aboutsummaryrefslogtreecommitdiff
path: root/include
diff options
context:
space:
mode:
authorAndrea Fioraldi <andreafioraldi@gmail.com>2019-09-02 18:49:43 +0200
committerAndrea Fioraldi <andreafioraldi@gmail.com>2019-09-02 18:49:43 +0200
commitb24639d0113e15933e749ea0f96abe3f25a134a0 (patch)
tree4272020625c80c0d6982d3787bebc573c0da01b8 /include
parent2ae4ca91b48407add0e940ee13bd8b385e319a7a (diff)
downloadAFLplusplus-b24639d0113e15933e749ea0f96abe3f25a134a0.tar.gz
run code formatter
Diffstat (limited to 'include')
-rw-r--r--include/afl-as.h95
-rw-r--r--include/afl-fuzz.h545
-rw-r--r--include/alloc-inl.h225
-rw-r--r--include/android-ashmem.h87
-rw-r--r--include/common.h1
-rw-r--r--include/config.h214
-rw-r--r--include/debug.h180
-rw-r--r--include/forkserver.h18
-rw-r--r--include/hash.h25
-rw-r--r--include/sharedmem.h1
-rw-r--r--include/types.h43
11 files changed, 737 insertions, 697 deletions
diff --git a/include/afl-as.h b/include/afl-as.h
index 4748eda7..4f8fb640 100644
--- a/include/afl-as.h
+++ b/include/afl-as.h
@@ -37,7 +37,7 @@
#include "config.h"
#include "types.h"
-/*
+/*
------------------
Performances notes
------------------
@@ -106,47 +106,47 @@
static const u8* trampoline_fmt_32 =
- "\n"
- "/* --- AFL TRAMPOLINE (32-BIT) --- */\n"
- "\n"
- ".align 4\n"
- "\n"
- "leal -16(%%esp), %%esp\n"
- "movl %%edi, 0(%%esp)\n"
- "movl %%edx, 4(%%esp)\n"
- "movl %%ecx, 8(%%esp)\n"
- "movl %%eax, 12(%%esp)\n"
- "movl $0x%08x, %%ecx\n"
- "call __afl_maybe_log\n"
- "movl 12(%%esp), %%eax\n"
- "movl 8(%%esp), %%ecx\n"
- "movl 4(%%esp), %%edx\n"
- "movl 0(%%esp), %%edi\n"
- "leal 16(%%esp), %%esp\n"
- "\n"
- "/* --- END --- */\n"
- "\n";
+ "\n"
+ "/* --- AFL TRAMPOLINE (32-BIT) --- */\n"
+ "\n"
+ ".align 4\n"
+ "\n"
+ "leal -16(%%esp), %%esp\n"
+ "movl %%edi, 0(%%esp)\n"
+ "movl %%edx, 4(%%esp)\n"
+ "movl %%ecx, 8(%%esp)\n"
+ "movl %%eax, 12(%%esp)\n"
+ "movl $0x%08x, %%ecx\n"
+ "call __afl_maybe_log\n"
+ "movl 12(%%esp), %%eax\n"
+ "movl 8(%%esp), %%ecx\n"
+ "movl 4(%%esp), %%edx\n"
+ "movl 0(%%esp), %%edi\n"
+ "leal 16(%%esp), %%esp\n"
+ "\n"
+ "/* --- END --- */\n"
+ "\n";
static const u8* trampoline_fmt_64 =
- "\n"
- "/* --- AFL TRAMPOLINE (64-BIT) --- */\n"
- "\n"
- ".align 4\n"
- "\n"
- "leaq -(128+24)(%%rsp), %%rsp\n"
- "movq %%rdx, 0(%%rsp)\n"
- "movq %%rcx, 8(%%rsp)\n"
- "movq %%rax, 16(%%rsp)\n"
- "movq $0x%08x, %%rcx\n"
- "call __afl_maybe_log\n"
- "movq 16(%%rsp), %%rax\n"
- "movq 8(%%rsp), %%rcx\n"
- "movq 0(%%rsp), %%rdx\n"
- "leaq (128+24)(%%rsp), %%rsp\n"
- "\n"
- "/* --- END --- */\n"
- "\n";
+ "\n"
+ "/* --- AFL TRAMPOLINE (64-BIT) --- */\n"
+ "\n"
+ ".align 4\n"
+ "\n"
+ "leaq -(128+24)(%%rsp), %%rsp\n"
+ "movq %%rdx, 0(%%rsp)\n"
+ "movq %%rcx, 8(%%rsp)\n"
+ "movq %%rax, 16(%%rsp)\n"
+ "movq $0x%08x, %%rcx\n"
+ "call __afl_maybe_log\n"
+ "movq 16(%%rsp), %%rax\n"
+ "movq 8(%%rsp), %%rcx\n"
+ "movq 0(%%rsp), %%rdx\n"
+ "leaq (128+24)(%%rsp), %%rsp\n"
+ "\n"
+ "/* --- END --- */\n"
+ "\n";
static const u8* main_payload_32 =
@@ -398,9 +398,9 @@ static const u8* main_payload_32 =
recognize .string. */
#ifdef __APPLE__
-# define CALL_L64(str) "call _" str "\n"
+# define CALL_L64(str) "call _" str "\n"
#else
-# define CALL_L64(str) "call " str "@PLT\n"
+# define CALL_L64(str) "call " str "@PLT\n"
#endif /* ^__APPLE__ */
static const u8* main_payload_64 =
@@ -415,7 +415,7 @@ static const u8* main_payload_64 =
"\n"
"__afl_maybe_log:\n"
"\n"
-#if defined(__OpenBSD__) || (defined(__FreeBSD__) && (__FreeBSD__ < 9))
+#if defined(__OpenBSD__) || (defined(__FreeBSD__) && (__FreeBSD__ < 9))
" .byte 0x9f /* lahf */\n"
#else
" lahf\n"
@@ -448,7 +448,7 @@ static const u8* main_payload_64 =
"__afl_return:\n"
"\n"
" addb $127, %al\n"
-#if defined(__OpenBSD__) || (defined(__FreeBSD__) && (__FreeBSD__ < 9))
+#if defined(__OpenBSD__) || (defined(__FreeBSD__) && (__FreeBSD__ < 9))
" .byte 0x9e /* sahf */\n"
#else
" sahf\n"
@@ -737,9 +737,9 @@ static const u8* main_payload_64 =
#ifdef __APPLE__
" .comm __afl_area_ptr, 8\n"
-#ifndef COVERAGE_ONLY
+# ifndef COVERAGE_ONLY
" .comm __afl_prev_loc, 8\n"
-#endif /* !COVERAGE_ONLY */
+# endif /* !COVERAGE_ONLY */
" .comm __afl_fork_pid, 4\n"
" .comm __afl_temp, 4\n"
" .comm __afl_setup_failure, 1\n"
@@ -747,9 +747,9 @@ static const u8* main_payload_64 =
#else
" .lcomm __afl_area_ptr, 8\n"
-#ifndef COVERAGE_ONLY
+# ifndef COVERAGE_ONLY
" .lcomm __afl_prev_loc, 8\n"
-#endif /* !COVERAGE_ONLY */
+# endif /* !COVERAGE_ONLY */
" .lcomm __afl_fork_pid, 4\n"
" .lcomm __afl_temp, 4\n"
" .lcomm __afl_setup_failure, 1\n"
@@ -765,3 +765,4 @@ static const u8* main_payload_64 =
"\n";
#endif /* !_HAVE_AFL_AS_H */
+
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index ca22ef75..3e121851 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -27,12 +27,12 @@
#define MESSAGES_TO_STDOUT
#ifndef _GNU_SOURCE
-#define _GNU_SOURCE
+# define _GNU_SOURCE
#endif
#define _FILE_OFFSET_BITS 64
#ifdef __ANDROID__
- #include "android-ashmem.h"
+# include "android-ashmem.h"
#endif
#include "config.h"
@@ -68,7 +68,7 @@
#include <sys/ioctl.h>
#include <sys/file.h>
-#if defined(__APPLE__) || defined(__FreeBSD__) || defined (__OpenBSD__)
+#if defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__)
# include <sys/sysctl.h>
# define HAVE_ARC4RANDOM 1
#endif /* __APPLE__ || __FreeBSD__ || __OpenBSD__ */
@@ -88,45 +88,47 @@
struct queue_entry {
- u8* fname; /* File name for the test case */
- u32 len; /* Input length */
+ u8* fname; /* File name for the test case */
+ u32 len; /* Input length */
- u8 cal_failed, /* Calibration failed? */
- trim_done, /* Trimmed? */
- was_fuzzed, /* historical, but needed for MOpt */
- passed_det, /* Deterministic stages passed? */
- has_new_cov, /* Triggers new coverage? */
- var_behavior, /* Variable behavior? */
- favored, /* Currently favored? */
- fs_redundant; /* Marked as redundant in the fs? */
+ u8 cal_failed, /* Calibration failed? */
+ trim_done, /* Trimmed? */
+ was_fuzzed, /* historical, but needed for MOpt */
+ passed_det, /* Deterministic stages passed? */
+ has_new_cov, /* Triggers new coverage? */
+ var_behavior, /* Variable behavior? */
+ favored, /* Currently favored? */
+ fs_redundant; /* Marked as redundant in the fs? */
- u32 bitmap_size, /* Number of bits set in bitmap */
- fuzz_level, /* Number of fuzzing iterations */
- exec_cksum; /* Checksum of the execution trace */
+ u32 bitmap_size, /* Number of bits set in bitmap */
+ fuzz_level, /* Number of fuzzing iterations */
+ exec_cksum; /* Checksum of the execution trace */
- u64 exec_us, /* Execution time (us) */
- handicap, /* Number of queue cycles behind */
- n_fuzz, /* Number of fuzz, does not overflow */
- depth; /* Path depth */
+ u64 exec_us, /* Execution time (us) */
+ handicap, /* Number of queue cycles behind */
+ n_fuzz, /* Number of fuzz, does not overflow */
+ depth; /* Path depth */
- u8* trace_mini; /* Trace bytes, if kept */
- u32 tc_ref; /* Trace bytes ref count */
+ u8* trace_mini; /* Trace bytes, if kept */
+ u32 tc_ref; /* Trace bytes ref count */
- struct queue_entry *next, /* Next element, if any */
- *next_100; /* 100 elements ahead */
+ struct queue_entry *next, /* Next element, if any */
+ *next_100; /* 100 elements ahead */
};
struct extra_data {
- u8* data; /* Dictionary token data */
- u32 len; /* Dictionary token length */
- u32 hit_cnt; /* Use count in the corpus */
-};
+ u8* data; /* Dictionary token data */
+ u32 len; /* Dictionary token length */
+ u32 hit_cnt; /* Use count in the corpus */
+
+};
/* Fuzzing stages */
enum {
+
/* 00 */ STAGE_FLIP1,
/* 01 */ STAGE_FLIP2,
/* 02 */ STAGE_FLIP4,
@@ -146,72 +148,60 @@ enum {
/* 16 */ STAGE_SPLICE,
/* 17 */ STAGE_PYTHON,
/* 18 */ STAGE_CUSTOM_MUTATOR
+
};
/* Stage value types */
enum {
+
/* 00 */ STAGE_VAL_NONE,
/* 01 */ STAGE_VAL_LE,
/* 02 */ STAGE_VAL_BE
+
};
/* Execution status fault codes */
enum {
+
/* 00 */ FAULT_NONE,
/* 01 */ FAULT_TMOUT,
/* 02 */ FAULT_CRASH,
/* 03 */ FAULT_ERROR,
/* 04 */ FAULT_NOINST,
/* 05 */ FAULT_NOBITS
-};
+};
/* MOpt:
Lots of globals, but mostly for the status UI and other things where it
really makes no sense to haul them around as function parameters. */
-extern u64 limit_time_puppet,
- orig_hit_cnt_puppet,
- last_limit_time_start,
- tmp_pilot_time,
- total_pacemaker_time,
- total_puppet_find,
- temp_puppet_find,
- most_time_key,
- most_time,
- most_execs_key,
- most_execs,
- old_hit_count;
-
-extern s32 SPLICE_CYCLES_puppet,
- limit_time_sig,
- key_puppet,
- key_module;
-
-extern double w_init,
- w_end,
- w_now;
+extern u64 limit_time_puppet, orig_hit_cnt_puppet, last_limit_time_start,
+ tmp_pilot_time, total_pacemaker_time, total_puppet_find, temp_puppet_find,
+ most_time_key, most_time, most_execs_key, most_execs, old_hit_count;
