AFLplusplus/instrumentation/afl-compiler-rt.o.c

*08b48e0bSAndroid Build Coastguard Worker/*
*08b48e0bSAndroid Build Coastguard Worker   american fuzzy lop++ - instrumentation bootstrap
*08b48e0bSAndroid Build Coastguard Worker   ------------------------------------------------
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker   Copyright 2015, 2016 Google Inc. All rights reserved.
*08b48e0bSAndroid Build Coastguard Worker   Copyright 2019-2024 AFLplusplus Project. All rights reserved.
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker   Licensed under the Apache License, Version 2.0 (the "License");
*08b48e0bSAndroid Build Coastguard Worker   you may not use this file except in compliance with the License.
*08b48e0bSAndroid Build Coastguard Worker   You may obtain a copy of the License at:
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker     https://www.apache.org/licenses/LICENSE-2.0
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker*/
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef __AFL_CODE_COVERAGE
*08b48e0bSAndroid Build Coastguard Worker  #ifndef _GNU_SOURCE
*08b48e0bSAndroid Build Coastguard Worker    #define _GNU_SOURCE
*08b48e0bSAndroid Build Coastguard Worker  #endif
*08b48e0bSAndroid Build Coastguard Worker  #ifndef __USE_GNU
*08b48e0bSAndroid Build Coastguard Worker    #define __USE_GNU
*08b48e0bSAndroid Build Coastguard Worker  #endif
*08b48e0bSAndroid Build Coastguard Worker  #include <dlfcn.h>
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker__attribute__((weak)) void __sanitizer_symbolize_pc(void *, const char *fmt,
*08b48e0bSAndroid Build Coastguard Worker                                                    char  *out_buf,
*08b48e0bSAndroid Build Coastguard Worker                                                    size_t out_buf_size);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef __ANDROID__
*08b48e0bSAndroid Build Coastguard Worker  #include "android-ashmem.h"
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker#include "config.h"
*08b48e0bSAndroid Build Coastguard Worker#include "types.h"
*08b48e0bSAndroid Build Coastguard Worker#include "cmplog.h"
*08b48e0bSAndroid Build Coastguard Worker#include "llvm-alternative-coverage.h"
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#define XXH_INLINE_ALL
*08b48e0bSAndroid Build Coastguard Worker#include "xxhash.h"
*08b48e0bSAndroid Build Coastguard Worker#undef XXH_INLINE_ALL
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#include <stdio.h>
*08b48e0bSAndroid Build Coastguard Worker#include <stdlib.h>
*08b48e0bSAndroid Build Coastguard Worker#include <signal.h>
*08b48e0bSAndroid Build Coastguard Worker#include <unistd.h>
*08b48e0bSAndroid Build Coastguard Worker#include <string.h>
*08b48e0bSAndroid Build Coastguard Worker#include <assert.h>
*08b48e0bSAndroid Build Coastguard Worker#include <stdint.h>
*08b48e0bSAndroid Build Coastguard Worker#include <stddef.h>
*08b48e0bSAndroid Build Coastguard Worker#include <limits.h>
*08b48e0bSAndroid Build Coastguard Worker#include <errno.h>
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#include <sys/mman.h>
*08b48e0bSAndroid Build Coastguard Worker#if !defined(__HAIKU__) && !defined(__OpenBSD__)
*08b48e0bSAndroid Build Coastguard Worker  #include <sys/syscall.h>
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker#ifndef USEMMAP
*08b48e0bSAndroid Build Coastguard Worker  #include <sys/shm.h>
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker#include <sys/wait.h>
*08b48e0bSAndroid Build Coastguard Worker#include <sys/types.h>
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#if !__GNUC__
*08b48e0bSAndroid Build Coastguard Worker  #include "llvm/Config/llvm-config.h"
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef __linux__
*08b48e0bSAndroid Build Coastguard Worker  #include "snapshot-inl.h"
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker/* This is a somewhat ugly hack for the experimental 'trace-pc-guard' mode.
*08b48e0bSAndroid Build Coastguard Worker   Basically, we need to make sure that the forkserver is initialized after
*08b48e0bSAndroid Build Coastguard Worker   the LLVM-generated runtime initialization pass, not before. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifndef MAP_FIXED_NOREPLACE
*08b48e0bSAndroid Build Coastguard Worker  #ifdef MAP_EXCL
*08b48e0bSAndroid Build Coastguard Worker    #define MAP_FIXED_NOREPLACE MAP_EXCL | MAP_FIXED
*08b48e0bSAndroid Build Coastguard Worker  #else
*08b48e0bSAndroid Build Coastguard Worker    #define MAP_FIXED_NOREPLACE MAP_FIXED
*08b48e0bSAndroid Build Coastguard Worker  #endif
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#define CTOR_PRIO 3
*08b48e0bSAndroid Build Coastguard Worker#define EARLY_FS_PRIO 5
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#include <sys/mman.h>
*08b48e0bSAndroid Build Coastguard Worker#include <fcntl.h>
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker/* Globals needed by the injected instrumentation. The __afl_area_initial region
*08b48e0bSAndroid Build Coastguard Worker   is used for instrumentation output before __afl_map_shm() has a chance to
*08b48e0bSAndroid Build Coastguard Worker   run. It will end up as .comm, so it shouldn't be too wasteful. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#if defined(__HAIKU__)
*08b48e0bSAndroid Build Coastguard Workerextern ssize_t _kern_write(int fd, off_t pos, const void *buffer,
*08b48e0bSAndroid Build Coastguard Worker                           size_t bufferSize);
*08b48e0bSAndroid Build Coastguard Worker#endif  // HAIKU
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workerchar *strcasestr(const char *haystack, const char *needle);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workerstatic u8  __afl_area_initial[MAP_INITIAL_SIZE];
*08b48e0bSAndroid Build Coastguard Workerstatic u8 *__afl_area_ptr_dummy = __afl_area_initial;
*08b48e0bSAndroid Build Coastguard Workerstatic u8 *__afl_area_ptr_backup = __afl_area_initial;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workeru8        *__afl_area_ptr = __afl_area_initial;
*08b48e0bSAndroid Build Coastguard Workeru8        *__afl_dictionary;
*08b48e0bSAndroid Build Coastguard Workeru8        *__afl_fuzz_ptr;
*08b48e0bSAndroid Build Coastguard Workerstatic u32 __afl_fuzz_len_dummy;
*08b48e0bSAndroid Build Coastguard Workeru32       *__afl_fuzz_len = &__afl_fuzz_len_dummy;
*08b48e0bSAndroid Build Coastguard Workerint        __afl_sharedmem_fuzzing __attribute__((weak));
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workeru32 __afl_final_loc;
*08b48e0bSAndroid Build Coastguard Workeru32 __afl_map_size = MAP_SIZE;
*08b48e0bSAndroid Build Coastguard Workeru32 __afl_dictionary_len;
*08b48e0bSAndroid Build Coastguard Workeru64 __afl_map_addr;
*08b48e0bSAndroid Build Coastguard Workeru32 __afl_first_final_loc;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef __AFL_CODE_COVERAGE
*08b48e0bSAndroid Build Coastguard Workertypedef struct afl_module_info_t afl_module_info_t;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workerstruct afl_module_info_t {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  // A unique id starting with 0
*08b48e0bSAndroid Build Coastguard Worker  u32 id;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  // Name and base address of the module
*08b48e0bSAndroid Build Coastguard Worker  char     *name;
*08b48e0bSAndroid Build Coastguard Worker  uintptr_t base_address;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  // PC Guard start/stop
*08b48e0bSAndroid Build Coastguard Worker  u32 *start;
*08b48e0bSAndroid Build Coastguard Worker  u32 *stop;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  // PC Table begin/end
*08b48e0bSAndroid Build Coastguard Worker  const uintptr_t *pcs_beg;
*08b48e0bSAndroid Build Coastguard Worker  const uintptr_t *pcs_end;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  u8 mapped;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl_module_info_t *next;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker};
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workertypedef struct {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  uintptr_t PC, PCFlags;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker} PCTableEntry;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workerafl_module_info_t *__afl_module_info = NULL;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workeru32        __afl_pcmap_size = 0;
*08b48e0bSAndroid Build Coastguard Workeruintptr_t *__afl_pcmap_ptr = NULL;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workertypedef struct {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  uintptr_t start;
*08b48e0bSAndroid Build Coastguard Worker  u32       len;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker} FilterPCEntry;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workeru32            __afl_filter_pcs_size = 0;
*08b48e0bSAndroid Build Coastguard WorkerFilterPCEntry *__afl_filter_pcs = NULL;
*08b48e0bSAndroid Build Coastguard Workeru8            *__afl_filter_pcs_module = NULL;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#endif  // __AFL_CODE_COVERAGE
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker/* 1 if we are running in afl, and the forkserver was started, else 0 */
*08b48e0bSAndroid Build Coastguard Workeru32 __afl_connected = 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker// for the __AFL_COVERAGE_ON/__AFL_COVERAGE_OFF features to work:
*08b48e0bSAndroid Build Coastguard Workerint        __afl_selective_coverage __attribute__((weak));
*08b48e0bSAndroid Build Coastguard Workerint        __afl_selective_coverage_start_off __attribute__((weak));
*08b48e0bSAndroid Build Coastguard Workerstatic int __afl_selective_coverage_temp = 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#if defined(__ANDROID__) || defined(__HAIKU__) || defined(NO_TLS)
*08b48e0bSAndroid Build Coastguard WorkerPREV_LOC_T __afl_prev_loc[NGRAM_SIZE_MAX];
*08b48e0bSAndroid Build Coastguard WorkerPREV_LOC_T __afl_prev_caller[CTX_MAX_K];
*08b48e0bSAndroid Build Coastguard Workeru32        __afl_prev_ctx;
*08b48e0bSAndroid Build Coastguard Worker#else
*08b48e0bSAndroid Build Coastguard Worker__thread PREV_LOC_T __afl_prev_loc[NGRAM_SIZE_MAX];
*08b48e0bSAndroid Build Coastguard Worker__thread PREV_LOC_T __afl_prev_caller[CTX_MAX_K];
*08b48e0bSAndroid Build Coastguard Worker__thread u32        __afl_prev_ctx;
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workerstruct cmp_map *__afl_cmp_map;
*08b48e0bSAndroid Build Coastguard Workerstruct cmp_map *__afl_cmp_map_backup;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker/* Child pid? */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workerstatic s32 child_pid;
*08b48e0bSAndroid Build Coastguard Workerstatic void (*old_sigterm_handler)(int) = 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker/* Running in persistent mode? */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workerstatic u8 is_persistent;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker/* Are we in sancov mode? */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workerstatic u8 _is_sancov;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker/* Debug? */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker/*static*/ u32 __afl_debug;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker/* Already initialized markers */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workeru32 __afl_already_initialized_shm;
*08b48e0bSAndroid Build Coastguard Workeru32 __afl_already_initialized_forkserver;
*08b48e0bSAndroid Build Coastguard Workeru32 __afl_already_initialized_first;
*08b48e0bSAndroid Build Coastguard Workeru32 __afl_already_initialized_second;
*08b48e0bSAndroid Build Coastguard Workeru32 __afl_already_initialized_early;
*08b48e0bSAndroid Build Coastguard Workeru32 __afl_already_initialized_init;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker/* Dummy pipe for area_is_valid() */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workerstatic int __afl_dummy_fd[2] = {2, 2};
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker/* ensure we kill the child on termination */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workerstatic void at_exit(int signal) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (unlikely(child_pid > 0)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    kill(child_pid, SIGKILL);
*08b48e0bSAndroid Build Coastguard Worker    waitpid(child_pid, NULL, 0);
*08b48e0bSAndroid Build Coastguard Worker    child_pid = -1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  _exit(0);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#define default_hash(a, b) XXH3_64bits(a, b)
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker/* Uninspired gcc plugin instrumentation */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workervoid __afl_trace(const u32 x) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  PREV_LOC_T prev = __afl_prev_loc[0];
*08b48e0bSAndroid Build Coastguard Worker  __afl_prev_loc[0] = (x >> 1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  u8 *p = &__afl_area_ptr[prev ^ x];
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#if 1                                      /* enable for neverZero feature. */
*08b48e0bSAndroid Build Coastguard Worker  #if __GNUC__
*08b48e0bSAndroid Build Coastguard Worker  u8 c = __builtin_add_overflow(*p, 1, p);
*08b48e0bSAndroid Build Coastguard Worker  *p += c;
*08b48e0bSAndroid Build Coastguard Worker  #else
*08b48e0bSAndroid Build Coastguard Worker  *p += 1 + ((u8)(1 + *p) == 0);
*08b48e0bSAndroid Build Coastguard Worker  #endif
*08b48e0bSAndroid Build Coastguard Worker#else
*08b48e0bSAndroid Build Coastguard Worker  ++*p;
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  return;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker/* Error reporting to forkserver controller */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workerstatic void send_forkserver_error(int error) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  u32 status;
*08b48e0bSAndroid Build Coastguard Worker  if (!error || error > 0xffff) return;
*08b48e0bSAndroid Build Coastguard Worker  status = (FS_OPT_ERROR | FS_OPT_SET_ERROR(error));
*08b48e0bSAndroid Build Coastguard Worker  if (write(FORKSRV_FD + 1, (char *)&status, 4) != 4) { return; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker/* SHM fuzzing setup. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workerstatic void __afl_map_shm_fuzz() {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  char *id_str = getenv(SHM_FUZZ_ENV_VAR);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (__afl_debug) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    fprintf(stderr, "DEBUG: fuzzcase shmem %s\n", id_str ? id_str : "none");
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (id_str) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    u8 *map = NULL;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef USEMMAP
*08b48e0bSAndroid Build Coastguard Worker    const char *shm_file_path = id_str;
*08b48e0bSAndroid Build Coastguard Worker    int         shm_fd = -1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* create the shared memory segment as if it was a file */
*08b48e0bSAndroid Build Coastguard Worker    shm_fd = shm_open(shm_file_path, O_RDWR, DEFAULT_PERMISSION);
