Merge pull request #2401 from AFLplusplus/dev

v4.32c release

.custom-format.py

@@ -21,12 +21,15 @@ import os
 # import re # TODO: for future use
 import shutil
 import importlib.metadata
+import hashlib
 
 # string_re = re.compile('(\\"(\\\\.|[^"\\\\])*\\")') # TODO: for future use
 
 CURRENT_LLVM = os.getenv('LLVM_VERSION', 18)
 CLANG_FORMAT_BIN = os.getenv("CLANG_FORMAT_BIN", "")
 
+FORMAT_CACHE_DIR = '.format-cache'
+os.makedirs(FORMAT_CACHE_DIR, exist_ok=True)
 
 def check_clang_format_pip_version():
     """
@@ -69,6 +72,8 @@ to install via pip.")
 if CLANG_FORMAT_PIP:
     CLANG_FORMAT_BIN = shutil.which("clang-format")
 
+CLANG_FORMAT_VERSION = subprocess.check_output([CLANG_FORMAT_BIN, '--version'])
+
 COLUMN_LIMIT = 80
 for line in fmt.split("\n"):
     line = line.split(":")
@@ -86,9 +91,10 @@ def custom_format(filename):
     out = ""
 
     for line in src.split("\n"):
+        define_start = False
         if line.lstrip().startswith("#"):
             if line[line.find("#") + 1:].lstrip().startswith("define"):
-                in_define = True
+                define_start = True
 
         if (
                 "/*" in line
@@ -126,9 +132,7 @@ def custom_format(filename):
                 and last_line.strip() != ""
         ):
             line = (" " * define_padding + "\\" if in_define else "") + "\n" + line
-
-        if not line.endswith("\\"):
-            in_define = False
+        in_define = (define_start or in_define) and line.endswith("\\")
 
         out += line + "\n"
         last_line = line
@@ -136,6 +140,38 @@ def custom_format(filename):
     return out
 
 
+def hash_code_and_formatter(code):
+    hasher = hashlib.sha256()
+
+    hasher.update(code.encode())
+    hasher.update(CLANG_FORMAT_VERSION)
+    with open(__file__, 'rb') as f:
+        hasher.update(f.read())
+
+    return hasher.hexdigest()
+
+
+def custom_format_cached(filename):
+    filename_hash = hashlib.sha256(filename.encode()).hexdigest()
+    cache_file = os.path.join(FORMAT_CACHE_DIR, filename_hash)
+
+    if os.path.exists(cache_file):
+        with open(filename) as f:
+            code = f.read()
+        code_hash = hash_code_and_formatter(code)
+        with open(cache_file) as f:
+            if f.read() == code_hash:
+                return code
+
+    code = custom_format(filename)
+
+    code_hash = hash_code_and_formatter(code)
+    with open(cache_file, 'w') as f:
+        f.write(code_hash)
+
+    return code
+
+
 args = sys.argv[1:]
 if len(args) == 0:
     print("Usage: ./format.py [-i] <filename>")
@@ -151,7 +187,7 @@ if args[0] == "-i":
     args = args[1:]
 
 for filename in args:
-    code = custom_format(filename)
+    code = custom_format_cached(filename)
     if in_place:
         with open(filename, "w") as f:
             f.write(code)

.github/workflows/ci.yml

@@ -14,18 +14,18 @@ jobs:
     runs-on: "${{ matrix.os }}"
     strategy:
       matrix:
-        os: [ubuntu-22.04, ubuntu-20.04]
+        os: [ubuntu-24.04, ubuntu-22.04, ubuntu-24.04-arm]
     env:
       AFL_SKIP_CPUFREQ: 1
       AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES: 1
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: update
         run: sudo apt-get update && sudo apt-get upgrade -y
       - name: debug
         run: apt-cache search plugin-dev | grep gcc-; echo; apt-cache search clang-format- | grep clang-format-
       - name: install packages
-        run: sudo apt-get install -y -m -f build-essential gcc-10 g++-10 git libtool libtool-bin automake flex bison libglib2.0-0 clang-12 llvm-12-dev libc++-dev findutils libcmocka-dev python3-dev python3-setuptools ninja-build python3-pip gcc-10-plugin-dev
+        run: sudo apt-get install -y -m -f build-essential gcc-12 g++-12 git libtool libtool-bin automake flex bison libglib2.0-0 clang-15 llvm-15-dev libc++-dev findutils libcmocka-dev python3-dev python3-setuptools ninja-build python3-pip gcc-12-plugin-dev
       - name: compiler installed
         run: gcc -v; echo; clang -v
       - name: install gcc plugin
@@ -45,7 +45,7 @@ jobs:
       - name: install
         run: brew install make gcc llvm
 #     - name: fix install
-#       run: cd /usr/local/bin; ln -s gcc-11 gcc; ln -s g++-11 g++; which gcc; gcc -v
+#       run: cd /usr/local/bin; ln -s gcc-12 gcc; ln -s g++-12 g++; which gcc; gcc -v
 #      - name: build
 #        run: export PATH=/usr/local/Cellar/llvm/*/":$PATH"; export CC=/usr/local/Cellar/llvm/*/bin/clang; export CXX="$CC"++; export LLVM_CONFIG=/usr/local/Cellar/llvm/*/bin/llvm-config; sudo -E ./afl-system-config; gmake ASAN_BUILD=1 afl-fuzz
       - name: build

.github/workflows/container.yml

@@ -16,11 +16,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
       - name: Build amd64
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v6
         with:
           context: .
           tags: aflplusplus:test-amd64
@@ -35,20 +35,41 @@ jobs:
           apt-get install -y libcmocka-dev && 
           make -i tests
           "
+  build-and-test-arm64:
+    name: Test arm64 image
+    runs-on: ubuntu-24.04-arm
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Build arm64
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          tags: aflplusplus:test-arm64
+          load: true
+          cache-to: type=gha,mode=max
+          build-args: |
+            TEST_BUILD=1
+      - name: Test arm64
+        run: >
+          docker run --rm aflplusplus:test-arm64 bash -c "
+          apt-get update && 
+          apt-get install -y libcmocka-dev && 
+          make -i tests
+          "
 
   push:
     name: Push amd64 and arm64 images
     runs-on: ubuntu-latest
     needs:
       - build-and-test-amd64
+      - build-and-test-arm64
     if: ${{ github.event_name == 'push' && github.repository == 'AFLplusplus/AFLplusplus' }}
     steps:
       - name: Checkout
         uses: actions/checkout@v3
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
-        with:
-          platforms: arm64
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v2
       - name: Login to docker.io

.github/workflows/rust_custom_mutator.yml

@@ -18,7 +18,7 @@ jobs:
         working-directory: custom_mutators/rust
     strategy:
       matrix:
-        os: [ubuntu-22.04, ubuntu-20.04]
+        os: [ubuntu-22.04]
     steps:
       - uses: actions/checkout@v3
       - name: Install Rust Toolchain

.gitignore

@@ -7,6 +7,7 @@
 *.so
 *.swp
 .DS_Store
+.format-cache
 .sync_tmp
 .test
 .test2
@@ -113,4 +114,4 @@ utils/replay_record/persistent_demo_replay_argparse
 utils/plot_ui/afl-plot-ui
 vuln_prog
 argv_fuzz_demo
-argv_fuzz_persistent_demo
+argv_fuzz_persistent_demo

Dockerfile

@@ -61,6 +61,7 @@ RUN apt-get update && \
 
 RUN update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-${GCC_VERSION} 0 && \
     update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-${GCC_VERSION} 0 && \
+    update-alternatives --install /usr/bin/c++ c++ /usr/bin/g++-${GCC_VERSION} 0 && \
     update-alternatives --install /usr/bin/clang clang /usr/bin/clang-${LLVM_VERSION} 0 && \
     update-alternatives --install /usr/bin/clang++ clang++ /usr/bin/clang++-${LLVM_VERSION} 0
 

GNUmakefile

@@ -41,10 +41,6 @@ ARCH = $(shell uname -m)
 
 $(info [*] Compiling AFL++ for OS $(SYS) on ARCH $(ARCH))
 
-ifdef NO_SPLICING
-  override CFLAGS_OPT += -DNO_SPLICING
-endif
-
 ifdef NO_UTF
   override CFLAGS_OPT += -DFANCY_BOXES_NO_UTF
 endif
@@ -65,11 +61,20 @@ ifdef MSAN_BUILD
   override CFLAGS += -fsanitize=memory -fno-omit-frame-pointer
   override LDFLAGS += -fsanitize=memory
 endif
+ifdef NO_SPLICING
+  $(info The NO_SPLICING parameter is deprecated)
+endif
+
 
 ifdef CODE_COVERAGE
   override CFLAGS += -D__AFL_CODE_COVERAGE=1
 endif
 
+IS_IOS:=$(findstring ios, $(shell $(CC) --version 2>/dev/null))
+ifdef IS_IOS
+  override CFLAGS += -DTARGET_OS_IPHONE -DTARGET_OS_IOS -isysroot $(IOS_SDK_PATH)
+endif
+
 ifeq "$(findstring android, $(shell $(CC) --version 2>/dev/null))" ""
 ifeq "$(shell echo 'int main() {return 0; }' | $(CC) $(CFLAGS) -Werror -x c - -flto=full -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
 	CFLAGS_FLTO ?= -flto=full
@@ -101,17 +106,19 @@ else
   SPECIAL_PERFORMANCE :=
 endif
 
-ifneq "$(SYS)" "Darwin"
- #ifeq "$(HAVE_MARCHNATIVE)" "1"
- #  SPECIAL_PERFORMANCE += -march=native
- #endif
- #ifndef DEBUG
- #  override CFLAGS_OPT += -D_FORTIFY_SOURCE=1
- #endif
-else
-  # On some odd MacOS system configurations, the Xcode sdk path is not set correctly
-  SDK_LD = -L$(shell xcrun --show-sdk-path)/usr/lib
-  override LDFLAGS += $(SDK_LD)
+ifndef IS_IOS
+  ifneq "$(SYS)" "Darwin"
+   #ifeq "$(HAVE_MARCHNATIVE)" "1"
+   #  SPECIAL_PERFORMANCE += -march=native
+   #endif
+   #ifndef DEBUG
+   #  override CFLAGS_OPT += -D_FORTIFY_SOURCE=1
+   #endif
+  else
+    # On some odd MacOS system configurations, the Xcode sdk path is not set correctly
+    SDK_LD = -L$(shell xcrun --show-sdk-path)/usr/lib
+    override LDFLAGS += $(SDK_LD)
+  endif
 endif
 
 COMPILER_TYPE=$(shell $(CC) --version|grep "Free Software Foundation")
@@ -282,7 +289,7 @@ ifneq "$(findstring OpenBSD, $(SYS))" ""
   override LDFLAGS += -lpthread -lm
 endif
 
-COMM_HDR    = include/alloc-inl.h include/config.h include/debug.h include/types.h
+COMM_HDR    = include/alloc-inl.h include/config.h include/debug.h include/types.h include/afl-fuzz.h include/hash.h include/sharedmem.h include/forkserver.h include/common.h include/list.h
 
 ifeq "$(shell echo '$(HASH)include <Python.h>@int main() {return 0; }' | tr @ '\n' | $(CC) $(CFLAGS) -x c - -o .test $(PYTHON_INCLUDE) $(LDFLAGS) $(PYTHON_LIB) 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
 	PYTHON_OK=1
@@ -408,7 +415,6 @@ help:
 	@echo PROFILING - compile afl-fuzz with profiling information
 	@echo INTROSPECTION - compile afl-fuzz with mutation introspection
 	@echo NO_PYTHON - disable python support
-	@echo NO_SPLICING - disables splicing mutation in afl-fuzz, not recommended for normal fuzzing
 	@echo "NO_UTF - do not use UTF-8 for line rendering in status screen (fallback to G1 box drawing, of vanilla AFL)"
 	@echo NO_NYX - disable building nyx mode dependencies
 	@echo "NO_CORESIGHT - disable building coresight (arm64 only)"
@@ -466,32 +472,47 @@ endif
 ready:
 	@echo "[+] Everything seems to be working, ready to compile. ($(shell $(CC) --version 2>&1|head -n 1))"
 
-src/afl-performance.o : $(COMM_HDR) src/afl-performance.c include/hash.h
-	$(CC) $(CFLAGS) $(CFLAGS_OPT) $(SPECIAL_PERFORMANCE) -Iinclude -c src/afl-performance.c -o src/afl-performance.o
+src/afl-performance.o: $(COMM_HDR) src/afl-performance.c
+	$(CC) $(CFLAGS) $(CFLAGS_FLTO) $(CFLAGS_OPT) $(SPECIAL_PERFORMANCE) -Iinclude -c src/afl-performance.c -o src/afl-performance.o
 
-src/afl-common.o : $(COMM_HDR) src/afl-common.c include/common.h
+src/afl-common.o: $(COMM_HDR) src/afl-common.c include/envs.h
 	$(CC) $(CFLAGS) $(CFLAGS_FLTO) $(SPECIAL_PERFORMANCE) -c src/afl-common.c -o src/afl-common.o
 
-src/afl-forkserver.o : $(COMM_HDR) src/afl-forkserver.c include/forkserver.h
+src/afl-forkserver.o: $(COMM_HDR) src/afl-forkserver.c 
 	$(CC) $(CFLAGS) $(CFLAGS_FLTO) $(SPECIAL_PERFORMANCE) -c src/afl-forkserver.c -o src/afl-forkserver.o
 
-src/afl-sharedmem.o : $(COMM_HDR) src/afl-sharedmem.c include/sharedmem.h
+src/afl-sharedmem.o: $(COMM_HDR) src/afl-sharedmem.c include/android-ashmem.h include/cmplog.h
 	$(CC) $(CFLAGS) $(CFLAGS_FLTO) $(SPECIAL_PERFORMANCE) -c src/afl-sharedmem.c -o src/afl-sharedmem.o
 
-afl-fuzz: $(COMM_HDR) include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o | test_x86
+afl-fuzz: $(COMM_HDR) include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o include/cmplog.h include/envs.h | test_x86
 	$(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) $(SPECIAL_PERFORMANCE) $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o -o $@ $(PYFLAGS) $(LDFLAGS) -lm
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 
-afl-showmap: src/afl-showmap.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o $(COMM_HDR) | test_x86
+afl-showmap: src/afl-showmap.c src/afl-fuzz-mutators.c src/afl-fuzz-python.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o $(COMM_HDR) | test_x86
 	$(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) $(SPECIAL_PERFORMANCE) src/$@.c src/afl-fuzz-mutators.c src/afl-fuzz-python.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o -o $@ $(PYFLAGS) $(LDFLAGS)
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 
-afl-tmin: src/afl-tmin.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o $(COMM_HDR) | test_x86
-	$(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) $(SPECIAL_PERFORMANCE) src/$@.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o -o $@ $(LDFLAGS)
+afl-tmin: src/afl-tmin.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o src/afl-fuzz-python.o src/afl-fuzz-mutators.o $(COMM_HDR) | test_x86
+	$(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) $(SPECIAL_PERFORMANCE) src/$@.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o src/afl-fuzz-python.o src/afl-fuzz-mutators.o -o $@ $(PYFLAGS) $(LDFLAGS)
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 
 afl-analyze: src/afl-analyze.c src/afl-common.o src/afl-sharedmem.o src/afl-performance.o src/afl-forkserver.o $(COMM_HDR) | test_x86
 	$(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) $(SPECIAL_PERFORMANCE) src/$@.c src/afl-common.o src/afl-sharedmem.o src/afl-performance.o src/afl-forkserver.o -o $@ $(LDFLAGS)
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 
 afl-gotcpu: src/afl-gotcpu.c src/afl-common.o $(COMM_HDR) | test_x86
 	$(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) $(SPECIAL_PERFORMANCE) src/$@.c src/afl-common.o -o $@ $(LDFLAGS)
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 
 .PHONY: document
 document:	afl-fuzz-document
@@ -499,6 +520,9 @@ document:	afl-fuzz-document
 # document all mutations and only do one run (use with only one input file!)
 afl-fuzz-document: $(COMM_HDR) include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-performance.o | test_x86
 	$(CC) -D_DEBUG=\"1\" -D_AFL_DOCUMENT_MUTATIONS $(CFLAGS) $(CFLAGS_FLTO) $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.c src/afl-performance.o -o afl-fuzz-document $(PYFLAGS) $(LDFLAGS)
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 
 test/unittests/unit_maybe_alloc.o : $(COMM_HDR) include/alloc-inl.h test/unittests/unit_maybe_alloc.c $(AFL_FUZZ_FILES)
 	@$(CC) $(CFLAGS) $(ASAN_CFLAGS) -c test/unittests/unit_maybe_alloc.c -o test/unittests/unit_maybe_alloc.o
@@ -506,20 +530,29 @@ test/unittests/unit_maybe_alloc.o : $(COMM_HDR) include/alloc-inl.h test/unittes
 unit_maybe_alloc: test/unittests/unit_maybe_alloc.o
 	@$(CC) $(CFLAGS) -Wl,--wrap=exit -Wl,--wrap=printf test/unittests/unit_maybe_alloc.o -o test/unittests/unit_maybe_alloc $(LDFLAGS) $(ASAN_LDFLAGS) -lcmocka
 	./test/unittests/unit_maybe_alloc
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 
 test/unittests/unit_hash.o : $(COMM_HDR) include/alloc-inl.h test/unittests/unit_hash.c $(AFL_FUZZ_FILES) src/afl-performance.o
-	@$(CC) $(CFLAGS) $(ASAN_CFLAGS) $(SPECIAL_PERFORMANCE) -c test/unittests/unit_hash.c -o test/unittests/unit_hash.o
+	@$(CC) $(CFLAGS) $(CFLAGS_FLTO) $(ASAN_CFLAGS) $(SPECIAL_PERFORMANCE) -c test/unittests/unit_hash.c -o test/unittests/unit_hash.o
 
 unit_hash: test/unittests/unit_hash.o src/afl-performance.o
-	@$(CC) $(CFLAGS) $(SPECIAL_PERFORMANCE) -Wl,--wrap=exit -Wl,--wrap=printf $^ -o test/unittests/unit_hash $(LDFLAGS) $(ASAN_LDFLAGS) -lcmocka
+	@$(CC) $(CFLAGS) $(CFLAGS_FLTO) $(SPECIAL_PERFORMANCE) -Wl,--wrap=exit -Wl,--wrap=printf $^ -o test/unittests/unit_hash $(LDFLAGS) $(ASAN_LDFLAGS) -lcmocka
 	./test/unittests/unit_hash
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 
 test/unittests/unit_rand.o : $(COMM_HDR) include/alloc-inl.h test/unittests/unit_rand.c $(AFL_FUZZ_FILES) src/afl-performance.o
-	@$(CC) $(CFLAGS) $(ASAN_CFLAGS) $(SPECIAL_PERFORMANCE) -c test/unittests/unit_rand.c -o test/unittests/unit_rand.o
+	@$(CC) $(CFLAGS) $(CFLAGS_FLTO) $(ASAN_CFLAGS) $(SPECIAL_PERFORMANCE) -c test/unittests/unit_rand.c -o test/unittests/unit_rand.o
 