+
+extern s32 SPLICE_CYCLES_puppet, limit_time_sig, key_puppet, key_module;
+
+extern double w_init, w_end, w_now;
extern s32 g_now;
extern s32 g_max;
#define operator_num 16
#define swarm_num 5
-#define period_core 500000
+#define period_core 500000
extern u64 tmp_core_time;
extern s32 swarm_now;
-extern double x_now[swarm_num][operator_num],
- L_best[swarm_num][operator_num],
- eff_best[swarm_num][operator_num],
- G_best[operator_num],
- v_now[swarm_num][operator_num],
- probability_now[swarm_num][operator_num],
- swarm_fitness[swarm_num];
+extern double x_now[swarm_num][operator_num], L_best[swarm_num][operator_num],
+ eff_best[swarm_num][operator_num], G_best[operator_num],
+ v_now[swarm_num][operator_num], probability_now[swarm_num][operator_num],
+ swarm_fitness[swarm_num];
-extern u64 stage_finds_puppet[swarm_num][operator_num], /* Patterns found per fuzz stage */
+extern u64 stage_finds_puppet[swarm_num][operator_num], /* Patterns found per
+ fuzz stage */
stage_finds_puppet_v2[swarm_num][operator_num],
stage_cycles_puppet_v2[swarm_num][operator_num],
stage_cycles_puppet_v3[swarm_num][operator_num],
@@ -221,9 +211,9 @@ extern u64 stage_finds_puppet[swarm_num][operator_num], /* Patterns fo
core_operator_finds_puppet_v2[operator_num],
core_operator_cycles_puppet[operator_num],
core_operator_cycles_puppet_v2[operator_num],
- core_operator_cycles_puppet_v3[operator_num]; /* Execs per fuzz stage */
+ core_operator_cycles_puppet_v3[operator_num]; /* Execs per fuzz stage */
-#define RAND_C (rand()%1000*0.001)
+#define RAND_C (rand() % 1000 * 0.001)
#define v_max 1
#define v_min 0.05
#define limit_time_bound 1.1
@@ -236,225 +226,228 @@ extern u64 stage_finds_puppet[swarm_num][operator_num], /* Patterns fo
#define period_pilot 50000
extern double period_pilot_tmp;
-extern s32 key_lv;
-
-extern u8 *in_dir, /* Input directory with test cases */
- *out_dir, /* Working & output directory */
- *tmp_dir , /* Temporary directory for input */
- *sync_dir, /* Synchronization directory */
- *sync_id, /* Fuzzer ID */
- *power_name, /* Power schedule name */
- *use_banner, /* Display banner */
- *in_bitmap, /* Input bitmap */
- *file_extension, /* File extension */
- *orig_cmdline; /* Original command line */
-extern u8 *doc_path, /* Path to documentation dir */
- *target_path, /* Path to target binary */
- *out_file; /* File to fuzz, if any */
-
-extern u32 exec_tmout; /* Configurable exec timeout (ms) */
-extern u32 hang_tmout; /* Timeout used for hang det (ms) */
-
-extern u64 mem_limit; /* Memory cap for child (MB) */
-
-extern u8 cal_cycles, /* Calibration cycles defaults */
- cal_cycles_long,
- debug, /* Debug mode */
- python_only; /* Python-only mode */
-
-extern u32 stats_update_freq; /* Stats update frequency (execs) */
+extern s32 key_lv;
+
+extern u8 *in_dir, /* Input directory with test cases */
+ *out_dir, /* Working & output directory */
+ *tmp_dir, /* Temporary directory for input */
+ *sync_dir, /* Synchronization directory */
+ *sync_id, /* Fuzzer ID */
+ *power_name, /* Power schedule name */
+ *use_banner, /* Display banner */
+ *in_bitmap, /* Input bitmap */
+ *file_extension, /* File extension */
+ *orig_cmdline; /* Original command line */
+extern u8 *doc_path, /* Path to documentation dir */
+ *target_path, /* Path to target binary */
+ *out_file; /* File to fuzz, if any */
+
+extern u32 exec_tmout; /* Configurable exec timeout (ms) */
+extern u32 hang_tmout; /* Timeout used for hang det (ms) */
+
+extern u64 mem_limit; /* Memory cap for child (MB) */
+
+extern u8 cal_cycles, /* Calibration cycles defaults */
+ cal_cycles_long, debug, /* Debug mode */
+ python_only; /* Python-only mode */
+
+extern u32 stats_update_freq; /* Stats update frequency (execs) */
enum {
- /* 00 */ EXPLORE, /* AFL default, Exploration-based constant schedule */
- /* 01 */ FAST, /* Exponential schedule */
- /* 02 */ COE, /* Cut-Off Exponential schedule */
- /* 03 */ LIN, /* Linear schedule */
- /* 04 */ QUAD, /* Quadratic schedule */
- /* 05 */ EXPLOIT, /* AFL's exploitation-based const. */
-
+
+ /* 00 */ EXPLORE, /* AFL default, Exploration-based constant schedule */
+ /* 01 */ FAST, /* Exponential schedule */
+ /* 02 */ COE, /* Cut-Off Exponential schedule */
+ /* 03 */ LIN, /* Linear schedule */
+ /* 04 */ QUAD, /* Quadratic schedule */
+ /* 05 */ EXPLOIT, /* AFL's exploitation-based const. */
+
POWER_SCHEDULES_NUM
+
};
-extern char *power_names[POWER_SCHEDULES_NUM];
+extern char* power_names[POWER_SCHEDULES_NUM];
-extern u8 schedule; /* Power schedule (default: EXPLORE)*/
+extern u8 schedule; /* Power schedule (default: EXPLORE)*/
extern u8 havoc_max_mult;
-extern u8 skip_deterministic, /* Skip deterministic stages? */
- force_deterministic, /* Force deterministic stages? */
- use_splicing, /* Recombine input files? */
- dumb_mode, /* Run in non-instrumented mode? */
- score_changed, /* Scoring for favorites changed? */
- kill_signal, /* Signal that killed the child */
- resuming_fuzz, /* Resuming an older fuzzing job? */
- timeout_given, /* Specific timeout given? */
- not_on_tty, /* stdout is not a tty */
- term_too_small, /* terminal dimensions too small */
- no_forkserver, /* Disable forkserver? */
- crash_mode, /* Crash mode! Yeah! */
- in_place_resume, /* Attempt in-place resume? */
- auto_changed, /* Auto-generated tokens changed? */
- no_cpu_meter_red, /* Feng shui on the status screen */
- no_arith, /* Skip most arithmetic ops */
- shuffle_queue, /* Shuffle input queue? */
- bitmap_changed, /* Time to update bitmap? */
- qemu_mode, /* Running in QEMU mode? */
- unicorn_mode, /* Running in Unicorn mode? */
- skip_requested, /* Skip request, via SIGUSR1 */
- run_over10m, /* Run time over 10 minutes? */
- persistent_mode, /* Running in persistent mode? */
- deferred_mode, /* Deferred forkserver mode? */
- fixed_seed, /* do not reseed */
- fast_cal, /* Try to calibrate faster? */
- uses_asan; /* Target uses ASAN? */
-
-extern s32 out_fd, /* Persistent fd for out_file */
+extern u8 skip_deterministic, /* Skip deterministic stages? */
+ force_deterministic, /* Force deterministic stages? */
+ use_splicing, /* Recombine input files? */
+ dumb_mode, /* Run in non-instrumented mode? */
+ score_changed, /* Scoring for favorites changed? */
+ kill_signal, /* Signal that killed the child */
+ resuming_fuzz, /* Resuming an older fuzzing job? */
+ timeout_given, /* Specific timeout given? */
+ not_on_tty, /* stdout is not a tty */
+ term_too_small, /* terminal dimensions too small */
+ no_forkserver, /* Disable forkserver? */
+ crash_mode, /* Crash mode! Yeah! */
+ in_place_resume, /* Attempt in-place resume? */
+ auto_changed, /* Auto-generated tokens changed? */
+ no_cpu_meter_red, /* Feng shui on the status screen */
+ no_arith, /* Skip most arithmetic ops */
+ shuffle_queue, /* Shuffle input queue? */
+ bitmap_changed, /* Time to update bitmap? */
+ qemu_mode, /* Running in QEMU mode? */
+ unicorn_mode, /* Running in Unicorn mode? */
+ skip_requested, /* Skip request, via SIGUSR1 */
+ run_over10m, /* Run time over 10 minutes? */
+ persistent_mode, /* Running in persistent mode? */
+ deferred_mode, /* Deferred forkserver mode? */
+ fixed_seed, /* do not reseed */
+ fast_cal, /* Try to calibrate faster? */
+ uses_asan; /* Target uses ASAN? */
+
+extern s32 out_fd, /* Persistent fd for out_file */
#ifndef HAVE_ARC4RANDOM
- dev_urandom_fd, /* Persistent fd for /dev/urandom */
+ dev_urandom_fd, /* Persistent fd for /dev/urandom */
#endif
- dev_null_fd, /* Persistent fd for /dev/null */
- fsrv_ctl_fd, /* Fork server control pipe (write) */
- fsrv_st_fd; /* Fork server status pipe (read) */
-
-extern s32 forksrv_pid, /* PID of the fork server */
- child_pid, /* PID of the fuzzed program */
- out_dir_fd; /* FD of the lock file */
-
-extern u8* trace_bits; /* SHM with instrumentation bitmap */
-
-extern u8 virgin_bits[MAP_SIZE], /* Regions yet untouched by fuzzing */
- virgin_tmout[MAP_SIZE], /* Bits we haven't seen in tmouts */
- virgin_crash[MAP_SIZE]; /* Bits we haven't seen in crashes */
-
-extern u8 var_bytes[MAP_SIZE]; /* Bytes that appear to be variable */
-
-extern volatile u8 stop_soon, /* Ctrl-C pressed? */
- clear_screen, /* Window resized? */
- child_timed_out; /* Traced process timed out? */
-
-extern u32 queued_paths, /* Total number of queued testcases */
- queued_variable, /* Testcases with variable behavior */
- queued_at_start, /* Total number of initial inputs */
- queued_discovered, /* Items discovered during this run */
- queued_imported, /* Items imported via -S */
- queued_favored, /* Paths deemed favorable */
- queued_with_cov, /* Paths with new coverage bytes */
- pending_not_fuzzed, /* Queued but not done yet */