*08b48e0bSAndroid Build Coastguard Worker    if (shm_fd == -1) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      fprintf(stderr, "shm_open() failed for fuzz\n");
*08b48e0bSAndroid Build Coastguard Worker      send_forkserver_error(FS_ERROR_SHM_OPEN);
*08b48e0bSAndroid Build Coastguard Worker      exit(1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    map =
*08b48e0bSAndroid Build Coastguard Worker        (u8 *)mmap(0, MAX_FILE + sizeof(u32), PROT_READ, MAP_SHARED, shm_fd, 0);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#else
*08b48e0bSAndroid Build Coastguard Worker    u32 shm_id = atoi(id_str);
*08b48e0bSAndroid Build Coastguard Worker    map = (u8 *)shmat(shm_id, NULL, 0);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* Whooooops. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (!map || map == (void *)-1) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      perror("Could not access fuzzing shared memory");
*08b48e0bSAndroid Build Coastguard Worker      send_forkserver_error(FS_ERROR_SHM_OPEN);
*08b48e0bSAndroid Build Coastguard Worker      exit(1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    __afl_fuzz_len = (u32 *)map;
*08b48e0bSAndroid Build Coastguard Worker    __afl_fuzz_ptr = map + sizeof(u32);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (__afl_debug) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      fprintf(stderr, "DEBUG: successfully got fuzzing shared memory\n");
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    fprintf(stderr, "Error: variable for fuzzing shared memory is not set\n");
*08b48e0bSAndroid Build Coastguard Worker    send_forkserver_error(FS_ERROR_SHM_OPEN);
*08b48e0bSAndroid Build Coastguard Worker    exit(1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker/* SHM setup. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workerstatic void __afl_map_shm(void) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (__afl_already_initialized_shm) return;
*08b48e0bSAndroid Build Coastguard Worker  __afl_already_initialized_shm = 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  // if we are not running in afl ensure the map exists
*08b48e0bSAndroid Build Coastguard Worker  if (!__afl_area_ptr) { __afl_area_ptr = __afl_area_ptr_dummy; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  char *id_str = getenv(SHM_ENV_VAR);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (__afl_final_loc) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    __afl_map_size = ++__afl_final_loc;  // as we count starting 0
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (getenv("AFL_DUMP_MAP_SIZE")) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      printf("%u\n", __afl_map_size);
*08b48e0bSAndroid Build Coastguard Worker      exit(-1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (__afl_final_loc > MAP_SIZE) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      char *ptr;
*08b48e0bSAndroid Build Coastguard Worker      u32   val = 0;
*08b48e0bSAndroid Build Coastguard Worker      if ((ptr = getenv("AFL_MAP_SIZE")) != NULL) { val = atoi(ptr); }
*08b48e0bSAndroid Build Coastguard Worker      if (val < __afl_final_loc) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        if (__afl_final_loc > FS_OPT_MAX_MAPSIZE) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          if (!getenv("AFL_QUIET"))
*08b48e0bSAndroid Build Coastguard Worker            fprintf(stderr,
*08b48e0bSAndroid Build Coastguard Worker                    "Error: AFL++ tools *require* to set AFL_MAP_SIZE to %u "
*08b48e0bSAndroid Build Coastguard Worker                    "to be able to run this instrumented program!\n",
*08b48e0bSAndroid Build Coastguard Worker                    __afl_final_loc);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          if (id_str) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            send_forkserver_error(FS_ERROR_MAP_SIZE);
*08b48e0bSAndroid Build Coastguard Worker            exit(-1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          if (__afl_final_loc > MAP_INITIAL_SIZE && !getenv("AFL_QUIET")) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            fprintf(stderr,
*08b48e0bSAndroid Build Coastguard Worker                    "Warning: AFL++ tools might need to set AFL_MAP_SIZE to %u "
*08b48e0bSAndroid Build Coastguard Worker                    "to be able to run this instrumented program if this "
*08b48e0bSAndroid Build Coastguard Worker                    "crashes!\n",
*08b48e0bSAndroid Build Coastguard Worker                    __afl_final_loc);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (getenv("AFL_DUMP_MAP_SIZE")) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      printf("%u\n", MAP_SIZE);
*08b48e0bSAndroid Build Coastguard Worker      exit(-1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (__afl_sharedmem_fuzzing && (!id_str || !getenv(SHM_FUZZ_ENV_VAR) ||
*08b48e0bSAndroid Build Coastguard Worker                                  fcntl(FORKSRV_FD, F_GETFD) == -1 ||
*08b48e0bSAndroid Build Coastguard Worker                                  fcntl(FORKSRV_FD + 1, F_GETFD) == -1)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (__afl_debug) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      fprintf(stderr,
*08b48e0bSAndroid Build Coastguard Worker              "DEBUG: running not inside afl-fuzz, disabling shared memory "
*08b48e0bSAndroid Build Coastguard Worker              "testcases\n");
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    __afl_sharedmem_fuzzing = 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (!id_str) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    u32 val = 0;
*08b48e0bSAndroid Build Coastguard Worker    u8 *ptr;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if ((ptr = getenv("AFL_MAP_SIZE")) != NULL) { val = atoi(ptr); }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (val > MAP_INITIAL_SIZE) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      __afl_map_size = val;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (__afl_first_final_loc > MAP_INITIAL_SIZE) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        // done in second stage constructor
*08b48e0bSAndroid Build Coastguard Worker        __afl_map_size = __afl_first_final_loc;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        __afl_map_size = MAP_INITIAL_SIZE;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (__afl_map_size > MAP_INITIAL_SIZE && __afl_final_loc < __afl_map_size) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      __afl_final_loc = __afl_map_size;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (__afl_debug) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      fprintf(stderr, "DEBUG: (0) init map size is %u to %p\n", __afl_map_size,
*08b48e0bSAndroid Build Coastguard Worker              __afl_area_ptr_dummy);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* If we're running under AFL, attach to the appropriate region, replacing the
*08b48e0bSAndroid Build Coastguard Worker     early-stage __afl_area_initial region that is needed to allow some really
*08b48e0bSAndroid Build Coastguard Worker     hacky .init code to work correctly in projects such as OpenSSL. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (__afl_debug) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    fprintf(
*08b48e0bSAndroid Build Coastguard Worker        stderr,
*08b48e0bSAndroid Build Coastguard Worker        "DEBUG: (1) id_str %s, __afl_area_ptr %p, __afl_area_initial %p, "
*08b48e0bSAndroid Build Coastguard Worker        "__afl_area_ptr_dummy %p, __afl_map_addr 0x%llx, MAP_SIZE %u, "
*08b48e0bSAndroid Build Coastguard Worker        "__afl_final_loc %u, __afl_map_size %u, max_size_forkserver %u/0x%x\n",
*08b48e0bSAndroid Build Coastguard Worker        id_str == NULL ? "<null>" : id_str, __afl_area_ptr, __afl_area_initial,
*08b48e0bSAndroid Build Coastguard Worker        __afl_area_ptr_dummy, __afl_map_addr, MAP_SIZE, __afl_final_loc,
*08b48e0bSAndroid Build Coastguard Worker        __afl_map_size, FS_OPT_MAX_MAPSIZE, FS_OPT_MAX_MAPSIZE);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (id_str) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (__afl_area_ptr && __afl_area_ptr != __afl_area_initial &&
*08b48e0bSAndroid Build Coastguard Worker        __afl_area_ptr != __afl_area_ptr_dummy) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (__afl_map_addr) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        munmap((void *)__afl_map_addr, __afl_final_loc);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        free(__afl_area_ptr);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      __afl_area_ptr = __afl_area_ptr_dummy;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef USEMMAP
*08b48e0bSAndroid Build Coastguard Worker    const char    *shm_file_path = id_str;
*08b48e0bSAndroid Build Coastguard Worker    int            shm_fd = -1;
*08b48e0bSAndroid Build Coastguard Worker    unsigned char *shm_base = NULL;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* create the shared memory segment as if it was a file */
*08b48e0bSAndroid Build Coastguard Worker    shm_fd = shm_open(shm_file_path, O_RDWR, DEFAULT_PERMISSION);
*08b48e0bSAndroid Build Coastguard Worker    if (shm_fd == -1) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      fprintf(stderr, "shm_open() failed\n");
*08b48e0bSAndroid Build Coastguard Worker      send_forkserver_error(FS_ERROR_SHM_OPEN);
*08b48e0bSAndroid Build Coastguard Worker      exit(1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* map the shared memory segment to the address space of the process */
*08b48e0bSAndroid Build Coastguard Worker    if (__afl_map_addr) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      shm_base =
*08b48e0bSAndroid Build Coastguard Worker          mmap((void *)__afl_map_addr, __afl_map_size, PROT_READ | PROT_WRITE,
*08b48e0bSAndroid Build Coastguard Worker               MAP_FIXED_NOREPLACE | MAP_SHARED, shm_fd, 0);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      shm_base = mmap(0, __afl_map_size, PROT_READ | PROT_WRITE, MAP_SHARED,
*08b48e0bSAndroid Build Coastguard Worker                      shm_fd, 0);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    close(shm_fd);
*08b48e0bSAndroid Build Coastguard Worker    shm_fd = -1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (shm_base == MAP_FAILED) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      fprintf(stderr, "mmap() failed\n");
*08b48e0bSAndroid Build Coastguard Worker      perror("mmap for map");
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (__afl_map_addr)
*08b48e0bSAndroid Build Coastguard Worker        send_forkserver_error(FS_ERROR_MAP_ADDR);
*08b48e0bSAndroid Build Coastguard Worker      else
*08b48e0bSAndroid Build Coastguard Worker        send_forkserver_error(FS_ERROR_MMAP);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      exit(2);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    __afl_area_ptr = shm_base;
*08b48e0bSAndroid Build Coastguard Worker#else
*08b48e0bSAndroid Build Coastguard Worker    u32 shm_id = atoi(id_str);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (__afl_map_size && __afl_map_size > MAP_SIZE) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      u8 *map_env = (u8 *)getenv("AFL_MAP_SIZE");
*08b48e0bSAndroid Build Coastguard Worker      if (!map_env || atoi((char *)map_env) < MAP_SIZE) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        fprintf(stderr, "FS_ERROR_MAP_SIZE\n");
*08b48e0bSAndroid Build Coastguard Worker        send_forkserver_error(FS_ERROR_MAP_SIZE);
*08b48e0bSAndroid Build Coastguard Worker        _exit(1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    __afl_area_ptr = (u8 *)shmat(shm_id, (void *)__afl_map_addr, 0);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* Whooooops. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (!__afl_area_ptr || __afl_area_ptr == (void *)-1) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (__afl_map_addr)
*08b48e0bSAndroid Build Coastguard Worker        send_forkserver_error(FS_ERROR_MAP_ADDR);
*08b48e0bSAndroid Build Coastguard Worker      else
*08b48e0bSAndroid Build Coastguard Worker        send_forkserver_error(FS_ERROR_SHMAT);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      perror("shmat for map");
*08b48e0bSAndroid Build Coastguard Worker      _exit(1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* Write something into the bitmap so that even with low AFL_INST_RATIO,
*08b48e0bSAndroid Build Coastguard Worker       our parent doesn't give up on us. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    __afl_area_ptr[0] = 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  } else if ((!__afl_area_ptr || __afl_area_ptr == __afl_area_initial) &&
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker             __afl_map_addr) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    __afl_area_ptr = (u8 *)mmap(
*08b48e0bSAndroid Build Coastguard Worker        (void *)__afl_map_addr, __afl_map_size, PROT_READ | PROT_WRITE,
*08b48e0bSAndroid Build Coastguard Worker        MAP_FIXED_NOREPLACE | MAP_SHARED | MAP_ANONYMOUS, -1, 0);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (__afl_area_ptr == MAP_FAILED) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      fprintf(stderr, "can not acquire mmap for address %p\n",
*08b48e0bSAndroid Build Coastguard Worker              (void *)__afl_map_addr);
*08b48e0bSAndroid Build Coastguard Worker      send_forkserver_error(FS_ERROR_SHM_OPEN);
*08b48e0bSAndroid Build Coastguard Worker      exit(1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  } else if (__afl_final_loc > MAP_INITIAL_SIZE &&
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker             __afl_final_loc > __afl_first_final_loc) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (__afl_area_initial != __afl_area_ptr_dummy) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      free(__afl_area_ptr_dummy);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    __afl_area_ptr_dummy = (u8 *)malloc(__afl_final_loc);
*08b48e0bSAndroid Build Coastguard Worker    __afl_area_ptr = __afl_area_ptr_dummy;
*08b48e0bSAndroid Build Coastguard Worker    __afl_map_size = __afl_final_loc;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (!__afl_area_ptr_dummy) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      fprintf(stderr,
*08b48e0bSAndroid Build Coastguard Worker              "Error: AFL++ could not acquire %u bytes of memory, exiting!\n",
*08b48e0bSAndroid Build Coastguard Worker              __afl_final_loc);
*08b48e0bSAndroid Build Coastguard Worker      exit(-1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }  // else: nothing to be done
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  __afl_area_ptr_backup = __afl_area_ptr;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (__afl_debug) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    fprintf(stderr,
*08b48e0bSAndroid Build Coastguard Worker            "DEBUG: (2) id_str %s, __afl_area_ptr %p, __afl_area_initial %p, "
*08b48e0bSAndroid Build Coastguard Worker            "__afl_area_ptr_dummy %p, __afl_map_addr 0x%llx, MAP_SIZE "
*08b48e0bSAndroid Build Coastguard Worker            "%u, __afl_final_loc %u, __afl_map_size %u, "
*08b48e0bSAndroid Build Coastguard Worker            "max_size_forkserver %u/0x%x\n",