 unit_rand: test/unittests/unit_rand.o src/afl-common.o src/afl-performance.o
-	@$(CC) $(CFLAGS) $(ASAN_CFLAGS) $(SPECIAL_PERFORMANCE) -Wl,--wrap=exit -Wl,--wrap=printf $^ -o test/unittests/unit_rand  $(LDFLAGS) $(ASAN_LDFLAGS) -lcmocka
+	@$(CC) $(CFLAGS) $(CFLAGS_FLTO) $(ASAN_CFLAGS) $(SPECIAL_PERFORMANCE) -Wl,--wrap=exit -Wl,--wrap=printf $^ -o test/unittests/unit_rand  $(LDFLAGS) $(ASAN_LDFLAGS) -lcmocka
 	./test/unittests/unit_rand
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 
 test/unittests/unit_list.o : $(COMM_HDR) include/list.h test/unittests/unit_list.c $(AFL_FUZZ_FILES)
 	@$(CC) $(CFLAGS) $(ASAN_CFLAGS) -c test/unittests/unit_list.c -o test/unittests/unit_list.o
@@ -527,6 +560,9 @@ test/unittests/unit_list.o : $(COMM_HDR) include/list.h test/unittests/unit_list
 unit_list: test/unittests/unit_list.o
 	@$(CC) $(CFLAGS) $(ASAN_CFLAGS) -Wl,--wrap=exit -Wl,--wrap=printf test/unittests/unit_list.o -o test/unittests/unit_list  $(LDFLAGS) $(ASAN_LDFLAGS) -lcmocka
 	./test/unittests/unit_list
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 
 test/unittests/unit_preallocable.o : $(COMM_HDR) include/alloc-inl.h test/unittests/unit_preallocable.c $(AFL_FUZZ_FILES)
 	@$(CC) $(CFLAGS) $(ASAN_CFLAGS) -c test/unittests/unit_preallocable.c -o test/unittests/unit_preallocable.o
@@ -534,6 +570,9 @@ test/unittests/unit_preallocable.o : $(COMM_HDR) include/alloc-inl.h test/unitte
 unit_preallocable: test/unittests/unit_preallocable.o
 	@$(CC) $(CFLAGS) $(ASAN_CFLAGS) -Wl,--wrap=exit -Wl,--wrap=printf test/unittests/unit_preallocable.o -o test/unittests/unit_preallocable $(LDFLAGS) $(ASAN_LDFLAGS) -lcmocka
 	./test/unittests/unit_preallocable
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 
 .PHONY: unit_clean
 unit_clean:
@@ -645,6 +684,7 @@ deepclean:	clean
 	rm -rf unicorn_mode/unicornafl
 	rm -rf qemu_mode/qemuafl
 	rm -rf nyx_mode/libnyx nyx_mode/packer nyx_mode/QEMU-Nyx
+	rm -rf .format-cache
 ifeq "$(IN_REPO)" "1"
 	git checkout coresight_mode/coresight-trace
 	git checkout unicorn_mode/unicornafl

GNUmakefile.llvm

@@ -28,11 +28,11 @@ MAN_PATH    ?= $(PREFIX)/share/man/man8
 
 BUILD_DATE  ?= $(shell date -u -d "@$(SOURCE_DATE_EPOCH)" "+%Y-%m-%d" 2>/dev/null || date -u -r "$(SOURCE_DATE_EPOCH)" "+%Y-%m-%d" 2>/dev/null || date -u "+%Y-%m-%d")
 
-VERSION     = $(shell grep '^$(HASH)define VERSION ' ./config.h | cut -d '"' -f2)
+VERSION     = $(shell grep '^ *$(HASH)define VERSION ' ./config.h | cut -d '"' -f2)
 
 SYS = $(shell uname -s)
 
-override LLVM_TOO_NEW_DEFAULT := 18
+override LLVM_TOO_NEW_DEFAULT := 19
 override LLVM_TOO_OLD_DEFAULT := 13
 
 ifeq "$(SYS)" "OpenBSD"
@@ -69,16 +69,16 @@ endif
 
 LLVM_STDCXX                  := gnu++11
 LLVM_LTO                     := 0
-LLVM_UNSUPPORTED             := $(shell echo "$(LLVMVER)" | grep -E -q '^[0-2]\.|^3\.[0-7]\.' && echo 1 || echo 0)
+LLVM_UNSUPPORTED             := $(shell echo "$(LLVMVER)" | grep -E -q '^[0-2]\.|^3\.[0-7]\.|^2[1-9]\.' && echo 1 || echo 0)
 # Uncomment to see the values assigned above
-# $(foreach var,LLVM_CONFIG LLVMVER LLVM_MAJOR LLVM_MINOR LLVM_TOO_NEW LLVM_TOO_OLD LLVM_TOO_NEW_DEFAULT LLVM_TOO_OLD_DEFAULT LLVM_NEW_API LLVM_NEWER_API LLVM_13_OK LLVM_HAVE_LTO LLVM_BINDIR LLVM_LIBDIR LLVM_STDCXX LLVM_APPLE_XCODE LLVM_LTO LLVM_UNSUPPORTED,$(warning $(var) = $($(var))))
+# $(foreach var,_CLANG_VERSIONS_TO_TEST LLVM_CONFIG LLVMVER LLVM_MAJOR LLVM_MINOR LLVM_TOO_NEW LLVM_TOO_OLD LLVM_TOO_NEW_DEFAULT LLVM_TOO_OLD_DEFAULT LLVM_NEW_API LLVM_NEWER_API LLVM_13_OK LLVM_HAVE_LTO LLVM_BINDIR LLVM_LIBDIR LLVM_STDCXX LLVM_APPLE_XCODE LLVM_LTO LLVM_UNSUPPORTED,$(warning $(var) = $($(var))))
 
 ifeq "$(LLVMVER)" ""
   $(warning [!] llvm_mode needs llvm-config, which was not found. Set LLVM_CONFIG to its path and retry.)
 endif
 
 ifeq "$(LLVM_UNSUPPORTED)" "1"
-  $(error llvm_mode only supports llvm from version 3.8 onwards)
+  $(error llvm_mode only supports llvm from version 3.8 onwards - or your version is too new. Upgrade AFL++ if possible or downgrade LLVM.)
 endif
 
 ifeq "$(LLVM_TOO_NEW)" "1"
@@ -237,20 +237,21 @@ ifeq "$(LLVM_LTO)" "1"
     ifeq "$(AFL_REAL_LD)" ""
       ifneq "$(shell readlink $(LLVM_BINDIR)/ld.lld 2>&1)" ""
         AFL_REAL_LD = $(LLVM_BINDIR)/ld.lld
-      else ifneq "$(shell command -v ld.lld 2>/dev/null)" ""
-        AFL_REAL_LD = $(shell command -v ld.lld)
-        TMP_LDLDD_VERSION = $(shell $(AFL_REAL_LD) --version | awk '{ print $$2 }')
-        ifeq "$(LLVMVER)" "$(TMP_LDLDD_VERSION)"
-          $(warning ld.lld found in a weird location ($(AFL_REAL_LD)), but its the same version as LLVM so we will allow it)
+      else
+        ifneq "$(shell command -v ld.lld 2>/dev/null)" ""
+          AFL_REAL_LD = $(shell command -v ld.lld)
+          TMP_LDLDD_VERSION = $(shell $(AFL_REAL_LD) --version | sed -E -ne '/^.*LLD\ ([12]?[0-9]\.[0-9]\.[0-9]).*/s//\1/p')
+          ifeq "$(LLVMVER)" "$(TMP_LDLDD_VERSION)"
+            $(warning ld.lld found in a weird location ($(AFL_REAL_LD)), but its the same version as LLVM so we will allow it)
+          else
+            $(warning ld.lld found in a weird location ($(AFL_REAL_LD)) and its of a different version than LLMV ($(TMP_LDLDD_VERSION) vs. $(LLVMVER)) - cannot enable LTO mode)
+            AFL_REAL_LD=
+            LLVM_LTO = 0
+          endif
         else
-          $(warning ld.lld found in a weird location ($(AFL_REAL_LD)) and its of a different version than LLMV ($(TMP_LDLDD_VERSION) vs. $(LLVMVER)) - cannot enable LTO mode)
-          AFL_REAL_LD=
+          $(warning ld.lld not found, cannot enable LTO mode)
           LLVM_LTO = 0
         endif
-        undefine TMP_LDLDD_VERSION
-      else
-        $(warning ld.lld not found, cannot enable LTO mode)
-        LLVM_LTO = 0
       endif
     endif
   else
@@ -272,11 +273,7 @@ ifeq "$(LLVM_LTO)" "1"
   endif
 endif
 
-ifeq "$(shell echo 'int main() {return 0; }' | $(CLANG_BIN) -x c - -fdebug-prefix-map=$(CURDIR)=llvm_mode -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
-        AFL_CLANG_DEBUG_PREFIX = -fdebug-prefix-map="$(CURDIR)=llvm_mode"
-else
-        AFL_CLANG_DEBUG_PREFIX =
-endif
+IS_IOS          := $(findstring ios, $(shell $(CC) --version 2>/dev/null))
 
 CFLAGS          ?= -O3 -funroll-loops -fPIC
 # -D_FORTIFY_SOURCE=1
@@ -288,11 +285,15 @@ CFLAGS_SAFE     := -Wall -g -Wno-cast-qual -Wno-variadic-macros -Wno-pointer-sig
                    -DAFL_CLANG_FLTO=\"$(AFL_CLANG_FLTO)\" -DAFL_REAL_LD=\"$(AFL_REAL_LD)\" \
                    -DAFL_CLANG_LDPATH=\"$(AFL_CLANG_LDPATH)\" -DAFL_CLANG_FUSELD=\"$(AFL_CLANG_FUSELD)\" \
                    -DCLANG_BIN=\"$(CLANG_BIN)\" -DCLANGPP_BIN=\"$(CLANGPP_BIN)\" -DUSE_BINDIR=$(USE_BINDIR) \
-                   -Wno-unused-function $(AFL_CLANG_DEBUG_PREFIX)
+                   -Wno-unused-function
 ifndef LLVM_DEBUG
   CFLAGS_SAFE += -Wno-deprecated
 endif
 
+ifdef IOS_SDK_PATH
+  override CFLAGS_SAFE += -isysroot $(IOS_SDK_PATH)
+endif
+
 ifdef CODE_COVERAGE
   override CFLAGS_SAFE += -D__AFL_CODE_COVERAGE=1
   override LDFLAGS += -ldl
@@ -310,6 +311,10 @@ override CXXFLAGS += -Wall -g -I ./include/ \
                      -DVERSION=\"$(VERSION)\" -Wno-variadic-macros -Wno-deprecated-copy-with-dtor \
                      -DLLVM_MINOR=$(LLVM_MINOR) -DLLVM_MAJOR=$(LLVM_MAJOR)
 
+ifdef IOS_SDK_PATH
+  override CXXFLAGS += -isysroot $(IOS_SDK_PATH)
+endif
+
 ifneq "$(shell $(LLVM_CONFIG) --includedir) 2> /dev/null" ""
   CLANG_CFL  = -I$(shell $(LLVM_CONFIG) --includedir)
 endif
@@ -335,7 +340,7 @@ else
 endif
 
 ifeq "$(SYS)" "OpenBSD"
-  CLANG_LFL += $$($(LLVM_CONFIG) --libdir)/libLLVM.so
+  CLANG_LFL += $(LLVM_LIBDIR)/libLLVM.so
   CLANG_CPPFL += -mno-retpoline
   CFLAGS += -mno-retpoline
   # Needed for unwind symbols
@@ -356,7 +361,7 @@ ifeq "$(TEST_MMAP)" "1"
         LDFLAGS += -Wno-deprecated-declarations
 endif
 
-PROGS_ALWAYS = ./afl-cc ./afl-compiler-rt.o ./afl-compiler-rt-32.o ./afl-compiler-rt-64.o 
+PROGS_ALWAYS = ./afl-cc ./afl-compiler-rt.o ./afl-compiler-rt-32.o ./afl-compiler-rt-64.o
 PROGS        = $(PROGS_ALWAYS) ./afl-llvm-pass.so ./SanitizerCoveragePCGUARD.so ./split-compares-pass.so ./split-switches-pass.so ./cmplog-routines-pass.so ./cmplog-instructions-pass.so ./cmplog-switches-pass.so ./afl-llvm-dict2file.so ./compare-transform-pass.so ./afl-ld-lto ./afl-llvm-lto-instrumentlist.so ./SanitizerCoverageLTO.so ./injection-pass.so
 
 # If prerequisites are not given, warn, do not build anything, and exit with code 0
@@ -431,29 +436,44 @@ ifeq "$(LLVM_LTO)" "1"
 	@ln -sf afl-cc ./afl-lto++
 endif
 endif
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 
 instrumentation/afl-llvm-common.o: instrumentation/afl-llvm-common.cc instrumentation/afl-llvm-common.h
-	$(CXX) $(CFLAGS) $(CPPFLAGS) $$($(LLVM_CONFIG) --cxxflags) -fno-rtti -fPIC -std=$(LLVM_STDCXX) -c $< -o $@ 
+	$(CXX) $(CFLAGS) $(CPPFLAGS) $$($(LLVM_CONFIG) --cxxflags) -fno-rtti -fPIC -std=$(LLVM_STDCXX) -c $< -o $@
 
 ./afl-llvm-pass.so: instrumentation/afl-llvm-pass.so.cc instrumentation/afl-llvm-common.o | test_deps
 ifeq "$(LLVM_MIN_4_0_1)" "0"
 	$(info [!] N-gram branch coverage instrumentation is not available for llvm version $(LLVMVER))
 endif
 	$(CXX) $(CLANG_CPPFL) -Wdeprecated -fno-rtti -fPIC -std=$(LLVM_STDCXX) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 
 ./SanitizerCoveragePCGUARD.so: instrumentation/SanitizerCoveragePCGUARD.so.cc instrumentation/afl-llvm-common.o | test_deps
 ifeq "$(LLVM_13_OK)" "1"
 	-$(CXX) $(CLANG_CPPFL) -fno-rtti -fPIC -std=$(LLVM_STDCXX) -shared $< -o $@ $(CLANG_LFL) -Wno-deprecated-copy-dtor -Wdeprecated instrumentation/afl-llvm-common.o
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 endif
 
 ./afl-llvm-lto-instrumentlist.so: instrumentation/afl-llvm-lto-instrumentlist.so.cc instrumentation/afl-llvm-common.o
 ifeq "$(LLVM_LTO)" "1"
 	$(CXX) $(CLANG_CPPFL) -fno-rtti -fPIC -std=$(LLVM_STDCXX) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 endif
 
 ./afl-ld-lto: src/afl-ld-lto.c
 ifeq "$(LLVM_LTO)" "1"
 	$(CC) $(CFLAGS) $(CPPFLAGS) $< -o $@
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 endif
 
 ./SanitizerCoverageLTO.so: instrumentation/SanitizerCoverageLTO.so.cc instrumentation/afl-llvm-common.o
@@ -462,31 +482,58 @@ ifeq "$(LLVM_LTO)" "1"
 	$(CLANG_BIN) $(CFLAGS_SAFE) $(CPPFLAGS) -Wno-unused-result -O0 $(AFL_CLANG_FLTO) -fPIC -c instrumentation/afl-llvm-rt-lto.o.c -o ./afl-llvm-rt-lto.o
 	@$(CLANG_BIN) $(CFLAGS_SAFE) $(CPPFLAGS) -Wno-unused-result -O0 $(AFL_CLANG_FLTO) -m64 -fPIC -c instrumentation/afl-llvm-rt-lto.o.c -o ./afl-llvm-rt-lto-64.o 2>/dev/null; if [ "$$?" = "0" ]; then : ; fi
 	@$(CLANG_BIN) $(CFLAGS_SAFE) $(CPPFLAGS) -Wno-unused-result -O0 $(AFL_CLANG_FLTO) -m32 -fPIC -c instrumentation/afl-llvm-rt-lto.o.c -o ./afl-llvm-rt-lto-32.o 2>/dev/null; if [ "$$?" = "0" ]; then : ; fi
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 endif
 
 # laf
 ./split-switches-pass.so:	instrumentation/split-switches-pass.so.cc instrumentation/afl-llvm-common.o | test_deps
 	$(CXX) $(CLANG_CPPFL) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 ./compare-transform-pass.so:	instrumentation/compare-transform-pass.so.cc instrumentation/afl-llvm-common.o | test_deps
 	$(CXX) $(CLANG_CPPFL) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 ./split-compares-pass.so:	instrumentation/split-compares-pass.so.cc instrumentation/afl-llvm-common.o | test_deps
 	$(CXX) $(CLANG_CPPFL) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 # /laf
 
 ./cmplog-routines-pass.so:	instrumentation/cmplog-routines-pass.cc instrumentation/afl-llvm-common.o | test_deps
 	$(CXX) $(CLANG_CPPFL) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 
 ./cmplog-instructions-pass.so:	instrumentation/cmplog-instructions-pass.cc instrumentation/afl-llvm-common.o | test_deps
 	$(CXX) $(CLANG_CPPFL) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 
 ./cmplog-switches-pass.so:	instrumentation/cmplog-switches-pass.cc instrumentation/afl-llvm-common.o | test_deps
 	$(CXX) $(CLANG_CPPFL) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 
 afl-llvm-dict2file.so:	instrumentation/afl-llvm-dict2file.so.cc instrumentation/afl-llvm-common.o | test_deps
 	$(CXX) $(CLANG_CPPFL) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 
 ./injection-pass.so:	instrumentation/injection-pass.cc instrumentation/afl-llvm-common.o | test_deps
 	$(CXX) $(CLANG_CPPFL) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 
 .PHONY: document
 document:
@@ -509,6 +556,9 @@ document:
 test_build: $(PROGS)
 	@echo "[*] Testing the CC wrapper and instrumentation output..."
 	unset AFL_USE_ASAN AFL_USE_MSAN AFL_INST_RATIO AFL_LLVM_ALLOWLIST AFL_LLVM_DENYLIST; ASAN_OPTIONS=detect_leaks=0 AFL_QUIET=1 AFL_PATH=. AFL_LLVM_LAF_ALL=1 ./afl-cc $(CFLAGS) $(CPPFLAGS) ./test-instr.c -o test-instr $(LDFLAGS)
+ifdef IS_IOS
+	@ldid -Sentitlements.plist test-instr && echo "[+] Signed test-instr" || echo "[-] Failed to sign test-instr"
+endif
 	ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr0 ./test-instr < /dev/null
 	echo 1 | ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr1 ./test-instr
 	@rm -f test-instr

README.md

@@ -2,9 +2,9 @@
 
 <img align="right" src="https://raw.githubusercontent.com/AFLplusplus/Website/main/static/aflpp_bg.svg" alt="AFL++ logo" width="250" height="250">
 
-Release version: [4.30c](https://github.com/AFLplusplus/AFLplusplus/releases)
+Release version: [4.32c](https://github.com/AFLplusplus/AFLplusplus/releases)
 
-GitHub version: 4.31a
+GitHub version: 4.32c
 
 Repository:
 [https://github.com/AFLplusplus/AFLplusplus](https://github.com/AFLplusplus/AFLplusplus)
@@ -16,7 +16,6 @@ AFL++ is maintained by:
 * Andrea Fioraldi <andreafioraldi@gmail.com>
 * Heiko "hexcoder-" Eissfeldt <heiko.eissfeldt@hexco.de>
 * frida_mode is maintained by @Worksbutnottested
-* Documentation: Jana Aydinbas <jana.aydinbas@gmail.com>
 
 Originally developed by Michal "lcamtuf" Zalewski.
 