- pending_favored, /* Pending favored paths */
- cur_skipped_paths, /* Abandoned inputs in cur cycle */
- cur_depth, /* Current path depth */
- max_depth, /* Max path depth */
- useless_at_start, /* Number of useless starting paths */
- var_byte_count, /* Bitmap bytes with var behavior */
- current_entry, /* Current queue entry ID */
- havoc_div; /* Cycle count divisor for havoc */
-
-extern u64 total_crashes, /* Total number of crashes */
- unique_crashes, /* Crashes with unique signatures */
- total_tmouts, /* Total number of timeouts */
- unique_tmouts, /* Timeouts with unique signatures */
- unique_hangs, /* Hangs with unique signatures */
- total_execs, /* Total execve() calls */
- slowest_exec_ms, /* Slowest testcase non hang in ms */
- start_time, /* Unix start time (ms) */
- last_path_time, /* Time for most recent path (ms) */
- last_crash_time, /* Time for most recent crash (ms) */
- last_hang_time, /* Time for most recent hang (ms) */
- last_crash_execs, /* Exec counter at last crash */
- queue_cycle, /* Queue round counter */
- cycles_wo_finds, /* Cycles without any new paths */
- trim_execs, /* Execs done to trim input files */
- bytes_trim_in, /* Bytes coming into the trimmer */
- bytes_trim_out, /* Bytes coming outa the trimmer */
- blocks_eff_total, /* Blocks subject to effector maps */
- blocks_eff_select; /* Blocks selected as fuzzable */
-
-extern u32 subseq_tmouts; /* Number of timeouts in a row */
-
-extern u8 *stage_name, /* Name of the current fuzz stage */
- *stage_short, /* Short stage name */
- *syncing_party; /* Currently syncing with... */
-
-extern s32 stage_cur, stage_max; /* Stage progression */
-extern s32 splicing_with; /* Splicing with which test case? */
-
-extern u32 master_id, master_max; /* Master instance job splitting */
-
-extern u32 syncing_case; /* Syncing with case #... */
-
-extern s32 stage_cur_byte, /* Byte offset of current stage op */
- stage_cur_val; /* Value used for stage op */
-
-extern u8 stage_val_type; /* Value type (STAGE_VAL_*) */
-
-extern u64 stage_finds[32], /* Patterns found per fuzz stage */
- stage_cycles[32]; /* Execs per fuzz stage */
+ dev_null_fd, /* Persistent fd for /dev/null */
+ fsrv_ctl_fd, /* Fork server control pipe (write) */
+ fsrv_st_fd; /* Fork server status pipe (read) */
+
+extern s32 forksrv_pid, /* PID of the fork server */
+ child_pid, /* PID of the fuzzed program */
+ out_dir_fd; /* FD of the lock file */
+
+extern u8* trace_bits; /* SHM with instrumentation bitmap */
+
+extern u8 virgin_bits[MAP_SIZE], /* Regions yet untouched by fuzzing */
+ virgin_tmout[MAP_SIZE], /* Bits we haven't seen in tmouts */
+ virgin_crash[MAP_SIZE]; /* Bits we haven't seen in crashes */
+
+extern u8 var_bytes[MAP_SIZE]; /* Bytes that appear to be variable */
+
+extern volatile u8 stop_soon, /* Ctrl-C pressed? */
+ clear_screen, /* Window resized? */
+ child_timed_out; /* Traced process timed out? */
+
+extern u32 queued_paths, /* Total number of queued testcases */
+ queued_variable, /* Testcases with variable behavior */
+ queued_at_start, /* Total number of initial inputs */
+ queued_discovered, /* Items discovered during this run */
+ queued_imported, /* Items imported via -S */
+ queued_favored, /* Paths deemed favorable */
+ queued_with_cov, /* Paths with new coverage bytes */
+ pending_not_fuzzed, /* Queued but not done yet */
+ pending_favored, /* Pending favored paths */
+ cur_skipped_paths, /* Abandoned inputs in cur cycle */
+ cur_depth, /* Current path depth */
+ max_depth, /* Max path depth */
+ useless_at_start, /* Number of useless starting paths */
+ var_byte_count, /* Bitmap bytes with var behavior */
+ current_entry, /* Current queue entry ID */
+ havoc_div; /* Cycle count divisor for havoc */
+
+extern u64 total_crashes, /* Total number of crashes */
+ unique_crashes, /* Crashes with unique signatures */
+ total_tmouts, /* Total number of timeouts */
+ unique_tmouts, /* Timeouts with unique signatures */
+ unique_hangs, /* Hangs with unique signatures */
+ total_execs, /* Total execve() calls */
+ slowest_exec_ms, /* Slowest testcase non hang in ms */
+ start_time, /* Unix start time (ms) */
+ last_path_time, /* Time for most recent path (ms) */
+ last_crash_time, /* Time for most recent crash (ms) */
+ last_hang_time, /* Time for most recent hang (ms) */
+ last_crash_execs, /* Exec counter at last crash */
+ queue_cycle, /* Queue round counter */
+ cycles_wo_finds, /* Cycles without any new paths */
+ trim_execs, /* Execs done to trim input files */
+ bytes_trim_in, /* Bytes coming into the trimmer */
+ bytes_trim_out, /* Bytes coming outa the trimmer */
+ blocks_eff_total, /* Blocks subject to effector maps */
+ blocks_eff_select; /* Blocks selected as fuzzable */
+
+extern u32 subseq_tmouts; /* Number of timeouts in a row */
+
+extern u8 *stage_name, /* Name of the current fuzz stage */
+ *stage_short, /* Short stage name */
+ *syncing_party; /* Currently syncing with... */
+
+extern s32 stage_cur, stage_max; /* Stage progression */
+extern s32 splicing_with; /* Splicing with which test case? */
+
+extern u32 master_id, master_max; /* Master instance job splitting */
+
+extern u32 syncing_case; /* Syncing with case #... */
+
+extern s32 stage_cur_byte, /* Byte offset of current stage op */
+ stage_cur_val; /* Value used for stage op */
+
+extern u8 stage_val_type; /* Value type (STAGE_VAL_*) */
+
+extern u64 stage_finds[32], /* Patterns found per fuzz stage */
+ stage_cycles[32]; /* Execs per fuzz stage */
#ifndef HAVE_ARC4RANDOM
-extern u32 rand_cnt; /* Random number counter */
+extern u32 rand_cnt; /* Random number counter */
#endif
-extern u64 total_cal_us, /* Total calibration time (us) */
- total_cal_cycles; /* Total calibration cycles */
+extern u64 total_cal_us, /* Total calibration time (us) */
+ total_cal_cycles; /* Total calibration cycles */
-extern u64 total_bitmap_size, /* Total bit count for all bitmaps */
- total_bitmap_entries; /* Number of bitmaps counted */
+extern u64 total_bitmap_size, /* Total bit count for all bitmaps */
+ total_bitmap_entries; /* Number of bitmaps counted */
-extern s32 cpu_core_count; /* CPU core count */
+extern s32 cpu_core_count; /* CPU core count */
#ifdef HAVE_AFFINITY
-extern s32 cpu_aff; /* Selected CPU core */
+extern s32 cpu_aff; /* Selected CPU core */
#endif /* HAVE_AFFINITY */
-extern FILE* plot_file; /* Gnuplot output file */
-
+extern FILE* plot_file; /* Gnuplot output file */
-
-extern struct queue_entry *queue, /* Fuzzing queue (linked list) */
- *queue_cur, /* Current offset within the queue */
- *queue_top, /* Top of the list */
- *q_prev100; /* Previous 100 marker */
+extern struct queue_entry *queue, /* Fuzzing queue (linked list) */
+ *queue_cur, /* Current offset within the queue */
+ *queue_top, /* Top of the list */
+ *q_prev100; /* Previous 100 marker */
extern struct queue_entry*
- top_rated[MAP_SIZE]; /* Top entries for bitmap bytes */
+ top_rated[MAP_SIZE]; /* Top entries for bitmap bytes */
-extern struct extra_data* extras; /* Extra tokens to fuzz with */
-extern u32 extras_cnt; /* Total number of tokens read */
+extern struct extra_data* extras; /* Extra tokens to fuzz with */
+extern u32 extras_cnt; /* Total number of tokens read */
-extern struct extra_data* a_extras; /* Automatically selected extras */
-extern u32 a_extras_cnt; /* Total number of tokens available */
+extern struct extra_data* a_extras; /* Automatically selected extras */
+extern u32 a_extras_cnt; /* Total number of tokens available */
u8* (*post_handler)(u8* buf, u32* len);
/* hooks for the custom mutator function */
-size_t (*custom_mutator)(u8 *data, size_t size, u8* mutated_out, size_t max_size, unsigned int seed);
-size_t (*pre_save_handler)(u8 *data, size_t size, u8 **new_data);
+size_t (*custom_mutator)(u8* data, size_t size, u8* mutated_out,
+ size_t max_size, unsigned int seed);
+size_t (*pre_save_handler)(u8* data, size_t size, u8** new_data);
/* Interesting values, as per config.h */
extern s8 interesting_8[INTERESTING_8_LEN];
extern s16 interesting_16[INTERESTING_8_LEN + INTERESTING_16_LEN];
-extern s32 interesting_32[INTERESTING_8_LEN + INTERESTING_16_LEN + INTERESTING_32_LEN];
+extern s32
+ interesting_32[INTERESTING_8_LEN + INTERESTING_16_LEN + INTERESTING_32_LEN];
/* Python stuff */
#ifdef USE_PYTHON
-#include <Python.h>
+# include <Python.h>
-extern PyObject *py_module;
+extern PyObject* py_module;
enum {
+
/* 00 */ PY_FUNC_INIT,
/* 01 */ PY_FUNC_FUZZ,
/* 02 */ PY_FUNC_INIT_TRIM,
/* 03 */ PY_FUNC_POST_TRIM,
/* 04 */ PY_FUNC_TRIM,
PY_FUNC_COUNT
+
};
-extern PyObject *py_functions[PY_FUNC_COUNT];
+extern PyObject* py_functions[PY_FUNC_COUNT];
#endif
@@ -462,13 +455,13 @@ extern PyObject *py_functions[PY_FUNC_COUNT];
