissfeldt@hexco.de> and
+                        Andrea Fioraldi <andreafioraldi@gmail.com>
+
+   Copyright 2016, 2017 Google Inc. All rights reserved.
+   Copyright 2019 AFLplusplus Project. All rights reserved.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at:
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+   Shared code that implements a forkserver. This is used by the fuzzer
+   as well the other components like afl-tmin.
+
+ */
+
+#ifndef __AFL_FORKSERVER_H
+#define __AFL_FORKSERVER_H
+
+void handle_timeout(int sig);
+void init_forkserver(char **argv);
+
+#ifdef __APPLE__
+#define MSG_FORK_ON_APPLE                                                    \
+  "    - On MacOS X, the semantics of fork() syscalls are non-standard and " \
+  "may\n"                                                                    \
+  "      break afl-fuzz performance optimizations when running "             \
+  "platform-specific\n"                                                      \
+  "      targets. To fix this, set AFL_NO_FORKSRV=1 in the environment.\n\n"
+#else
+#define MSG_FORK_ON_APPLE ""
+#endif
+
+#ifdef RLIMIT_AS
+#define MSG_ULIMIT_USAGE "      ( ulimit -Sv $[%llu << 10];"
+#else
+#define MSG_ULIMIT_USAGE "      ( ulimit -Sd $[%llu << 10];"
+#endif                                                        /* ^RLIMIT_AS */
+
+#endif
+

include/hash.h

@@ -1,6 +1,6 @@
 /*
-   american fuzzy lop - hashing function
-   -------------------------------------
+   american fuzzy lop++ - hashing function
+   ---------------------------------------
 
    The hash32() function is a variant of MurmurHash3, a good
    non-cryptosafe hashing function developed by Austin Appleby.
@@ -12,7 +12,7 @@
 
    Austin's original code is public domain.
 
-   Other code written and maintained by Michal Zalewski <lcamtuf@google.com>
+   Other code written by Michal Zalewski
 
    Copyright 2016 Google Inc. All rights reserved.
 
@@ -31,12 +31,12 @@
 
 #ifdef __x86_64__
 
-#define ROL64(_x, _r)  ((((u64)(_x)) << (_r)) | (((u64)(_x)) >> (64 - (_r))))
+#define ROL64(_x, _r) ((((u64)(_x)) << (_r)) | (((u64)(_x)) >> (64 - (_r))))
 
 static inline u32 hash32(const void* key, u32 len, u32 seed) {
 
   const u64* data = (u64*)key;
-  u64 h1 = seed ^ len;
+  u64        h1 = seed ^ len;
 
   len >>= 3;
 
@@ -45,12 +45,12 @@ static inline u32 hash32(const void* key, u32 len, u32 seed) {
     u64 k1 = *data++;
 
     k1 *= 0x87c37b91114253d5ULL;
-    k1  = ROL64(k1, 31);
+    k1 = ROL64(k1, 31);
     k1 *= 0x4cf5ad432745937fULL;
 
     h1 ^= k1;
-    h1  = ROL64(h1, 27);
-    h1  = h1 * 5 + 0x52dce729;
+    h1 = ROL64(h1, 27);
+    h1 = h1 * 5 + 0x52dce729;
 
   }
 
@@ -64,14 +64,14 @@ static inline u32 hash32(const void* key, u32 len, u32 seed) {
 
 }
 
-#else 
+#else
 
-#define ROL32(_x, _r)  ((((u32)(_x)) << (_r)) | (((u32)(_x)) >> (32 - (_r))))
+#define ROL32(_x, _r) ((((u32)(_x)) << (_r)) | (((u32)(_x)) >> (32 - (_r))))
 
 static inline u32 hash32(const void* key, u32 len, u32 seed) {
 
-  const u32* data  = (u32*)key;
-  u32 h1 = seed ^ len;
+  const u32* data = (u32*)key;
+  u32        h1 = seed ^ len;
 
   len >>= 2;
 
@@ -80,12 +80,12 @@ static inline u32 hash32(const void* key, u32 len, u32 seed) {
     u32 k1 = *data++;
 
     k1 *= 0xcc9e2d51;
-    k1  = ROL32(k1, 15);
+    k1 = ROL32(k1, 15);
     k1 *= 0x1b873593;
 
     h1 ^= k1;
-    h1  = ROL32(h1, 13);
-    h1  = h1 * 5 + 0xe6546b64;
+    h1 = ROL32(h1, 13);
+    h1 = h1 * 5 + 0xe6546b64;
 
   }
 
@@ -99,6 +99,7 @@ static inline u32 hash32(const void* key, u32 len, u32 seed) {
 
 }
 
-#endif /* ^__x86_64__ */
+#endif                                                       /* ^__x86_64__ */
+
+#endif                                                     /* !_HAVE_HASH_H */
 
-#endif /* !_HAVE_HASH_H */

include/sharedmem.h

@@ -0,0 +1,34 @@
+/*
+   american fuzzy lop++ - shared memory related header
+   ---------------------------------------------------
+
+   Originally written by Michal Zalewski
+
+   Forkserver design by Jann Horn <jannhorn@googlemail.com>
+
+   Now maintained by by Marc Heuse <mh@mh-sec.de>,
+                        Heiko Eißfeldt <heiko.eissfeldt@hexco.de> and
+                        Andrea Fioraldi <andreafioraldi@gmail.com>
+
+   Copyright 2016, 2017 Google Inc. All rights reserved.
+   Copyright 2019 AFLplusplus Project. All rights reserved.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at:
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+   Shared code to handle the shared memory. This is used by the fuzzer
+   as well the other components like afl-tmin, afl-showmap, etc...
+
+ */
+
+#ifndef __AFL_SHAREDMEM_H
+#define __AFL_SHAREDMEM_H
+
+void setup_shm(unsigned char dumb_mode);
+void remove_shm(void);
+
+#endif
+

include/types.h

@@ -0,0 +1,113 @@
+/*
+   american fuzzy lop++ - type definitions and minor macros
+   --------------------------------------------------------
+
+   Originally written by Michal Zalewski
+
+   Now maintained by by Marc Heuse <mh@mh-sec.de>,
+                        Heiko Eißfeldt <heiko.eissfeldt@hexco.de> and
+                        Andrea Fioraldi <andreafioraldi@gmail.com>
+
+   Copyright 2016, 2017 Google Inc. All rights reserved.
+   Copyright 2019 AFLplusplus Project. All rights reserved.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at:
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ */
+
+#ifndef _HAVE_TYPES_H
+#define _HAVE_TYPES_H
+
+#include <stdint.h>
+#include <stdlib.h>
+
+typedef uint8_t  u8;
+typedef uint16_t u16;
+typedef uint32_t u32;
+
+/*
+
+   Ugh. There is an unintended compiler / glibc #include glitch caused by
+   combining the u64 type an %llu in format strings, necessitating a workaround.
+
+   In essence, the compiler is always looking for 'unsigned long long' for %llu.
+   On 32-bit systems, the u64 type (aliased to uint64_t) is expanded to
+   'unsigned long long' in <bits/types.h>, so everything checks out.
+
+   But on 64-bit systems, it is #ifdef'ed in the same file as 'unsigned long'.
+   Now, it only happens in circumstances where the type happens to have the
+   expected bit width, *but* the compiler does not know that... and complains
+   about 'unsigned long' being unsafe to pass to %llu.
+
+ */
+
+#ifdef __x86_64__
+typedef unsigned long long u64;
+#else
+typedef uint64_t u64;
+#endif                                                       /* ^__x86_64__ */
+
+typedef int8_t  s8;
+typedef int16_t s16;
+typedef int32_t s32;
+typedef int64_t s64;
+
+#ifndef MIN
+#define MIN(_a, _b) ((_a) > (_b) ? (_b) : (_a))
+#define MAX(_a, _b) ((_a) > (_b) ? (_a) : (_b))
+#endif                                                              /* !MIN */
+
+#define SWAP16(_x)                    \
+  ({                                  \
+                                      \
+    u16 _ret = (_x);                  \
+    (u16)((_ret << 8) | (_ret >> 8)); \
+                                      \
+  })
+
+#define SWAP32(_x)                                                   \
+  ({                                                                 \
+                                                                     \
+    u32 _ret = (_x);                                                 \
+    (u32)((_ret << 24) | (_ret >> 24) | ((_ret << 8) & 0x00FF0000) | \
+          ((_ret >> 8) & 0x0000FF00));                               \
+                                                                     \
+  })
+
+#ifdef AFL_LLVM_PASS
+#if defined(__linux__)
+#define AFL_SR(s) (srandom(s))
+#define AFL_R(x) (random() % (x))
+#else
+#define AFL_SR(s) ((void)s)
+#define AFL_R(x) (arc4random_uniform(x))
+#endif
+#else
+#if defined(__linux__)
+#define SR(s) (srandom(s))
+#define R(x) (random() % (x))
+#else
+#define SR(s) ((void)s)
+#define R(x) (arc4random_uniform(x))
+#endif
+#endif                                                    /* ^AFL_LLVM_PASS */
+
+#define STRINGIFY_INTERNAL(x) #x
+#define STRINGIFY(x) STRINGIFY_INTERNAL(x)
+
+#define MEM_BARRIER() __asm__ volatile("" ::: "memory")
+
+#if __GNUC__ < 6
+#define likely(_x) (_x)
+#define unlikely(_x) (_x)
+#else
+#define likely(_x) __builtin_expect(!!(_x), 1)
+#define unlikely(_x) __builtin_expect(!!(_x), 0)
+#endif
+
+#endif                                                   /* ! _HAVE_TYPES_H */
+

libdislocator/Makefile

@@ -2,7 +2,7 @@
 # american fuzzy lop - libdislocator
 # ----------------------------------
 #
-# Written by Michal Zalewski <lcamtuf@google.com>
+# Written by Michal Zalewski
 #
 # Copyright 2016 Google Inc. All rights reserved.
 #
@@ -18,21 +18,27 @@ HELPER_PATH  = $(PREFIX)/lib/afl
 
 VERSION     = $(shell grep '^\#define VERSION ' ../config.h | cut -d '"' -f2)
 
-CFLAGS      ?= -O3 -funroll-loops
+CFLAGS      ?= -O3 -funroll-loops -I ../include/
 CFLAGS      += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign
 
+ifdef USEHUGEPAGE
+	CFLAGS += -DUSEHUGEPAGE
+endif
+
 all: libdislocator.so
 
+VPATH = ..
 libdislocator.so: libdislocator.so.c ../config.h
-	$(CC) $(CFLAGS) -shared -fPIC $< -o $@ $(LDFLAGS)
+	$(CC) $(CFLAGS) -shared -fPIC $< -o ../$@ $(LDFLAGS)
 
 .NOTPARALLEL: clean
 
 clean:
 	rm -f *.o *.so *~ a.out core core.[1-9][0-9]*
-	rm -f libdislocator.so
+	rm -f ../libdislocator.so
 
 install: all
-	install -m 755 libdislocator.so $${DESTDIR}$(HELPER_PATH)
-	install -m 644 README.dislocator $${DESTDIR}$(HELPER_PATH)
+	install -m 755 -d $${DESTDIR}$(HELPER_PATH)
+	install -m 755 ../libdislocator.so $${DESTDIR}$(HELPER_PATH)
+	install -m 644 README.dislocator.md $${DESTDIR}$(HELPER_PATH)
 

libdislocator/README.dislocator.md

@@ -1,6 +1,4 @@
-===================================
-libdislocator, an abusive allocator
-===================================
+# libdislocator, an abusive allocator
 
   (See ../docs/README for the general instruction manual.)
 
@@ -27,6 +25,8 @@ heap-related security bugs in several ways:
   - It checks for calloc() overflows and can cause soft or hard failures
     of alloc requests past a configurable memory limit (AFL_LD_LIMIT_MB,
     AFL_LD_HARD_FAIL).
+  - Optionally, in platforms supporting it, huge pages can be used by passing
+    USEHUGEPAGE=1 to make.
 
 Basically, it is inspired by some of the non-default options available for the
 OpenBSD allocator - see malloc.conf(5) on that platform for reference. It is
@@ -45,7 +45,9 @@ when fuzzing small, self-contained binaries.
 
 To use this library, run AFL like so:
 
+```
 AFL_PRELOAD=/path/to/libdislocator.so ./afl-fuzz [...other params...]
+```
 
 You *have* to specify path, even if it's just ./libdislocator.so or
 $PWD/libdislocator.so.

libdislocator/libdislocator.so.c

@@ -3,7 +3,7 @@
    american fuzzy lop - dislocator, an abusive allocator
    -----------------------------------------------------
 
-   Written and maintained by Michal Zalewski <lcamtuf@google.com>
+   Written by Michal Zalewski
 
    Copyright 2016 Google Inc. All rights reserved.
 
@@ -14,7 +14,7 @@
      http://www.apache.org/licenses/LICENSE-2.0
 
    This is a companion library that can be used as a drop-in replacement
-   for the libc allocator in the fuzzed binaries. See README.dislocator for
+   for the libc allocator in the fuzzed binaries. See README.dislocator.md for
    more info.
 
  */
@@ -23,38 +23,85 @@
 #include <stdlib.h>
 #include <string.h>
 #include <limits.h>
+#include <errno.h>
 #include <sys/mman.h>
 
-#include "../config.h"
-#include "../types.h"
+#ifdef __APPLE__
+#include <mach/vm_statistics.h>
+#endif
+
+#ifdef __linux__
+#include <unistd.h>
+#include <sys/syscall.h>
+#ifdef __NR_getrandom
+#define arc4random_buf(p, l)                       \
+  do {                                             \
+                                                   \
+    ssize_t rd = syscall(__NR_getrandom, p, l, 0); \
+    if (rd != l) DEBUGF("getrandom failed");       \
+                                                   \
+  } while (0)
+
+#else
+#include <time.h>
+#define arc4random_buf(p, l)     \
+  do {                           \
+                                 \
+    srand(time(NULL));           \
+    u32 i;                       \
+    u8* ptr = (u8*)p;            \
+    for (i = 0; i < l; i++)      \
+      ptr[i] = rand() % INT_MAX; \
+                                 \
+  } while (0)
+
+#endif
+#endif
+
+#include "config.h"
+#include "types.h"
 
 #ifndef PAGE_SIZE
-#  define PAGE_SIZE 4096
-#endif /* !PAGE_SIZE */
+#define PAGE_SIZE 4096
+#endif                                                        /* !PAGE_SIZE */
 
 #ifndef MAP_ANONYMOUS
-#  define MAP_ANONYMOUS MAP_ANON
-#endif /* !MAP_ANONYMOUS */
+#define MAP_ANONYMOUS MAP_ANON
+#endif                                                    /* !MAP_ANONYMOUS */
+
+#define SUPER_PAGE_SIZE 1 << 21
 
 /* Error / message handling: */
 
-#define DEBUGF(_x...) do { \
-    if (alloc_verbose) { \
-      if (++call_depth == 1) { \
+#define DEBUGF(_x...)                 \
+  do {                                \
+                                      \
+    if (alloc_verbose) {              \
+                                      \
+      if (++call_depth == 1) {        \
+                                      \
         fprintf(stderr, "[AFL] " _x); \
-        fprintf(stderr, "\n"); \
-      } \
-      call_depth--; \
-    } \
+        fprintf(stderr, "\n");        \
+                                      \
+      }                               \
+      call_depth--;                   \
+                                      \
+    }                                 \
+                                      \
   } while (0)
 
-#define FATAL(_x...) do { \
-    if (++call_depth == 1) { \
+#define FATAL(_x...)                    \
+  do {                                  \
+                                        \
+    if (++call_depth == 1) {            \
+                                        \
       fprintf(stderr, "*** [AFL] " _x); \
-      fprintf(stderr, " ***\n"); \
-      abort(); \
-    } \
-    call_depth--; \
+      fprintf(stderr, " ***\n");        \
+      abort();                          \
+                                        \
+    }                                   \
+    call_depth--;                       \
+                                        \
   } while (0)
 
 /* Macro to count the number of pages needed to store a buffer: */
@@ -63,7 +110,7 @@
 
 /* Canary & clobber bytes: */
 
-#define ALLOC_CANARY  0xAACCAACC
+#define ALLOC_CANARY 0xAACCAACC
 #define ALLOC_CLOBBER 0xCC
 
 #define PTR_C(_p) (((u32*)(_p))[-1])
@@ -73,13 +120,17 @@
 
 static u32 max_mem = MAX_ALLOC;         /* Max heap usage to permit         */
 static u8  alloc_verbose,               /* Additional debug messages        */
-           hard_fail,                   /* abort() when max_mem exceeded?   */
-           no_calloc_over;              /* abort() on calloc() overflows?   */
+    hard_fail,                          /* abort() when max_mem exceeded?   */
+    no_calloc_over;                     /* abort() on calloc() overflows?   */
 
+#if defined __OpenBSD__ || defined __APPLE__
+#define __thread
+#warning no thread support available
+#endif
 static __thread size_t total_mem;       /* Currently allocated mem          */
 
 static __thread u32 call_depth;         /* To avoid recursion via fprintf() */
-
+static u32          alloc_canary;
 
 /* This is the main alloc function. It allocates one page more than necessary,
    sets that tailing page to PROT_NONE, and then increments the return address
@@ -88,28 +139,59 @@ static __thread u32 call_depth;         /* To avoid recursion via fprintf() */
 
 static void* __dislocator_alloc(size_t len) {
 
-  void* ret;
-
+  void*  ret;
+  size_t tlen;
+  int    flags, fd, sp;
 
   if (total_mem + len > max_mem || total_mem + len < total_mem) {
 
-    if (hard_fail)
-      FATAL("total allocs exceed %u MB", max_mem / 1024 / 1024);
+    if (hard_fail) FATAL("total allocs exceed %u MB", max_mem / 1024 / 1024);
 
-    DEBUGF("total allocs exceed %u MB, returning NULL",
-           max_mem / 1024 / 1024);
+    DEBUGF("total allocs exceed %u MB, returning NULL", max_mem / 1024 / 1024);
 
     return NULL;
 