@@ -230,6 +229,8 @@ Thank you! (For people sending pull requests - please add yourself to this list
     Ruben ten Hove                        Joey Jiao
     fuzzah                                @intrigus-lgtm
     Yaakov Saxon                          Sergej Schumilo
+    Ziqiao Kong                           Ryan Berger
+    Sangjun Park
   ```
 
 </details>

TODO.md

@@ -2,6 +2,7 @@
 
 ## Must
 
+ - afl_fsrv_deinit cmplog
  - ijon support?
  - check for null ptr for xml/curl/g_ string transform functions
  - hardened_usercopy=0 page_alloc.shuffle=0

afl-cmin

@@ -331,7 +331,7 @@ BEGIN {
   }
 
   if (0 == system ( "grep -aq AFL_DUMP_MAP_SIZE " target_bin )) {
-    echo "[!] Trying to obtain the map size of the target ..."
+    print "[!] Trying to obtain the map size of the target ..."
     get_map_size = "AFL_DUMP_MAP_SIZE=1 " target_bin
     get_map_size | getline mapsize
     close(get_map_size)
@@ -432,7 +432,7 @@ BEGIN {
   } else {
     stat_format = "-f '%z %N'" # *BSD, MacOS
   }
-  cmdline = "(cd "in_dir" && find . \\( ! -name \".*\" -a -type d \\) -o -type f -exec stat "stat_format" \\{\\} + | sort -k1n -k2r) | grep -Ev '^0'"
+  cmdline = "(cd "in_dir" && find . \\( ! -name \".*\" -a -type d \\) -o \\( -type f -a ! -name \"cmdline\" -a ! -name \"fastresume.bin\" -a ! -name \"fuzz_bitmap\" -a ! -name \"fuzzer_setup\" -a ! -name \"fuzzer_stats\" -a ! -name \"plot_data\" -a ! -name \"target_hash\" \\) -exec stat "stat_format" \\{\\} + | sort -k1n -k2r) | grep -Ev '^0'"
   #cmdline = "ls "in_dir" | (cd "in_dir" && xargs stat "stat_format" 2>/dev/null) | sort -k1n -k2r"
   #cmdline = "(cd "in_dir" && stat "stat_format" *) | sort -k1n -k2r"
   #cmdline = "(cd "in_dir" && ls | xargs stat "stat_format" ) | sort -k1n -k2r"

afl-persistent-config

@@ -121,6 +121,7 @@ kernel.sched_child_runs_first=1
 kernel.sched_autogroup_enabled=1
 kernel.sched_migration_cost_ns=50000000
 kernel.sched_latency_ns=250000000
+vm.swappiness=10
 EOF
   }
 
@@ -129,7 +130,7 @@ EOF
     if ! grep -E "^$KEY=" /etc/default/grub | grep -E -q 'noibrs pcid nopti'; then
       echo "Configuring performance boot options"
       LINE=`grep -E "^$KEY=" /etc/default/grub | sed "s/^$KEY=//" | tr -d '"'`
-      OPTIONS="$LINE ibpb=off ibrs=off kpti=off l1tf=off spec_rstack_overflow=off mds=off no_stf_barrier noibpb noibrs pcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=on pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off srbds=off noexec=off noexec32=off tsx=on tsx=on tsx_async_abort=off mitigations=off audit=0 hardened_usercopy=off ssbd=force-off"
+      OPTIONS="$LINE ibpb=off ibrs=off kpti=off l1tf=off spec_rstack_overflow=off mds=off nokaslr no_stf_barrier noibpb noibrs pcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=on pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off srbds=off noexec=off noexec32=off tsx=on tsx=on tsx_async_abort=off mitigations=off audit=0 hardened_usercopy=off ssbd=force-off"
       echo Setting boot options in /etc/default/grub to $KEY=\"$OPTIONS\"
       sed -i "s|^$KEY=.*|$KEY=\"$OPTIONS\"|" /etc/default/grub
     fi

afl-system-config

@@ -41,6 +41,7 @@ if [ "$PLATFORM" = "Linux" ] ; then
   sysctl -w kernel.sched_autogroup_enabled=1
   sysctl -w kernel.sched_migration_cost_ns=50000000 2>/dev/null
   sysctl -w kernel.sched_latency_ns=250000000 2>/dev/null
+  sysctl -w vm.swappiness=10 2>/dev/null
   echo never > /sys/kernel/mm/transparent_hugepage/enabled
   test -e /sys/devices/system/cpu/cpufreq/scaling_governor && echo performance | tee /sys/devices/system/cpu/cpufreq/scaling_governor
   test -e /sys/devices/system/cpu/cpufreq/policy0/scaling_governor && echo performance | tee /sys/devices/system/cpu/cpufreq/policy*/scaling_governor
@@ -54,7 +55,7 @@ if [ "$PLATFORM" = "Linux" ] ; then
   echo
   dmesg | grep -E -q 'noibrs pcid nopti' || {
     echo It is recommended to boot the kernel with lots of security off - if you are running a machine that is in a secured network - so set this:
-    echo '  /etc/default/grub:GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=0 l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs pcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=on pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off srbds=off noexec=off noexec32=off tsx=on tsx_async_abort=off arm64.nopauth audit=0 hardened_usercopy=off ssbd=force-off"'
+    echo '  /etc/default/grub:GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=off l1tf=off spec_rstack_overflow=off mds=off nokaslr no_stf_barrier noibpb noibrs pcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=on pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off srbds=off noexec=off noexec32=off tsx=on tsx=on tsx_async_abort=off mitigations=off audit=0 hardened_usercopy=off ssbd=force-off"'
     echo
   }
   echo If you run fuzzing instances in docker, run them with \"--security-opt seccomp=unconfined\" for more speed.

afl-whatsup

@@ -115,7 +115,7 @@ PLATFORM=`uname -s`
 #if [ "$PLATFORM" = "Linux" ] ; then
 #  CUR_TIME=`cat /proc/uptime | awk '{printf "%.0f\n", $1}'`
 #else
-  # This will lead to inacurate results but will prevent the script from breaking on platforms other than Linux
+  # This will lead to inaccurate results but will prevent the script from breaking on platforms other than Linux
   CUR_TIME=`date +%s`
 #fi
 

custom_mutators/aflpp/README.md

@@ -1,4 +1,4 @@
-# custum mutator: AFL++
+# custom mutator: AFL++
 
 this is the AFL++ havoc mutator as a custom mutator module for AFL++.
 

custom_mutators/atnwalk/atnwalk.c

@@ -409,7 +409,7 @@ size_t afl_custom_fuzz(atnwalk_mutator_t *data, uint8_t *buf, size_t buf_size,
 
   } else {
 
-    // new_size fits into buf, so re-use it
+    // new_size fits into buf, so reuse it
     *out_buf = buf;
 
   }

custom_mutators/autotokens/standalone/README.md

@@ -7,6 +7,6 @@ just type `make` to build.
 You *MUST* use a dictionary file to have an effective grammarless grammar fuzzer!
 
 ```
-autotokens-standalone -h # to see all parameteres
+autotokens-standalone -h # to see all parameters
 autotokens-standalone -x foo.dict inputfile outputfile # example
 ```

custom_mutators/examples/XmlMutatorMin.py

@@ -304,7 +304,7 @@ class XmlMutatorMin:
 
         # Log something
         if self.verbose:
-            print("Reseting tag #%i '%s'" % (rand_elem_id, rand_elem.tag))
+            print("Resetting tag #%i '%s'" % (rand_elem_id, rand_elem.tag))
 
         # Reset the node
         rand_elem.clear()

custom_mutators/examples/wrapper_afl_min.py

@@ -80,12 +80,12 @@ def fuzz(buf, add_buf, max_size):
             via_buffer = False
             log("fuzz(): Can't initialize mutator with AFL buffer")
 
-    # If init from AFL buffer wasn't succesful
+    # If init from AFL buffer wasn't successful
     if not via_buffer:
         log("fuzz(): Returning unmodified AFL buffer")
         return buf
 
-    # Sucessful initialization -> mutate
+    # Successful initialization -> mutate
     try:
         __mutator__.mutate(max=5)
         log("fuzz(): Input mutated")

custom_mutators/gramatron/build_gramatron_mutator.sh

@@ -143,7 +143,7 @@ test -e json-c/.libs/libjson-c.a || {
 echo
 echo
 echo "[+] Json-c successfully prepared!"
-echo "[+] Builing gramatron now."
+echo "[+] Building gramatron now."
 $CC -O3 -g -fPIC -Wno-unused-result -Wl,--allow-multiple-definition -I../../include -o gramatron.so -shared -I. -I/prg/dev/include gramfuzz.c gramfuzz-helpers.c gramfuzz-mutators.c gramfuzz-util.c hashmap.c ../../src/afl-performance.o json-c/.libs/libjson-c.a || exit 1
 echo
 echo "[+] gramatron successfully built!"

custom_mutators/honggfuzz/README.md

@@ -1,4 +1,4 @@
-# custum mutator: honggfuzz mangle
+# custom mutator: honggfuzz mangle
 
 this is the honggfuzz mutator in mangle.c as a custom mutator
 module for AFL++. It is the original mangle.c, mangle.h and honggfuzz.h

custom_mutators/honggfuzz/mangle.c

@@ -850,7 +850,7 @@ static void mangle_ASCIINumChange(run_t *run, bool printable) {
 
   size_t   len = 0;
   uint64_t val = 0;
-  /* 20 is maximum lenght of a string representing a 64-bit unsigned value */
+  /* 20 is maximum length of a string representing a 64-bit unsigned value */
   for (len = 0; (len < 20) && (len < left); len++) {
 
     char c = run->dynfile->data[off + len];

custom_mutators/libfuzzer/FuzzerDataFlowTrace.cpp

@@ -40,7 +40,7 @@ bool BlockCoverage::AppendCoverage(const std::string &S) {
 // Coverage lines have this form:
 // CN X Y Z T
 // where N is the number of the function, T is the total number of instrumented
-// BBs, and X,Y,Z, if present, are the indecies of covered BB.
+// BBs, and X,Y,Z, if present, are the indices of covered BB.
 // BB #0, which is the entry block, is not explicitly listed.
 bool BlockCoverage::AppendCoverage(std::istream &IN) {
 

custom_mutators/libfuzzer/FuzzerDictionary.h

@@ -106,7 +106,7 @@ private:
 };
 
 // Parses one dictionary entry.
-// If successful, write the enty to Unit and returns true,
+// If successful, write the entry to Unit and returns true,
 // otherwise returns false.
 bool ParseOneDictionaryEntry(const std::string &Str, Unit *U);
 // Parses the dictionary file, fills Units, returns true iff all lines

custom_mutators/libfuzzer/FuzzerFork.cpp

@@ -427,7 +427,7 @@ void FuzzWithFork(Random &Rand, const FuzzingOptions &Options,
 
     Env.RunOneMergeJob(Job.get());
 
-    // Continue if our crash is one of the ignorred ones.
+    // Continue if our crash is one of the ignored ones.
     if (Options.IgnoreTimeouts && ExitCode == Options.TimeoutExitCode)
       Env.NumTimeouts++;
     else if (Options.IgnoreOOMs && ExitCode == Options.OOMExitCode)

custom_mutators/libfuzzer/FuzzerMerge.cpp

@@ -452,7 +452,7 @@ void CrashResistantMerge(const Vector<std::string> &Args,
     auto ExitCode = ExecuteCommand(Cmd);
     if (!ExitCode) {
 
-      VPrintf(V, "MERGE-OUTER: succesfull in %zd attempt(s)\n", Attempt);
+      VPrintf(V, "MERGE-OUTER: succesful in %zd attempt(s)\n", Attempt);
       break;
 
     }

custom_mutators/libfuzzer/FuzzerMutate.cpp

@@ -498,9 +498,9 @@ size_t ChangeBinaryInteger(uint8_t *Data, size_t Size, Random &Rand) {
     T Add = Rand(21);
     Add -= 10;
     if (Rand.RandBool())
-      Val = Bswap(T(Bswap(Val) + Add));  // Add assuming different endiannes.
+      Val = Bswap(T(Bswap(Val) + Add));  // Add assuming different endianness.
     else
-      Val = Val + Add;                // Add assuming current endiannes.
+      Val = Val + Add;                // Add assuming current endianness.
     if (Add == 0 || Rand.RandBool())  // Maybe negate.
       Val = -Val;
 

custom_mutators/libfuzzer/FuzzerTracePC.cpp

@@ -460,7 +460,7 @@ static size_t InternalStrnlen(const char *S, size_t MaxLen) {
 }
 
 // Finds min of (strlen(S1), strlen(S2)).
-// Needed bacause one of these strings may actually be non-zero terminated.
+// Needed because one of these strings may actually be non-zero terminated.
 static size_t InternalStrnlen2(const char *S1, const char *S2) {
 
   size_t Len = 0;

custom_mutators/libfuzzer/README.md

@@ -1,4 +1,4 @@
-# custum mutator: libfuzzer LLVMFuzzerMutate()
+# custom mutator: libfuzzer LLVMFuzzerMutate()
 
 This uses the libfuzzer LLVMFuzzerMutate() function in llvm 12.
 

custom_mutators/radamsa/GNUmakefile

@@ -2,7 +2,7 @@ CUR_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))
 
 all: radamsa-mutator.so
 
-# These can be overriden:
+# These can be overridden:
 CFLAGS	?= $(CFLAGS_FLTO)
 
 # These are required: (otherwise radamsa gets very very slooooow)

custom_mutators/radamsa/README.md

@@ -1,4 +1,4 @@
-# custum mutator: libradamsa
+# custom mutator: libradamsa
 
 Pretranslated radamsa library. This code belongs to the radamsa author.
 

custom_mutators/symcc/README.md

@@ -1,4 +1,4 @@
-# custum mutator: symcc
+# custom mutator: symcc
 
 This uses the symcc to find new paths into the target.
 

custom_mutators/symqemu/README.md

@@ -1,4 +1,4 @@
-# custum mutator: symqemu
+# custom mutator: symqemu
 
 This uses the symcc to find new paths into the target.
 

docs/Changelog.md

@@ -3,6 +3,44 @@
   This is the list of all noteworthy changes made in every public
   release of the tool. See README.md for the general instruction manual.
 
+### Version ++4.32c (release)
+  - Fixed a bug where after a fast restart of a full fuzzed corpus afl-fuzz
+    terminates with "need at least one valid input seed that does not crash"
+  - Small improvements to afl-*-config
+  - afl-fuzz:
+    - memory leak fixes by @kcwu - thanks!
+    - many more nits and small memory saves thanks to @kcwu
+    - remove deprecated files from queue/.state
+    - fix bitmap update function if no current trace is present 
+    - fix for afl_custom_queue_get
+    - various small nits
+  - afl-cc:
+    - fix pass support for LLVM 20 (passes were run too early)
+    - dropped plugin support for LLVM 13
+    - fix AFL_OLD_FORKSERVER
+    - various minor fixes
+  - frida_mode:
+    - fixes for new MacOS + M4 hardware
+
+
+### Version ++4.31c (release)
+  - SAND mode added (docs/SAND.md) for more effecient fuzzing with sanitizers
+    (thanks to @wtdcode !)
+  - afl-fuzz:
+    - splicing phase is now DISABLED by default because research showed
+      it is counterproductive. New command line parameter `-u` to enable
+      it.
+    - Python 3.13+ support
+    - loose file and shared memory permissions on Android and iPhone
+  - afl-cc:
+    - LLVM 20 support (again - please don't change the API all the time ...)
+    - -fsanitize=fuzzer now inserts libAFLDriver.a addtionally early to help
+      compiling if LLVMFuzzerTestOneOnput is in an .a archive
+    - added __sanitizer_weak_hook_* functions (in case that is helpful in
+      weird setups)
+    - fix bug with large map sizes when multiple libraries are loaded after
+      the shared memory was obtained.
+
 ### Version ++4.30c (release)
   ! afl-gcc and afl-clang funcionality is now removed !
   - afl-fuzz:

docs/FAQ.md

@@ -106,7 +106,7 @@ If you find an interesting or important question missing, submit it via
 <details>
   <summary id="should-you-ever-stop-afl-fuzz-minimize-the-corpus-and-restart">Should you ever stop afl-fuzz, minimize the corpus and restart?</summary><p>
 
-  To stop afl-fuzz, minimize it's corpus and restart you would usually do:
+  To stop afl-fuzz, minimize its corpus and restart you would usually do:
 
   ```
   Control-C  # to terminate afl-fuzz
@@ -236,7 +236,7 @@ If you find an interesting or important question missing, submit it via
   [AFLFast](https://github.com/mboehme/aflfast), however, modified to be more
   effective and several more modes added.
 
-  The most effective modes are `-p fast` (default) and `-p explore`.
+  The most effective modes are `-p explore` (default) and `-p fast`.
 