*08b48e0bSAndroid Build Coastguard Worker            id_str == NULL ? "<null>" : id_str, __afl_area_ptr,
*08b48e0bSAndroid Build Coastguard Worker            __afl_area_initial, __afl_area_ptr_dummy, __afl_map_addr, MAP_SIZE,
*08b48e0bSAndroid Build Coastguard Worker            __afl_final_loc, __afl_map_size, FS_OPT_MAX_MAPSIZE,
*08b48e0bSAndroid Build Coastguard Worker            FS_OPT_MAX_MAPSIZE);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (__afl_selective_coverage) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (__afl_map_size > MAP_INITIAL_SIZE) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      __afl_area_ptr_dummy = (u8 *)malloc(__afl_map_size);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (__afl_area_ptr_dummy) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        if (__afl_selective_coverage_start_off) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          __afl_area_ptr = __afl_area_ptr_dummy;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        fprintf(stderr, "Error: __afl_selective_coverage failed!\n");
*08b48e0bSAndroid Build Coastguard Worker        __afl_selective_coverage = 0;
*08b48e0bSAndroid Build Coastguard Worker        // continue;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  id_str = getenv(CMPLOG_SHM_ENV_VAR);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (__afl_debug) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    fprintf(stderr, "DEBUG: cmplog id_str %s\n",
*08b48e0bSAndroid Build Coastguard Worker            id_str == NULL ? "<null>" : id_str);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (id_str) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    // /dev/null doesn't work so we use /dev/urandom
*08b48e0bSAndroid Build Coastguard Worker    if ((__afl_dummy_fd[1] = open("/dev/urandom", O_WRONLY)) < 0) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (pipe(__afl_dummy_fd) < 0) { __afl_dummy_fd[1] = 1; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef USEMMAP
*08b48e0bSAndroid Build Coastguard Worker    const char     *shm_file_path = id_str;
*08b48e0bSAndroid Build Coastguard Worker    int             shm_fd = -1;
*08b48e0bSAndroid Build Coastguard Worker    struct cmp_map *shm_base = NULL;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* create the shared memory segment as if it was a file */
*08b48e0bSAndroid Build Coastguard Worker    shm_fd = shm_open(shm_file_path, O_RDWR, DEFAULT_PERMISSION);
*08b48e0bSAndroid Build Coastguard Worker    if (shm_fd == -1) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      perror("shm_open() failed\n");
*08b48e0bSAndroid Build Coastguard Worker      send_forkserver_error(FS_ERROR_SHM_OPEN);
*08b48e0bSAndroid Build Coastguard Worker      exit(1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* map the shared memory segment to the address space of the process */
*08b48e0bSAndroid Build Coastguard Worker    shm_base = mmap(0, sizeof(struct cmp_map), PROT_READ | PROT_WRITE,
*08b48e0bSAndroid Build Coastguard Worker                    MAP_SHARED, shm_fd, 0);
*08b48e0bSAndroid Build Coastguard Worker    if (shm_base == MAP_FAILED) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      close(shm_fd);
*08b48e0bSAndroid Build Coastguard Worker      shm_fd = -1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      fprintf(stderr, "mmap() failed\n");
*08b48e0bSAndroid Build Coastguard Worker      send_forkserver_error(FS_ERROR_SHM_OPEN);
*08b48e0bSAndroid Build Coastguard Worker      exit(2);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    __afl_cmp_map = shm_base;
*08b48e0bSAndroid Build Coastguard Worker#else
*08b48e0bSAndroid Build Coastguard Worker    u32 shm_id = atoi(id_str);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    __afl_cmp_map = (struct cmp_map *)shmat(shm_id, NULL, 0);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    __afl_cmp_map_backup = __afl_cmp_map;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (!__afl_cmp_map || __afl_cmp_map == (void *)-1) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      perror("shmat for cmplog");
*08b48e0bSAndroid Build Coastguard Worker      send_forkserver_error(FS_ERROR_SHM_OPEN);
*08b48e0bSAndroid Build Coastguard Worker      _exit(1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef __AFL_CODE_COVERAGE
*08b48e0bSAndroid Build Coastguard Worker  char *pcmap_id_str = getenv("__AFL_PCMAP_SHM_ID");
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (pcmap_id_str) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    __afl_pcmap_size = __afl_map_size * sizeof(void *);
*08b48e0bSAndroid Build Coastguard Worker    u32 shm_id = atoi(pcmap_id_str);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    __afl_pcmap_ptr = (uintptr_t *)shmat(shm_id, NULL, 0);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (__afl_debug) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      fprintf(stderr, "DEBUG: Received %p via shmat for pcmap\n",
*08b48e0bSAndroid Build Coastguard Worker              __afl_pcmap_ptr);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#endif  // __AFL_CODE_COVERAGE
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker/* unmap SHM. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workerstatic void __afl_unmap_shm(void) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (!__afl_already_initialized_shm) return;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef __AFL_CODE_COVERAGE
*08b48e0bSAndroid Build Coastguard Worker  if (__afl_pcmap_size) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    shmdt((void *)__afl_pcmap_ptr);
*08b48e0bSAndroid Build Coastguard Worker    __afl_pcmap_ptr = NULL;
*08b48e0bSAndroid Build Coastguard Worker    __afl_pcmap_size = 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#endif  // __AFL_CODE_COVERAGE
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  char *id_str = getenv(SHM_ENV_VAR);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (id_str) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef USEMMAP
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    munmap((void *)__afl_area_ptr, __afl_map_size);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#else
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    shmdt((void *)__afl_area_ptr);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  } else if ((!__afl_area_ptr || __afl_area_ptr == __afl_area_initial) &&
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker             __afl_map_addr) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    munmap((void *)__afl_map_addr, __afl_map_size);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  __afl_area_ptr = __afl_area_ptr_dummy;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  id_str = getenv(CMPLOG_SHM_ENV_VAR);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (id_str) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef USEMMAP
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    munmap((void *)__afl_cmp_map, __afl_map_size);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#else
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    shmdt((void *)__afl_cmp_map);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    __afl_cmp_map = NULL;
*08b48e0bSAndroid Build Coastguard Worker    __afl_cmp_map_backup = NULL;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  __afl_already_initialized_shm = 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#define write_error(text) write_error_with_location(text, __FILE__, __LINE__)
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workervoid write_error_with_location(char *text, char *filename, int linenumber) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  u8   *o = getenv("__AFL_OUT_DIR");
*08b48e0bSAndroid Build Coastguard Worker  char *e = strerror(errno);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (o) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    char buf[4096];
*08b48e0bSAndroid Build Coastguard Worker    snprintf(buf, sizeof(buf), "%s/error.txt", o);
*08b48e0bSAndroid Build Coastguard Worker    FILE *f = fopen(buf, "a");
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (f) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      fprintf(f, "File %s, line %d: Error(%s): %s\n", filename, linenumber,
*08b48e0bSAndroid Build Coastguard Worker              text, e);
*08b48e0bSAndroid Build Coastguard Worker      fclose(f);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  fprintf(stderr, "File %s, line %d: Error(%s): %s\n", filename, linenumber,
*08b48e0bSAndroid Build Coastguard Worker          text, e);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef __linux__
*08b48e0bSAndroid Build Coastguard Workerstatic void __afl_start_snapshots(void) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  static u8 tmp[4] = {0, 0, 0, 0};
*08b48e0bSAndroid Build Coastguard Worker  u32       status = 0;
*08b48e0bSAndroid Build Coastguard Worker  u32       already_read_first = 0;
*08b48e0bSAndroid Build Coastguard Worker  u32       was_killed;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  u8 child_stopped = 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  void (*old_sigchld_handler)(int) = signal(SIGCHLD, SIG_DFL);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* Phone home and tell the parent that we're OK. If parent isn't there,
*08b48e0bSAndroid Build Coastguard Worker     assume we're not running in forkserver mode and just execute program. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  status |= (FS_OPT_ENABLED | FS_OPT_SNAPSHOT | FS_OPT_NEWCMPLOG);
*08b48e0bSAndroid Build Coastguard Worker  if (__afl_sharedmem_fuzzing) { status |= FS_OPT_SHDMEM_FUZZ; }
*08b48e0bSAndroid Build Coastguard Worker  if (__afl_map_size <= FS_OPT_MAX_MAPSIZE)
*08b48e0bSAndroid Build Coastguard Worker    status |= (FS_OPT_SET_MAPSIZE(__afl_map_size) | FS_OPT_MAPSIZE);
*08b48e0bSAndroid Build Coastguard Worker  if (__afl_dictionary_len && __afl_dictionary) { status |= FS_OPT_AUTODICT; }
*08b48e0bSAndroid Build Coastguard Worker  memcpy(tmp, &status, 4);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (write(FORKSRV_FD + 1, tmp, 4) != 4) { return; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (__afl_sharedmem_fuzzing || (__afl_dictionary_len && __afl_dictionary)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (read(FORKSRV_FD, &was_killed, 4) != 4) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      write_error("read to afl-fuzz");
*08b48e0bSAndroid Build Coastguard Worker      _exit(1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (__afl_debug) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      fprintf(stderr, "DEBUG: target forkserver recv: %08x\n", was_killed);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if ((was_killed & (FS_OPT_ENABLED | FS_OPT_SHDMEM_FUZZ)) ==
*08b48e0bSAndroid Build Coastguard Worker        (FS_OPT_ENABLED | FS_OPT_SHDMEM_FUZZ)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      __afl_map_shm_fuzz();
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if ((was_killed & (FS_OPT_ENABLED | FS_OPT_AUTODICT)) ==
*08b48e0bSAndroid Build Coastguard Worker            (FS_OPT_ENABLED | FS_OPT_AUTODICT) &&
*08b48e0bSAndroid Build Coastguard Worker        __afl_dictionary_len && __afl_dictionary) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      // great lets pass the dictionary through the forkserver FD
*08b48e0bSAndroid Build Coastguard Worker      u32 len = __afl_dictionary_len, offset = 0;
*08b48e0bSAndroid Build Coastguard Worker      s32 ret;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (write(FORKSRV_FD + 1, &len, 4) != 4) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        write(2, "Error: could not send dictionary len\n",
*08b48e0bSAndroid Build Coastguard Worker              strlen("Error: could not send dictionary len\n"));
*08b48e0bSAndroid Build Coastguard Worker        _exit(1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      while (len != 0) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        ret = write(FORKSRV_FD + 1, __afl_dictionary + offset, len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        if (ret < 1) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          write(2, "Error: could not send dictionary\n",
*08b48e0bSAndroid Build Coastguard Worker                strlen("Error: could not send dictionary\n"));
*08b48e0bSAndroid Build Coastguard Worker          _exit(1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        len -= ret;
*08b48e0bSAndroid Build Coastguard Worker        offset += ret;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      // uh this forkserver does not understand extended option passing
*08b48e0bSAndroid Build Coastguard Worker      // or does not want the dictionary
*08b48e0bSAndroid Build Coastguard Worker      if (!__afl_fuzz_ptr) already_read_first = 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  while (1) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    int status;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (already_read_first) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      already_read_first = 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      /* Wait for parent by reading from the pipe. Abort if read fails. */
*08b48e0bSAndroid Build Coastguard Worker      if (read(FORKSRV_FD, &was_killed, 4) != 4) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        write_error("reading from afl-fuzz");
*08b48e0bSAndroid Build Coastguard Worker        _exit(1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  #ifdef _AFL_DOCUMENT_MUTATIONS
*08b48e0bSAndroid Build Coastguard Worker    if (__afl_fuzz_ptr) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      static uint32_t counter = 0;
*08b48e0bSAndroid Build Coastguard Worker      char            fn[32];
*08b48e0bSAndroid Build Coastguard Worker      sprintf(fn, "%09u:forkserver", counter);
*08b48e0bSAndroid Build Coastguard Worker      s32 fd_doc = open(fn, O_WRONLY | O_CREAT | O_TRUNC, DEFAULT_PERMISSION);
*08b48e0bSAndroid Build Coastguard Worker      if (fd_doc >= 0) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        if (write(fd_doc, __afl_fuzz_ptr, *__afl_fuzz_len) != *__afl_fuzz_len) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          fprintf(stderr, "write of mutation file failed: %s\n", fn);
*08b48e0bSAndroid Build Coastguard Worker          unlink(fn);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        close(fd_doc);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      counter++;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  #endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* If we stopped the child in persistent mode, but there was a race
*08b48e0bSAndroid Build Coastguard Worker       condition and afl-fuzz already issued SIGKILL, write off the old
*08b48e0bSAndroid Build Coastguard Worker       process. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (child_stopped && was_killed) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      child_stopped = 0;
*08b48e0bSAndroid Build Coastguard Worker      if (waitpid(child_pid, &status, 0) < 0) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        write_error("child_stopped && was_killed");
*08b48e0bSAndroid Build Coastguard Worker        _exit(1);  // TODO why exit?