   }
 
+  tlen = (1 + PG_COUNT(len + 8)) * PAGE_SIZE;
+  flags = MAP_PRIVATE | MAP_ANONYMOUS;
+  fd = -1;
+#if defined(USEHUGEPAGE)
+  sp = (len >= SUPER_PAGE_SIZE && !(len % SUPER_PAGE_SIZE));
+
+#if defined(__APPLE__)
+  if (sp) fd = VM_FLAGS_SUPERPAGE_SIZE_2MB;
+#elif defined(__linux__)
+  if (sp) flags |= MAP_HUGETLB;
+#elif defined(__FreeBSD__)
+  if (sp) flags |= MAP_ALIGNED_SUPER;
+#endif
+#else
+  (void)sp;
+#endif
+
   /* We will also store buffer length and a canary below the actual buffer, so
      let's add 8 bytes for that. */
 
-  ret = mmap(NULL, (1 + PG_COUNT(len + 8)) * PAGE_SIZE, PROT_READ | PROT_WRITE,
-             MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+  ret = mmap(NULL, tlen, PROT_READ | PROT_WRITE, flags, fd, 0);
+#if defined(USEHUGEPAGE)
+  /* We try one more time with regular call */
+  if (ret == MAP_FAILED) {
 
-  if (ret == (void*)-1) {
+#if defined(__APPLE__)
+    fd = -1;
+#elif defined(__linux__)
+    flags &= -MAP_HUGETLB;
+#elif defined(__FreeBSD__)
+    flags &= -MAP_ALIGNED_SUPER;
+#endif
+    ret = mmap(NULL, tlen, PROT_READ | PROT_WRITE, flags, fd, 0);
+
+  }
+
+#endif
+
+  if (ret == MAP_FAILED) {
 
     if (hard_fail) FATAL("mmap() failed on alloc (OOM?)");
 
@@ -134,7 +216,7 @@ static void* __dislocator_alloc(size_t len) {
   ret += 8;
 
   PTR_L(ret) = len;
-  PTR_C(ret) = ALLOC_CANARY;
+  PTR_C(ret) = alloc_canary;
 
   total_mem += len;
 
@@ -142,7 +224,6 @@ static void* __dislocator_alloc(size_t len) {
 
 }
 
-
 /* The "user-facing" wrapper for calloc(). This just checks for overflows and
    displays debug messages if requested. */
 
@@ -157,8 +238,11 @@ void* calloc(size_t elem_len, size_t elem_cnt) {
   if (elem_cnt && len / elem_cnt != elem_len) {
 
     if (no_calloc_over) {
-      DEBUGF("calloc(%zu, %zu) would overflow, returning NULL", elem_len, elem_cnt);
+
+      DEBUGF("calloc(%zu, %zu) would overflow, returning NULL", elem_len,
+             elem_cnt);
       return NULL;
+
     }
 
     FATAL("calloc(%zu, %zu) would overflow", elem_len, elem_cnt);
@@ -174,6 +258,9 @@ void* calloc(size_t elem_len, size_t elem_cnt) {
 
 }
 
+/* TODO: add a wrapper for posix_memalign, otherwise apps who use it,
+   will fail when freeing the memory.
+*/
 
 /* The wrapper for malloc(). Roughly the same, also clobbers the returned
    memory (unlike calloc(), malloc() is not guaranteed to return zeroed
@@ -193,7 +280,6 @@ void* malloc(size_t len) {
 
 }
 
-
 /* The wrapper for free(). This simply marks the entire region as PROT_NONE.
    If the region is already freed, the code will segfault during the attempt to
    read the canary. Not very graceful, but works, right? */
@@ -206,7 +292,7 @@ void free(void* ptr) {
 
   if (!ptr) return;
 
-  if (PTR_C(ptr) != ALLOC_CANARY) FATAL("bad allocator canary on free()");
+  if (PTR_C(ptr) != alloc_canary) FATAL("bad allocator canary on free()");
 
   len = PTR_L(ptr);
 
@@ -224,7 +310,6 @@ void free(void* ptr) {
 
 }
 
-
 /* Realloc is pretty straightforward, too. We forcibly reallocate the buffer,
    move data, and then free (aka mprotect()) the original one. */
 
@@ -236,7 +321,7 @@ void* realloc(void* ptr, size_t len) {
 
   if (ret && ptr) {
 
-    if (PTR_C(ptr) != ALLOC_CANARY) FATAL("bad allocator canary on realloc()");
+    if (PTR_C(ptr) != alloc_canary) FATAL("bad allocator canary on realloc()");
 
     memcpy(ret, ptr, MIN(len, PTR_L(ptr)));
     free(ptr);
@@ -249,20 +334,89 @@ void* realloc(void* ptr, size_t len) {
 
 }
 
+/* posix_memalign we mainly check the proper alignment argument
+   if the requested size fits within the alignment we do
+   a normal request */
+
+int posix_memalign(void** ptr, size_t align, size_t len) {
+
+  // if (*ptr == NULL) return EINVAL; // (andrea) Why? I comment it out for now
+  if ((align % 2) || (align % sizeof(void*))) return EINVAL;
+  if (len == 0) {
+
+    *ptr = NULL;
+    return 0;
+
+  }
+
+  size_t rem = len % align;
+  if (rem) len += align - rem;
+
+  *ptr = __dislocator_alloc(len);
+
+  if (*ptr && len) memset(*ptr, ALLOC_CLOBBER, len);
+
+  DEBUGF("posix_memalign(%p %zu, %zu) [*ptr = %p]", ptr, align, len, *ptr);
+
+  return 0;
+
+}
+
+/* just the non-posix fashion */
+
+void* memalign(size_t align, size_t len) {
+
+  void* ret = NULL;
+
+  if (posix_memalign(&ret, align, len)) {
+
+    DEBUGF("memalign(%zu, %zu) failed", align, len);
+
+  }
+
+  return ret;
+
+}
+
+/* sort of C11 alias of memalign only more severe, alignment-wise */
+
+void* aligned_alloc(size_t align, size_t len) {
+
+  void* ret = NULL;
+
+  if ((len % align)) return NULL;
+
+  if (posix_memalign(&ret, align, len)) {
+
+    DEBUGF("aligned_alloc(%zu, %zu) failed", align, len);
+
+  }
+
+  return ret;
+
+}
 
 __attribute__((constructor)) void __dislocator_init(void) {
 
-  u8* tmp = getenv("AFL_LD_LIMIT_MB");
+  u8* tmp = (u8*)getenv("AFL_LD_LIMIT_MB");
 
   if (tmp) {
 
-    max_mem = atoi(tmp) * 1024 * 1024;
-    if (!max_mem) FATAL("Bad value for AFL_LD_LIMIT_MB");
+    u8* tok;
+    s32 mmem = (s32)strtol((char*)tmp, (char**)&tok, 10);
+    if (*tok != '\0' || errno == ERANGE) FATAL("Bad value for AFL_LD_LIMIT_MB");
+    max_mem = mmem * 1024 * 1024;
 
   }
 
+  alloc_canary = ALLOC_CANARY;
+  tmp = (u8*)getenv("AFL_RANDOM_ALLOC_CANARY");
+
+  if (tmp) arc4random_buf(&alloc_canary, sizeof(alloc_canary));
+
   alloc_verbose = !!getenv("AFL_LD_VERBOSE");
   hard_fail = !!getenv("AFL_LD_HARD_FAIL");
   no_calloc_over = !!getenv("AFL_LD_NO_CALLOC_OVER");
 
 }
+

libtokencap/Makefile

@@ -2,7 +2,7 @@
 # american fuzzy lop - libtokencap
 # --------------------------------
 #
-# Written by Michal Zalewski <lcamtuf@google.com>
+# Written by Michal Zalewski
 #
 # Copyright 2016 Google Inc. All rights reserved.
 #
@@ -18,21 +18,44 @@ HELPER_PATH  = $(PREFIX)/lib/afl
 
 VERSION     = $(shell grep '^\#define VERSION ' ../config.h | cut -d '"' -f2)
 
-CFLAGS      ?= -O3 -funroll-loops
+CFLAGS      ?= -O3 -funroll-loops -I ../include/
 CFLAGS      += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign
 
-all: libtokencap.so
+ifeq "$(shell uname)" "Linux"
+  TARGETS = libtokencap.so
+  LDFLAGS     += -ldl
+endif
+ifeq "$(shell uname)" "Darwin"
+  TARGETS = libtokencap.so
+  LDFLAGS     += -ldl
+endif
+ifeq "$(shell uname)" "FreeBSD"
+  TARGETS = libtokencap.so
+endif
+ifeq "$(shell uname)" "OpenBSD"
+  TARGETS = libtokencap.so
+endif
+ifeq "$(shell uname)" "NetBSD"
+  TARGETS = libtokencap.so
+endif
+ifeq "$(shell uname)" "DragonFly"
+  TARGETS = libtokencap.so
+  LDFLAGS     += -ldl
+endif
+all: $(TARGETS)
 
+VPATH = ..
 libtokencap.so: libtokencap.so.c ../config.h
-	$(CC) $(CFLAGS) -shared -fPIC $< -o $@ $(LDFLAGS)
+	$(CC) $(CFLAGS) -shared -fPIC $< -o ../$@ $(LDFLAGS)
 
 .NOTPARALLEL: clean
 
 clean:
 	rm -f *.o *.so *~ a.out core core.[1-9][0-9]*
-	rm -f libtokencap.so
+	rm -f ../libtokencap.so
 
 install: all
-	install -m 755 libtokencap.so $${DESTDIR}$(HELPER_PATH)
-	install -m 644 README.tokencap $${DESTDIR}$(HELPER_PATH)
+	install -m 755 -d $${DESTDIR}$(HELPER_PATH)
+	install -m 755 ../libtokencap.so $${DESTDIR}$(HELPER_PATH)
+	install -m 644 README.tokencap.md $${DESTDIR}$(HELPER_PATH)
 

libtokencap/README.tokencap.md

@@ -1,10 +1,8 @@
-=========================================
-strcmp() / memcmp() token capture library
-=========================================
+# strcmp() / memcmp() token capture library
 
   (See ../docs/README for the general instruction manual.)
 
-This Linux-only companion library allows you to instrument strcmp(), memcmp(),
+This companion library allows you to instrument `strcmp()`, `memcmp()`,
 and related functions to automatically extract syntax tokens passed to any of
 these libcalls. The resulting list of tokens may be then given as a starting
 dictionary to afl-fuzz (the -x option) to improve coverage on subsequent
@@ -31,15 +29,18 @@ with -fno-builtin and is linked dynamically. If you wish to automate the first
 part without mucking with CFLAGS in Makefiles, you can set AFL_NO_BUILTIN=1
 when using afl-gcc. This setting specifically adds the following flags:
 
+```
   -fno-builtin-strcmp -fno-builtin-strncmp -fno-builtin-strcasecmp
   -fno-builtin-strcasencmp -fno-builtin-memcmp -fno-builtin-strstr
   -fno-builtin-strcasestr
+```
 
 The next step is simply loading this library via LD_PRELOAD. The optimal usage
 pattern is to allow afl-fuzz to fuzz normally for a while and build up a corpus,
 and then fire off the target binary, with libtokencap.so loaded, on every file
 found by AFL in that earlier run. This demonstrates the basic principle:
 
+```
   export AFL_TOKEN_FILE=$PWD/temp_output.txt
 
   for i in <out_dir>/queue/id*; do
@@ -48,14 +49,16 @@ found by AFL in that earlier run. This demonstrates the basic principle:
   done
 
   sort -u temp_output.txt >afl_dictionary.txt
+```
 
 If you don't get any results, the target library is probably not using strcmp()
 and memcmp() to parse input; or you haven't compiled it with -fno-builtin; or
 the whole thing isn't dynamically linked, and LD_PRELOAD is having no effect.
 
-PS. The library is Linux-only because there is probably no particularly portable
-and non-invasive way to distinguish between read-only and read-write memory
-mappings. The __tokencap_load_mappings() function is the only thing that would
-need to be changed for other OSes. Porting to platforms with /proc/<pid>/maps
-(e.g., FreeBSD) should be trivial.
+Portability hints: There is probably no particularly portable and non-invasive
+way to distinguish between read-only and read-write memory mappings.
+The `__tokencap_load_mappings()` function is the only thing that would
+need to be changed for other OSes.
+
+Current supported OSes are: Linux, Darwin, FreeBSD (thanks to @devnexen)
 

libtokencap/libtokencap.so.c

@@ -3,7 +3,7 @@
    american fuzzy lop - extract tokens passed to strcmp / memcmp
    -------------------------------------------------------------
 
-   Written and maintained by Michal Zalewski <lcamtuf@google.com>
+   Written by Michal Zalewski
 
    Copyright 2016 Google Inc. All rights reserved.
 
@@ -15,34 +15,66 @@
 
    This Linux-only companion library allows you to instrument strcmp(),
    memcmp(), and related functions to automatically extract tokens.
-   See README.tokencap for more info.
+   See README.tokencap.md for more info.
 
  */
 
+#ifndef _GNU_SOURCE
+#define _GNU_SOURCE
+#endif
 #include <stdio.h>
 #include <string.h>
 #include <ctype.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <stdbool.h>
 
 #include "../types.h"
 #include "../config.h"
 
-#ifndef __linux__
-#  error "Sorry, this library is Linux-specific for now!"
-#endif /* !__linux__ */
+#if !defined __linux__ && !defined __APPLE__ && !defined __FreeBSD__ && \
+    !defined __OpenBSD__ && !defined __NetBSD__ && !defined __DragonFly__
+#error "Sorry, this library is unsupported in this platform for now!"
+#endif /* !__linux__ && !__APPLE__ && ! __FreeBSD__ && ! __OpenBSD__ && \
+          !__NetBSD__*/
 
+#if defined __APPLE__
+#include <mach/vm_map.h>
+#include <mach/mach_init.h>
+#elif defined __FreeBSD__ || defined __OpenBSD__ || defined __NetBSD__
+#include <sys/types.h>
+#include <sys/sysctl.h>
+#include <sys/user.h>
+#include <sys/mman.h>
+#endif
+
+#include <dlfcn.h>
+
+#ifdef RTLD_NEXT
+/* The libc functions are a magnitude faster than our replacements.
+   Use them when RTLD_NEXT is available. */
+int (*__libc_strcmp)(const char* str1, const char* str2);
+int (*__libc_strncmp)(const char* str1, const char* str2, size_t len);
+int (*__libc_strcasecmp)(const char* str1, const char* str2);
+int (*__libc_strncasecmp)(const char* str1, const char* str2, size_t len);
+int (*__libc_memcmp)(const void* mem1, const void* mem2, size_t len);
+int (*__libc_bcmp)(const void* mem1, const void* mem2, size_t len);
+char* (*__libc_strstr)(const char* haystack, const char* needle);
+char* (*__libc_strcasestr)(const char* haystack, const char* needle);
+void* (*__libc_memmem)(const void* haystack, size_t haystack_len,
+                       const void* needle, size_t needle_len);
+#endif
 
 /* Mapping data and such */
 
 #define MAX_MAPPINGS 1024
 
-static struct mapping {
-  void *st, *en;
-} __tokencap_ro[MAX_MAPPINGS];
+static struct mapping { void *st, *en; } __tokencap_ro[MAX_MAPPINGS];
 
 static u32   __tokencap_ro_cnt;
 static u8    __tokencap_ro_loaded;
-static FILE* __tokencap_out_file;
-
+static int   __tokencap_out_file = -1;
+static pid_t __tokencap_pid = -1;
 
 /* Identify read-only regions in memory. Only parameters that fall into these
    ranges are worth dumping when passed to strcmp() and so on. Read-write
@@ -50,7 +82,9 @@ static FILE* __tokencap_out_file;
 
 static void __tokencap_load_mappings(void) {
 
-  u8 buf[MAX_LINE];
+#if defined __linux__
+
+  u8    buf[MAX_LINE];
   FILE* f = fopen("/proc/self/maps", "r");
 
   __tokencap_ro_loaded = 1;
@@ -59,8 +93,8 @@ static void __tokencap_load_mappings(void) {
 
   while (fgets(buf, MAX_LINE, f)) {
 
-    u8 rf, wf;
-    void* st, *en;
+    u8    rf, wf;
+    void *st, *en;
 
     if (sscanf(buf, "%p-%p %c%c", &st, &en, &rf, &wf) != 4) continue;
     if (wf == 'w' || rf != 'r') continue;
@@ -74,8 +108,125 @@ static void __tokencap_load_mappings(void) {
 
   fclose(f);
 
