AFLplusplus/src/afl-fuzz-one.c

*08b48e0bSAndroid Build Coastguard Worker/*
*08b48e0bSAndroid Build Coastguard Worker   american fuzzy lop++ - fuzze_one routines in different flavours
*08b48e0bSAndroid Build Coastguard Worker   ---------------------------------------------------------------
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker   Originally written by Michal Zalewski
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker   Now maintained by Marc Heuse <[email protected]>,
*08b48e0bSAndroid Build Coastguard Worker                        Heiko Eißfeldt <[email protected]> and
*08b48e0bSAndroid Build Coastguard Worker                        Andrea Fioraldi <[email protected]>
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker   Copyright 2016, 2017 Google Inc. All rights reserved.
*08b48e0bSAndroid Build Coastguard Worker   Copyright 2019-2024 AFLplusplus Project. All rights reserved.
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker   Licensed under the Apache License, Version 2.0 (the "License");
*08b48e0bSAndroid Build Coastguard Worker   you may not use this file except in compliance with the License.
*08b48e0bSAndroid Build Coastguard Worker   You may obtain a copy of the License at:
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker     https://www.apache.org/licenses/LICENSE-2.0
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker   This is the real deal: the program takes an instrumented binary and
*08b48e0bSAndroid Build Coastguard Worker   attempts a variety of basic fuzzing tricks, paying close attention to
*08b48e0bSAndroid Build Coastguard Worker   how they affect the execution path.
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#include "afl-fuzz.h"
*08b48e0bSAndroid Build Coastguard Worker#include <string.h>
*08b48e0bSAndroid Build Coastguard Worker#include <limits.h>
*08b48e0bSAndroid Build Coastguard Worker#include "cmplog.h"
*08b48e0bSAndroid Build Coastguard Worker#include "afl-mutations.h"
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker/* MOpt */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workerstatic int select_algorithm(afl_state_t *afl, u32 max_algorithm) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  int i_puppet, j_puppet = 0, operator_number = max_algorithm;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  double range_sele =
*08b48e0bSAndroid Build Coastguard Worker      (double)afl->probability_now[afl->swarm_now][operator_number - 1];
*08b48e0bSAndroid Build Coastguard Worker  double sele = ((double)(rand_below(afl, 10000) * 0.0001 * range_sele));
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  for (i_puppet = 0; i_puppet < operator_num; ++i_puppet) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (unlikely(i_puppet == 0)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (sele < afl->probability_now[afl->swarm_now][i_puppet]) { break; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (sele < afl->probability_now[afl->swarm_now][i_puppet]) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        j_puppet = 1;
*08b48e0bSAndroid Build Coastguard Worker        break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if ((j_puppet == 1 &&
*08b48e0bSAndroid Build Coastguard Worker       sele < afl->probability_now[afl->swarm_now][i_puppet - 1]) ||
*08b48e0bSAndroid Build Coastguard Worker      (i_puppet + 1 < operator_num &&
*08b48e0bSAndroid Build Coastguard Worker       sele > afl->probability_now[afl->swarm_now][i_puppet + 1])) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    FATAL("error select_algorithm");
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  return i_puppet;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker/* Helper function to see if a particular change (xor_val = old ^ new) could
*08b48e0bSAndroid Build Coastguard Worker   be a product of deterministic bit flips with the lengths and stepovers
*08b48e0bSAndroid Build Coastguard Worker   attempted by afl-fuzz. This is used to avoid dupes in some of the
*08b48e0bSAndroid Build Coastguard Worker   deterministic fuzzing operations that follow bit flips. We also
*08b48e0bSAndroid Build Coastguard Worker   return 1 if xor_val is zero, which implies that the old and attempted new
*08b48e0bSAndroid Build Coastguard Worker   values are identical and the exec would be a waste of time. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workerstatic u8 could_be_bitflip(u32 xor_val) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  u32 sh = 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (!xor_val) { return 1; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* Shift left until first bit set. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  while (!(xor_val & 1)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    ++sh;
*08b48e0bSAndroid Build Coastguard Worker    xor_val >>= 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* 1-, 2-, and 4-bit patterns are OK anywhere. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (xor_val == 1 || xor_val == 3 || xor_val == 15) { return 1; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* 8-, 16-, and 32-bit patterns are OK only if shift factor is
*08b48e0bSAndroid Build Coastguard Worker     divisible by 8, since that's the stepover for these ops. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (sh & 7) { return 0; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (xor_val == 0xff || xor_val == 0xffff || xor_val == 0xffffffff) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    return 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  return 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker/* Helper function to see if a particular value is reachable through
*08b48e0bSAndroid Build Coastguard Worker   arithmetic operations. Used for similar purposes. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workerstatic u8 could_be_arith(u32 old_val, u32 new_val, u8 blen) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  u32 i, ov = 0, nv = 0, diffs = 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (old_val == new_val) { return 1; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* See if one-byte adjustments to any byte could produce this result. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  for (i = 0; (u8)i < blen; ++i) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    u8 a = old_val >> (8 * i), b = new_val >> (8 * i);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (a != b) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      ++diffs;
*08b48e0bSAndroid Build Coastguard Worker      ov = a;
*08b48e0bSAndroid Build Coastguard Worker      nv = b;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* If only one byte differs and the values are within range, return 1. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (diffs == 1) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if ((u8)(ov - nv) <= ARITH_MAX || (u8)(nv - ov) <= ARITH_MAX) { return 1; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (blen == 1) { return 0; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* See if two-byte adjustments to any byte would produce this result. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  diffs = 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  for (i = 0; (u8)i < blen / 2; ++i) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    u16 a = old_val >> (16 * i), b = new_val >> (16 * i);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (a != b) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      ++diffs;
*08b48e0bSAndroid Build Coastguard Worker      ov = a;
*08b48e0bSAndroid Build Coastguard Worker      nv = b;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* If only one word differs and the values are within range, return 1. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (diffs == 1) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if ((u16)(ov - nv) <= ARITH_MAX || (u16)(nv - ov) <= ARITH_MAX) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      return 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    ov = SWAP16(ov);
*08b48e0bSAndroid Build Coastguard Worker    nv = SWAP16(nv);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if ((u16)(ov - nv) <= ARITH_MAX || (u16)(nv - ov) <= ARITH_MAX) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      return 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* Finally, let's do the same thing for dwords. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (blen == 4) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if ((u32)(old_val - new_val) <= ARITH_MAX ||
*08b48e0bSAndroid Build Coastguard Worker        (u32)(new_val - old_val) <= ARITH_MAX) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      return 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    new_val = SWAP32(new_val);
*08b48e0bSAndroid Build Coastguard Worker    old_val = SWAP32(old_val);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if ((u32)(old_val - new_val) <= ARITH_MAX ||
*08b48e0bSAndroid Build Coastguard Worker        (u32)(new_val - old_val) <= ARITH_MAX) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      return 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  return 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker/* Last but not least, a similar helper to see if insertion of an
*08b48e0bSAndroid Build Coastguard Worker   interesting integer is redundant given the insertions done for
*08b48e0bSAndroid Build Coastguard Worker   shorter blen. The last param (check_le) is set if the caller
*08b48e0bSAndroid Build Coastguard Worker   already executed LE insertion for current blen and wants to see
*08b48e0bSAndroid Build Coastguard Worker   if BE variant passed in new_val is unique. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workerstatic u8 could_be_interest(u32 old_val, u32 new_val, u8 blen, u8 check_le) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  u32 i, j;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (old_val == new_val) { return 1; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* See if one-byte insertions from interesting_8 over old_val could
*08b48e0bSAndroid Build Coastguard Worker     produce new_val. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  for (i = 0; i < blen; ++i) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    for (j = 0; j < sizeof(interesting_8); ++j) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      u32 tval =
*08b48e0bSAndroid Build Coastguard Worker          (old_val & ~(0xff << (i * 8))) | (((u8)interesting_8[j]) << (i * 8));
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (new_val == tval) { return 1; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* Bail out unless we're also asked to examine two-byte LE insertions
*08b48e0bSAndroid Build Coastguard Worker     as a preparation for BE attempts. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (blen == 2 && !check_le) { return 0; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* See if two-byte insertions over old_val could give us new_val. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  for (i = 0; (u8)i < blen - 1; ++i) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    for (j = 0; j < sizeof(interesting_16) / 2; ++j) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      u32 tval = (old_val & ~(0xffff << (i * 8))) |
*08b48e0bSAndroid Build Coastguard Worker                 (((u16)interesting_16[j]) << (i * 8));
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (new_val == tval) { return 1; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      /* Continue here only if blen > 2. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (blen > 2) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        tval = (old_val & ~(0xffff << (i * 8))) |
*08b48e0bSAndroid Build Coastguard Worker               (SWAP16(interesting_16[j]) << (i * 8));
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        if (new_val == tval) { return 1; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (blen == 4 && check_le) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* See if four-byte insertions could produce the same result
*08b48e0bSAndroid Build Coastguard Worker       (LE only). */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    for (j = 0; j < sizeof(interesting_32) / 4; ++j) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (new_val == (u32)interesting_32[j]) { return 1; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  return 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifndef IGNORE_FINDS
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker/* Helper function to compare buffers; returns first and last differing offset.