   If you fuzz with several parallel afl-fuzz instances, then it is beneficial
   to assign a different schedule to each instance, however the majority should
@@ -274,7 +274,7 @@ If you find an interesting or important question missing, submit it via
   the existing map will be used also for the newly loaded libraries, which
   allows it to work, however, the efficiency of the fuzzing will be partially
   degraded. Note that there is additionally `AFL_IGNORE_PROBLEMS_COVERAGE` to
-  additionally tell AFL++ to ignore any coverage from the late loaded libaries.
+  additionally tell AFL++ to ignore any coverage from the late loaded libraries.
 </p></details>
 
 <details>

docs/INSTALL.md

@@ -90,7 +90,6 @@ These build options exist:
 * PROFILING - compile afl-fuzz with profiling information
 * INTROSPECTION - compile afl-fuzz with mutation introspection
 * NO_PYTHON - disable python support
-* NO_SPLICING - disables splicing mutation in afl-fuzz, not recommended for normal fuzzing
 * NO_UTF - do not use UTF-8 for line rendering in status screen (fallback to G1 box drawing, of vanilla AFL)
 * NO_NYX - disable building nyx mode dependencies
 * NO_CORESIGHT - disable building coresight (arm64 only)
@@ -170,3 +169,47 @@ and definitely don't look POSIX-compliant. This means two things:
 User emulation mode of QEMU does not appear to be supported on macOS, so
 black-box instrumentation mode (`-Q`) will not work. However, FRIDA mode (`-O`)
 works on both x86 and arm64 macOS boxes.
+
+## iOS on arm64 and arm64e
+
+**Option 1: Compilation on jailbroken iOS (recommended)**
+
+To compile directly on a jailbroken iOS device, it is recommended to use a jailbreak that supports Procursus,
+as Procursus provides up-to-date pre-built packages for the required tools.
+
+Ensure `openssh` is installed on your iOS device, then SSH into it.
+Install the following packages:
+
+```shell
+sudo apt install wget git make cmake clang gawk llvm ldid coreutils build-essential xz-utils
+```
+
+Configure the environment for compilation:
+
+```shell
+export IOS_SDK_PATH="/usr/share/SDKs/iPhoneOS.sdk"
+export CC=clang
+export CXX=clang++
+```
+
+Then build following the general Linux instructions.
+
+**Option 2: Cross-Compilation on macOS for Jailbroken iOS**
+
+In addition to the packages required for a macOS build, install `ldid` for signing binaries:
+
+```shell
+brew install ldid-procursus
+```
+
+Configure the environment for compilation:
+
+```shell
+export IOS_SDK_PATH="$(xcrun --sdk iphoneos --show-sdk-path)"
+export CC="$(xcrun --sdk iphoneos -f clang) -target arm64-apple-ios14.0"
+export CXX="$(xcrun --sdk iphoneos -f clang++) -target arm64-apple-ios14.0"
+export HOST_CC=cc
+```
+
+Then build following the general Linux instructions.
+Finally, transfer the binaries to your iOS device.

docs/SAND.md

@@ -0,0 +1,81 @@
+# SAND: Decoupling Sanitization from Fuzzing for Low Overhead
+
+- Authors: Ziqiao Kong, Shaohua Li, Heqing Huang, Zhendong Su
+- Maintainer: [Ziqiao Kong](https://github.com/wtdcode)
+- Preprint: [arXiv](https://arxiv.org/abs/2402.16497), accepted by ICSE 2025
+- Main repo (for paper, reproduction, reference or cite): https://github.com/wtdcode/sand-aflpp
+
+## Motivation
+
+SAND introduces a new fuzzing workflow that can greatly reduce (or even eliminate) sanitizer overhead and combine different sanitizers in one fuzzing campaign.
+
+The key point of SAND is that: sanitizing all inputs is wasting fuzzing power, because bug-triggering inputs are extremely rare (~1%). Obviously, not all inputs worth going through sanitizers. Therefore, if we can somehow "predict" if an input could trigger bugs (defined as "execution pattern"), we could greatly save fuzzing power by only sanitizing a small proportion of all inputs. That's exactly how SAND works.
+
+## Usage
+
+For a normal fuzzing workflow, we have:
+
+1. Build target project with AFL_USE_ASAN=1 to get `target_asan`
+2. Fuzz the target with `afl-fuzz -i seeds -o out -- ./target_asan`
+
+For SAND fuzzing workflow, this is slightly different:
+
+1. Build target project _without_ any sanitizers to get `target_native`, which we will define as a "native binary". It is usually done by using `afl-clang-fast/lto(++)` to compile your project _without_ `AFL_USE_ASAN/UBSAN/MSAN`.
+2. Build target project with AFL_USE_ASAN=1 AFL_SAN_NO_INST=1 to get `target_asan`. Do note this step can be repeated for multiple sanitizers, like MSAN, UBSAN etc. It is also possible to have ASAN and UBSAN to build together.
+3. Fuzz the target with `afl-fuzz -i seeds -o out -w ./target_asan -- ./target_native`. Note `-w` can be specified multiple times.
+
+Then you get:
+
+- almost the same performance as `afl-fuzz -i seeds -o out -- ./target_native`
+- and the same bug-finding capability as `afl-fuzz -i seeds -o out -- ./target_asan`
+
+## Example Workflow
+
+Take [test-instr.c](../test-instr.c) as an example.
+
+1. Build the native binary
+
+```bash
+afl-clang-fast test-instr.c -o ./native
+```
+
+Just like the normal building process, except using `afl-clang-fast`
+
+2. Build the sanitizers-enabled binaries.
+
+```bash
+AFL_SAN_NO_INST=1 AFL_USE_UBSAN=1 AFL_USE_ASAN=1 afl-clang-fast test-instr.c -o ./asanubsan
+AFL_SAN_NO_INST=1 AFL_USE_MSAN=1 afl-clang-fast test-instr.c -o ./msan
+```
+
+Do note `AFL_SAN_NO_INST=1` is crucial, this enables forkservers but disables pc instrumentation. Do not reuse sanitizers-enabled binaries built _without_ `AFL_SAN_NO_INST=1`. This will mess up SAND execution pattern.
+
+3. Start fuzzing
+
+```bash
+mkdir /tmp/test
+echo "a" > /tmp/test/a
+AFL_NO_UI=1 AFL_SKIP_CPUFREQ=1 afl-fuzz -i /tmp/test -o /tmp/out -w ./asanubsan -w ./msan -- ./native @@
+```
+
+That's it!
+
+## Tips
+
+### Alternative execution patterns
+
+By default, SAND uses the hash value of the simplified coverage map as execution pattern, i.e. if an input has a unique simplefied coverage map, it will be sent to sanitizers for inspection. This shall work for most cases. However, if you are strongly worried about missing bugs, try `AFL_SAN_ABSTRACTION=unique_trace afl-fuzz ...`, which filters inputs having a _unique coverage map_. Do note this significantly increases the number of inputs by 4-10 times, leading to much lower throughput. Alternatively, SAND also supports `AFL_SAN_ABSTRACTION=coverage_increase`, which essentially equals to running sanitizers on the corpus and thus having almost zero overhead, but at a cost of missing ~15% bugs in our evaluation.
+
+### Run as many sanitizers as possible
+
+Though we just used ASAN as an example, SAND works best if you provide more sanitizers, for example, UBSAN and MSAN.
+
+You might do it via `afl-fuzz -i seeds -o out -w ./target_asan -w ./target_msan -w ./target_ubsan -- ./target_native`. Don't worry about the slow sanitizers like MSAN, SAND could still run very fast because only rather a few inputs are sanitized.
+
+### Bugs types
+
+The execution pattern evaluated in our papers is targeting the common bugs, as ASAN/MSAN/UBSAN catches. For other bug types, you probably need to define new execution patterns and re-evaluate.
+
+### My throughput is greatly impacted
+
+Generally, this is due to too many inputs going through sanitizers, for example, because of unstable targets. You could check stats from `plot_file` to confirm this. Try to switch execution patterns as stated above.

docs/afl-fuzz_approach.md

@@ -6,7 +6,7 @@ coverage to effortlessly pick up subtle, local-scale changes to program control
 flow.
 
 Note: If you are interested in a more current up-to-date deep dive how AFL++
-works then we commend this blog post:
+works then we recommend this blog post:
 [https://blog.ritsec.club/posts/afl-under-hood/](https://blog.ritsec.club/posts/afl-under-hood/)
 
 Simplifying a bit, the overall algorithm can be summed up as:
@@ -385,10 +385,6 @@ there are several things to look at:
   subsequent iterations (e.g., due to incomplete clean-up or reinitialization of
   the state) and that most of the fuzzing effort goes to waste.
 