/* Python */
#ifdef USE_PYTHON
-int init_py();
+int init_py();
void finalize_py();
void fuzz_py(char*, size_t, char*, size_t, char**, size_t*);
-u32 init_trim_py(char*, size_t);
-u32 post_trim_py(char);
+u32 init_trim_py(char*, size_t);
+u32 post_trim_py(char);
void trim_py(char**, size_t*);
-u8 trim_case_python(char**, struct queue_entry*, u8*);
+u8 trim_case_python(char**, struct queue_entry*, u8*);
#endif
/* Queue */
@@ -480,16 +473,16 @@ void add_to_queue(u8*, u32, u8);
void destroy_queue(void);
void update_bitmap_score(struct queue_entry*);
void cull_queue(void);
-u32 calculate_score(struct queue_entry*);
+u32 calculate_score(struct queue_entry*);
/* Bitmap */
void write_bitmap(void);
void read_bitmap(u8*);
-u8 has_new_bits(u8*);
-u32 count_bits(u8*);
-u32 count_bytes(u8*);
-u32 count_non_255_bytes(u8*);
+u8 has_new_bits(u8*);
+u32 count_bits(u8*);
+u32 count_bytes(u8*);
+u32 count_non_255_bytes(u8*);
#ifdef __x86_64__
void simplify_trace(u64*);
void classify_counts(u64*);
@@ -529,51 +522,51 @@ void show_init_stats(void);
/* Run */
-u8 run_target(char**, u32);
+u8 run_target(char**, u32);
void write_to_testcase(void*, u32);
void write_with_gap(void*, u32, u32, u32);
-u8 calibrate_case(char**, struct queue_entry*, u8*, u32, u8);
+u8 calibrate_case(char**, struct queue_entry*, u8*, u32, u8);
void sync_fuzzers(char**);
-u8 trim_case(char**, struct queue_entry*, u8*);
-u8 common_fuzz_stuff(char**, u8*, u32);
+u8 trim_case(char**, struct queue_entry*, u8*);
+u8 common_fuzz_stuff(char**, u8*, u32);
/* Fuzz one */
-u8 fuzz_one_original(char**);
+u8 fuzz_one_original(char**);
static u8 pilot_fuzzing(char**);
-u8 core_fuzzing(char**);
-void pso_updating(void);
-u8 fuzz_one(char**);
+u8 core_fuzzing(char**);
+void pso_updating(void);
+u8 fuzz_one(char**);
/* Init */
#ifdef HAVE_AFFINITY
void bind_to_free_cpu(void);
#endif
-void setup_post(void);
-void setup_custom_mutator(void);
-void read_testcases(void);
-void perform_dry_run(char**);
-void pivot_inputs(void);
-u32 find_start_position(void);
-void find_timeout(void);
+void setup_post(void);
+void setup_custom_mutator(void);
+void read_testcases(void);
+void perform_dry_run(char**);
+void pivot_inputs(void);
+u32 find_start_position(void);
+void find_timeout(void);
double get_runnable_processes(void);
-void nuke_resume_dir(void);
-void maybe_delete_out_dir(void);
-void setup_dirs_fds(void);
-void setup_cmdline_file(char**);
-void setup_stdio_file(void);
-void check_crash_handling(void);
-void check_cpu_governor(void);
-void get_core_count(void);
-void fix_up_sync(void);
-void check_asan_opts(void);
-void check_binary(u8*);
-void fix_up_banner(u8*);
-void check_if_tty(void);
-void setup_signal_handlers(void);
+void nuke_resume_dir(void);
+void maybe_delete_out_dir(void);
+void setup_dirs_fds(void);
+void setup_cmdline_file(char**);
+void setup_stdio_file(void);
+void check_crash_handling(void);
+void check_cpu_governor(void);
+void get_core_count(void);
+void fix_up_sync(void);
+void check_asan_opts(void);
+void check_binary(u8*);
+void fix_up_banner(u8*);
+void check_if_tty(void);
+void setup_signal_handlers(void);
char** get_qemu_argv(u8*, char**, int);
-void save_cmdline(u32, char**);
+void save_cmdline(u32, char**);
/**** Inline routines ****/
@@ -581,25 +574,27 @@ void save_cmdline(u32, char**);
have slight bias. */
static inline u32 UR(u32 limit) {
+
#ifdef HAVE_ARC4RANDOM
- if (fixed_seed) {
- return random() % limit;
- }
+ if (fixed_seed) { return random() % limit; }
/* The boundary not being necessarily a power of 2,
we need to ensure the result uniformity. */
return arc4random_uniform(limit);
#else
if (!fixed_seed && unlikely(!rand_cnt--)) {
+
u32 seed[2];
ck_read(dev_urandom_fd, &seed, sizeof(seed), "/dev/urandom");
srandom(seed[0]);
rand_cnt = (RESEED_RNG / 2) + (seed[1] % RESEED_RNG);
+
}
return random() % limit;
#endif
+
}
/* Find first power of two greater or equal to val (assuming val under
@@ -608,7 +603,8 @@ static inline u32 UR(u32 limit) {
static u64 next_p2(u64 val) {
u64 ret = 1;
- while (val > ret) ret <<= 1;
+ while (val > ret)
+ ret <<= 1;
return ret;
}
@@ -617,7 +613,7 @@ static u64 next_p2(u64 val) {
static u64 get_cur_time(void) {
- struct timeval tv;
+ struct timeval tv;
struct timezone tz;
gettimeofday(&tv, &tz);
@@ -626,12 +622,11 @@ static u64 get_cur_time(void) {
}
-
/* Get unix time in microseconds */
static u64 get_cur_time_us(void) {
- struct timeval tv;
+ struct timeval tv;
struct timezone tz;
gettimeofday(&tv, &tz);
diff --git a/include/alloc-inl.h b/include/alloc-inl.h
index 2f98da0e..4a4beff1 100644
--- a/include/alloc-inl.h
+++ b/include/alloc-inl.h
@@ -31,82 +31,105 @@
/* User-facing macro to sprintf() to a dynamically allocated buffer. */
-#define alloc_printf(_str...) ({ \
- u8* _tmp; \
- s32 _len = snprintf(NULL, 0, _str); \
+#define alloc_printf(_str...) \
+ ({ \
+ \
+ u8* _tmp; \
+ s32 _len = snprintf(NULL, 0, _str); \
if (_len < 0) FATAL("Whoa, snprintf() fails?!"); \
- _tmp = ck_alloc(_len + 1); \
- snprintf((char*)_tmp, _len + 1, _str); \
- _tmp; \
+ _tmp = ck_alloc(_len + 1); \
+ snprintf((char*)_tmp, _len + 1, _str); \
+ _tmp; \
+ \
})
/* Macro to enforce allocation limits as a last-resort defense against
integer overflows. */
-#define ALLOC_CHECK_SIZE(_s) do { \
- if ((_s) > MAX_ALLOC) \
- ABORT("Bad alloc request: %u bytes", (_s)); \
+#define ALLOC_CHECK_SIZE(_s) \
+ do { \
+ \
+ if ((_s) > MAX_ALLOC) ABORT("Bad alloc request: %u bytes", (_s)); \
+ \
} while (0)
/* Macro to check malloc() failures and the like. */
-#define ALLOC_CHECK_RESULT(_r, _s) do { \
- if (!(_r)) \
- ABORT("Out of memory: can't allocate %u bytes", (_s)); \
+#define ALLOC_CHECK_RESULT(_r, _s) \
+ do { \
+ \
+ if (!(_r)) ABORT("Out of memory: can't allocate %u bytes", (_s)); \
+ \
} while (0)
/* Magic tokens used to mark used / freed chunks. */
-#define ALLOC_MAGIC_C1 0xFF00FF00 /* Used head (dword) */
-#define ALLOC_MAGIC_F 0xFE00FE00 /* Freed head (dword) */
-#define ALLOC_MAGIC_C2 0xF0 /* Used tail (byte) */
+#define ALLOC_MAGIC_C1 0xFF00FF00 /* Used head (dword) */
+#define ALLOC_MAGIC_F 0xFE00FE00 /* Freed head (dword) */
+#define ALLOC_MAGIC_C2 0xF0 /* Used tail (byte) */
/* Positions of guard tokens in relation to the user-visible pointer. */
-#define ALLOC_C1(_ptr) (((u32*)(_ptr))[-2])
-#define ALLOC_S(_ptr) (((u32*)(_ptr))[-1])
-#define ALLOC_C2(_ptr) (((u8*)(_ptr))[ALLOC_S(_ptr)])
+#define ALLOC_C1(_ptr) (((u32*)(_ptr))[-2])
+#define ALLOC_S(_ptr) (((u32*)(_ptr))[-1])
+#define ALLOC_C2(_ptr) (((u8*)(_ptr))[ALLOC_S(_ptr)])
-#define ALLOC_OFF_HEAD 8
+#define ALLOC_OFF_HEAD 8
#define ALLOC_OFF_TOTAL (ALLOC_OFF_HEAD + 1)
/* Allocator increments for ck_realloc_block(). */
-#define ALLOC_BLK_INC 256
+#define ALLOC_BLK_INC 256
/* Sanity-checking macros for pointers. */
-#define CHECK_PTR(_p) do { \
- if (_p) { \
- if (ALLOC_C1(_p) ^ ALLOC_MAGIC_C1) {\
- if (ALLOC_C1(_p) == ALLOC_MAGIC_F) \
- ABORT("Use after free."); \
- else ABORT("Corrupted head alloc canary."); \
- } \
- } \
+#define CHECK_PTR(_p) \
+ do { \
+ \
+ if (_p) { \
+ \
+ if (ALLOC_C1(_p) ^ ALLOC_MAGIC_C1) { \
+ \
+ if (ALLOC_C1(_p) == ALLOC_MAGIC_F) \
+ ABORT("Use after free."); \
+ else \
+ ABORT("Corrupted head alloc canary."); \
+ \
+ } \
+ \
+ } \
+ \
} while (0)
/*
#define CHECK_PTR(_p) do { \
+ \
if (_p) { \
+ \
if (ALLOC_C1(_p) ^ ALLOC_MAGIC_C1) {\
+ \
if (ALLOC_C1(_p) == ALLOC_MAGIC_F) \
ABORT("Use after free."); \
else ABORT("Corrupted head alloc canary."); \
+ \
} \
if (ALLOC_C2(_p) ^ ALLOC_MAGIC_C2) \
ABORT("Corrupted tail alloc canary."); \
+ \
} \
+ \
} while (0)
*/
-#define CHECK_PTR_EXPR(_p) ({ \
- typeof (_p) _tmp = (_p); \
- CHECK_PTR(_tmp); \
- _tmp; \
+#define CHECK_PTR_EXPR(_p) \
+ ({ \
+ \
+ typeof(_p) _tmp = (_p); \
+ CHECK_PTR(_tmp); \
+ _tmp; \
+ \
})
-
/* Allocate a buffer, explicitly not zeroing it. Returns NULL for zero-sized
requests. */
@@ -123,14 +146,13 @@ static inline void* DFL_ck_alloc_nozero(u32 size) {
ret += ALLOC_OFF_HEAD;
ALLOC_C1(ret) = ALLOC_MAGIC_C1;
- ALLOC_S(ret) = size;
+ ALLOC_S(ret) = size;
ALLOC_C2(ret) = ALLOC_MAGIC_C2;
- return (void *)ret;
+ return (void*)ret;
}
-
/* Allocate a buffer, returning zeroed memory. */
static inline void* DFL_ck_alloc(u32 size) {
@@ -144,7 +166,6 @@ static inline void* DFL_ck_alloc(u32 size) {
}
-
/* Free memory, checking for double free and corrupted heap. When DEBUG_BUILD
is set, the old memory will be also clobbered with 0xFF. */
@@ -163,20 +184,19 @@ static inline void DFL_ck_free(void* mem) {
ALLOC_C1(mem) = ALLOC_MAGIC_F;
- u8 *realStart = mem;
+ u8* realStart = mem;
free(realStart - ALLOC_OFF_HEAD);
}
-
/* Re-allocate a buffer, checking for issues and zeroing any newly-added tail.