*08b48e0bSAndroid Build Coastguard Worker   We use this to find reasonable locations for splicing two files. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workerstatic void locate_diffs(u8 *ptr1, u8 *ptr2, u32 len, s32 *first, s32 *last) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  s32 f_loc = -1;
*08b48e0bSAndroid Build Coastguard Worker  s32 l_loc = -1;
*08b48e0bSAndroid Build Coastguard Worker  u32 pos;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  for (pos = 0; pos < len; ++pos) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (*(ptr1++) != *(ptr2++)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (f_loc == -1) { f_loc = pos; }
*08b48e0bSAndroid Build Coastguard Worker      l_loc = pos;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  *first = f_loc;
*08b48e0bSAndroid Build Coastguard Worker  *last = l_loc;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  return;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#endif                                                     /* !IGNORE_FINDS */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker/* Take the current entry from the queue, fuzz it for a while. This
*08b48e0bSAndroid Build Coastguard Worker   function is a tad too long... returns 0 if fuzzed successfully, 1 if
*08b48e0bSAndroid Build Coastguard Worker   skipped or bailed out. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workeru8 fuzz_one_original(afl_state_t *afl) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  u32 len, temp_len;
*08b48e0bSAndroid Build Coastguard Worker  u32 j;
*08b48e0bSAndroid Build Coastguard Worker  u32 i;
*08b48e0bSAndroid Build Coastguard Worker  u8 *in_buf, *out_buf, *orig_in, *ex_tmp;
*08b48e0bSAndroid Build Coastguard Worker  u64 havoc_queued = 0, orig_hit_cnt, new_hit_cnt = 0, prev_cksum, _prev_cksum;
*08b48e0bSAndroid Build Coastguard Worker  u32 splice_cycle = 0, perf_score = 100, orig_perf;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  u8 ret_val = 1, doing_det = 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  u8  a_collect[MAX_AUTO_EXTRA];
*08b48e0bSAndroid Build Coastguard Worker  u32 a_len = 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef IGNORE_FINDS
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* In IGNORE_FINDS mode, skip any entries that weren't in the
*08b48e0bSAndroid Build Coastguard Worker     initial data set. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (afl->queue_cur->depth > 1) return 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#else
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (unlikely(afl->custom_mutators_count)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* The custom mutator will decide to skip this test case or not. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (el->afl_custom_queue_get &&
*08b48e0bSAndroid Build Coastguard Worker          !el->afl_custom_queue_get(el->data, afl->queue_cur->fname)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        return 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    });
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (likely(afl->pending_favored)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* If we have any favored, non-fuzzed new arrivals in the queue,
*08b48e0bSAndroid Build Coastguard Worker       possibly skip to them at the expense of already-fuzzed or non-favored
*08b48e0bSAndroid Build Coastguard Worker       cases. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if ((afl->queue_cur->fuzz_level || !afl->queue_cur->favored) &&
*08b48e0bSAndroid Build Coastguard Worker        likely(rand_below(afl, 100) < SKIP_TO_NEW_PROB)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      return 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  } else if (!afl->non_instrumented_mode && !afl->queue_cur->favored &&
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker             afl->queued_items > 10) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* Otherwise, still possibly skip non-favored cases, albeit less often.
