classic

include/afl-fuzz.h

@@ -526,6 +526,8 @@ typedef struct afl_state {
       *virgin_tmout,                    /* Bits we haven't seen in tmouts   */
       *virgin_crash;                    /* Bits we haven't seen in crashes  */
 
+  u8 *colliding_bits;u8 *touched_bits;
+
   double *alias_probability;            /* alias weighted probabilities     */
   u32 *   alias_table;                /* alias weighted random lookup table */
   u32     active_paths;                 /* enabled entries in the queue     */

include/envs.h

@@ -16,6 +16,7 @@ static char *afl_environment_deprecated[] = {
 
 static char *afl_environment_variables[] = {
 
+    "AFL_COLLFREE_CTX",
     "AFL_ALIGNED_ALLOC",
     "AFL_ALLOW_TMP",
     "AFL_ANALYZE_HEX",

include/sharedmem.h

@@ -46,7 +46,8 @@ typedef struct sharedmem {
   s32 cmplog_shm_id;
 #endif
 
-  u8 *map;                                          /* shared memory region */
+  u8 *                    map;                      /* shared memory region */
+  struct collision_entry *collisions_map;
 
   size_t map_size;                                 /* actual allocated size */
 

include/types.h

@@ -35,6 +35,16 @@ typedef unsigned __int128 uint128_t;
 typedef uint128_t         u128;
 #endif
 
+struct collision_entry {
+
+  u32 cur;
+  u32 prev;
+  u32 ctx;
+  u8  is_colliding;
+  u8  touched;
+
+};
+
 /* Extended forkserver option values */
 
 /* Reporting errors */

instrumentation/afl-compiler-rt.o.c

@@ -90,6 +90,8 @@ u32 __afl_map_size = MAP_SIZE;
 u32 __afl_dictionary_len;
 u64 __afl_map_addr;
 
+u8 * __afl_ctx_area_ptr = __afl_area_initial;
+
 // for the __AFL_COVERAGE_ON/__AFL_COVERAGE_OFF features to work:
 int __afl_selective_coverage __attribute__((weak));
 int __afl_selective_coverage_start_off __attribute__((weak));
@@ -97,11 +99,15 @@ int __afl_selective_coverage_temp = 1;
 
 #if defined(__ANDROID__) || defined(__HAIKU__)
 PREV_LOC_T __afl_prev_loc[NGRAM_SIZE_MAX];
+PREV_LOC_T __afl_prev_loc2[NGRAM_SIZE_MAX];
 u32        __afl_prev_ctx;
+u32        __afl_prev_ctx2;
 u32        __afl_cmp_counter;
 #else
 __thread PREV_LOC_T __afl_prev_loc[NGRAM_SIZE_MAX];
+__thread PREV_LOC_T __afl_prev_loc2[NGRAM_SIZE_MAX];
 __thread u32        __afl_prev_ctx;
+__thread u32        __afl_prev_ctx2;
 __thread u32        __afl_cmp_counter;
 #endif
 
@@ -127,6 +133,34 @@ static u8 _is_sancov;
 
 static int __afl_dummy_fd[2] = {2, 2};
 
+struct collision_entry *collision_map;
+
+void __afl_log_collision(u32 cur, u32 prev, u32 ctx, u32 cur2, u32 prev2, u32 ctx2) {
+
+  if (!collision_map) return;
+
+  u32 idx = (cur ^ prev ^ ctx) & (MAP_SIZE - 1);
+
+  if (collision_map[idx].touched) {
+
+    if (collision_map[idx].cur != cur2 || collision_map[idx].prev != prev2 ||
+        collision_map[idx].ctx != ctx2) {
+
+      collision_map[idx].is_colliding = 1;
+
+    }
+
+  } else {
+
+    collision_map[idx].touched = 1;
+    collision_map[idx].cur = cur2;
+    collision_map[idx].prev = prev2;
+    collision_map[idx].ctx = ctx2;
+
+  }
+
+}
+
 /* ensure we kill the child on termination */
 
 void at_exit(int signal) {
@@ -247,6 +281,10 @@ static void __afl_map_shm(void) {
 
   char *id_str = getenv(SHM_ENV_VAR);
 