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (!child_stopped) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      /* Once woken up, create a clone of our process. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      child_pid = fork();
*08b48e0bSAndroid Build Coastguard Worker      if (child_pid < 0) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        write_error("fork");
*08b48e0bSAndroid Build Coastguard Worker        _exit(1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      /* In child process: close fds, resume execution. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (!child_pid) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        //(void)nice(-20);  // does not seem to improve
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        signal(SIGCHLD, old_sigchld_handler);
*08b48e0bSAndroid Build Coastguard Worker        signal(SIGTERM, old_sigterm_handler);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        close(FORKSRV_FD);
*08b48e0bSAndroid Build Coastguard Worker        close(FORKSRV_FD + 1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        if (!afl_snapshot_take(AFL_SNAPSHOT_MMAP | AFL_SNAPSHOT_FDS |
*08b48e0bSAndroid Build Coastguard Worker                               AFL_SNAPSHOT_REGS | AFL_SNAPSHOT_EXIT)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          raise(SIGSTOP);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        __afl_area_ptr[0] = 1;
*08b48e0bSAndroid Build Coastguard Worker        memset(__afl_prev_loc, 0, NGRAM_SIZE_MAX * sizeof(PREV_LOC_T));
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        return;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      /* Special handling for persistent mode: if the child is alive but
*08b48e0bSAndroid Build Coastguard Worker         currently stopped, simply restart it with SIGCONT. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      kill(child_pid, SIGCONT);
*08b48e0bSAndroid Build Coastguard Worker      child_stopped = 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* In parent process: write PID to pipe, then wait for child. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (write(FORKSRV_FD + 1, &child_pid, 4) != 4) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      write_error("write to afl-fuzz");
*08b48e0bSAndroid Build Coastguard Worker      _exit(1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (waitpid(child_pid, &status, WUNTRACED) < 0) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      write_error("waitpid");
*08b48e0bSAndroid Build Coastguard Worker      _exit(1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* In persistent mode, the child stops itself with SIGSTOP to indicate
*08b48e0bSAndroid Build Coastguard Worker       a successful run. In this case, we want to wake it up without forking
*08b48e0bSAndroid Build Coastguard Worker       again. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (WIFSTOPPED(status)) child_stopped = 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* Relay wait status to pipe, then loop back. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (write(FORKSRV_FD + 1, &status, 4) != 4) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      write_error("writing to afl-fuzz");
*08b48e0bSAndroid Build Coastguard Worker      _exit(1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker/* Fork server logic. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workerstatic void __afl_start_forkserver(void) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (__afl_already_initialized_forkserver) return;
*08b48e0bSAndroid Build Coastguard Worker  __afl_already_initialized_forkserver = 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  struct sigaction orig_action;
*08b48e0bSAndroid Build Coastguard Worker  sigaction(SIGTERM, NULL, &orig_action);
*08b48e0bSAndroid Build Coastguard Worker  old_sigterm_handler = orig_action.sa_handler;
*08b48e0bSAndroid Build Coastguard Worker  signal(SIGTERM, at_exit);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef __linux__
*08b48e0bSAndroid Build Coastguard Worker  if (/*!is_persistent &&*/ !__afl_cmp_map && !getenv("AFL_NO_SNAPSHOT") &&
*08b48e0bSAndroid Build Coastguard Worker      afl_snapshot_init() >= 0) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    __afl_start_snapshots();
*08b48e0bSAndroid Build Coastguard Worker    return;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  u8  tmp[4] = {0, 0, 0, 0};
*08b48e0bSAndroid Build Coastguard Worker  u32 status_for_fsrv = 0;
*08b48e0bSAndroid Build Coastguard Worker  u32 already_read_first = 0;
*08b48e0bSAndroid Build Coastguard Worker  u32 was_killed;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  u8 child_stopped = 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  void (*old_sigchld_handler)(int) = signal(SIGCHLD, SIG_DFL);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (__afl_map_size <= FS_OPT_MAX_MAPSIZE) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    status_for_fsrv |= (FS_OPT_SET_MAPSIZE(__afl_map_size) | FS_OPT_MAPSIZE);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (__afl_dictionary_len && __afl_dictionary) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    status_for_fsrv |= FS_OPT_AUTODICT;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (__afl_sharedmem_fuzzing) { status_for_fsrv |= FS_OPT_SHDMEM_FUZZ; }
*08b48e0bSAndroid Build Coastguard Worker  if (status_for_fsrv) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    status_for_fsrv |= (FS_OPT_ENABLED | FS_OPT_NEWCMPLOG);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  memcpy(tmp, &status_for_fsrv, 4);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* Phone home and tell the parent that we're OK. If parent isn't there,
*08b48e0bSAndroid Build Coastguard Worker     assume we're not running in forkserver mode and just execute program. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (write(FORKSRV_FD + 1, tmp, 4) != 4) { return; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  __afl_connected = 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (__afl_sharedmem_fuzzing || (__afl_dictionary_len && __afl_dictionary)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (read(FORKSRV_FD, &was_killed, 4) != 4) _exit(1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (__afl_debug) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      fprintf(stderr, "DEBUG: target forkserver recv: %08x\n", was_killed);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if ((was_killed & (FS_OPT_ENABLED | FS_OPT_SHDMEM_FUZZ)) ==
*08b48e0bSAndroid Build Coastguard Worker        (FS_OPT_ENABLED | FS_OPT_SHDMEM_FUZZ)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      __afl_map_shm_fuzz();
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if ((was_killed & (FS_OPT_ENABLED | FS_OPT_AUTODICT)) ==
*08b48e0bSAndroid Build Coastguard Worker            (FS_OPT_ENABLED | FS_OPT_AUTODICT) &&
*08b48e0bSAndroid Build Coastguard Worker        __afl_dictionary_len && __afl_dictionary) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      // great lets pass the dictionary through the forkserver FD
*08b48e0bSAndroid Build Coastguard Worker      u32 len = __afl_dictionary_len, offset = 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (write(FORKSRV_FD + 1, &len, 4) != 4) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        write(2, "Error: could not send dictionary len\n",
*08b48e0bSAndroid Build Coastguard Worker              strlen("Error: could not send dictionary len\n"));
*08b48e0bSAndroid Build Coastguard Worker        _exit(1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      while (len != 0) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        s32 ret;
*08b48e0bSAndroid Build Coastguard Worker        ret = write(FORKSRV_FD + 1, __afl_dictionary + offset, len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        if (ret < 1) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          write(2, "Error: could not send dictionary\n",
*08b48e0bSAndroid Build Coastguard Worker                strlen("Error: could not send dictionary\n"));
*08b48e0bSAndroid Build Coastguard Worker          _exit(1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        len -= ret;
*08b48e0bSAndroid Build Coastguard Worker        offset += ret;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      // uh this forkserver does not understand extended option passing
*08b48e0bSAndroid Build Coastguard Worker      // or does not want the dictionary
*08b48e0bSAndroid Build Coastguard Worker      if (!__afl_fuzz_ptr) already_read_first = 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  while (1) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    int status;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* Wait for parent by reading from the pipe. Abort if read fails. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (already_read_first) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      already_read_first = 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (read(FORKSRV_FD, &was_killed, 4) != 4) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        // write_error("read from afl-fuzz");
*08b48e0bSAndroid Build Coastguard Worker        _exit(1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef _AFL_DOCUMENT_MUTATIONS
*08b48e0bSAndroid Build Coastguard Worker    if (__afl_fuzz_ptr) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      static uint32_t counter = 0;
*08b48e0bSAndroid Build Coastguard Worker      char            fn[32];
*08b48e0bSAndroid Build Coastguard Worker      sprintf(fn, "%09u:forkserver", counter);
*08b48e0bSAndroid Build Coastguard Worker      s32 fd_doc = open(fn, O_WRONLY | O_CREAT | O_TRUNC, DEFAULT_PERMISSION);
*08b48e0bSAndroid Build Coastguard Worker      if (fd_doc >= 0) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        if (write(fd_doc, __afl_fuzz_ptr, *__afl_fuzz_len) != *__afl_fuzz_len) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          fprintf(stderr, "write of mutation file failed: %s\n", fn);
*08b48e0bSAndroid Build Coastguard Worker          unlink(fn);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        close(fd_doc);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      counter++;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* If we stopped the child in persistent mode, but there was a race
*08b48e0bSAndroid Build Coastguard Worker       condition and afl-fuzz already issued SIGKILL, write off the old
*08b48e0bSAndroid Build Coastguard Worker       process. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (child_stopped && was_killed) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      child_stopped = 0;
*08b48e0bSAndroid Build Coastguard Worker      if (waitpid(child_pid, &status, 0) < 0) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        write_error("child_stopped && was_killed");
*08b48e0bSAndroid Build Coastguard Worker        _exit(1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (!child_stopped) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      /* Once woken up, create a clone of our process. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      child_pid = fork();
*08b48e0bSAndroid Build Coastguard Worker      if (child_pid < 0) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        write_error("fork");
*08b48e0bSAndroid Build Coastguard Worker        _exit(1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      /* In child process: close fds, resume execution. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (!child_pid) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        //(void)nice(-20);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        signal(SIGCHLD, old_sigchld_handler);
*08b48e0bSAndroid Build Coastguard Worker        signal(SIGTERM, old_sigterm_handler);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        close(FORKSRV_FD);
*08b48e0bSAndroid Build Coastguard Worker        close(FORKSRV_FD + 1);
*08b48e0bSAndroid Build Coastguard Worker        return;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      /* Special handling for persistent mode: if the child is alive but
*08b48e0bSAndroid Build Coastguard Worker         currently stopped, simply restart it with SIGCONT. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      kill(child_pid, SIGCONT);
*08b48e0bSAndroid Build Coastguard Worker      child_stopped = 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* In parent process: write PID to pipe, then wait for child. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (write(FORKSRV_FD + 1, &child_pid, 4) != 4) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      write_error("write to afl-fuzz");
*08b48e0bSAndroid Build Coastguard Worker      _exit(1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (waitpid(child_pid, &status, is_persistent ? WUNTRACED : 0) < 0) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      write_error("waitpid");
*08b48e0bSAndroid Build Coastguard Worker      _exit(1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* In persistent mode, the child stops itself with SIGSTOP to indicate
*08b48e0bSAndroid Build Coastguard Worker       a successful run. In this case, we want to wake it up without forking
*08b48e0bSAndroid Build Coastguard Worker       again. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (WIFSTOPPED(status)) child_stopped = 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* Relay wait status to pipe, then loop back. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (write(FORKSRV_FD + 1, &status, 4) != 4) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      write_error("writing to afl-fuzz");
*08b48e0bSAndroid Build Coastguard Worker      _exit(1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker/* A simplified persistent mode handler, used as explained in
*08b48e0bSAndroid Build Coastguard Worker * README.llvm.md. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workerint __afl_persistent_loop(unsigned int max_cnt) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  static u8  first_pass = 1;
*08b48e0bSAndroid Build Coastguard Worker  static u32 cycle_cnt;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (first_pass) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* Make sure that every iteration of __AFL_LOOP() starts with a clean slate.
*08b48e0bSAndroid Build Coastguard Worker       On subsequent calls, the parent will take care of that, but on the first
*08b48e0bSAndroid Build Coastguard Worker       iteration, it's our job to erase any trace of whatever happened
*08b48e0bSAndroid Build Coastguard Worker       before the loop. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    memset(__afl_area_ptr, 0, __afl_map_size);
*08b48e0bSAndroid Build Coastguard Worker    __afl_area_ptr[0] = 1;
*08b48e0bSAndroid Build Coastguard Worker    memset(__afl_prev_loc, 0, NGRAM_SIZE_MAX * sizeof(PREV_LOC_T));
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    cycle_cnt = max_cnt;
*08b48e0bSAndroid Build Coastguard Worker    first_pass = 0;
*08b48e0bSAndroid Build Coastguard Worker    __afl_selective_coverage_temp = 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    return 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  } else if (--cycle_cnt) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    raise(SIGSTOP);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    __afl_area_ptr[0] = 1;
*08b48e0bSAndroid Build Coastguard Worker    memset(__afl_prev_loc, 0, NGRAM_SIZE_MAX * sizeof(PREV_LOC_T));
*08b48e0bSAndroid Build Coastguard Worker    __afl_selective_coverage_temp = 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    return 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* When exiting __AFL_LOOP(), make sure that the subsequent code that
*08b48e0bSAndroid Build Coastguard Worker        follows the loop is not traced. We do that by pivoting back to the
*08b48e0bSAndroid Build Coastguard Worker        dummy output region. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    __afl_area_ptr = __afl_area_ptr_dummy;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    return 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker/* This one can be called from user code when deferred forkserver mode
*08b48e0bSAndroid Build Coastguard Worker    is enabled. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workervoid __afl_manual_init(void) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  static u8 init_done;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (getenv("AFL_DISABLE_LLVM_INSTRUMENTATION")) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    init_done = 1;
*08b48e0bSAndroid Build Coastguard Worker    is_persistent = 0;
*08b48e0bSAndroid Build Coastguard Worker    __afl_sharedmem_fuzzing = 0;
*08b48e0bSAndroid Build Coastguard Worker    if (__afl_area_ptr == NULL) __afl_area_ptr = __afl_area_ptr_dummy;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (__afl_debug) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      fprintf(stderr,
*08b48e0bSAndroid Build Coastguard Worker              "DEBUG: disabled instrumentation because of "
*08b48e0bSAndroid Build Coastguard Worker              "AFL_DISABLE_LLVM_INSTRUMENTATION\n");
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (!init_done) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    __afl_start_forkserver();
*08b48e0bSAndroid Build Coastguard Worker    init_done = 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker/* Initialization of the forkserver - latest possible */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker__attribute__((constructor())) void __afl_auto_init(void) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (__afl_already_initialized_init) { return; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef __ANDROID__
*08b48e0bSAndroid Build Coastguard Worker  // Disable handlers in linker/debuggerd, check include/debuggerd/handler.h
*08b48e0bSAndroid Build Coastguard Worker  signal(SIGABRT, SIG_DFL);
*08b48e0bSAndroid Build Coastguard Worker  signal(SIGBUS, SIG_DFL);
*08b48e0bSAndroid Build Coastguard Worker  signal(SIGFPE, SIG_DFL);
*08b48e0bSAndroid Build Coastguard Worker  signal(SIGILL, SIG_DFL);
*08b48e0bSAndroid Build Coastguard Worker  signal(SIGSEGV, SIG_DFL);
*08b48e0bSAndroid Build Coastguard Worker  signal(SIGSTKFLT, SIG_DFL);
*08b48e0bSAndroid Build Coastguard Worker  signal(SIGSYS, SIG_DFL);
*08b48e0bSAndroid Build Coastguard Worker  signal(SIGTRAP, SIG_DFL);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  __afl_already_initialized_init = 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (getenv("AFL_DISABLE_LLVM_INSTRUMENTATION")) return;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (getenv(DEFER_ENV_VAR)) return;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  __afl_manual_init();
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker/* Optionally run an early forkserver */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker__attribute__((constructor(EARLY_FS_PRIO))) void __early_forkserver(void) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (getenv("AFL_EARLY_FORKSERVER")) { __afl_auto_init(); }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker/* Initialization of the shmem - earliest possible because of LTO fixed mem. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker__attribute__((constructor(CTOR_PRIO))) void __afl_auto_early(void) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (__afl_already_initialized_early) return;
*08b48e0bSAndroid Build Coastguard Worker  __afl_already_initialized_early = 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  is_persistent = !!getenv(PERSIST_ENV_VAR);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (getenv("AFL_DISABLE_LLVM_INSTRUMENTATION")) return;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  __afl_map_shm();
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker/* preset __afl_area_ptr #2 */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker__attribute__((constructor(1))) void __afl_auto_second(void) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (__afl_already_initialized_second) return;
*08b48e0bSAndroid Build Coastguard Worker  __afl_already_initialized_second = 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (getenv("AFL_DEBUG")) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    __afl_debug = 1;
*08b48e0bSAndroid Build Coastguard Worker    fprintf(stderr, "DEBUG: debug enabled\n");
*08b48e0bSAndroid Build Coastguard Worker    fprintf(stderr, "DEBUG: AFL++ afl-compiler-rt" VERSION "\n");
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (getenv("AFL_DISABLE_LLVM_INSTRUMENTATION")) return;
*08b48e0bSAndroid Build Coastguard Worker  u8 *ptr;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (__afl_final_loc > MAP_INITIAL_SIZE) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    __afl_first_final_loc = __afl_final_loc + 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (__afl_area_ptr && __afl_area_ptr != __afl_area_initial)
*08b48e0bSAndroid Build Coastguard Worker      free(__afl_area_ptr);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (__afl_map_addr)
*08b48e0bSAndroid Build Coastguard Worker      ptr = (u8 *)mmap((void *)__afl_map_addr, __afl_first_final_loc,
*08b48e0bSAndroid Build Coastguard Worker                       PROT_READ | PROT_WRITE,
*08b48e0bSAndroid Build Coastguard Worker                       MAP_FIXED_NOREPLACE | MAP_SHARED | MAP_ANONYMOUS, -1, 0);
*08b48e0bSAndroid Build Coastguard Worker    else
*08b48e0bSAndroid Build Coastguard Worker      ptr = (u8 *)malloc(__afl_first_final_loc);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (ptr && (ssize_t)ptr != -1) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      __afl_area_ptr = ptr;
*08b48e0bSAndroid Build Coastguard Worker      __afl_area_ptr_dummy = __afl_area_ptr;
*08b48e0bSAndroid Build Coastguard Worker      __afl_area_ptr_backup = __afl_area_ptr;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}  // ptr memleak report is a false positive
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker/* preset __afl_area_ptr #1 - at constructor level 0 global variables have
*08b48e0bSAndroid Build Coastguard Worker   not been set */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker__attribute__((constructor(0))) void __afl_auto_first(void) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (__afl_already_initialized_first) return;
*08b48e0bSAndroid Build Coastguard Worker  __afl_already_initialized_first = 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (getenv("AFL_DISABLE_LLVM_INSTRUMENTATION")) return;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /*
*08b48e0bSAndroid Build Coastguard Worker    u8 *ptr = (u8 *)malloc(MAP_INITIAL_SIZE);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (ptr && (ssize_t)ptr != -1) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      __afl_area_ptr = ptr;
*08b48e0bSAndroid Build Coastguard Worker      __afl_area_ptr_backup = __afl_area_ptr;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}  // ptr memleak report is a false positive
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker/* The following stuff deals with supporting -fsanitize-coverage=trace-pc-guard.