With DEBUG_BUILD, the buffer is always reallocated to a new addresses and the
old memory is clobbered with 0xFF. */
static inline void* DFL_ck_realloc(void* orig, u32 size) {
- u8* ret;
- u32 old_size = 0;
+ u8* ret;
+ u32 old_size = 0;
if (!size) {
@@ -193,9 +213,9 @@ static inline void* DFL_ck_realloc(void* orig, u32 size) {
ALLOC_C1(orig) = ALLOC_MAGIC_F;
#endif /* !DEBUG_BUILD */
- old_size = ALLOC_S(orig);
- u8 *origu8 = orig;
- origu8 -= ALLOC_OFF_HEAD;
+ old_size = ALLOC_S(orig);
+ u8* origu8 = orig;
+ origu8 -= ALLOC_OFF_HEAD;
orig = origu8;
ALLOC_CHECK_SIZE(old_size);
@@ -219,7 +239,7 @@ static inline void* DFL_ck_realloc(void* orig, u32 size) {
if (orig) {
- u8 *origu8 = orig;
+ u8* origu8 = orig;
memcpy(ret + ALLOC_OFF_HEAD, origu8 + ALLOC_OFF_HEAD, MIN(size, old_size));
memset(origu8 + ALLOC_OFF_HEAD, 0xFF, old_size);
@@ -234,17 +254,15 @@ static inline void* DFL_ck_realloc(void* orig, u32 size) {
ret += ALLOC_OFF_HEAD;
ALLOC_C1(ret) = ALLOC_MAGIC_C1;
- ALLOC_S(ret) = size;
+ ALLOC_S(ret) = size;
ALLOC_C2(ret) = ALLOC_MAGIC_C2;
- if (size > old_size)
- memset(ret + old_size, 0, size - old_size);
+ if (size > old_size) memset(ret + old_size, 0, size - old_size);
- return (void *)ret;
+ return (void*)ret;
}
-
/* Re-allocate a buffer with ALLOC_BLK_INC increments (used to speed up
repeated small reallocs without complicating the user code). */
@@ -268,13 +286,12 @@ static inline void* DFL_ck_realloc_block(void* orig, u32 size) {
}
-
/* Create a buffer with a copy of a string. Returns NULL for NULL inputs. */
static inline u8* DFL_ck_strdup(u8* str) {
- u8* ret;
- u32 size;
+ u8* ret;
+ u32 size;
if (!str) return NULL;
@@ -287,38 +304,36 @@ static inline u8* DFL_ck_strdup(u8* str) {
ret += ALLOC_OFF_HEAD;
ALLOC_C1(ret) = ALLOC_MAGIC_C1;
- ALLOC_S(ret) = size;
+ ALLOC_S(ret) = size;
ALLOC_C2(ret) = ALLOC_MAGIC_C2;
return memcpy(ret, str, size);
}
-
/* Create a buffer with a copy of a memory block. Returns NULL for zero-sized
or NULL inputs. */
static inline void* DFL_ck_memdup(void* mem, u32 size) {
- u8* ret;
+ u8* ret;
if (!mem || !size) return NULL;
ALLOC_CHECK_SIZE(size);
ret = malloc(size + ALLOC_OFF_TOTAL);
ALLOC_CHECK_RESULT(ret, size);
-
+
ret += ALLOC_OFF_HEAD;
ALLOC_C1(ret) = ALLOC_MAGIC_C1;
- ALLOC_S(ret) = size;
+ ALLOC_S(ret) = size;
ALLOC_C2(ret) = ALLOC_MAGIC_C2;
return memcpy(ret, mem, size);
}
-
/* Create a buffer with a block of text, appending a NUL terminator at the end.
Returns NULL for zero-sized or NULL inputs. */
@@ -331,11 +346,11 @@ static inline u8* DFL_ck_memdup_str(u8* mem, u32 size) {
ALLOC_CHECK_SIZE(size);
ret = malloc(size + ALLOC_OFF_TOTAL + 1);
ALLOC_CHECK_RESULT(ret, size);
-
+
ret += ALLOC_OFF_HEAD;
ALLOC_C1(ret) = ALLOC_MAGIC_C1;
- ALLOC_S(ret) = size;
+ ALLOC_S(ret) = size;
ALLOC_C2(ret) = ALLOC_MAGIC_C2;
memcpy(ret, mem, size);
@@ -345,22 +360,21 @@ static inline u8* DFL_ck_memdup_str(u8* mem, u32 size) {
}
-
#ifndef DEBUG_BUILD
/* In non-debug mode, we just do straightforward aliasing of the above functions
to user-visible names such as ck_alloc(). */
-#define ck_alloc DFL_ck_alloc
-#define ck_alloc_nozero DFL_ck_alloc_nozero
-#define ck_realloc DFL_ck_realloc
-#define ck_realloc_block DFL_ck_realloc_block
-#define ck_strdup DFL_ck_strdup
-#define ck_memdup DFL_ck_memdup
-#define ck_memdup_str DFL_ck_memdup_str
-#define ck_free DFL_ck_free
+# define ck_alloc DFL_ck_alloc
+# define ck_alloc_nozero DFL_ck_alloc_nozero
+# define ck_realloc DFL_ck_realloc
+# define ck_realloc_block DFL_ck_realloc_block
+# define ck_strdup DFL_ck_strdup
+# define ck_memdup DFL_ck_memdup
+# define ck_memdup_str DFL_ck_memdup_str
+# define ck_free DFL_ck_free
-#define alloc_report()
+# define alloc_report()
#else
@@ -369,34 +383,35 @@ static inline u8* DFL_ck_memdup_str(u8* mem, u32 size) {
/* Alloc tracking data structures: */
-#define ALLOC_BUCKETS 4096
+# define ALLOC_BUCKETS 4096
struct TRK_obj {
- void *ptr;
+
+ void* ptr;
char *file, *func;
- u32 line;
+ u32 line;
+
};
-#ifdef AFL_MAIN
+# ifdef AFL_MAIN
struct TRK_obj* TRK[ALLOC_BUCKETS];
u32 TRK_cnt[ALLOC_BUCKETS];
-# define alloc_report() TRK_report()
+# define alloc_report() TRK_report()
-#else
+# else
extern struct TRK_obj* TRK[ALLOC_BUCKETS];
-extern u32 TRK_cnt[ALLOC_BUCKETS];
+extern u32 TRK_cnt[ALLOC_BUCKETS];
-# define alloc_report()
+# define alloc_report()
-#endif /* ^AFL_MAIN */
+# endif /* ^AFL_MAIN */
/* Bucket-assigning function for a given pointer: */
-#define TRKH(_ptr) (((((u32)(_ptr)) >> 16) ^ ((u32)(_ptr))) % ALLOC_BUCKETS)
-
+# define TRKH(_ptr) (((((u32)(_ptr)) >> 16) ^ ((u32)(_ptr))) % ALLOC_BUCKETS)
/* Add a new entry to the list of allocated objects. */
@@ -415,7 +430,7 @@ static inline void TRK_alloc_buf(void* ptr, const char* file, const char* func,
if (!TRK[bucket][i].ptr) {
- TRK[bucket][i].ptr = ptr;
+ TRK[bucket][i].ptr = ptr;
TRK[bucket][i].file = (char*)file;
TRK[bucket][i].func = (char*)func;
TRK[bucket][i].line = line;
@@ -425,10 +440,10 @@ static inline void TRK_alloc_buf(void* ptr, const char* file, const char* func,
/* No space available - allocate more. */
- TRK[bucket] = DFL_ck_realloc_block(TRK[bucket],
- (TRK_cnt[bucket] + 1) * sizeof(struct TRK_obj));
+ TRK[bucket] = DFL_ck_realloc_block(
+ TRK[bucket], (TRK_cnt[bucket] + 1) * sizeof(struct TRK_obj));
- TRK[bucket][i].ptr = ptr;
+ TRK[bucket][i].ptr = ptr;
TRK[bucket][i].file = (char*)file;
TRK[bucket][i].func = (char*)func;
TRK[bucket][i].line = line;
@@ -437,7 +452,6 @@ static inline void TRK_alloc_buf(void* ptr, const char* file, const char* func,
}
-
/* Remove entry from the list of allocated objects. */
static inline void TRK_free_buf(void* ptr, const char* file, const char* func,
@@ -460,12 +474,11 @@ static inline void TRK_free_buf(void* ptr, const char* file, const char* func,
}
- WARNF("ALLOC: Attempt to free non-allocated memory in %s (%s:%u)",
- func, file, line);
+ WARNF("ALLOC: Attempt to free non-allocated memory in %s (%s:%u)", func, file,
+ line);
}
-
/* Do a final report on all non-deallocated objects. */
static inline void TRK_report(void) {
@@ -482,7 +495,6 @@ static inline void TRK_report(void) {
}
-
/* Simple wrappers for non-debugging functions: */
static inline void* TRK_ck_alloc(u32 size, const char* file, const char* func,
@@ -494,7 +506,6 @@ static inline void* TRK_ck_alloc(u32 size, const char* file, const char* func,
}
-
static inline void* TRK_ck_realloc(void* orig, u32 size, const char* file,
const char* func, u32 line) {
@@ -505,7 +516,6 @@ static inline void* TRK_ck_realloc(void* orig, u32 size, const char* file,
}
-
static inline void* TRK_ck_realloc_block(void* orig, u32 size, const char* file,
const char* func, u32 line) {
@@ -516,7 +526,6 @@ static inline void* TRK_ck_realloc_block(void* orig, u32 size, const char* file,
}
-
static inline void* TRK_ck_strdup(u8* str, const char* file, const char* func,
u32 line) {
@@ -526,7 +535,6 @@ static inline void* TRK_ck_strdup(u8* str, const char* file, const char* func,
}
-
static inline void* TRK_ck_memdup(void* mem, u32 size, const char* file,
const char* func, u32 line) {
@@ -536,7 +544,6 @@ static inline void* TRK_ck_memdup(void* mem, u32 size, const char* file,
}
-
static inline void* TRK_ck_memdup_str(void* mem, u32 size, const char* file,
const char* func, u32 line) {
@@ -546,9 +553,8 @@ static inline void* TRK_ck_memdup_str(void* mem, u32 size, const char* file,
}
-
-static inline void TRK_ck_free(void* ptr, const char* file,
- const char* func, u32 line) {
+static inline void TRK_ck_free(void* ptr, const char* file, const char* func,
+ u32 line) {
TRK_free_buf(ptr, file, func, line);
DFL_ck_free(ptr);
@@ -557,30 +563,27 @@ static inline void TRK_ck_free(void* ptr, const char* file,
/* Aliasing user-facing names to tracking functions: */
-#define ck_alloc(_p1) \
- TRK_ck_alloc(_p1, __FILE__, __FUNCTION__, __LINE__)
+# define ck_alloc(_p1) TRK_ck_alloc(_p1, __FILE__, __FUNCTION__, __LINE__)
-#define ck_alloc_nozero(_p1) \
- TRK_ck_alloc(_p1, __FILE__, __FUNCTION__, __LINE__)
+#define ck_alloc_nozero(_p1) TRK_ck_alloc(_p1, __FILE__, __FUNCTION__, __LINE__)
-#define ck_realloc(_p1, _p2) \
+# define ck_realloc(_p1, _p2)\
TRK_ck_realloc(_p1, _p2, __FILE__, __FUNCTION__, __LINE__)
-#define ck_realloc_block(_p1, _p2) \
+# define ck_realloc_block(_p1, _p2)\
TRK_ck_realloc_block(_p1, _p2, __FILE__, __FUNCTION__, __LINE__)
-#define ck_strdup(_p1) \
- TRK_ck_strdup(_p1, __FILE__, __FUNCTION__, __LINE__)
+# define ck_strdup(_p1) TRK_ck_strdup(_p1, __FILE__, __FUNCTION__, __LINE__)
-#define ck_memdup(_p1, _p2) \
+# define ck_memdup(_p1, _p2)\
TRK_ck_memdup(_p1, _p2, __FILE__, __FUNCTION__, __LINE__)
-#define ck_memdup_str(_p1, _p2) \
+# define ck_memdup_str(_p1, _p2)\
TRK_ck_memdup_str(_p1, _p2, __FILE__, __FUNCTION__, __LINE__)
-#define ck_free(_p1) \
- TRK_ck_free(_p1, __FILE__, __FUNCTION__, __LINE__)
+# define ck_free(_p1) TRK_ck_free(_p1, __FILE__, __FUNCTION__, __LINE__)