*08b48e0bSAndroid Build Coastguard Worker       The odds of skipping stuff are higher for already-fuzzed inputs and
*08b48e0bSAndroid Build Coastguard Worker       lower for never-fuzzed entries. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (afl->queue_cycle > 1 && !afl->queue_cur->fuzz_level) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (likely(rand_below(afl, 100) < SKIP_NFAV_NEW_PROB)) { return 1; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (likely(rand_below(afl, 100) < SKIP_NFAV_OLD_PROB)) { return 1; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#endif                                                     /* ^IGNORE_FINDS */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (likely(afl->not_on_tty)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    u8 time_tmp[64];
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    u_simplestring_time_diff(time_tmp, afl->prev_run_time + get_cur_time(),
*08b48e0bSAndroid Build Coastguard Worker                             afl->start_time);
*08b48e0bSAndroid Build Coastguard Worker    ACTF(
*08b48e0bSAndroid Build Coastguard Worker        "Fuzzing test case #%u (%u total, %llu crashes saved, state: %s, "
*08b48e0bSAndroid Build Coastguard Worker        "mode=%s, "
*08b48e0bSAndroid Build Coastguard Worker        "perf_score=%0.0f, weight=%0.0f, favorite=%u, was_fuzzed=%u, "
*08b48e0bSAndroid Build Coastguard Worker        "exec_us=%llu, hits=%u, map=%u, ascii=%u, run_time=%s)...",
*08b48e0bSAndroid Build Coastguard Worker        afl->current_entry, afl->queued_items, afl->saved_crashes,
*08b48e0bSAndroid Build Coastguard Worker        get_fuzzing_state(afl), afl->fuzz_mode ? "exploit" : "explore",
*08b48e0bSAndroid Build Coastguard Worker        afl->queue_cur->perf_score, afl->queue_cur->weight,
*08b48e0bSAndroid Build Coastguard Worker        afl->queue_cur->favored, afl->queue_cur->was_fuzzed,
*08b48e0bSAndroid Build Coastguard Worker        afl->queue_cur->exec_us,
*08b48e0bSAndroid Build Coastguard Worker        likely(afl->n_fuzz) ? afl->n_fuzz[afl->queue_cur->n_fuzz_entry] : 0,
*08b48e0bSAndroid Build Coastguard Worker        afl->queue_cur->bitmap_size, afl->queue_cur->is_ascii, time_tmp);
*08b48e0bSAndroid Build Coastguard Worker    fflush(stdout);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  orig_in = in_buf = queue_testcase_get(afl, afl->queue_cur);
*08b48e0bSAndroid Build Coastguard Worker  len = afl->queue_cur->len;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  out_buf = afl_realloc(AFL_BUF_PARAM(out), len);
*08b48e0bSAndroid Build Coastguard Worker  if (unlikely(!out_buf)) { PFATAL("alloc"); }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->subseq_tmouts = 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->cur_depth = afl->queue_cur->depth;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /*******************************************
*08b48e0bSAndroid Build Coastguard Worker   * CALIBRATION (only if failed earlier on) *
*08b48e0bSAndroid Build Coastguard Worker   *******************************************/
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (unlikely(afl->queue_cur->cal_failed)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    u8 res = FSRV_RUN_TMOUT;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (afl->queue_cur->cal_failed < CAL_CHANCES) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      afl->queue_cur->exec_cksum = 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      res =
*08b48e0bSAndroid Build Coastguard Worker          calibrate_case(afl, afl->queue_cur, in_buf, afl->queue_cycle - 1, 0);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (unlikely(res == FSRV_RUN_ERROR)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        FATAL("Unable to execute target application");
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (unlikely(afl->stop_soon) || res != afl->crash_mode) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      ++afl->cur_skipped_items;
*08b48e0bSAndroid Build Coastguard Worker      goto abandon_entry;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /************
*08b48e0bSAndroid Build Coastguard Worker   * TRIMMING *
*08b48e0bSAndroid Build Coastguard Worker   ************/
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (unlikely(!afl->non_instrumented_mode && !afl->queue_cur->trim_done &&
*08b48e0bSAndroid Build Coastguard Worker               !afl->disable_trim)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    u32 old_len = afl->queue_cur->len;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    u8 res = trim_case(afl, afl->queue_cur, in_buf);
*08b48e0bSAndroid Build Coastguard Worker    orig_in = in_buf = queue_testcase_get(afl, afl->queue_cur);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (unlikely(res == FSRV_RUN_ERROR)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      FATAL("Unable to execute target application");
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (unlikely(afl->stop_soon)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      ++afl->cur_skipped_items;
*08b48e0bSAndroid Build Coastguard Worker      goto abandon_entry;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* Don't retry trimming, even if it failed. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    afl->queue_cur->trim_done = 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    len = afl->queue_cur->len;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* maybe current entry is not ready for splicing anymore */
*08b48e0bSAndroid Build Coastguard Worker    if (unlikely(len <= 4 && old_len > 4)) --afl->ready_for_splicing_count;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  memcpy(out_buf, in_buf, len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /*********************
*08b48e0bSAndroid Build Coastguard Worker   * PERFORMANCE SCORE *
*08b48e0bSAndroid Build Coastguard Worker   *********************/
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (likely(!afl->old_seed_selection))
*08b48e0bSAndroid Build Coastguard Worker    orig_perf = perf_score = afl->queue_cur->perf_score;
*08b48e0bSAndroid Build Coastguard Worker  else
*08b48e0bSAndroid Build Coastguard Worker    afl->queue_cur->perf_score = orig_perf = perf_score =
*08b48e0bSAndroid Build Coastguard Worker        calculate_score(afl, afl->queue_cur);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (unlikely(perf_score <= 0 && afl->active_items > 1)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    goto abandon_entry;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (unlikely(afl->shm.cmplog_mode &&
*08b48e0bSAndroid Build Coastguard Worker               afl->queue_cur->colorized < afl->cmplog_lvl &&
*08b48e0bSAndroid Build Coastguard Worker               (u32)len <= afl->cmplog_max_filesize)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (unlikely(len < 4)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      afl->queue_cur->colorized = CMPLOG_LVL_MAX;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (afl->queue_cur->favored || afl->cmplog_lvl == 3 ||
*08b48e0bSAndroid Build Coastguard Worker          (afl->cmplog_lvl == 2 &&
*08b48e0bSAndroid Build Coastguard Worker           (afl->queue_cur->tc_ref ||
*08b48e0bSAndroid Build Coastguard Worker            afl->fsrv.total_execs % afl->queued_items <= 10)) ||
*08b48e0bSAndroid Build Coastguard Worker          get_cur_time() - afl->last_find_time > 250000) {  // 250 seconds
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        if (input_to_state_stage(afl, in_buf, out_buf, len)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          goto abandon_entry;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  u64 before_det_time = get_cur_time();
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  u64 before_havoc_time;
*08b48e0bSAndroid Build Coastguard Worker  u32 before_det_findings = afl->queued_items,
*08b48e0bSAndroid Build Coastguard Worker      before_det_edges = count_non_255_bytes(afl, afl->virgin_bits),
*08b48e0bSAndroid Build Coastguard Worker      before_havoc_findings, before_havoc_edges;
*08b48e0bSAndroid Build Coastguard Worker  u8 is_logged = 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker  if (!afl->skip_deterministic) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (!skip_deterministic_stage(afl, in_buf, out_buf, len, before_det_time)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      goto abandon_entry;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  u8 *skip_eff_map = afl->queue_cur->skipdet_e->skip_eff_map;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* Skip right away if -d is given, if it has not been chosen sufficiently
*08b48e0bSAndroid Build Coastguard Worker     often to warrant the expensive deterministic stage (fuzz_level), or
*08b48e0bSAndroid Build Coastguard Worker     if it has gone through deterministic testing in earlier, resumed runs
*08b48e0bSAndroid Build Coastguard Worker     (passed_det). */
*08b48e0bSAndroid Build Coastguard Worker  /* if skipdet decide to skip the seed or no interesting bytes found,
*08b48e0bSAndroid Build Coastguard Worker     we skip the whole deterministic stage as well */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (likely(afl->skip_deterministic) || likely(afl->queue_cur->passed_det) ||
*08b48e0bSAndroid Build Coastguard Worker      likely(!afl->queue_cur->skipdet_e->quick_eff_bytes) ||
*08b48e0bSAndroid Build Coastguard Worker      likely(perf_score <
*08b48e0bSAndroid Build Coastguard Worker             (afl->queue_cur->depth * 30 <= afl->havoc_max_mult * 100
*08b48e0bSAndroid Build Coastguard Worker                  ? afl->queue_cur->depth * 30
*08b48e0bSAndroid Build Coastguard Worker                  : afl->havoc_max_mult * 100))) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    goto custom_mutator_stage;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* Skip deterministic fuzzing if exec path checksum puts this out of scope
*08b48e0bSAndroid Build Coastguard Worker     for this main instance. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (unlikely(afl->main_node_max &&
*08b48e0bSAndroid Build Coastguard Worker               (afl->queue_cur->exec_cksum % afl->main_node_max) !=
*08b48e0bSAndroid Build Coastguard Worker                   afl->main_node_id - 1)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    goto custom_mutator_stage;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  doing_det = 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /*********************************************
*08b48e0bSAndroid Build Coastguard Worker   * SIMPLE BITFLIP (+dictionary construction) *