*08b48e0bSAndroid Build Coastguard Worker   It remains non-operational in the traditional, plugin-backed LLVM mode.
*08b48e0bSAndroid Build Coastguard Worker   For more info about 'trace-pc-guard', see README.llvm.md.
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker   The first function (__sanitizer_cov_trace_pc_guard) is called back on every
*08b48e0bSAndroid Build Coastguard Worker   edge (as opposed to every basic block). */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workervoid __sanitizer_cov_trace_pc_guard(uint32_t *guard) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  // For stability analysis, if you want to know to which function unstable
*08b48e0bSAndroid Build Coastguard Worker  // edge IDs belong - uncomment, recompile+install llvm_mode, recompile
*08b48e0bSAndroid Build Coastguard Worker  // the target. libunwind and libbacktrace are better solutions.
*08b48e0bSAndroid Build Coastguard Worker  // Set AFL_DEBUG_CHILD=1 and run afl-fuzz with 2>file to capture
*08b48e0bSAndroid Build Coastguard Worker  // the backtrace output
*08b48e0bSAndroid Build Coastguard Worker  /*
*08b48e0bSAndroid Build Coastguard Worker  uint32_t unstable[] = { ... unstable edge IDs };
*08b48e0bSAndroid Build Coastguard Worker  uint32_t idx;
*08b48e0bSAndroid Build Coastguard Worker  char bt[1024];
*08b48e0bSAndroid Build Coastguard Worker  for (idx = 0; i < sizeof(unstable)/sizeof(uint32_t); i++) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (unstable[idx] == __afl_area_ptr[*guard]) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      int bt_size = backtrace(bt, 256);
*08b48e0bSAndroid Build Coastguard Worker      if (bt_size > 0) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        char **bt_syms = backtrace_symbols(bt, bt_size);
*08b48e0bSAndroid Build Coastguard Worker        if (bt_syms) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          fprintf(stderr, "DEBUG: edge=%u caller=%s\n", unstable[idx],
*08b48e0bSAndroid Build Coastguard Worker  bt_syms[0]);
*08b48e0bSAndroid Build Coastguard Worker          free(bt_syms);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#if (LLVM_VERSION_MAJOR < 9)
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  __afl_area_ptr[*guard]++;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#else
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  __afl_area_ptr[*guard] =
*08b48e0bSAndroid Build Coastguard Worker      __afl_area_ptr[*guard] + 1 + (__afl_area_ptr[*guard] == 255 ? 1 : 0);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef __AFL_CODE_COVERAGE
*08b48e0bSAndroid Build Coastguard Workervoid afl_read_pc_filter_file(const char *filter_file) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  FILE *file;
*08b48e0bSAndroid Build Coastguard Worker  char  ch;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  file = fopen(filter_file, "r");
*08b48e0bSAndroid Build Coastguard Worker  if (file == NULL) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    perror("Error opening file");
*08b48e0bSAndroid Build Coastguard Worker    return;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  // Check how many PCs we expect to read
*08b48e0bSAndroid Build Coastguard Worker  while ((ch = fgetc(file)) != EOF) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (ch == '\n') { __afl_filter_pcs_size++; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  // Rewind to actually read the PCs
*08b48e0bSAndroid Build Coastguard Worker  fseek(file, 0, SEEK_SET);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  __afl_filter_pcs = malloc(__afl_filter_pcs_size * sizeof(FilterPCEntry));
*08b48e0bSAndroid Build Coastguard Worker  if (!__afl_filter_pcs) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    perror("Error allocating PC array");
*08b48e0bSAndroid Build Coastguard Worker    return;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  for (size_t i = 0; i < __afl_filter_pcs_size; i++) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    fscanf(file, "%lx", &(__afl_filter_pcs[i].start));
*08b48e0bSAndroid Build Coastguard Worker    ch = fgetc(file);  // Read tab
*08b48e0bSAndroid Build Coastguard Worker    fscanf(file, "%u", &(__afl_filter_pcs[i].len));
*08b48e0bSAndroid Build Coastguard Worker    ch = fgetc(file);  // Read tab
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (!__afl_filter_pcs_module) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      // Read the module name and store it.
*08b48e0bSAndroid Build Coastguard Worker      // TODO: We only support one module here right now although
*08b48e0bSAndroid Build Coastguard Worker      // there is technically no reason to support multiple modules
*08b48e0bSAndroid Build Coastguard Worker      // in one go.
*08b48e0bSAndroid Build Coastguard Worker      size_t max_module_len = 255;
*08b48e0bSAndroid Build Coastguard Worker      size_t i = 0;
*08b48e0bSAndroid Build Coastguard Worker      __afl_filter_pcs_module = malloc(max_module_len);
*08b48e0bSAndroid Build Coastguard Worker      while (i < max_module_len - 1 &&
*08b48e0bSAndroid Build Coastguard Worker             (__afl_filter_pcs_module[i] = fgetc(file)) != '\t') {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        ++i;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      __afl_filter_pcs_module[i] = '\0';
*08b48e0bSAndroid Build Coastguard Worker      fprintf(stderr, "DEBUGXXX: Read module name %s\n",
*08b48e0bSAndroid Build Coastguard Worker              __afl_filter_pcs_module);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    while ((ch = fgetc(file)) != '\n' && ch != EOF)
*08b48e0bSAndroid Build Coastguard Worker      ;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  fclose(file);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workeru32 locate_in_pcs(uintptr_t needle, u32 *index) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  size_t lower_bound = 0;
*08b48e0bSAndroid Build Coastguard Worker  size_t upper_bound = __afl_filter_pcs_size - 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  while (lower_bound < __afl_filter_pcs_size && lower_bound <= upper_bound) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    size_t current_index = lower_bound + (upper_bound - lower_bound) / 2;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (__afl_filter_pcs[current_index].start <= needle) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (__afl_filter_pcs[current_index].start +
*08b48e0bSAndroid Build Coastguard Worker              __afl_filter_pcs[current_index].len >
*08b48e0bSAndroid Build Coastguard Worker          needle) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        // Hit
*08b48e0bSAndroid Build Coastguard Worker        *index = current_index;
*08b48e0bSAndroid Build Coastguard Worker        return 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        lower_bound = current_index + 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (!current_index) { break; }
*08b48e0bSAndroid Build Coastguard Worker      upper_bound = current_index - 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  return 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workervoid __sanitizer_cov_pcs_init(const uintptr_t *pcs_beg,
*08b48e0bSAndroid Build Coastguard Worker                              const uintptr_t *pcs_end) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  // If for whatever reason, we cannot get dlinfo here, then pc_guard_init also
*08b48e0bSAndroid Build Coastguard Worker  // couldn't get it and we'd end up attributing to the wrong module.
*08b48e0bSAndroid Build Coastguard Worker  Dl_info dlinfo;
*08b48e0bSAndroid Build Coastguard Worker  if (!dladdr(__builtin_return_address(0), &dlinfo)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    fprintf(stderr,
*08b48e0bSAndroid Build Coastguard Worker            "WARNING: Ignoring __sanitizer_cov_pcs_init callback due to "
*08b48e0bSAndroid Build Coastguard Worker            "missing module info\n");
*08b48e0bSAndroid Build Coastguard Worker    return;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (__afl_debug) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    fprintf(
*08b48e0bSAndroid Build Coastguard Worker        stderr,
*08b48e0bSAndroid Build Coastguard Worker        "DEBUG: (%u) __sanitizer_cov_pcs_init called for module %s with %ld "
*08b48e0bSAndroid Build Coastguard Worker        "PCs\n",
*08b48e0bSAndroid Build Coastguard Worker        getpid(), dlinfo.dli_fname, pcs_end - pcs_beg);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl_module_info_t *last_module_info = __afl_module_info;
*08b48e0bSAndroid Build Coastguard Worker  while (last_module_info && last_module_info->next) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    last_module_info = last_module_info->next;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (!last_module_info) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    fprintf(stderr,
*08b48e0bSAndroid Build Coastguard Worker            "ERROR: __sanitizer_cov_pcs_init called with no module info?!\n");
*08b48e0bSAndroid Build Coastguard Worker    abort();
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (strcmp(dlinfo.dli_fname, last_module_info->name)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    // This can happen with modules being loaded after the forkserver
*08b48e0bSAndroid Build Coastguard Worker    // where we decide to not track the module. In that case we must
*08b48e0bSAndroid Build Coastguard Worker    // not track it here either.
*08b48e0bSAndroid Build Coastguard Worker    fprintf(
*08b48e0bSAndroid Build Coastguard Worker        stderr,
*08b48e0bSAndroid Build Coastguard Worker        "WARNING: __sanitizer_cov_pcs_init module info mismatch: %s vs %s\n",
*08b48e0bSAndroid Build Coastguard Worker        dlinfo.dli_fname, last_module_info->name);
*08b48e0bSAndroid Build Coastguard Worker    return;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  last_module_info->pcs_beg = pcs_beg;
*08b48e0bSAndroid Build Coastguard Worker  last_module_info->pcs_end = pcs_end;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  // This is a direct filter based on symbolizing inside the runtime.
*08b48e0bSAndroid Build Coastguard Worker  // It should only be used with smaller binaries to avoid long startup
*08b48e0bSAndroid Build Coastguard Worker  // times. Currently, this only supports a single token to scan for.
*08b48e0bSAndroid Build Coastguard Worker  const char *pc_filter = getenv("AFL_PC_FILTER");
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  // This is a much faster PC filter based on pre-symbolized input data
*08b48e0bSAndroid Build Coastguard Worker  // that is sorted for fast lookup through binary search. This method
*08b48e0bSAndroid Build Coastguard Worker  // of filtering is suitable even for very large binaries.
*08b48e0bSAndroid Build Coastguard Worker  const char *pc_filter_file = getenv("AFL_PC_FILTER_FILE");
*08b48e0bSAndroid Build Coastguard Worker  if (pc_filter_file && !__afl_filter_pcs) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    afl_read_pc_filter_file(pc_filter_file);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  // Now update the pcmap. If this is the last module coming in, after all
*08b48e0bSAndroid Build Coastguard Worker  // pre-loaded code, then this will also map all of our delayed previous
*08b48e0bSAndroid Build Coastguard Worker  // modules.
*08b48e0bSAndroid Build Coastguard Worker  //
*08b48e0bSAndroid Build Coastguard Worker  for (afl_module_info_t *mod_info = __afl_module_info; mod_info;
*08b48e0bSAndroid Build Coastguard Worker       mod_info = mod_info->next) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (mod_info->mapped) { continue; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (!mod_info->start) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      fprintf(stderr,
*08b48e0bSAndroid Build Coastguard Worker              "ERROR: __sanitizer_cov_pcs_init called with mod_info->start == "
*08b48e0bSAndroid Build Coastguard Worker              "NULL (%s)\n",
*08b48e0bSAndroid Build Coastguard Worker              mod_info->name);
*08b48e0bSAndroid Build Coastguard Worker      abort();
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    PCTableEntry *start = (PCTableEntry *)(mod_info->pcs_beg);
*08b48e0bSAndroid Build Coastguard Worker    PCTableEntry *end = (PCTableEntry *)(mod_info->pcs_end);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (!*mod_info->stop) { continue; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    u32 in_module_index = 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    while (start < end) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (*mod_info->start + in_module_index >= __afl_map_size) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        fprintf(stderr,
*08b48e0bSAndroid Build Coastguard Worker                "ERROR: __sanitizer_cov_pcs_init out of bounds?! Start: %u "
*08b48e0bSAndroid Build Coastguard Worker                "Stop: %u Map Size: %u (%s)\n",
*08b48e0bSAndroid Build Coastguard Worker                *mod_info->start, *mod_info->stop, __afl_map_size,
*08b48e0bSAndroid Build Coastguard Worker                mod_info->name);
*08b48e0bSAndroid Build Coastguard Worker        abort();
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      u32 orig_start_index = *mod_info->start;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      uintptr_t PC = start->PC;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      // This is what `GetPreviousInstructionPc` in sanitizer runtime does
*08b48e0bSAndroid Build Coastguard Worker      // for x86/x86-64. Needs more work for ARM and other archs.
*08b48e0bSAndroid Build Coastguard Worker      PC = PC - 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      // Calculate relative offset in module
*08b48e0bSAndroid Build Coastguard Worker      PC = PC - mod_info->base_address;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (__afl_pcmap_ptr) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        __afl_pcmap_ptr[orig_start_index + in_module_index] = PC;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (pc_filter) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        char PcDescr[1024];
*08b48e0bSAndroid Build Coastguard Worker        // This function is a part of the sanitizer run-time.
*08b48e0bSAndroid Build Coastguard Worker        // To use it, link with AddressSanitizer or other sanitizer.