-}
+#elif defined __APPLE__
 
+  struct vm_region_submap_info_64 region;
+  mach_msg_type_number_t          cnt = VM_REGION_SUBMAP_INFO_COUNT_64;
+  vm_address_t                    base = 0;
+  vm_size_t                       size = 0;
+  natural_t                       depth = 0;
+
+  __tokencap_ro_loaded = 1;
+
+  while (1) {
+
+    if (vm_region_recurse_64(mach_task_self(), &base, &size, &depth,
+                             (vm_region_info_64_t)&region,
+                             &cnt) != KERN_SUCCESS)
+      break;
+
+    if (region.is_submap) {
+
+      depth++;
+
+    } else {
+
+      /* We only care of main map addresses and the read only kinds */
+      if ((region.protection & VM_PROT_READ) &&
+          !(region.protection & VM_PROT_WRITE)) {
+
+        __tokencap_ro[__tokencap_ro_cnt].st = (void*)base;
+        __tokencap_ro[__tokencap_ro_cnt].en = (void*)(base + size);
+
+        if (++__tokencap_ro_cnt == MAX_MAPPINGS) break;
+
+      }
+
+    }
+
+  }
+
+#elif defined __FreeBSD__ || defined __OpenBSD__ || defined __NetBSD__
+
+#if defined   __FreeBSD__
+  int    mib[] = {CTL_KERN, KERN_PROC, KERN_PROC_VMMAP, __tokencap_pid};
+#elif defined __OpenBSD__
+  int mib[] = {CTL_KERN, KERN_PROC_VMMAP, __tokencap_pid};
+#elif defined __NetBSD__
+  int mib[] = {CTL_VM, VM_PROC, VM_PROC_MAP, __tokencap_pid,
+               sizeof(struct kinfo_vmentry)};
+#endif
+  char * buf, *low, *high;
+  size_t miblen = sizeof(mib) / sizeof(mib[0]);
+  size_t len;
+
+  if (sysctl(mib, miblen, NULL, &len, NULL, 0) == -1) return;
+
+#if defined __FreeBSD__ || defined __NetBSD__
+  len = len * 4 / 3;
+#elif defined                      __OpenBSD__
+  len -= len % sizeof(struct kinfo_vmentry);
+#endif
+
+  buf = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANON, -1, 0);
+  if (buf == MAP_FAILED) return;
+
+  if (sysctl(mib, miblen, buf, &len, NULL, 0) == -1) {
+
+    munmap(buf, len);
+    return;
+
+  }
+
+  low = buf;
+  high = low + len;
+
+  __tokencap_ro_loaded = 1;
+
+  while (low < high) {
+
+    struct kinfo_vmentry* region = (struct kinfo_vmentry*)low;
+
+#if defined __FreeBSD__ || defined __NetBSD__
+
+#if defined   __FreeBSD__
+    size_t                size = region->kve_structsize;
+
+    if (size == 0) break;
+#elif defined __NetBSD__
+    size_t size = sizeof(*region);
+#endif
+
+    /* We go through the whole mapping of the process and track read-only
+     * addresses */
+    if ((region->kve_protection & KVME_PROT_READ) &&
+        !(region->kve_protection & KVME_PROT_WRITE)) {
+
+#elif defined __OpenBSD__
+
+    size_t size = sizeof(*region);
+
+    /* We go through the whole mapping of the process and track read-only
+     * addresses */
+    if ((region->kve_protection & KVE_PROT_READ) &&
+        !(region->kve_protection & KVE_PROT_WRITE)) {
+
+#endif
+      __tokencap_ro[__tokencap_ro_cnt].st = (void*)region->kve_start;
+      __tokencap_ro[__tokencap_ro_cnt].en = (void*)region->kve_end;
+
+      if (++__tokencap_ro_cnt == MAX_MAPPINGS) break;
+
+    }
+
+    low += size;
+
+  }
+
+  munmap(buf, len);
+#endif
+
+}
 
 /* Check an address against the list of read-only mappings. */
 
@@ -85,24 +236,23 @@ static u8 __tokencap_is_ro(const void* ptr) {
 
   if (!__tokencap_ro_loaded) __tokencap_load_mappings();
 
-  for (i = 0; i < __tokencap_ro_cnt; i++) 
+  for (i = 0; i < __tokencap_ro_cnt; i++)
     if (ptr >= __tokencap_ro[i].st && ptr <= __tokencap_ro[i].en) return 1;
 
   return 0;
 
 }
 
-
 /* Dump an interesting token to output file, quoting and escaping it
    properly. */
 
 static void __tokencap_dump(const u8* ptr, size_t len, u8 is_text) {
 
-  u8 buf[MAX_AUTO_EXTRA * 4 + 1];
+  u8  buf[MAX_AUTO_EXTRA * 4 + 1];
   u32 i;
   u32 pos = 0;
 
-  if (len < MIN_AUTO_EXTRA || len > MAX_AUTO_EXTRA || !__tokencap_out_file)
+  if (len < MIN_AUTO_EXTRA || len > MAX_AUTO_EXTRA || __tokencap_out_file == -1)
     return;
 
   for (i = 0; i < len; i++) {
@@ -120,9 +270,7 @@ static void __tokencap_dump(const u8* ptr, size_t len, u8 is_text) {
         pos += 4;
         break;
 
-      default:
-
-        buf[pos++] = ptr[i];
+      default: buf[pos++] = ptr[i];
 
     }
 
@@ -130,11 +278,12 @@ static void __tokencap_dump(const u8* ptr, size_t len, u8 is_text) {
 
   buf[pos] = 0;
 
-  fprintf(__tokencap_out_file, "\"%s\"\n", buf);    
+  int wrt_ok = (1 == write(__tokencap_out_file, "\"", 1));
+  wrt_ok &= (pos == write(__tokencap_out_file, buf, pos));
+  wrt_ok &= (2 == write(__tokencap_out_file, "\"\n", 2));
 
 }
 
-
 /* Replacements for strcmp(), memcmp(), and so on. Note that these will be used
    only if the target is compiled with -fno-builtins and linked dynamically. */
 
@@ -145,19 +294,23 @@ int strcmp(const char* str1, const char* str2) {
   if (__tokencap_is_ro(str1)) __tokencap_dump(str1, strlen(str1), 1);
   if (__tokencap_is_ro(str2)) __tokencap_dump(str2, strlen(str2), 1);
 
+#ifdef RTLD_NEXT
+  if (__libc_strcmp) return __libc_strcmp(str1, str2);
+#endif
+
   while (1) {
 
-    unsigned char c1 = *str1, c2 = *str2;
+    const unsigned char c1 = *str1, c2 = *str2;
 
     if (c1 != c2) return (c1 > c2) ? 1 : -1;
     if (!c1) return 0;
-    str1++; str2++;
+    str1++;
+    str2++;
 
   }
 
 }
 
-
 #undef strncmp
 
 int strncmp(const char* str1, const char* str2, size_t len) {
@@ -165,13 +318,18 @@ int strncmp(const char* str1, const char* str2, size_t len) {
   if (__tokencap_is_ro(str1)) __tokencap_dump(str1, len, 1);
   if (__tokencap_is_ro(str2)) __tokencap_dump(str2, len, 1);
 
+#ifdef RTLD_NEXT
+  if (__libc_strncmp) return __libc_strncmp(str1, str2, len);
+#endif
+
   while (len--) {
 
     unsigned char c1 = *str1, c2 = *str2;
 
     if (!c1) return 0;
     if (c1 != c2) return (c1 > c2) ? 1 : -1;
-    str1++; str2++;
+    str1++;
+    str2++;
 
   }
 
@@ -179,7 +337,6 @@ int strncmp(const char* str1, const char* str2, size_t len) {
 
 }
 
-
 #undef strcasecmp
 
 int strcasecmp(const char* str1, const char* str2) {
@@ -187,19 +344,23 @@ int strcasecmp(const char* str1, const char* str2) {
   if (__tokencap_is_ro(str1)) __tokencap_dump(str1, strlen(str1), 1);
   if (__tokencap_is_ro(str2)) __tokencap_dump(str2, strlen(str2), 1);
 
+#ifdef RTLD_NEXT
+  if (__libc_strcasecmp) return __libc_strcasecmp(str1, str2);
+#endif
+
   while (1) {
 
-    unsigned char c1 = tolower(*str1), c2 = tolower(*str2);
+    const unsigned char c1 = tolower(*str1), c2 = tolower(*str2);
 
     if (c1 != c2) return (c1 > c2) ? 1 : -1;
     if (!c1) return 0;
-    str1++; str2++;
+    str1++;
+    str2++;
 
   }
 
 }
 
-
 #undef strncasecmp
 
 int strncasecmp(const char* str1, const char* str2, size_t len) {
@@ -207,13 +368,18 @@ int strncasecmp(const char* str1, const char* str2, size_t len) {
   if (__tokencap_is_ro(str1)) __tokencap_dump(str1, len, 1);
   if (__tokencap_is_ro(str2)) __tokencap_dump(str2, len, 1);
 
+#ifdef RTLD_NEXT
+  if (__libc_strncasecmp) return __libc_strncasecmp(str1, str2, len);
+#endif
+
   while (len--) {
 
-    unsigned char c1 = tolower(*str1), c2 = tolower(*str2);
+    const unsigned char c1 = tolower(*str1), c2 = tolower(*str2);
 
     if (!c1) return 0;
     if (c1 != c2) return (c1 > c2) ? 1 : -1;
-    str1++; str2++;
+    str1++;
+    str2++;
 
   }
 
@@ -221,7 +387,6 @@ int strncasecmp(const char* str1, const char* str2, size_t len) {
 
 }
 
-
 #undef memcmp
 
 int memcmp(const void* mem1, const void* mem2, size_t len) {
@@ -229,11 +394,19 @@ int memcmp(const void* mem1, const void* mem2, size_t len) {
   if (__tokencap_is_ro(mem1)) __tokencap_dump(mem1, len, 0);
   if (__tokencap_is_ro(mem2)) __tokencap_dump(mem2, len, 0);
 
+#ifdef RTLD_NEXT
+  if (__libc_memcmp) return __libc_memcmp(mem1, mem2, len);
+#endif
+
+  const char* strmem1 = (const char*)mem1;
+  const char* strmem2 = (const char*)mem2;
+
   while (len--) {
 
-    unsigned char c1 = *(const char*)mem1, c2 = *(const char*)mem2;
+    const unsigned char c1 = *strmem1, c2 = *strmem2;
     if (c1 != c2) return (c1 > c2) ? 1 : -1;
-    mem1++; mem2++;
+    strmem1++;
+    strmem2++;
 
   }
 
@@ -241,6 +414,32 @@ int memcmp(const void* mem1, const void* mem2, size_t len) {
 
 }
 
+#undef bcmp
+
+int bcmp(const void* mem1, const void* mem2, size_t len) {
+
+  if (__tokencap_is_ro(mem1)) __tokencap_dump(mem1, len, 0);
+  if (__tokencap_is_ro(mem2)) __tokencap_dump(mem2, len, 0);
+
+#ifdef RTLD_NEXT
+  if (__libc_bcmp) return __libc_bcmp(mem1, mem2, len);
+#endif
+
+  const char* strmem1 = (const char*)mem1;
+  const char* strmem2 = (const char*)mem2;
+
+  while (len--) {
+
+    int diff = *strmem1 ^ *strmem2;
+    if (diff != 0) return 1;
+    strmem1++;
+    strmem2++;
+
+  }
+
+  return 0;
+
+}
 
 #undef strstr
 
@@ -249,16 +448,21 @@ char* strstr(const char* haystack, const char* needle) {
   if (__tokencap_is_ro(haystack))
     __tokencap_dump(haystack, strlen(haystack), 1);
 
-  if (__tokencap_is_ro(needle))
-    __tokencap_dump(needle, strlen(needle), 1);
+  if (__tokencap_is_ro(needle)) __tokencap_dump(needle, strlen(needle), 1);
+
+#ifdef RTLD_NEXT
+  if (__libc_strstr) return __libc_strstr(haystack, needle);
+#endif
 
   do {
+
     const char* n = needle;
     const char* h = haystack;
 
-    while(*n && *h && *n == *h) n++, h++;
+    while (*n && *h && *n == *h)
+      n++, h++;
 
-    if(!*n) return (char*)haystack;
+    if (!*n) return (char*)haystack;
 
   } while (*(haystack++));
 
@@ -266,7 +470,6 @@ char* strstr(const char* haystack, const char* needle) {
 
 }
 
-
 #undef strcasestr
 
 char* strcasestr(const char* haystack, const char* needle) {
@@ -274,32 +477,257 @@ char* strcasestr(const char* haystack, const char* needle) {
   if (__tokencap_is_ro(haystack))
     __tokencap_dump(haystack, strlen(haystack), 1);
 
-  if (__tokencap_is_ro(needle))
-    __tokencap_dump(needle, strlen(needle), 1);
+  if (__tokencap_is_ro(needle)) __tokencap_dump(needle, strlen(needle), 1);
+
+#ifdef RTLD_NEXT
+  if (__libc_strcasestr) return __libc_strcasestr(haystack, needle);
+#endif
 
   do {
 
     const char* n = needle;
     const char* h = haystack;
 
-    while(*n && *h && tolower(*n) == tolower(*h)) n++, h++;
+    while (*n && *h && tolower(*n) == tolower(*h))
+      n++, h++;
 
-    if(!*n) return (char*)haystack;
+    if (!*n) return (char*)haystack;
 
-  } while(*(haystack++));
+  } while (*(haystack++));
 
   return 0;
 
 }
 
+#undef memmem
+
+void* memmem(const void* haystack, size_t haystack_len, const void* needle,
+             size_t needle_len) {
+
+  if (__tokencap_is_ro(haystack)) __tokencap_dump(haystack, haystack_len, 1);
+
+  if (__tokencap_is_ro(needle)) __tokencap_dump(needle, needle_len, 1);
+
+#ifdef RTLD_NEXT
+  if (__libc_memmem)
+    return __libc_memmem(haystack, haystack_len, needle, needle_len);
+#endif
+
+  const char* n = (const char*)needle;
+  const char* h = (const char*)haystack;
+  if (haystack_len < needle_len) return 0;
+  if (needle_len == 0) return (void*)haystack;
+  if (needle_len == 1) return memchr(haystack, *n, haystack_len);
+
+  const char* end = h + (haystack_len - needle_len);
+
+  do {
+
+    if (*h == *n) {
+
+      if (memcmp(h, n, needle_len) == 0) return (void*)h;
+
+    }
+
+  } while (h++ <= end);
+
+  return 0;
+
+}
+
+/* Common libraries wrappers (from honggfuzz) */
+
+/*
+ * Apache's httpd wrappers
+ */
+int ap_cstr_casecmp(const char* s1, const char* s2) {
+
+  return strcasecmp(s1, s2);
+
+}
+
+int ap_cstr_casecmpn(const char* s1, const char* s2, size_t n) {
+
+  return strncasecmp(s1, s2, n);
+
+}
+
+const char* ap_strcasestr(const char* s1, const char* s2) {
+
+  return strcasestr(s1, s2);
+
+}
+
+int apr_cstr_casecmp(const char* s1, const char* s2) {
+
+  return strcasecmp(s1, s2);
+
+}
+
+int apr_cstr_casecmpn(const char* s1, const char* s2, size_t n) {
+
+  return strncasecmp(s1, s2, n);
+
+}
+
+/*
+ * *SSL wrappers
+ */
+int CRYPTO_memcmp(const void* m1, const void* m2, size_t len) {
+
+  return memcmp(m1, m2, len);
+
+}
+
+int OPENSSL_memcmp(const void* m1, const void* m2, size_t len) {
+
+  return memcmp(m1, m2, len);
+
+}
+
+int OPENSSL_strcasecmp(const char* s1, const char* s2) {
+
+  return strcasecmp(s1, s2);
+
+}
+
+int OPENSSL_strncasecmp(const char* s1, const char* s2, size_t len) {
+
+  return strncasecmp(s1, s2, len);
+
+}
+
+int32_t memcmpct(const void* s1, const void* s2, size_t len) {
+
+  return memcmp(s1, s2, len);
+
+}
+
+/*
+ * libXML wrappers
+ */
+int xmlStrncmp(const char* s1, const char* s2, int len) {
+
+  if (len <= 0) { return 0; }
+  if (s1 == s2) { return 0; }
+  if (s1 == NULL) { return -1; }
+  if (s2 == NULL) { return 1; }
+  return strncmp(s1, s2, (size_t)len);
+
+}
+
+int xmlStrcmp(const char* s1, const char* s2) {
+
+  if (s1 == s2) { return 0; }
+  if (s1 == NULL) { return -1; }
+  if (s2 == NULL) { return 1; }
+  return strcmp(s1, s2);
+
+}
+
+int xmlStrEqual(const char* s1, const char* s2) {
+
+  if (s1 == s2) { return 1; }
+  if (s1 == NULL) { return 0; }
+  if (s2 == NULL) { return 0; }
+  if (strcmp(s1, s2) == 0) { return 1; }
+  return 0;
+
+}
+
+int xmlStrcasecmp(const char* s1, const char* s2) {
+
+  if (s1 == s2) { return 0; }
+  if (s1 == NULL) { return -1; }
+  if (s2 == NULL) { return 1; }
+  return strcasecmp(s1, s2);
+
+}
+
+int xmlStrncasecmp(const char* s1, const char* s2, int len) {
+
+  if (len <= 0) { return 0; }
+  if (s1 == s2) { return 0; }
+  if (s1 == NULL) { return -1; }
+  if (s2 == NULL) { return 1; }
+  return strncasecmp(s1, s2, (size_t)len);
+
+}
+
+const char* xmlStrstr(const char* haystack, const char* needle) {
+
+  if (haystack == NULL) { return NULL; }
+  if (needle == NULL) { return NULL; }
+  return strstr(haystack, needle);
+
+}
+
+const char* xmlStrcasestr(const char* haystack, const char* needle) {
+
+  if (haystack == NULL) { return NULL; }
+  if (needle == NULL) { return NULL; }
+  return strcasestr(haystack, needle);
+
+}
+
+/*
+ * Samba wrappers
+ */
+int memcmp_const_time(const void* s1, const void* s2, size_t n) {
+
+  return memcmp(s1, s2, n);
+
+}
+
+bool strcsequal(const void* s1, const void* s2) {
+
+  if (s1 == s2) { return true; }
+  if (!s1 || !s2) { return false; }
+  return (strcmp(s1, s2) == 0);
+
+}
+
+/* bcmp/memcmp BSD flavors, similar to CRYPTO_memcmp */
+
+int timingsafe_bcmp(const void* mem1, const void* mem2, size_t len) {
+
+  return bcmp(mem1, mem2, len);
+
+}
+
+int timingsafe_memcmp(const void* mem1, const void* mem2, size_t len) {
+
+  return memcmp(mem1, mem2, len);
+
+}
 
 /* Init code to open the output file (or default to stderr). */
 
 __attribute__((constructor)) void __tokencap_init(void) {
 
   u8* fn = getenv("AFL_TOKEN_FILE");
-  if (fn) __tokencap_out_file = fopen(fn, "a");
-  if (!__tokencap_out_file) __tokencap_out_file = stderr;
+  if (fn) __tokencap_out_file = open(fn, O_RDWR | O_CREAT | O_APPEND, 0655);
+  if (__tokencap_out_file == -1) __tokencap_out_file = STDERR_FILENO;
+  __tokencap_pid = getpid();
+
+#ifdef RTLD_NEXT
+  __libc_strcmp = dlsym(RTLD_NEXT, "strcmp");
+  __libc_strncmp = dlsym(RTLD_NEXT, "strncmp");
+  __libc_strcasecmp = dlsym(RTLD_NEXT, "strcasecmp");
+  __libc_strncasecmp = dlsym(RTLD_NEXT, "strncasecmp");
+  __libc_memcmp = dlsym(RTLD_NEXT, "memcmp");
+  __libc_bcmp = dlsym(RTLD_NEXT, "bcmp");
+  __libc_strstr = dlsym(RTLD_NEXT, "strstr");
+  __libc_strcasestr = dlsym(RTLD_NEXT, "strcasestr");
+  __libc_memmem = dlsym(RTLD_NEXT, "memmem");
+#endif
+
+}
+
+/* closing as best as we can the tokens file */
+__attribute__((destructor)) void __tokencap_shutdown(void) {
+
+  if (__tokencap_out_file != STDERR_FILENO) close(__tokencap_out_file);
 