*08b48e0bSAndroid Build Coastguard Worker   *********************************************/
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#define FLIP_BIT(_ar, _b)                     \
*08b48e0bSAndroid Build Coastguard Worker  do {                                        \
*08b48e0bSAndroid Build Coastguard Worker                                              \
*08b48e0bSAndroid Build Coastguard Worker    u8 *_arf = (u8 *)(_ar);                   \
*08b48e0bSAndroid Build Coastguard Worker    u32 _bf = (_b);                           \
*08b48e0bSAndroid Build Coastguard Worker    _arf[(_bf) >> 3] ^= (128 >> ((_bf) & 7)); \
*08b48e0bSAndroid Build Coastguard Worker                                              \
*08b48e0bSAndroid Build Coastguard Worker  } while (0)
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* Single walking bit. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_short = "flip1";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_max = len << 3;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_name = "bitflip 1/1";
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_val_type = STAGE_VAL_NONE;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  orig_hit_cnt = afl->queued_items + afl->saved_crashes;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* Get a clean cksum. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  prev_cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
*08b48e0bSAndroid Build Coastguard Worker  _prev_cksum = prev_cksum;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* Now flip bits. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  for (afl->stage_cur = 0; afl->stage_cur < afl->stage_max; ++afl->stage_cur) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_cur_byte = afl->stage_cur >> 3;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (!skip_eff_map[afl->stage_cur_byte]) continue;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (is_det_timeout(before_det_time, 0)) { goto custom_mutator_stage; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    FLIP_BIT(out_buf, afl->stage_cur);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker    snprintf(afl->mutation, sizeof(afl->mutation), "%s FLIP_BIT1-%u",
*08b48e0bSAndroid Build Coastguard Worker             afl->queue_cur->fname, afl->stage_cur);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    FLIP_BIT(out_buf, afl->stage_cur);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* While flipping the least significant bit in every byte, pull of an extra
*08b48e0bSAndroid Build Coastguard Worker       trick to detect possible syntax tokens. In essence, the idea is that if
*08b48e0bSAndroid Build Coastguard Worker       you have a binary blob like this:
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker       xxxxxxxxIHDRxxxxxxxx
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker       ...and changing the leading and trailing bytes causes variable or no
*08b48e0bSAndroid Build Coastguard Worker       changes in program flow, but touching any character in the "IHDR" string
*08b48e0bSAndroid Build Coastguard Worker       always produces the same, distinctive path, it's highly likely that
*08b48e0bSAndroid Build Coastguard Worker       "IHDR" is an atomically-checked magic value of special significance to
*08b48e0bSAndroid Build Coastguard Worker       the fuzzed format.
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker       We do this here, rather than as a separate stage, because it's a nice
*08b48e0bSAndroid Build Coastguard Worker       way to keep the operation approximately "free" (i.e., no extra execs).
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker       Empirically, performing the check when flipping the least significant bit
*08b48e0bSAndroid Build Coastguard Worker       is advantageous, compared to doing it at the time of more disruptive
*08b48e0bSAndroid Build Coastguard Worker       changes, where the program flow may be affected in more violent ways.
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker       The caveat is that we won't generate dictionaries in the -d mode or -S
*08b48e0bSAndroid Build Coastguard Worker       mode - but that's probably a fair trade-off.
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker       This won't work particularly well with paths that exhibit variable
*08b48e0bSAndroid Build Coastguard Worker       behavior, but fails gracefully, so we'll carry out the checks anyway.
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (!afl->non_instrumented_mode && (afl->stage_cur & 7) == 7) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      u64 cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (afl->stage_cur == afl->stage_max - 1 && cksum == prev_cksum) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        /* If at end of file and we are still collecting a string, grab the
*08b48e0bSAndroid Build Coastguard Worker           final character and force output. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        if (a_len < MAX_AUTO_EXTRA) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          a_collect[a_len] = out_buf[afl->stage_cur >> 3];
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        ++a_len;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        if (a_len >= MIN_AUTO_EXTRA && a_len <= MAX_AUTO_EXTRA) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          maybe_add_auto(afl, a_collect, a_len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      } else if (cksum != prev_cksum) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        /* Otherwise, if the checksum has changed, see if we have something
*08b48e0bSAndroid Build Coastguard Worker           worthwhile queued up, and collect that if the answer is yes. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        if (a_len >= MIN_AUTO_EXTRA && a_len <= MAX_AUTO_EXTRA) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          maybe_add_auto(afl, a_collect, a_len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        a_len = 0;
*08b48e0bSAndroid Build Coastguard Worker        prev_cksum = cksum;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      /* Continue collecting string, but only if the bit flip actually made
*08b48e0bSAndroid Build Coastguard Worker         any difference - we don't want no-op tokens. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (cksum != _prev_cksum) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        if (a_len < MAX_AUTO_EXTRA) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          a_collect[a_len] = out_buf[afl->stage_cur >> 3];
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        ++a_len;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  new_hit_cnt = afl->queued_items + afl->saved_crashes;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_finds[STAGE_FLIP1] += new_hit_cnt - orig_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cycles[STAGE_FLIP1] += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker  afl->queue_cur->stats_mutated += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* Two walking bits. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_name = "bitflip 2/1";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_short = "flip2";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_max = (len << 3) - 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  orig_hit_cnt = new_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  for (afl->stage_cur = 0; afl->stage_cur < afl->stage_max; ++afl->stage_cur) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_cur_byte = afl->stage_cur >> 3;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (!skip_eff_map[afl->stage_cur_byte]) continue;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (is_det_timeout(before_det_time, 0)) { goto custom_mutator_stage; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    FLIP_BIT(out_buf, afl->stage_cur);
*08b48e0bSAndroid Build Coastguard Worker    FLIP_BIT(out_buf, afl->stage_cur + 1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker    snprintf(afl->mutation, sizeof(afl->mutation), "%s FLIP_BIT2-%u",
*08b48e0bSAndroid Build Coastguard Worker             afl->queue_cur->fname, afl->stage_cur);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    FLIP_BIT(out_buf, afl->stage_cur);
*08b48e0bSAndroid Build Coastguard Worker    FLIP_BIT(out_buf, afl->stage_cur + 1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  new_hit_cnt = afl->queued_items + afl->saved_crashes;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_finds[STAGE_FLIP2] += new_hit_cnt - orig_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cycles[STAGE_FLIP2] += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker  afl->queue_cur->stats_mutated += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* Four walking bits. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_name = "bitflip 4/1";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_short = "flip4";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_max = (len << 3) - 3;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  orig_hit_cnt = new_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  for (afl->stage_cur = 0; afl->stage_cur < afl->stage_max; ++afl->stage_cur) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_cur_byte = afl->stage_cur >> 3;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (!skip_eff_map[afl->stage_cur_byte]) continue;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (is_det_timeout(before_det_time, 0)) { goto custom_mutator_stage; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    FLIP_BIT(out_buf, afl->stage_cur);
*08b48e0bSAndroid Build Coastguard Worker    FLIP_BIT(out_buf, afl->stage_cur + 1);
*08b48e0bSAndroid Build Coastguard Worker    FLIP_BIT(out_buf, afl->stage_cur + 2);
*08b48e0bSAndroid Build Coastguard Worker    FLIP_BIT(out_buf, afl->stage_cur + 3);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker    snprintf(afl->mutation, sizeof(afl->mutation), "%s FLIP_BIT4-%u",
*08b48e0bSAndroid Build Coastguard Worker             afl->queue_cur->fname, afl->stage_cur);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    FLIP_BIT(out_buf, afl->stage_cur);
*08b48e0bSAndroid Build Coastguard Worker    FLIP_BIT(out_buf, afl->stage_cur + 1);
*08b48e0bSAndroid Build Coastguard Worker    FLIP_BIT(out_buf, afl->stage_cur + 2);