*08b48e0bSAndroid Build Coastguard Worker        __sanitizer_symbolize_pc((void *)start->PC, "%p %F %L", PcDescr,
*08b48e0bSAndroid Build Coastguard Worker                                 sizeof(PcDescr));
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        if (strstr(PcDescr, pc_filter)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          if (__afl_debug)
*08b48e0bSAndroid Build Coastguard Worker            fprintf(
*08b48e0bSAndroid Build Coastguard Worker                stderr,
*08b48e0bSAndroid Build Coastguard Worker                "DEBUG: Selective instrumentation match: %s (PC %p Index %u)\n",
*08b48e0bSAndroid Build Coastguard Worker                PcDescr, (void *)start->PC,
*08b48e0bSAndroid Build Coastguard Worker                *(mod_info->start + in_module_index));
*08b48e0bSAndroid Build Coastguard Worker          // No change to guard needed
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          // Null out the guard to disable this edge
*08b48e0bSAndroid Build Coastguard Worker          *(mod_info->start + in_module_index) = 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (__afl_filter_pcs && strstr(mod_info->name, __afl_filter_pcs_module)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        u32 result_index;
*08b48e0bSAndroid Build Coastguard Worker        if (locate_in_pcs(PC, &result_index)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          if (__afl_debug)
*08b48e0bSAndroid Build Coastguard Worker            fprintf(stderr,
*08b48e0bSAndroid Build Coastguard Worker                    "DEBUG: Selective instrumentation match: (PC %lx File "
*08b48e0bSAndroid Build Coastguard Worker                    "Index %u PC Index %u)\n",
*08b48e0bSAndroid Build Coastguard Worker                    PC, result_index, in_module_index);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          // Null out the guard to disable this edge
*08b48e0bSAndroid Build Coastguard Worker          *(mod_info->start + in_module_index) = 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      start++;
*08b48e0bSAndroid Build Coastguard Worker      in_module_index++;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    mod_info->mapped = 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (__afl_debug) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      fprintf(stderr,
*08b48e0bSAndroid Build Coastguard Worker              "DEBUG: __sanitizer_cov_pcs_init successfully mapped %s with %u "
*08b48e0bSAndroid Build Coastguard Worker              "PCs\n",
*08b48e0bSAndroid Build Coastguard Worker              mod_info->name, in_module_index);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#endif  // __AFL_CODE_COVERAGE
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker/* Init callback. Populates instrumentation IDs. Note that we're using
*08b48e0bSAndroid Build Coastguard Worker   ID of 0 as a special value to indicate non-instrumented bits. That may
*08b48e0bSAndroid Build Coastguard Worker   still touch the bitmap, but in a fairly harmless way. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workervoid __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  u32   inst_ratio = 100;
*08b48e0bSAndroid Build Coastguard Worker  char *x;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  _is_sancov = 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (!getenv("AFL_DUMP_MAP_SIZE")) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    __afl_auto_first();
*08b48e0bSAndroid Build Coastguard Worker    __afl_auto_second();
*08b48e0bSAndroid Build Coastguard Worker    __afl_auto_early();
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (__afl_debug) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    fprintf(
*08b48e0bSAndroid Build Coastguard Worker        stderr,
*08b48e0bSAndroid Build Coastguard Worker        "DEBUG: Running __sanitizer_cov_trace_pc_guard_init: %p-%p (%lu edges) "
*08b48e0bSAndroid Build Coastguard Worker        "after_fs=%u *start=%u\n",
*08b48e0bSAndroid Build Coastguard Worker        start, stop, (unsigned long)(stop - start),
*08b48e0bSAndroid Build Coastguard Worker        __afl_already_initialized_forkserver, *start);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (start == stop || *start) { return; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef __AFL_CODE_COVERAGE
*08b48e0bSAndroid Build Coastguard Worker  u32               *orig_start = start;
*08b48e0bSAndroid Build Coastguard Worker  afl_module_info_t *mod_info = NULL;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  Dl_info dlinfo;
*08b48e0bSAndroid Build Coastguard Worker  if (dladdr(__builtin_return_address(0), &dlinfo)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (__afl_already_initialized_forkserver) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      fprintf(stderr, "[pcmap] Error: Module was not preloaded: %s\n",
*08b48e0bSAndroid Build Coastguard Worker              dlinfo.dli_fname);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      afl_module_info_t *last_module_info = __afl_module_info;
*08b48e0bSAndroid Build Coastguard Worker      while (last_module_info && last_module_info->next) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        last_module_info = last_module_info->next;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      mod_info = malloc(sizeof(afl_module_info_t));
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      mod_info->id = last_module_info ? last_module_info->id + 1 : 0;
*08b48e0bSAndroid Build Coastguard Worker      mod_info->name = strdup(dlinfo.dli_fname);
*08b48e0bSAndroid Build Coastguard Worker      mod_info->base_address = (uintptr_t)dlinfo.dli_fbase;
*08b48e0bSAndroid Build Coastguard Worker      mod_info->start = NULL;
*08b48e0bSAndroid Build Coastguard Worker      mod_info->stop = NULL;
*08b48e0bSAndroid Build Coastguard Worker      mod_info->pcs_beg = NULL;
*08b48e0bSAndroid Build Coastguard Worker      mod_info->pcs_end = NULL;
*08b48e0bSAndroid Build Coastguard Worker      mod_info->mapped = 0;
*08b48e0bSAndroid Build Coastguard Worker      mod_info->next = NULL;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (last_module_info) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        last_module_info->next = mod_info;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        __afl_module_info = mod_info;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (__afl_debug) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        fprintf(stderr, "[pcmap] Module: %s Base Address: %p\n",
*08b48e0bSAndroid Build Coastguard Worker                dlinfo.dli_fname, dlinfo.dli_fbase);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    fprintf(stderr, "[pcmap] dladdr call failed\n");
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#endif  // __AFL_CODE_COVERAGE
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  x = getenv("AFL_INST_RATIO");
*08b48e0bSAndroid Build Coastguard Worker  if (x) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    inst_ratio = (u32)atoi(x);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (!inst_ratio || inst_ratio > 100) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      fprintf(stderr, "[-] ERROR: Invalid AFL_INST_RATIO (must be 1-100).\n");
*08b48e0bSAndroid Build Coastguard Worker      abort();
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  // If a dlopen of an instrumented library happens after the forkserver then
*08b48e0bSAndroid Build Coastguard Worker  // we have a problem as we cannot increase the coverage map anymore.
*08b48e0bSAndroid Build Coastguard Worker  if (__afl_already_initialized_forkserver) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (!getenv("AFL_IGNORE_PROBLEMS")) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      fprintf(
*08b48e0bSAndroid Build Coastguard Worker          stderr,
*08b48e0bSAndroid Build Coastguard Worker          "[-] FATAL: forkserver is already up, but an instrumented dlopen() "
*08b48e0bSAndroid Build Coastguard Worker          "library loaded afterwards. You must AFL_PRELOAD such libraries to "
*08b48e0bSAndroid Build Coastguard Worker          "be able to fuzz them or LD_PRELOAD to run outside of afl-fuzz.\n"
*08b48e0bSAndroid Build Coastguard Worker          "To ignore this set AFL_IGNORE_PROBLEMS=1 but this will lead to "
*08b48e0bSAndroid Build Coastguard Worker          "ambiguous coverage data.\n"
*08b48e0bSAndroid Build Coastguard Worker          "In addition, you can set AFL_IGNORE_PROBLEMS_COVERAGE=1 to "
*08b48e0bSAndroid Build Coastguard Worker          "ignore the additional coverage instead (use with caution!).\n");
*08b48e0bSAndroid Build Coastguard Worker      abort();
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      u8 ignore_dso_after_fs = !!getenv("AFL_IGNORE_PROBLEMS_COVERAGE");
*08b48e0bSAndroid Build Coastguard Worker      if (__afl_debug && ignore_dso_after_fs) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        fprintf(stderr,
*08b48e0bSAndroid Build Coastguard Worker                "DEBUG: Ignoring coverage from dynamically loaded code\n");
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      static u32 offset = 5;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      while (start < stop) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        if (!ignore_dso_after_fs &&
*08b48e0bSAndroid Build Coastguard Worker            (likely(inst_ratio == 100) || R(100) < inst_ratio)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          *(start++) = offset;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          *(start++) = 0;  // write to map[0]
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        if (unlikely(++offset >= __afl_final_loc)) { offset = 5; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    return;  // we are done for this special case
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* Make sure that the first element in the range is always set - we use that
*08b48e0bSAndroid Build Coastguard Worker     to avoid duplicate calls (which can happen as an artifact of the underlying
*08b48e0bSAndroid Build Coastguard Worker     implementation in LLVM). */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (__afl_final_loc < 5) __afl_final_loc = 5;  // we skip the first 5 entries
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  *(start++) = ++__afl_final_loc;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  while (start < stop) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (likely(inst_ratio == 100) || R(100) < inst_ratio) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      *(start++) = ++__afl_final_loc;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      *(start++) = 0;  // write to map[0]
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef __AFL_CODE_COVERAGE
*08b48e0bSAndroid Build Coastguard Worker  if (mod_info) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (!mod_info->start) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      mod_info->start = orig_start;
*08b48e0bSAndroid Build Coastguard Worker      mod_info->stop = stop - 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (__afl_debug) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      fprintf(stderr, "DEBUG: [pcmap] Start Index: %u Stop Index: %u\n",
*08b48e0bSAndroid Build Coastguard Worker              *(mod_info->start), *(mod_info->stop));
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#endif  // __AFL_CODE_COVERAGE
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (__afl_debug) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    fprintf(stderr,
*08b48e0bSAndroid Build Coastguard Worker            "DEBUG: Done __sanitizer_cov_trace_pc_guard_init: __afl_final_loc "
*08b48e0bSAndroid Build Coastguard Worker            "= %u\n",
*08b48e0bSAndroid Build Coastguard Worker            __afl_final_loc);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (__afl_already_initialized_shm) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (__afl_final_loc > __afl_map_size) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (__afl_debug) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        fprintf(stderr, "DEBUG: Reinit shm necessary (+%u)\n",
*08b48e0bSAndroid Build Coastguard Worker                __afl_final_loc - __afl_map_size);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      __afl_unmap_shm();
*08b48e0bSAndroid Build Coastguard Worker      __afl_map_shm();
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    __afl_map_size = __afl_final_loc + 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker///// CmpLog instrumentation
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workervoid __cmplog_ins_hook1(uint8_t arg1, uint8_t arg2, uint8_t attr) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  // fprintf(stderr, "hook1 arg0=%02x arg1=%02x attr=%u\n",
*08b48e0bSAndroid Build Coastguard Worker  //         (u8) arg1, (u8) arg2, attr);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  return;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /*
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (unlikely(!__afl_cmp_map || arg1 == arg2)) return;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  uintptr_t k = (uintptr_t)__builtin_return_address(0);
*08b48e0bSAndroid Build Coastguard Worker  k = (uintptr_t)(default_hash((u8 *)&k, sizeof(uintptr_t)) & (CMP_MAP_W - 1));
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  u32 hits;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (__afl_cmp_map->headers[k].type != CMP_TYPE_INS) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    __afl_cmp_map->headers[k].type = CMP_TYPE_INS;
*08b48e0bSAndroid Build Coastguard Worker    hits = 0;
*08b48e0bSAndroid Build Coastguard Worker    __afl_cmp_map->headers[k].hits = 1;
*08b48e0bSAndroid Build Coastguard Worker    __afl_cmp_map->headers[k].shape = 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    hits = __afl_cmp_map->headers[k].hits++;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  __afl_cmp_map->headers[k].attribute = attr;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  hits &= CMP_MAP_H - 1;
*08b48e0bSAndroid Build Coastguard Worker  __afl_cmp_map->log[k][hits].v0 = arg1;
*08b48e0bSAndroid Build Coastguard Worker  __afl_cmp_map->log[k][hits].v1 = arg2;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workervoid __cmplog_ins_hook2(uint16_t arg1, uint16_t arg2, uint8_t attr) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (unlikely(!__afl_cmp_map || arg1 == arg2)) return;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  uintptr_t k = (uintptr_t)__builtin_return_address(0);
*08b48e0bSAndroid Build Coastguard Worker  k = (uintptr_t)(default_hash((u8 *)&k, sizeof(uintptr_t)) & (CMP_MAP_W - 1));
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  u32 hits;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (__afl_cmp_map->headers[k].type != CMP_TYPE_INS) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    __afl_cmp_map->headers[k].type = CMP_TYPE_INS;
*08b48e0bSAndroid Build Coastguard Worker    hits = 0;
*08b48e0bSAndroid Build Coastguard Worker    __afl_cmp_map->headers[k].hits = 1;
*08b48e0bSAndroid Build Coastguard Worker    __afl_cmp_map->headers[k].shape = 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    hits = __afl_cmp_map->headers[k].hits++;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (!__afl_cmp_map->headers[k].shape) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      __afl_cmp_map->headers[k].shape = 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  __afl_cmp_map->headers[k].attribute = attr;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  hits &= CMP_MAP_H - 1;
*08b48e0bSAndroid Build Coastguard Worker  __afl_cmp_map->log[k][hits].v0 = arg1;
*08b48e0bSAndroid Build Coastguard Worker  __afl_cmp_map->log[k][hits].v1 = arg2;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workervoid __cmplog_ins_hook4(uint32_t arg1, uint32_t arg2, uint8_t attr) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  // fprintf(stderr, "hook4 arg0=%x arg1=%x attr=%u\n", arg1, arg2, attr);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (unlikely(!__afl_cmp_map || arg1 == arg2)) return;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  uintptr_t k = (uintptr_t)__builtin_return_address(0);
*08b48e0bSAndroid Build Coastguard Worker  k = (uintptr_t)(default_hash((u8 *)&k, sizeof(uintptr_t)) & (CMP_MAP_W - 1));
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  u32 hits;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (__afl_cmp_map->headers[k].type != CMP_TYPE_INS) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    __afl_cmp_map->headers[k].type = CMP_TYPE_INS;
*08b48e0bSAndroid Build Coastguard Worker    hits = 0;
*08b48e0bSAndroid Build Coastguard Worker    __afl_cmp_map->headers[k].hits = 1;
*08b48e0bSAndroid Build Coastguard Worker    __afl_cmp_map->headers[k].shape = 3;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    hits = __afl_cmp_map->headers[k].hits++;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (__afl_cmp_map->headers[k].shape < 3) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      __afl_cmp_map->headers[k].shape = 3;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  __afl_cmp_map->headers[k].attribute = attr;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  hits &= CMP_MAP_H - 1;
*08b48e0bSAndroid Build Coastguard Worker  __afl_cmp_map->log[k][hits].v0 = arg1;
*08b48e0bSAndroid Build Coastguard Worker  __afl_cmp_map->log[k][hits].v1 = arg2;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workervoid __cmplog_ins_hook8(uint64_t arg1, uint64_t arg2, uint8_t attr) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  // fprintf(stderr, "hook8 arg0=%lx arg1=%lx attr=%u\n", arg1, arg2, attr);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (unlikely(!__afl_cmp_map || arg1 == arg2)) return;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  uintptr_t k = (uintptr_t)__builtin_return_address(0);
*08b48e0bSAndroid Build Coastguard Worker  k = (uintptr_t)(default_hash((u8 *)&k, sizeof(uintptr_t)) & (CMP_MAP_W - 1));
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  u32 hits;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (__afl_cmp_map->headers[k].type != CMP_TYPE_INS) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    __afl_cmp_map->headers[k].type = CMP_TYPE_INS;
*08b48e0bSAndroid Build Coastguard Worker    hits = 0;
*08b48e0bSAndroid Build Coastguard Worker    __afl_cmp_map->headers[k].hits = 1;
*08b48e0bSAndroid Build Coastguard Worker    __afl_cmp_map->headers[k].shape = 7;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    hits = __afl_cmp_map->headers[k].hits++;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (__afl_cmp_map->headers[k].shape < 7) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      __afl_cmp_map->headers[k].shape = 7;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  __afl_cmp_map->headers[k].attribute = attr;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  hits &= CMP_MAP_H - 1;