+  if (getenv("AFL_COLLFREE_CTX")) {
+      __afl_final_loc += MAP_SIZE;
+  }
+
   if (__afl_final_loc) {
 
     if (__afl_final_loc % 64) {
@@ -410,6 +448,8 @@ static void __afl_map_shm(void) {
 
     __afl_area_ptr[0] = 1;
 
+    collision_map = (struct collision_entry *)(__afl_area_ptr + __afl_map_size);
+
   } else if ((!__afl_area_ptr || __afl_area_ptr == __afl_area_initial) &&
 
              __afl_map_addr) {
@@ -469,6 +509,14 @@ static void __afl_map_shm(void) {
     }
 
   }
+  
+  if (getenv("AFL_COLLFREE_CTX")) {
+      __afl_ctx_area_ptr = __afl_area_ptr + (__afl_final_loc - MAP_SIZE);
+  } else {
+      __afl_ctx_area_ptr = __afl_area_ptr;
+  }
+
+  fprintf(stderr, "__afl_area_ptr: 0x%llx,__afl_ctx_area_ptr: 0x%llx, collision_map: 0x%llx\n", __afl_area_ptr, __afl_ctx_area_ptr, collision_map);
 
   id_str = getenv(CMPLOG_SHM_ENV_VAR);
 
@@ -701,6 +749,7 @@ static void __afl_start_snapshots(void) {
 
         __afl_area_ptr[0] = 1;
         memset(__afl_prev_loc, 0, NGRAM_SIZE_MAX * sizeof(PREV_LOC_T));
+        __afl_prev_ctx = __afl_prev_ctx2 = 0;
 
         return;
 
@@ -974,6 +1023,7 @@ int __afl_persistent_loop(unsigned int max_cnt) {
       memset(__afl_area_ptr, 0, __afl_map_size);
       __afl_area_ptr[0] = 1;
       memset(__afl_prev_loc, 0, NGRAM_SIZE_MAX * sizeof(PREV_LOC_T));
+      __afl_prev_ctx = __afl_prev_ctx2 = 0;
 
     }
 
@@ -994,6 +1044,7 @@ int __afl_persistent_loop(unsigned int max_cnt) {
       __afl_area_ptr[0] = 1;
       memset(__afl_prev_loc, 0, NGRAM_SIZE_MAX * sizeof(PREV_LOC_T));
       __afl_selective_coverage_temp = 1;
+      __afl_prev_ctx = __afl_prev_ctx2 = 0;
 
       return 1;
 
@@ -1158,14 +1209,18 @@ void __sanitizer_cov_trace_pc_guard(uint32_t *guard) {
 
   */
 
+  uint32_t idx = *guard;
+
+  
+
 #if (LLVM_VERSION_MAJOR < 9)
 
-  __afl_area_ptr[*guard]++;
+  __afl_area_ptr[idx]++;
 
 #else
 
-  __afl_area_ptr[*guard] =
-      __afl_area_ptr[*guard] + 1 + (__afl_area_ptr[*guard] == 255 ? 1 : 0);
+  __afl_area_ptr[idx] =
+      __afl_area_ptr[idx] + 1 + (__afl_area_ptr[idx] == 255 ? 1 : 0);
 
 #endif
 

instrumentation/afl-llvm-pass.so.cc

@@ -131,6 +131,24 @@ bool AFLCoverage::runOnModule(Module &M) {
   u32             rand_seed;
   unsigned int    cur_loc = 0;
 
