1*08b48e0bSAndroid Build Coastguard Worker /*
2*08b48e0bSAndroid Build Coastguard Worker american fuzzy lop++ - fuzzer header
3*08b48e0bSAndroid Build Coastguard Worker ------------------------------------
4*08b48e0bSAndroid Build Coastguard Worker
5*08b48e0bSAndroid Build Coastguard Worker Originally written by Michal Zalewski
6*08b48e0bSAndroid Build Coastguard Worker
7*08b48e0bSAndroid Build Coastguard Worker Now maintained by Marc Heuse <[email protected]>,
8*08b48e0bSAndroid Build Coastguard Worker Heiko Eißfeldt <[email protected]>,
9*08b48e0bSAndroid Build Coastguard Worker Andrea Fioraldi <[email protected]>,
10*08b48e0bSAndroid Build Coastguard Worker Dominik Maier <[email protected]>
11*08b48e0bSAndroid Build Coastguard Worker
12*08b48e0bSAndroid Build Coastguard Worker Copyright 2016, 2017 Google Inc. All rights reserved.
13*08b48e0bSAndroid Build Coastguard Worker Copyright 2019-2024 AFLplusplus Project. All rights reserved.
14*08b48e0bSAndroid Build Coastguard Worker
15*08b48e0bSAndroid Build Coastguard Worker Licensed under the Apache License, Version 2.0 (the "License");
16*08b48e0bSAndroid Build Coastguard Worker you may not use this file except in compliance with the License.
17*08b48e0bSAndroid Build Coastguard Worker You may obtain a copy of the License at:
18*08b48e0bSAndroid Build Coastguard Worker
19*08b48e0bSAndroid Build Coastguard Worker https://www.apache.org/licenses/LICENSE-2.0
20*08b48e0bSAndroid Build Coastguard Worker
21*08b48e0bSAndroid Build Coastguard Worker This is the real deal: the program takes an instrumented binary and
22*08b48e0bSAndroid Build Coastguard Worker attempts a variety of basic fuzzing tricks, paying close attention to
23*08b48e0bSAndroid Build Coastguard Worker how they affect the execution path.
24*08b48e0bSAndroid Build Coastguard Worker
25*08b48e0bSAndroid Build Coastguard Worker */
26*08b48e0bSAndroid Build Coastguard Worker
27*08b48e0bSAndroid Build Coastguard Worker #ifndef _AFL_FUZZ_H
28*08b48e0bSAndroid Build Coastguard Worker #define _AFL_FUZZ_H
29*08b48e0bSAndroid Build Coastguard Worker
30*08b48e0bSAndroid Build Coastguard Worker #define AFL_MAIN
31*08b48e0bSAndroid Build Coastguard Worker #define MESSAGES_TO_STDOUT
32*08b48e0bSAndroid Build Coastguard Worker
33*08b48e0bSAndroid Build Coastguard Worker #ifndef _GNU_SOURCE
34*08b48e0bSAndroid Build Coastguard Worker #define _GNU_SOURCE
35*08b48e0bSAndroid Build Coastguard Worker #endif
36*08b48e0bSAndroid Build Coastguard Worker #ifndef _FILE_OFFSET_BITS
37*08b48e0bSAndroid Build Coastguard Worker #define _FILE_OFFSET_BITS 64
38*08b48e0bSAndroid Build Coastguard Worker #endif
39*08b48e0bSAndroid Build Coastguard Worker
40*08b48e0bSAndroid Build Coastguard Worker #include "config.h"
41*08b48e0bSAndroid Build Coastguard Worker #include "types.h"
42*08b48e0bSAndroid Build Coastguard Worker #include "debug.h"
43*08b48e0bSAndroid Build Coastguard Worker #include "alloc-inl.h"
44*08b48e0bSAndroid Build Coastguard Worker #include "hash.h"
45*08b48e0bSAndroid Build Coastguard Worker #include "sharedmem.h"
46*08b48e0bSAndroid Build Coastguard Worker #include "forkserver.h"
47*08b48e0bSAndroid Build Coastguard Worker #include "common.h"
48*08b48e0bSAndroid Build Coastguard Worker
49*08b48e0bSAndroid Build Coastguard Worker #include <stdio.h>
50*08b48e0bSAndroid Build Coastguard Worker #include <unistd.h>
51*08b48e0bSAndroid Build Coastguard Worker #include <stdlib.h>
52*08b48e0bSAndroid Build Coastguard Worker #include <string.h>
53*08b48e0bSAndroid Build Coastguard Worker #include <time.h>
54*08b48e0bSAndroid Build Coastguard Worker #include <errno.h>
55*08b48e0bSAndroid Build Coastguard Worker #include <signal.h>
56*08b48e0bSAndroid Build Coastguard Worker #include <dirent.h>
57*08b48e0bSAndroid Build Coastguard Worker #include <ctype.h>
58*08b48e0bSAndroid Build Coastguard Worker #include <fcntl.h>
59*08b48e0bSAndroid Build Coastguard Worker #include <termios.h>
60*08b48e0bSAndroid Build Coastguard Worker #include <dlfcn.h>
61*08b48e0bSAndroid Build Coastguard Worker #include <sched.h>
62*08b48e0bSAndroid Build Coastguard Worker
63*08b48e0bSAndroid Build Coastguard Worker #include <netdb.h>
64*08b48e0bSAndroid Build Coastguard Worker #include <netinet/in.h>
65*08b48e0bSAndroid Build Coastguard Worker
66*08b48e0bSAndroid Build Coastguard Worker #include <sys/wait.h>
67*08b48e0bSAndroid Build Coastguard Worker #include <sys/time.h>
68*08b48e0bSAndroid Build Coastguard Worker #ifndef USEMMAP
69*08b48e0bSAndroid Build Coastguard Worker #include <sys/shm.h>
70*08b48e0bSAndroid Build Coastguard Worker #endif
71*08b48e0bSAndroid Build Coastguard Worker #include <sys/stat.h>
72*08b48e0bSAndroid Build Coastguard Worker #include <sys/types.h>
73*08b48e0bSAndroid Build Coastguard Worker #include <sys/resource.h>
74*08b48e0bSAndroid Build Coastguard Worker #include <sys/mman.h>
75*08b48e0bSAndroid Build Coastguard Worker #include <sys/ioctl.h>
76*08b48e0bSAndroid Build Coastguard Worker #include <sys/file.h>
77*08b48e0bSAndroid Build Coastguard Worker #include <sys/types.h>
78*08b48e0bSAndroid Build Coastguard Worker
79*08b48e0bSAndroid Build Coastguard Worker #if defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__) || \
80*08b48e0bSAndroid Build Coastguard Worker defined(__NetBSD__) || defined(__DragonFly__)
81*08b48e0bSAndroid Build Coastguard Worker #include <sys/sysctl.h>
82*08b48e0bSAndroid Build Coastguard Worker #endif /* __APPLE__ || __FreeBSD__ || __OpenBSD__ */
83*08b48e0bSAndroid Build Coastguard Worker
84*08b48e0bSAndroid Build Coastguard Worker #if defined(__HAIKU__)
85*08b48e0bSAndroid Build Coastguard Worker #include <kernel/OS.h>
86*08b48e0bSAndroid Build Coastguard Worker #include <kernel/scheduler.h>
87*08b48e0bSAndroid Build Coastguard Worker #endif
88*08b48e0bSAndroid Build Coastguard Worker
89*08b48e0bSAndroid Build Coastguard Worker /* For systems that have sched_setaffinity; right now just Linux, but one
90*08b48e0bSAndroid Build Coastguard Worker can hope... */
91*08b48e0bSAndroid Build Coastguard Worker
92*08b48e0bSAndroid Build Coastguard Worker #if defined(__linux__) || defined(__FreeBSD__) || defined(__NetBSD__) || \
93*08b48e0bSAndroid Build Coastguard Worker defined(__DragonFly__) || defined(__sun)
94*08b48e0bSAndroid Build Coastguard Worker #define HAVE_AFFINITY 1
95*08b48e0bSAndroid Build Coastguard Worker #if defined(__FreeBSD__) || defined(__DragonFly__)
96*08b48e0bSAndroid Build Coastguard Worker #include <sys/param.h>
97*08b48e0bSAndroid Build Coastguard Worker #if defined(__FreeBSD__)
98*08b48e0bSAndroid Build Coastguard Worker #include <sys/cpuset.h>
99*08b48e0bSAndroid Build Coastguard Worker #endif
100*08b48e0bSAndroid Build Coastguard Worker #include <sys/user.h>
101*08b48e0bSAndroid Build Coastguard Worker #include <pthread.h>
102*08b48e0bSAndroid Build Coastguard Worker #include <pthread_np.h>
103*08b48e0bSAndroid Build Coastguard Worker #define cpu_set_t cpuset_t
104*08b48e0bSAndroid Build Coastguard Worker #elif defined(__NetBSD__)
105*08b48e0bSAndroid Build Coastguard Worker #include <pthread.h>
106*08b48e0bSAndroid Build Coastguard Worker #elif defined(__sun)
107*08b48e0bSAndroid Build Coastguard Worker #include <sys/types.h>
108*08b48e0bSAndroid Build Coastguard Worker #include <kstat.h>
109*08b48e0bSAndroid Build Coastguard Worker #include <sys/sysinfo.h>
110*08b48e0bSAndroid Build Coastguard Worker #include <sys/pset.h>
111*08b48e0bSAndroid Build Coastguard Worker #include <strings.h>
112*08b48e0bSAndroid Build Coastguard Worker #endif
113*08b48e0bSAndroid Build Coastguard Worker #endif /* __linux__ */
114*08b48e0bSAndroid Build Coastguard Worker
115*08b48e0bSAndroid Build Coastguard Worker #ifdef __APPLE__
116*08b48e0bSAndroid Build Coastguard Worker #include <TargetConditionals.h>
117*08b48e0bSAndroid Build Coastguard Worker #endif
118*08b48e0bSAndroid Build Coastguard Worker
119*08b48e0bSAndroid Build Coastguard Worker #undef LIST_FOREACH /* clashes with FreeBSD */
120*08b48e0bSAndroid Build Coastguard Worker #include "list.h"
121*08b48e0bSAndroid Build Coastguard Worker #ifndef SIMPLE_FILES
122*08b48e0bSAndroid Build Coastguard Worker #define CASE_PREFIX "id:"
123*08b48e0bSAndroid Build Coastguard Worker #else
124*08b48e0bSAndroid Build Coastguard Worker #define CASE_PREFIX "id_"
125*08b48e0bSAndroid Build Coastguard Worker #endif /* ^!SIMPLE_FILES */
126*08b48e0bSAndroid Build Coastguard Worker
127*08b48e0bSAndroid Build Coastguard Worker #define STAGE_BUF_SIZE (64) /* usable size for stage name buf in afl_state */
128*08b48e0bSAndroid Build Coastguard Worker
129*08b48e0bSAndroid Build Coastguard Worker // Little helper to access the ptr to afl->##name_buf - for use in afl_realloc.
130*08b48e0bSAndroid Build Coastguard Worker #define AFL_BUF_PARAM(name) ((void **)&afl->name##_buf)
131*08b48e0bSAndroid Build Coastguard Worker
132*08b48e0bSAndroid Build Coastguard Worker #ifdef WORD_SIZE_64
133*08b48e0bSAndroid Build Coastguard Worker #define AFL_RAND_RETURN u64
134*08b48e0bSAndroid Build Coastguard Worker #else
135*08b48e0bSAndroid Build Coastguard Worker #define AFL_RAND_RETURN u32
136*08b48e0bSAndroid Build Coastguard Worker #endif
137*08b48e0bSAndroid Build Coastguard Worker
/* Tables of "interesting" integer values (defined in a .c file elsewhere).
   Each wider table is declared large enough to also hold the entries of the
   narrower ones — presumably so the 16-bit table carries the 8-bit values and
   the 32-bit table carries both; confirm against the definition. They are
   most likely what the STAGE_INTEREST8/16/32 stages below iterate over. */
extern s8 interesting_8[INTERESTING_8_LEN];
extern s16 interesting_16[INTERESTING_8_LEN + INTERESTING_16_LEN];
extern s32
    interesting_32[INTERESTING_8_LEN + INTERESTING_16_LEN + INTERESTING_32_LEN];
142*08b48e0bSAndroid Build Coastguard Worker
/* One tainted byte range of a test case, as a node of a doubly linked list
   (queue_entry.taint points at the head). pos/len are presumably an offset
   and length into the input buffer — callers must keep pos + len within the
   entry's len before using them as indices. */
struct tainted {

  u32             pos;  /* start of the tainted range               */
  u32             len;  /* length of the tainted range               */
  struct tainted *next; /* next range in the list, NULL at the tail  */
  struct tainted *prev; /* previous range, NULL at the head          */

};
151*08b48e0bSAndroid Build Coastguard Worker
/* Profiling counters for the inference stage (STAGE_INF). The cost fields
   are u64 accumulators; whether inf_time_cost is in microseconds like
   queue_entry.exec_us is not visible here — confirm at the update site. */
struct inf_profile {

  u32 inf_skipped_bytes;                 /* Inference Stage Profiling        */
  u64 inf_execs_cost, inf_time_cost;     /* executions / time spent          */

};
158*08b48e0bSAndroid Build Coastguard Worker
159*08b48e0bSAndroid Build Coastguard Worker /* ToDo: add cmplog profile as well */
/* Profiling counters comparing the deterministic and havoc stages: how many
   queue entries and edges each stage produced, and the time spent in each.
   The "total_*" members look like cross-cycle accumulators of the per-stage
   ones — confirm where they are reset. */
struct havoc_profile {

  u32 queued_det_stage,                  /* Det/Havoc Stage Profiling        */
      queued_havoc_stage, total_queued_det, edge_det_stage, edge_havoc_stage,
      total_det_edge;

  u64 det_stage_time, havoc_stage_time, total_det_time;

};
169*08b48e0bSAndroid Build Coastguard Worker
/* Per-queue-entry state for skipping deterministic stages. The two maps are
   heap buffers (owner and size not visible here; presumably one byte per
   input byte, sized by queue_entry.len — confirm at the allocation site). */
struct skipdet_entry {

  u8  continue_inf, done_eff;            /* inference / effector-map done?   */
  u32 undet_bits, quick_eff_bytes;

  u8 *skip_eff_map,                      /* set once the eff_map is finished */
      *done_inf_map;                     /* some bytes are not done yet      */

};
179*08b48e0bSAndroid Build Coastguard Worker
/* Fuzzer-wide state for the skip-deterministic logic: a threshold, a global
   bitmap of bits already fuzzed deterministically, and the inference
   profile. The virgin_det_bits buffer is presumably map-sized like the other
   virgin maps — confirm at the allocation site. */
struct skipdet_global {

  u8 use_skip_havoc;                     /* also skip into havoc?            */

  u32 undet_bits_threshold;              /* threshold on undet_bits          */

  u64 last_cov_undet;

  u8 *virgin_det_bits;                   /* global fuzzed bits               */

  struct inf_profile *inf_prof;          /* inference stage profiling        */

};
193*08b48e0bSAndroid Build Coastguard Worker
/* One test case in the fuzzing queue. The entry owns its file name and,
   while loaded, the testcase buffer (testcase_buf is NULL when not loaded —
   see the comment on it). trace_mini is reference counted through tc_ref,
   so callers must not free it directly. Fields under INTROSPECTION exist
   only in introspection builds; code touching them must be guarded the same
   way. */
struct queue_entry {

  u8 *fname;                             /* File name for the test case      */
  u32 len;                               /* Input length                     */
  u32 id;                                /* entry number in queue_buf        */

  u8 colorized,                          /* Do not run redqueen stage again  */
      cal_failed;                        /* Calibration failed?              */

  bool trim_done,                        /* Trimmed?                         */
      was_fuzzed,                        /* historical, but needed for MOpt  */
      passed_det,                        /* Deterministic stages passed?     */
      has_new_cov,                       /* Triggers new coverage?           */
      var_behavior,                      /* Variable behavior?               */
      favored,                           /* Currently favored?               */
      fs_redundant,                      /* Marked as redundant in the fs?   */
      is_ascii,                          /* Is the input just ascii text?    */
      disabled;                          /* Is disabled from fuzz selection  */

  u32 bitmap_size,                       /* Number of bits set in bitmap     */
#ifdef INTROSPECTION
      stats_selected,                    /* stats: how often selected        */
      stats_skipped,                     /* stats: how often skipped         */
      stats_finds,                       /* stats: # of saved finds          */
      stats_crashes,                     /* stats: # of saved crashes        */
      stats_tmouts,                      /* stats: # of saved timeouts       */
#endif
      fuzz_level,                        /* Number of fuzzing iterations     */
      n_fuzz_entry;                      /* offset in n_fuzz                 */

  u64 exec_us,                           /* Execution time (us)              */
      handicap,                          /* Number of queue cycles behind    */
      depth,                             /* Path depth                       */
      exec_cksum,                        /* Checksum of the execution trace  */
      custom,                            /* Marker for custom mutators       */
      stats_mutated;                     /* stats: # of mutations performed  */

  u8 *trace_mini;                        /* Trace bytes, if kept             */
  u32 tc_ref;                            /* Trace bytes ref count            */

#ifdef INTROSPECTION
  u32 bitsmap_size;
#endif

  double perf_score,                     /* performance score                */
      weight;                            /* selection weight                 */

  u8 *testcase_buf;                      /* The testcase buffer, if loaded.  */

  u8 *           cmplog_colorinput;      /* the result buf of colorization   */
  struct tainted *taint;                 /* Taint information from CmpLog    */

  struct queue_entry *mother;            /* queue entry this one is based on */

  struct skipdet_entry *skipdet_e;       /* skip-deterministic state, or NULL */

};
251*08b48e0bSAndroid Build Coastguard Worker
/* A user-supplied dictionary token (-x). data is a heap buffer of len bytes;
   whether it is NUL-terminated is not visible here, so treat it as binary
   and always bound accesses by len. */
struct extra_data {

  u8 *data;                              /* Dictionary token data            */
  u32 len;                               /* Dictionary token length          */
  u32 hit_cnt;                           /* Use count in the corpus          */

};
259*08b48e0bSAndroid Build Coastguard Worker
/* An automatically discovered dictionary token, stored inline. Because data
   is a fixed array, len must never exceed MAX_AUTO_EXTRA — any writer that
   fills data from an input must clamp to that bound first. */
struct auto_extra_data {

  u8  data[MAX_AUTO_EXTRA];              /* Dictionary token data            */
  u32 len;                               /* Dictionary token length          */
  u32 hit_cnt;                           /* Use count in the corpus          */

};
267*08b48e0bSAndroid Build Coastguard Worker
268*08b48e0bSAndroid Build Coastguard Worker /* Fuzzing stages */
269*08b48e0bSAndroid Build Coastguard Worker
/* Fuzzing stage identifiers. The numbers in the comments are the enum
   values; STAGE_NUM_MAX is a count sentinel, not a stage, and is the size
   to use for per-stage arrays. Note the separate STAGE_* macros further
   down (STAGE_RANDOMBYTE .. STAGE_Splice) are MOpt operator indices, not
   members of this enum. */
enum {

  /* 00 */ STAGE_FLIP1,
  /* 01 */ STAGE_FLIP2,
  /* 02 */ STAGE_FLIP4,
  /* 03 */ STAGE_FLIP8,
  /* 04 */ STAGE_FLIP16,
  /* 05 */ STAGE_FLIP32,
  /* 06 */ STAGE_ARITH8,
  /* 07 */ STAGE_ARITH16,
  /* 08 */ STAGE_ARITH32,
  /* 09 */ STAGE_INTEREST8,
  /* 10 */ STAGE_INTEREST16,
  /* 11 */ STAGE_INTEREST32,
  /* 12 */ STAGE_EXTRAS_UO,
  /* 13 */ STAGE_EXTRAS_UI,
  /* 14 */ STAGE_EXTRAS_AO,
  /* 15 */ STAGE_EXTRAS_AI,
  /* 16 */ STAGE_HAVOC,
  /* 17 */ STAGE_SPLICE,
  /* 18 */ STAGE_PYTHON,
  /* 19 */ STAGE_CUSTOM_MUTATOR,
  /* 20 */ STAGE_COLORIZATION,
  /* 21 */ STAGE_ITS,
  /* 22 */ STAGE_INF,
  /* 23 */ STAGE_QUICK,

  STAGE_NUM_MAX                          /* count sentinel, not a stage      */

};
300*08b48e0bSAndroid Build Coastguard Worker
301*08b48e0bSAndroid Build Coastguard Worker /* Stage value types */
302*08b48e0bSAndroid Build Coastguard Worker
/* Stage value types: how the value shown for the current stage is to be
   interpreted (none, little-endian or big-endian). No count sentinel here. */
enum {

  /* 00 */ STAGE_VAL_NONE,
  /* 01 */ STAGE_VAL_LE,
  /* 02 */ STAGE_VAL_BE

};
310*08b48e0bSAndroid Build Coastguard Worker
/* MOpt tuning constants (they pair with the MOpt_globals_t / afl_state MOpt
   members below). The STAGE_* macros here are operator indices 12..18 of the
   operator_num (19) MOpt operators, NOT values of the stage enum above —
   e.g. STAGE_Splice (18) is unrelated to STAGE_SPLICE (17). Keep that in
   mind when grepping. */
#define operator_num 19                  /* number of MOpt operators         */
#define swarm_num 5                      /* number of swarms (pilot mode)    */
#define period_core 500000

/* RAND_C: a double in {0.000, 0.001, ..., 0.999} drawn from libc rand().
   Note this is libc rand(), not the fuzzer's own RNG (cf. AFL_RAND_RETURN
   above); confirm it is seeded as expected if reproducible runs matter. */
#define RAND_C (rand() % 1000 * 0.001)
#define v_max 1                          /* velocity bounds, presumably PSO  */
#define v_min 0.05
#define limit_time_bound 1.1
#define SPLICE_CYCLES_puppet_up 25       /* range for SPLICE_CYCLES_puppet   */
#define SPLICE_CYCLES_puppet_low 5
#define STAGE_RANDOMBYTE 12              /* MOpt operator indices            */
#define STAGE_DELETEBYTE 13
#define STAGE_Clone75 14
#define STAGE_OverWrite75 15
#define STAGE_OverWriteExtra 16
#define STAGE_InsertExtra 17
#define STAGE_Splice 18
#define period_pilot 50000
329*08b48e0bSAndroid Build Coastguard Worker
/* Power schedules. Values double as indices into power_names[] (declared
   below with POWER_SCHEDULES_NUM entries), so the order here and there must
   stay in sync; POWER_SCHEDULES_NUM is the count sentinel. */
enum {

  /* 00 */ EXPLORE,      /* AFL default, Exploration-based constant schedule */
  /* 01 */ MMOPT,        /* Modified MOPT schedule                           */
  /* 02 */ EXPLOIT,      /* AFL's exploitation-based const.                  */
  /* 03 */ FAST,         /* Exponential schedule                             */
  /* 04 */ COE,          /* Cut-Off Exponential schedule                     */
  /* 05 */ LIN,          /* Linear schedule                                  */
  /* 06 */ QUAD,         /* Quadratic schedule                               */
  /* 07 */ RARE,         /* Rare edges                                       */
  /* 08 */ SEEK,         /* EXPLORE that ignores timings                     */

  POWER_SCHEDULES_NUM                    /* count sentinel, not a schedule   */

};
345*08b48e0bSAndroid Build Coastguard Worker
346*08b48e0bSAndroid Build Coastguard Worker /* Python stuff */
347*08b48e0bSAndroid Build Coastguard Worker #ifdef USE_PYTHON
348*08b48e0bSAndroid Build Coastguard Worker
349*08b48e0bSAndroid Build Coastguard Worker // because Python sets stuff it should not ...
350*08b48e0bSAndroid Build Coastguard Worker #ifdef _POSIX_C_SOURCE
351*08b48e0bSAndroid Build Coastguard Worker #define _SAVE_POSIX_C_SOURCE _POSIX_C_SOURCE
352*08b48e0bSAndroid Build Coastguard Worker #undef _POSIX_C_SOURCE
353*08b48e0bSAndroid Build Coastguard Worker #endif
354*08b48e0bSAndroid Build Coastguard Worker #ifdef _XOPEN_SOURCE
355*08b48e0bSAndroid Build Coastguard Worker #define _SAVE_XOPEN_SOURCE _XOPEN_SOURCE
356*08b48e0bSAndroid Build Coastguard Worker #undef _XOPEN_SOURCE
357*08b48e0bSAndroid Build Coastguard Worker #endif
358*08b48e0bSAndroid Build Coastguard Worker
359*08b48e0bSAndroid Build Coastguard Worker #include <Python.h>
360*08b48e0bSAndroid Build Coastguard Worker
361*08b48e0bSAndroid Build Coastguard Worker #ifdef _SAVE_POSIX_C_SOURCE
362*08b48e0bSAndroid Build Coastguard Worker #ifdef _POSIX_C_SOURCE
363*08b48e0bSAndroid Build Coastguard Worker #undef _POSIX_C_SOURCE
364*08b48e0bSAndroid Build Coastguard Worker #endif
365*08b48e0bSAndroid Build Coastguard Worker #define _POSIX_C_SOURCE _SAVE_POSIX_C_SOURCE
366*08b48e0bSAndroid Build Coastguard Worker #endif
367*08b48e0bSAndroid Build Coastguard Worker #ifdef _SAVE_XOPEN_SOURCE
368*08b48e0bSAndroid Build Coastguard Worker #ifdef _XOPEN_SOURCE
369*08b48e0bSAndroid Build Coastguard Worker #undef _XOPEN_SOURCE
370*08b48e0bSAndroid Build Coastguard Worker #endif
371*08b48e0bSAndroid Build Coastguard Worker #define _XOPEN_SOURCE _SAVE_XOPEN_SOURCE
372*08b48e0bSAndroid Build Coastguard Worker #endif
373*08b48e0bSAndroid Build Coastguard Worker
/* Indices into py_mutator_t.py_functions[]. init and deinit are mandatory;
   every entry from PY_OPTIONAL onwards may be absent (presumably a NULL
   slot), so callers must check the slot before calling it. PY_OPTIONAL
   deliberately aliases PY_FUNC_FUZZ (both are 2). PY_FUNC_COUNT is the
   array size. */
enum {

  /* 00 */ PY_FUNC_INIT,
  /* 01 */ PY_FUNC_DEINIT,
  /* FROM HERE ON BELOW ALL ARE OPTIONAL */
  /* 02 */ PY_OPTIONAL = 2,              /* first optional index             */
  /* 02 */ PY_FUNC_FUZZ = 2,             /* same value as PY_OPTIONAL        */
  /* 03 */ PY_FUNC_FUZZ_COUNT,
  /* 04 */ PY_FUNC_POST_PROCESS,
  /* 05 */ PY_FUNC_INIT_TRIM,
  /* 06 */ PY_FUNC_POST_TRIM,
  /* 07 */ PY_FUNC_TRIM,
  /* 08 */ PY_FUNC_HAVOC_MUTATION,
  /* 09 */ PY_FUNC_HAVOC_MUTATION_PROBABILITY,
  /* 10 */ PY_FUNC_QUEUE_GET,
  /* 11 */ PY_FUNC_QUEUE_NEW_ENTRY,
  /* 12 */ PY_FUNC_INTROSPECTION,
  /* 13 */ PY_FUNC_DESCRIBE,
  /* 14 */ PY_FUNC_FUZZ_SEND,
  /* 15 */ PY_FUNC_SPLICE_OPTOUT,
  /* 16 */ PY_FUNC_POST_RUN,
  PY_FUNC_COUNT                          /* array size, not a callback       */

};
398*08b48e0bSAndroid Build Coastguard Worker
/* State of one Python custom mutator. The three buf/size pairs look like
   reusable output buffers for the fuzz, trim and havoc callbacks (owner and
   growth policy not visible here — confirm in the python module code).
   post_process_buf is a Py_buffer; if it is filled via PyObject_GetBuffer it
   must be released with PyBuffer_Release before being refilled or freed. */
typedef struct py_mutator {

  PyObject *py_module;                   /* the loaded Python module         */
  PyObject *py_functions[PY_FUNC_COUNT]; /* callbacks, indexed by PY_FUNC_*  */
  void *    afl_state;                   /* presumably the owning afl_state  */
  void *    py_data;                     /* opaque data handed to callbacks  */

  u8 *   fuzz_buf;
  size_t fuzz_size;

  Py_buffer post_process_buf;

  u8 *   trim_buf;
  size_t trim_size;

  u8 *   havoc_buf;
  size_t havoc_size;

} py_mutator_t;
418*08b48e0bSAndroid Build Coastguard Worker
419*08b48e0bSAndroid Build Coastguard Worker #endif
420*08b48e0bSAndroid Build Coastguard Worker
/* MOpt per-mode (core / pilot) bookkeeping; afl_state holds one of these for
   each mode. The pointer members presumably alias arrays owned by afl_state
   rather than being owned here — confirm before freeing anything through
   them. splice_stageformat is, by its name, a printf-style format string:
   it must only ever point at a compile-time literal, never at anything
   derived from input. */
typedef struct MOpt_globals {

  u64 * finds;
  u64 * finds_v2;
  u64 * cycles;
  u64 * cycles_v2;
  u64 * cycles_v3;
  u32   is_pilot_mode;                   /* nonzero in pilot mode            */
  u64 * pTime;
  u64   period;                          /* period_core or period_pilot?     */
  char *havoc_stagename;                 /* UI stage names for this mode     */
  char *splice_stageformat;
  char *havoc_stagenameshort;
  char *splice_stagenameshort;

} MOpt_globals_t;
437*08b48e0bSAndroid Build Coastguard Worker
438*08b48e0bSAndroid Build Coastguard Worker extern char *power_names[POWER_SCHEDULES_NUM];
439*08b48e0bSAndroid Build Coastguard Worker
/* Snapshot of the AFL_* environment variables. The u8 members are
   boolean flags; the u8 * members are raw string values (presumably
   straight from getenv() — confirm whether they are copied) that have NOT
   been parsed or validated here, so consumers must parse them defensively
   (strtol-style with error checks for the numeric ones such as
   afl_hang_tmout or afl_crash_exitcode). afl_pizza_mode is the one member
   already stored as a number. */
typedef struct afl_env_vars {

  u8 afl_skip_cpufreq, afl_exit_when_done, afl_no_affinity, afl_skip_bin_check,
      afl_dumb_forksrv, afl_import_first, afl_custom_mutator_only, afl_no_ui,
      afl_force_ui, afl_i_dont_care_about_missing_crashes, afl_bench_just_one,
      afl_bench_until_crash, afl_debug_child, afl_autoresume, afl_cal_fast,
      afl_cycle_schedules, afl_expand_havoc, afl_statsd, afl_cmplog_only_new,
      afl_exit_on_seed_issues, afl_try_affinity, afl_ignore_problems,
      afl_keep_timeouts, afl_no_crash_readme, afl_ignore_timeouts,
      afl_no_startup_calibration, afl_no_warn_instability,
      afl_post_process_keep_original, afl_crashing_seeds_as_new_crash,
      afl_final_sync, afl_ignore_seed_problems;

  /* unparsed string values, NULL when the variable is unset (presumably) */
  u8 *afl_tmpdir, *afl_custom_mutator_library, *afl_python_module, *afl_path,
      *afl_hang_tmout, *afl_forksrv_init_tmout, *afl_preload,
      *afl_max_det_extras, *afl_statsd_host, *afl_statsd_port,
      *afl_crash_exitcode, *afl_statsd_tags_flavor, *afl_testcache_size,
      *afl_testcache_entries, *afl_child_kill_signal, *afl_fsrv_kill_signal,
      *afl_target_env, *afl_persistent_record, *afl_exit_on_time;

  s32 afl_pizza_mode;                    /* already parsed to an integer     */

} afl_env_vars_t;
463*08b48e0bSAndroid Build Coastguard Worker
/* Tiny pass/fail tally. Both counters are 8-bit and so wrap at 255 —
   confirm that whoever increments them caps or resets before that. */
struct afl_pass_stat {

  u8 total;                              /* attempts                         */
  u8 faileds;                            /* failed attempts                  */

};
470*08b48e0bSAndroid Build Coastguard Worker
/* A foreign (non-AFL) sync directory to import test cases from. mtime is
   presumably the directory modification time seen on the last scan, used
   to skip unchanged directories — confirm at the sync site. */
struct foreign_sync {

  u8 *   dir;                            /* directory path                   */
  time_t mtime;                          /* last observed modification time  */

};
477*08b48e0bSAndroid Build Coastguard Worker
typedef struct afl_state {

  /* Central state of one afl-fuzz instance; nearly everything in the fuzzer
     takes a pointer to this.
     NOTE(review): the members wrapped in #ifdef HAVE_AFFINITY,
     _AFL_DOCUMENT_MUTATIONS and INTROSPECTION change the size and the member
     offsets of this struct. Any separately built code that receives an
     afl_state_t * (e.g. a custom mutator through afl_custom_init) must be
     compiled with the same defines as afl-fuzz itself, or its view of the
     struct will not line up. */

  /* Position of this state in the global states list */
  u32 _id;

  afl_forkserver_t fsrv;       /* forkserver used to run the target */
  sharedmem_t      shm;
  sharedmem_t     *shm_fuzz;   /* shared memory for test cases; presumably only
                                  set when shmem_testcase_mode is in use —
                                  confirm against the setup code */
  afl_env_vars_t   afl_env;    /* parsed AFL_* environment variables */

  char **argv;                 /* argv if needed */

  /* MOpt:
     Lots of globals, but mostly for the status UI and other things where it
     really makes no sense to haul them around as function parameters. */
  u64 orig_hit_cnt_puppet, last_limit_time_start, tmp_pilot_time,
      total_pacemaker_time, total_puppet_find, temp_puppet_find, most_time_key,
      most_time, most_execs_key, most_execs, old_hit_count, force_ui_update,
      prev_run_time;

  MOpt_globals_t mopt_globals_core, mopt_globals_pilot;

  s32 limit_time_puppet, SPLICE_CYCLES_puppet, limit_time_sig, key_puppet,
      key_module;

  double w_init, w_end, w_now;

  s32 g_now;
  s32 g_max;

  u64 tmp_core_time;
  s32 swarm_now;               /* index of the swarm currently selected */

  /* MOpt particle-swarm state, sized by the swarm_num / operator_num
     constants defined outside this block. */
  double x_now[swarm_num][operator_num], L_best[swarm_num][operator_num],
      eff_best[swarm_num][operator_num], G_best[operator_num],
      v_now[swarm_num][operator_num], probability_now[swarm_num][operator_num],
      swarm_fitness[swarm_num];

  u64 stage_finds_puppet[swarm_num][operator_num], /* Patterns found per
                                                      fuzz stage */
      stage_finds_puppet_v2[swarm_num][operator_num],
      stage_cycles_puppet_v2[swarm_num][operator_num],
      stage_cycles_puppet_v3[swarm_num][operator_num],
      stage_cycles_puppet[swarm_num][operator_num],
      operator_finds_puppet[operator_num],
      core_operator_finds_puppet[operator_num],
      core_operator_finds_puppet_v2[operator_num],
      core_operator_cycles_puppet[operator_num],
      core_operator_cycles_puppet_v2[operator_num],
      core_operator_cycles_puppet_v3[operator_num]; /* Execs per fuzz stage */

  double period_pilot_tmp;
  s32    key_lv;

  u8 *in_dir,                  /* Input directory with test cases */
      *out_dir,                /* Working & output directory */
      *tmp_dir,                /* Temporary directory for input */
      *sync_dir,               /* Synchronization directory */
      *sync_id,                /* Fuzzer ID */
      *power_name,             /* Power schedule name */
      *use_banner,             /* Display banner */
      *in_bitmap,              /* Input bitmap */
      *file_extension,         /* File extension */
      *orig_cmdline,           /* Original command line */
      *infoexec;               /* Command to execute on a new crash */

  u32 hang_tmout,              /* Timeout used for hang det (ms) */
      stats_update_freq;       /* Stats update frequency (execs) */

  /* Boolean-ish configuration and run-state flags, one byte each. */
  u8 havoc_stack_pow2,         /* HAVOC_STACK_POW2 */
      no_unlink,               /* do not unlink cur_input */
      debug,                   /* Debug mode */
      custom_only,             /* Custom mutator only mode */
      custom_splice_optout,    /* Custom mutator no splice buffer */
      is_main_node,            /* if this is the main node */
      is_secondary_node,       /* if this is a secondary instance */
      pizza_is_served,         /* pizza mode */
      input_mode,              /* target wants text inputs */
      fuzz_mode,               /* coverage/exploration or crash/exploitation mode */
      schedule,                /* Power schedule (default: EXPLORE)*/
      havoc_max_mult,          /* havoc multiplier */
      skip_deterministic,      /* Skip deterministic stages? */
      use_splicing,            /* Recombine input files? */
      non_instrumented_mode,   /* Run in non-instrumented mode? */
      score_changed,           /* Scoring for favorites changed? */
      resuming_fuzz,           /* Resuming an older fuzzing job? */
      timeout_given,           /* Specific timeout given? */
      not_on_tty,              /* stdout is not a tty */
      term_too_small,          /* terminal dimensions too small */
      no_forkserver,           /* Disable forkserver? */
      crash_mode,              /* Crash mode! Yeah! */
      in_place_resume,         /* Attempt in-place resume? */
      autoresume,              /* Resume if afl->out_dir exists? */
      auto_changed,            /* Auto-generated tokens changed? */
      no_cpu_meter_red,        /* Feng shui on the status screen */
      no_arith,                /* Skip most arithmetic ops */
      shuffle_queue,           /* Shuffle input queue? */
      bitmap_changed,          /* Time to update bitmap? */
      unicorn_mode,            /* Running in Unicorn mode? */
      use_wine,                /* Use WINE with QEMU mode */
      skip_requested,          /* Skip request, via SIGUSR1 */
      run_over10m,             /* Run time over 10 minutes? */
      persistent_mode,         /* Running in persistent mode? */
      deferred_mode,           /* Deferred forkserver mode? */
      fixed_seed,              /* do not reseed */
      fast_cal,                /* Try to calibrate faster? */
      disable_trim,            /* Never trim in fuzz_one */
      shmem_testcase_mode,     /* If sharedmem testcases are used */
      expand_havoc,            /* perform expensive havoc after no find */
      cycle_schedules,         /* cycle power schedules? */
      old_seed_selection,      /* use vanilla afl seed selection */
      reinit_table;            /* reinit the queue weight table */

  u8 *virgin_bits,             /* Regions yet untouched by fuzzing */
      *virgin_tmout,           /* Bits we haven't seen in tmouts */
      *virgin_crash;           /* Bits we haven't seen in crashes */

  double *alias_probability;   /* alias weighted probabilities */
  u32    *alias_table;         /* alias weighted random lookup table */
  u32     active_items;        /* enabled entries in the queue */

  u8 *var_bytes;               /* Bytes that appear to be variable */

  /* NOTE: a #define inside a struct body is not scoped to the struct; this
     macro is visible to everything that includes the header from here on. */
#define N_FUZZ_SIZE (1 << 21)
  u32 *n_fuzz;                 /* presumably N_FUZZ_SIZE counters of how often
                                  a path hash was seen — verify against the
                                  allocation site */

  /* Both flags are, per their comments, raised asynchronously (Ctrl-C and
     window resize), i.e. from signal handlers. NOTE(review): the C standard
     only guarantees volatile sig_atomic_t for a flag written from a signal
     handler; confirm u8 is acceptable on every supported platform. */
  volatile u8 stop_soon,       /* Ctrl-C pressed? */
      clear_screen;            /* Window resized? */

  u32 queued_items,            /* Total number of queued testcases */
      queued_variable,         /* Testcases with variable behavior */
      queued_at_start,         /* Total number of initial inputs */
      queued_discovered,       /* Items discovered during this run */
      queued_imported,         /* Items imported via -S */
      queued_favored,          /* Paths deemed favorable */
      queued_with_cov,         /* Paths with new coverage bytes */
      pending_not_fuzzed,      /* Queued but not done yet */
      pending_favored,         /* Pending favored paths */
      cur_skipped_items,       /* Abandoned inputs in cur cycle */
      cur_depth,               /* Current path depth */
      max_depth,               /* Max path depth */
      useless_at_start,        /* Number of useless starting paths */
      var_byte_count,          /* Bitmap bytes with var behavior */
      current_entry,           /* Current queue entry ID */
      havoc_div,               /* Cycle count divisor for havoc */
      max_det_extras;          /* deterministic extra count (dicts)*/

  u64 total_crashes,           /* Total number of crashes */
      saved_crashes,           /* Crashes with unique signatures */
      total_tmouts,            /* Total number of timeouts */
      saved_tmouts,            /* Timeouts with unique signatures */
      saved_hangs,             /* Hangs with unique signatures */
      last_crash_execs,        /* Exec counter at last crash */
      queue_cycle,             /* Queue round counter */
      cycles_wo_finds,         /* Cycles without any new paths */
      trim_execs,              /* Execs done to trim input files */
      bytes_trim_in,           /* Bytes coming into the trimmer */
      bytes_trim_out,          /* Bytes coming outa the trimmer */
      blocks_eff_total,        /* Blocks subject to effector maps */
      blocks_eff_select,       /* Blocks selected as fuzzable */
      start_time,              /* Unix start time (ms) */
      last_sync_time,          /* Time of last sync */
      last_sync_cycle,         /* Cycle no. of the last sync */
      last_find_time,          /* Time for most recent path (ms) */
      last_crash_time,         /* Time for most recent crash (ms) */
      last_hang_time,          /* Time for most recent hang (ms) */
      longest_find_time,       /* Longest time taken for a find */
      exit_on_time,            /* Delay to exit if no new paths */
      sync_time,               /* Sync time (ms) */
      switch_fuzz_mode;        /* auto or fixed fuzz mode */

  u32 slowest_exec_ms,         /* Slowest testcase non hang in ms */
      subseq_tmouts;           /* Number of timeouts in a row */

  u8 *stage_name,              /* Name of the current fuzz stage */
      *stage_short,            /* Short stage name */
      *syncing_party;          /* Currently syncing with... */

  /* NOTE(review): the "len 64" below is only accurate while
     STAGE_BUF_SIZE == 64; writers should bound on sizeof(stage_name_buf),
     not on the literal. */
  u8 stage_name_buf[STAGE_BUF_SIZE]; /* reused stagename buf with len 64 */

  u32 stage_cur, stage_max;    /* Stage progression */
  s32 splicing_with;           /* Splicing with which test case? */
  s64 smallest_favored;        /* smallest queue id favored */

  u32 main_node_id, main_node_max; /* Main instance job splitting */

  u32 syncing_case;            /* Syncing with case #... */

  s32 stage_cur_byte,          /* Byte offset of current stage op */
      stage_cur_val;           /* Value used for stage op */

  u8 stage_val_type;           /* Value type (STAGE_VAL_*) */

  u64 stage_finds[32],         /* Patterns found per fuzz stage */
      stage_cycles[32];        /* Execs per fuzz stage */

  u32 rand_cnt;                /* Random number counter */

  /* unsigned long rand_seed[3]; would also work */
  AFL_RAND_RETURN rand_seed[3]; /* PRNG state */
  s64             init_seed;    /* presumably the seed the PRNG was started
                                   from (cf. fixed_seed) — confirm */

  u64 total_cal_us,            /* Total calibration time (us) */
      total_cal_cycles;        /* Total calibration cycles */

  u64 total_bitmap_size,       /* Total bit count for all bitmaps */
      total_bitmap_entries;    /* Number of bitmaps counted */

  s32 cpu_core_count,          /* CPU core count */
      cpu_to_bind;             /* bind to specific CPU */

#ifdef HAVE_AFFINITY
  s32 cpu_aff;                 /* Selected CPU core */
#endif                         /* HAVE_AFFINITY */

  struct queue_entry *queue,   /* Fuzzing queue (linked list) */
      *queue_cur,              /* Current offset within the queue */
      *queue_top;              /* Top of the list */

  // growing buf
  // Array view over the same entries as the linked list above — presumably
  // indexed by queue id; confirm how it is kept in sync with `queue`.
  struct queue_entry **queue_buf;

  struct queue_entry **top_rated; /* Top entries for bitmap bytes */

  struct extra_data *extras;   /* Extra tokens to fuzz with */
  u32                extras_cnt; /* Total number of tokens read */

  struct auto_extra_data
      a_extras[MAX_AUTO_EXTRAS]; /* Automatically selected extras */
  u32 a_extras_cnt;            /* Total number of tokens available;
                                  must stay <= MAX_AUTO_EXTRAS */

  /* afl_postprocess API - Now supported via custom mutators */

  /* CmpLog */

  char            *cmplog_binary;  /* path of the cmplog-instrumented target */
  afl_forkserver_t cmplog_fsrv;    /* cmplog has its own little forkserver */

  /* Custom mutators */
  struct custom_mutator *mutator;  /* see also custom_mutator_list below */

  /* cmplog forkserver ids */
  s32 cmplog_fsrv_ctl_fd, cmplog_fsrv_st_fd; /* control / status fds, by name */
  u32 cmplog_prev_timed_out;
  u32 cmplog_max_filesize;
  u32 cmplog_lvl;
  u32 colorize_success;
  u8  cmplog_enable_arith, cmplog_enable_transform, cmplog_enable_scale,
      cmplog_enable_xtreme_transform, cmplog_random_colorization;

  struct afl_pass_stat *pass_stats;    /* per-key counters, see struct above */
  struct cmp_map       *orig_cmp_map;

  /* NOTE(review): 256 bytes includes the terminating NUL, so the longest
     string that fits is 255 characters; describe_op must bound its writes to
     sizeof(describe_op_buf_256). */
  u8 describe_op_buf_256[256]; /* describe_op will use this to return a string
                                  up to 256 */

  unsigned long long int last_avg_exec_update;
  u32                    last_avg_execs;
  double                 last_avg_execs_saved;

  /* foreign sync */
  /* NOTE: like N_FUZZ_SIZE above, this #define escapes the struct scope. */
#define FOREIGN_SYNCS_MAX 32U
  u8 foreign_sync_cnt;         /* valid entries in foreign_syncs[]; must never
                                  exceed FOREIGN_SYNCS_MAX */
  struct foreign_sync foreign_syncs[FOREIGN_SYNCS_MAX];

#ifdef _AFL_DOCUMENT_MUTATIONS
  u8  do_document;
  u32 document_counter;
#endif

  /* statistics file */
  double last_bitmap_cvg, last_stability, last_eps;
  u64    stats_file_update_freq_msecs; /* Stats update frequency (msecs) */

  /* plot file saves from last run */
  u32 plot_prev_qp, plot_prev_pf, plot_prev_pnf, plot_prev_ce, plot_prev_md;
  u64 plot_prev_qc, plot_prev_uc, plot_prev_uh, plot_prev_ed;

  u64 stats_last_stats_ms, stats_last_plot_ms, stats_last_queue_ms,
      stats_last_ms, stats_last_execs;

  /* StatsD */
  u64                statsd_last_send_ms;
  struct sockaddr_in statsd_server;     /* IPv4 only (sockaddr_in) */
  int                statsd_sock;
  char              *statsd_tags_flavor; /* presumably mirrors
                                            afl_env.afl_statsd_tags_flavor */
  /* NOTE(review): the two *_format members look like printf-style
     templates; they must remain compile-time constants and never be built
     from environment or file input — confirm in the statsd code. */
  char *statsd_tags_format;
  char *statsd_metric_format;
  int   statsd_metric_format_type;

  double stats_avg_exec;

  u8 *clean_trace;
  u8 *clean_trace_custom;
  u8 *first_trace;

  /*needed for afl_fuzz_one */
  // TODO: see which we can reuse
  u8 *out_buf;

  u8 *out_scratch_buf;

  u8 *eff_buf;

  u8 *in_buf;

  u8 *in_scratch_buf;

  u8 *ex_buf;

  u8 *testcase_buf, *splicecase_buf;

  u32 custom_mutators_count;   /* entries in custom_mutator_list */

  struct custom_mutator *current_custom_fuzz;

  list_t custom_mutator_list;

  /* this is a fixed buffer of size map_size that can be used by any function if
   * they do not call another function */
  /* In other words a shared, non-reentrant scratch area: a function may use it
     only if nothing it calls could use it as well. */
  u8 *map_tmp_buf;

  /* queue entries ready for splicing count (len > 4) */
  u32 ready_for_splicing_count;

  /* min/max length for generated fuzzing inputs */
  u32 min_length, max_length;

  /* This is the user specified maximum size to use for the testcase cache */
  u64 q_testcase_max_cache_size;

  /* This is the user specified maximum entries in the testcase cache */
  u32 q_testcase_max_cache_entries;

  /* How much of the testcase cache is used so far */
  u64 q_testcase_cache_size;

  /* highest cache count so far */
  u32 q_testcase_max_cache_count;

  /* How many queue entries currently have cached testcases */
  u32 q_testcase_cache_count;

  /* the smallest id currently known free entry */
  u32 q_testcase_smallest_free;

  /* How often did we evict from the cache (for statistics only) */
  u32 q_testcase_evictions;

  /* Refs to each queue entry with cached testcase (for eviction, if cache_count
   * is too large) */
  struct queue_entry **q_testcase_cache;

  /* Global Profile Data for deterministic/havoc-splice stage */
  struct havoc_profile *havoc_prof;

  struct skipdet_global *skipdet_g;

#ifdef INTROSPECTION
  /* Fixed-size text buffers: every append must be bounded on the array size
     (sizeof), not on an assumed remaining length. */
  char  mutation[8072];
  char  m_tmp[4096];
  FILE *introspection_file;
  u32   bitsmap_size;
#endif

} afl_state_t;
844*08b48e0bSAndroid Build Coastguard Worker
845*08b48e0bSAndroid Build Coastguard Worker struct custom_mutator {
846*08b48e0bSAndroid Build Coastguard Worker
847*08b48e0bSAndroid Build Coastguard Worker const char *name;
848*08b48e0bSAndroid Build Coastguard Worker char *name_short;
849*08b48e0bSAndroid Build Coastguard Worker void *dh;
850*08b48e0bSAndroid Build Coastguard Worker u8 *post_process_buf;
851*08b48e0bSAndroid Build Coastguard Worker u8 stacked_custom_prob, stacked_custom;
852*08b48e0bSAndroid Build Coastguard Worker
853*08b48e0bSAndroid Build Coastguard Worker void *data; /* custom mutator data ptr */
854*08b48e0bSAndroid Build Coastguard Worker
855*08b48e0bSAndroid Build Coastguard Worker /* hooks for the custom mutator function */
856*08b48e0bSAndroid Build Coastguard Worker
857*08b48e0bSAndroid Build Coastguard Worker /**
858*08b48e0bSAndroid Build Coastguard Worker * Initialize the custom mutator.
859*08b48e0bSAndroid Build Coastguard Worker *
860*08b48e0bSAndroid Build Coastguard Worker * @param afl AFL instance.
861*08b48e0bSAndroid Build Coastguard Worker * @param seed Seed used for the mutation.
862*08b48e0bSAndroid Build Coastguard Worker * @return pointer to internal data or NULL on error
863*08b48e0bSAndroid Build Coastguard Worker */
864*08b48e0bSAndroid Build Coastguard Worker void *(*afl_custom_init)(afl_state_t *afl, unsigned int seed);
865*08b48e0bSAndroid Build Coastguard Worker
866*08b48e0bSAndroid Build Coastguard Worker /**
867*08b48e0bSAndroid Build Coastguard Worker * When afl-fuzz was compiled with INTROSPECTION=1 then custom mutators can
868*08b48e0bSAndroid Build Coastguard Worker * also give introspection information back with this function.
869*08b48e0bSAndroid Build Coastguard Worker *
870*08b48e0bSAndroid Build Coastguard Worker * @param data pointer returned in afl_custom_init by this custom mutator
871*08b48e0bSAndroid Build Coastguard Worker * @return pointer to a text string (const char*)
872*08b48e0bSAndroid Build Coastguard Worker */
873*08b48e0bSAndroid Build Coastguard Worker const char *(*afl_custom_introspection)(void *data);
874*08b48e0bSAndroid Build Coastguard Worker
875*08b48e0bSAndroid Build Coastguard Worker /**
876*08b48e0bSAndroid Build Coastguard Worker * This method is called just before fuzzing a queue entry with the custom
877*08b48e0bSAndroid Build Coastguard Worker * mutator, and receives the initial buffer. It should return the number of
878*08b48e0bSAndroid Build Coastguard Worker * fuzzes to perform.
879*08b48e0bSAndroid Build Coastguard Worker *
880*08b48e0bSAndroid Build Coastguard Worker * A value of 0 means no fuzzing of this queue entry.
881*08b48e0bSAndroid Build Coastguard Worker *
* The function is not allowed to change the data (buf is const).
883*08b48e0bSAndroid Build Coastguard Worker *
884*08b48e0bSAndroid Build Coastguard Worker * (Optional)
885*08b48e0bSAndroid Build Coastguard Worker *
886*08b48e0bSAndroid Build Coastguard Worker * @param data pointer returned in afl_custom_init by this custom mutator
887*08b48e0bSAndroid Build Coastguard Worker * @param buf Buffer containing the test case
888*08b48e0bSAndroid Build Coastguard Worker * @param buf_size Size of the test case
889*08b48e0bSAndroid Build Coastguard Worker * @return The amount of fuzzes to perform on this queue entry, 0 = skip
890*08b48e0bSAndroid Build Coastguard Worker */
891*08b48e0bSAndroid Build Coastguard Worker u32 (*afl_custom_fuzz_count)(void *data, const u8 *buf, size_t buf_size);
892*08b48e0bSAndroid Build Coastguard Worker
893*08b48e0bSAndroid Build Coastguard Worker /**
894*08b48e0bSAndroid Build Coastguard Worker * Opt-out of a splicing input for the fuzz mutator
895*08b48e0bSAndroid Build Coastguard Worker *
896*08b48e0bSAndroid Build Coastguard Worker * Empty dummy function. Its presence tells afl-fuzz not to pass a
897*08b48e0bSAndroid Build Coastguard Worker * splice data pointer and len.
898*08b48e0bSAndroid Build Coastguard Worker *
899*08b48e0bSAndroid Build Coastguard Worker * @param data pointer returned in afl_custom_init by this custom mutator
900*08b48e0bSAndroid Build Coastguard Worker * @noreturn
901*08b48e0bSAndroid Build Coastguard Worker */
902*08b48e0bSAndroid Build Coastguard Worker void (*afl_custom_splice_optout)(void *data);
903*08b48e0bSAndroid Build Coastguard Worker
904*08b48e0bSAndroid Build Coastguard Worker /**
905*08b48e0bSAndroid Build Coastguard Worker * Perform custom mutations on a given input
906*08b48e0bSAndroid Build Coastguard Worker *
907*08b48e0bSAndroid Build Coastguard Worker * (Optional)
908*08b48e0bSAndroid Build Coastguard Worker *
909*08b48e0bSAndroid Build Coastguard Worker * Getting an add_buf can be skipped by using afl_custom_splice_optout().
910*08b48e0bSAndroid Build Coastguard Worker *
911*08b48e0bSAndroid Build Coastguard Worker * @param[in] data Pointer returned in afl_custom_init by this custom mutator
912*08b48e0bSAndroid Build Coastguard Worker * @param[in] buf Pointer to the input data to be mutated and the mutated
913*08b48e0bSAndroid Build Coastguard Worker * output
914*08b48e0bSAndroid Build Coastguard Worker * @param[in] buf_size Size of the input/output data
915*08b48e0bSAndroid Build Coastguard Worker * @param[out] out_buf The new buffer, under your memory mgmt.
916*08b48e0bSAndroid Build Coastguard Worker * @param[in] add_buf Buffer containing an additional test case (splicing)
917*08b48e0bSAndroid Build Coastguard Worker * @param[in] add_buf_size Size of the additional test case
918*08b48e0bSAndroid Build Coastguard Worker * @param[in] max_size Maximum size of the mutated output. The mutation must
919*08b48e0bSAndroid Build Coastguard Worker * not produce data larger than max_size.
920*08b48e0bSAndroid Build Coastguard Worker * @return Size of the mutated output.
921*08b48e0bSAndroid Build Coastguard Worker */
922*08b48e0bSAndroid Build Coastguard Worker size_t (*afl_custom_fuzz)(void *data, u8 *buf, size_t buf_size, u8 **out_buf,
923*08b48e0bSAndroid Build Coastguard Worker u8 *add_buf, size_t add_buf_size, size_t max_size);
924*08b48e0bSAndroid Build Coastguard Worker
925*08b48e0bSAndroid Build Coastguard Worker /**
926*08b48e0bSAndroid Build Coastguard Worker * Describe the current testcase, generated by the last mutation.
927*08b48e0bSAndroid Build Coastguard Worker * This will be called, for example, to give the written testcase a name
928*08b48e0bSAndroid Build Coastguard Worker * after a crash occurred. It can help to reproduce crashing mutations.
929*08b48e0bSAndroid Build Coastguard Worker *
930*08b48e0bSAndroid Build Coastguard Worker * (Optional)
931*08b48e0bSAndroid Build Coastguard Worker *
932*08b48e0bSAndroid Build Coastguard Worker * @param data pointer returned by afl_custom_init for this custom mutator
933*08b48e0bSAndroid Build Coastguard Worker * @param[in] max_description_len maximum size available for the description.
934*08b48e0bSAndroid Build Coastguard Worker * A longer return string is legal, but will be truncated.
935*08b48e0bSAndroid Build Coastguard Worker * @return A valid ptr to a 0-terminated string.
936*08b48e0bSAndroid Build Coastguard Worker * An empty or NULL return will result in a default description
937*08b48e0bSAndroid Build Coastguard Worker */
938*08b48e0bSAndroid Build Coastguard Worker const char *(*afl_custom_describe)(void *data, size_t max_description_len);
939*08b48e0bSAndroid Build Coastguard Worker
940*08b48e0bSAndroid Build Coastguard Worker /**
941*08b48e0bSAndroid Build Coastguard Worker * A post-processing function to use right before AFL writes the test case to
942*08b48e0bSAndroid Build Coastguard Worker * disk in order to execute the target.
943*08b48e0bSAndroid Build Coastguard Worker *
944*08b48e0bSAndroid Build Coastguard Worker * NOTE: Do not do any random changes to the data in this function!
945*08b48e0bSAndroid Build Coastguard Worker *
946*08b48e0bSAndroid Build Coastguard Worker * PERFORMANCE: If you can modify the data in-place you will have a better
947*08b48e0bSAndroid Build Coastguard Worker * performance. Modify *data and set `*out_buf = data`.
948*08b48e0bSAndroid Build Coastguard Worker *
949*08b48e0bSAndroid Build Coastguard Worker * (Optional) If this functionality is not needed, simply do not define this
950*08b48e0bSAndroid Build Coastguard Worker * function.
951*08b48e0bSAndroid Build Coastguard Worker *
952*08b48e0bSAndroid Build Coastguard Worker * @param[in] data pointer returned in afl_custom_init by this custom mutator
953*08b48e0bSAndroid Build Coastguard Worker * @param[in] buf Buffer containing the test case to be executed
954*08b48e0bSAndroid Build Coastguard Worker * @param[in] buf_size Size of the test case
955*08b48e0bSAndroid Build Coastguard Worker * @param[out] out_buf Pointer to the buffer storing the test case after
956*08b48e0bSAndroid Build Coastguard Worker * processing. The external library should allocate memory for out_buf.
957*08b48e0bSAndroid Build Coastguard Worker * It can choose to alter buf in-place, if the space is large enough.
958*08b48e0bSAndroid Build Coastguard Worker * @return Size of the output buffer.
959*08b48e0bSAndroid Build Coastguard Worker */
960*08b48e0bSAndroid Build Coastguard Worker size_t (*afl_custom_post_process)(void *data, u8 *buf, size_t buf_size,
961*08b48e0bSAndroid Build Coastguard Worker u8 **out_buf);
962*08b48e0bSAndroid Build Coastguard Worker
963*08b48e0bSAndroid Build Coastguard Worker /**
964*08b48e0bSAndroid Build Coastguard Worker * This method is called at the start of each trimming operation and receives
965*08b48e0bSAndroid Build Coastguard Worker * the initial buffer. It should return the amount of iteration steps possible
966*08b48e0bSAndroid Build Coastguard Worker * on this input (e.g. if your input has n elements and you want to remove
967*08b48e0bSAndroid Build Coastguard Worker * them one by one, return n, if you do a binary search, return log(n),
968*08b48e0bSAndroid Build Coastguard Worker * and so on...).
969*08b48e0bSAndroid Build Coastguard Worker *
970*08b48e0bSAndroid Build Coastguard Worker * If your trimming algorithm doesn't allow you to determine the amount of
971*08b48e0bSAndroid Build Coastguard Worker * (remaining) steps easily (esp. while running), then you can alternatively
972*08b48e0bSAndroid Build Coastguard Worker * return 1 here and always return 0 in post_trim until you are finished and
973*08b48e0bSAndroid Build Coastguard Worker * no steps remain. In that case, returning 1 in post_trim will end the
974*08b48e0bSAndroid Build Coastguard Worker * trimming routine. The whole current index/max iterations stuff is only used
975*08b48e0bSAndroid Build Coastguard Worker * to show progress.
976*08b48e0bSAndroid Build Coastguard Worker *
977*08b48e0bSAndroid Build Coastguard Worker * (Optional)
978*08b48e0bSAndroid Build Coastguard Worker *
979*08b48e0bSAndroid Build Coastguard Worker * @param data pointer returned in afl_custom_init by this custom mutator
980*08b48e0bSAndroid Build Coastguard Worker * @param buf Buffer containing the test case
981*08b48e0bSAndroid Build Coastguard Worker * @param buf_size Size of the test case
982*08b48e0bSAndroid Build Coastguard Worker * @return The amount of possible iteration steps to trim the input.
983*08b48e0bSAndroid Build Coastguard Worker * Negative on error.
984*08b48e0bSAndroid Build Coastguard Worker */
985*08b48e0bSAndroid Build Coastguard Worker s32 (*afl_custom_init_trim)(void *data, u8 *buf, size_t buf_size);
986*08b48e0bSAndroid Build Coastguard Worker
987*08b48e0bSAndroid Build Coastguard Worker /**
988*08b48e0bSAndroid Build Coastguard Worker * This method is called for each trimming operation. It doesn't have any
989*08b48e0bSAndroid Build Coastguard Worker * arguments because we already have the initial buffer from init_trim and we
990*08b48e0bSAndroid Build Coastguard Worker * can memorize the current state in global variables. This can also save
991*08b48e0bSAndroid Build Coastguard Worker * reparsing steps for each iteration. It should return the trimmed input
992*08b48e0bSAndroid Build Coastguard Worker * buffer, where the returned data must not exceed the initial input data in
993*08b48e0bSAndroid Build Coastguard Worker * length. Returning anything that is larger than the original data (passed
994*08b48e0bSAndroid Build Coastguard Worker * to init_trim) will result in a fatal abort of AFLFuzz.
995*08b48e0bSAndroid Build Coastguard Worker *
996*08b48e0bSAndroid Build Coastguard Worker * (Optional)
997*08b48e0bSAndroid Build Coastguard Worker *
998*08b48e0bSAndroid Build Coastguard Worker * @param data pointer returned in afl_custom_init by this custom mutator
999*08b48e0bSAndroid Build Coastguard Worker * @param[out] out_buf Pointer to the buffer containing the trimmed test case.
1000*08b48e0bSAndroid Build Coastguard Worker * The library can reuse a buffer for each call
1001*08b48e0bSAndroid Build Coastguard Worker * and will have to free the buf (for example in deinit)
1002*08b48e0bSAndroid Build Coastguard Worker * @return the size of the trimmed test case
1003*08b48e0bSAndroid Build Coastguard Worker */
1004*08b48e0bSAndroid Build Coastguard Worker size_t (*afl_custom_trim)(void *data, u8 **out_buf);
1005*08b48e0bSAndroid Build Coastguard Worker
1006*08b48e0bSAndroid Build Coastguard Worker /**
1007*08b48e0bSAndroid Build Coastguard Worker * This method is called after each trim operation to inform you if your
1008*08b48e0bSAndroid Build Coastguard Worker * trimming step was successful or not (in terms of coverage). If you receive
1009*08b48e0bSAndroid Build Coastguard Worker * a failure here, you should reset your input to the last known good state.
1010*08b48e0bSAndroid Build Coastguard Worker *
1011*08b48e0bSAndroid Build Coastguard Worker * (Optional)
1012*08b48e0bSAndroid Build Coastguard Worker *
1013*08b48e0bSAndroid Build Coastguard Worker * @param data pointer returned in afl_custom_init by this custom mutator
1014*08b48e0bSAndroid Build Coastguard Worker * @param success Indicates if the last trim operation was successful.
1015*08b48e0bSAndroid Build Coastguard Worker * @return The next trim iteration index (from 0 to the maximum amount of
1016*08b48e0bSAndroid Build Coastguard Worker * steps returned in init_trim). Negative on error.
1017*08b48e0bSAndroid Build Coastguard Worker */
1018*08b48e0bSAndroid Build Coastguard Worker s32 (*afl_custom_post_trim)(void *data, u8 success);
1019*08b48e0bSAndroid Build Coastguard Worker
1020*08b48e0bSAndroid Build Coastguard Worker /**
1021*08b48e0bSAndroid Build Coastguard Worker * Perform a single custom mutation on a given input.
1022*08b48e0bSAndroid Build Coastguard Worker * This mutation is stacked with the other mutations in havoc.
1023*08b48e0bSAndroid Build Coastguard Worker *
1024*08b48e0bSAndroid Build Coastguard Worker * (Optional)
1025*08b48e0bSAndroid Build Coastguard Worker *
1026*08b48e0bSAndroid Build Coastguard Worker * @param[in] data pointer returned in afl_custom_init by this custom mutator
1027*08b48e0bSAndroid Build Coastguard Worker * @param[in] buf Pointer to the input data to be mutated and the mutated
1028*08b48e0bSAndroid Build Coastguard Worker * output
1029*08b48e0bSAndroid Build Coastguard Worker * @param[in] buf_size Size of input data
1030*08b48e0bSAndroid Build Coastguard Worker * @param[out] out_buf The new buffer. It's legal to reuse *buf if the output
1031*08b48e0bSAndroid Build Coastguard Worker * size is < buf_size.
1032*08b48e0bSAndroid Build Coastguard Worker * @param[in] max_size Maximum size of the mutated output. The mutation must
1033*08b48e0bSAndroid Build Coastguard Worker * not produce data larger than max_size.
1034*08b48e0bSAndroid Build Coastguard Worker * @return Size of the mutated output (out_size).
1035*08b48e0bSAndroid Build Coastguard Worker */
1036*08b48e0bSAndroid Build Coastguard Worker size_t (*afl_custom_havoc_mutation)(void *data, u8 *buf, size_t buf_size,
1037*08b48e0bSAndroid Build Coastguard Worker u8 **out_buf, size_t max_size);
1038*08b48e0bSAndroid Build Coastguard Worker
1039*08b48e0bSAndroid Build Coastguard Worker /**
1040*08b48e0bSAndroid Build Coastguard Worker * Return the probability (in percentage) that afl_custom_havoc_mutation
1041*08b48e0bSAndroid Build Coastguard Worker * is called in havoc. By default it is 6 %.
1042*08b48e0bSAndroid Build Coastguard Worker *
1043*08b48e0bSAndroid Build Coastguard Worker * (Optional)
1044*08b48e0bSAndroid Build Coastguard Worker *
1045*08b48e0bSAndroid Build Coastguard Worker * @param data pointer returned in afl_custom_init by this custom mutator
1046*08b48e0bSAndroid Build Coastguard Worker * @return The probability (0-100).
1047*08b48e0bSAndroid Build Coastguard Worker */
1048*08b48e0bSAndroid Build Coastguard Worker u8 (*afl_custom_havoc_mutation_probability)(void *data);
1049*08b48e0bSAndroid Build Coastguard Worker
1050*08b48e0bSAndroid Build Coastguard Worker /**
1051*08b48e0bSAndroid Build Coastguard Worker * Determine whether the fuzzer should fuzz the current queue entry or not.
1052*08b48e0bSAndroid Build Coastguard Worker *
1053*08b48e0bSAndroid Build Coastguard Worker * (Optional)
1054*08b48e0bSAndroid Build Coastguard Worker *
1055*08b48e0bSAndroid Build Coastguard Worker * @param data pointer returned in afl_custom_init by this custom mutator
1056*08b48e0bSAndroid Build Coastguard Worker * @param filename File name of the test case in the queue entry
1057*08b48e0bSAndroid Build Coastguard Worker * @return Return True(1) if the fuzzer will fuzz the queue entry, and
1058*08b48e0bSAndroid Build Coastguard Worker * False(0) otherwise.
1059*08b48e0bSAndroid Build Coastguard Worker */
1060*08b48e0bSAndroid Build Coastguard Worker u8 (*afl_custom_queue_get)(void *data, const u8 *filename);
1061*08b48e0bSAndroid Build Coastguard Worker
1062*08b48e0bSAndroid Build Coastguard Worker /**
1063*08b48e0bSAndroid Build Coastguard Worker * This method can be used if you want to send data to the target yourself,
1064*08b48e0bSAndroid Build Coastguard Worker * e.g. via IPC. This replaces some usage of utils/afl_proxy but requires
1065*08b48e0bSAndroid Build Coastguard Worker * that you start the target with afl-fuzz.
1066*08b48e0bSAndroid Build Coastguard Worker *
1067*08b48e0bSAndroid Build Coastguard Worker * (Optional)
1068*08b48e0bSAndroid Build Coastguard Worker *
1069*08b48e0bSAndroid Build Coastguard Worker * @param data pointer returned in afl_custom_init by this custom mutator
1070*08b48e0bSAndroid Build Coastguard Worker * @param buf Buffer containing the test case
1071*08b48e0bSAndroid Build Coastguard Worker * @param buf_size Size of the test case
1072*08b48e0bSAndroid Build Coastguard Worker */
1073*08b48e0bSAndroid Build Coastguard Worker void (*afl_custom_fuzz_send)(void *data, const u8 *buf, size_t buf_size);
1074*08b48e0bSAndroid Build Coastguard Worker
1075*08b48e0bSAndroid Build Coastguard Worker /**
1076*08b48e0bSAndroid Build Coastguard Worker * This method can be used if you want to run some code or scripts each time
1077*08b48e0bSAndroid Build Coastguard Worker * AFL++ executes the target with afl-fuzz.
1078*08b48e0bSAndroid Build Coastguard Worker *
1079*08b48e0bSAndroid Build Coastguard Worker * (Optional)
1080*08b48e0bSAndroid Build Coastguard Worker *
1081*08b48e0bSAndroid Build Coastguard Worker * @param data pointer returned in afl_custom_init by this custom mutator
1082*08b48e0bSAndroid Build Coastguard Worker */
1083*08b48e0bSAndroid Build Coastguard Worker void (*afl_custom_post_run)(void *data);
1084*08b48e0bSAndroid Build Coastguard Worker
1085*08b48e0bSAndroid Build Coastguard Worker /**
1086*08b48e0bSAndroid Build Coastguard Worker * Allow for additional analysis (e.g. calling a different tool that does a
1087*08b48e0bSAndroid Build Coastguard Worker * different kind of coverage and saves this for the custom mutator).
1088*08b48e0bSAndroid Build Coastguard Worker *
1089*08b48e0bSAndroid Build Coastguard Worker * (Optional)
1090*08b48e0bSAndroid Build Coastguard Worker *
1091*08b48e0bSAndroid Build Coastguard Worker * @param data pointer returned in afl_custom_init by this custom mutator
1092*08b48e0bSAndroid Build Coastguard Worker * @param filename_new_queue File name of the new queue entry
1093*08b48e0bSAndroid Build Coastguard Worker * @param filename_orig_queue File name of the original queue entry. This
1094*08b48e0bSAndroid Build Coastguard Worker * argument can be NULL while initializing the fuzzer
1095*08b48e0bSAndroid Build Coastguard Worker */
1096*08b48e0bSAndroid Build Coastguard Worker u8 (*afl_custom_queue_new_entry)(void *data, const u8 *filename_new_queue,
1097*08b48e0bSAndroid Build Coastguard Worker const u8 *filename_orig_queue);
1098*08b48e0bSAndroid Build Coastguard Worker /**
1099*08b48e0bSAndroid Build Coastguard Worker * Deinitialize the custom mutator.
1100*08b48e0bSAndroid Build Coastguard Worker *
1101*08b48e0bSAndroid Build Coastguard Worker * @param data pointer returned in afl_custom_init by this custom mutator
1102*08b48e0bSAndroid Build Coastguard Worker */
1103*08b48e0bSAndroid Build Coastguard Worker void (*afl_custom_deinit)(void *data);
1104*08b48e0bSAndroid Build Coastguard Worker
1105*08b48e0bSAndroid Build Coastguard Worker };
1106*08b48e0bSAndroid Build Coastguard Worker
1107*08b48e0bSAndroid Build Coastguard Worker void afl_state_init(afl_state_t *, uint32_t map_size);
1108*08b48e0bSAndroid Build Coastguard Worker void afl_state_deinit(afl_state_t *);
1109*08b48e0bSAndroid Build Coastguard Worker
1110*08b48e0bSAndroid Build Coastguard Worker /* Set stop_soon flag on all children, kill all children */
1111*08b48e0bSAndroid Build Coastguard Worker void afl_states_stop(void);
1112*08b48e0bSAndroid Build Coastguard Worker /* Set clear_screen flag on all states */
1113*08b48e0bSAndroid Build Coastguard Worker void afl_states_clear_screen(void);
1114*08b48e0bSAndroid Build Coastguard Worker /* Sets the skip flag on all states */
1115*08b48e0bSAndroid Build Coastguard Worker void afl_states_request_skip(void);
1116*08b48e0bSAndroid Build Coastguard Worker
1117*08b48e0bSAndroid Build Coastguard Worker /* Setup shmem for testcase delivery */
1118*08b48e0bSAndroid Build Coastguard Worker void setup_testcase_shmem(afl_state_t *afl);
1119*08b48e0bSAndroid Build Coastguard Worker
1120*08b48e0bSAndroid Build Coastguard Worker void read_afl_environment(afl_state_t *, char **);
1121*08b48e0bSAndroid Build Coastguard Worker
1122*08b48e0bSAndroid Build Coastguard Worker /**** Prototypes ****/
1123*08b48e0bSAndroid Build Coastguard Worker
1124*08b48e0bSAndroid Build Coastguard Worker /* Custom mutators */
1125*08b48e0bSAndroid Build Coastguard Worker void setup_custom_mutators(afl_state_t *);
1126*08b48e0bSAndroid Build Coastguard Worker void destroy_custom_mutators(afl_state_t *);
1127*08b48e0bSAndroid Build Coastguard Worker u8 trim_case_custom(afl_state_t *, struct queue_entry *q, u8 *in_buf,
1128*08b48e0bSAndroid Build Coastguard Worker struct custom_mutator *mutator);
1129*08b48e0bSAndroid Build Coastguard Worker void run_afl_custom_queue_new_entry(afl_state_t *, struct queue_entry *, u8 *,
1130*08b48e0bSAndroid Build Coastguard Worker u8 *);
1131*08b48e0bSAndroid Build Coastguard Worker
1132*08b48e0bSAndroid Build Coastguard Worker /* Python */
1133*08b48e0bSAndroid Build Coastguard Worker #ifdef USE_PYTHON
1134*08b48e0bSAndroid Build Coastguard Worker
1135*08b48e0bSAndroid Build Coastguard Worker struct custom_mutator *load_custom_mutator_py(afl_state_t *, char *);
1136*08b48e0bSAndroid Build Coastguard Worker void finalize_py_module(void *);
1137*08b48e0bSAndroid Build Coastguard Worker
1138*08b48e0bSAndroid Build Coastguard Worker u32 fuzz_count_py(void *, const u8 *, size_t);
1139*08b48e0bSAndroid Build Coastguard Worker void fuzz_send_py(void *, const u8 *, size_t);
1140*08b48e0bSAndroid Build Coastguard Worker void post_run_py(void *);
1141*08b48e0bSAndroid Build Coastguard Worker size_t post_process_py(void *, u8 *, size_t, u8 **);
1142*08b48e0bSAndroid Build Coastguard Worker s32 init_trim_py(void *, u8 *, size_t);
1143*08b48e0bSAndroid Build Coastguard Worker s32 post_trim_py(void *, u8);
1144*08b48e0bSAndroid Build Coastguard Worker size_t trim_py(void *, u8 **);
1145*08b48e0bSAndroid Build Coastguard Worker size_t havoc_mutation_py(void *, u8 *, size_t, u8 **, size_t);
1146*08b48e0bSAndroid Build Coastguard Worker u8 havoc_mutation_probability_py(void *);
1147*08b48e0bSAndroid Build Coastguard Worker u8 queue_get_py(void *, const u8 *);
1148*08b48e0bSAndroid Build Coastguard Worker const char *introspection_py(void *);
1149*08b48e0bSAndroid Build Coastguard Worker u8 queue_new_entry_py(void *, const u8 *, const u8 *);
1150*08b48e0bSAndroid Build Coastguard Worker void splice_optout(void *);
1151*08b48e0bSAndroid Build Coastguard Worker void deinit_py(void *);
1152*08b48e0bSAndroid Build Coastguard Worker
1153*08b48e0bSAndroid Build Coastguard Worker #endif
1154*08b48e0bSAndroid Build Coastguard Worker
1155*08b48e0bSAndroid Build Coastguard Worker /* Queue */
1156*08b48e0bSAndroid Build Coastguard Worker
1157*08b48e0bSAndroid Build Coastguard Worker void mark_as_det_done(afl_state_t *, struct queue_entry *);
1158*08b48e0bSAndroid Build Coastguard Worker void mark_as_variable(afl_state_t *, struct queue_entry *);
1159*08b48e0bSAndroid Build Coastguard Worker void mark_as_redundant(afl_state_t *, struct queue_entry *, u8);
1160*08b48e0bSAndroid Build Coastguard Worker void add_to_queue(afl_state_t *, u8 *, u32, u8);
1161*08b48e0bSAndroid Build Coastguard Worker void destroy_queue(afl_state_t *);
1162*08b48e0bSAndroid Build Coastguard Worker void update_bitmap_score(afl_state_t *, struct queue_entry *);
1163*08b48e0bSAndroid Build Coastguard Worker void cull_queue(afl_state_t *);
1164*08b48e0bSAndroid Build Coastguard Worker u32 calculate_score(afl_state_t *, struct queue_entry *);
1165*08b48e0bSAndroid Build Coastguard Worker
1166*08b48e0bSAndroid Build Coastguard Worker /* Bitmap */
1167*08b48e0bSAndroid Build Coastguard Worker
1168*08b48e0bSAndroid Build Coastguard Worker void write_bitmap(afl_state_t *);
1169*08b48e0bSAndroid Build Coastguard Worker u32 count_bits(afl_state_t *, u8 *);
1170*08b48e0bSAndroid Build Coastguard Worker u32 count_bytes(afl_state_t *, u8 *);
1171*08b48e0bSAndroid Build Coastguard Worker u32 count_non_255_bytes(afl_state_t *, u8 *);
1172*08b48e0bSAndroid Build Coastguard Worker void simplify_trace(afl_state_t *, u8 *);
1173*08b48e0bSAndroid Build Coastguard Worker #ifdef WORD_SIZE_64
1174*08b48e0bSAndroid Build Coastguard Worker void discover_word(u8 *ret, u64 *current, u64 *virgin);
1175*08b48e0bSAndroid Build Coastguard Worker #else
1176*08b48e0bSAndroid Build Coastguard Worker void discover_word(u8 *ret, u32 *current, u32 *virgin);
1177*08b48e0bSAndroid Build Coastguard Worker #endif
1178*08b48e0bSAndroid Build Coastguard Worker void init_count_class16(void);
1179*08b48e0bSAndroid Build Coastguard Worker void minimize_bits(afl_state_t *, u8 *, u8 *);
1180*08b48e0bSAndroid Build Coastguard Worker #ifndef SIMPLE_FILES
1181*08b48e0bSAndroid Build Coastguard Worker u8 *describe_op(afl_state_t *, u8, size_t);
1182*08b48e0bSAndroid Build Coastguard Worker #endif
1183*08b48e0bSAndroid Build Coastguard Worker u8 save_if_interesting(afl_state_t *, void *, u32, u8);
1184*08b48e0bSAndroid Build Coastguard Worker u8 has_new_bits(afl_state_t *, u8 *);
1185*08b48e0bSAndroid Build Coastguard Worker u8 has_new_bits_unclassified(afl_state_t *, u8 *);
1186*08b48e0bSAndroid Build Coastguard Worker #ifndef AFL_SHOWMAP
1187*08b48e0bSAndroid Build Coastguard Worker void classify_counts(afl_forkserver_t *);
1188*08b48e0bSAndroid Build Coastguard Worker #endif
1189*08b48e0bSAndroid Build Coastguard Worker
1190*08b48e0bSAndroid Build Coastguard Worker /* Extras */
1191*08b48e0bSAndroid Build Coastguard Worker
1192*08b48e0bSAndroid Build Coastguard Worker void load_extras_file(afl_state_t *, u8 *, u32 *, u32 *, u32);
1193*08b48e0bSAndroid Build Coastguard Worker void load_extras(afl_state_t *, u8 *);
1194*08b48e0bSAndroid Build Coastguard Worker void dedup_extras(afl_state_t *);
1195*08b48e0bSAndroid Build Coastguard Worker void deunicode_extras(afl_state_t *);
1196*08b48e0bSAndroid Build Coastguard Worker void add_extra(afl_state_t *afl, u8 *mem, u32 len);
1197*08b48e0bSAndroid Build Coastguard Worker void maybe_add_auto(afl_state_t *, u8 *, u32);
1198*08b48e0bSAndroid Build Coastguard Worker void save_auto(afl_state_t *);
1199*08b48e0bSAndroid Build Coastguard Worker void load_auto(afl_state_t *);
1200*08b48e0bSAndroid Build Coastguard Worker void destroy_extras(afl_state_t *);
1201*08b48e0bSAndroid Build Coastguard Worker
1202*08b48e0bSAndroid Build Coastguard Worker /* Stats */
1203*08b48e0bSAndroid Build Coastguard Worker
1204*08b48e0bSAndroid Build Coastguard Worker void load_stats_file(afl_state_t *);
1205*08b48e0bSAndroid Build Coastguard Worker void write_setup_file(afl_state_t *, u32, char **);
1206*08b48e0bSAndroid Build Coastguard Worker void write_stats_file(afl_state_t *, u32, double, double, double);
1207*08b48e0bSAndroid Build Coastguard Worker void maybe_update_plot_file(afl_state_t *, u32, double, double);
1208*08b48e0bSAndroid Build Coastguard Worker void write_queue_stats(afl_state_t *);
1209*08b48e0bSAndroid Build Coastguard Worker void show_stats(afl_state_t *);
1210*08b48e0bSAndroid Build Coastguard Worker void show_stats_normal(afl_state_t *);
1211*08b48e0bSAndroid Build Coastguard Worker void show_stats_pizza(afl_state_t *);
1212*08b48e0bSAndroid Build Coastguard Worker void show_init_stats(afl_state_t *);
1213*08b48e0bSAndroid Build Coastguard Worker
1214*08b48e0bSAndroid Build Coastguard Worker /* StatsD */
1215*08b48e0bSAndroid Build Coastguard Worker
1216*08b48e0bSAndroid Build Coastguard Worker void statsd_setup_format(afl_state_t *afl);
1217*08b48e0bSAndroid Build Coastguard Worker int statsd_socket_init(afl_state_t *afl);
1218*08b48e0bSAndroid Build Coastguard Worker int statsd_send_metric(afl_state_t *afl);
1219*08b48e0bSAndroid Build Coastguard Worker int statsd_format_metric(afl_state_t *afl, char *buff, size_t bufflen);
1220*08b48e0bSAndroid Build Coastguard Worker
1221*08b48e0bSAndroid Build Coastguard Worker /* Run */
1222*08b48e0bSAndroid Build Coastguard Worker
1223*08b48e0bSAndroid Build Coastguard Worker void sync_fuzzers(afl_state_t *);
1224*08b48e0bSAndroid Build Coastguard Worker u32 write_to_testcase(afl_state_t *, void **, u32, u32);
1225*08b48e0bSAndroid Build Coastguard Worker u8 calibrate_case(afl_state_t *, struct queue_entry *, u8 *, u32, u8);
1226*08b48e0bSAndroid Build Coastguard Worker u8 trim_case(afl_state_t *, struct queue_entry *, u8 *);
1227*08b48e0bSAndroid Build Coastguard Worker u8 common_fuzz_stuff(afl_state_t *, u8 *, u32);
1228*08b48e0bSAndroid Build Coastguard Worker fsrv_run_result_t fuzz_run_target(afl_state_t *, afl_forkserver_t *fsrv, u32);
1229*08b48e0bSAndroid Build Coastguard Worker
1230*08b48e0bSAndroid Build Coastguard Worker /* Fuzz one */
1231*08b48e0bSAndroid Build Coastguard Worker
1232*08b48e0bSAndroid Build Coastguard Worker u8 fuzz_one_original(afl_state_t *);
1233*08b48e0bSAndroid Build Coastguard Worker u8 pilot_fuzzing(afl_state_t *);
1234*08b48e0bSAndroid Build Coastguard Worker u8 core_fuzzing(afl_state_t *);
1235*08b48e0bSAndroid Build Coastguard Worker void pso_updating(afl_state_t *);
1236*08b48e0bSAndroid Build Coastguard Worker u8 fuzz_one(afl_state_t *);
1237*08b48e0bSAndroid Build Coastguard Worker
1238*08b48e0bSAndroid Build Coastguard Worker /* Init */
1239*08b48e0bSAndroid Build Coastguard Worker
1240*08b48e0bSAndroid Build Coastguard Worker #ifdef HAVE_AFFINITY
1241*08b48e0bSAndroid Build Coastguard Worker void bind_to_free_cpu(afl_state_t *);
1242*08b48e0bSAndroid Build Coastguard Worker #endif
1243*08b48e0bSAndroid Build Coastguard Worker void setup_post(afl_state_t *);
1244*08b48e0bSAndroid Build Coastguard Worker void read_testcases(afl_state_t *, u8 *);
1245*08b48e0bSAndroid Build Coastguard Worker void perform_dry_run(afl_state_t *);
1246*08b48e0bSAndroid Build Coastguard Worker void pivot_inputs(afl_state_t *);
1247*08b48e0bSAndroid Build Coastguard Worker u32 find_start_position(afl_state_t *);
1248*08b48e0bSAndroid Build Coastguard Worker void find_timeout(afl_state_t *);
1249*08b48e0bSAndroid Build Coastguard Worker double get_runnable_processes(void);
1250*08b48e0bSAndroid Build Coastguard Worker void nuke_resume_dir(afl_state_t *);
1251*08b48e0bSAndroid Build Coastguard Worker int check_main_node_exists(afl_state_t *);
1252*08b48e0bSAndroid Build Coastguard Worker u32 select_next_queue_entry(afl_state_t *afl);
1253*08b48e0bSAndroid Build Coastguard Worker void create_alias_table(afl_state_t *afl);
1254*08b48e0bSAndroid Build Coastguard Worker void setup_dirs_fds(afl_state_t *);
1255*08b48e0bSAndroid Build Coastguard Worker void setup_cmdline_file(afl_state_t *, char **);
1256*08b48e0bSAndroid Build Coastguard Worker void setup_stdio_file(afl_state_t *);
1257*08b48e0bSAndroid Build Coastguard Worker void check_crash_handling(void);
1258*08b48e0bSAndroid Build Coastguard Worker void check_cpu_governor(afl_state_t *);
1259*08b48e0bSAndroid Build Coastguard Worker void get_core_count(afl_state_t *);
1260*08b48e0bSAndroid Build Coastguard Worker void fix_up_sync(afl_state_t *);
1261*08b48e0bSAndroid Build Coastguard Worker void check_asan_opts(afl_state_t *);
1262*08b48e0bSAndroid Build Coastguard Worker void check_binary(afl_state_t *, u8 *);
1263*08b48e0bSAndroid Build Coastguard Worker void check_if_tty(afl_state_t *);
1264*08b48e0bSAndroid Build Coastguard Worker void save_cmdline(afl_state_t *, u32, char **);
1265*08b48e0bSAndroid Build Coastguard Worker void read_foreign_testcases(afl_state_t *, int);
1266*08b48e0bSAndroid Build Coastguard Worker void write_crash_readme(afl_state_t *afl);
1267*08b48e0bSAndroid Build Coastguard Worker u8 check_if_text_buf(u8 *buf, u32 len);
1268*08b48e0bSAndroid Build Coastguard Worker #ifndef AFL_SHOWMAP
1269*08b48e0bSAndroid Build Coastguard Worker void setup_signal_handlers(void);
1270*08b48e0bSAndroid Build Coastguard Worker #endif
1271*08b48e0bSAndroid Build Coastguard Worker char *get_fuzzing_state(afl_state_t *afl);
1272*08b48e0bSAndroid Build Coastguard Worker
1273*08b48e0bSAndroid Build Coastguard Worker /* CmpLog */
1274*08b48e0bSAndroid Build Coastguard Worker
1275*08b48e0bSAndroid Build Coastguard Worker u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len);
1276*08b48e0bSAndroid Build Coastguard Worker
1277*08b48e0bSAndroid Build Coastguard Worker /* RedQueen */
1278*08b48e0bSAndroid Build Coastguard Worker u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len);
1279*08b48e0bSAndroid Build Coastguard Worker
1280*08b48e0bSAndroid Build Coastguard Worker /* our RNG wrapper */
1281*08b48e0bSAndroid Build Coastguard Worker AFL_RAND_RETURN rand_next(afl_state_t *afl);
1282*08b48e0bSAndroid Build Coastguard Worker
1283*08b48e0bSAndroid Build Coastguard Worker /* probability between 0.0 and 1.0 */
1284*08b48e0bSAndroid Build Coastguard Worker double rand_next_percent(afl_state_t *afl);
1285*08b48e0bSAndroid Build Coastguard Worker
1286*08b48e0bSAndroid Build Coastguard Worker /* SkipDet Functions */
1287*08b48e0bSAndroid Build Coastguard Worker
1288*08b48e0bSAndroid Build Coastguard Worker u8 skip_deterministic_stage(afl_state_t *, u8 *, u8 *, u32, u64);
1289*08b48e0bSAndroid Build Coastguard Worker u8 is_det_timeout(u64, u8);
1290*08b48e0bSAndroid Build Coastguard Worker
1291*08b48e0bSAndroid Build Coastguard Worker void plot_profile_data(afl_state_t *, struct queue_entry *);
1292*08b48e0bSAndroid Build Coastguard Worker
1293*08b48e0bSAndroid Build Coastguard Worker /**** Inline routines ****/
1294*08b48e0bSAndroid Build Coastguard Worker
/* Draw a random number in [0, limit - 1]; limit <= 1 always yields 0.
   The rejection loop below removes modulo bias as long as rand_next() spans
   the full 64-bit range (AFL_RAND_RETURN is typedef'd elsewhere - if it is
   narrower than 64 bits the result is only approximately uniform).
   Periodically reseeds from /dev/urandom unless afl->fixed_seed is set, so
   fixed-seed runs stay reproducible. */

static inline u32 rand_below(afl_state_t *afl, u32 limit) {

  if (unlikely(limit <= 1)) { return 0; }

  /* rand_cnt counts draws until the next reseed. It is decremented on every
     call (also with a fixed seed), but the reseed itself is skipped when the
     seed is fixed. */
  if (unlikely(afl->rand_cnt-- == 0) && likely(!afl->fixed_seed)) {

    ck_read(afl->fsrv.dev_urandom_fd, &afl->rand_seed, sizeof(afl->rand_seed),
            "/dev/urandom");
    /* Next reseed after RESEED_RNG/2 .. 3*RESEED_RNG/2 draws, jittered by the
       freshly read seed word. */
    afl->rand_cnt = (RESEED_RNG / 2) + (afl->rand_seed[1] % RESEED_RNG);

  }

  /* Raw values from the incomplete top bucket [reject_from, UINT64_MAX] are
     discarded so that the final modulo is uniform. See:
     https://stackoverflow.com/questions/10984974/why-do-people-say-there-is-modulo-bias-when-using-a-random-number-generator
   */
  const u64 reject_from = UINT64_MAX - (UINT64_MAX % limit);

  for (;;) {

    u64 sample = rand_next(afl);
    if (likely(sample < reject_from)) { return sample % limit; }

  }

}
1327*08b48e0bSAndroid Build Coastguard Worker
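/* Like rand_below(), but skewed towards lower values: with probability 1/3
   each, the base draw is reduced modulo zero, one or two further random
   divisors. Only called from normal havoc (not MOpt), as an equalizer for
   expand havoc mode. Returns 0 for limit <= 1.

   The RNG calls are sequenced in separate statements on purpose: inside a
   single expression the order of the side-effecting rand_below() calls is
   unspecified in C, which would make the draw sequence - and thus fixed-seed
   reproducibility - compiler-dependent. */

static inline u32 rand_below_datalen(afl_state_t *afl, u32 limit) {

  if (unlikely(limit <= 1)) { return 0; }

  /* 0, 1 or 2 additional modulo reductions, each equally likely. */
  u32 reductions = rand_below(afl, 3);
  u32 value = rand_below(afl, limit);

  for (u32 i = 0; i < reductions; i++) {

    /* rand_below(afl, limit - 1) is in [0, limit - 2], so the divisor is in
       [1, limit - 1] and can never be zero. */
    value %= 1 + rand_below(afl, limit - 1);

  }

  return value;

}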
1353*08b48e0bSAndroid Build Coastguard Worker
/* Seed that describes the current RNG state: the init_seed value when a
   fixed seed is in use (presumably set through rand_set_seed() below),
   otherwise the first word of the most recent /dev/urandom reseed done by
   rand_below(). */

static inline s64 rand_get_seed(afl_state_t *afl) {

  if (likely(!afl->fixed_seed)) { return afl->rand_seed[0]; }

  return afl->init_seed;

}
1360*08b48e0bSAndroid Build Coastguard Worker
1361*08b48e0bSAndroid Build Coastguard Worker /* initialize randomness with a given seed. Can be called again at any time. */
1362*08b48e0bSAndroid Build Coastguard Worker void rand_set_seed(afl_state_t *afl, s64 init_seed);
1363*08b48e0bSAndroid Build Coastguard Worker
/* Smallest power of two that is >= val (1 for val <= 1). Only valid for
   val <= 2^63: beyond that the doubling wraps to 0 and the loop would never
   terminate, so callers must keep val in range. */

static inline u64 next_p2(u64 val) {

  u64 p2;

  for (p2 = 1; p2 < val; p2 <<= 1) {}

  return p2;

}
1379*08b48e0bSAndroid Build Coastguard Worker
1380*08b48e0bSAndroid Build Coastguard Worker /* Returns the testcase buf from the file behind this queue entry.
1381*08b48e0bSAndroid Build Coastguard Worker Increases the refcount. */
1382*08b48e0bSAndroid Build Coastguard Worker u8 *queue_testcase_get(afl_state_t *afl, struct queue_entry *q);
1383*08b48e0bSAndroid Build Coastguard Worker
1384*08b48e0bSAndroid Build Coastguard Worker /* If trimming changes the testcase size we have to reload it */
1385*08b48e0bSAndroid Build Coastguard Worker void queue_testcase_retake(afl_state_t *afl, struct queue_entry *q,
1386*08b48e0bSAndroid Build Coastguard Worker u32 old_len);
1387*08b48e0bSAndroid Build Coastguard Worker
1388*08b48e0bSAndroid Build Coastguard Worker /* If trimming changes the testcase size we have to replace it */
1389*08b48e0bSAndroid Build Coastguard Worker void queue_testcase_retake_mem(afl_state_t *afl, struct queue_entry *q, u8 *in,
1390*08b48e0bSAndroid Build Coastguard Worker u32 len, u32 old_len);
1391*08b48e0bSAndroid Build Coastguard Worker
1392*08b48e0bSAndroid Build Coastguard Worker /* Add a new queue entry directly to the cache */
1393*08b48e0bSAndroid Build Coastguard Worker
1394*08b48e0bSAndroid Build Coastguard Worker void queue_testcase_store_mem(afl_state_t *afl, struct queue_entry *q, u8 *mem);
1395*08b48e0bSAndroid Build Coastguard Worker
1396*08b48e0bSAndroid Build Coastguard Worker #if TESTCASE_CACHE == 1
1397*08b48e0bSAndroid Build Coastguard Worker #error define of TESTCASE_CACHE must be zero or larger than 1
1398*08b48e0bSAndroid Build Coastguard Worker #endif
1399*08b48e0bSAndroid Build Coastguard Worker
1400*08b48e0bSAndroid Build Coastguard Worker #endif
1401*08b48e0bSAndroid Build Coastguard Worker