#endif /* ^!DEBUG_BUILD */
#endif /* ! _HAVE_ALLOC_INL_H */
+
diff --git a/include/android-ashmem.h b/include/android-ashmem.h
index a787c04b..a4b5bf30 100644
--- a/include/android-ashmem.h
+++ b/include/android-ashmem.h
@@ -8,74 +8,73 @@
#include <sys/mman.h>
#if __ANDROID_API__ >= 26
-#define shmat bionic_shmat
-#define shmctl bionic_shmctl
-#define shmdt bionic_shmdt
-#define shmget bionic_shmget
+# define shmat bionic_shmat
+# define shmctl bionic_shmctl
+# define shmdt bionic_shmdt
+# define shmget bionic_shmget
#endif
- #include <sys/shm.h>
+#include <sys/shm.h>
#undef shmat
#undef shmctl
#undef shmdt
#undef shmget
#include <stdio.h>
-#define ASHMEM_DEVICE "/dev/ashmem"
+#define ASHMEM_DEVICE "/dev/ashmem"
-static inline int shmctl(int __shmid, int __cmd, struct shmid_ds *__buf)
-{
- int ret = 0;
- if (__cmd == IPC_RMID) {
- int length = ioctl(__shmid, ASHMEM_GET_SIZE, NULL);
- struct ashmem_pin pin = {0, length};
- ret = ioctl(__shmid, ASHMEM_UNPIN, &pin);
- close(__shmid);
- }
+static inline int shmctl(int __shmid, int __cmd, struct shmid_ds *__buf) {
+
+ int ret = 0;
+ if (__cmd == IPC_RMID) {
+
+ int length = ioctl(__shmid, ASHMEM_GET_SIZE, NULL);
+ struct ashmem_pin pin = {0, length};
+ ret = ioctl(__shmid, ASHMEM_UNPIN, &pin);
+ close(__shmid);
+
+ }
+
+ return ret;
- return ret;
}
-static inline int shmget (key_t __key, size_t __size, int __shmflg)
-{
- int fd,ret;
- char ourkey[11];
+static inline int shmget(key_t __key, size_t __size, int __shmflg) {
+
+ int fd, ret;
+ char ourkey[11];
- fd = open(ASHMEM_DEVICE, O_RDWR);
- if (fd < 0)
- return fd;
+ fd = open(ASHMEM_DEVICE, O_RDWR);
+ if (fd < 0) return fd;
- sprintf(ourkey,"%d",__key);
- ret = ioctl(fd, ASHMEM_SET_NAME, ourkey);
- if (ret < 0)
- goto error;
+ sprintf(ourkey, "%d", __key);
+ ret = ioctl(fd, ASHMEM_SET_NAME, ourkey);
+ if (ret < 0) goto error;
- ret = ioctl(fd, ASHMEM_SET_SIZE, __size);
- if (ret < 0)
- goto error;
+ ret = ioctl(fd, ASHMEM_SET_SIZE, __size);
+ if (ret < 0) goto error;
- return fd;
+ return fd;
error:
- close(fd);
- return ret;
+ close(fd);
+ return ret;
+
}
-static inline void *shmat (int __shmid, const void *__shmaddr, int __shmflg)
-{
- int size;
+static inline void *shmat(int __shmid, const void *__shmaddr, int __shmflg) {
+
+ int size;
void *ptr;
-
+
size = ioctl(__shmid, ASHMEM_GET_SIZE, NULL);
- if (size < 0) {
- return NULL;
- }
+ if (size < 0) { return NULL; }
ptr = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, __shmid, 0);
- if (ptr == MAP_FAILED) {
- return NULL;
- }
-
+ if (ptr == MAP_FAILED) { return NULL; }
+
return ptr;
+
}
#endif
+
diff --git a/include/common.h b/include/common.h
index 161caa39..9845c2af 100644
--- a/include/common.h
+++ b/include/common.h
@@ -4,3 +4,4 @@
void detect_file_args(char **argv, u8 *prog_in);
#endif
+
diff --git a/include/config.h b/include/config.h
index 17836151..babba3bd 100644
--- a/include/config.h
+++ b/include/config.h
@@ -21,7 +21,7 @@
/* Version string: */
-#define VERSION "++2.53d" // c = release, d = volatile github dev
+#define VERSION "++2.53d" // c = release, d = volatile github dev
/******************************************************
* *
@@ -41,64 +41,64 @@
/* Default timeout for fuzzed code (milliseconds). This is the upper bound,
also used for detecting hangs; the actual value is auto-scaled: */
-#define EXEC_TIMEOUT 1000
+#define EXEC_TIMEOUT 1000
/* Timeout rounding factor when auto-scaling (milliseconds): */
-#define EXEC_TM_ROUND 20
+#define EXEC_TM_ROUND 20
/* Default memory limit for child process (MB): */
-#ifndef __x86_64__
-# define MEM_LIMIT 25
+#ifndef __x86_64__
+# define MEM_LIMIT 25
#else
-# define MEM_LIMIT 50
+# define MEM_LIMIT 50
#endif /* ^!__x86_64__ */
/* Default memory limit when running in QEMU mode (MB): */
-#define MEM_LIMIT_QEMU 200
+#define MEM_LIMIT_QEMU 200
/* Default memory limit when running in Unicorn mode (MB): */
-#define MEM_LIMIT_UNICORN 200
+#define MEM_LIMIT_UNICORN 200
/* Number of calibration cycles per every new test case (and for test
cases that show variable behavior): */
-#define CAL_CYCLES 8
-#define CAL_CYCLES_LONG 40
+#define CAL_CYCLES 8
+#define CAL_CYCLES_LONG 40
/* Number of subsequent timeouts before abandoning an input file: */
-#define TMOUT_LIMIT 250
+#define TMOUT_LIMIT 250
/* Maximum number of unique hangs or crashes to record: */
-#define KEEP_UNIQUE_HANG 500
-#define KEEP_UNIQUE_CRASH 5000
+#define KEEP_UNIQUE_HANG 500
+#define KEEP_UNIQUE_CRASH 5000
/* Baseline number of random tweaks during a single 'havoc' stage: */
-#define HAVOC_CYCLES 256
-#define HAVOC_CYCLES_INIT 1024
+#define HAVOC_CYCLES 256
+#define HAVOC_CYCLES_INIT 1024
/* Maximum multiplier for the above (should be a power of two, beware
of 32-bit int overflows): */
-#define HAVOC_MAX_MULT 16
+#define HAVOC_MAX_MULT 16
#define HAVOC_MAX_MULT_MOPT 32
/* Absolute minimum number of havoc cycles (after all adjustments): */
-#define HAVOC_MIN 16
+#define HAVOC_MIN 16
/* Power Schedule Divisor */
-#define POWER_BETA 1
-#define MAX_FACTOR (POWER_BETA * 32)
+#define POWER_BETA 1
+#define MAX_FACTOR (POWER_BETA * 32)
/* Maximum stacking for havoc-stage tweaks. The actual value is calculated
- like this:
+ like this:
n = random between 1 and HAVOC_STACK_POW2
stacking = 2^n
@@ -106,116 +106,116 @@
In other words, the default (n = 7) produces 2, 4, 8, 16, 32, 64, or
128 stacked tweaks: */
-#define HAVOC_STACK_POW2 7
+#define HAVOC_STACK_POW2 7
/* Caps on block sizes for cloning and deletion operations. Each of these
ranges has a 33% probability of getting picked, except for the first
two cycles where smaller blocks are favored: */
-#define HAVOC_BLK_SMALL 32
-#define HAVOC_BLK_MEDIUM 128
-#define HAVOC_BLK_LARGE 1500
+#define HAVOC_BLK_SMALL 32
+#define HAVOC_BLK_MEDIUM 128
+#define HAVOC_BLK_LARGE 1500
/* Extra-large blocks, selected very rarely (<5% of the time): */
-#define HAVOC_BLK_XL 32768
+#define HAVOC_BLK_XL 32768
/* Probabilities of skipping non-favored entries in the queue, expressed as
percentages: */
-#define SKIP_TO_NEW_PROB 99 /* ...when there are new, pending favorites */
-#define SKIP_NFAV_OLD_PROB 95 /* ...no new favs, cur entry already fuzzed */
-#define SKIP_NFAV_NEW_PROB 75 /* ...no new favs, cur entry not fuzzed yet */
+#define SKIP_TO_NEW_PROB 99 /* ...when there are new, pending favorites */
+#define SKIP_NFAV_OLD_PROB 95 /* ...no new favs, cur entry already fuzzed */
+#define SKIP_NFAV_NEW_PROB 75 /* ...no new favs, cur entry not fuzzed yet */
/* Splicing cycle count: */
-#define SPLICE_CYCLES 15
+#define SPLICE_CYCLES 15
/* Nominal per-splice havoc cycle length: */
-#define SPLICE_HAVOC 32
+#define SPLICE_HAVOC 32
/* Maximum offset for integer addition / subtraction stages: */
-#define ARITH_MAX 35
+#define ARITH_MAX 35
/* Limits for the test case trimmer. The absolute minimum chunk size; and
the starting and ending divisors for chopping up the input file: */
-#define TRIM_MIN_BYTES 4
-#define TRIM_START_STEPS 16
-#define TRIM_END_STEPS 1024
+#define TRIM_MIN_BYTES 4
+#define TRIM_START_STEPS 16
+#define TRIM_END_STEPS 1024
/* Maximum size of input file, in bytes (keep under 100MB): */
-#define MAX_FILE (1 * 1024 * 1024)
+#define MAX_FILE (1 * 1024 * 1024)
/* The same, for the test case minimizer: */
-#define TMIN_MAX_FILE (10 * 1024 * 1024)
+#define TMIN_MAX_FILE (10 * 1024 * 1024)
/* Block normalization steps for afl-tmin: */
-#define TMIN_SET_MIN_SIZE 4
-#define TMIN_SET_STEPS 128
+#define TMIN_SET_MIN_SIZE 4
+#define TMIN_SET_STEPS 128
/* Maximum dictionary token size (-x), in bytes: */
-#define MAX_DICT_FILE 128
+#define MAX_DICT_FILE 128
/* Length limits for auto-detected dictionary tokens: */
-#define MIN_AUTO_EXTRA 3
-#define MAX_AUTO_EXTRA 32
+#define MIN_AUTO_EXTRA 3
+#define MAX_AUTO_EXTRA 32
/* Maximum number of user-specified dictionary tokens to use in deterministic
steps; past this point, the "extras/user" step will be still carried out,
but with proportionally lower odds: */
-#define MAX_DET_EXTRAS 200
+#define MAX_DET_EXTRAS 200
/* Maximum number of auto-extracted dictionary tokens to actually use in fuzzing
(first value), and to keep in memory as candidates. The latter should be much
higher than the former. */
-#define USE_AUTO_EXTRAS 50
-#define MAX_AUTO_EXTRAS (USE_AUTO_EXTRAS * 10)
+#define USE_AUTO_EXTRAS 50
+#define MAX_AUTO_EXTRAS (USE_AUTO_EXTRAS * 10)
/* Scaling factor for the effector map used to skip some of the more
expensive deterministic steps. The actual divisor is set to
2^EFF_MAP_SCALE2 bytes: */
-#define EFF_MAP_SCALE2 3
+#define EFF_MAP_SCALE2 3
/* Minimum input file length at which the effector logic kicks in: */
-#define EFF_MIN_LEN 128
+#define EFF_MIN_LEN 128
/* Maximum effector density past which everything is just fuzzed
unconditionally (%): */
-#define EFF_MAX_PERC 90
+#define EFF_MAX_PERC 90
/* UI refresh frequency (Hz): */
-#define UI_TARGET_HZ 5
+#define UI_TARGET_HZ 5