+  Type *VoidTy = Type::getVoidTy(C);
+#if LLVM_VERSION_MAJOR < 9
+  Constant *
+#else
+  FunctionCallee
+#endif
+      c1 = M.getOrInsertFunction("__afl_log_collision", VoidTy, Int32Ty, Int32Ty, Int32Ty, Int32Ty, Int32Ty, Int32Ty
+#if LLVM_VERSION_MAJOR < 5
+                                 ,
+                                 NULL
+#endif
+      );
+#if LLVM_VERSION_MAJOR < 9
+  Function *aflLogCollision = cast<Function>(c1);
+#else
+  FunctionCallee aflLogCollision = c1;
+#endif
+
   /* Setup random() so we get Actually Random(TM) outputs from AFL_R() */
   gettimeofday(&tv, &tz);
   rand_seed = tv.tv_sec ^ tv.tv_usec ^ getpid();
@@ -187,6 +205,7 @@ bool AFLCoverage::runOnModule(Module &M) {
   char *ngram_size_str = getenv("AFL_LLVM_NGRAM_SIZE");
   if (!ngram_size_str) ngram_size_str = getenv("AFL_NGRAM_SIZE");
   ctx_str = getenv("AFL_LLVM_CTX");
+  if (!ctx_str) ctx_str = getenv("AFL_COLLFREE_CTX");
 
 #ifdef AFL_HAVE_VECTOR_INTRINSICS
   /* Decide previous location vector size (must be a power of two) */
@@ -237,19 +256,32 @@ bool AFLCoverage::runOnModule(Module &M) {
   GlobalVariable *AFLMapPtr =
       new GlobalVariable(M, PointerType::get(Int8Ty, 0), false,
                          GlobalValue::ExternalLinkage, 0, "__afl_area_ptr");
+  GlobalVariable *AFLCtxMapPtr =
+      new GlobalVariable(M, PointerType::get(Int8Ty, 0), false,
+                         GlobalValue::ExternalLinkage, 0, "__afl_ctx_area_ptr");
   GlobalVariable *AFLPrevLoc;
+  GlobalVariable *AFLPrevLoc2;
   GlobalVariable *AFLContext = NULL;
+  GlobalVariable *AFLContext2 = NULL;
+
+  if (ctx_str) {
 
-  if (ctx_str)
 #if defined(__ANDROID__) || defined(__HAIKU__)
     AFLContext = new GlobalVariable(
         M, Int32Ty, false, GlobalValue::ExternalLinkage, 0, "__afl_prev_ctx");
+    AFLContext2 = new GlobalVariable(
+        M, Int32Ty, false, GlobalValue::ExternalLinkage, 0, "__afl_prev_ctx2");
 #else
     AFLContext = new GlobalVariable(
         M, Int32Ty, false, GlobalValue::ExternalLinkage, 0, "__afl_prev_ctx", 0,
         GlobalVariable::GeneralDynamicTLSModel, 0, false);
+    AFLContext2 = new GlobalVariable(
+        M, Int32Ty, false, GlobalValue::ExternalLinkage, 0, "__afl_prev_ctx2",
+        0, GlobalVariable::GeneralDynamicTLSModel, 0, false);
 #endif
 
+  }
+
 #ifdef AFL_HAVE_VECTOR_INTRINSICS
   if (ngram_size)
   #if defined(__ANDROID__) || defined(__HAIKU__)
@@ -274,6 +306,30 @@ bool AFLCoverage::runOnModule(Module &M) {
       GlobalVariable::GeneralDynamicTLSModel, 0, false);
 #endif
 