 }
 

llvm_mode/LLVMInsTrim.so.cc

@@ -13,6 +13,7 @@
 #include "llvm/IR/Module.h"
 #include "llvm/Pass.h"
 #include "llvm/Support/raw_ostream.h"
+#include "llvm/Support/CommandLine.h"
 #include "llvm/Transforms/IPO/PassManagerBuilder.h"
 #include "llvm/Transforms/Utils/BasicBlockUtils.h"
 #include "llvm/IR/DebugInfo.h"
@@ -24,8 +25,8 @@
 #include <string>
 #include <fstream>
 
-#include "../config.h"
-#include "../debug.h"
+#include "config.h"
+#include "debug.h"
 
 #include "MarkNodes.h"
 
@@ -37,269 +38,360 @@ static cl::opt<bool> LoopHeadOpt("loophead", cl::desc("LoopHead"),
                                  cl::init(false));
 
 namespace {
-  struct InsTrim : public ModulePass {
 
-  protected:
-    std::list<std::string> myWhitelist;
+struct InsTrim : public ModulePass {
 
-  private:
-    std::mt19937 generator;
-    int total_instr = 0;
+ protected:
+  std::list<std::string> myWhitelist;
 
-    unsigned genLabel() {
-      return generator() % 65536;
-    }
+ private:
+  std::mt19937 generator;
+  int          total_instr = 0;
 
-  public:
-    static char ID;
-    InsTrim() : ModulePass(ID), generator(0) {//}
-    
-//    AFLCoverage() : ModulePass(ID) {
-      char* instWhiteListFilename = getenv("AFL_LLVM_WHITELIST");
-      if (instWhiteListFilename) {
-        std::string line;
-        std::ifstream fileStream;
-        fileStream.open(instWhiteListFilename);
-        if (!fileStream)
-          report_fatal_error("Unable to open AFL_LLVM_WHITELIST");
+  unsigned int genLabel() {
+
+    return generator() & (MAP_SIZE - 1);
+
+  }
+
+ public:
+  static char ID;
+  InsTrim() : ModulePass(ID), generator(0) {
+
+    char *instWhiteListFilename = getenv("AFL_LLVM_WHITELIST");
+    if (instWhiteListFilename) {
+
+      std::string   line;
+      std::ifstream fileStream;
+      fileStream.open(instWhiteListFilename);
+      if (!fileStream) report_fatal_error("Unable to open AFL_LLVM_WHITELIST");
+      getline(fileStream, line);
+      while (fileStream) {
+
+        myWhitelist.push_back(line);
         getline(fileStream, line);
-        while (fileStream) {
-          myWhitelist.push_back(line);
-          getline(fileStream, line);
-        }
+
       }
+
     }
 
-    void getAnalysisUsage(AnalysisUsage &AU) const override {
-      AU.addRequired<DominatorTreeWrapperPass>();
-    }
+  }
+
+  void getAnalysisUsage(AnalysisUsage &AU) const override {
+
+    AU.addRequired<DominatorTreeWrapperPass>();
+
+  }
 
 #if LLVM_VERSION_MAJOR < 4
-    const char *
+  const char *
 #else
-    StringRef
+  StringRef
 #endif
-              getPassName() const override {
-      return "InstTrim Instrumentation";
+  getPassName() const override {
+
+    return "InstTrim Instrumentation";
+
+  }
+
+  bool runOnModule(Module &M) override {
+
+    char be_quiet = 0;
+
+    if (isatty(2) && !getenv("AFL_QUIET")) {
+
+      SAYF(cCYA "LLVMInsTrim" VERSION cRST " by csienslab\n");
+
+    } else
+
+      be_quiet = 1;
+
+#if LLVM_VERSION_MAJOR < 9
+    char *neverZero_counters_str;
+    if ((neverZero_counters_str = getenv("AFL_LLVM_NOT_ZERO")) != NULL)
+      OKF("LLVM neverZero activated (by hexcoder)\n");
+#endif
+
+    if (getenv("AFL_LLVM_INSTRIM_LOOPHEAD") != NULL ||
+        getenv("LOOPHEAD") != NULL) {
+
+      LoopHeadOpt = true;
+
     }
 
-    bool runOnModule(Module &M) override {
-      char be_quiet = 0;
-      
-      if (isatty(2) && !getenv("AFL_QUIET")) {
-        SAYF(cCYA "LLVMInsTrim" VERSION cRST " by csienslab\n");
-      } else be_quiet = 1;
-    
-#if LLVM_VERSION_MAJOR < 9
-      char* neverZero_counters_str;
-      if ((neverZero_counters_str = getenv("AFL_LLVM_NOT_ZERO")) != NULL)
-        OKF("LLVM neverZero activated (by hexcoder)\n");
-#endif
-    
-      if (getenv("AFL_LLVM_INSTRIM_LOOPHEAD") != NULL || getenv("LOOPHEAD") != NULL) {
-        LoopHeadOpt = true;
-      }
+    // this is our default
+    MarkSetOpt = true;
 
-      // this is our default
-      MarkSetOpt = true;
-      
-/*    // I dont think this makes sense to port into LLVMInsTrim
-      char* inst_ratio_str = getenv("AFL_INST_RATIO");
-      unsigned int inst_ratio = 100;
-      if (inst_ratio_str) {
-       if (sscanf(inst_ratio_str, "%u", &inst_ratio) != 1 || !inst_ratio || inst_ratio > 100)
-         FATAL("Bad value of AFL_INST_RATIO (must be between 1 and 100)");
-      }
-*/
+    /*    // I dont think this makes sense to port into LLVMInsTrim
+          char* inst_ratio_str = getenv("AFL_INST_RATIO");
+          unsigned int inst_ratio = 100;
+          if (inst_ratio_str) {
 
-      LLVMContext &C = M.getContext();
-      IntegerType *Int8Ty  = IntegerType::getInt8Ty(C);
-      IntegerType *Int32Ty = IntegerType::getInt32Ty(C);
+           if (sscanf(inst_ratio_str, "%u", &inst_ratio) != 1 || !inst_ratio ||
+       inst_ratio > 100) FATAL("Bad value of AFL_INST_RATIO (must be between 1
+       and 100)");
 
-      GlobalVariable *CovMapPtr = new GlobalVariable(
+          }
+
+    */
+
+    LLVMContext &C = M.getContext();
+    IntegerType *Int8Ty = IntegerType::getInt8Ty(C);
+    IntegerType *Int32Ty = IntegerType::getInt32Ty(C);
+
+    GlobalVariable *CovMapPtr = new GlobalVariable(
         M, PointerType::getUnqual(Int8Ty), false, GlobalValue::ExternalLinkage,
         nullptr, "__afl_area_ptr");
 
-      GlobalVariable *OldPrev = new GlobalVariable(
-        M, Int32Ty, false, GlobalValue::ExternalLinkage, 0, "__afl_prev_loc",
-        0, GlobalVariable::GeneralDynamicTLSModel, 0, false);
+    GlobalVariable *OldPrev = new GlobalVariable(
+        M, Int32Ty, false, GlobalValue::ExternalLinkage, 0, "__afl_prev_loc", 0,
+        GlobalVariable::GeneralDynamicTLSModel, 0, false);
 
-      u64 total_rs = 0;
-      u64 total_hs = 0;
+    ConstantInt *Zero = ConstantInt::get(Int8Ty, 0);
+    ConstantInt *One = ConstantInt::get(Int8Ty, 1);
+
+    u64 total_rs = 0;
+    u64 total_hs = 0;
+
+    for (Function &F : M) {
+
+      if (!F.size()) { continue; }
+
+      if (!myWhitelist.empty()) {
+
+        bool         instrumentBlock = false;
+        DebugLoc     Loc;
+        StringRef    instFilename;
+        unsigned int instLine = 0;
+
+        for (auto &BB : F) {
+
+          BasicBlock::iterator IP = BB.getFirstInsertionPt();
+          IRBuilder<>          IRB(&(*IP));
+          if (!Loc) Loc = IP->getDebugLoc();
 
-      for (Function &F : M) {
-        if (!F.size()) {
-          continue;
         }
 
-        if (!myWhitelist.empty()) {
-          bool instrumentBlock = false;
-          DebugLoc Loc;
-          StringRef instFilename;
+        if (Loc) {
+
+          DILocation *cDILoc = dyn_cast<DILocation>(Loc.getAsMDNode());
+
+          instLine = cDILoc->getLine();
+          instFilename = cDILoc->getFilename();
+
+          if (instFilename.str().empty()) {
+
+            /* If the original location is empty, try using the inlined location
+             */
+            DILocation *oDILoc = cDILoc->getInlinedAt();
+            if (oDILoc) {
+
+              instFilename = oDILoc->getFilename();
+              instLine = oDILoc->getLine();
+
+            }
 
-          for (auto &BB : F) {
-            BasicBlock::iterator IP = BB.getFirstInsertionPt();
-            IRBuilder<> IRB(&(*IP));
-            if (!Loc)
-              Loc = IP->getDebugLoc();
           }
 
-          if ( Loc ) {
-              DILocation *cDILoc = dyn_cast<DILocation>(Loc.getAsMDNode());
+          /* Continue only if we know where we actually are */
+          if (!instFilename.str().empty()) {
 
-              unsigned int instLine = cDILoc->getLine();
-              instFilename = cDILoc->getFilename();
+            for (std::list<std::string>::iterator it = myWhitelist.begin();
+                 it != myWhitelist.end(); ++it) {
 
-              if (instFilename.str().empty()) {
-                  /* If the original location is empty, try using the inlined location */
-                  DILocation *oDILoc = cDILoc->getInlinedAt();
-                  if (oDILoc) {
-                      instFilename = oDILoc->getFilename();
-                      instLine = oDILoc->getLine();
-                  }
-              }
+              if (instFilename.str().length() >= it->length()) {
 
-              /* Continue only if we know where we actually are */
-              if (!instFilename.str().empty()) {
-                  for (std::list<std::string>::iterator it = myWhitelist.begin(); it != myWhitelist.end(); ++it) {
-                      if (instFilename.str().length() >= it->length()) {
-                          if (instFilename.str().compare(instFilename.str().length() - it->length(), it->length(), *it) == 0) {
-                              instrumentBlock = true;
-                              break;
-                          }
-                      }
-                  }
-              }
-          }
+                if (instFilename.str().compare(
+                        instFilename.str().length() - it->length(),
+                        it->length(), *it) == 0) {
 
-          /* Either we couldn't figure out our location or the location is
-           * not whitelisted, so we skip instrumentation. */
-          if (!instrumentBlock) {
-            if (!instFilename.str().empty())
-              SAYF(cYEL "[!] " cBRI "Not in whitelist, skipping %s ...\n", instFilename.str().c_str());
-            else
-              SAYF(cYEL "[!] " cBRI "No filename information found, skipping it");
-            continue;
-          }
-        }
-
-        std::unordered_set<BasicBlock *> MS;
-        if (!MarkSetOpt) {
-          for (auto &BB : F) {
-            MS.insert(&BB);
-          }
-          total_rs += F.size();
-        } else {
-          auto Result = markNodes(&F);
-          auto RS = Result.first;
-          auto HS = Result.second;
-
-          MS.insert(RS.begin(), RS.end());
-          if (!LoopHeadOpt) {
-            MS.insert(HS.begin(), HS.end());
-            total_rs += MS.size();
-          } else {
-            DenseSet<std::pair<BasicBlock *, BasicBlock *>> EdgeSet;
-            DominatorTreeWrapperPass *DTWP = &getAnalysis<DominatorTreeWrapperPass>(F);
-            auto DT = &DTWP->getDomTree();
-
-            total_rs += RS.size();
-            total_hs += HS.size();
-
-            for (BasicBlock *BB : HS) {
-              bool Inserted = false;
-              for (auto BI = pred_begin(BB), BE = pred_end(BB);
-                   BI != BE; ++BI
-              ) {
-                auto Edge = BasicBlockEdge(*BI, BB);
-                if (Edge.isSingleEdge() && DT->dominates(Edge, BB)) {
-                  EdgeSet.insert({*BI, BB});
-                  Inserted = true;
+                  instrumentBlock = true;
                   break;
+
                 }
+
               }
-              if (!Inserted) {
-                MS.insert(BB);
-                total_rs += 1;
-                total_hs -= 1;
-              }
+
             }
-            for (auto I = EdgeSet.begin(), E = EdgeSet.end(); I != E; ++I) {
-              auto PredBB = I->first;
-              auto SuccBB = I->second;
-              auto NewBB = SplitBlockPredecessors(SuccBB, {PredBB}, ".split",
-                                                  DT, nullptr,
+
+          }
+
+        }
+
+        /* Either we couldn't figure out our location or the location is
+         * not whitelisted, so we skip instrumentation. */
+        if (!instrumentBlock) {
+
+          if (!be_quiet) {
+
+            if (!instFilename.str().empty())
+              SAYF(cYEL "[!] " cBRI
+                        "Not in whitelist, skipping %s line %u...\n",
+                   instFilename.str().c_str(), instLine);
+            else
+              SAYF(cYEL "[!] " cBRI
+                        "No filename information found, skipping it");
+
+          }
+
+          continue;
+
+        }
+
+      }
+
+      std::unordered_set<BasicBlock *> MS;
+      if (!MarkSetOpt) {
+
+        for (auto &BB : F) {
+
+          MS.insert(&BB);
+
+        }
+
+        total_rs += F.size();
+
+      } else {
+
+        auto Result = markNodes(&F);
+        auto RS = Result.first;
+        auto HS = Result.second;
+
+        MS.insert(RS.begin(), RS.end());
+        if (!LoopHeadOpt) {
+
+          MS.insert(HS.begin(), HS.end());
+          total_rs += MS.size();
+
+        } else {
+
+          DenseSet<std::pair<BasicBlock *, BasicBlock *>> EdgeSet;
+          DominatorTreeWrapperPass *                      DTWP =
+              &getAnalysis<DominatorTreeWrapperPass>(F);
+          auto DT = &DTWP->getDomTree();
+
+          total_rs += RS.size();
+          total_hs += HS.size();
+
+          for (BasicBlock *BB : HS) {
+
+            bool Inserted = false;
+            for (auto BI = pred_begin(BB), BE = pred_end(BB); BI != BE; ++BI) {
+
+              auto Edge = BasicBlockEdge(*BI, BB);
+              if (Edge.isSingleEdge() && DT->dominates(Edge, BB)) {
+
+                EdgeSet.insert({*BI, BB});
+                Inserted = true;
+                break;
+
+              }
+
+            }
+
+            if (!Inserted) {
+
+              MS.insert(BB);
+              total_rs += 1;
+              total_hs -= 1;
+
+            }
+
+          }
+
+          for (auto I = EdgeSet.begin(), E = EdgeSet.end(); I != E; ++I) {
+
+            auto PredBB = I->first;
+            auto SuccBB = I->second;
+            auto NewBB =
+                SplitBlockPredecessors(SuccBB, {PredBB}, ".split", DT, nullptr,
 #if LLVM_VERSION_MAJOR >= 8
-                                                  nullptr,
+                                       nullptr,
 #endif
-                                                  false);
-              MS.insert(NewBB);
-            }
+                                       false);
+            MS.insert(NewBB);
+
           }
 
-          auto *EBB = &F.getEntryBlock();
-          if (succ_begin(EBB) == succ_end(EBB)) {
-            MS.insert(EBB);
-            total_rs += 1;
-          }
+        }
+
+        auto *EBB = &F.getEntryBlock();
+        if (succ_begin(EBB) == succ_end(EBB)) {
+
+          MS.insert(EBB);
+          total_rs += 1;
 
-          for (BasicBlock &BB : F) {
-            if (MS.find(&BB) == MS.end()) {
-              continue;
-            }
-            IRBuilder<> IRB(&*BB.getFirstInsertionPt());
-            IRB.CreateStore(ConstantInt::get(Int32Ty, genLabel()), OldPrev);
-          }
         }
 
         for (BasicBlock &BB : F) {
-          auto PI = pred_begin(&BB);
-          auto PE = pred_end(&BB);
-          if (MarkSetOpt && MS.find(&BB) == MS.end()) {
-            continue;
-          }
 
+          if (MS.find(&BB) == MS.end()) { continue; }
           IRBuilder<> IRB(&*BB.getFirstInsertionPt());
-          Value *L = NULL;
-          if (PI == PE) {
-            L = ConstantInt::get(Int32Ty, genLabel());
-          } else {
-            auto *PN = PHINode::Create(Int32Ty, 0, "", &*BB.begin());
-            DenseMap<BasicBlock *, unsigned> PredMap;
-            for (auto PI = pred_begin(&BB), PE = pred_end(&BB);
-                 PI != PE; ++PI
-            ) {
-              BasicBlock *PBB = *PI;
-              auto It = PredMap.insert({PBB, genLabel()});
-              unsigned Label = It.first->second;
-              PN->addIncoming(ConstantInt::get(Int32Ty, Label), PBB);
-            }
-            L = PN;
+          IRB.CreateStore(ConstantInt::get(Int32Ty, genLabel()), OldPrev);
+
+        }
+
+      }
+
+      for (BasicBlock &BB : F) {
+
+        auto PI = pred_begin(&BB);
+        auto PE = pred_end(&BB);
+        if (MarkSetOpt && MS.find(&BB) == MS.end()) { continue; }
+
+        IRBuilder<> IRB(&*BB.getFirstInsertionPt());
+        Value *     L = NULL;
+        if (PI == PE) {
+
+          L = ConstantInt::get(Int32Ty, genLabel());
+
+        } else {
+
+          auto *PN = PHINode::Create(Int32Ty, 0, "", &*BB.begin());
+          DenseMap<BasicBlock *, unsigned> PredMap;
+          for (auto PI = pred_begin(&BB), PE = pred_end(&BB); PI != PE; ++PI) {
+
+            BasicBlock *PBB = *PI;
+            auto        It = PredMap.insert({PBB, genLabel()});
+            unsigned    Label = It.first->second;
+            PN->addIncoming(ConstantInt::get(Int32Ty, Label), PBB);
+
           }
 