*08b48e0bSAndroid Build Coastguard Worker    FLIP_BIT(out_buf, afl->stage_cur + 3);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  new_hit_cnt = afl->queued_items + afl->saved_crashes;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_finds[STAGE_FLIP4] += new_hit_cnt - orig_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cycles[STAGE_FLIP4] += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker  afl->queue_cur->stats_mutated += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* Walking byte. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_name = "bitflip 8/8";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_short = "flip8";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_max = len;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  orig_hit_cnt = new_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker  prev_cksum = _prev_cksum;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  for (afl->stage_cur = 0; afl->stage_cur < afl->stage_max; ++afl->stage_cur) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_cur_byte = afl->stage_cur;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (!skip_eff_map[afl->stage_cur_byte]) continue;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (is_det_timeout(before_det_time, 0)) { goto custom_mutator_stage; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    out_buf[afl->stage_cur] ^= 0xFF;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker    snprintf(afl->mutation, sizeof(afl->mutation), "%s FLIP_BIT8-%u",
*08b48e0bSAndroid Build Coastguard Worker             afl->queue_cur->fname, afl->stage_cur);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    out_buf[afl->stage_cur] ^= 0xFF;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* New effective bytes calculation. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  for (i = 0; i < len; i++) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (skip_eff_map[i]) afl->blocks_eff_select += 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->blocks_eff_total += len;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  new_hit_cnt = afl->queued_items + afl->saved_crashes;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_finds[STAGE_FLIP8] += new_hit_cnt - orig_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cycles[STAGE_FLIP8] += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker  afl->queue_cur->stats_mutated += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* Two walking bytes. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (len < 2) { goto skip_bitflip; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_name = "bitflip 16/8";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_short = "flip16";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cur = 0;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_max = len - 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  orig_hit_cnt = new_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  for (i = 0; i < len - 1; ++i) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* Let's consult the effector map... */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (!skip_eff_map[i]) continue;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (is_det_timeout(before_det_time, 0)) { goto custom_mutator_stage; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_cur_byte = i;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    *(u16 *)(out_buf + i) ^= 0xFFFF;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker    snprintf(afl->mutation, sizeof(afl->mutation), "%s FLIP_BIT16-%u",
*08b48e0bSAndroid Build Coastguard Worker             afl->queue_cur->fname, afl->stage_cur);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker    ++afl->stage_cur;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    *(u16 *)(out_buf + i) ^= 0xFFFF;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  new_hit_cnt = afl->queued_items + afl->saved_crashes;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_finds[STAGE_FLIP16] += new_hit_cnt - orig_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cycles[STAGE_FLIP16] += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker  afl->queue_cur->stats_mutated += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (len < 4) { goto skip_bitflip; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* Four walking bytes. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_name = "bitflip 32/8";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_short = "flip32";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cur = 0;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_max = len - 3;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  orig_hit_cnt = new_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  for (i = 0; i < len - 3; ++i) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* Let's consult the effector map... */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (!skip_eff_map[i]) continue;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (is_det_timeout(before_det_time, 0)) { goto custom_mutator_stage; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_cur_byte = i;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    *(u32 *)(out_buf + i) ^= 0xFFFFFFFF;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker    snprintf(afl->mutation, sizeof(afl->mutation), "%s FLIP_BIT32-%u",
*08b48e0bSAndroid Build Coastguard Worker             afl->queue_cur->fname, afl->stage_cur);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker    ++afl->stage_cur;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    *(u32 *)(out_buf + i) ^= 0xFFFFFFFF;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  new_hit_cnt = afl->queued_items + afl->saved_crashes;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_finds[STAGE_FLIP32] += new_hit_cnt - orig_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cycles[STAGE_FLIP32] += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker  afl->queue_cur->stats_mutated += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workerskip_bitflip:
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (afl->no_arith) { goto skip_arith; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /**********************
*08b48e0bSAndroid Build Coastguard Worker   * ARITHMETIC INC/DEC *
*08b48e0bSAndroid Build Coastguard Worker   **********************/
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* 8-bit arithmetics. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_name = "arith 8/8";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_short = "arith8";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cur = 0;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_max = 2 * len * ARITH_MAX;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_val_type = STAGE_VAL_LE;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  orig_hit_cnt = new_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  for (i = 0; i < (u32)len; ++i) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    u8 orig = out_buf[i];
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* Let's consult the effector map... */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (!skip_eff_map[i]) continue;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (is_det_timeout(before_det_time, 0)) { goto custom_mutator_stage; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_cur_byte = i;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    for (j = 1; j <= ARITH_MAX; ++j) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      u8 r = orig ^ (orig + j);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      /* Do arithmetic operations only if the result couldn't be a product
*08b48e0bSAndroid Build Coastguard Worker         of a bitflip. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (!could_be_bitflip(r)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        afl->stage_cur_val = j;
*08b48e0bSAndroid Build Coastguard Worker        out_buf[i] = orig + j;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker        snprintf(afl->mutation, sizeof(afl->mutation), "%s ARITH8+-%u-%u",
*08b48e0bSAndroid Build Coastguard Worker                 afl->queue_cur->fname, i, j);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker        ++afl->stage_cur;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        --afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      r = orig ^ (orig - j);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (!could_be_bitflip(r)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        afl->stage_cur_val = -j;
*08b48e0bSAndroid Build Coastguard Worker        out_buf[i] = orig - j;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker        snprintf(afl->mutation, sizeof(afl->mutation), "%s ARITH8--%u-%u",
*08b48e0bSAndroid Build Coastguard Worker                 afl->queue_cur->fname, i, j);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker        ++afl->stage_cur;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        --afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      out_buf[i] = orig;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  new_hit_cnt = afl->queued_items + afl->saved_crashes;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_finds[STAGE_ARITH8] += new_hit_cnt - orig_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cycles[STAGE_ARITH8] += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker  afl->queue_cur->stats_mutated += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* 16-bit arithmetics, both endians. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (len < 2) { goto skip_arith; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_name = "arith 16/8";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_short = "arith16";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cur = 0;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_max = 4 * (len - 1) * ARITH_MAX;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  orig_hit_cnt = new_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  for (i = 0; i < (u32)len - 1; ++i) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    u16 orig = *(u16 *)(out_buf + i);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* Let's consult the effector map... */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (!skip_eff_map[i]) continue;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (is_det_timeout(before_det_time, 0)) { goto custom_mutator_stage; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_cur_byte = i;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    for (j = 1; j <= ARITH_MAX; ++j) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      u16 r1 = orig ^ (orig + j), r2 = orig ^ (orig - j),
*08b48e0bSAndroid Build Coastguard Worker          r3 = orig ^ SWAP16(SWAP16(orig) + j),