+#ifdef AFL_HAVE_VECTOR_INTRINSICS
+  if (ngram_size)
+  #if defined(__ANDROID__) || defined(__HAIKU__)
+    AFLPrevLoc2 = new GlobalVariable(
+        M, PrevLocTy, /* isConstant */ false, GlobalValue::ExternalLinkage,
+        /* Initializer */ nullptr, "__afl_prev_loc2");
+  #else
+    AFLPrevLoc2 = new GlobalVariable(
+        M, PrevLocTy, /* isConstant */ false, GlobalValue::ExternalLinkage,
+        /* Initializer */ nullptr, "__afl_prev_loc2",
+        /* InsertBefore */ nullptr, GlobalVariable::GeneralDynamicTLSModel,
+        /* AddressSpace */ 0, /* IsExternallyInitialized */ false);
+  #endif
+  else
+#endif
+#if defined(__ANDROID__) || defined(__HAIKU__)
+    AFLPrevLoc2 = new GlobalVariable(
+        M, Int32Ty, false, GlobalValue::ExternalLinkage, 0, "__afl_prev_loc2");
+#else
+  AFLPrevLoc2 = new GlobalVariable(
+      M, Int32Ty, false, GlobalValue::ExternalLinkage, 0, "__afl_prev_loc2", 0,
+      GlobalVariable::GeneralDynamicTLSModel, 0, false);
+#endif
+
 #ifdef AFL_HAVE_VECTOR_INTRINSICS
   /* Create the vector shuffle mask for updating the previous block history.
      Note that the first element of the vector will store cur_loc, so just set
@@ -294,7 +350,8 @@ bool AFLCoverage::runOnModule(Module &M) {
   ConstantInt *Zero = ConstantInt::get(Int8Ty, 0);
   ConstantInt *One = ConstantInt::get(Int8Ty, 1);
 
-  LoadInst *PrevCtx = NULL;  // CTX sensitive coverage
+  LoadInst *PrevCtx = NULL;   // CTX sensitive coverage
+  LoadInst *PrevCtx2 = NULL;  // CTX sensitive coverage
 
   /* Instrument all the things! */
 
@@ -324,6 +381,40 @@ bool AFLCoverage::runOnModule(Module &M) {
         // variable on the stack
         PrevCtx = IRB.CreateLoad(AFLContext);
         PrevCtx->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
+        PrevCtx2 = IRB.CreateLoad(AFLContext2);
+        PrevCtx2->setMetadata(M.getMDKindID("nosanitize"),
+                              MDNode::get(C, None));
+
+        int newctx = AFL_R(map_size);
+        int newctx2 = AFL_R(map_size);
+
+        if (getenv("AFL_COLLFREE_CTX")) {
+            Value *NewCtx = IRB.CreateXor(
+                  PrevCtx, ConstantInt::get(Int32Ty, newctx));
+
+            Value* NewCtx2 = IRB.CreateXor(PrevCtx2,
+                                   ConstantInt::get(Int32Ty, newctx2));
+
+            std::vector<Value *> coll_args;
+            coll_args.push_back(Zero);
+            coll_args.push_back(Zero);
+            coll_args.push_back(NewCtx);
+            coll_args.push_back(Zero);
+            coll_args.push_back(Zero);
+            coll_args.push_back(NewCtx2);
+            IRB.CreateCall(aflLogCollision, coll_args);
+
+            LoadInst *MapPtr = IRB.CreateLoad(AFLCtxMapPtr);
+            MapPtr->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
+            
+            Value* MapPtrIdx = IRB.CreateGEP(MapPtr, NewCtx);
+            LoadInst *Counter = IRB.CreateLoad(MapPtrIdx);
+            Counter->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
+
+            Value *Incr = IRB.CreateAdd(Counter, One);
+            IRB.CreateStore(Incr, MapPtrIdx)
+                ->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
+        }
 
         // does the function have calls? and is any of the calls larger than one
         // basic block?
@@ -354,8 +445,15 @@ bool AFLCoverage::runOnModule(Module &M) {
         // if yes we store a context ID for this function in the global var
         if (has_calls) {
 