-          /* Load prev_loc */
-          LoadInst *PrevLoc = IRB.CreateLoad(OldPrev);
-          PrevLoc->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
-          Value *PrevLocCasted = IRB.CreateZExt(PrevLoc, IRB.getInt32Ty());
+          L = PN;
 
-          /* Load SHM pointer */
-          LoadInst *MapPtr = IRB.CreateLoad(CovMapPtr);
-          MapPtr->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
-          Value *MapPtrIdx = IRB.CreateGEP(MapPtr, IRB.CreateXor(PrevLocCasted, L));
+        }
 
-          /* Update bitmap */
-          LoadInst *Counter = IRB.CreateLoad(MapPtrIdx);
-          Counter->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
-          
-          Value *Incr = IRB.CreateAdd(Counter, ConstantInt::get(Int8Ty, 1));
+        /* Load prev_loc */
+        LoadInst *PrevLoc = IRB.CreateLoad(OldPrev);
+        PrevLoc->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
+        Value *PrevLocCasted = IRB.CreateZExt(PrevLoc, IRB.getInt32Ty());
+
+        /* Load SHM pointer */
+        LoadInst *MapPtr = IRB.CreateLoad(CovMapPtr);
+        MapPtr->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
+        Value *MapPtrIdx =
+            IRB.CreateGEP(MapPtr, IRB.CreateXor(PrevLocCasted, L));
+
+        /* Update bitmap */
+        LoadInst *Counter = IRB.CreateLoad(MapPtrIdx);
+        Counter->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
+
+        Value *Incr = IRB.CreateAdd(Counter, One);
 
 #if LLVM_VERSION_MAJOR < 9
-          if (neverZero_counters_str != NULL) { // with llvm 9 we make this the default as the bug in llvm is then fixed
+        if (neverZero_counters_str !=
+            NULL)  // with llvm 9 we make this the default as the bug in llvm is
+                   // then fixed
 #else
-  #warning "neverZero implementation needs to be reviewed!"
+        if (1)  // with llvm 9 we make this the default as the bug in llvm is
+                // then fixed
 #endif
+        {
+
           /* hexcoder: Realize a counter that skips zero during overflow.
-           * Once this counter reaches its maximum value, it next increments to 1
+           * Once this counter reaches its maximum value, it next increments to
+           * 1
            *
            * Instead of
            * Counter + 1 -> Counter
@@ -307,40 +399,52 @@ namespace {
            * Counter + 1 -> {Counter, OverflowFlag}
            * Counter + OverflowFlag -> Counter
            */
-            auto cf = IRB.CreateICmpEQ(Incr, ConstantInt::get(Int8Ty, 0));
-            auto carry = IRB.CreateZExt(cf, Int8Ty);
-            Incr = IRB.CreateAdd(Incr, carry);
-#if LLVM_VERSION_MAJOR < 9
-          }
-#endif
-   
-          IRB.CreateStore(Incr, MapPtrIdx)->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
-   
-          /* Set prev_loc to cur_loc >> 1 */
-          /*
-          StoreInst *Store = IRB.CreateStore(ConstantInt::get(Int32Ty, cur_loc >> 1), AFLPrevLoc);
-          Store->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
-          */
+          auto cf = IRB.CreateICmpEQ(Incr, Zero);
+          auto carry = IRB.CreateZExt(cf, Int8Ty);
+          Incr = IRB.CreateAdd(Incr, carry);
 
-          total_instr++;
         }
+
+        IRB.CreateStore(Incr, MapPtrIdx)
+            ->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
+
+        /* Set prev_loc to cur_loc >> 1 */
+        /*
+        StoreInst *Store = IRB.CreateStore(ConstantInt::get(Int32Ty, L >> 1),
+        OldPrev); Store->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C,
+        None));
+        */
+
+        total_instr++;
+
       }
 
-      OKF("Instrumented %u locations (%llu, %llu) (%s mode)\n"/*", ratio %u%%)."*/,
-          total_instr, total_rs, total_hs,
-          getenv("AFL_HARDEN") ? "hardened" :
-          ((getenv("AFL_USE_ASAN") || getenv("AFL_USE_MSAN")) ?
-          "ASAN/MSAN" : "non-hardened")/*, inst_ratio*/);
-      return false;
     }
-  }; // end of struct InsTrim
+
+    OKF("Instrumented %u locations (%llu, %llu) (%s mode)\n" /*", ratio
+                                                                %u%%)."*/
+        ,
+        total_instr, total_rs, total_hs,
+        getenv("AFL_HARDEN")
+            ? "hardened"
+            : ((getenv("AFL_USE_ASAN") || getenv("AFL_USE_MSAN"))
+                   ? "ASAN/MSAN"
+                   : "non-hardened") /*, inst_ratio*/);
+    return false;
+
+  }
+
+};  // end of struct InsTrim
+
 }  // end of anonymous namespace
 
 char InsTrim::ID = 0;
 
 static void registerAFLPass(const PassManagerBuilder &,
                             legacy::PassManagerBase &PM) {
+
   PM.add(new InsTrim());
+
 }
 
 static RegisterStandardPasses RegisterAFLPass(
@@ -348,3 +452,4 @@ static RegisterStandardPasses RegisterAFLPass(
 
 static RegisterStandardPasses RegisterAFLPass0(
     PassManagerBuilder::EP_EnabledOnOptLevel0, registerAFLPass);
+

llvm_mode/Makefile

@@ -3,7 +3,7 @@
 # -----------------------------------------
 #
 # Written by Laszlo Szekeres <lszekeres@google.com> and
-#            Michal Zalewski <lcamtuf@google.com>
+#            Michal Zalewski
 #
 # LLVM integration design comes from Laszlo Szekeres.
 #
@@ -25,30 +25,55 @@ BIN_PATH     = $(PREFIX)/bin
 
 VERSION     = $(shell grep '^\#define VERSION ' ../config.h | cut -d '"' -f2)
 
-LLVM_CONFIG ?= llvm-config
-LLVMVER  = $(shell $(LLVM_CONFIG) --version)
-LLVM_UNSUPPORTED = $(shell $(LLVM_CONFIG) --version | egrep -q '^9|3.0' && echo 1 || echo 0 )
-LLVM_MAJOR = ($shell $(LLVM_CONFIG) --version | sed 's/\..*//')
-
-ifeq "$(LLVM_UNSUPPORTED)" "1"
-  $(warn llvm_mode only supports versions 3.8.0 up to 8.x )
+ifeq "$(shell uname)" "OpenBSD"
+  LLVM_CONFIG ?= $(BIN_PATH)/llvm-config
+  HAS_OPT = $(shell test -x $(BIN_PATH)/opt && echo 0 || echo 1)
+  ifeq "$(HAS_OPT)" "1"
+    $(error llvm_mode needs a complete llvm installation (versions 3.8.0 up to 10) -> e.g. "pkg_add llvm-7.0.1p9")
+  endif
+else
+  LLVM_CONFIG ?= llvm-config
+endif
+
+LLVMVER  = $(shell $(LLVM_CONFIG) --version 2>/dev/null )
+LLVM_UNSUPPORTED = $(shell $(LLVM_CONFIG) --version 2>/dev/null | egrep -q '^3\.[0-7]|^1[1-9]' && echo 1 || echo 0 )
+LLVM_NEW_API = $(shell $(LLVM_CONFIG) --version 2>/dev/null | egrep -q '^1[0-9]' && echo 1 || echo 0 )
+LLVM_MAJOR = $(shell $(LLVM_CONFIG) --version 2>/dev/null | sed 's/\..*//')
+LLVM_BINDIR = $(shell $(LLVM_CONFIG) --bindir 2>/dev/null)
+LLVM_STDCXX = gnu++11
+LLVM_APPLE = $(shell clang -v 2>&1 | grep -iq apple && echo 1 || echo 0)
+
+ifeq "$(LLVMVER)" ""
+  $(warning llvm_mode needs llvm-config, which was not found)
+endif
+
+ifeq "$(LLVM_UNSUPPORTED)" "1"
+  $(warning llvm_mode only supports llvm versions 3.8.0 up to 10)
 endif
 
-# this is not visible yet:
 ifeq "$(LLVM_MAJOR)" "9"
-  $(info llvm_mode deteted llvm 9, enabling neverZero implementation)
+  $(info llvm_mode detected llvm 9, enabling neverZero implementation)
+endif
+
+ifeq "$(LLVM_NEW_API)" "1"
+  $(info llvm_mode detected llvm 10+, enabling neverZero implementation and c++14)
+  LLVM_STDCXX = c++14
+endif
+
+ifeq "$(LLVM_APPLE)" "1"
+  $(warning llvm_mode will not compile with Xcode clang...)
 endif
 
 CFLAGS      ?= -O3 -funroll-loops
-CFLAGS      += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign \
+CFLAGS      += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -I ../include/ \
                -DAFL_PATH=\"$(HELPER_PATH)\" -DBIN_PATH=\"$(BIN_PATH)\" \
-               -DVERSION=\"$(VERSION)\"
+               -DLLVM_BINDIR=\"$(LLVM_BINDIR)\" -DVERSION=\"$(VERSION)\"
 ifdef AFL_TRACE_PC
   CFLAGS    += -DUSE_TRACE_PC=1
 endif
 
 CXXFLAGS    ?= -O3 -funroll-loops
-CXXFLAGS    += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign \
+CXXFLAGS    += -Wall -D_FORTIFY_SOURCE=2 -g -I ../include/ \
                -DVERSION=\"$(VERSION)\" -Wno-variadic-macros
 
 CLANG_CFL    = `$(LLVM_CONFIG) --cxxflags` -Wl,-znodelete -fno-rtti -fpic $(CXXFLAGS)
@@ -61,24 +86,36 @@ ifeq "$(shell uname)" "Darwin"
 endif
 
 ifeq "$(shell uname)" "OpenBSD"
-  CLANG_LFL += `$(LLVM_CONFIG) --libdir`/libLLVM.so.0.0
+  CLANG_LFL += `$(LLVM_CONFIG) --libdir`/libLLVM.so
 endif
 
 # We were using llvm-config --bindir to get the location of clang, but
 # this seems to be busted on some distros, so using the one in $PATH is
 # probably better.
 
-ifeq "$(origin CC)" "default"
-  CC         = clang
-  CXX        = clang++
+CC         = $(LLVM_BINDIR)/clang
+CXX        = $(LLVM_BINDIR)/clang++
+
+ifeq "$(shell test -e $(CC) || echo 1 )" "1"
+  # llvm-config --bindir is not providing a valid path, so ...
+  ifeq "$(shell test -e '$(BIN_DIR)/clang' && echo 1)" "1"
+    # we found one in the local install directory, lets use these
+    CC         = $(BIN_DIR)/clang
+    CXX        = $(BIN_DIR)/clang++
+  else
+    # hope for the best
+    $(warning we have trouble finding clang/clang++ - llvm-config is not helping us)
+    CC         = clang
+    CXX        = clang++
+  endif
 endif
 
 # sanity check.
 # Are versions of clang --version and llvm-config --version equal?
-CLANGVER = $(shell $(CC) --version | sed -E -ne '/^.*([0-9]\.[0-9]\.[0-9]).*/s//\1/p')
+CLANGVER = $(shell $(CC) --version | sed -E -ne '/^.*version\ ([0-9]\.[0-9]\.[0-9]).*/s//\1/p')
 
 
-ifeq "$(shell echo '\#include <sys/ipc.h>@\#include <sys/shm.h>@int main() { int _id = shmget(IPC_PRIVATE, 65536, IPC_CREAT | IPC_EXCL | 0600); shmctl(_id, IPC_RMID, 0); return 0;}' | tr @ '\n' | $(CC) -x c - -o .test2 2>/dev/null && echo 1 || echo 0 )" "1"
+ifeq "$(shell echo '\#include <sys/ipc.h>@\#include <sys/shm.h>@int main() { int _id = shmget(IPC_PRIVATE, 65536, IPC_CREAT | IPC_EXCL | 0600); shmctl(_id, IPC_RMID, 0); return 0;}' | tr @ '\n' | $(CC) -x c - -o .test2 2>/dev/null && echo 1 || echo 0 ; rm -f .test2 )" "1"
         SHMAT_OK=1
 else
         SHMAT_OK=0
@@ -92,7 +129,6 @@ ifeq "$(TEST_MMAP)" "1"
         LDFLAGS += -lrt
 endif
 
-
 ifndef AFL_TRACE_PC
   PROGS      = ../afl-clang-fast ../afl-llvm-pass.so ../libLLVMInsTrim.so ../afl-llvm-rt.o ../afl-llvm-rt-32.o ../afl-llvm-rt-64.o ../compare-transform-pass.so ../split-compares-pass.so ../split-switches-pass.so
 else
@@ -100,12 +136,26 @@ else
 endif
 
 ifneq "$(CLANGVER)" "$(LLVMVER)"
-  CC = $(shell llvm-config --bindir)/clang
-  CXX = $(shell llvm-config --bindir)/clang++
+  CC = $(shell $(LLVM_CONFIG) --bindir)/clang
+  CXX = $(shell $(LLVM_CONFIG) --bindir)/clang++
 endif
 
-all: test_shm test_deps $(PROGS) test_build all_done
+# If prerequisites are not given, warn, do not build anything, and exit with code 0
+ifeq "$(LLVMVER)" ""
+  NO_BUILD = 1
+endif
 
+ifneq "$(LLVM_UNSUPPORTED)$(LLVM_APPLE)" "00"
+  NO_BUILD = 1
+endif
+
+ifeq "$(NO_BUILD)" "1"
+  TARGETS = no_build
+else
+  TARGETS = test_shm test_deps $(PROGS) afl-clang-fast.8 test_build all_done
+endif
+
+all: $(TARGETS)
 
 ifeq "$(SHMAT_OK)" "1"
 
@@ -120,11 +170,15 @@ test_shm:
 
 endif
 
+no_build:
+	@printf "%b\\n" "\\033[0;31mPrerequisites are not met, skipping build llvm_mode\\033[0m"
 
 test_deps:
 ifndef AFL_TRACE_PC
 	@echo "[*] Checking for working 'llvm-config'..."
+ ifneq "$(LLVM_APPLE)" "1"
 	@which $(LLVM_CONFIG) >/dev/null 2>&1 || ( echo "[-] Oops, can't find 'llvm-config'. Install clang or set \$$LLVM_CONFIG or \$$PATH beforehand."; echo "    (Sometimes, the binary will be named llvm-config-3.5 or something like that.)"; exit 1 )
+ endif
 else
 	@echo "[!] Note: using -fsanitize=trace-pc mode (this will fail with older LLVM)."
 endif
@@ -146,10 +200,10 @@ endif
 	ln -sf afl-clang-fast ../afl-clang-fast++
 
 ../libLLVMInsTrim.so: LLVMInsTrim.so.cc MarkNodes.cc | test_deps
-	$(CXX) $(CLANG_CFL) -DLLVMInsTrim_EXPORTS -fno-rtti -fPIC -std=gnu++11 -shared $< MarkNodes.cc -o $@ $(CLANG_LFL)
+	$(CXX) $(CLANG_CFL) -DLLVMInsTrim_EXPORTS -fno-rtti -fPIC -std=$(LLVM_STDCXX) -shared $< MarkNodes.cc -o $@ $(CLANG_LFL)
 
 ../afl-llvm-pass.so: afl-llvm-pass.so.cc | test_deps
-	$(CXX) $(CLANG_CFL) -DLLVMInsTrim_EXPORTS -fno-rtti -fPIC -std=gnu++11 -shared $< -o $@ $(CLANG_LFL)
+	$(CXX) $(CLANG_CFL) -DLLVMInsTrim_EXPORTS -fno-rtti -fPIC -std=$(LLVM_STDCXX) -shared $< -o $@ $(CLANG_LFL)
 
 # laf
 ../split-switches-pass.so:	split-switches-pass.so.cc | test_deps
@@ -174,10 +228,10 @@ endif
 test_build: $(PROGS)
 	@echo "[*] Testing the CC wrapper and instrumentation output..."
 	unset AFL_USE_ASAN AFL_USE_MSAN AFL_INST_RATIO; AFL_QUIET=1 AFL_PATH=. AFL_CC=$(CC) AFL_LLVM_LAF_SPLIT_SWITCHES=1 AFL_LLVM_LAF_TRANSFORM_COMPARES=1 AFL_LLVM_LAF_SPLIT_COMPARES=1 ../afl-clang-fast $(CFLAGS) ../test-instr.c -o test-instr $(LDFLAGS)
-	echo 0 | ../afl-showmap -m none -q -o .test-instr0 ./test-instr
+	../afl-showmap -m none -q -o .test-instr0 ./test-instr < /dev/null
 	echo 1 | ../afl-showmap -m none -q -o .test-instr1 ./test-instr
 	@rm -f test-instr
-	@cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation does not seem to be behaving correctly!"; echo; echo "Please ping <lcamtuf@google.com> to troubleshoot the issue."; echo; exit 1; fi
+	@cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation does not seem to be behaving correctly!"; echo; echo "Please post to https://github.com/vanhauser-thc/AFLplusplus/issues to troubleshoot the issue."; echo; exit 1; fi
 	@echo "[+] All right, the instrumentation seems to be working!"
 