*08b48e0bSAndroid Build Coastguard Worker          r4 = orig ^ SWAP16(SWAP16(orig) - j);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      /* Try little endian addition and subtraction first. Do it only
*08b48e0bSAndroid Build Coastguard Worker         if the operation would affect more than one byte (hence the
*08b48e0bSAndroid Build Coastguard Worker         & 0xff overflow checks) and if it couldn't be a product of
*08b48e0bSAndroid Build Coastguard Worker         a bitflip. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      afl->stage_val_type = STAGE_VAL_LE;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if ((orig & 0xff) + j > 0xff && !could_be_bitflip(r1)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        afl->stage_cur_val = j;
*08b48e0bSAndroid Build Coastguard Worker        *(u16 *)(out_buf + i) = orig + j;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker        snprintf(afl->mutation, sizeof(afl->mutation), "%s ARITH16+-%u-%u",
*08b48e0bSAndroid Build Coastguard Worker                 afl->queue_cur->fname, i, j);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker        ++afl->stage_cur;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        --afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if ((orig & 0xff) < j && !could_be_bitflip(r2)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        afl->stage_cur_val = -j;
*08b48e0bSAndroid Build Coastguard Worker        *(u16 *)(out_buf + i) = orig - j;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker        snprintf(afl->mutation, sizeof(afl->mutation), "%s ARITH16--%u-%u",
*08b48e0bSAndroid Build Coastguard Worker                 afl->queue_cur->fname, i, j);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker        ++afl->stage_cur;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        --afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      /* Big endian comes next. Same deal. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      afl->stage_val_type = STAGE_VAL_BE;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if ((orig >> 8) + j > 0xff && !could_be_bitflip(r3)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        afl->stage_cur_val = j;
*08b48e0bSAndroid Build Coastguard Worker        *(u16 *)(out_buf + i) = SWAP16(SWAP16(orig) + j);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker        snprintf(afl->mutation, sizeof(afl->mutation), "%s ARITH16+BE-%u-%u",
*08b48e0bSAndroid Build Coastguard Worker                 afl->queue_cur->fname, i, j);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker        ++afl->stage_cur;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        --afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if ((orig >> 8) < j && !could_be_bitflip(r4)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        afl->stage_cur_val = -j;
*08b48e0bSAndroid Build Coastguard Worker        *(u16 *)(out_buf + i) = SWAP16(SWAP16(orig) - j);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker        snprintf(afl->mutation, sizeof(afl->mutation), "%s ARITH16_BE-%u-%u",
*08b48e0bSAndroid Build Coastguard Worker                 afl->queue_cur->fname, i, j);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker        ++afl->stage_cur;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        --afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      *(u16 *)(out_buf + i) = orig;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  new_hit_cnt = afl->queued_items + afl->saved_crashes;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_finds[STAGE_ARITH16] += new_hit_cnt - orig_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cycles[STAGE_ARITH16] += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker  afl->queue_cur->stats_mutated += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* 32-bit arithmetics, both endians. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (len < 4) { goto skip_arith; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_name = "arith 32/8";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_short = "arith32";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cur = 0;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_max = 4 * (len - 3) * ARITH_MAX;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  orig_hit_cnt = new_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  for (i = 0; i < (u32)len - 3; ++i) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    u32 orig = *(u32 *)(out_buf + i);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* Let's consult the effector map... */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (!skip_eff_map[i]) continue;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (is_det_timeout(before_det_time, 0)) { goto custom_mutator_stage; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_cur_byte = i;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    for (j = 1; j <= ARITH_MAX; ++j) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      u32 r1 = orig ^ (orig + j), r2 = orig ^ (orig - j),
*08b48e0bSAndroid Build Coastguard Worker          r3 = orig ^ SWAP32(SWAP32(orig) + j),
*08b48e0bSAndroid Build Coastguard Worker          r4 = orig ^ SWAP32(SWAP32(orig) - j);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      /* Little endian first. Same deal as with 16-bit: we only want to
*08b48e0bSAndroid Build Coastguard Worker         try if the operation would have effect on more than two bytes. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      afl->stage_val_type = STAGE_VAL_LE;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if ((orig & 0xffff) + j > 0xffff && !could_be_bitflip(r1)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        afl->stage_cur_val = j;
*08b48e0bSAndroid Build Coastguard Worker        *(u32 *)(out_buf + i) = orig + j;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker        snprintf(afl->mutation, sizeof(afl->mutation), "%s ARITH32+-%u-%u",
*08b48e0bSAndroid Build Coastguard Worker                 afl->queue_cur->fname, i, j);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker        ++afl->stage_cur;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        --afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if ((orig & 0xffff) < (u32)j && !could_be_bitflip(r2)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        afl->stage_cur_val = -j;
*08b48e0bSAndroid Build Coastguard Worker        *(u32 *)(out_buf + i) = orig - j;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker        snprintf(afl->mutation, sizeof(afl->mutation), "%s ARITH32_-%u-%u",
*08b48e0bSAndroid Build Coastguard Worker                 afl->queue_cur->fname, i, j);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker        ++afl->stage_cur;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        --afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      /* Big endian next. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      afl->stage_val_type = STAGE_VAL_BE;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if ((SWAP32(orig) & 0xffff) + j > 0xffff && !could_be_bitflip(r3)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        afl->stage_cur_val = j;
*08b48e0bSAndroid Build Coastguard Worker        *(u32 *)(out_buf + i) = SWAP32(SWAP32(orig) + j);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker        snprintf(afl->mutation, sizeof(afl->mutation), "%s ARITH32+BE-%u-%u",
*08b48e0bSAndroid Build Coastguard Worker                 afl->queue_cur->fname, i, j);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker        ++afl->stage_cur;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        --afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if ((SWAP32(orig) & 0xffff) < (u32)j && !could_be_bitflip(r4)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        afl->stage_cur_val = -j;
*08b48e0bSAndroid Build Coastguard Worker        *(u32 *)(out_buf + i) = SWAP32(SWAP32(orig) - j);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker        snprintf(afl->mutation, sizeof(afl->mutation), "%s ARITH32_BE-%u-%u",
*08b48e0bSAndroid Build Coastguard Worker                 afl->queue_cur->fname, i, j);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker        ++afl->stage_cur;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        --afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      *(u32 *)(out_buf + i) = orig;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  new_hit_cnt = afl->queued_items + afl->saved_crashes;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_finds[STAGE_ARITH32] += new_hit_cnt - orig_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cycles[STAGE_ARITH32] += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker  afl->queue_cur->stats_mutated += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workerskip_arith:
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /**********************
*08b48e0bSAndroid Build Coastguard Worker   * INTERESTING VALUES *
*08b48e0bSAndroid Build Coastguard Worker   **********************/
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_name = "interest 8/8";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_short = "int8";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cur = 0;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_max = len * sizeof(interesting_8);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_val_type = STAGE_VAL_LE;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  orig_hit_cnt = new_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* Setting 8-bit integers. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  for (i = 0; i < (u32)len; ++i) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    u8 orig = out_buf[i];
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* Let's consult the effector map... */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (!skip_eff_map[i]) continue;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (is_det_timeout(before_det_time, 0)) { goto custom_mutator_stage; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_cur_byte = i;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    for (j = 0; j < (u32)sizeof(interesting_8); ++j) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      /* Skip if the value could be a product of bitflips or arithmetics. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (could_be_bitflip(orig ^ (u8)interesting_8[j]) ||
*08b48e0bSAndroid Build Coastguard Worker          could_be_arith(orig, (u8)interesting_8[j], 1)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        --afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker        continue;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      afl->stage_cur_val = interesting_8[j];