-          ConstantInt *NewCtx = ConstantInt::get(Int32Ty, AFL_R(map_size));
-          StoreInst *  StoreCtx = IRB.CreateStore(NewCtx, AFLContext);
+          Value *NewCtx = IRB.CreateXor(
+              PrevCtx, ConstantInt::get(Int32Ty, newctx));
+          StoreInst *StoreCtx = IRB.CreateStore(NewCtx, AFLContext);
+          StoreCtx->setMetadata(M.getMDKindID("nosanitize"),
+                                MDNode::get(C, None));
+
+          NewCtx = IRB.CreateXor(PrevCtx2,
+                                 ConstantInt::get(Int32Ty, newctx2));
+          StoreCtx = IRB.CreateStore(NewCtx, AFLContext2);
           StoreCtx->setMetadata(M.getMDKindID("nosanitize"),
                                 MDNode::get(C, None));
 
@@ -363,12 +461,36 @@ bool AFLCoverage::runOnModule(Module &M) {
 
       }
 
+      if (getenv("AFL_COLLFREE_CTX")) {
+      
+        if (ctx_str && has_calls) {
+
+            Instruction *Inst = BB.getTerminator();
+            if (isa<ReturnInst>(Inst) || isa<ResumeInst>(Inst)) {
+
+              IRBuilder<> Post_IRB(Inst);
+              StoreInst * RestoreCtx = Post_IRB.CreateStore(PrevCtx, AFLContext);
+              RestoreCtx->setMetadata(M.getMDKindID("nosanitize"),
+                                      MDNode::get(C, None));
+              RestoreCtx = Post_IRB.CreateStore(PrevCtx2, AFLContext2);
+              RestoreCtx->setMetadata(M.getMDKindID("nosanitize"),
+                                      MDNode::get(C, None));
+
+            }
+
+          }
+
+          continue;
+      
+      }
+      
       if (AFL_R(100) >= inst_ratio) continue;
 
       /* Make up cur_loc */
 
       // cur_loc++;
       cur_loc = AFL_R(map_size);
+      uint32_t cur_loc2 = AFL_R(map_size);
 
 /* There is a problem with Ubuntu 18.04 and llvm 6.0 (see issue #63).
    The inline function successors() is not inlined and also not found at runtime
@@ -420,6 +542,9 @@ bool AFLCoverage::runOnModule(Module &M) {
             StoreInst * RestoreCtx = Post_IRB.CreateStore(PrevCtx, AFLContext);
             RestoreCtx->setMetadata(M.getMDKindID("nosanitize"),
                                     MDNode::get(C, None));
+            RestoreCtx = Post_IRB.CreateStore(PrevCtx2, AFLContext2);
+            RestoreCtx->setMetadata(M.getMDKindID("nosanitize"),
+                                  MDNode::get(C, None));
 
           }
 
@@ -440,12 +565,17 @@ bool AFLCoverage::runOnModule(Module &M) {
 #endif
         CurLoc = ConstantInt::get(Int32Ty, cur_loc);
 
+      ConstantInt *CurLoc2 = ConstantInt::get(Int32Ty, cur_loc2);
+
       /* Load prev_loc */
 
       LoadInst *PrevLoc = IRB.CreateLoad(AFLPrevLoc);
       PrevLoc->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
       Value *PrevLocTrans;
 
+      LoadInst *PrevLoc2 = IRB.CreateLoad(AFLPrevLoc2);
+      PrevLoc2->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
+
 #ifdef AFL_HAVE_VECTOR_INTRINSICS
       /* "For efficiency, we propose to hash the tuple as a key into the
          hit_count map as (prev_block_trans << 1) ^ curr_block_trans, where
@@ -458,6 +588,15 @@ bool AFLCoverage::runOnModule(Module &M) {
 #endif
         PrevLocTrans = PrevLoc;
 