 all_done: test_build
@@ -185,6 +239,27 @@ all_done: test_build
 
 .NOTPARALLEL: clean
 
+vpath  % ..
+%.8: %
+	@echo .TH $* 8 `date "+%Y-%m-%d"` "afl++" > ../$@
+	@echo .SH NAME >> ../$@
+	@echo .B $* >> ../$@
+	@echo >> ../$@
+	@echo .SH SYNOPSIS >> ../$@
+	@../$* -h 2>&1 | head -n 3 | tail -n 1 | sed 's/^\.\///' >> ../$@
+	@echo >> ../$@
+	@echo .SH OPTIONS >> ../$@
+	@echo .nf >> ../$@
+	@../$* -h 2>&1 | tail -n +4 >> ../$@
+	@echo >> ../$@
+	@echo .SH AUTHOR >> ../$@
+	@echo "afl++ was written by Michal \"lcamtuf\" Zalewski and is maintained by Marc \"van Hauser\" Heuse <mh@mh-sec.de>, Heiko \"hexcoder-\" Eissfeldt <heiko.eissfeldt@hexco.de> and Andrea Fioraldi <andreafioraldi@gmail.com>" >> ../$@
+	@echo  The homepage of afl++ is: https://github.com/vanhauser-thc/AFLplusplus >> ../$@
+	@echo >> ../$@
+	@echo .SH LICENSE >> ../$@
+	@echo Apache License Version 2.0, January 2004 >> ../$@
+	ln -sf afl-clang-fast.8 ../afl-clang-fast++.8
+
 clean:
 	rm -f *.o *.so *~ a.out core core.[1-9][0-9]* .test2 test-instr .test-instr0 .test-instr1 
-	rm -f $(PROGS) ../afl-clang-fast++
+	rm -f $(PROGS) ../afl-clang-fast++ ../afl-clang-fast*.8

llvm_mode/MarkNodes.cc

@@ -19,207 +19,267 @@
 
 using namespace llvm;
 
-DenseMap<BasicBlock *, uint32_t> LMap;
-std::vector<BasicBlock *> Blocks;
-std::set<uint32_t> Marked , Markabove;
-std::vector< std::vector<uint32_t> > Succs , Preds;
+DenseMap<BasicBlock *, uint32_t>    LMap;
+std::vector<BasicBlock *>           Blocks;
+std::set<uint32_t>                  Marked, Markabove;
+std::vector<std::vector<uint32_t> > Succs, Preds;
+
+void reset() {
 
-void reset(){
   LMap.clear();
   Blocks.clear();
   Marked.clear();
   Markabove.clear();
+
 }
 
 uint32_t start_point;
 
 void labelEachBlock(Function *F) {
+
   // Fake single endpoint;
   LMap[NULL] = Blocks.size();
   Blocks.push_back(NULL);
- 
+
   // Assign the unique LabelID to each block;
   for (auto I = F->begin(), E = F->end(); I != E; ++I) {
+
     BasicBlock *BB = &*I;
     LMap[BB] = Blocks.size();
     Blocks.push_back(BB);
+
   }
-  
+
   start_point = LMap[&F->getEntryBlock()];
+
 }
 
 void buildCFG(Function *F) {
-  Succs.resize( Blocks.size() );
-  Preds.resize( Blocks.size() );
-  for( size_t i = 0 ; i < Succs.size() ; i ++ ){
-    Succs[ i ].clear();
-    Preds[ i ].clear();
+
+  Succs.resize(Blocks.size());
+  Preds.resize(Blocks.size());
+  for (size_t i = 0; i < Succs.size(); i++) {
+
+    Succs[i].clear();
+    Preds[i].clear();
+
   }
 
-  //uint32_t FakeID = 0;
+  // uint32_t FakeID = 0;
   for (auto S = F->begin(), E = F->end(); S != E; ++S) {
+
     BasicBlock *BB = &*S;
-    uint32_t MyID = LMap[BB];
-    //if (succ_begin(BB) == succ_end(BB)) {
-      //Succs[MyID].push_back(FakeID);
-      //Marked.insert(MyID);
+    uint32_t    MyID = LMap[BB];
+    // if (succ_begin(BB) == succ_end(BB)) {
+
+    // Succs[MyID].push_back(FakeID);
+    // Marked.insert(MyID);
     //}
     for (auto I = succ_begin(BB), E = succ_end(BB); I != E; ++I) {
+
       Succs[MyID].push_back(LMap[*I]);
+
     }
+
   }
+
 }
 
-std::vector< std::vector<uint32_t> > tSuccs;
-std::vector<bool> tag , indfs;
+std::vector<std::vector<uint32_t> > tSuccs;
+std::vector<bool>                   tag, indfs;
 
 void DFStree(size_t now_id) {
-  if(tag[now_id]) return;
-  tag[now_id]=true;
-  indfs[now_id]=true;
-  for (auto succ: tSuccs[now_id]) {
-    if(tag[succ] and indfs[succ]) {
+
+  if (tag[now_id]) return;
+  tag[now_id] = true;
+  indfs[now_id] = true;
+  for (auto succ : tSuccs[now_id]) {
+
+    if (tag[succ] and indfs[succ]) {
+
       Marked.insert(succ);
       Markabove.insert(succ);
       continue;
+
     }
+
     Succs[now_id].push_back(succ);
     Preds[succ].push_back(now_id);
     DFStree(succ);
+
   }
-  indfs[now_id]=false;
+
+  indfs[now_id] = false;
+
 }
+
 void turnCFGintoDAG(Function *F) {
+
   tSuccs = Succs;
   tag.resize(Blocks.size());
   indfs.resize(Blocks.size());
-  for (size_t i = 0; i < Blocks.size(); ++ i) {
+  for (size_t i = 0; i < Blocks.size(); ++i) {
+
     Succs[i].clear();
-    tag[i]=false;
-    indfs[i]=false;
+    tag[i] = false;
+    indfs[i] = false;
+
   }
+
   DFStree(start_point);
-  for (size_t i = 0; i < Blocks.size(); ++ i) 
-    if( Succs[i].empty() ){
+  for (size_t i = 0; i < Blocks.size(); ++i)
+    if (Succs[i].empty()) {
+
       Succs[i].push_back(0);
       Preds[0].push_back(i);
+
     }
+
 }
 
 uint32_t timeStamp;
-namespace DominatorTree{
-  std::vector< std::vector<uint32_t> > cov;
-  std::vector<uint32_t> dfn, nfd, par, sdom, idom, mom, mn;
+namespace DominatorTree {
+
+std::vector<std::vector<uint32_t> > cov;
+std::vector<uint32_t>               dfn, nfd, par, sdom, idom, mom, mn;
+
+bool Compare(uint32_t u, uint32_t v) {
+
+  return dfn[u] < dfn[v];
+
+}
+
+uint32_t eval(uint32_t u) {
+
+  if (mom[u] == u) return u;
+  uint32_t res = eval(mom[u]);
+  if (Compare(sdom[mn[mom[u]]], sdom[mn[u]])) { mn[u] = mn[mom[u]]; }
+  return mom[u] = res;
+
+}
+
+void DFS(uint32_t now) {
+
+  timeStamp += 1;
+  dfn[now] = timeStamp;
+  nfd[timeStamp - 1] = now;
+  for (auto succ : Succs[now]) {
+
+    if (dfn[succ] == 0) {
+
+      par[succ] = now;
+      DFS(succ);
 
-  bool Compare(uint32_t u, uint32_t v) {
-    return dfn[u] < dfn[v];
-  }
-  uint32_t eval(uint32_t u) {
-    if( mom[u] == u ) return u;
-    uint32_t res = eval( mom[u] );
-    if(Compare(sdom[mn[mom[u]]] , sdom[mn[u]])) {
-      mn[u] = mn[mom[u]];
     }
-    return mom[u] = res;
+
   }
 
-  void DFS(uint32_t now) {
-    timeStamp += 1;
-    dfn[now] = timeStamp;
-    nfd[timeStamp - 1] = now;
-    for( auto succ : Succs[now] ) {
-      if( dfn[succ] == 0 ) {
-        par[succ] = now;
-        DFS(succ);
-      }
-    }
+}
+
+void DominatorTree(Function *F) {
+
+  if (Blocks.empty()) return;
+  uint32_t s = start_point;
+
+  // Initialization
+  mn.resize(Blocks.size());
+  cov.resize(Blocks.size());
+  dfn.resize(Blocks.size());
+  nfd.resize(Blocks.size());
+  par.resize(Blocks.size());
+  mom.resize(Blocks.size());
+  sdom.resize(Blocks.size());
+  idom.resize(Blocks.size());
+
+  for (uint32_t i = 0; i < Blocks.size(); i++) {
+
+    dfn[i] = 0;
+    nfd[i] = Blocks.size();
+    cov[i].clear();
+    idom[i] = mom[i] = mn[i] = sdom[i] = i;
+
   }
 
-  void DominatorTree(Function *F) {
-    if( Blocks.empty() ) return;
-    uint32_t s = start_point;
+  timeStamp = 0;
+  DFS(s);
 
-    // Initialization
-    mn.resize(Blocks.size());
-    cov.resize(Blocks.size());
-    dfn.resize(Blocks.size());
-    nfd.resize(Blocks.size());
-    par.resize(Blocks.size());
-    mom.resize(Blocks.size());
-    sdom.resize(Blocks.size());
-    idom.resize(Blocks.size());
+  for (uint32_t i = Blocks.size() - 1; i >= 1u; i--) {
+
+    uint32_t now = nfd[i];
+    if (now == Blocks.size()) { continue; }
+    for (uint32_t pre : Preds[now]) {
+
+      if (dfn[pre]) {
+
+        eval(pre);
+        if (Compare(sdom[mn[pre]], sdom[now])) { sdom[now] = sdom[mn[pre]]; }
+
+      }
 
-    for( uint32_t i = 0 ; i < Blocks.size() ; i ++ ) {
-      dfn[i] = 0;
-      nfd[i] = Blocks.size();
-      cov[i].clear();
-      idom[i] = mom[i] = mn[i] = sdom[i] = i;
     }
 
-    timeStamp = 0;
-    DFS(s);
+    cov[sdom[now]].push_back(now);
+    mom[now] = par[now];
+    for (uint32_t x : cov[par[now]]) {
+
+      eval(x);
+      if (Compare(sdom[mn[x]], par[now])) {
+
+        idom[x] = mn[x];
+
+      } else {
+
+        idom[x] = par[now];
 
-    for( uint32_t i = Blocks.size() - 1 ; i >= 1u ; i -- ) {
-      uint32_t now = nfd[i];
-      if( now == Blocks.size() ) {
-        continue;
-      }
-      for( uint32_t pre : Preds[ now ] ) {
-        if( dfn[ pre ] ) {
-          eval(pre);
-          if( Compare(sdom[mn[pre]], sdom[now]) ) {
-            sdom[now] = sdom[mn[pre]];
-          }
-        }
-      }
-      cov[sdom[now]].push_back(now);
-      mom[now] = par[now];
-      for( uint32_t x : cov[par[now]] ) {
-        eval(x);
-        if( Compare(sdom[mn[x]], par[now]) ) {
-          idom[x] = mn[x];
-        } else {
-          idom[x] = par[now];
-        }
       }
+
     }
 
-    for( uint32_t i = 1 ; i < Blocks.size() ; i += 1 ) {
-      uint32_t now = nfd[i];
-      if( now == Blocks.size() ) {
-        continue;
-      }
-      if(idom[now] != sdom[now])
-        idom[now] = idom[idom[now]];
-    }
   }
-}; // End of DominatorTree
 
-std::vector<uint32_t> Visited, InStack;
-std::vector<uint32_t> TopoOrder, InDeg;
-std::vector< std::vector<uint32_t> > t_Succ , t_Pred;
+  for (uint32_t i = 1; i < Blocks.size(); i += 1) {
+
+    uint32_t now = nfd[i];
+    if (now == Blocks.size()) { continue; }
+    if (idom[now] != sdom[now]) idom[now] = idom[idom[now]];
+
+  }
+
+}
+
+}  // namespace DominatorTree
+
+std::vector<uint32_t>               Visited, InStack;
+std::vector<uint32_t>               TopoOrder, InDeg;
+std::vector<std::vector<uint32_t> > t_Succ, t_Pred;
 
 void Go(uint32_t now, uint32_t tt) {
-  if( now == tt ) return;
+
+  if (now == tt) return;
   Visited[now] = InStack[now] = timeStamp;
 
-  for(uint32_t nxt : Succs[now]) {
-    if(Visited[nxt] == timeStamp and InStack[nxt] == timeStamp) {
+  for (uint32_t nxt : Succs[now]) {
+
+    if (Visited[nxt] == timeStamp and InStack[nxt] == timeStamp) {
+
       Marked.insert(nxt);
+
     }
+
     t_Succ[now].push_back(nxt);
     t_Pred[nxt].push_back(now);
     InDeg[nxt] += 1;
-    if(Visited[nxt] == timeStamp) {
-      continue;
-    }
+    if (Visited[nxt] == timeStamp) { continue; }
     Go(nxt, tt);
+
   }
 
   InStack[now] = 0;
+
 }
 
 void TopologicalSort(uint32_t ss, uint32_t tt) {
+
   timeStamp += 1;
 
   Go(ss, tt);
@@ -227,76 +287,111 @@ void TopologicalSort(uint32_t ss, uint32_t tt) {
   TopoOrder.clear();
   std::queue<uint32_t> wait;
   wait.push(ss);
-  while( not wait.empty() ) {
-    uint32_t now = wait.front(); wait.pop();
+  while (not wait.empty()) {
+
+    uint32_t now = wait.front();
+    wait.pop();
     TopoOrder.push_back(now);
-    for(uint32_t nxt : t_Succ[now]) {
+    for (uint32_t nxt : t_Succ[now]) {
+
       InDeg[nxt] -= 1;
-      if(InDeg[nxt] == 0u) {
-        wait.push(nxt);
-      }
+      if (InDeg[nxt] == 0u) { wait.push(nxt); }
+
     }
+
   }
+
 }
 
-std::vector< std::set<uint32_t> > NextMarked;
-bool Indistinguish(uint32_t node1, uint32_t node2) {
-  if(NextMarked[node1].size() > NextMarked[node2].size()){
+std::vector<std::set<uint32_t> > NextMarked;
+bool                             Indistinguish(uint32_t node1, uint32_t node2) {
+
+  if (NextMarked[node1].size() > NextMarked[node2].size()) {
+
     uint32_t _swap = node1;
     node1 = node2;
     node2 = _swap;
+
   }
-  for(uint32_t x : NextMarked[node1]) {
-    if( NextMarked[node2].find(x) != NextMarked[node2].end() ) {
-      return true;
-    }
+
+  for (uint32_t x : NextMarked[node1]) {
+
+    if (NextMarked[node2].find(x) != NextMarked[node2].end()) { return true; }
+
   }
+
   return false;
+
 }
 
 void MakeUniq(uint32_t now) {
+
   bool StopFlag = false;
   if (Marked.find(now) == Marked.end()) {
-    for(uint32_t pred1 : t_Pred[now]) {
-      for(uint32_t pred2 : t_Pred[now]) {
-        if(pred1 == pred2) continue;
-        if(Indistinguish(pred1, pred2)) {
+
+    for (uint32_t pred1 : t_Pred[now]) {
+
+      for (uint32_t pred2 : t_Pred[now]) {
+
+        if (pred1 == pred2) continue;
+        if (Indistinguish(pred1, pred2)) {
+
           Marked.insert(now);
           StopFlag = true;
           break;
+
         }
+
       }
-      if (StopFlag) {
-        break;
-      }
+
+      if (StopFlag) { break; }
+
     }
+
   }
-  if(Marked.find(now) != Marked.end()) {
+
+  if (Marked.find(now) != Marked.end()) {
+
     NextMarked[now].insert(now);
+
   } else {
-    for(uint32_t pred : t_Pred[now]) {
-      for(uint32_t x : NextMarked[pred]) {
+
+    for (uint32_t pred : t_Pred[now]) {
+
+      for (uint32_t x : NextMarked[pred]) {
+
         NextMarked[now].insert(x);
+
       }
+
     }
+
   }
+
 }
 
 void MarkSubGraph(uint32_t ss, uint32_t tt) {
-  TopologicalSort(ss, tt);
-  if(TopoOrder.empty()) return;
 
-  for(uint32_t i : TopoOrder) {
+  TopologicalSort(ss, tt);
+  if (TopoOrder.empty()) return;
+
+  for (uint32_t i : TopoOrder) {
+
     NextMarked[i].clear();
+
   }
 
   NextMarked[TopoOrder[0]].insert(TopoOrder[0]);
-  for(uint32_t i = 1 ; i < TopoOrder.size() ; i += 1) {
+  for (uint32_t i = 1; i < TopoOrder.size(); i += 1) {
+
     MakeUniq(TopoOrder[i]);
+
   }
+
 }
 
 void MarkVertice(Function *F) {
+
   uint32_t s = start_point;
 
   InDeg.resize(Blocks.size());
@@ -306,26 +401,32 @@ void MarkVertice(Function *F) {
   t_Pred.resize(Blocks.size());
   NextMarked.resize(Blocks.size());
 
-  for( uint32_t i = 0 ; i < Blocks.size() ; i += 1 ) {
+  for (uint32_t i = 0; i < Blocks.size(); i += 1) {
+
     Visited[i] = InStack[i] = InDeg[i] = 0;
     t_Succ[i].clear();
     t_Pred[i].clear();
+
   }
+
   timeStamp = 0;
   uint32_t t = 0;
-  //MarkSubGraph(s, t);
-  //return;
+  // MarkSubGraph(s, t);
+  // return;
+
+  while (s != t) {
 
-  while( s != t ) {
     MarkSubGraph(DominatorTree::idom[t], t);
     t = DominatorTree::idom[t];
+
   }
 
 }
 
 // return {marked nodes}
-std::pair<std::vector<BasicBlock *>,
-          std::vector<BasicBlock *> >markNodes(Function *F) {
+std::pair<std::vector<BasicBlock *>, std::vector<BasicBlock *> > markNodes(
+    Function *F) {
+
   assert(F->size() > 0 && "Function can not be empty");
 
   reset();
@@ -335,21 +436,30 @@ std::pair<std::vector<BasicBlock *>,
   DominatorTree::DominatorTree(F);
   MarkVertice(F);
 
-  std::vector<BasicBlock *> Result , ResultAbove;
-  for( uint32_t x : Markabove ) {
-    auto it = Marked.find( x );
-    if( it != Marked.end() )
-      Marked.erase( it );
-    if( x )
-      ResultAbove.push_back(Blocks[x]);
-  }
-  for( uint32_t x : Marked ) {
-    if (x == 0) {
-      continue;
-    } else {
-      Result.push_back(Blocks[x]);
-    }
+  std::vector<BasicBlock *> Result, ResultAbove;
+  for (uint32_t x : Markabove) {
+
+    auto it = Marked.find(x);
+    if (it != Marked.end()) Marked.erase(it);
+    if (x) ResultAbove.push_back(Blocks[x]);
+
   }
 
-  return { Result , ResultAbove };
+  for (uint32_t x : Marked) {
+
+    if (x == 0) {
+
+      continue;
+
+    } else {
+
+      Result.push_back(Blocks[x]);
+
+    }
+
+  }
+
+  return {Result, ResultAbove};
+
 }
+

llvm_mode/MarkNodes.h

@@ -3,9 +3,10 @@
 
 #include "llvm/IR/BasicBlock.h"
 #include "llvm/IR/Function.h"
-#include<vector>
+#include <vector>
 
-std::pair<std::vector<llvm::BasicBlock *>,
-          std::vector<llvm::BasicBlock *>> markNodes(llvm::Function *F);
+std::pair<std::vector<llvm::BasicBlock *>, std::vector<llvm::BasicBlock *>>
+markNodes(llvm::Function *F);
 
 #endif
+

llvm_mode/README.instrim.md

@@ -1,6 +1,6 @@
 # InsTrim
-InsTrim: Lightweight Instrumentation for Coverage-guided Fuzzing
 
+InsTrim: Lightweight Instrumentation for Coverage-guided Fuzzing
 
 ## Introduction
 
@@ -8,17 +8,16 @@ InsTrim uses CFG and markers to instrument just what is necessary in the
 binary in llvm_mode. It is about 20-25% faster but as a cost has a lower
 path discovery.
 