*08b48e0bSAndroid Build Coastguard Worker      out_buf[i] = interesting_8[j];
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker      snprintf(afl->mutation, sizeof(afl->mutation), "%s INTERESTING8_%u_%u",
*08b48e0bSAndroid Build Coastguard Worker               afl->queue_cur->fname, i, j);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      out_buf[i] = orig;
*08b48e0bSAndroid Build Coastguard Worker      ++afl->stage_cur;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  new_hit_cnt = afl->queued_items + afl->saved_crashes;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_finds[STAGE_INTEREST8] += new_hit_cnt - orig_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cycles[STAGE_INTEREST8] += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker  afl->queue_cur->stats_mutated += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* Setting 16-bit integers, both endians. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (afl->no_arith || len < 2) { goto skip_interest; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_name = "interest 16/8";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_short = "int16";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cur = 0;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_max = 2 * (len - 1) * (sizeof(interesting_16) >> 1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  orig_hit_cnt = new_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  for (i = 0; i < len - 1; ++i) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    u16 orig = *(u16 *)(out_buf + i);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* Let's consult the effector map... */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (!skip_eff_map[i]) continue;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (is_det_timeout(before_det_time, 0)) { goto custom_mutator_stage; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_cur_byte = i;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    for (j = 0; j < sizeof(interesting_16) / 2; ++j) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      afl->stage_cur_val = interesting_16[j];
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      /* Skip if this could be a product of a bitflip, arithmetics,
*08b48e0bSAndroid Build Coastguard Worker         or single-byte interesting value insertion. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (!could_be_bitflip(orig ^ (u16)interesting_16[j]) &&
*08b48e0bSAndroid Build Coastguard Worker          !could_be_arith(orig, (u16)interesting_16[j], 2) &&
*08b48e0bSAndroid Build Coastguard Worker          !could_be_interest(orig, (u16)interesting_16[j], 2, 0)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        afl->stage_val_type = STAGE_VAL_LE;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        *(u16 *)(out_buf + i) = interesting_16[j];
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker        snprintf(afl->mutation, sizeof(afl->mutation), "%s INTERESTING16_%u_%u",
*08b48e0bSAndroid Build Coastguard Worker                 afl->queue_cur->fname, i, j);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker        ++afl->stage_cur;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        --afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if ((u16)interesting_16[j] != SWAP16(interesting_16[j]) &&
*08b48e0bSAndroid Build Coastguard Worker          !could_be_bitflip(orig ^ SWAP16(interesting_16[j])) &&
*08b48e0bSAndroid Build Coastguard Worker          !could_be_arith(orig, SWAP16(interesting_16[j]), 2) &&
*08b48e0bSAndroid Build Coastguard Worker          !could_be_interest(orig, SWAP16(interesting_16[j]), 2, 1)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        afl->stage_val_type = STAGE_VAL_BE;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker        snprintf(afl->mutation, sizeof(afl->mutation),
*08b48e0bSAndroid Build Coastguard Worker                 "%s INTERESTING16BE_%u_%u", afl->queue_cur->fname, i, j);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        *(u16 *)(out_buf + i) = SWAP16(interesting_16[j]);
*08b48e0bSAndroid Build Coastguard Worker        if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker        ++afl->stage_cur;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        --afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    *(u16 *)(out_buf + i) = orig;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  new_hit_cnt = afl->queued_items + afl->saved_crashes;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_finds[STAGE_INTEREST16] += new_hit_cnt - orig_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cycles[STAGE_INTEREST16] += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker  afl->queue_cur->stats_mutated += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (len < 4) { goto skip_interest; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* Setting 32-bit integers, both endians. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_name = "interest 32/8";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_short = "int32";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cur = 0;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_max = 2 * (len - 3) * (sizeof(interesting_32) >> 2);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  orig_hit_cnt = new_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  for (i = 0; i < len - 3; i++) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    u32 orig = *(u32 *)(out_buf + i);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* Let's consult the effector map... */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (!skip_eff_map[i]) continue;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (is_det_timeout(before_det_time, 0)) { goto custom_mutator_stage; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_cur_byte = i;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    for (j = 0; j < sizeof(interesting_32) / 4; ++j) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      afl->stage_cur_val = interesting_32[j];
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      /* Skip if this could be a product of a bitflip, arithmetics,
*08b48e0bSAndroid Build Coastguard Worker         or word interesting value insertion. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (!could_be_bitflip(orig ^ (u32)interesting_32[j]) &&
*08b48e0bSAndroid Build Coastguard Worker          !could_be_arith(orig, interesting_32[j], 4) &&
*08b48e0bSAndroid Build Coastguard Worker          !could_be_interest(orig, interesting_32[j], 4, 0)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        afl->stage_val_type = STAGE_VAL_LE;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        *(u32 *)(out_buf + i) = interesting_32[j];
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker        snprintf(afl->mutation, sizeof(afl->mutation), "%s INTERESTING32_%u_%u",
*08b48e0bSAndroid Build Coastguard Worker                 afl->queue_cur->fname, i, j);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker        ++afl->stage_cur;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        --afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if ((u32)interesting_32[j] != SWAP32(interesting_32[j]) &&
*08b48e0bSAndroid Build Coastguard Worker          !could_be_bitflip(orig ^ SWAP32(interesting_32[j])) &&
*08b48e0bSAndroid Build Coastguard Worker          !could_be_arith(orig, SWAP32(interesting_32[j]), 4) &&
*08b48e0bSAndroid Build Coastguard Worker          !could_be_interest(orig, SWAP32(interesting_32[j]), 4, 1)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        afl->stage_val_type = STAGE_VAL_BE;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker        snprintf(afl->mutation, sizeof(afl->mutation),
*08b48e0bSAndroid Build Coastguard Worker                 "%s INTERESTING32BE_%u_%u", afl->queue_cur->fname, i, j);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        *(u32 *)(out_buf + i) = SWAP32(interesting_32[j]);
*08b48e0bSAndroid Build Coastguard Worker        if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker        ++afl->stage_cur;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        --afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    *(u32 *)(out_buf + i) = orig;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  new_hit_cnt = afl->queued_items + afl->saved_crashes;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_finds[STAGE_INTEREST32] += new_hit_cnt - orig_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cycles[STAGE_INTEREST32] += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker  afl->queue_cur->stats_mutated += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workerskip_interest:
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /********************
*08b48e0bSAndroid Build Coastguard Worker   * DICTIONARY STUFF *
*08b48e0bSAndroid Build Coastguard Worker   ********************/
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (!afl->extras_cnt) { goto skip_user_extras; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* Overwrite with user-supplied extras. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_name = "user extras (over)";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_short = "ext_UO";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cur = 0;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_max = afl->extras_cnt * len;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_val_type = STAGE_VAL_NONE;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  orig_hit_cnt = new_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  for (i = 0; i < (u32)len; ++i) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    u32 last_len = 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (!skip_eff_map[i]) continue;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (is_det_timeout(before_det_time, 0)) { goto custom_mutator_stage; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_cur_byte = i;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* Extras are sorted by size, from smallest to largest. This means
*08b48e0bSAndroid Build Coastguard Worker       that we don't have to worry about restoring the buffer in
*08b48e0bSAndroid Build Coastguard Worker       between writes at a particular offset determined by the outer
*08b48e0bSAndroid Build Coastguard Worker       loop. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    for (j = 0; j < afl->extras_cnt; ++j) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      /* Skip extras probabilistically if afl->extras_cnt > AFL_MAX_DET_EXTRAS.