+      std::vector<Value *> coll_args;
+      coll_args.push_back(CurLoc);
+      coll_args.push_back(PrevLocTrans);
+      coll_args.push_back(PrevCtx ? (Value*)PrevCtx : (Value*)Zero);
+      coll_args.push_back(CurLoc2);
+      coll_args.push_back(PrevLoc2);
+      coll_args.push_back(PrevCtx2 ? (Value*)PrevCtx2 : (Value*)Zero);
+      IRB.CreateCall(aflLogCollision, coll_args);
+
       if (ctx_str)
         PrevLocTrans =
             IRB.CreateZExt(IRB.CreateXor(PrevLocTrans, PrevCtx), Int32Ty);
@@ -540,6 +679,10 @@ bool AFLCoverage::runOnModule(Module &M) {
                                 AFLPrevLoc);
         Store->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
 
+        Store = IRB.CreateStore(ConstantInt::get(Int32Ty, cur_loc2 >> 1),
+                                AFLPrevLoc2);
+        Store->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
+
       }
 
       // in CTX mode we have to restore the original context for the caller -
@@ -554,6 +697,9 @@ bool AFLCoverage::runOnModule(Module &M) {
           StoreInst * RestoreCtx = Post_IRB.CreateStore(PrevCtx, AFLContext);
           RestoreCtx->setMetadata(M.getMDKindID("nosanitize"),
                                   MDNode::get(C, None));
+          RestoreCtx = Post_IRB.CreateStore(PrevCtx2, AFLContext2);
+          RestoreCtx->setMetadata(M.getMDKindID("nosanitize"),
+                                  MDNode::get(C, None));
 
         }
 

src/afl-cc.c

@@ -424,6 +424,8 @@ static void edit_params(u32 argc, char **argv, char **envp) {
     cc_params[cc_par_cnt++] = fplugin_arg;
 
   }
+  
+  if (getenv("AFL_COLLFREE_CTX")) cc_params[cc_par_cnt++] = "-fsanitize-coverage=trace-pc-guard";
 
   if (compiler_mode == LLVM || compiler_mode == LTO) {
 
@@ -1274,6 +1276,8 @@ int main(int argc, char **argv, char **envp) {
 
   if (getenv("AFL_LLVM_CTX")) instrument_opt_mode |= INSTRUMENT_OPT_CTX;
 
+  if (getenv("AFL_COLLFREE_CTX")) instrument_opt_mode |= INSTRUMENT_CLASSIC;
+
   if (getenv("AFL_LLVM_NGRAM_SIZE")) {
 
     instrument_opt_mode |= INSTRUMENT_OPT_NGRAM;

src/afl-fuzz-run.c

@@ -58,8 +58,24 @@ fuzz_run_target(afl_state_t *afl, afl_forkserver_t *fsrv, u32 timeout) {
 
 #endif
 
+  memset(afl->shm.collisions_map, 0,
+         afl->shm.map_size * sizeof(struct collision_entry));
+
   fsrv_run_result_t res = afl_fsrv_run_target(fsrv, timeout, &afl->stop_soon);
 
+  u32 coll_idx;
+  for (coll_idx = 0; coll_idx < MAP_SIZE; ++coll_idx) {
+
+    if (afl->shm.collisions_map[coll_idx].touched) {
+        afl->touched_bits[coll_idx] = 1;
+    }
+
+    if (afl->shm.collisions_map[coll_idx].is_colliding) {
+      afl->colliding_bits[coll_idx] = 1;
+    }
+
+  }
+
 #ifdef PROFILING
   clock_gettime(CLOCK_REALTIME, &spec);
   time_spent_start = (spec.tv_sec * 1000000000) + spec.tv_nsec;

src/afl-fuzz-state.c

@@ -114,6 +114,8 @@ void afl_state_init(afl_state_t *afl, uint32_t map_size) {
 #endif                                                     /* HAVE_AFFINITY */
 
   afl->virgin_bits = ck_alloc(map_size);
+  afl->colliding_bits = ck_alloc(MAP_SIZE);
+  afl->touched_bits = ck_alloc(MAP_SIZE);
   afl->virgin_tmout = ck_alloc(map_size);
   afl->virgin_crash = ck_alloc(map_size);
   afl->var_bytes = ck_alloc(map_size);

