| 1 /* | 1 /* |
| 2 american fuzzy lop - LLVM instrumentation bootstrap | 2 american fuzzy lop - LLVM instrumentation bootstrap |
| 3 --------------------------------------------------- | 3 --------------------------------------------------- |
| 4 | 4 |
| 5 Written by Laszlo Szekeres <lszekeres@google.com> and | 5 Written by Laszlo Szekeres <lszekeres@google.com> and |
| 6 Michal Zalewski <lcamtuf@google.com> | 6 Michal Zalewski <lcamtuf@google.com> |
| 7 | 7 |
| 8 LLVM integration design comes from Laszlo Szekeres. | 8 LLVM integration design comes from Laszlo Szekeres. |
| 9 | 9 |
| 10 Copyright 2015, 2016 Google Inc. All rights reserved. | 10 Copyright 2015, 2016 Google Inc. All rights reserved. |
| 11 | 11 |
| 12 Licensed under the Apache License, Version 2.0 (the "License"); | 12 Licensed under the Apache License, Version 2.0 (the "License"); |
| 13 you may not use this file except in compliance with the License. | 13 you may not use this file except in compliance with the License. |
| 14 You may obtain a copy of the License at: | 14 You may obtain a copy of the License at: |
| 15 | 15 |
| 16 http://www.apache.org/licenses/LICENSE-2.0 | 16 http://www.apache.org/licenses/LICENSE-2.0 |
| 17 | 17 |
| 18 This code is the rewrite of afl-as.h's main_payload. | 18 This code is the rewrite of afl-as.h's main_payload. |
| 19 | 19 |
| 20 */ | 20 */ |
| 21 | 21 |
| 22 #include "../config.h" | 22 #include "../config.h" |
| 23 #include "../types.h" | 23 #include "../types.h" |
| 24 | 24 |
| 25 #include <stdio.h> | 25 #include <stdio.h> |
| 26 #include <stdlib.h> | 26 #include <stdlib.h> |
| 27 #include <signal.h> | 27 #include <signal.h> |
| 28 #include <unistd.h> | 28 #include <unistd.h> |
| 29 #include <string.h> |
| 29 #include <assert.h> | 30 #include <assert.h> |
| 30 | 31 |
| 31 #include <sys/mman.h> | 32 #include <sys/mman.h> |
| 32 #include <sys/shm.h> | 33 #include <sys/shm.h> |
| 33 #include <sys/wait.h> | 34 #include <sys/wait.h> |
| 34 #include <sys/types.h> | 35 #include <sys/types.h> |
| 35 | 36 |
| 36 | 37 |
| 37 /* Globals needed by the injected instrumentation. The __afl_area_initial region | 38 /* Globals needed by the injected instrumentation. The __afl_area_initial region |
| 38 is used for instrumentation output before __afl_map_shm() has a chance to run
. | 39 is used for instrumentation output before __afl_map_shm() has a chance to run
. |
(...skipping 123 matching lines...)
| 162 | 163 |
| 163 /* A simplified persistent mode handler, used as explained in README.llvm. */ | 164 /* A simplified persistent mode handler, used as explained in README.llvm. */ |
| 164 | 165 |
| 165 int __afl_persistent_loop(unsigned int max_cnt) { | 166 int __afl_persistent_loop(unsigned int max_cnt) { |
| 166 | 167 |
| 167 static u8 first_pass = 1; | 168 static u8 first_pass = 1; |
| 168 static u32 cycle_cnt; | 169 static u32 cycle_cnt; |
| 169 | 170 |
| 170 if (first_pass) { | 171 if (first_pass) { |
| 171 | 172 |
| 173 /* Make sure that every iteration of __AFL_LOOP() starts with a clean slate. |
| 174 On subsequent calls, the parent will take care of that, but on the first |
| 175 iteration, it's our job to erase any trace of whatever happened |
| 176 before the loop. */ |
| 177 |
| 178 if (is_persistent) { |
| 179 |
| 180 memset(__afl_area_ptr, 0, MAP_SIZE); |
| 181 __afl_area_ptr[0] = 1; |
| 182 __afl_prev_loc = 0; |
| 183 } |
| 184 |
| 172 cycle_cnt = max_cnt; | 185 cycle_cnt = max_cnt; |
| 173 first_pass = 0; | 186 first_pass = 0; |
| 174 return 1; | 187 return 1; |
| 175 | 188 |
| 176 } | 189 } |
| 177 | 190 |
| 178 if (is_persistent && --cycle_cnt) { | 191 if (is_persistent) { |
| 179 | 192 |
| 180 raise(SIGSTOP); | 193 if (--cycle_cnt) { |
| 181 return 1; | |
| 182 | 194 |
| 183 } else return 0; | 195 raise(SIGSTOP); |
| 196 |
| 197 __afl_area_ptr[0] = 1; |
| 198 __afl_prev_loc = 0; |
| 199 |
| 200 return 1; |
| 201 |
| 202 } else { |
| 203 |
| 204 /* When exiting __AFL_LOOP(), make sure that the subsequent code that |
| 205 follows the loop is not traced. We do that by pivoting back to the |
| 206 dummy output region. */ |
| 207 |
| 208 __afl_area_ptr = __afl_area_initial; |
| 209 |
| 210 } |
| 211 |
| 212 } |
| 213 |
| 214 return 0; |
| 184 | 215 |
| 185 } | 216 } |
| 186 | 217 |
| 187 | 218 |
| 188 /* This one can be called from user code when deferred forkserver mode | 219 /* This one can be called from user code when deferred forkserver mode |
| 189 is enabled. */ | 220 is enabled. */ |
| 190 | 221 |
| 191 void __afl_manual_init(void) { | 222 void __afl_manual_init(void) { |
| 192 | 223 |
| 193 static u8 init_done; | 224 static u8 init_done; |
(...skipping 80 matching lines...)
| 274 inst_ratio_scaled = inst_ratio_scaled * MIN(4096, MAP_SIZE) / 100; | 305 inst_ratio_scaled = inst_ratio_scaled * MIN(4096, MAP_SIZE) / 100; |
| 275 | 306 |
| 276 } | 307 } |
| 277 | 308 |
| 278 | 309 |
| 279 /* Work around a short-lived bug in LLVM with -fsanitize-coverage=trace-pc. */ | 310 /* Work around a short-lived bug in LLVM with -fsanitize-coverage=trace-pc. */ |
| 280 | 311 |
| 281 void __sanitizer_cov_module_init(void) __attribute__((weak)); | 312 void __sanitizer_cov_module_init(void) __attribute__((weak)); |
| 282 void __sanitizer_cov_module_init(void) { } | 313 void __sanitizer_cov_module_init(void) { } |
| 283 | 314 |
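Review bot: The restructured `if (--cycle_cnt)` in __afl_persistent_loop() (new line 193) still underflows when the function is called with max_cnt == 0: cycle_cnt is a u32 copied from max_cnt on the first pass, so the decrement wraps to UINT32_MAX and the exit branch that pivots __afl_area_ptr back to __afl_area_initial is effectively never taken. This predates the change, but the new branch is where it would be handled; a one-line guard on the first pass, `cycle_cnt = max_cnt ? max_cnt : 1;`, makes a zero count behave as a single iteration, or if an unbounded loop is the intended meaning of zero, the function comment should say so explicitly. The new `__afl_area_ptr[0] = 1;` writes after the memset and after raise(SIGSTOP) also deserve a why-comment; they presumably keep the map from ever being entirely zero after a reset, which I would state in the first-pass comment rather than leave implied. The function is fully contained in this hunk; the enclosing file's header and __afl_manual_init() continue outside it.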