-The paths where variable behavior is detected are marked with a matching entry
-in the `<out_dir>/queue/.state/variable_behavior/` directory, so you can look
-them up easily.
-
 ### CPU load
 
 ```

docs/custom_mutators.md

@@ -151,7 +151,7 @@ def deinit():  # optional for Python
     splicing - or anything else - and can also be ignored. If you are not
     using this additional data then define `splice_optout` (see above).
     This function is optional.
-    Returing a length of 0 is valid and is interpreted as skipping this
+    Returning a length of 0 is valid and is interpreted as skipping this
     one mutation result.
     For non-Python: the returned output buffer is under **your** memory
     management!

docs/env_variables.md

@@ -107,6 +107,7 @@ fairly broad use of environment variables instead:
       conditions
     - `AFL_USE_UBSAN=1` - activates the undefined behavior sanitizer
     - `AFL_UBSAN_VERBOSE=1` - outputs detailed diagnostic information when undefined behavior is detected, instead of simply terminating with "Illegal Instruction"
+    . `AFL_USE_RTSAN` . activates the realtime sanitizer (realtime violations in deterministic run time constraints). (clang 20 minimum)
 
     - Note: both `AFL_CFISAN_VERBOSE=1` and `AFL_UBSAN_VERBOSE=1` are disabled by default as verbose output can significantly slow down fuzzing performance. Use these options only during debugging or when additional crash diagnostics are required
 
@@ -247,7 +248,7 @@ used if several separated instrumentations are performed which are then later
 combined.
 
   - `AFL_LLVM_LTO_CALLER` activates collision free CALLER instrumentation
-  - `AFL_LLVM_LTO_CALLER` sets the maximum mumber of single block functions
+  - `AFL_LLVM_LTO_CALLER` sets the maximum number of single block functions
     to dig deeper into a real function. Default 0.
   - `AFL_LLVM_DOCUMENT_IDS=file` will document to a file which edge ID was given
     to which function. This helps to identify functions with variable bytes or

docs/features.md

@@ -106,6 +106,7 @@ Among others, the following features and patches have been integrated:
 * Win32 PE binary-only fuzzing with QEMU and Wine
 * AFLfast's power schedules by Marcel Böhme:
   [https://github.com/mboehme/aflfast](https://github.com/mboehme/aflfast)
+* The fast deterministic stage by Han Zheng: [https://github.com/hexhive/mendelFuzz-Artifact/](https://github.com/hexhive/mendelFuzz-Artifact/)
 * The MOpt mutator:
   [https://github.com/puppet-meteor/MOpt-AFL](https://github.com/puppet-meteor/MOpt-AFL)
 * LLVM mode Ngram coverage by Adrian Herrera

docs/fuzzing_binary-only_targets.md

@@ -196,7 +196,7 @@ afl-clang-fast's.
 
 RetroWrite is a static binary rewriter that can be combined with AFL++. If you
 have an x86_64 or arm64 binary that does not contain C++ exceptions and - if
-x86_64 - still has it's symbols and compiled with position independent code
+x86_64 - still has its symbols and compiled with position independent code
 (PIC/PIE), then the RetroWrite solution might be for you.
 It decompiles to ASM files which can then be instrumented with afl-gcc.
 Note that afl-gcc is only present until AFL++ v4.21c and was subsequently removed as it is obsolete.

docs/fuzzing_in_depth.md

@@ -203,6 +203,9 @@ instances, so running more than one address sanitized target would be a waste.
 *IF* you are running a saturated corpus, then you can run up to half of the 
 instances with sanitizers.
 
+An alternative but more effective approach is to use [SAND](./SAND.md) which could
+combine different sanitizers at a much higher throughput.
+
 The following sanitizers have built-in support in AFL++:
 
 * ASAN = Address SANitizer, finds memory corruption vulnerabilities like
@@ -244,6 +247,12 @@ CFISAN. You might need to experiment which sanitizers you can combine in a
 target (which means more instances can be run without a sanitized target, which
 is more effective).
 
+Note that some sanitizers (MSAN and LSAN) exit with a particular exit code
+instead of aborting. afl-fuzz treats these exit codes as a crash when these
+sanitizers are enabled. If the target uses these exit codes there could be false
+positives among the saved crashes. LSAN uses exit code 23 and MSAN uses exit
+code 86.
+
 ### d) Modifying the target
 
 If the target has features that make fuzzing more difficult, e.g., checksums,
@@ -493,6 +502,8 @@ Note:
   protection against attacks! So set strong firewall rules and only expose SSH
   as a network service if you use these (which is highly recommended).
 
+If you execute afl-fuzz in a Docker container, it is recommended to pass [`--cpuset-cpus`](https://docs.docker.com/engine/containers/resource_constraints/#configure-the-default-cfs-scheduler) option with free CPU cores to docker daemon when starting the container, or pass `AFL_NO_AFFINITY` to afl-fuzz. This is due to the fact that AFL++ will bind to a free CPU core by default, while Docker container will prevent AFL++ instance from seeing processes in other containers or host, which leads to all AFL++ instances trying to bind the same CPU core.
+
 If you have an input corpus from [step 2](#2-preparing-the-fuzzing-campaign),
 then specify this directory with the `-i` option. Otherwise, create a new
 directory and create a file with any content as test data in there.
@@ -624,8 +635,8 @@ The other secondaries should be run like this:
 * 40% should run with `-P explore` and 20% with `-P exploit`
 * If you use `-a` then set 30% of the instances to not use `-a`; if you did
   not set `-a` (why??), then set 30% to `-a ascii` and 30% to `-a binary`.
-* run each with a different power schedule, recommended are: `fast` (default),
-  `explore`, `coe`, `lin`, `quad`, `exploit`, and `rare` which you can set with
+* run each with a different power schedule, recommended are: `explore` (default),
+  `fast`, `coe`, `lin`, `quad`, `exploit`, and `rare` which you can set with
   the `-p` option, e.g., `-p explore`. See the
   [FAQ](FAQ.md#what-are-power-schedules) for details.
 

entitlements.plist

@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/ PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>research.com.apple.license-to-operate</key> <true/>
+	<key>application-identifier</key> <string>aflplusplus</string>
+	<key>com.apple.asl.access_as_root</key> <true/>
+	<key>com.apple.backboardd.launchapplications</key> <true/>
+	<key>com.apple.companionappd.connect.allow</key> <true/>
+	<key>com.apple.multitasking.termination</key> <true/>
+	<key>com.apple.private.security.container-required</key> <false/>
+	<key>com.apple.seld.cm</key> <true/>
+	<key>com.apple.sh</key> <true/>
+	<key>com.apple.private.thread-set-state</key> <true/>
+	<key>com.apple.private.cs.debugger</key> <true/>
+	<key>com.apple.springboard.debugapplications</key> <true/>
+	<key>com.apple.springboard.launchapplications</key> <true/>
+	<key>com.apple.springboard.opensensitiveurl</key> <true/>
+	<key>dynamic-codesigning</key> <true/>
+	<key>get-task-allow</key> <true/>
+	<key>platform-application</key> <true/>
+	<key>run-unsigned-code</key> <true/>
+	<key>task_for_pid-allow</key> <true/>
+	<key>com.apple.private.skip-library-validation</key> <true/>
+	<key>com.apple.private.amfi.can-load-cdhash</key> <true/>
+	<key>com.apple.private.amfi.can-execute-cdhash</key> <true/>
+	<key>com.apple.private.security.no-container</key> <true/>
+</dict>
+</plist>

frida_mode/DEBUGGING.md

@@ -39,7 +39,7 @@ is *VERY* important to carry out these basic steps first before taking on the
 additional complexity of debugging with FRIDA mode or `afl-fuzz`.
 
 - Run your harness outside of the fuzzer, passing it a representative seed as
-  it's input `./harness <input>`.
+  its input `./harness <input>`.
 - Pass your harness multiple seeds to check that it is stable when running
   multiple tests as it will when running in fork server mode `./harness <input1>
   <intput2>`.

frida_mode/GNUmakefile

@@ -19,11 +19,15 @@ TARGET_CC?=$(CC)
 TARGET_CXX?=$(CXX)
 HOST_CC?=$(CC)
 HOST_CXX?=$(CXX)
-IS_ANDROID:=$(findstring android, $(shell $(TARGET_CC) --version 2>/dev/null))
-IS_x86:=$(findstring i686, $(shell $(TARGET_CC) --version 2>/dev/null))
-IS_x86_64:=$(findstring x86_64, $(shell $(TARGET_CC) --version 2>/dev/null))
-IS_ARM:=$(findstring arm, $(shell $(TARGET_CC) --version 2>/dev/null))
-IS_ARM64:=$(findstring aarch64, $(shell $(TARGET_CC) --version 2>/dev/null))
+TARGET_CC_INFO=$(shell $(TARGET_CC) --version)
+IS_IOS:=$(findstring ios, $(TARGET_CC_INFO))
+IS_SIMULATOR:=$(findstring sim, $(TARGET_CC_INFO))
+IS_ANDROID:=$(findstring android, $(TARGET_CC_INFO))
+IS_x86:=$(findstring i686, $(TARGET_CC_INFO))
+IS_x86_64:=$(findstring x86_64, $(TARGET_CC_INFO))
+IS_ARM:=$(findstring arm, $(TARGET_CC_INFO))
+IS_ARM64E:=$(findstring arm64e, $(TARGET_CC_INFO))
+IS_ARM64 := $(or $(findstring aarch64,$(TARGET_CC_INFO)), $(findstring arm64,$(TARGET_CC_INFO)))
 CFLAGS+=-fPIC \
 		-D_GNU_SOURCE \
 		-D_FORTIFY_SOURCE=2 \
@@ -95,7 +99,24 @@ endif
 
 GUM_ARCH="-$(ARCH)"
 
-ifeq "$(shell uname)" "Darwin"
+ifdef IS_IOS
+ OS:=ios
+ ifdef IS_SIMULATOR
+  ifdef IS_x86_64
+   ARCH := x86_64-simulator
+  else ifdef IS_ARM64
+   ARCH := arm64-simulator
+  endif
+ else
+  ifdef IS_ARM64E
+   ARCH := arm64e
+  else ifdef IS_ARM64
+   ARCH := arm64
+  endif
+ endif
+ override CFLAGS += -isysroot $(IOS_SDK_PATH)
+ override LDFLAGS += -L$(IOS_SDK_PATH)/usr/lib
+else ifeq "$(shell uname)" "Darwin"
  OS:=macos
  AFL_CFLAGS:=$(AFL_CFLAGS) -Wno-deprecated-declarations
  GUM_ARCH:=""
@@ -165,10 +186,32 @@ ifndef OS
  $(error "Operating system unsupported")
 endif
 
-GUM_DEVKIT_VERSION=16.0.11
+GUM_DEVKIT_VERSION=16.1.11
 GUM_DEVKIT_FILENAME=frida-gumjs-devkit-$(GUM_DEVKIT_VERSION)-$(OS)-$(ARCH).tar.xz
 GUM_DEVKIT_URL="https://github.com/frida/frida/releases/download/$(GUM_DEVKIT_VERSION)/$(GUM_DEVKIT_FILENAME)"
 
+ifeq ($(OS),macos)
+	# Extract the major version
+	GUM_VERSION_MAJOR := $(shell echo "$(GUM_DEVKIT_VERSION)" | sed -E 's/\..*//')
+	# Extract the minor version (assumes format "MAJOR.MINOR[.PATCH...]")
+	GUM_VERSION_MINOR := $(shell echo "$(GUM_DEVKIT_VERSION)" | sed -E 's/^[^.]*\.//; s/\..*//')
+
+	# Evaluate the version condition in a separate shell call
+	IS_GUM_16_6_PLUS := $(shell \
+		if (( $(GUM_VERSION_MAJOR) > 16 || ( $(GUM_VERSION_MAJOR) == 16 && $(GUM_VERSION_MINOR) >= 6 ) )); then \
+			echo 1; \
+		fi)
+else
+	IS_GUM_16_6_PLUS := $(shell VERSION="$(GUM_DEVKIT_VERSION)"; \
+		MAJOR=$${VERSION%%.*}; \
+		MINOR=$${VERSION#*.}; MINOR=$${MINOR%%.*}; \
+		if [ $$MAJOR -gt 16 ] || { [ $$MAJOR -eq 16 ] && [ $$MINOR -ge 6 ]; }; then \
+			echo 1; \
+		fi)
+endif
+
+CFLAGS += $(if $(IS_GUM_16_6_PLUS),-DGUM_16_6_PLUS)
+
 GUM_DEVKIT_TARBALL:=$(FRIDA_BUILD_DIR)$(GUM_DEVKIT_FILENAME)
 ifdef FRIDA_SOURCE
 GUM_DEVIT_LIBRARY=$(FRIDA_DIR)build/frida-$(OS)-$(ARCH)/lib/libfrida-gumjs-1.0.a
@@ -373,6 +416,11 @@ $(AFL_PERFORMANCE_OBJ): $(AFL_PERFORMANCE_SRC)
 
 $(BIN2C): $(BIN2C_SRC)
 	$(HOST_CC) -D_GNU_SOURCE -o $@ $<
+ifdef IS_IOS
+ifeq ($(HOST_CC),$(TARGET_CC))
+	@ldid -S../entitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
+endif
 
 $(JS_SRC): $(JS) $(BIN2C)| $(BUILD_DIR)
 	cd $(JS_DIR) && $(BIN2C) api_js $(JS) $@
@@ -413,8 +461,10 @@ $(FRIDA_TRACE): $(GUM_DEVIT_LIBRARY) $(GUM_DEVIT_HEADER) $(OBJS) $(JS_OBJ) $(AFL
 		$(TRACE_LDFLAGS) \
 		$(LDFLAGS) \
 		$(LDSCRIPT) \
-		-o $@ \
-
+		-o $@
+ifdef IS_IOS
+	@ldid -S../entitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 	cp -v $(FRIDA_TRACE) $(ROOT)
 
 $(FRIDA_TRACE_LIB): $(GUM_DEVIT_LIBRARY) $(GUM_DEVIT_HEADER) $(OBJS) $(JS_OBJ) $(AFL_COMPILER_RT_OBJ) $(AFL_PERFORMANCE_OBJ) GNUmakefile | $(BUILD_DIR)
@@ -430,9 +480,15 @@ $(FRIDA_TRACE_LIB): $(GUM_DEVIT_LIBRARY) $(GUM_DEVIT_HEADER) $(OBJS) $(JS_OBJ) $
 
 $(AFLPP_FRIDA_DRIVER_HOOK_OBJ): $(AFLPP_FRIDA_DRIVER_HOOK_SRC) $(GUM_DEVIT_HEADER) | $(BUILD_DIR)
 	$(TARGET_CC) $(CFLAGS) $(LDFLAGS) -I $(FRIDA_BUILD_DIR) $< -o $@
+ifdef IS_IOS
+	@ldid -S../entitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 
 $(AFLPP_QEMU_DRIVER_HOOK_OBJ): $(AFLPP_QEMU_DRIVER_HOOK_SRC) | $(BUILD_DIR)
 	$(TARGET_CC) $(CFLAGS) $(LDFLAGS) $< -o $@
+ifdef IS_IOS
+	@ldid -S../entitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 
 hook: $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) $(AFLPP_QEMU_DRIVER_HOOK_OBJ)
 

frida_mode/MapDensity.md

@@ -107,7 +107,7 @@ every block of code we execute, performance is critical.
 However, the design of the binary instrumentation modes of AFL++ has moved on.
 Both QEMU and FRIDA modes use a two stage process when executing a target
 application. Each block is first compiled or instrumented, and then it is
-executed. The compiled blocks can be re-used each time the target executes them.
+executed. The compiled blocks can be reused each time the target executes them.
 
 Since a blocks ID is based on its address, and this is known at compile time, we
 only need to generate this ID once per block and so this ID generation no longer

frida_mode/README.md

@@ -200,10 +200,10 @@ instrumented address block translations.
 * `AFL_FRIDA_INST_NO_SUPPRESS` - Disable deterministic branch suppression.
   Deterministic branch suppression skips the preamble which generates coverage
   information at the start of each block, if the block is reached by a
-  deterministic branch. This reduces map polution, and may improve performance
+  deterministic branch. This reduces map pollution, and may improve performance
   when all the executing blocks have been prefetched and backpatching applied.
   However, in the event that backpatching is incomplete, this may incur a
-  performance penatly as branch instructions are disassembled on each branch.
+  performance penalty as branch instructions are disassembled on each branch.
 * `AFL_FRIDA_INST_SEED` - Sets the initial seed for the hash function used to
   generate block (and hence edge) IDs. Setting this to a constant value may be
   useful for debugging purposes, e.g., investigating unstable edges.
@@ -215,7 +215,7 @@ instrumented address block translations.
   coverage information for unstable edges (e.g., to be loaded within IDA
   lighthouse).
 * `AFL_FRIDA_JS_SCRIPT` - Set the script to be loaded by the FRIDA scripting
-  engine. See [Scipting.md](Scripting.md) for details.
+  engine. See [Scripting.md](Scripting.md) for details.
 * `AFL_FRIDA_OUTPUT_STDOUT` - Redirect the standard output of the target
   application to the named file (supersedes the setting of `AFL_DEBUG_CHILD`).
 * `AFL_FRIDA_OUTPUT_STDERR` - Redirect the standard error of the target

frida_mode/Scripting.md

@@ -724,16 +724,16 @@ class Afl {
    * it takes as arguments a `NativePointer` and a `number`. It can be
    * called multiple times to exclude several ranges.
    */
-  static addExcludedRange(addressess, size) {
-      Afl.jsApiAddExcludeRange(addressess, size);
+  static addExcludedRange(addresses, size) {
+      Afl.jsApiAddExcludeRange(addresses, size);
   }
   /**
    * This is equivalent to setting a value in `AFL_FRIDA_INST_RANGES`,
    * it takes as arguments a `NativePointer` and a `number`. It can be
    * called multiple times to include several ranges.
    */
-  static addIncludedRange(addressess, size) {
-      Afl.jsApiAddIncludeRange(addressess, size);
+  static addIncludedRange(addresses, size) {
+      Afl.jsApiAddIncludeRange(addresses, size);
   }
   /**
    * This must always be called at the end of your script. This lets
@@ -771,7 +771,7 @@ class Afl {
   }
   /**
    * Print a message to the STDOUT. This should be preferred to
-   * FRIDA's `console.log` since FRIDA will queue it's log messages.
+   * FRIDA's `console.log` since FRIDA will queue its log messages.
    * If `console.log` is used in a callback in particular, then there
    * may no longer be a thread running to service this queue.
    */
@@ -893,14 +893,14 @@ class Afl {
   }
   /**
    * This is equivalent to setting `AFL_FRIDA_PERSISTENT_ADDR`, again a
-   * `NativePointer` should be provided as it's argument.
+   * `NativePointer` should be provided as its argument.
    */
   static setPersistentAddress(address) {
       Afl.jsApiSetPersistentAddress(address);
   }
   /**
    * This is equivalent to setting `AFL_FRIDA_PERSISTENT_CNT`, a
-   * `number` should be provided as it's argument.
+   * `number` should be provided as its argument.
    */
   static setPersistentCount(count) {
       Afl.jsApiSetPersistentCount(count);
@@ -920,7 +920,7 @@ class Afl {
   }
   /**
    * This is equivalent to setting `AFL_FRIDA_PERSISTENT_RET`, again a
-   * `NativePointer` should be provided as it's argument.
+   * `NativePointer` should be provided as its argument.
    */
   static setPersistentReturn(address) {
       Afl.jsApiSetPersistentReturn(address);

frida_mode/many-linux/README.md

@@ -4,6 +4,6 @@ This folder contains a Docker image to allow the building of
 `afl-frida-trace.so` using the `many-linux` docker image. This docker image is
 based on CentOS Linux 5. By building `afl-frida-trace.so` for such an old
 version of Linux, given the strong backward compatibility of Linux, this should
-work on the majority of Linux environments. This may be useful for targetting
+work on the majority of Linux environments. This may be useful for targeting
 Linux distributions other than your development environment. `many-local` builds
 `AFLplusplus` from the local working copy in the `many-linux` environment.

frida_mode/src/asan/asan.c

@@ -27,6 +27,27 @@ void asan_init(void) {
 
 }
 
+#ifdef GUM_16_6_PLUS
+static gboolean asan_exclude_module(GumModule *module, gpointer user_data) {
+
+  gchar                *symbol_name = (gchar *)user_data;
+  GumAddress            address;
+  const GumMemoryRange *range = gum_module_get_range(module);
+
+  address = gum_module_find_export_by_name(module, symbol_name);
+  if (address == 0) { return TRUE; }
+
+  /* If the reported address of the symbol is outside of the range of the module
+   * then ignore it */
+  if (address < range->base_address) { return TRUE; }
+  if (address > (range->base_address + range->size)) { return TRUE; }
+
+  ranges_add_exclude((GumMemoryRange *)range);
+  return FALSE;
+
+}
+
+#else
 static gboolean asan_exclude_module(const GumModuleDetails *details,
                                     gpointer                user_data) {
 
@@ -50,6 +71,8 @@ static gboolean asan_exclude_module(const GumModuleDetails *details,
 
 }
 
+#endif
+
 void asan_exclude_module_by_symbol(gchar *symbol_name) {
 
   gum_process_enumerate_modules(asan_exclude_module, symbol_name);

frida_mode/src/cmplog/cmplog.c

@@ -166,7 +166,7 @@ gboolean cmplog_is_readable(guint64 addr, size_t size) {
    */
   if (addr < DEFAULT_MMAP_MIN_ADDR) { return false; }
 
-  /* Check our addres/length don't wrap around */
+  /* Check our address/length don't wrap around */
   if (SIZE_MAX - addr < size) { return false; }
 
   GumAddress inner_base = addr;

frida_mode/src/instrument/instrument.c

@@ -186,7 +186,7 @@ static void instrument_basic_block(GumStalkerIterator *iterator,
      * execution), we instead ensure that we honour the additional
      * instrumentation requested (e.g. coverage, asan and complog) when a block
      * is compiled no matter where we are during initialization. We will end up
-     * re-using these blocks if the code under test calls a block which is also
+     * reusing these blocks if the code under test calls a block which is also
      * used during initialization.
      *
      * Coverage data generated during initialization isn't a problem since the

frida_mode/src/instrument/instrument_arm64.c

@@ -285,7 +285,7 @@ static void instrument_coverage_switch(GumStalkerObserver *self,
 
   /*
    * If the branch is deterministic, then we should start execution at the
-   * begining of the block. From here, we will branch and skip the coverage
+   * beginning of the block. From here, we will branch and skip the coverage
    * code and jump right to the target code of the instrumented block.
    * Otherwise, if the branch is non-deterministic, then we need to branch
    * part way into the block to where the coverage instrumentation starts.
@@ -516,7 +516,7 @@ void instrument_coverage_optimize(const cs_insn    *instr,
    * an instruction to load x16,x17 from beyond the red-zone on the stack. A
    * pair of registers are saved/restored because on AARCH64, the stack pointer
    * must be 16 byte aligned. This instruction is emitted into the block before
-   * the tranformer (from which we are called) is executed. If is is possible
+   * the transformer (from which we are called) is executed. If is is possible
    * for Stalker to make a direct branch (the target block is close enough), it
    * can forego pushing the registers and instead branch at an offset into the
    * block to skip this restoration prolog.

frida_mode/src/js/api.js

@@ -5,16 +5,16 @@ class Afl {
      * it takes as arguments a `NativePointer` and a `number`. It can be
      * called multiple times to exclude several ranges.
      */
-    static addExcludedRange(addressess, size) {
-        Afl.jsApiAddExcludeRange(addressess, size);
+    static addExcludedRange(addresses, size) {
+        Afl.jsApiAddExcludeRange(addresses, size);
     }
     /**
      * This is equivalent to setting a value in `AFL_FRIDA_INST_RANGES`,
      * it takes as arguments a `NativePointer` and a `number`. It can be
      * called multiple times to include several ranges.
      */
-    static addIncludedRange(addressess, size) {
-        Afl.jsApiAddIncludeRange(addressess, size);
+    static addIncludedRange(addresses, size) {
+        Afl.jsApiAddIncludeRange(addresses, size);
     }
     /**
      * This must always be called at the end of your script. This lets
@@ -52,7 +52,7 @@ class Afl {
     }
     /**
      * Print a message to the STDOUT. This should be preferred to
-     * FRIDA's `console.log` since FRIDA will queue it's log messages.
+     * FRIDA's `console.log` since FRIDA will queue its log messages.
      * If `console.log` is used in a callback in particular, then there
      * may no longer be a thread running to service this queue.
      */
@@ -205,14 +205,14 @@ class Afl {
     }
     /**
      * This is equivalent to setting `AFL_FRIDA_PERSISTENT_ADDR`, again a
-     * `NativePointer` should be provided as it's argument.
+     * `NativePointer` should be provided as its argument.
      */
     static setPersistentAddress(address) {
         Afl.jsApiSetPersistentAddress(address);
     }
     /**
      * This is equivalent to setting `AFL_FRIDA_PERSISTENT_CNT`, a
-     * `number` should be provided as it's argument.
+     * `number` should be provided as its argument.
      */
     static setPersistentCount(count) {
         Afl.jsApiSetPersistentCount(count);
@@ -232,7 +232,7 @@ class Afl {
     }
     /**
      * This is equivalent to setting `AFL_FRIDA_PERSISTENT_RET`, again a
-     * `NativePointer` should be provided as it's argument.
+     * `NativePointer` should be provided as its argument.
      */
     static setPersistentReturn(address) {
         Afl.jsApiSetPersistentReturn(address);

frida_mode/src/lib/lib.c

@@ -39,6 +39,25 @@ typedef struct {
 static guint64 text_base = 0;
 static guint64 text_limit = 0;
 
+  #ifdef GUM_16_6_PLUS
+static gboolean lib_find_exe(GumModule *module, gpointer user_data) {
+
+  lib_details_t        *lib_details = (lib_details_t *)user_data;
+  const gchar          *name = gum_module_get_name(module);
+  const gchar          *path = gum_module_get_path(module);
+  const GumMemoryRange *range = gum_module_get_range(module);
+
+  strncpy(lib_details->name, name, PATH_MAX);
+  strncpy(lib_details->path, path, PATH_MAX);
+  lib_details->name[PATH_MAX] = '\0';
+  lib_details->path[PATH_MAX] = '\0';
+  lib_details->base_address = range->base_address;
+  lib_details->size = range->size;
+  return FALSE;
+
+}
+
+  #else
 static gboolean lib_find_exe(const GumModuleDetails *details,
                              gpointer                user_data) {
 
@@ -54,6 +73,8 @@ static gboolean lib_find_exe(const GumModuleDetails *details,
 
 }
 
+  #endif
+
 static void lib_validate_hdr(Elf_Ehdr *hdr) {
 
   if (hdr->e_ident[0] != ELFMAG0) FFATAL("Invalid e_ident[0]");

frida_mode/src/lib/lib_apple.c

@@ -12,6 +12,25 @@ extern void        gum_darwin_enumerate_modules(mach_port_t        task,
 static guint64 text_base = 0;
 static guint64 text_limit = 0;
 
+  #ifdef GUM_16_6_PLUS
+static gboolean lib_get_main_module(GumModule *module, gpointer user_data) {
+
+  GumDarwinModule     **ret = (GumDarwinModule **)user_data;
+  const gchar          *path = gum_module_get_path(module);
+  const GumMemoryRange *range = gum_module_get_range(module);
+  GumDarwinModule      *darwin_module = gum_darwin_module_new_from_memory(