-
 ## Usage
 
-Set the environment variable AFL_LLVM_INSTRIM=1
+Set the environment variable `AFL_LLVM_INSTRIM=1` during compilation of
+the target.
 
 There is also an advanced mode which instruments loops in a way so that
 afl-fuzz can see which loop path has been selected but not being able to
 see how often the loop has been rerun.
 This again is a tradeoff for speed for less path information.
-To enable this mode set AFL_LLVM_INSTRIM_LOOPHEAD=1
-
+To enable this mode set `AFL_LLVM_INSTRIM_LOOPHEAD=1`.
 
 ## Background
 

llvm_mode/README.laf-intel

@@ -1,20 +0,0 @@
-Usage
-=====
-
-By default the passes will not run when you compile programs using 
-afl-clang-fast. Hence, you can use AFL as usual.
-To enable the passes you must set environment variables before you
-compile the target project.
-
-The following options exist:
-
-export AFL_LLVM_LAF_SPLIT_SWITCHES=1     Enables the split-switches pass.
-
-export AFL_LLVM_LAF_TRANSFORM_COMPARES=1 Enables the transform-compares pass
-                             (strcmp, memcmp, strncmp, strcasecmp, strncasecmp).
-
-export AFL_LLVM_LAF_SPLIT_COMPARES=1     Enables the split-compares pass.
-      By default it will split all compares with a bit width <= 64 bits.
-      You can change this behaviour by setting 
-          export AFL_LLVM_LAF_SPLIT_COMPARES_BITW=<bit_width>.
-

llvm_mode/README.laf-intel.md

@@ -0,0 +1,39 @@
+# laf-intel instrumentation
+
+## Usage
+
+By default these passes will not run when you compile programs using 
+afl-clang-fast. Hence, you can use AFL as usual.
+To enable the passes you must set environment variables before you
+compile the target project.
+
+The following options exist:
+
+`export AFL_LLVM_LAF_SPLIT_SWITCHES=1`
+
+Enables the split-switches pass.
+
+`export AFL_LLVM_LAF_TRANSFORM_COMPARES=1`
+
+Enables the transform-compares pass (strcmp, memcmp, strncmp,
+strcasecmp, strncasecmp).
+
+`export AFL_LLVM_LAF_SPLIT_COMPARES=1`
+
+Enables the split-compares pass.
+By default it will 
+1. simplify operators >= (and <=) into chains of > (<) and == comparisons
+2. change signed integer comparisons to a chain of sign-only comparison
+and unsigned comparisons
+3. split all unsigned integer comparisons with bit widths of
+64, 32 or 16 bits to chains of 8 bits comparisons.
+
+You can change the behaviour of the last step by setting
+`export AFL_LLVM_LAF_SPLIT_COMPARES_BITW=<bit_width>`, where 
+bit_width may be 64, 32 or 16.
+
+A new experimental feature is splitting floating point comparisons into a
+series of sign, exponent and mantissa comparisons followed by splitting each
+of them into 8 bit comparisons when necessary.
+It is activated with the `AFL_LLVM_LAF_SPLIT_FLOATS` setting, available only
+when `AFL_LLVM_LAF_SPLIT_COMPARES` is set.

llvm_mode/README.md

@@ -1,15 +1,11 @@
-============================================
-Fast LLVM-based instrumentation for afl-fuzz
-============================================
+# Fast LLVM-based instrumentation for afl-fuzz
 
   (See ../docs/README for the general instruction manual.)
   (See ../gcc_plugin/README.gcc for the GCC-based instrumentation.)
 
-1) Introduction
----------------
+## 1) Introduction
 
-! llvm_mode works with llvm version 3.8.1 up to 8.x !
-! llvm version 9 does not work yet !
+! llvm_mode works with llvm versions 3.8.0 up to 10 !
 
 The code in this directory allows you to instrument programs for AFL using
 true compiler-level instrumentation, instead of the more crude
@@ -31,7 +27,8 @@ several interesting properties:
   - The instrumentation can cope a bit better with multi-threaded targets.
 
   - Because the feature relies on the internals of LLVM, it is clang-specific
-    and will *not* work with GCC (see ../gcc_plugin/ for an alternative).
+    and will *not* work with GCC (see ../gcc_plugin/ for an alternative once
+    it is available).
 
 Once this implementation is shown to be sufficiently robust and portable, it
 will probably replace afl-clang. For now, it can be built separately and
@@ -39,13 +36,16 @@ co-exists with the original code.
 
 The idea and much of the implementation comes from Laszlo Szekeres.
 
-2) How to use this
-------------------
+## 2) How to use this
 
 In order to leverage this mechanism, you need to have clang installed on your
 system. You should also make sure that the llvm-config tool is in your path
 (or pointed to via LLVM_CONFIG in the environment).
 
+Note that if you have several LLVM versions installed, pointing LLVM_CONFIG
+to the version you want to use will switch compiling to this specific
+version - if you installation is set up correctly :-)
+
 Unfortunately, some systems that do have clang come without llvm-config or the
 LLVM development headers; one example of this is FreeBSD. FreeBSD users will
 also run into problems with clang being built statically and not being able to
@@ -64,8 +64,10 @@ called afl-clang-fast and afl-clang-fast++ in the parent directory. Once this
 is done, you can instrument third-party code in a way similar to the standard
 operating mode of AFL, e.g.:
 
+```
   CC=/path/to/afl/afl-clang-fast ./configure [...options...]
   make
+```
 
 Be sure to also include CXX set to afl-clang-fast++ for C++ code.
 
@@ -79,13 +81,13 @@ Note: if you want the LLVM helper to be installed on your system for all
 users, you need to build it before issuing 'make install' in the parent
 directory.
 
-3) Options
+## 3) Options
 
 Several options are present to make llvm_mode faster or help it rearrange
 the code to make afl-fuzz path discovery easier.
 
 If you need just to instrument specific parts of the code, you can whitelist
-which C/C++ files to actually intrument. See README.whitelist
+which C/C++ files to actually instrument. See README.whitelist
 
 For splitting memcmp, strncmp, etc. please see README.laf-intel
 
@@ -97,20 +99,17 @@ See README.instrim
 
 Finally if your llvm version is 8 or lower, you can activate a mode that
 prevents that a counter overflow result in a 0 value. This is good for
-path discovery, but the llvm implementation for intel for this functionality
+path discovery, but the llvm implementation for x86 for this functionality
 is not optimal and was only fixed in llvm 9.
 You can set this with AFL_LLVM_NOT_ZERO=1
 See README.neverzero
 
-
-4) Gotchas, feedback, bugs
---------------------------
+## 4) Gotchas, feedback, bugs
 
 This is an early-stage mechanism, so field reports are welcome. You can send bug
 reports to <afl-users@googlegroups.com>.
 
-5) Bonus feature #1: deferred initialization
---------------------------------------------
+## 5) Bonus feature #1: deferred initialization
 
 AFL tries to optimize performance by executing the targeted binary just once,
 stopping it just before main(), and then cloning this "master" process to get
@@ -146,9 +145,11 @@ a location after:
 
 With the location selected, add this code in the appropriate spot:
 
+```c
 #ifdef __AFL_HAVE_MANUAL_CONTROL
   __AFL_INIT();
 #endif
+```
 
 You don't need the #ifdef guards, but including them ensures that the program
 will keep working normally when compiled with a tool other than afl-clang-fast.
@@ -156,8 +157,7 @@ will keep working normally when compiled with a tool other than afl-clang-fast.
 Finally, recompile the program with afl-clang-fast (afl-gcc or afl-clang will
 *not* generate a deferred-initialization binary) - and you should be all set!
 
-6) Bonus feature #2: persistent mode
-------------------------------------
+## 6) Bonus feature #2: persistent mode
 
 Some libraries provide APIs that are stateless, or whose state can be reset in
 between processing different input files. When such a reset is performed, a
@@ -166,6 +166,7 @@ eliminating the need for repeated fork() calls and the associated OS overhead.
 
 The basic structure of the program that does this would be:
 
+```c
   while (__AFL_LOOP(1000)) {
 
     /* Read input data. */
@@ -175,6 +176,7 @@ The basic structure of the program that does this would be:
   }
 
   /* Exit normally */
+```
 
 The numerical value specified within the loop controls the maximum number
 of iterations before AFL will restart the process from scratch. This minimizes
@@ -183,8 +185,8 @@ and going much higher increases the likelihood of hiccups without giving you
 any real performance benefits.
 
 A more detailed template is shown in ../experimental/persistent_demo/.
-Similarly to the previous mode, the feature works only with afl-clang-fast;
-#ifdef guards can be used to suppress it when using other compilers.
+Similarly to the previous mode, the feature works only with afl-clang-fast; #ifdef
+guards can be used to suppress it when using other compilers.
 
 Note that as with the previous mode, the feature is easy to misuse; if you
 do not fully reset the critical state, you may end up with false positives or
@@ -196,8 +198,7 @@ PS. Because there are task switches still involved, the mode isn't as fast as
 faster than the normal fork() model, and compared to in-process fuzzing,
 should be a lot more robust.
 
-8) Bonus feature #3: new 'trace-pc-guard' mode
-----------------------------------------------
+## 8) Bonus feature #3: new 'trace-pc-guard' mode
 
 Recent versions of LLVM are shipping with a built-in execution tracing feature
 that provides AFL with the necessary tracing data without the need to
@@ -208,7 +209,9 @@ post-process the assembly or install any compiler plugins. See:
 If you have a sufficiently recent compiler and want to give it a try, build
 afl-clang-fast this way:
 
+```
   AFL_TRACE_PC=1 make clean all
+```
 
 Note that this mode is currently about 20% slower than "vanilla" afl-clang-fast,
 and about 5-10% slower than afl-clang. This is likely because the

llvm_mode/README.neverzero

@@ -1,22 +0,0 @@
-Usage
-=====
-
-In larger, complex or reiterative programs the map that collects the edge pairs
-can easily fill up and wrap.
-This is not that much of an issue - unless by chance it wraps just to a 0
-when the program execution ends.
-In this case afl-fuzz is not able to see that the pair has been accessed and
-will ignore it.
-
-NeverZero prevents this behaviour. If a counter wraps, it jumps over the 0
-directly to a 1. This improves path discovery (by a very little amount)
-at a very little cost (one instruction per edge).
-
-This is implemented in afl-gcc, however for llvm_mode this is optional if
-the llvm version is below 9 - as there is a perfomance bug that is only fixed
-in version 9 and onwards.
-
-If you want to enable this for llvm < 9 then set
-
-export AFL_LLVM_NOT_ZERO=1
-

llvm_mode/README.neverzero.md

@@ -0,0 +1,27 @@
+# NeverZero counters for LLVM instrumentation
+
+## Usage
+
+In larger, complex or reiterative programs the counters that collect the edge
+coverage can easily fill up and wrap around.
+This is not that much of an issue - unless by chance it wraps just to a value
+of zero when the program execution ends.
+In this case afl-fuzz is not able to see that the edge has been accessed and
+will ignore it.
+
+NeverZero prevents this behaviour. If a counter wraps, it jumps over the value
+0 directly to a 1. This improves path discovery (by a very little amount)
+at a very little cost (one instruction per edge).
+
+(The alternative of saturated counters has been tested also and proved to be
+inferior in terms of path discovery.)
+
+This is implemented in afl-gcc, however for llvm_mode this is optional if
+the llvm version is below 9 - as there is a perfomance bug that is only fixed
+in version 9 and onwards.
+
+If you want to enable this for llvm < 9 then set
+
+```
+export AFL_LLVM_NOT_ZERO=1
+```

llvm_mode/README.whitelist.md

@@ -1,6 +1,4 @@
-========================================
-Using afl++ with partial instrumentation
-========================================
+# Using afl++ with partial instrumentation
 
   This file describes how you can selectively instrument only the source files
   that are interesting to you using the LLVM instrumentation provided by
@@ -8,9 +6,7 @@ Using afl++ with partial instrumentation
 
   Originally developed by Christian Holler (:decoder) <choller@mozilla.com>.
 
-
-1) Description and purpose
---------------------------
+## 1) Description and purpose
 
 When building and testing complex programs where only a part of the program is
 the fuzzing target, it often helps to only instrument the necessary parts of
@@ -23,15 +19,13 @@ mode of AFLFuzz that allows you to specify on a source file level which files
 should be compiled with or without instrumentation.
 
 
-2) Building the LLVM module
----------------------------
+## 2) Building the LLVM module
 
 The new code is part of the existing afl++ LLVM module in the llvm_mode/
 subdirectory. There is nothing specifically to do :)
 
 
-3) How to use the partial instrumentation mode
-----------------------------------------------
+## 3) How to use the partial instrumentation mode
 
 In order to build with partial instrumentation, you need to build with
 afl-clang-fast and afl-clang-fast++ respectively. The only required change is
@@ -40,31 +34,37 @@ the compiler.
 
 The environment variable must point to a file containing all the filenames
 that should be instrumented. For matching, the filename that is being compiled
-must end in the filename contained in this whitelist (to avoid breaking the
-matching when absolute paths are used during compilation).
+must end in the filename entry contained in this whitelist (to avoid breaking
+the matching when absolute paths are used during compilation).
 
 For example if your source tree looks like this:
 
+```
 project/
 project/feature_a/a1.cpp
 project/feature_a/a2.cpp
 project/feature_b/b1.cpp
 project/feature_b/b2.cpp
+```
 
-And you only want to test feature_a, then create a whitelist file containing:
+and you only want to test feature_a, then create a whitelist file containing:
 
+```
 feature_a/a1.cpp
 feature_a/a2.cpp
+```
 
-However if the whitelist file contains this, it works as well:
+However if the whitelist file contains only this, it works as well:
 
+```
 a1.cpp
 a2.cpp
+```
 
 but it might lead to files being unwantedly instrumented if the same filename
-exists somewhere else in the project.
+exists somewhere else in the project directories.
 
-The created whitelist file is then set to AFL_INST_WHITELIST when you compile
+The created whitelist file is then set to AFL_LLVM_WHITELIST when you compile
 your program. For each file that didn't match the whitelist, the compiler will
 issue a warning at the end stating that no blocks were instrumented. If you
 didn't intend to instrument that file, then you can safely ignore that warning.
@@ -72,4 +72,4 @@ didn't intend to instrument that file, then you can safely ignore that warning.
 For old LLVM versions this feature might require to be compiled with debug
 information (-g), however at least from llvm version 6.0 onwards this is not
 required anymore (and might hurt performance and crash detection, so better not
-use -g)
+use -g).

llvm_mode/afl-clang-fast.c

@@ -3,7 +3,7 @@
    ------------------------------------------------
 
    Written by Laszlo Szekeres <lszekeres@google.com> and
-              Michal Zalewski <lcamtuf@google.com>
+              Michal Zalewski
 
    LLVM integration design comes from Laszlo Szekeres.
 