*08b48e0bSAndroid Build Coastguard Worker  __afl_cmp_map->log[k][hits].v0 = arg1;
*08b48e0bSAndroid Build Coastguard Worker  __afl_cmp_map->log[k][hits].v1 = arg2;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef WORD_SIZE_64
*08b48e0bSAndroid Build Coastguard Worker// support for u24 to u120 via llvm _ExitInt(). size is in bytes minus 1
*08b48e0bSAndroid Build Coastguard Workervoid __cmplog_ins_hookN(uint128_t arg1, uint128_t arg2, uint8_t attr,
*08b48e0bSAndroid Build Coastguard Worker                        uint8_t size) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  // fprintf(stderr, "hookN arg0=%llx:%llx arg1=%llx:%llx bytes=%u attr=%u\n",
*08b48e0bSAndroid Build Coastguard Worker  // (u64)(arg1 >> 64), (u64)arg1, (u64)(arg2 >> 64), (u64)arg2, size + 1,
*08b48e0bSAndroid Build Coastguard Worker  // attr);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (unlikely(!__afl_cmp_map || arg1 == arg2)) return;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  uintptr_t k = (uintptr_t)__builtin_return_address(0);
*08b48e0bSAndroid Build Coastguard Worker  k = (uintptr_t)(default_hash((u8 *)&k, sizeof(uintptr_t)) & (CMP_MAP_W - 1));
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  u32 hits;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (__afl_cmp_map->headers[k].type != CMP_TYPE_INS) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    __afl_cmp_map->headers[k].type = CMP_TYPE_INS;
*08b48e0bSAndroid Build Coastguard Worker    hits = 0;
*08b48e0bSAndroid Build Coastguard Worker    __afl_cmp_map->headers[k].hits = 1;
*08b48e0bSAndroid Build Coastguard Worker    __afl_cmp_map->headers[k].shape = size;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    hits = __afl_cmp_map->headers[k].hits++;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (__afl_cmp_map->headers[k].shape < size) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      __afl_cmp_map->headers[k].shape = size;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  __afl_cmp_map->headers[k].attribute = attr;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  hits &= CMP_MAP_H - 1;
*08b48e0bSAndroid Build Coastguard Worker  __afl_cmp_map->log[k][hits].v0 = (u64)arg1;
*08b48e0bSAndroid Build Coastguard Worker  __afl_cmp_map->log[k][hits].v1 = (u64)arg2;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (size > 7) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    __afl_cmp_map->log[k][hits].v0_128 = (u64)(arg1 >> 64);
*08b48e0bSAndroid Build Coastguard Worker    __afl_cmp_map->log[k][hits].v1_128 = (u64)(arg2 >> 64);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workervoid __cmplog_ins_hook16(uint128_t arg1, uint128_t arg2, uint8_t attr) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (likely(!__afl_cmp_map)) return;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  uintptr_t k = (uintptr_t)__builtin_return_address(0);
*08b48e0bSAndroid Build Coastguard Worker  k = (uintptr_t)(default_hash((u8 *)&k, sizeof(uintptr_t)) & (CMP_MAP_W - 1));
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  u32 hits;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (__afl_cmp_map->headers[k].type != CMP_TYPE_INS) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    __afl_cmp_map->headers[k].type = CMP_TYPE_INS;
*08b48e0bSAndroid Build Coastguard Worker    hits = 0;
*08b48e0bSAndroid Build Coastguard Worker    __afl_cmp_map->headers[k].hits = 1;
*08b48e0bSAndroid Build Coastguard Worker    __afl_cmp_map->headers[k].shape = 15;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    hits = __afl_cmp_map->headers[k].hits++;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (__afl_cmp_map->headers[k].shape < 15) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      __afl_cmp_map->headers[k].shape = 15;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  __afl_cmp_map->headers[k].attribute = attr;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  hits &= CMP_MAP_H - 1;
*08b48e0bSAndroid Build Coastguard Worker  __afl_cmp_map->log[k][hits].v0 = (u64)arg1;
*08b48e0bSAndroid Build Coastguard Worker  __afl_cmp_map->log[k][hits].v1 = (u64)arg2;
*08b48e0bSAndroid Build Coastguard Worker  __afl_cmp_map->log[k][hits].v0_128 = (u64)(arg1 >> 64);
*08b48e0bSAndroid Build Coastguard Worker  __afl_cmp_map->log[k][hits].v1_128 = (u64)(arg2 >> 64);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workervoid __sanitizer_cov_trace_cmp1(uint8_t arg1, uint8_t arg2) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  //__cmplog_ins_hook1(arg1, arg2, 0);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workervoid __sanitizer_cov_trace_const_cmp1(uint8_t arg1, uint8_t arg2) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  //__cmplog_ins_hook1(arg1, arg2, 0);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workervoid __sanitizer_cov_trace_cmp2(uint16_t arg1, uint16_t arg2) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  __cmplog_ins_hook2(arg1, arg2, 0);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workervoid __sanitizer_cov_trace_const_cmp2(uint16_t arg1, uint16_t arg2) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  __cmplog_ins_hook2(arg1, arg2, 0);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workervoid __sanitizer_cov_trace_cmp4(uint32_t arg1, uint32_t arg2) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  __cmplog_ins_hook4(arg1, arg2, 0);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workervoid __sanitizer_cov_trace_const_cmp4(uint32_t arg1, uint32_t arg2) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  __cmplog_ins_hook4(arg1, arg2, 0);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workervoid __sanitizer_cov_trace_cmp8(uint64_t arg1, uint64_t arg2) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  __cmplog_ins_hook8(arg1, arg2, 0);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workervoid __sanitizer_cov_trace_const_cmp8(uint64_t arg1, uint64_t arg2) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  __cmplog_ins_hook8(arg1, arg2, 0);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef WORD_SIZE_64
*08b48e0bSAndroid Build Coastguard Workervoid __sanitizer_cov_trace_cmp16(uint128_t arg1, uint128_t arg2) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  __cmplog_ins_hook16(arg1, arg2, 0);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workervoid __sanitizer_cov_trace_const_cmp16(uint128_t arg1, uint128_t arg2) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  __cmplog_ins_hook16(arg1, arg2, 0);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workervoid __sanitizer_cov_trace_switch(uint64_t val, uint64_t *cases) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (likely(!__afl_cmp_map)) return;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  for (uint64_t i = 0; i < cases[0]; i++) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    uintptr_t k = (uintptr_t)__builtin_return_address(0) + i;
*08b48e0bSAndroid Build Coastguard Worker    k = (uintptr_t)(default_hash((u8 *)&k, sizeof(uintptr_t)) &
*08b48e0bSAndroid Build Coastguard Worker                    (CMP_MAP_W - 1));
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    u32 hits;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (__afl_cmp_map->headers[k].type != CMP_TYPE_INS) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      __afl_cmp_map->headers[k].type = CMP_TYPE_INS;
*08b48e0bSAndroid Build Coastguard Worker      hits = 0;
*08b48e0bSAndroid Build Coastguard Worker      __afl_cmp_map->headers[k].hits = 1;
*08b48e0bSAndroid Build Coastguard Worker      __afl_cmp_map->headers[k].shape = 7;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      hits = __afl_cmp_map->headers[k].hits++;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (__afl_cmp_map->headers[k].shape < 7) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        __afl_cmp_map->headers[k].shape = 7;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    __afl_cmp_map->headers[k].attribute = 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    hits &= CMP_MAP_H - 1;
*08b48e0bSAndroid Build Coastguard Worker    __afl_cmp_map->log[k][hits].v0 = val;
*08b48e0bSAndroid Build Coastguard Worker    __afl_cmp_map->log[k][hits].v1 = cases[i + 2];
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker__attribute__((weak)) void *__asan_region_is_poisoned(void *beg, size_t size) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  return NULL;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker// POSIX shenanigan to see if an area is mapped.
*08b48e0bSAndroid Build Coastguard Worker// If it is mapped as X-only, we have a problem, so maybe we should add a check
*08b48e0bSAndroid Build Coastguard Worker// to avoid to call it on .text addresses
*08b48e0bSAndroid Build Coastguard Workerstatic int area_is_valid(void *ptr, size_t len) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (unlikely(!ptr || __asan_region_is_poisoned(ptr, len))) { return 0; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef __HAIKU__
*08b48e0bSAndroid Build Coastguard Worker  long r = _kern_write(__afl_dummy_fd[1], -1, ptr, len);
*08b48e0bSAndroid Build Coastguard Worker#elif defined(__OpenBSD__)
*08b48e0bSAndroid Build Coastguard Worker  long r = write(__afl_dummy_fd[1], ptr, len);
*08b48e0bSAndroid Build Coastguard Worker#else
*08b48e0bSAndroid Build Coastguard Worker  long r = syscall(SYS_write, __afl_dummy_fd[1], ptr, len);
*08b48e0bSAndroid Build Coastguard Worker#endif  // HAIKU, OPENBSD
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (r <= 0 || r > len) return 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  // even if the write succeed this can be a false positive if we cross
*08b48e0bSAndroid Build Coastguard Worker  // a page boundary. who knows why.
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  char *p = (char *)ptr;
*08b48e0bSAndroid Build Coastguard Worker  long  page_size = sysconf(_SC_PAGE_SIZE);
*08b48e0bSAndroid Build Coastguard Worker  char *page = (char *)((uintptr_t)p & ~(page_size - 1)) + page_size;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (page > p + len) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    // no, not crossing a page boundary
*08b48e0bSAndroid Build Coastguard Worker    return (int)r;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    // yes it crosses a boundary, hence we can only return the length of
*08b48e0bSAndroid Build Coastguard Worker    // rest of the first page, we cannot detect if the next page is valid
*08b48e0bSAndroid Build Coastguard Worker    // or not, neither by SYS_write nor msync() :-(
*08b48e0bSAndroid Build Coastguard Worker    return (int)(page - p);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker/* hook for string with length functions, eg. strncmp, strncasecmp etc.
*08b48e0bSAndroid Build Coastguard Worker   Note that we ignore the len parameter and take longer strings if present. */
*08b48e0bSAndroid Build Coastguard Workervoid __cmplog_rtn_hook_strn(u8 *ptr1, u8 *ptr2, u64 len) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  // fprintf(stderr, "RTN1 %p %p %u\n", ptr1, ptr2, len);
*08b48e0bSAndroid Build Coastguard Worker  if (likely(!__afl_cmp_map)) return;
*08b48e0bSAndroid Build Coastguard Worker  if (unlikely(!len)) return;
*08b48e0bSAndroid Build Coastguard Worker  int len0 = MIN(len, 31);
*08b48e0bSAndroid Build Coastguard Worker  int len1 = strnlen(ptr1, len0);
*08b48e0bSAndroid Build Coastguard Worker  if (len1 < 31) len1 = area_is_valid(ptr1, len1 + 1);
*08b48e0bSAndroid Build Coastguard Worker  int len2 = strnlen(ptr2, len0);
*08b48e0bSAndroid Build Coastguard Worker  if (len2 < 31) len2 = area_is_valid(ptr2, len2 + 1);
*08b48e0bSAndroid Build Coastguard Worker  int l = MAX(len1, len2);
*08b48e0bSAndroid Build Coastguard Worker  if (l < 2) return;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  uintptr_t k = (uintptr_t)__builtin_return_address(0);
*08b48e0bSAndroid Build Coastguard Worker  k = (uintptr_t)(default_hash((u8 *)&k, sizeof(uintptr_t)) & (CMP_MAP_W - 1));
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  u32 hits;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (__afl_cmp_map->headers[k].type != CMP_TYPE_RTN) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    __afl_cmp_map->headers[k].type = CMP_TYPE_RTN;
*08b48e0bSAndroid Build Coastguard Worker    __afl_cmp_map->headers[k].hits = 1;
*08b48e0bSAndroid Build Coastguard Worker    __afl_cmp_map->headers[k].shape = l - 1;
*08b48e0bSAndroid Build Coastguard Worker    hits = 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    hits = __afl_cmp_map->headers[k].hits++;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (__afl_cmp_map->headers[k].shape < l) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      __afl_cmp_map->headers[k].shape = l - 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  struct cmpfn_operands *cmpfn = (struct cmpfn_operands *)__afl_cmp_map->log[k];
*08b48e0bSAndroid Build Coastguard Worker  hits &= CMP_MAP_RTN_H - 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  cmpfn[hits].v0_len = 0x80 + l;
*08b48e0bSAndroid Build Coastguard Worker  cmpfn[hits].v1_len = 0x80 + l;
*08b48e0bSAndroid Build Coastguard Worker  __builtin_memcpy(cmpfn[hits].v0, ptr1, len1);
*08b48e0bSAndroid Build Coastguard Worker  __builtin_memcpy(cmpfn[hits].v1, ptr2, len2);
*08b48e0bSAndroid Build Coastguard Worker  // fprintf(stderr, "RTN3\n");
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker/* hook for string functions, eg. strcmp, strcasecmp etc. */
*08b48e0bSAndroid Build Coastguard Workervoid __cmplog_rtn_hook_str(u8 *ptr1, u8 *ptr2) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  // fprintf(stderr, "RTN1 %p %p\n", ptr1, ptr2);
*08b48e0bSAndroid Build Coastguard Worker  if (likely(!__afl_cmp_map)) return;
*08b48e0bSAndroid Build Coastguard Worker  if (unlikely(!ptr1 || !ptr2)) return;
*08b48e0bSAndroid Build Coastguard Worker  int len1 = strnlen(ptr1, 30) + 1;
*08b48e0bSAndroid Build Coastguard Worker  int len2 = strnlen(ptr2, 30) + 1;
*08b48e0bSAndroid Build Coastguard Worker  int l = MAX(len1, len2);
*08b48e0bSAndroid Build Coastguard Worker  if (l < 3) return;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  uintptr_t k = (uintptr_t)__builtin_return_address(0);
*08b48e0bSAndroid Build Coastguard Worker  k = (uintptr_t)(default_hash((u8 *)&k, sizeof(uintptr_t)) & (CMP_MAP_W - 1));
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  u32 hits;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (__afl_cmp_map->headers[k].type != CMP_TYPE_RTN) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    __afl_cmp_map->headers[k].type = CMP_TYPE_RTN;
*08b48e0bSAndroid Build Coastguard Worker    __afl_cmp_map->headers[k].hits = 1;
*08b48e0bSAndroid Build Coastguard Worker    __afl_cmp_map->headers[k].shape = l - 1;
*08b48e0bSAndroid Build Coastguard Worker    hits = 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    hits = __afl_cmp_map->headers[k].hits++;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (__afl_cmp_map->headers[k].shape < l) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      __afl_cmp_map->headers[k].shape = l - 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  struct cmpfn_operands *cmpfn = (struct cmpfn_operands *)__afl_cmp_map->log[k];
*08b48e0bSAndroid Build Coastguard Worker  hits &= CMP_MAP_RTN_H - 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  cmpfn[hits].v0_len = 0x80 + len1;
*08b48e0bSAndroid Build Coastguard Worker  cmpfn[hits].v1_len = 0x80 + len2;
*08b48e0bSAndroid Build Coastguard Worker  __builtin_memcpy(cmpfn[hits].v0, ptr1, len1);
*08b48e0bSAndroid Build Coastguard Worker  __builtin_memcpy(cmpfn[hits].v1, ptr2, len2);
*08b48e0bSAndroid Build Coastguard Worker  // fprintf(stderr, "RTN3\n");
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker/* hook function for all other func(ptr, ptr, ...) variants */
*08b48e0bSAndroid Build Coastguard Workervoid __cmplog_rtn_hook(u8 *ptr1, u8 *ptr2) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /*
*08b48e0bSAndroid Build Coastguard Worker    u32 i;
*08b48e0bSAndroid Build Coastguard Worker    if (area_is_valid(ptr1, 31) <= 0 || area_is_valid(ptr2, 31) <= 0) return;
*08b48e0bSAndroid Build Coastguard Worker    fprintf(stderr, "rtn arg0=");
*08b48e0bSAndroid Build Coastguard Worker    for (i = 0; i < 32; i++)
*08b48e0bSAndroid Build Coastguard Worker      fprintf(stderr, "%02x", ptr1[i]);
*08b48e0bSAndroid Build Coastguard Worker    fprintf(stderr, " arg1=");
*08b48e0bSAndroid Build Coastguard Worker    for (i = 0; i < 32; i++)
*08b48e0bSAndroid Build Coastguard Worker      fprintf(stderr, "%02x", ptr2[i]);
*08b48e0bSAndroid Build Coastguard Worker    fprintf(stderr, "\n");
*08b48e0bSAndroid Build Coastguard Worker  */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  // fprintf(stderr, "RTN1 %p %p\n", ptr1, ptr2);
*08b48e0bSAndroid Build Coastguard Worker  if (likely(!__afl_cmp_map)) return;
*08b48e0bSAndroid Build Coastguard Worker  int l1, l2;
*08b48e0bSAndroid Build Coastguard Worker  if ((l1 = area_is_valid(ptr1, 31)) <= 0 ||
*08b48e0bSAndroid Build Coastguard Worker      (l2 = area_is_valid(ptr2, 31)) <= 0)
*08b48e0bSAndroid Build Coastguard Worker    return;
*08b48e0bSAndroid Build Coastguard Worker  int len = MIN(31, MIN(l1, l2));
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  // fprintf(stderr, "RTN2 %u\n", len);
*08b48e0bSAndroid Build Coastguard Worker  uintptr_t k = (uintptr_t)__builtin_return_address(0);
*08b48e0bSAndroid Build Coastguard Worker  k = (uintptr_t)(default_hash((u8 *)&k, sizeof(uintptr_t)) & (CMP_MAP_W - 1));
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  u32 hits;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (__afl_cmp_map->headers[k].type != CMP_TYPE_RTN) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    __afl_cmp_map->headers[k].type = CMP_TYPE_RTN;
*08b48e0bSAndroid Build Coastguard Worker    __afl_cmp_map->headers[k].hits = 1;
*08b48e0bSAndroid Build Coastguard Worker    __afl_cmp_map->headers[k].shape = len - 1;
*08b48e0bSAndroid Build Coastguard Worker    hits = 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    hits = __afl_cmp_map->headers[k].hits++;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (__afl_cmp_map->headers[k].shape < len) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      __afl_cmp_map->headers[k].shape = len - 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  struct cmpfn_operands *cmpfn = (struct cmpfn_operands *)__afl_cmp_map->log[k];
*08b48e0bSAndroid Build Coastguard Worker  hits &= CMP_MAP_RTN_H - 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  cmpfn[hits].v0_len = len;
*08b48e0bSAndroid Build Coastguard Worker  cmpfn[hits].v1_len = len;
*08b48e0bSAndroid Build Coastguard Worker  __builtin_memcpy(cmpfn[hits].v0, ptr1, len);
*08b48e0bSAndroid Build Coastguard Worker  __builtin_memcpy(cmpfn[hits].v1, ptr2, len);
*08b48e0bSAndroid Build Coastguard Worker  // fprintf(stderr, "RTN3\n");
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker/* hook for func(ptr, ptr, len, ...) looking functions.