+      path, mach_task_self(), range->base_address, GUM_DARWIN_MODULE_FLAGS_NONE,
+      NULL);
+
+  FVERBOSE("Found main module: %s", darwin_module->name);
+
+  *ret = darwin_module;
+
+  return FALSE;
+
+}
+
+  #else
 static gboolean lib_get_main_module(const GumModuleDetails *details,
                                     gpointer                user_data) {
 
@@ -28,6 +47,8 @@ static gboolean lib_get_main_module(const GumModuleDetails *details,
 
 }
 
+  #endif
+
 gboolean lib_get_text_section(const GumDarwinSectionDetails *details,
                               gpointer                       user_data) {
 

frida_mode/src/persistent/persistent_arm64.c

@@ -295,6 +295,8 @@ void persistent_prologue_arch(GumStalkerOutput *output) {
    *  CALL instrument_afl_persistent_loop
    *  CALL hook (optionally)
    *  RESTORE REGS
+   *  CALL INSTRUMENTED PERSISTENT FUNC
+   *  JMP loop
    *  INSTRUMENTED PERSISTENT FUNC
    */
 
@@ -302,15 +304,25 @@ void persistent_prologue_arch(GumStalkerOutput *output) {
 
   FVERBOSE("Persistent loop reached");
 
+  /* This is the location our epilogue should be written below */
   if (persistent_ret == 0) { instrument_persitent_save_lr(cw); }
 
   /* Save the current context */
   instrument_persitent_save_regs(cw, &saved_regs);
 
-  /* Store a pointer to where we should return for our next iteration */
+  /*
+   * Store a pointer to where we should return for our next iteration.
+   * This is the location our epilogue should branch to
+   */
   persistent_loop = gum_arm64_writer_cur(cw);
 
-  /* call __afl_persistent_loop and _exit if zero. Also reset our previous_pc */
+  gconstpointer loop = cw->code + 1;
+  gum_arm64_writer_put_label(cw, loop);
+
+  /*
+   * call __afl_persistent_loop which will _exit if we have reached our
+   * loop count. Also reset our previous_pc
+   */
   instrument_afl_persistent_loop(cw);
 
   /* Optionally call the persistent hook */
@@ -319,6 +331,27 @@ void persistent_prologue_arch(GumStalkerOutput *output) {
   /* Restore our CPU context before we continue execution */
   instrument_persitent_restore_regs(cw, &saved_regs);
 
+  gconstpointer original = cw->code + 1;
+
+  /*
+   * Call our original code, that way we regain control if our target
+   * function returns without reaching the epilogue as an additional
+   * safety net
+   */
+  gum_arm64_writer_put_bl_label(cw, original);
+
+  /*
+   * Return for our next iteration if our original function returns
+   * and control hasn't reached the epilogue for some reason
+   */
+  gum_arm64_writer_put_b_label(cw, loop);
+
+  /*
+   * The original code for our target function will be emitted
+   * immediately following this
+   */
+  gum_arm64_writer_put_label(cw, original);
+
   if (persistent_debug) { gum_arm64_writer_put_brk_imm(cw, 0); }
 
 }

frida_mode/src/prefetch.c

@@ -263,8 +263,13 @@ static int prefetch_on_fork(void) {
 
 static void prefetch_hook_fork(void) {
 
+#ifdef GUM_16_6_PLUS
+  void *fork_addr =
+      GSIZE_TO_POINTER(gum_module_find_global_export_by_name("fork"));
+#else
   void *fork_addr =
       GSIZE_TO_POINTER(gum_module_find_export_by_name(NULL, "fork"));
+#endif
   intercept_hook(fork_addr, prefetch_on_fork, NULL);
 
 }

frida_mode/src/ranges.c

@@ -37,7 +37,7 @@ static void convert_address_token(gchar *token, GumMemoryRange *range) {
 
   if (token_count != 2) {
 
-    FFATAL("Invalid range (should have two addresses seperated by a '-'): %s\n",
+    FFATAL("Invalid range (should have two addresses separated by a '-'): %s\n",
            token);
 
   }
@@ -116,6 +116,29 @@ static void convert_address_token(gchar *token, GumMemoryRange *range) {
 
 }
 
+#ifdef GUM_16_6_PLUS
+static gboolean convert_name_token_for_module(GumModule *module,
+                                              gpointer   user_data) {
+
+  convert_name_ctx_t   *ctx = (convert_name_ctx_t *)user_data;
+  const GumMemoryRange *range = gum_module_get_range(module);
+  const gchar          *path = gum_module_get_path(module);
+  if (path == NULL) { return true; };
+
+  if (!g_str_has_suffix(path, ctx->suffix)) { return true; };
+
+  FVERBOSE("Found module - prefix: %s, 0x%016" G_GINT64_MODIFIER
+           "x-0x%016" G_GINT64_MODIFIER "x %s",
+           ctx->suffix, range->base_address, range->base_address + range->size,
+           path);
+
+  *ctx->range = *range;
+  ctx->done = true;
+  return false;
+
+}
+
+#else
 static gboolean convert_name_token_for_module(const GumModuleDetails *details,
                                               gpointer user_data) {
 
@@ -135,6 +158,8 @@ static gboolean convert_name_token_for_module(const GumModuleDetails *details,
 
 }
 
+#endif
+
 static void convert_name_token(gchar *token, GumMemoryRange *range) {
 
   gchar             *suffix = g_strconcat("/", token, NULL);

frida_mode/ts/lib/afl.ts

@@ -11,8 +11,8 @@ class Afl {
    * it takes as arguments a `NativePointer` and a `number`. It can be
    * called multiple times to exclude several ranges.
    */
-  public static addExcludedRange(addressess: NativePointer, size: number): void {
-    Afl.jsApiAddExcludeRange(addressess, size);
+  public static addExcludedRange(addresses: NativePointer, size: number): void {
+    Afl.jsApiAddExcludeRange(addresses, size);
   }
 
   /**
@@ -20,8 +20,8 @@ class Afl {
    * it takes as arguments a `NativePointer` and a `number`. It can be
    * called multiple times to include several ranges.
    */
-  public static addIncludedRange(addressess: NativePointer, size: number): void {
-    Afl.jsApiAddIncludeRange(addressess, size);
+  public static addIncludedRange(addresses: NativePointer, size: number): void {
+    Afl.jsApiAddIncludeRange(addresses, size);
   }
 
   /**
@@ -66,7 +66,7 @@ class Afl {
 
   /**
    * Print a message to the STDOUT. This should be preferred to
-   * FRIDA's `console.log` since FRIDA will queue it's log messages.
+   * FRIDA's `console.log` since FRIDA will queue its log messages.
    * If `console.log` is used in a callback in particular, then there
    * may no longer be a thread running to service this queue.
    */
@@ -241,7 +241,7 @@ class Afl {
 
   /**
    * This is equivalent to setting `AFL_FRIDA_PERSISTENT_ADDR`, again a
-   * `NativePointer` should be provided as it's argument.
+   * `NativePointer` should be provided as its argument.
    */
   public static setPersistentAddress(address: NativePointer): void {
     Afl.jsApiSetPersistentAddress(address);
@@ -249,7 +249,7 @@ class Afl {
 
   /**
    * This is equivalent to setting `AFL_FRIDA_PERSISTENT_CNT`, a
-   * `number` should be provided as it's argument.
+   * `number` should be provided as its argument.
    */
   public static setPersistentCount(count: number): void {
     Afl.jsApiSetPersistentCount(count);
@@ -272,7 +272,7 @@ class Afl {
 
   /**
    * This is equivalent to setting `AFL_FRIDA_PERSISTENT_RET`, again a
-   * `NativePointer` should be provided as it's argument.
+   * `NativePointer` should be provided as its argument.
    */
   public static setPersistentReturn(address: NativePointer): void {
     Afl.jsApiSetPersistentReturn(address);

frida_mode/update_frida_version.sh

@@ -9,5 +9,11 @@ echo Newest available version: $NEW
 
 test -z "$OLD" -o -z "$NEW" -o "$OLD" = "$NEW" && { echo Nothing to be done. ; exit 0 ; }
 
-sed -i "s/=$OLD/=$NEW/" GNUmakefile || exit 1
+# Determine the correct sed command
+case $(sed --help 2>&1) in
+  *GNU*) set sed -i;;
+  *) set sed -i '';;
+esac
+
+"$@" "s/=$OLD/=$NEW/" GNUmakefile || exit 1
 echo Successfully updated GNUmakefile

include/afl-fuzz.h

@@ -75,6 +75,7 @@
 #include <sys/ioctl.h>
 #include <sys/file.h>
 #include <sys/types.h>
+#include "asanfuzz.h"
 
 #if defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__) || \
     defined(__NetBSD__) || defined(__DragonFly__)
@@ -352,6 +353,8 @@ enum {
 
 };
 
+#define FAST_RESUME_VERSION 0x01000000
+
 /* Python stuff */
 #ifdef USE_PYTHON
 
@@ -610,7 +613,11 @@ typedef struct afl_state {
   u8 *var_bytes;                        /* Bytes that appear to be variable */
 
 #define N_FUZZ_SIZE (1 << 21)
+#define N_FUZZ_SIZE_BITMAP (1 << 29)
   u32 *n_fuzz;
+  u8  *n_fuzz_dup;
+  u8  *classified_n_fuzz;
+  u8  *simplified_n_fuzz;
 
   volatile u8 stop_soon,                /* Ctrl-C pressed?                  */
       clear_screen;                     /* Window resized?                  */
@@ -714,6 +721,8 @@ typedef struct afl_state {
 
   struct queue_entry **top_rated;           /* Top entries for bitmap bytes */
 
+  u32 **top_rated_candidates;             /* Candidate IDs per bitmap index */
+
   struct extra_data *extras;            /* Extra tokens to fuzz with        */
   u32                extras_cnt;        /* Total number of tokens read      */
 
@@ -728,6 +737,13 @@ typedef struct afl_state {
   char            *cmplog_binary;
   afl_forkserver_t cmplog_fsrv;     /* cmplog has its own little forkserver */
 
+  /* ASAN Fuzing */
+  char            *san_binary[MAX_EXTRA_SAN_BINARY];
+  afl_forkserver_t san_fsrvs[MAX_EXTRA_SAN_BINARY];
+  u8               san_binary_length; /* 0 means extra san binaries not given */
+  u32              san_case_status;
+  enum SanitizerAbstraction san_abstraction;
+
   /* Custom mutators */
   struct custom_mutator *mutator;
 
@@ -747,7 +763,7 @@ typedef struct afl_state {
                                   up to 256 */
 
   unsigned long long int last_avg_exec_update;
-  u32                    last_avg_execs;
+  u64                    last_avg_total_execs;
   double                 last_avg_execs_saved;
 
 /* foreign sync */
@@ -848,6 +864,8 @@ typedef struct afl_state {
 
   struct skipdet_global *skipdet_g;
 
+  s64 last_scored_idx;           /* Index of the last queue entry re-scored */
+
 #ifdef INTROSPECTION
   char  mutation[8072];
   char  m_tmp[4096];
@@ -908,7 +926,7 @@ struct custom_mutator {
   /**
    * Opt-out of a splicing input for the fuzz mutator
    *
-   * Empty dummy function. It's presence tells afl-fuzz not to pass a
+   * Empty dummy function. Its presence tells afl-fuzz not to pass a
    * splice data pointer and len.
    *
    * @param data pointer returned in afl_custom_init by this custom mutator
@@ -940,12 +958,12 @@ struct custom_mutator {
   /**
    * Describe the current testcase, generated by the last mutation.
    * This will be called, for example, to give the written testcase a name
-   * after a crash ocurred. It can help to reproduce crashing mutations.
+   * after a crash occurred. It can help to reproduce crashing mutations.
    *
    * (Optional)
    *
    * @param data pointer returned by afl_customm_init for this custom mutator
-   * @paramp[in] max_description_len maximum size avaliable for the description.
+   * @paramp[in] max_description_len maximum size available for the description.
    *             A longer return string is legal, but will be truncated.
    * @return A valid ptr to a 0-terminated string.
    *         An empty or NULL return will result in a default description
@@ -1122,7 +1140,7 @@ struct custom_mutator {
 void afl_state_init(afl_state_t *, uint32_t map_size);
 void afl_state_deinit(afl_state_t *);
 
-/* Set stop_soon flag on all childs, kill all childs */
+/* Set stop_soon flag on all children, kill all children */
 void afl_states_stop(void);
 /* Set clear_screen flag on all states */
 void afl_states_clear_screen(void);
@@ -1170,13 +1188,13 @@ void        deinit_py(void *);
 /* Queue */
 
 void mark_as_det_done(afl_state_t *, struct queue_entry *);
-void mark_as_variable(afl_state_t *, struct queue_entry *);
-void mark_as_redundant(afl_state_t *, struct queue_entry *, u8);
 void add_to_queue(afl_state_t *, u8 *, u32, u8);
 void destroy_queue(afl_state_t *);
-void update_bitmap_score(afl_state_t *, struct queue_entry *);
+void update_bitmap_score(afl_state_t *, struct queue_entry *, bool);
 void cull_queue(afl_state_t *);
 u32  calculate_score(afl_state_t *, struct queue_entry *);
+void recalculate_all_scores(afl_state_t *);
+void update_bitmap_rescore(afl_state_t *, struct queue_entry *, u32);
 
 /* Bitmap */
 
@@ -1326,7 +1344,6 @@ static inline u32 rand_below(afl_state_t *afl, u32 limit) {
 
     ck_read(afl->fsrv.dev_urandom_fd, &afl->rand_seed, sizeof(afl->rand_seed),
             "/dev/urandom");
-    // srandom(afl->rand_seed[0]);
     afl->rand_cnt = (RESEED_RNG / 2) + (afl->rand_seed[1] % RESEED_RNG);
 
   }
@@ -1440,6 +1457,18 @@ static inline int permissive_create(afl_state_t *afl, const char *fn) {
 
 }
 
+static inline void bitmap_set(u8 *map, u32 index) {
+
+  map[index / 8] |= (1u << (index % 8));
+
+}
+
+static inline u8 bitmap_read(u8 *map, u32 index) {
+
+  return (map[index / 8] >> (index % 8)) & 1;
+
+}
+
 #if TESTCASE_CACHE == 1
   #error define of TESTCASE_CACHE must be zero or larger than 1
 #endif

include/android-ashmem.h

@@ -31,7 +31,8 @@ int shmctl(int __shmid, int __cmd, struct shmid_ds *__buf) {
   if (__cmd == IPC_RMID) {
 
     int               length = ioctl(__shmid, ASHMEM_GET_SIZE, NULL);
-    struct ashmem_pin pin = {0, length};
+    unsigned int      safe_length = length >= 0 ? length : 0;
+    struct ashmem_pin pin = {0, safe_length};
     ret = ioctl(__shmid, ASHMEM_UNPIN, &pin);
     close(__shmid);
 

include/asanfuzz.h

@@ -0,0 +1,55 @@
+/*
+   american fuzzy lop++ - cmplog header
+   ------------------------------------
+
+   Originally written by Michal Zalewski
+
+   Forkserver design by Jann Horn <jannhorn@googlemail.com>
+
+   Now maintained by Marc Heuse <mh@mh-sec.de>,
+                     Dominik Maier <mail@dmnk.co>,
+                     Andrea Fioraldi <andreafioraldi@gmail.com>,
+                     Heiko Eissfeldt <heiko.eissfeldt@hexco.de>
+
+   Copyright 2016, 2017 Google Inc. All rights reserved.
+   Copyright 2019-2023 AFLplusplus Project. All rights reserved.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at:
+
+     https://www.apache.org/licenses/LICENSE-2.0
+
+   Shared code to handle the shared memory. This is used by the fuzzer
+   as well the other components like afl-tmin, afl-showmap, etc...
+
+ */
+
+#ifndef _AFL_ASAMFUZZ_H
+#define _AFL_ASAMFUZZ_H
+
+#include "config.h"
+
+// new_bits for describe_op
+// new_bits value 1, 2 and 0x80 are already used!
+#define SAN_CRASH_ONLY (1 << 4)
+#define NON_COV_INCREASE_BUG (1 << 5)
+
+enum SanitizerAbstraction {
+
+  SIMPLIFY_TRACE = 0,  // Feed all simplified trace to sanitizers, moderate
+                       // sensitive and default for SAND. Not missing bugs.
+  UNIQUE_TRACE,      // Feed all unique trace to sanitizers, the most sensitive
+                     // and not missing bugs.
+  COVERAGE_INCREASE  // Feed all coverage increasing cases to sanitizers, the
+                     // least sensitive at a risk of missing ~20% bugs.
+
+};
+
+/* Execs the child */
+
+struct afl_forkserver;
+void sanfuzz_exec_child(struct afl_forkserver *fsrv, char **argv);
+
+#endif
+

include/common.h

@@ -76,8 +76,9 @@ u8 *find_afl_binary(u8 *own_loc, u8 *fname);
 int parse_afl_kill_signal(u8 *numeric_signal_as_str, int default_signal);
 
 /* Configure the signals that are used to kill the forkserver
-   and the forked childs. If `afl_kill_signal_env` or `afl_fsrv_kill_signal_env`
-   is NULL, the appropiate values are read from the environment. */
+   and the forked children. If `afl_kill_signal_env` or
+   `afl_fsrv_kill_signal_env` is NULL, the appropriate values are read from the
+   environment. */
 void configure_afl_kill_signals(afl_forkserver_t *fsrv,
                                 char             *afl_kill_signal_env,
                                 char             *afl_fsrv_kill_signal_env,

include/config.h

@@ -26,7 +26,7 @@
 /* Version string: */
 
 // c = release, a = volatile github dev, e = experimental branch
-#define VERSION "++4.30c"
+#define VERSION "++4.32c"
 
 /******************************************************
  *                                                    *
@@ -39,7 +39,7 @@
    However if a target has problematic constructors and init arrays then
    this can fail. Hence afl-fuzz deploys a larger default map. The largest
    map seen so far is the xlsx fuzzer for libreoffice which is 5MB.
-   At runtime this value can be overriden via AFL_MAP_SIZE.
+   At runtime this value can be overridden via AFL_MAP_SIZE.
    Default: 8MB (defined in bytes) */
 #define DEFAULT_SHMEM_SIZE (8 * 1024 * 1024)
 
@@ -52,6 +52,18 @@
 /* Default file permission umode when creating files (default: 0600) */
 #define DEFAULT_PERMISSION 0600
 
+#ifdef __APPLE__
+  #include <TargetConditionals.h>
+  #if TARGET_OS_IOS
+    #undef DEFAULT_PERMISSION
+    #define DEFAULT_PERMISSION 0666
+  #endif
+#endif
+#ifdef __ANDROID__
+  #undef DEFAULT_PERMISSION
+  #define DEFAULT_PERMISSION 0666
+#endif
+
 /* SkipDet's global configuration */
 
 #define MINIMAL_BLOCK_SIZE 64
@@ -85,11 +97,17 @@
 /* Maximum allowed fails per CMP value. Default: 96 */
 #define CMPLOG_FAIL_MAX 96
 
+/*
+ * Effective fuzzing with selective feeding inputs
+ */
+
+#define MAX_EXTRA_SAN_BINARY 4
+
 /* -------------------------------------*/
 /* Now non-cmplog configuration options */
 /* -------------------------------------*/
 
-/* If a persistent target keeps state and found crashes are not reproducable
+/* If a persistent target keeps state and found crashes are not reproducible
    then enable this option and set the AFL_PERSISTENT_RECORD env variable
    to a number. These number of testcases prior and including the crash case
    will be kept and written to the crash/ directory as RECORD:... files.
@@ -153,7 +171,8 @@
 #define EXEC_TM_ROUND 20U
 
 /* 64bit arch MACRO */
-#if (defined(__x86_64__) || defined(__arm64__) || defined(__aarch64__))
+#if (defined(__x86_64__) || defined(__arm64__) || defined(__aarch64__) || \
+     (defined(__riscv) && __riscv_xlen == 64))
   #define WORD_SIZE_64 1
 #endif
 
@@ -182,8 +201,8 @@
 
 /* Maximum number of unique hangs or crashes to record: */
 
-#define KEEP_UNIQUE_HANG 500U
-#define KEEP_UNIQUE_CRASH 10000U
+#define KEEP_UNIQUE_HANG 512U
+#define KEEP_UNIQUE_CRASH 25600U
 
 /* Baseline number of random tweaks during a single 'havoc' stage: */
 
@@ -492,6 +511,9 @@
 
 #define CMPLOG_SHM_ENV_VAR "__AFL_CMPLOG_SHM_ID"
 
+/* ASAN SHM ID */
+#define AFL_ASAN_FUZZ_SHM_ENV_VAR "__AFL_ASAN_SHM_ID"
+
 /* CPU Affinity lockfile env var */
 
 #define CPU_AFFINITY_ENV_VAR "__AFL_LOCKFILE"
@@ -523,7 +545,7 @@
 
 #define AFL_TXT_MAX_LEN 65535
 
-/* What is the minimum percentage of ascii characters present to be classifed
+/* What is the minimum percentage of ascii characters present to be classified
    as "is_ascii"? */
 
 #define AFL_TXT_MIN_PERCENT 99

include/coverage-32.h

@@ -1,6 +1,12 @@
+#ifndef _COVERAGE_H
+
+#define _COVERAGE_H
+
 #include "config.h"
 #include "types.h"
 
+#define _AFL_INTSIZEVAR u32
+
 u32 skim(const u32 *virgin, const u32 *current, const u32 *current_end);
 u32 classify_word(u32 word);
 
@@ -110,3 +116,5 @@ inline u32 skim(const u32 *virgin, const u32 *current, const u32 *current_end) {
 
 }
 
+#endif
+

include/coverage-64.h

@@ -1,6 +1,12 @@
+#ifndef _COVERAGE_H
+
+#define _COVERAGE_H
+
 #include "config.h"
 #include "types.h"
 
+#define _AFL_INTSIZEVAR u64
+
 #if (defined(__AVX512F__) && defined(__AVX512DQ__)) || defined(__AVX2__)
   #include <immintrin.h>
 #endif
@@ -118,7 +124,7 @@ inline u32 skim(const u64 *virgin, const u64 *current, const u64 *current_end) {
     /* All bytes are zero. */
     if (likely(mask == 0xff)) continue;
 
-      /* Look for nonzero bytes and check for new bits. */
+        /* Look for nonzero bytes and check for new bits. */
   #define UNROLL(x)                                                            \
     if (unlikely(!(mask & (1 << x)) && classify_word(current[x]) & virgin[x])) \
     return 1
@@ -192,3 +198,5 @@ inline u32 skim(const u64 *virgin, const u64 *current, const u64 *current_end) {
 
 #endif
 
+#endif
+

include/debug.h

@@ -331,6 +331,7 @@ static inline const char *colorfilter(const char *x) {
          "\n[-] PROGRAM ABORT : " cRST x);                               \
     SAYF(cLRD "\n    Stop location : " cRST "%s(), %s:%u\n\n", __func__, \
          __FILE__, (u32)__LINE__);                                       \
+    fflush(stdout);                                                      \
     abort();                                                             \
                                                                          \
   } while (0)

include/envs.h

@@ -117,9 +117,8 @@ static char *afl_environment_variables[] = {
     "AFL_USE_UBSAN", "AFL_UBSAN_VERBOSE", "AFL_USE_TSAN", "AFL_USE_CFISAN",
     "AFL_CFISAN_VERBOSE", "AFL_USE_LSAN", "AFL_WINE_PATH", "AFL_NO_SNAPSHOT",
     "AFL_EXPAND_HAVOC_NOW", "AFL_USE_FASAN", "AFL_USE_QASAN",
-    "AFL_PRINT_FILENAMES", "AFL_PIZZA_MODE", "AFL_NO_FASTRESUME", NULL
-
-};
+    "AFL_PRINT_FILENAMES", "AFL_PIZZA_MODE", "AFL_NO_FASTRESUME",
+    "AFL_SAN_ABSTRACTION", "AFL_SAN_NO_INST", "AFL_SAN_RECOVER", NULL};
 
 extern char *afl_environment_variables[];
 

include/forkserver.h

@@ -137,6 +137,8 @@ typedef struct afl_forkserver {
 
   u8 last_kill_signal;                  /* Signal that killed the child     */
 
+  u8 last_exit_code;               /* Child exit code if counted as a crash */
+
   bool use_shmem_fuzz;                  /* use shared mem for test cases    */
 
   bool support_shmem_fuzz;              /* set by afl-fuzz                  */
@@ -155,10 +157,13 @@ typedef struct afl_forkserver {
 
   bool no_unlink;                       /* do not unlink cur_input          */
 
-  bool uses_asan;                       /* Target uses ASAN?                */
+  u8 uses_asan;     /* Target uses ASAN/LSAN/MSAN? (bit 0/1/2 respectively) */
 
   bool debug;                           /* debug mode?                      */
 
+  u8 san_but_not_instrumented; /* Is it sanitizer enabled but not instrumented?
+                                */
+
   bool uses_crash_exitcode;             /* Custom crash exitcode specified? */
   u8   crash_exitcode;                  /* The crash exitcode specified     */
 
@@ -167,6 +172,7 @@ typedef struct afl_forkserver {
   u8 *shmem_fuzz;                       /* allocated memory for fuzzing     */
 
   char *cmplog_binary;                  /* the name of the cmplog binary    */
+  char *asanfuzz_binary;                /* the name of the ASAN binary      */
 
   /* persistent mode replay functionality */
   u32 persistent_record;                /* persistent replay setting        */

include/sharedmem.h

@@ -51,6 +51,7 @@ typedef struct sharedmem {
   size_t map_size;                                 /* actual allocated size */
 
   int             cmplog_mode;
+  int             sanfuzz_mode;
   int             shmemfuzz_mode;
   struct cmp_map *cmp_map;
 

include/t1ha.h

@@ -63,7 +63,7 @@
  *      // To enable unaligned access, but indicate that it significantly slow.
  *      #define T1HA_SYS_UNALIGNED_ACCESS 1
  *
- *      // To enable unaligned access, and indicate that it effecient.
+ *      // To enable unaligned access, and indicate that it's efficient.
  *      #define T1HA_SYS_UNALIGNED_ACCESS 2
  *
  *
@@ -512,7 +512,7 @@ T1HA_API uint64_t t1ha2_atonce128(uint64_t *__restrict extra_result,
                                   uint64_t seed);
 
 /* The init/update/final trinity for streaming.
- * Return 64 or 128-bit result depentently from `extra_result` argument. */
+ * Return 64 or 128-bit result dependently from `extra_result` argument. */
 T1HA_API void t1ha2_init(t1ha_context_t *ctx, uint64_t seed_x, uint64_t seed_y);
 T1HA_API void t1ha2_update(t1ha_context_t *__restrict ctx,
                            const void *__restrict data, size_t length);

include/xxhash.h

@@ -3169,7 +3169,7 @@ static xxh_u32 XXH32_avalanche(xxh_u32 hash) {
  */
 static XXH_PUREF xxh_u32 XXH32_finalize(xxh_u32 hash, const xxh_u8 *ptr,
                                         size_t len, XXH_alignment align) {
-\
+
   #define XXH_PROCESS1                             \
     do {                                           \
                                                    \

instrumentation/README.injections.md

@@ -29,7 +29,7 @@ Alternatively you can set `AFL_LLVM_INJECTIONS_ALL` to enable all.
 
 ## How to modify
 
-If you want to add more fuctions to check for e.g. SQL injections:
+If you want to add more functions to check for e.g. SQL injections:
 Add these to `instrumentation/injection-pass.cc` and recompile.
 
 If you want to test for more injection inputs:

instrumentation/README.lto.md

@@ -79,11 +79,11 @@ LLVM 13 to 19 should be available in all current Linux repositories.
 
 That part is easy.
 Just set `LLVM_CONFIG` to the llvm-config-VERSION and build AFL++, e.g. for
-LLVM 15:
+LLVM 19:
 