src/afl-fuzz-stats.c

@@ -183,11 +183,35 @@ void load_stats_file(afl_state_t *afl) {
 
 }
 
+u32 count_bytes_scozzo(afl_state_t *afl, u8 *mem) {
+
+  u32 *ptr = (u32 *)mem;
+  u32  i = (MAP_SIZE >> 2);
+  u32  ret = 0;
+
+  while (i--) {
+
+    u32 v = *(ptr++);
+
+    if (!v) { continue; }
+    if (v & 0x000000ffU) { ++ret; }
+    if (v & 0x0000ff00U) { ++ret; }
+    if (v & 0x00ff0000U) { ++ret; }
+    if (v & 0xff000000U) { ++ret; }
+
+  }
+
+  return ret;
+
+}
+
 /* Update stats file for unattended monitoring. */
 
 void write_stats_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg,
                       double stability, double eps) {
 
+  if (unlikely(afl->stop_soon)) return;
+
 #ifndef __HAIKU__
   struct rusage rus;
 #endif
@@ -262,6 +286,7 @@ void write_stats_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg,
           "peak_rss_mb       : %lu\n"
           "cpu_affinity      : %d\n"
           "edges_found       : %u\n"
+          "colliding         : %u/%u\n"
           "var_byte_count    : %u\n"
           "havoc_expansion   : %u\n"
           "testcache_size    : %llu\n"
@@ -301,10 +326,10 @@ void write_stats_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg,
 #else
           -1,
 #endif
-          t_bytes, afl->var_byte_count, afl->expand_havoc,
-          afl->q_testcase_cache_size, afl->q_testcase_cache_count,
-          afl->q_testcase_evictions, afl->use_banner,
-          afl->unicorn_mode ? "unicorn" : "",
+          t_bytes, count_bytes_scozzo(afl, afl->colliding_bits), count_bytes_scozzo(afl, afl->touched_bits), afl->var_byte_count,
+          afl->expand_havoc, afl->q_testcase_cache_size,
+          afl->q_testcase_cache_count, afl->q_testcase_evictions,
+          afl->use_banner, afl->unicorn_mode ? "unicorn" : "",
           afl->fsrv.qemu_mode ? "qemu " : "",
           afl->non_instrumented_mode ? " non_instrumented " : "",
           afl->no_forkserver ? "no_fsrv " : "", afl->crash_mode ? "crash " : "",

src/afl-sharedmem.c

@@ -174,8 +174,8 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size,
   }
 
   /* map the shared memory segment to the address space of the process */
-  shm->map =
-      mmap(0, map_size, PROT_READ | PROT_WRITE, MAP_SHARED, shm->g_shm_fd, 0);
+  shm->map = mmap(0, map_size + map_size * sizeof(struct collision_entry),
+                  PROT_READ | PROT_WRITE, MAP_SHARED, shm->g_shm_fd, 0);
   if (shm->map == MAP_FAILED) {
 
     close(shm->g_shm_fd);
@@ -241,7 +241,9 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size,
 #else
   u8 *shm_str;
 
-  shm->shm_id = shmget(IPC_PRIVATE, map_size, IPC_CREAT | IPC_EXCL | 0600);
+  shm->shm_id =
+      shmget(IPC_PRIVATE, map_size + map_size * sizeof(struct collision_entry),
+             IPC_CREAT | IPC_EXCL | 0600);
   if (shm->shm_id < 0) { PFATAL("shmget() failed"); }
 
   if (shm->cmplog_mode) {
@@ -317,6 +319,8 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size,
 
 #endif
 
+  shm->collisions_map = (struct collision_entry *)(shm->map + map_size);
+
   shm->map_size = map_size;
   list_append(&shm_list, shm);