@@ -23,37 +23,44 @@
 
 #define AFL_MAIN
 
-#include "../config.h"
-#include "../types.h"
-#include "../debug.h"
-#include "../alloc-inl.h"
+#include "config.h"
+#include "types.h"
+#include "debug.h"
+#include "alloc-inl.h"
 
 #include <stdio.h>
 #include <unistd.h>
 #include <stdlib.h>
 #include <string.h>
+#include <limits.h>
 #include <assert.h>
 
-static u8*  obj_path;               /* Path to runtime libraries         */
-static u8** cc_params;              /* Parameters passed to the real CC  */
-static u32  cc_par_cnt = 1;         /* Param count, including argv0      */
-
+static u8*  obj_path;                  /* Path to runtime libraries         */
+static u8** cc_params;                 /* Parameters passed to the real CC  */
+static u32  cc_par_cnt = 1;            /* Param count, including argv0      */
+static u8   llvm_fullpath[PATH_MAX];
 
 /* Try to find the runtime libraries. If that fails, abort. */
 
 static void find_obj(u8* argv0) {
 
-  u8 *afl_path = getenv("AFL_PATH");
+  u8* afl_path = getenv("AFL_PATH");
   u8 *slash, *tmp;
 
   if (afl_path) {
 
+#ifdef __ANDROID__
+    tmp = alloc_printf("%s/afl-llvm-rt.so", afl_path);
+#else
     tmp = alloc_printf("%s/afl-llvm-rt.o", afl_path);
+#endif
 
     if (!access(tmp, R_OK)) {
+
       obj_path = afl_path;
       ck_free(tmp);
       return;
+
     }
 
     ck_free(tmp);
@@ -64,18 +71,24 @@ static void find_obj(u8* argv0) {
 
   if (slash) {
 
-    u8 *dir;
+    u8* dir;
 
     *slash = 0;
     dir = ck_strdup(argv0);
     *slash = '/';
 
+#ifdef __ANDROID__
+    tmp = alloc_printf("%s/afl-llvm-rt.so", afl_path);
+#else
     tmp = alloc_printf("%s/afl-llvm-rt.o", dir);
+#endif
 
     if (!access(tmp, R_OK)) {
+
       obj_path = dir;
       ck_free(tmp);
       return;
+
     }
 
     ck_free(tmp);
@@ -83,71 +96,112 @@ static void find_obj(u8* argv0) {
 
   }
 
+#ifdef __ANDROID__
+  if (!access(AFL_PATH "/afl-llvm-rt.so", R_OK)) {
+
+#else
   if (!access(AFL_PATH "/afl-llvm-rt.o", R_OK)) {
+
+#endif
+
     obj_path = AFL_PATH;
     return;
+
   }
 
-  FATAL("Unable to find 'afl-llvm-rt.o' or 'afl-llvm-pass.so.cc'. Please set AFL_PATH");
- 
-}
+  FATAL(
+      "Unable to find 'afl-llvm-rt.o' or 'afl-llvm-pass.so.cc'. Please set "
+      "AFL_PATH");
 
+}
 
 /* Copy argv to cc_params, making the necessary edits. */
 
 static void edit_params(u32 argc, char** argv) {
 
-  u8 fortify_set = 0, asan_set = 0, x_set = 0, maybe_linking = 1, bit_mode = 0;
-  u8 *name;
+  u8  fortify_set = 0, asan_set = 0, x_set = 0, maybe_linking = 1, bit_mode = 0;
+  u8  has_llvm_config = 0;
+  u8* name;
 
   cc_params = ck_alloc((argc + 128) * sizeof(u8*));
 
   name = strrchr(argv[0], '/');
-  if (!name) name = argv[0]; else name++;
+  if (!name)
+    name = argv[0];
+  else
+    ++name;
+
+  has_llvm_config = (strlen(LLVM_BINDIR) > 0);
 
   if (!strcmp(name, "afl-clang-fast++")) {
+
     u8* alt_cxx = getenv("AFL_CXX");
-    cc_params[0] = alt_cxx ? alt_cxx : (u8*)"clang++";
+    if (has_llvm_config)
+      snprintf(llvm_fullpath, sizeof(llvm_fullpath), "%s/clang++", LLVM_BINDIR);
+    else
+      sprintf(llvm_fullpath, "clang++");
+    cc_params[0] = alt_cxx ? alt_cxx : (u8*)llvm_fullpath;
+
   } else {
+
     u8* alt_cc = getenv("AFL_CC");
-    cc_params[0] = alt_cc ? alt_cc : (u8*)"clang";
+    if (has_llvm_config)
+      snprintf(llvm_fullpath, sizeof(llvm_fullpath), "%s/clang", LLVM_BINDIR);
+    else
+      sprintf(llvm_fullpath, "clang");
+    cc_params[0] = alt_cc ? alt_cc : (u8*)llvm_fullpath;
+
   }
 
   /* There are three ways to compile with afl-clang-fast. In the traditional
      mode, we use afl-llvm-pass.so, then there is libLLVMInsTrim.so which is
-     much faster but has less coverage. Finally tere is the experimental
+     much faster but has less coverage. Finally there is the experimental
      'trace-pc-guard' mode, we use native LLVM instrumentation callbacks
      instead. For trace-pc-guard see:
-     http://clang.llvm.org/docs/SanitizerCoverage.html#tracing-pcs-with-guards */
+     http://clang.llvm.org/docs/SanitizerCoverage.html#tracing-pcs-with-guards
+   */
 
   // laf
-  if (getenv("LAF_SPLIT_SWITCHES")||getenv("AFL_LLVM_LAF_SPLIT_SWITCHES")) {
+  if (getenv("LAF_SPLIT_SWITCHES") || getenv("AFL_LLVM_LAF_SPLIT_SWITCHES")) {
+
     cc_params[cc_par_cnt++] = "-Xclang";
     cc_params[cc_par_cnt++] = "-load";
     cc_params[cc_par_cnt++] = "-Xclang";
-    cc_params[cc_par_cnt++] = alloc_printf("%s/split-switches-pass.so", obj_path);
+    cc_params[cc_par_cnt++] =
+        alloc_printf("%s/split-switches-pass.so", obj_path);
+
   }
 
-  if (getenv("LAF_TRANSFORM_COMPARES")||getenv("AFL_LLVM_LAF_TRANSFORM_COMPARES")) {
+  if (getenv("LAF_TRANSFORM_COMPARES") ||
+      getenv("AFL_LLVM_LAF_TRANSFORM_COMPARES")) {
+
     cc_params[cc_par_cnt++] = "-Xclang";
     cc_params[cc_par_cnt++] = "-load";
     cc_params[cc_par_cnt++] = "-Xclang";
-    cc_params[cc_par_cnt++] = alloc_printf("%s/compare-transform-pass.so", obj_path);
+    cc_params[cc_par_cnt++] =
+        alloc_printf("%s/compare-transform-pass.so", obj_path);
+
   }
 
-  if (getenv("LAF_SPLIT_COMPARES")||getenv("AFL_LLVM_LAF_SPLIT_COMPARES")) {
+  if (getenv("LAF_SPLIT_COMPARES") || getenv("AFL_LLVM_LAF_SPLIT_COMPARES")) {
+
     cc_params[cc_par_cnt++] = "-Xclang";
     cc_params[cc_par_cnt++] = "-load";
     cc_params[cc_par_cnt++] = "-Xclang";
-    cc_params[cc_par_cnt++] = alloc_printf("%s/split-compares-pass.so", obj_path);
+    cc_params[cc_par_cnt++] =
+        alloc_printf("%s/split-compares-pass.so", obj_path);
+
   }
+
   // /laf
 
 #ifdef USE_TRACE_PC
-  cc_params[cc_par_cnt++] = "-fsanitize-coverage=trace-pc-guard"; // edge coverage by default
-  //cc_params[cc_par_cnt++] = "-mllvm";
-  //cc_params[cc_par_cnt++] = "-fsanitize-coverage=trace-cmp,trace-div,trace-gep";
-  //cc_params[cc_par_cnt++] = "-sanitizer-coverage-block-threshold=0";
+  cc_params[cc_par_cnt++] =
+      "-fsanitize-coverage=trace-pc-guard";  // edge coverage by default
+  // cc_params[cc_par_cnt++] = "-mllvm";
+  // cc_params[cc_par_cnt++] =
+  // "-fsanitize-coverage=trace-cmp,trace-div,trace-gep";
+  // cc_params[cc_par_cnt++] = "-sanitizer-coverage-block-threshold=0";
 #else
   cc_params[cc_par_cnt++] = "-Xclang";
   cc_params[cc_par_cnt++] = "-load";
@@ -156,7 +210,7 @@ static void edit_params(u32 argc, char** argv) {
     cc_params[cc_par_cnt++] = alloc_printf("%s/libLLVMInsTrim.so", obj_path);
   else
     cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-pass.so", obj_path);
-#endif /* ^USE_TRACE_PC */
+#endif                                                     /* ^USE_TRACE_PC */
 
   cc_params[cc_par_cnt++] = "-Qunused-arguments";
 
@@ -165,9 +219,11 @@ static void edit_params(u32 argc, char** argv) {
   if (argc == 1 && !strcmp(argv[1], "-v")) maybe_linking = 0;
 
   while (--argc) {
+
     u8* cur = *(++argv);
 
     if (!strcmp(cur, "-m32")) bit_mode = 32;
+    if (!strcmp(cur, "armv7a-linux-androideabi")) bit_mode = 32;
     if (!strcmp(cur, "-m64")) bit_mode = 64;
 
     if (!strcmp(cur, "-x")) x_set = 1;
@@ -175,15 +231,15 @@ static void edit_params(u32 argc, char** argv) {
     if (!strcmp(cur, "-c") || !strcmp(cur, "-S") || !strcmp(cur, "-E"))
       maybe_linking = 0;
 
-    if (!strcmp(cur, "-fsanitize=address") ||
-        !strcmp(cur, "-fsanitize=memory")) asan_set = 1;
+    if (!strcmp(cur, "-fsanitize=address") || !strcmp(cur, "-fsanitize=memory"))
+      asan_set = 1;
 
     if (strstr(cur, "FORTIFY_SOURCE")) fortify_set = 1;
 
     if (!strcmp(cur, "-shared")) maybe_linking = 0;
 
-    if (!strcmp(cur, "-Wl,-z,defs") ||
-        !strcmp(cur, "-Wl,--no-undefined")) continue;
+    if (!strcmp(cur, "-Wl,-z,defs") || !strcmp(cur, "-Wl,--no-undefined"))
+      continue;
 
     cc_params[cc_par_cnt++] = cur;
 
@@ -193,8 +249,7 @@ static void edit_params(u32 argc, char** argv) {
 
     cc_params[cc_par_cnt++] = "-fstack-protector-all";
 
-    if (!fortify_set)
-      cc_params[cc_par_cnt++] = "-D_FORTIFY_SOURCE=2";
+    if (!fortify_set) cc_params[cc_par_cnt++] = "-D_FORTIFY_SOURCE=2";
 
   }
 
@@ -202,8 +257,7 @@ static void edit_params(u32 argc, char** argv) {
 
     if (getenv("AFL_USE_ASAN")) {
 
-      if (getenv("AFL_USE_MSAN"))
-        FATAL("ASAN and MSAN are mutually exclusive");
+      if (getenv("AFL_USE_MSAN")) FATAL("ASAN and MSAN are mutually exclusive");
 
       if (getenv("AFL_HARDEN"))
         FATAL("ASAN and AFL_HARDEN are mutually exclusive");
@@ -213,8 +267,7 @@ static void edit_params(u32 argc, char** argv) {
 
     } else if (getenv("AFL_USE_MSAN")) {
 
-      if (getenv("AFL_USE_ASAN"))
-        FATAL("ASAN and MSAN are mutually exclusive");
+      if (getenv("AFL_USE_ASAN")) FATAL("ASAN and MSAN are mutually exclusive");
 
       if (getenv("AFL_HARDEN"))
         FATAL("MSAN and AFL_HARDEN are mutually exclusive");
@@ -231,7 +284,7 @@ static void edit_params(u32 argc, char** argv) {
   if (getenv("AFL_INST_RATIO"))
     FATAL("AFL_INST_RATIO not available at compile time with 'trace-pc'.");
 
-#endif /* USE_TRACE_PC */
+#endif                                                      /* USE_TRACE_PC */
 
   if (!getenv("AFL_DONT_OPTIMIZE")) {
 
@@ -248,6 +301,9 @@ static void edit_params(u32 argc, char** argv) {
     cc_params[cc_par_cnt++] = "-fno-builtin-strcasecmp";
     cc_params[cc_par_cnt++] = "-fno-builtin-strncasecmp";
     cc_params[cc_par_cnt++] = "-fno-builtin-memcmp";
+    cc_params[cc_par_cnt++] = "-fno-builtin-bcmp";
+    cc_params[cc_par_cnt++] = "-fno-builtin-strstr";
+    cc_params[cc_par_cnt++] = "-fno-builtin-strcasestr";
 
   }
 
@@ -279,37 +335,44 @@ static void edit_params(u32 argc, char** argv) {
 
    */
 
-  cc_params[cc_par_cnt++] = "-D__AFL_LOOP(_A)="
-    "({ static volatile char *_B __attribute__((used)); "
-    " _B = (char*)\"" PERSIST_SIG "\"; "
+  cc_params[cc_par_cnt++] =
+      "-D__AFL_LOOP(_A)="
+      "({ static volatile char *_B __attribute__((used)); "
+      " _B = (char*)\"" PERSIST_SIG
+      "\"; "
 #ifdef __APPLE__
-    "__attribute__((visibility(\"default\"))) "
-    "int _L(unsigned int) __asm__(\"___afl_persistent_loop\"); "
+      "__attribute__((visibility(\"default\"))) "
+      "int _L(unsigned int) __asm__(\"___afl_persistent_loop\"); "
 #else
-    "__attribute__((visibility(\"default\"))) "
-    "int _L(unsigned int) __asm__(\"__afl_persistent_loop\"); "
-#endif /* ^__APPLE__ */
-    "_L(_A); })";
+      "__attribute__((visibility(\"default\"))) "
+      "int _L(unsigned int) __asm__(\"__afl_persistent_loop\"); "
+#endif                                                        /* ^__APPLE__ */
+      "_L(_A); })";
 
-  cc_params[cc_par_cnt++] = "-D__AFL_INIT()="
-    "do { static volatile char *_A __attribute__((used)); "
-    " _A = (char*)\"" DEFER_SIG "\"; "
+  cc_params[cc_par_cnt++] =
+      "-D__AFL_INIT()="
+      "do { static volatile char *_A __attribute__((used)); "
+      " _A = (char*)\"" DEFER_SIG
+      "\"; "
 #ifdef __APPLE__
-    "__attribute__((visibility(\"default\"))) "
-    "void _I(void) __asm__(\"___afl_manual_init\"); "
+      "__attribute__((visibility(\"default\"))) "
+      "void _I(void) __asm__(\"___afl_manual_init\"); "
 #else
-    "__attribute__((visibility(\"default\"))) "
-    "void _I(void) __asm__(\"__afl_manual_init\"); "
-#endif /* ^__APPLE__ */
-    "_I(); } while (0)";
+      "__attribute__((visibility(\"default\"))) "
+      "void _I(void) __asm__(\"__afl_manual_init\"); "
+#endif                                                        /* ^__APPLE__ */
+      "_I(); } while (0)";
 
   if (maybe_linking) {
 
     if (x_set) {
+
       cc_params[cc_par_cnt++] = "-x";
       cc_params[cc_par_cnt++] = "none";
+
     }
 
+#ifndef __ANDROID__
     switch (bit_mode) {
 
       case 0:
@@ -334,60 +397,80 @@ static void edit_params(u32 argc, char** argv) {
 
     }
 
+#endif
+
   }
 
   cc_params[cc_par_cnt] = NULL;
 
 }
 
-
 /* Main entry point */
 
 int main(int argc, char** argv) {
 
-  if (isatty(2) && !getenv("AFL_QUIET")) {
+  if (argc < 2 || strcmp(argv[1], "-h") == 0) {
 
 #ifdef USE_TRACE_PC
-    SAYF(cCYA "afl-clang-fast" VERSION  cRST " [tpcg] by <lszekeres@google.com>\n");
+    printf(
+        cCYA
+        "afl-clang-fast" VERSION cRST
+        " [tpcg] by <lszekeres@google.com>\n"
 #else
-    SAYF(cCYA "afl-clang-fast" VERSION  cRST " by <lszekeres@google.com>\n");
-#endif /* ^USE_TRACE_PC */
+    printf(
+        cCYA
+        "afl-clang-fast" VERSION cRST
+        " by <lszekeres@google.com>\n"
+#endif                                                     /* ^USE_TRACE_PC */
+        "\n"
+        "afl-clang-fast[++] [options]\n"
+        "\n"
+        "This is a helper application for afl-fuzz. It serves as a drop-in "
+        "replacement\n"
+        "for clang, letting you recompile third-party code with the required "
+        "runtime\n"
+        "instrumentation. A common use pattern would be one of the "
+        "following:\n\n"
 
-  }
+        "  CC=%s/afl-clang-fast ./configure\n"
+        "  CXX=%s/afl-clang-fast++ ./configure\n\n"
 
-  if (argc < 2) {
+        "In contrast to the traditional afl-clang tool, this version is "
+        "implemented as\n"
+        "an LLVM pass and tends to offer improved performance with slow "
+        "programs.\n\n"
 
-    SAYF("\n"
-         "This is a helper application for afl-fuzz. It serves as a drop-in replacement\n"
-         "for clang, letting you recompile third-party code with the required runtime\n"
-         "instrumentation. A common use pattern would be one of the following:\n\n"
-
-         "  CC=%s/afl-clang-fast ./configure\n"
-         "  CXX=%s/afl-clang-fast++ ./configure\n\n"
-
-         "In contrast to the traditional afl-clang tool, this version is implemented as\n"
-         "an LLVM pass and tends to offer improved performance with slow programs.\n\n"
-
-         "You can specify custom next-stage toolchain via AFL_CC and AFL_CXX. Setting\n"
-         "AFL_HARDEN enables hardening optimizations in the compiled code.\n\n",
-         BIN_PATH, BIN_PATH);
+        "You can specify custom next-stage toolchain via AFL_CC and AFL_CXX. "
+        "Setting\n"
+        "AFL_HARDEN enables hardening optimizations in the compiled code.\n\n",
+        BIN_PATH, BIN_PATH);
 
     exit(1);
 
+  } else if (isatty(2) && !getenv("AFL_QUIET")) {
+
+#ifdef USE_TRACE_PC
+    SAYF(cCYA "afl-clang-fast" VERSION cRST
+              " [tpcg] by <lszekeres@google.com>\n");
+#else
+    SAYF(cCYA "afl-clang-fast" VERSION cRST " by <lszekeres@google.com>\n");
+#endif                                                     /* ^USE_TRACE_PC */
+
   }
 
-
+#ifndef __ANDROID__
   find_obj(argv[0]);
+#endif
 
   edit_params(argc, argv);
 
-/*
-  int i = 0;
-  printf("EXEC:");
-  while (cc_params[i] != NULL)
-    printf(" %s", cc_params[i++]);
-  printf("\n");
-*/
+  /*
+    int i = 0;
+    printf("EXEC:");
+    while (cc_params[i] != NULL)
+      printf(" %s", cc_params[i++]);
+    printf("\n");
+  */
 
   execvp(cc_params[0], (char**)cc_params);
 
@@ -396,3 +479,4 @@ int main(int argc, char** argv) {
   return 0;
 
 }
+