/* Fuzzer stats file and plot update intervals (sec): */
-#define STATS_UPDATE_SEC 60
-#define PLOT_UPDATE_SEC 5
+#define STATS_UPDATE_SEC 60
+#define PLOT_UPDATE_SEC 5
/* Smoothing divisor for CPU load and exec speed stats (1 - no smoothing). */
-#define AVG_SMOOTHING 16
+#define AVG_SMOOTHING 16
/* Sync interval (every n havoc cycles): */
-#define SYNC_INTERVAL 5
+#define SYNC_INTERVAL 5
/* Output directory reuse grace period (minutes): */
-#define OUTPUT_GRACE 25
+#define OUTPUT_GRACE 25
/* Uncomment to use simple file names (id_NNNNNN): */
@@ -223,42 +223,42 @@
/* List of interesting values to use in fuzzing. */
-#define INTERESTING_8 \
- -128, /* Overflow signed 8-bit when decremented */ \
- -1, /* */ \
- 0, /* */ \
- 1, /* */ \
- 16, /* One-off with common buffer size */ \
- 32, /* One-off with common buffer size */ \
- 64, /* One-off with common buffer size */ \
- 100, /* One-off with common buffer size */ \
- 127 /* Overflow signed 8-bit when incremented */
+#define INTERESTING_8 \
+ -128, /* Overflow signed 8-bit when decremented */ \
+ -1, /* */ \
+ 0, /* */ \
+ 1, /* */ \
+ 16, /* One-off with common buffer size */ \
+ 32, /* One-off with common buffer size */ \
+ 64, /* One-off with common buffer size */ \
+ 100, /* One-off with common buffer size */ \
+ 127 /* Overflow signed 8-bit when incremented */
#define INTERESTING_8_LEN 9
-#define INTERESTING_16 \
- -32768, /* Overflow signed 16-bit when decremented */ \
- -129, /* Overflow signed 8-bit */ \
- 128, /* Overflow signed 8-bit */ \
- 255, /* Overflow unsig 8-bit when incremented */ \
- 256, /* Overflow unsig 8-bit */ \
- 512, /* One-off with common buffer size */ \
- 1000, /* One-off with common buffer size */ \
- 1024, /* One-off with common buffer size */ \
- 4096, /* One-off with common buffer size */ \
- 32767 /* Overflow signed 16-bit when incremented */
+#define INTERESTING_16 \
+ -32768, /* Overflow signed 16-bit when decremented */ \
+ -129, /* Overflow signed 8-bit */ \
+ 128, /* Overflow signed 8-bit */ \
+ 255, /* Overflow unsig 8-bit when incremented */ \
+ 256, /* Overflow unsig 8-bit */ \
+ 512, /* One-off with common buffer size */ \
+ 1000, /* One-off with common buffer size */ \
+ 1024, /* One-off with common buffer size */ \
+ 4096, /* One-off with common buffer size */ \
+ 32767 /* Overflow signed 16-bit when incremented */
#define INTERESTING_16_LEN 10
-#define INTERESTING_32 \
- -2147483648LL, /* Overflow signed 32-bit when decremented */ \
- -100663046, /* Large negative number (endian-agnostic) */ \
- -32769, /* Overflow signed 16-bit */ \
- 32768, /* Overflow signed 16-bit */ \
- 65535, /* Overflow unsig 16-bit when incremented */ \
- 65536, /* Overflow unsig 16 bit */ \
- 100663045, /* Large positive number (endian-agnostic) */ \
- 2147483647 /* Overflow signed 32-bit when incremented */
+#define INTERESTING_32 \
+ -2147483648LL, /* Overflow signed 32-bit when decremented */ \
+ -100663046, /* Large negative number (endian-agnostic) */ \
+ -32769, /* Overflow signed 16-bit */ \
+ 32768, /* Overflow signed 16-bit */ \
+ 65535, /* Overflow unsig 16-bit when incremented */ \
+ 65536, /* Overflow unsig 16 bit */ \
+ 100663045, /* Large positive number (endian-agnostic) */ \
+ 2147483647 /* Overflow signed 32-bit when incremented */
#define INTERESTING_32_LEN 8
@@ -270,57 +270,57 @@
/* Call count interval between reseeding the libc PRNG from /dev/urandom: */
-#define RESEED_RNG 10000
+#define RESEED_RNG 10000
/* Maximum line length passed from GCC to 'as' and used for parsing
configuration files: */
-#define MAX_LINE 8192
+#define MAX_LINE 8192
/* Environment variable used to pass SHM ID to the called program. */
-#define SHM_ENV_VAR "__AFL_SHM_ID"
+#define SHM_ENV_VAR "__AFL_SHM_ID"
/* Other less interesting, internal-only variables. */
-#define CLANG_ENV_VAR "__AFL_CLANG_MODE"
-#define AS_LOOP_ENV_VAR "__AFL_AS_LOOPCHECK"
-#define PERSIST_ENV_VAR "__AFL_PERSISTENT"
-#define DEFER_ENV_VAR "__AFL_DEFER_FORKSRV"
+#define CLANG_ENV_VAR "__AFL_CLANG_MODE"
+#define AS_LOOP_ENV_VAR "__AFL_AS_LOOPCHECK"
+#define PERSIST_ENV_VAR "__AFL_PERSISTENT"
+#define DEFER_ENV_VAR "__AFL_DEFER_FORKSRV"
/* In-code signatures for deferred and persistent mode. */
-#define PERSIST_SIG "##SIG_AFL_PERSISTENT##"
-#define DEFER_SIG "##SIG_AFL_DEFER_FORKSRV##"
+#define PERSIST_SIG "##SIG_AFL_PERSISTENT##"
+#define DEFER_SIG "##SIG_AFL_DEFER_FORKSRV##"
/* Distinctive bitmap signature used to indicate failed execution: */
-#define EXEC_FAIL_SIG 0xfee1dead
+#define EXEC_FAIL_SIG 0xfee1dead
/* Distinctive exit code used to indicate MSAN trip condition: */
-#define MSAN_ERROR 86
+#define MSAN_ERROR 86
/* Designated file descriptors for forkserver commands (the application will
use FORKSRV_FD and FORKSRV_FD + 1): */
-#define FORKSRV_FD 198
+#define FORKSRV_FD 198
/* Fork server init timeout multiplier: we'll wait the user-selected
timeout plus this much for the fork server to spin up. */
-#define FORK_WAIT_MULT 10
+#define FORK_WAIT_MULT 10
/* Calibration timeout adjustments, to be a bit more generous when resuming
fuzzing sessions or trying to calibrate already-added internal finds.
The first value is a percentage, the other is in milliseconds: */
-#define CAL_TMOUT_PERC 125
-#define CAL_TMOUT_ADD 50
+#define CAL_TMOUT_PERC 125
+#define CAL_TMOUT_ADD 50
/* Number of chances to calibrate a case before giving up: */
-#define CAL_CHANCES 3
+#define CAL_CHANCES 3
/* Map size for the traced binary (2^MAP_SIZE_POW2). Must be greater than
2; you probably want to keep it under 18 or so for performance reasons
@@ -328,28 +328,27 @@
problems with complex programs). You need to recompile the target binary
after changing this - otherwise, SEGVs may ensue. */
-#define MAP_SIZE_POW2 16
-#define MAP_SIZE (1 << MAP_SIZE_POW2)
+#define MAP_SIZE_POW2 16
+#define MAP_SIZE (1 << MAP_SIZE_POW2)
/* Maximum allocator request size (keep well under INT_MAX): */
-#define MAX_ALLOC 0x40000000
+#define MAX_ALLOC 0x40000000
/* A made-up hashing seed: */
-#define HASH_CONST 0xa5b35705
+#define HASH_CONST 0xa5b35705
/* Constants for afl-gotcpu to control busy loop timing: */
-#define CTEST_TARGET_MS 5000
-#define CTEST_CORE_TRG_MS 1000
-#define CTEST_BUSY_CYCLES (10 * 1000 * 1000)
+#define CTEST_TARGET_MS 5000
+#define CTEST_CORE_TRG_MS 1000
+#define CTEST_BUSY_CYCLES (10 * 1000 * 1000)
/* Enable NeverZero counters in QEMU mode */
#define AFL_QEMU_NOT_ZERO
-
/* Uncomment this to use inferior block-coverage-based instrumentation. Note
that you need to recompile the target binary for this to have any effect: */
@@ -368,3 +367,4 @@
// #define IGNORE_FINDS
#endif /* ! _HAVE_CONFIG_H */
+
diff --git a/include/debug.h b/include/debug.h
index c0044280..6a59ad7a 100644
--- a/include/debug.h
+++ b/include/debug.h
@@ -108,39 +108,39 @@
#ifdef FANCY_BOXES
-# define SET_G1 "\x1b)0" /* Set G1 for box drawing */
-# define RESET_G1 "\x1b)B" /* Reset G1 to ASCII */
-# define bSTART "\x0e" /* Enter G1 drawing mode */
-# define bSTOP "\x0f" /* Leave G1 drawing mode */
-# define bH "q" /* Horizontal line */
-# define bV "x" /* Vertical line */
-# define bLT "l" /* Left top corner */
-# define bRT "k" /* Right top corner */
-# define bLB "m" /* Left bottom corner */
-# define bRB "j" /* Right bottom corner */
-# define bX "n" /* Cross */
-# define bVR "t" /* Vertical, branch right */
-# define bVL "u" /* Vertical, branch left */
-# define bHT "v" /* Horizontal, branch top */
-# define bHB "w" /* Horizontal, branch bottom */
+# define SET_G1 "\x1b)0" /* Set G1 for box drawing */
+# define RESET_G1 "\x1b)B" /* Reset G1 to ASCII */
+# define bSTART "\x0e" /* Enter G1 drawing mode */
+# define bSTOP "\x0f" /* Leave G1 drawing mode */
+# define bH "q" /* Horizontal line */
+# define bV "x" /* Vertical line */
+# define bLT "l" /* Left top corner */
+# define bRT "k" /* Right top corner */
+# define bLB "m" /* Left bottom corner */
+# define bRB "j" /* Right bottom corner */
+# define bX "n" /* Cross */
+# define bVR "t" /* Vertical, branch right */
+# define bVL "u" /* Vertical, branch left */
+# define bHT "v" /* Horizontal, branch top */
+# define bHB "w" /* Horizontal, branch bottom */
#else
-# define SET_G1 ""
+# define SET_G1 ""
# define RESET_G1 ""
-# define bSTART ""
-# define bSTOP ""
-# define bH "-"
-# define bV "|"
-# define bLT "+"
-# define bRT "+"
-# define bLB "+"
-# define bRB "+"
-# define bX "+"
-# define bVR "+"
-# define bVL "+"
-# define bHT "+"
-# define bHB "+"
+# define bSTART ""
+# define bSTOP ""
+# define bH "-"
+# define bV "|"
+# define bLT "+"
+# define bRT "+"
+# define bLB "+"
+# define bRB "+"
+# define bX "+"
+# define bVR "+"
+# define bVL "+"
+# define bHT "+"
+# define bHB "+"
#endif /* ^FANCY_BOXES */
@@ -148,11 +148,11 @@
* Misc terminal codes *
***********************/
-#define TERM_HOME "\x1b[H"
-#define TERM_CLEAR TERM_HOME "\x1b[2J"
-#define cEOL "\x1b[0K"
-#define CURSOR_HIDE "\x1b[?25l"
-#define CURSOR_SHOW "\x1b[?25h"