 ```
 cd ~/AFLplusplus
-export LLVM_CONFIG=llvm-config-15
+export LLVM_CONFIG=llvm-config-19
 make
 sudo make install
 ```
@@ -96,7 +96,7 @@ Also, the instrument file listing (AFL_LLVM_ALLOWLIST/AFL_LLVM_DENYLIST ->
 [README.instrument_list.md](README.instrument_list.md)) and laf-intel/compcov
 (AFL_LLVM_LAF_* -> [README.laf-intel.md](README.laf-intel.md)) work.
 
-Example (note that you might need to add the version, e.g. `llvm-ar-15`:
+Example (note that you might need to add the version, e.g. `llvm-ar-19`:
 
 ```
 CC=afl-clang-lto CXX=afl-clang-lto++ RANLIB=llvm-ranlib AR=llvm-ar AS=llvm-as ./configure

instrumentation/README.persistent_mode.md

@@ -8,7 +8,7 @@ most effective way to fuzz, as the speed can easily be x10 or x20 times faster
 without any disadvantages. *All professional fuzzing uses this mode.*
 
 Persistent mode requires that the target can be called in one or more functions,
-and that it's state can be completely reset so that multiple calls can be
+and that its state can be completely reset so that multiple calls can be
 performed without resource leaks, and that earlier runs will have no impact on
 future runs. An indicator for this is the `stability` value in the `afl-fuzz`
 UI. If this decreases to lower values in persistent mode compared to

instrumentation/SanitizerCoverageLTO.so.cc

@@ -327,7 +327,16 @@ class ModuleSanitizerCoverageLTOLegacyPass : public ModulePass {
 
     };
 
-    return ModuleSancov.instrumentModule(M, DTCallback, PDTCallback);
+    if (!getenv("AFL_SAN_NO_INST")) {
+
+      return ModuleSancov.instrumentModule(M, DTCallback, PDTCallback);
+
+    } else {
+
+      if (getenv("AFL_DEBUG")) { DEBUGF("Instrument disabled\n"); }
+      return false;
+
+    }
 
   }
 
@@ -380,8 +389,16 @@ PreservedAnalyses ModuleSanitizerCoverageLTO::run(Module                &M,
 
   };
 
-  if (ModuleSancov.instrumentModule(M, DTCallback, PDTCallback))
-    return PreservedAnalyses::none();
+  if (!getenv("AFL_SAN_NO_INST")) {
+
+    if (ModuleSancov.instrumentModule(M, DTCallback, PDTCallback))
+      return PreservedAnalyses::none();
+
+  } else {
+
+    if (debug) { DEBUGF("Instrument disabled\n"); }
+
+  }
 
   return PreservedAnalyses::all();
 
@@ -500,7 +517,7 @@ bool ModuleSanitizerCoverageLTO::instrumentModule(
   }
 
   // we make this the default as the fixed map has problems with
-  // defered forkserver, early constructors, ifuncs and maybe more
+  // deferred forkserver, early constructors, ifuncs and maybe more
   /*if (getenv("AFL_LLVM_MAP_DYNAMIC"))*/
   map_addr = 0;
 
@@ -1988,8 +2005,11 @@ void ModuleSanitizerCoverageLTO::instrumentFunction(
 
     }
 
-    extra_ctx_inst += inst_in_this_func * (call_counter - 1);
-    afl_global_id += extra_ctx_inst;
+    uint32_t extra_ctx_inst_in_this_func =
+        inst_in_this_func * (call_counter - 1);
+
+    extra_ctx_inst += extra_ctx_inst_in_this_func;
+    afl_global_id += extra_ctx_inst_in_this_func;
 
   }
 

instrumentation/SanitizerCoveragePCGUARD.so.cc

@@ -226,16 +226,28 @@ llvmGetPassPluginInfo() {
             using OptimizationLevel = typename PassBuilder::OptimizationLevel;
 #endif
 #if LLVM_VERSION_MAJOR >= 16
-            PB.registerOptimizerEarlyEPCallback(
+            PB.registerOptimizerEarlyEPCallback([](ModulePassManager &MPM,
+                                                   OptimizationLevel  OL
+  #if LLVM_VERSION_MAJOR >= 20
+                                                   ,
+                                                   ThinOrFullLTOPhase Phase
+  #endif
+                                                ) {
+
+              MPM.addPass(ModuleSanitizerCoverageAFL());
+
+            });
+
 #else
             PB.registerOptimizerLastEPCallback(
-#endif
                 [](ModulePassManager &MPM, OptimizationLevel OL) {
 
                   MPM.addPass(ModuleSanitizerCoverageAFL());
 
                 });
 
+#endif
+
           }};
 
 }
@@ -257,8 +269,20 @@ PreservedAnalyses ModuleSanitizerCoverageAFL::run(Module                &M,
 
   };
 
-  if (ModuleSancov.instrumentModule(M, DTCallback, PDTCallback))
-    return PreservedAnalyses::none();
+  // TODO: Support LTO or llvm classic?
+  // Note we still need afl-compiler-rt so we just disable the instrumentation
+  // here.
+  if (!getenv("AFL_SAN_NO_INST")) {
+
+    if (ModuleSancov.instrumentModule(M, DTCallback, PDTCallback))
+      return PreservedAnalyses::none();
+
+  } else {
+
+    if (getenv("AFL_DEBUG")) { DEBUGF("Instrument disabled\n"); }
+
+  }
+
   return PreservedAnalyses::all();
 
 }
@@ -326,7 +350,7 @@ Function *ModuleSanitizerCoverageAFL::CreateInitCallsForSections(
 
   if (TargetTriple.isOSBinFormatCOFF()) {
 
-    // In COFF files, if the contructors are set as COMDAT (they are because
+    // In COFF files, if the constructors are set as COMDAT (they are because
     // COFF supports COMDAT) and the linker flag /OPT:REF (strip unreferenced
     // functions and data) is used, the constructors get stripped. To prevent
     // this, give the constructors weak ODR linkage and ensure the linker knows

instrumentation/afl-compiler-rt.o.c

@@ -11,7 +11,6 @@
 
      https://www.apache.org/licenses/LICENSE-2.0
 
-
 */
 
 #ifdef __AFL_CODE_COVERAGE
@@ -358,7 +357,7 @@ static void __afl_map_shm(void) {
 
   if (__afl_final_loc) {
 
-    __afl_map_size = ++__afl_final_loc;  // as we count starting 0
+    __afl_map_size = __afl_final_loc + 1;  // as we count starting 0
 
     if (getenv("AFL_DUMP_MAP_SIZE")) {
 
@@ -601,9 +600,9 @@ static void __afl_map_shm(void) {
 
     }
 
-    __afl_area_ptr_dummy = (u8 *)malloc(__afl_final_loc);
+    __afl_map_size = __afl_final_loc + 1;
+    __afl_area_ptr_dummy = (u8 *)malloc(__afl_map_size);
     __afl_area_ptr = __afl_area_ptr_dummy;
-    __afl_map_size = __afl_final_loc;
 
     if (!__afl_area_ptr_dummy) {
 
@@ -892,10 +891,10 @@ static void __afl_start_forkserver(void) {
   /* Phone home and tell the parent that we're OK. If parent isn't there,
      assume we're not running in forkserver mode and just execute program. */
 
-  if (!__afl_old_forkserver) {
+  // return because possible non-forkserver usage
+  if (write(FORKSRV_FD + 1, msg, 4) != 4) { return; }
 
-    // return because possible non-forkserver usage
-    if (write(FORKSRV_FD + 1, msg, 4) != 4) { return; }
+  if (!__afl_old_forkserver) {
 
     if (read(FORKSRV_FD, reply, 4) != 4) { _exit(1); }
     if (tmp != status2) {
@@ -2670,6 +2669,89 @@ void __cmplog_rtn_llvm_stdstring_stdstring(u8 *stdstring1, u8 *stdstring2) {
 
 }
 
+/* llvm weak hooks */
+
+void __sanitizer_weak_hook_memcmp(void *pc, const void *s1, const void *s2,
+                                  size_t n, int result) {
+
+  __cmplog_rtn_hook_n((u8 *)s1, (u8 *)s2, (u64)n);
+  (void)pc;
+  (void)result;
+
+}
+
+void __sanitizer_weak_hook_memmem(void *pc, const void *s1, size_t len1,
+                                  const void *s2, size_t len2, void *result) {
+
+  __cmplog_rtn_hook_n((u8 *)s1, (u8 *)s2, len1 < len2 ? (u64)len1 : (u64)len2);
+  (void)pc;
+  (void)result;
+
+}
+
+void __sanitizer_weak_hook_strncasecmp(void *pc, const void *s1, const void *s2,
+                                       size_t n, int result) {
+
+  __cmplog_rtn_hook_strn((u8 *)s1, (u8 *)s2, (u64)n);
+  (void)pc;
+  (void)result;
+
+}
+
+void __sanitizer_weak_hook_strncasestr(void *pc, const void *s1, const void *s2,
+                                       size_t n, char *result) {
+
+  __cmplog_rtn_hook_strn((u8 *)s1, (u8 *)s2, (u64)n);
+  (void)pc;
+  (void)result;
+
+}
+
+void __sanitizer_weak_hook_strncmp(void *pc, const void *s1, const void *s2,
+                                   size_t n, int result) {
+
+  __cmplog_rtn_hook_strn((u8 *)s1, (u8 *)s2, (u64)n);
+  (void)pc;
+  (void)result;
+
+}
+
+void __sanitizer_weak_hook_strcasecmp(void *pc, const void *s1, const void *s2,
+                                      int result) {
+
+  __cmplog_rtn_hook_str((u8 *)s1, (u8 *)s2);
+  (void)pc;
+  (void)result;
+
+}
+
+void __sanitizer_weak_hook_strcasestr(void *pc, const void *s1, const void *s2,
+                                      size_t n, char *result) {
+
+  __cmplog_rtn_hook_str((u8 *)s1, (u8 *)s2);
+  (void)pc;
+  (void)result;
+
+}
+
+void __sanitizer_weak_hook_strcmp(void *pc, const void *s1, const void *s2,
+                                  int result) {
+
+  __cmplog_rtn_hook_str((u8 *)s1, (u8 *)s2);
+  (void)pc;
+  (void)result;
+
+}
+
+void __sanitizer_weak_hook_strstr(void *pc, const void *s1, const void *s2,
+                                  char *result) {
+
+  __cmplog_rtn_hook_str((u8 *)s1, (u8 *)s2);
+  (void)pc;
+  (void)result;
+
+}
+
 /* COVERAGE manipulation features */
 