*08b48e0bSAndroid Build Coastguard Worker   Note that for the time being we ignore len as this could be wrong
*08b48e0bSAndroid Build Coastguard Worker   information and pass it on to the standard binary rtn hook */
*08b48e0bSAndroid Build Coastguard Workervoid __cmplog_rtn_hook_n(u8 *ptr1, u8 *ptr2, u64 len) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  (void)(len);
*08b48e0bSAndroid Build Coastguard Worker  __cmplog_rtn_hook(ptr1, ptr2);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#if 0
*08b48e0bSAndroid Build Coastguard Worker  /*
*08b48e0bSAndroid Build Coastguard Worker    u32 i;
*08b48e0bSAndroid Build Coastguard Worker    if (area_is_valid(ptr1, 31) <= 0 || area_is_valid(ptr2, 31) <= 0) return;
*08b48e0bSAndroid Build Coastguard Worker    fprintf(stderr, "rtn_n len=%u arg0=", len);
*08b48e0bSAndroid Build Coastguard Worker    for (i = 0; i < len; i++)
*08b48e0bSAndroid Build Coastguard Worker      fprintf(stderr, "%02x", ptr1[i]);
*08b48e0bSAndroid Build Coastguard Worker    fprintf(stderr, " arg1=");
*08b48e0bSAndroid Build Coastguard Worker    for (i = 0; i < len; i++)
*08b48e0bSAndroid Build Coastguard Worker      fprintf(stderr, "%02x", ptr2[i]);
*08b48e0bSAndroid Build Coastguard Worker    fprintf(stderr, "\n");
*08b48e0bSAndroid Build Coastguard Worker  */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  // fprintf(stderr, "RTN1 %p %p %u\n", ptr1, ptr2, len);
*08b48e0bSAndroid Build Coastguard Worker  if (likely(!__afl_cmp_map)) return;
*08b48e0bSAndroid Build Coastguard Worker  if (unlikely(!len)) return;
*08b48e0bSAndroid Build Coastguard Worker  int l = MIN(31, len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if ((l = area_is_valid(ptr1, l)) <= 0 || (l = area_is_valid(ptr2, l)) <= 0)
*08b48e0bSAndroid Build Coastguard Worker    return;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  // fprintf(stderr, "RTN2 %u\n", l);
*08b48e0bSAndroid Build Coastguard Worker  uintptr_t k = (uintptr_t)__builtin_return_address(0);
*08b48e0bSAndroid Build Coastguard Worker  k = (uintptr_t)(default_hash((u8 *)&k, sizeof(uintptr_t)) & (CMP_MAP_W - 1));
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  u32 hits;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (__afl_cmp_map->headers[k].type != CMP_TYPE_RTN) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    __afl_cmp_map->headers[k].type = CMP_TYPE_RTN;
*08b48e0bSAndroid Build Coastguard Worker    __afl_cmp_map->headers[k].hits = 1;
*08b48e0bSAndroid Build Coastguard Worker    __afl_cmp_map->headers[k].shape = l - 1;
*08b48e0bSAndroid Build Coastguard Worker    hits = 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    hits = __afl_cmp_map->headers[k].hits++;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (__afl_cmp_map->headers[k].shape < l) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      __afl_cmp_map->headers[k].shape = l - 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  struct cmpfn_operands *cmpfn = (struct cmpfn_operands *)__afl_cmp_map->log[k];
*08b48e0bSAndroid Build Coastguard Worker  hits &= CMP_MAP_RTN_H - 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  cmpfn[hits].v0_len = l;
*08b48e0bSAndroid Build Coastguard Worker  cmpfn[hits].v1_len = l;
*08b48e0bSAndroid Build Coastguard Worker  __builtin_memcpy(cmpfn[hits].v0, ptr1, l);
*08b48e0bSAndroid Build Coastguard Worker  __builtin_memcpy(cmpfn[hits].v1, ptr2, l);
*08b48e0bSAndroid Build Coastguard Worker  // fprintf(stderr, "RTN3\n");
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker// gcc libstdc++
*08b48e0bSAndroid Build Coastguard Worker// _ZNKSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE7compareEPKc
*08b48e0bSAndroid Build Coastguard Workerstatic u8 *get_gcc_stdstring(u8 *string) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  u32 *len = (u32 *)(string + 8);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (*len < 16) {  // in structure
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    return (string + 16);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  } else {  // in memory
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    u8 **ptr = (u8 **)string;
*08b48e0bSAndroid Build Coastguard Worker    return (*ptr);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker// llvm libc++ _ZNKSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocator
*08b48e0bSAndroid Build Coastguard Worker//             IcEEE7compareEmmPKcm
*08b48e0bSAndroid Build Coastguard Workerstatic u8 *get_llvm_stdstring(u8 *string) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  // length is in: if ((string[0] & 1) == 0) u8 len = (string[0] >> 1);
*08b48e0bSAndroid Build Coastguard Worker  // or: if (string[0] & 1) u32 *len = (u32 *) (string + 8);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (string[0] & 1) {  // in memory
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    u8 **ptr = (u8 **)(string + 16);
*08b48e0bSAndroid Build Coastguard Worker    return (*ptr);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  } else {  // in structure
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    return (string + 1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workervoid __cmplog_rtn_gcc_stdstring_cstring(u8 *stdstring, u8 *cstring) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (likely(!__afl_cmp_map)) return;
*08b48e0bSAndroid Build Coastguard Worker  if (area_is_valid(stdstring, 32) <= 0 || area_is_valid(cstring, 32) <= 0)
*08b48e0bSAndroid Build Coastguard Worker    return;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  __cmplog_rtn_hook(get_gcc_stdstring(stdstring), cstring);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workervoid __cmplog_rtn_gcc_stdstring_stdstring(u8 *stdstring1, u8 *stdstring2) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (likely(!__afl_cmp_map)) return;
*08b48e0bSAndroid Build Coastguard Worker  if (area_is_valid(stdstring1, 32) <= 0 || area_is_valid(stdstring2, 32) <= 0)
*08b48e0bSAndroid Build Coastguard Worker    return;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  __cmplog_rtn_hook(get_gcc_stdstring(stdstring1),
*08b48e0bSAndroid Build Coastguard Worker                    get_gcc_stdstring(stdstring2));
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workervoid __cmplog_rtn_llvm_stdstring_cstring(u8 *stdstring, u8 *cstring) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (likely(!__afl_cmp_map)) return;
*08b48e0bSAndroid Build Coastguard Worker  if (area_is_valid(stdstring, 32) <= 0 || area_is_valid(cstring, 32) <= 0)
*08b48e0bSAndroid Build Coastguard Worker    return;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  __cmplog_rtn_hook(get_llvm_stdstring(stdstring), cstring);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workervoid __cmplog_rtn_llvm_stdstring_stdstring(u8 *stdstring1, u8 *stdstring2) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (likely(!__afl_cmp_map)) return;
*08b48e0bSAndroid Build Coastguard Worker  if (area_is_valid(stdstring1, 32) <= 0 || area_is_valid(stdstring2, 32) <= 0)
*08b48e0bSAndroid Build Coastguard Worker    return;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  __cmplog_rtn_hook(get_llvm_stdstring(stdstring1),
*08b48e0bSAndroid Build Coastguard Worker                    get_llvm_stdstring(stdstring2));
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker/* COVERAGE manipulation features */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker// this variable is then used in the shm setup to create an additional map
*08b48e0bSAndroid Build Coastguard Worker// if __afl_map_size > MAP_SIZE or cmplog is used.
*08b48e0bSAndroid Build Coastguard Worker// Especially with cmplog this would result in a ~260MB mem increase per
*08b48e0bSAndroid Build Coastguard Worker// target run.
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker// disable coverage from this point onwards until turned on again
*08b48e0bSAndroid Build Coastguard Workervoid __afl_coverage_off() {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (likely(__afl_selective_coverage)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    __afl_area_ptr = __afl_area_ptr_dummy;
*08b48e0bSAndroid Build Coastguard Worker    __afl_cmp_map = NULL;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker// enable coverage
*08b48e0bSAndroid Build Coastguard Workervoid __afl_coverage_on() {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (likely(__afl_selective_coverage && __afl_selective_coverage_temp)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    __afl_area_ptr = __afl_area_ptr_backup;
*08b48e0bSAndroid Build Coastguard Worker    if (__afl_cmp_map_backup) { __afl_cmp_map = __afl_cmp_map_backup; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker// discard all coverage up to this point
*08b48e0bSAndroid Build Coastguard Workervoid __afl_coverage_discard() {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  memset(__afl_area_ptr_backup, 0, __afl_map_size);
*08b48e0bSAndroid Build Coastguard Worker  __afl_area_ptr_backup[0] = 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (__afl_cmp_map) { memset(__afl_cmp_map, 0, sizeof(struct cmp_map)); }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker// discard the testcase
*08b48e0bSAndroid Build Coastguard Workervoid __afl_coverage_skip() {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  __afl_coverage_discard();
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (likely(is_persistent && __afl_selective_coverage)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    __afl_coverage_off();
*08b48e0bSAndroid Build Coastguard Worker    __afl_selective_coverage_temp = 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    exit(0);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker// mark this area as especially interesting
*08b48e0bSAndroid Build Coastguard Workervoid __afl_coverage_interesting(u8 val, u32 id) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  __afl_area_ptr[id] = val;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workervoid __afl_set_persistent_mode(u8 mode) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  is_persistent = mode;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker// Marker: ADD_TO_INJECTIONS
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workervoid __afl_injection_sql(u8 *buf) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (likely(buf)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (unlikely(strstr((char *)buf, "'\"\"'"))) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      fprintf(stderr, "ALERT: Detected SQL injection in query: %s\n", buf);
*08b48e0bSAndroid Build Coastguard Worker      abort();
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workervoid __afl_injection_ldap(u8 *buf) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (likely(buf)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (unlikely(strstr((char *)buf, "*)(1=*))(|"))) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      fprintf(stderr, "ALERT: Detected LDAP injection in query: %s\n", buf);
*08b48e0bSAndroid Build Coastguard Worker      abort();
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workervoid __afl_injection_xss(u8 *buf) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (likely(buf)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (unlikely(strstr((char *)buf, "1\"><\""))) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      fprintf(stderr, "ALERT: Detected XSS injection in content: %s\n", buf);
*08b48e0bSAndroid Build Coastguard Worker      abort();
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#undef write_error
*08b48e0bSAndroid Build Coastguard Worker