+#define TERM_HOME "\x1b[H"
+#define TERM_CLEAR TERM_HOME "\x1b[2J"
+#define cEOL "\x1b[0K"
+#define CURSOR_HIDE "\x1b[?25l"
+#define CURSOR_SHOW "\x1b[?25h"
/************************
* Debug & error macros *
@@ -161,91 +161,125 @@
/* Just print stuff to the appropriate stream. */
#ifdef MESSAGES_TO_STDOUT
-# define SAYF(x...) printf(x)
-#else
-# define SAYF(x...) fprintf(stderr, x)
+# define SAYF(x...) printf(x)
+#else
+# define SAYF(x...) fprintf(stderr, x)
#endif /* ^MESSAGES_TO_STDOUT */
/* Show a prefixed warning. */
-#define WARNF(x...) do { \
+#define WARNF(x...) \
+ do { \
+ \
SAYF(cYEL "[!] " cBRI "WARNING: " cRST x); \
- SAYF(cRST "\n"); \
+ SAYF(cRST "\n"); \
+ \
} while (0)
/* Show a prefixed "doing something" message. */
-#define ACTF(x...) do { \
+#define ACTF(x...) \
+ do { \
+ \
SAYF(cLBL "[*] " cRST x); \
- SAYF(cRST "\n"); \
+ SAYF(cRST "\n"); \
+ \
} while (0)
/* Show a prefixed "success" message. */
-#define OKF(x...) do { \
+#define OKF(x...) \
+ do { \
+ \
SAYF(cLGN "[+] " cRST x); \
- SAYF(cRST "\n"); \
+ SAYF(cRST "\n"); \
+ \
} while (0)
/* Show a prefixed fatal error message (not used in afl). */
-#define BADF(x...) do { \
+#define BADF(x...) \
+ do { \
+ \
SAYF(cLRD "\n[-] " cRST x); \
- SAYF(cRST "\n"); \
+ SAYF(cRST "\n"); \
+ \
} while (0)
/* Die with a verbose non-OS fatal error message. */
-#define FATAL(x...) do { \
- SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD "\n[-] PROGRAM ABORT : " \
- cRST x); \
- SAYF(cLRD "\n Location : " cRST "%s(), %s:%u\n\n", \
- __FUNCTION__, __FILE__, __LINE__); \
- exit(1); \
+#define FATAL(x...) \
+ do { \
+ \
+ SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD \
+ "\n[-] PROGRAM ABORT : " cRST x); \
+ SAYF(cLRD "\n Location : " cRST "%s(), %s:%u\n\n", __FUNCTION__, \
+ __FILE__, __LINE__); \
+ exit(1); \
+ \
} while (0)
/* Die by calling abort() to provide a core dump. */
-#define ABORT(x...) do { \
- SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD "\n[-] PROGRAM ABORT : " \
- cRST x); \
- SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%u\n\n", \
- __FUNCTION__, __FILE__, __LINE__); \
- abort(); \
+#define ABORT(x...) \
+ do { \
+ \
+ SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD \
+ "\n[-] PROGRAM ABORT : " cRST x); \
+ SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%u\n\n", __FUNCTION__, \
+ __FILE__, __LINE__); \
+ abort(); \
+ \
} while (0)
/* Die while also including the output of perror(). */
-#define PFATAL(x...) do { \
- fflush(stdout); \
- SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD "\n[-] SYSTEM ERROR : " \
- cRST x); \
- SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%u\n", \
- __FUNCTION__, __FILE__, __LINE__); \
- SAYF(cLRD " OS message : " cRST "%s\n", strerror(errno)); \
- exit(1); \
+#define PFATAL(x...) \
+ do { \
+ \
+ fflush(stdout); \
+ SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD \
+ "\n[-] SYSTEM ERROR : " cRST x); \
+ SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%u\n", __FUNCTION__, \
+ __FILE__, __LINE__); \
+ SAYF(cLRD " OS message : " cRST "%s\n", strerror(errno)); \
+ exit(1); \
+ \
} while (0)
/* Die with FAULT() or PFAULT() depending on the value of res (used to
interpret different failure modes for read(), write(), etc). */
-#define RPFATAL(res, x...) do { \
- if (res < 0) PFATAL(x); else FATAL(x); \
+#define RPFATAL(res, x...) \
+ do { \
+ \
+ if (res < 0) \
+ PFATAL(x); \
+ else \
+ FATAL(x); \
+ \
} while (0)
/* Error-checking versions of read() and write() that call RPFATAL() as
appropriate. */
-#define ck_write(fd, buf, len, fn) do { \
- u32 _len = (len); \
- s32 _res = write(fd, buf, _len); \
+#define ck_write(fd, buf, len, fn) \
+ do { \
+ \
+ u32 _len = (len); \
+ s32 _res = write(fd, buf, _len); \
if (_res != _len) RPFATAL(_res, "Short write to %s", fn); \
+ \
} while (0)
-#define ck_read(fd, buf, len, fn) do { \
- u32 _len = (len); \
- s32 _res = read(fd, buf, _len); \
+#define ck_read(fd, buf, len, fn) \
+ do { \
+ \
+ u32 _len = (len); \
+ s32 _res = read(fd, buf, _len); \
if (_res != _len) RPFATAL(_res, "Short read from %s", fn); \
+ \
} while (0)
#endif /* ! _HAVE_DEBUG_H */
+
diff --git a/include/forkserver.h b/include/forkserver.h
index fa40d9c6..af5dab72 100644
--- a/include/forkserver.h
+++ b/include/forkserver.h
@@ -5,21 +5,21 @@ void handle_timeout(int sig);
void init_forkserver(char **argv);
#ifdef __APPLE__
-#define MSG_FORK_ON_APPLE \
- " - On MacOS X, the semantics of fork() syscalls are non-standard and " \
- "may\n" \
- " break afl-fuzz performance optimizations when running " \
- "platform-specific\n" \
+# define MSG_FORK_ON_APPLE \
+ " - On MacOS X, the semantics of fork() syscalls are non-standard and " \
+ "may\n" \
+ " break afl-fuzz performance optimizations when running " \
+ "platform-specific\n" \
" targets. To fix this, set AFL_NO_FORKSRV=1 in the environment.\n\n"
#else
-#define MSG_FORK_ON_APPLE ""
+# define MSG_FORK_ON_APPLE ""
#endif
#ifdef RLIMIT_AS
- #define MSG_ULIMIT_USAGE " ( ulimit -Sv $[%llu << 10];"
+# define MSG_ULIMIT_USAGE " ( ulimit -Sv $[%llu << 10];"
#else
- #define MSG_ULIMIT_USAGE " ( ulimit -Sd $[%llu << 10];"
+# define MSG_ULIMIT_USAGE " ( ulimit -Sd $[%llu << 10];"
#endif /* ^RLIMIT_AS */
-
#endif
+
diff --git a/include/hash.h b/include/hash.h
index f39a8257..5d0512a6 100644
--- a/include/hash.h
+++ b/include/hash.h
@@ -31,12 +31,12 @@
#ifdef __x86_64__
-#define ROL64(_x, _r) ((((u64)(_x)) << (_r)) | (((u64)(_x)) >> (64 - (_r))))
+# define ROL64(_x, _r) ((((u64)(_x)) << (_r)) | (((u64)(_x)) >> (64 - (_r))))
static inline u32 hash32(const void* key, u32 len, u32 seed) {
const u64* data = (u64*)key;
- u64 h1 = seed ^ len;
+ u64 h1 = seed ^ len;
len >>= 3;
@@ -45,12 +45,12 @@ static inline u32 hash32(const void* key, u32 len, u32 seed) {
u64 k1 = *data++;
k1 *= 0x87c37b91114253d5ULL;
- k1 = ROL64(k1, 31);
+ k1 = ROL64(k1, 31);
k1 *= 0x4cf5ad432745937fULL;
h1 ^= k1;
- h1 = ROL64(h1, 27);
- h1 = h1 * 5 + 0x52dce729;
+ h1 = ROL64(h1, 27);
+ h1 = h1 * 5 + 0x52dce729;
}
@@ -64,14 +64,14 @@ static inline u32 hash32(const void* key, u32 len, u32 seed) {
}
-#else
+#else
-#define ROL32(_x, _r) ((((u32)(_x)) << (_r)) | (((u32)(_x)) >> (32 - (_r))))
+# define ROL32(_x, _r) ((((u32)(_x)) << (_r)) | (((u32)(_x)) >> (32 - (_r))))
static inline u32 hash32(const void* key, u32 len, u32 seed) {
- const u32* data = (u32*)key;
- u32 h1 = seed ^ len;
+ const u32* data = (u32*)key;
+ u32 h1 = seed ^ len;
len >>= 2;
@@ -80,12 +80,12 @@ static inline u32 hash32(const void* key, u32 len, u32 seed) {
u32 k1 = *data++;
k1 *= 0xcc9e2d51;
- k1 = ROL32(k1, 15);
+ k1 = ROL32(k1, 15);
k1 *= 0x1b873593;
h1 ^= k1;
- h1 = ROL32(h1, 13);
- h1 = h1 * 5 + 0xe6546b64;
+ h1 = ROL32(h1, 13);
+ h1 = h1 * 5 + 0xe6546b64;
}
@@ -102,3 +102,4 @@ static inline u32 hash32(const void* key, u32 len, u32 seed) {
#endif /* ^__x86_64__ */
#endif /* !_HAVE_HASH_H */
+
diff --git a/include/sharedmem.h b/include/sharedmem.h
index 9aa44d0e..7e13b13b 100644
--- a/include/sharedmem.h
+++ b/include/sharedmem.h
@@ -5,3 +5,4 @@ void setup_shm(unsigned char dumb_mode);
void remove_shm(void);
#endif
+
diff --git a/include/types.h b/include/types.h
index 7606d4ed..60ae64c2 100644
--- a/include/types.h
+++ b/include/types.h
@@ -46,26 +46,31 @@ typedef unsigned long long u64;
typedef uint64_t u64;
#endif /* ^__x86_64__ */
-typedef int8_t s8;
-typedef int16_t s16;
-typedef int32_t s32;
-typedef int64_t s64;
+typedef int8_t s8;
+typedef int16_t s16;
+typedef int32_t s32;
+typedef int64_t s64;
#ifndef MIN
-# define MIN(_a,_b) ((_a) > (_b) ? (_b) : (_a))
-# define MAX(_a,_b) ((_a) > (_b) ? (_a) : (_b))
+# define MIN(_a, _b) ((_a) > (_b) ? (_b) : (_a))
+# define MAX(_a, _b) ((_a) > (_b) ? (_a) : (_b))
#endif /* !MIN */
-#define SWAP16(_x) ({ \
- u16 _ret = (_x); \
+#define SWAP16(_x) \
+ ({ \
+ \
+ u16 _ret = (_x); \
(u16)((_ret << 8) | (_ret >> 8)); \
+ \
})
-#define SWAP32(_x) ({ \
- u32 _ret = (_x); \
- (u32)((_ret << 24) | (_ret >> 24) | \
- ((_ret << 8) & 0x00FF0000) | \
- ((_ret >> 8) & 0x0000FF00)); \
+#define SWAP32(_x) \
+ ({ \
+ \
+ u32 _ret = (_x); \
+ (u32)((_ret << 24) | (_ret >> 24) | ((_ret << 8) & 0x00FF0000) | \
+ ((_ret >> 8) & 0x0000FF00)); \
+ \
})
#ifdef AFL_LLVM_PASS
@@ -77,15 +82,15 @@ typedef int64_t s64;
#define STRINGIFY_INTERNAL(x) #x
#define STRINGIFY(x) STRINGIFY_INTERNAL(x)
-#define MEM_BARRIER() \
- __asm__ volatile("" ::: "memory")
+#define MEM_BARRIER() __asm__ volatile("" ::: "memory")
#if __GNUC__ < 6
- #define likely(_x) (_x)
- #define unlikely(_x) (_x)
+# define likely(_x) (_x)
+# define unlikely(_x) (_x)
#else
- #define likely(_x) __builtin_expect(!!(_x), 1)
- #define unlikely(_x) __builtin_expect(!!(_x), 0)
+# define likely(_x) __builtin_expect(!!(_x), 1)
+# define unlikely(_x) __builtin_expect(!!(_x), 0)
#endif
#endif /* ! _HAVE_TYPES_H */
+
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-22 19:39:13 +0000