 // this variable is then used in the shm setup to create an additional map

instrumentation/afl-llvm-common.cc

@@ -157,7 +157,7 @@ bool isIgnoreFunction(const llvm::Function *F) {
   // mangled name of the user-written function
   for (auto const &ignoreListFunc : ignoreSubstringList) {
 
-    // hexcoder: F->getName().contains() not avaiilable in llvm 3.8.0
+    // hexcoder: F->getName().contains() not available in llvm 3.8.0
     if (StringRef::npos != F->getName().find(ignoreListFunc)) { return true; }
 
   }

instrumentation/afl-llvm-dict2file.so.cc

@@ -120,12 +120,17 @@ llvmGetPassPluginInfo() {
   #if LLVM_VERSION_MAJOR <= 13
             using OptimizationLevel = typename PassBuilder::OptimizationLevel;
   #endif
-            PB.registerOptimizerLastEPCallback(
-                [](ModulePassManager &MPM, OptimizationLevel OL) {
+            PB.registerOptimizerLastEPCallback([](ModulePassManager &MPM,
+                                                  OptimizationLevel  OL
+  #if LLVM_VERSION_MAJOR >= 20
+                                                  ,
+                                                  ThinOrFullLTOPhase Phase
+  #endif
+                                               ) {
 
-                  MPM.addPass(AFLdict2filePass());
+              MPM.addPass(AFLdict2filePass());
 
-                });
+            });
 
           }};
 

instrumentation/afl-llvm-lto-instrumentlist.so.cc

@@ -83,12 +83,17 @@ llvmGetPassPluginInfo() {
 #if LLVM_VERSION_MAJOR <= 13
             using OptimizationLevel = typename PassBuilder::OptimizationLevel;
 #endif
-            PB.registerOptimizerLastEPCallback(
-                [](ModulePassManager &MPM, OptimizationLevel OL) {
+            PB.registerOptimizerLastEPCallback([](ModulePassManager &MPM,
+                                                  OptimizationLevel  OL
+#if LLVM_VERSION_MAJOR >= 20
+                                                  ,
+                                                  ThinOrFullLTOPhase Phase
+#endif
+                                               ) {
 
-                  MPM.addPass(AFLcheckIfInstrument());
+              MPM.addPass(AFLcheckIfInstrument());
 
-                });
+            });
 
           }};
 

instrumentation/afl-llvm-pass.so.cc

@@ -110,8 +110,7 @@ class AFLCoverage : public ModulePass {
 }  // namespace
 
 #if LLVM_VERSION_MAJOR >= 11                        /* use new pass manager */
-extern "C" ::llvm::PassPluginLibraryInfo LLVM_ATTRIBUTE_WEAK
-llvmGetPassPluginInfo() {
+extern "C" LLVM_ATTRIBUTE_WEAK PassPluginLibraryInfo llvmGetPassPluginInfo() {
 
   return {LLVM_PLUGIN_API_VERSION, "AFLCoverage", "v0.1",
           /* lambda to insert our pass into the pass pipeline. */
@@ -126,7 +125,12 @@ llvmGetPassPluginInfo() {
     #else
             PB.registerOptimizerLastEPCallback(
     #endif
-                [](ModulePassManager &MPM, OptimizationLevel OL) {
+                [](ModulePassManager &MPM, OptimizationLevel OL
+    #if LLVM_VERSION_MAJOR >= 20
+                   ,
+                   ThinOrFullLTOPhase Phase
+    #endif
+                ) {
 
                   MPM.addPass(AFLCoverage());
 
@@ -220,6 +224,24 @@ bool AFLCoverage::runOnModule(Module &M) {
 
   if (getenv("AFL_DEBUG")) debug = 1;
 
+#if LLVM_VERSION_MAJOR >= 11                        /* use new pass manager */
+  if (getenv("AFL_SAN_NO_INST")) {
+
+    if (debug) { fprintf(stderr, "Instrument disabled\n"); }
+    return PreservedAnalyses::all();
+
+  }
+
+#else
+  if (getenv("AFL_SAN_NO_INST")) {
+
+    if (debug) { fprintf(stderr, "Instrument disabled\n"); }
+    return true;
+
+  }
+
+#endif
+
   if ((isatty(2) && !getenv("AFL_QUIET")) || getenv("AFL_DEBUG") != NULL) {
 
     SAYF(cCYA "afl-llvm-pass" VERSION cRST

instrumentation/cmplog-instructions-pass.cc

@@ -123,12 +123,17 @@ llvmGetPassPluginInfo() {
   #if LLVM_VERSION_MAJOR <= 13
             using OptimizationLevel = typename PassBuilder::OptimizationLevel;
   #endif
-            PB.registerOptimizerLastEPCallback(
-                [](ModulePassManager &MPM, OptimizationLevel OL) {
+            PB.registerOptimizerLastEPCallback([](ModulePassManager &MPM,
+                                                  OptimizationLevel  OL
+  #if LLVM_VERSION_MAJOR >= 20
+                                                  ,
+                                                  ThinOrFullLTOPhase Phase
+  #endif
+                                               ) {
 
-                  MPM.addPass(CmpLogInstructions());
+              MPM.addPass(CmpLogInstructions());
 
-                });
+            });
 
           }};
 

instrumentation/cmplog-routines-pass.cc

@@ -118,12 +118,17 @@ llvmGetPassPluginInfo() {
   #if LLVM_VERSION_MAJOR <= 13
             using OptimizationLevel = typename PassBuilder::OptimizationLevel;
   #endif
-            PB.registerOptimizerLastEPCallback(
-                [](ModulePassManager &MPM, OptimizationLevel OL) {
+            PB.registerOptimizerLastEPCallback([](ModulePassManager &MPM,
+                                                  OptimizationLevel  OL
+  #if LLVM_VERSION_MAJOR >= 20
+                                                  ,
+                                                  ThinOrFullLTOPhase Phase
+  #endif
+                                               ) {
 
-                  MPM.addPass(CmpLogRoutines());
+              MPM.addPass(CmpLogRoutines());
 
-                });
+            });
 
           }};
 

instrumentation/cmplog-switches-pass.cc

@@ -118,12 +118,17 @@ llvmGetPassPluginInfo() {
   #if LLVM_VERSION_MAJOR <= 13
             using OptimizationLevel = typename PassBuilder::OptimizationLevel;
   #endif
-            PB.registerOptimizerLastEPCallback(
-                [](ModulePassManager &MPM, OptimizationLevel OL) {
+            PB.registerOptimizerLastEPCallback([](ModulePassManager &MPM,
+                                                  OptimizationLevel  OL
+  #if LLVM_VERSION_MAJOR >= 20
+                                                  ,
+                                                  ThinOrFullLTOPhase Phase
+  #endif
+                                               ) {
 
-                  MPM.addPass(CmplogSwitches());
+              MPM.addPass(CmplogSwitches());
 
-                });
+            });
 
           }};
 

instrumentation/compare-transform-pass.so.cc

@@ -134,7 +134,12 @@ llvmGetPassPluginInfo() {
     #else
             PB.registerOptimizerLastEPCallback(
     #endif
-                [](ModulePassManager &MPM, OptimizationLevel OL) {
+                [](ModulePassManager &MPM, OptimizationLevel OL
+    #if LLVM_VERSION_MAJOR >= 20
+                   ,
+                   ThinOrFullLTOPhase Phase
+    #endif
+                ) {
 
                   MPM.addPass(CompareTransform());
 

instrumentation/injection-pass.cc

@@ -122,12 +122,17 @@ llvmGetPassPluginInfo() {
   #if LLVM_VERSION_MAJOR <= 13
             using OptimizationLevel = typename PassBuilder::OptimizationLevel;
   #endif
-            PB.registerOptimizerLastEPCallback(
-                [](ModulePassManager &MPM, OptimizationLevel OL) {
+            PB.registerOptimizerLastEPCallback([](ModulePassManager &MPM,
+                                                  OptimizationLevel  OL
+  #if LLVM_VERSION_MAJOR >= 20
+                                                  ,
+                                                  ThinOrFullLTOPhase Phase
+  #endif
+                                               ) {
 
-                  MPM.addPass(InjectionRoutines());
+              MPM.addPass(InjectionRoutines());
 
-                });
+            });
 
           }};
 

instrumentation/split-compares-pass.so.cc

@@ -112,7 +112,7 @@ class SplitComparesTransform : public ModulePass {
   /// simplify a signed comparison (signed less or greater than)
   bool simplifySignedCompare(CmpInst *IcmpInst, Module &M,
                              CmpWorklist &worklist);
-  /// splits an icmp into nested icmps recursivly until target_bitwidth is
+  /// splits an icmp into nested icmps recursively until target_bitwidth is
   /// reached
   bool splitCompare(CmpInst *I, Module &M, CmpWorklist &worklist);
 
@@ -194,7 +194,12 @@ llvmGetPassPluginInfo() {
     #else
             PB.registerOptimizerLastEPCallback(
     #endif
-                [](ModulePassManager &MPM, OptimizationLevel OL) {
+                [](ModulePassManager &MPM, OptimizationLevel OL
+    #if LLVM_VERSION_MAJOR >= 20
+                   ,
+                   ThinOrFullLTOPhase Phase
+    #endif
+                ) {
 
                   MPM.addPass(SplitComparesTransform());
 
@@ -675,7 +680,7 @@ bool SplitComparesTransform::splitCompare(CmpInst *cmp_inst, Module &M,
 
   PHINode *PN = nullptr;
 
-  /* now we have to destinguish between == != and > < */
+  /* now we have to distinguish between == != and > < */
   switch (pred) {
 
     case CmpInst::ICMP_EQ:
@@ -763,7 +768,7 @@ bool SplitComparesTransform::splitCompare(CmpInst *cmp_inst, Module &M,
 
       } else {
 
-        // Never gonna appen
+        // Never gonna happen
         if (!be_quiet)
           fprintf(stderr,
                   "Error: split-compare: Equals or signed not removed: %d\n",
@@ -1431,14 +1436,14 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
 
         case CmpInst::FCMP_UEQ:
         case CmpInst::FCMP_OEQ:
-          /* if the exponents are satifying the compare do a fraction cmp in
+          /* if the exponents are satisfying the compare do a fraction cmp in
            * middle_bb */
           BranchInst::Create(middle_bb, end_bb, icmp_exponent_result,
                              signequal2_bb);
           break;
         case CmpInst::FCMP_ONE:
         case CmpInst::FCMP_UNE:
-          /* if the exponents are satifying the compare do a fraction cmp in
+          /* if the exponents are satisfying the compare do a fraction cmp in
            * middle_bb */
           BranchInst::Create(end_bb, middle_bb, icmp_exponent_result,
                              signequal2_bb);

instrumentation/split-switches-pass.so.cc

@@ -142,7 +142,13 @@ llvmGetPassPluginInfo() {
     #else
             PB.registerOptimizerLastEPCallback(
     #endif
-                [](ModulePassManager &MPM, OptimizationLevel OL) {
+                [](ModulePassManager &MPM, OptimizationLevel OL
+    #if LLVM_VERSION_MAJOR >= 20
+                   ,
+                   ThinOrFullLTOPhase Phase
+    #endif
+
+                ) {
 
                   MPM.addPass(SplitSwitchesTransform());
 

nyx_mode/custom_harness/example.c

@@ -17,14 +17,14 @@ int main(int argc, char **argv) {
    */
   hprintf("Agent test\n");
 
-  /* Request information on available (host) capabilites (optional) */
+  /* Request information on available (host) capabilities (optional) */
   host_config_t host_config;
   kAFL_hypercall(HYPERCALL_KAFL_GET_HOST_CONFIG, (uintptr_t)&host_config);
-  hprintf("[capablities] host_config.bitmap_size: 0x%" PRIx64 "\n",
+  hprintf("[capabilities] host_config.bitmap_size: 0x%" PRIx64 "\n",
           host_config.bitmap_size);
-  hprintf("[capablities] host_config.ijon_bitmap_size: 0x%" PRIx64 "\n",
+  hprintf("[capabilities] host_config.ijon_bitmap_size: 0x%" PRIx64 "\n",
           host_config.ijon_bitmap_size);
-  hprintf("[capablities] host_config.payload_buffer_size: 0x%" PRIx64 "x\n",
+  hprintf("[capabilities] host_config.payload_buffer_size: 0x%" PRIx64 "x\n",
           host_config.payload_buffer_size);
 
   /* this is our "bitmap" that is later shared with the fuzzer (you can also
@@ -47,9 +47,9 @@ int main(int argc, char **argv) {
           */
   agent_config.agent_tracing =
       1; /* set this flag to propagade that instrumentation-based fuzzing is
-            availabe */
+            available */
   agent_config.agent_ijon_tracing = 0; /* set this flag to propagade that IJON
-                                          extension is implmented agent-wise */
+                                          extension is implemented agent-wise */
   agent_config.trace_buffer_vaddr =
       (uintptr_t)trace_buffer; /* trace "bitmap" pointer - required for
                                   instrumentation-only fuzzing */
@@ -106,8 +106,8 @@ int main(int argc, char **argv) {
             if (payload_buffer->data[3] == 'X') {
 
               ((uint8_t *)trace_buffer)[4] = 0x1;
-              /* Notifiy the hypervisor and the fuzzer that a "crash" has
-               * occured. Also a string is passed by this hypercall (this is
+              /* Notify the hypervisor and the fuzzer that a "crash" has
+               * occurred. Also a string is passed by this hypercall (this is
                * currently not supported by AFL++-Nyx) */
               kAFL_hypercall(HYPERCALL_KAFL_PANIC_EXTENDED,
                              (uintptr_t) "Something went wrong\n");

qemu_mode/QEMUAFL_VERSION

@@ -1 +1 @@
-4d837f06d5
+ef1cd9a8cb

qemu_mode/README.deferred_initialization_example.md

@@ -40,7 +40,7 @@ ALPINE_ROOT=<your-alpine-sysroot-directory>
 FUZZ=<your-path-to-the-code>
 sudo systemd-nspawn -D $ALPINE_ROOT --bind=$FUZZ:/fuzz
 CC=$(which clang) CFLAGS="-g" LDSHARED="clang -shared" python3 -m pip install /fuzz
-clang $(python3-config --embed --cflags) $(python3-config --embed --ldflags) -o /fuzz/fuzz_harness /fuzz/fuzz_harness.c
+clang $(python3-config --embed --cflags) -o /fuzz/fuzz_harness /fuzz/fuzz_harness.c $(python3-config --embed --ldflags)
 exit
 ```
 

qemu_mode/hooking_bridge/README.md

@@ -11,7 +11,7 @@ Run build_qemu_support.sh as you do to compile qemuafl, additionally with three
 * `ENABLE_HOOKING=1` to compile the bridge
 * `GLIB_H` and `GLIB_CONFIG_H` point to headers `glib.h` and `glibconfig.h` to wherever they are installed on your system
 
-## Writting hooks
+## Writing hooks
 1. Create one or more hooking functions in a shared library, say `hook.so`.
 2. Include `exports.h` in your hook build. You can find this header at `<your AFL++ path>/qemu_mode/hooking_bridge/inc`.
 3. Shown below is an example which will use to walkthrough hook creation

qemu_mode/libcompcov/pmparser.h

@@ -101,7 +101,7 @@ void _pmparser_split_line(char *buf, char *addr1, char *addr2, char *perm,
 void pmparser_print(procmaps_struct *map, int order);
 
 /**
- * gobal variables
+ * global variables
  */
 // procmaps_struct *g_last_head=NULL;
 // procmaps_struct *g_current=NULL;

qemu_mode/libqasan/patch.c

@@ -175,7 +175,7 @@ static void find_libc(void) {
 }
 
 /* Why this shit? https://twitter.com/andreafioraldi/status/1227635146452541441
-   Unfortunatly, symbol override with LD_PRELOAD is not enough to prevent libc
+   Unfortunately, symbol override with LD_PRELOAD is not enough to prevent libc
    code to call this optimized XMM-based routines.
    We patch them at runtime to call our unoptimized version of the same routine.
 */

src/afl-analyze.c

@@ -110,8 +110,9 @@ static u8 count_class_lookup[256] = {
 
 };
 
-static void kill_child() {
+static void kill_child(int signal) {
 
+  (void)signal;
   if (fsrv.child_pid > 0) {
 
     kill(fsrv.child_pid, fsrv.child_kill_signal);
@@ -695,14 +696,18 @@ static void set_up_environment(char **argv) {
       ck_free(frida_binary);
 
       setenv("LD_PRELOAD", frida_afl_preload, 1);
+#ifdef __APPLE__
       setenv("DYLD_INSERT_LIBRARIES", frida_afl_preload, 1);
+#endif
 
     } else {
 
       /* CoreSight mode uses the default behavior. */
 
       setenv("LD_PRELOAD", getenv("AFL_PRELOAD"), 1);
+#ifdef __APPLE__
       setenv("DYLD_INSERT_LIBRARIES", getenv("AFL_PRELOAD"), 1);
+#endif
 
     }
 
@@ -710,7 +715,9 @@ static void set_up_environment(char **argv) {
 
     u8 *frida_binary = find_afl_binary(argv[0], "afl-frida-trace.so");
     setenv("LD_PRELOAD", frida_binary, 1);
+#ifdef __APPLE__
     setenv("DYLD_INSERT_LIBRARIES", frida_binary, 1);
+#endif
     ck_free(frida_binary);
 
   }
@@ -968,7 +975,7 @@ int main(int argc, char **argv_orig, char **envp) {
 
         break;
 
-      case 'Y':  // fallthough
+      case 'Y':  // fallthrough
 #ifdef __linux__
       case 'X':                                                 /* NYX mode */
 
@@ -981,7 +988,7 @@ int main(int argc, char **argv_orig, char **envp) {
         break;
 #else
       case 'X':
-        FATAL("Nyx mode is only availabe on linux...");
+        FATAL("Nyx mode is only available on linux...");
         break;
 #endif