*08b48e0bSAndroid Build Coastguard Worker         Also skip them if there's no room to insert the payload, if the token
*08b48e0bSAndroid Build Coastguard Worker         is redundant, or if its entire span has no bytes set in the effector
*08b48e0bSAndroid Build Coastguard Worker         map. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if ((afl->extras_cnt > afl->max_det_extras &&
*08b48e0bSAndroid Build Coastguard Worker           rand_below(afl, afl->extras_cnt) >= afl->max_det_extras) ||
*08b48e0bSAndroid Build Coastguard Worker          afl->extras[j].len > len - i ||
*08b48e0bSAndroid Build Coastguard Worker          !memcmp(afl->extras[j].data, out_buf + i, afl->extras[j].len)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        --afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker        continue;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      last_len = afl->extras[j].len;
*08b48e0bSAndroid Build Coastguard Worker      memcpy(out_buf + i, afl->extras[j].data, last_len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker      snprintf(afl->mutation, sizeof(afl->mutation),
*08b48e0bSAndroid Build Coastguard Worker               "%s EXTRAS_overwrite-%u-%u", afl->queue_cur->fname, i, j);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      ++afl->stage_cur;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* Restore all the clobbered memory. */
*08b48e0bSAndroid Build Coastguard Worker    memcpy(out_buf + i, in_buf + i, last_len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  new_hit_cnt = afl->queued_items + afl->saved_crashes;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_finds[STAGE_EXTRAS_UO] += new_hit_cnt - orig_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cycles[STAGE_EXTRAS_UO] += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker  afl->queue_cur->stats_mutated += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* Insertion of user-supplied extras. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_name = "user extras (insert)";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_short = "ext_UI";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cur = 0;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_max = afl->extras_cnt * (len + 1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  orig_hit_cnt = new_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  ex_tmp = afl_realloc(AFL_BUF_PARAM(ex), len + MAX_DICT_FILE);
*08b48e0bSAndroid Build Coastguard Worker  if (unlikely(!ex_tmp)) { PFATAL("alloc"); }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  for (i = 0; i <= (u32)len; ++i) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (!skip_eff_map[i % len]) continue;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (is_det_timeout(before_det_time, 0)) { goto custom_mutator_stage; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_cur_byte = i;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    for (j = 0; j < afl->extras_cnt; ++j) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (len + afl->extras[j].len > MAX_FILE) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        --afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker        continue;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      /* Insert token */
*08b48e0bSAndroid Build Coastguard Worker      memcpy(ex_tmp + i, afl->extras[j].data, afl->extras[j].len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      /* Copy tail */
*08b48e0bSAndroid Build Coastguard Worker      memcpy(ex_tmp + i + afl->extras[j].len, out_buf + i, len - i);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker      snprintf(afl->mutation, sizeof(afl->mutation), "%s EXTRAS_insert-%u-%u",
*08b48e0bSAndroid Build Coastguard Worker               afl->queue_cur->fname, i, j);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (common_fuzz_stuff(afl, ex_tmp, len + afl->extras[j].len)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        goto abandon_entry;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      ++afl->stage_cur;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* Copy head */
*08b48e0bSAndroid Build Coastguard Worker    ex_tmp[i] = out_buf[i];
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  new_hit_cnt = afl->queued_items + afl->saved_crashes;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_finds[STAGE_EXTRAS_UI] += new_hit_cnt - orig_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cycles[STAGE_EXTRAS_UI] += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker  afl->queue_cur->stats_mutated += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workerskip_user_extras:
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (!afl->a_extras_cnt) { goto skip_extras; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_name = "auto extras (over)";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_short = "ext_AO";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cur = 0;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_max = MIN(afl->a_extras_cnt, (u32)USE_AUTO_EXTRAS) * len;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_val_type = STAGE_VAL_NONE;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  orig_hit_cnt = new_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  for (i = 0; i < (u32)len; ++i) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    u32 last_len = 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (!skip_eff_map[i]) continue;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (is_det_timeout(before_det_time, 0)) { goto custom_mutator_stage; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_cur_byte = i;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    u32 min_extra_len = MIN(afl->a_extras_cnt, (u32)USE_AUTO_EXTRAS);
*08b48e0bSAndroid Build Coastguard Worker    for (j = 0; j < min_extra_len; ++j) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      /* See the comment in the earlier code; extras are sorted by size. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (afl->a_extras[j].len > len - i ||
*08b48e0bSAndroid Build Coastguard Worker          !memcmp(afl->a_extras[j].data, out_buf + i, afl->a_extras[j].len)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        --afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker        continue;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      last_len = afl->a_extras[j].len;
*08b48e0bSAndroid Build Coastguard Worker      memcpy(out_buf + i, afl->a_extras[j].data, last_len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker      snprintf(afl->mutation, sizeof(afl->mutation),
*08b48e0bSAndroid Build Coastguard Worker               "%s AUTO_EXTRAS_overwrite-%u-%u", afl->queue_cur->fname, i, j);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      ++afl->stage_cur;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* Restore all the clobbered memory. */
*08b48e0bSAndroid Build Coastguard Worker    memcpy(out_buf + i, in_buf + i, last_len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  new_hit_cnt = afl->queued_items + afl->saved_crashes;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_finds[STAGE_EXTRAS_AO] += new_hit_cnt - orig_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cycles[STAGE_EXTRAS_AO] += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker  afl->queue_cur->stats_mutated += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* Insertion of auto extras. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_name = "auto extras (insert)";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_short = "ext_AI";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cur = 0;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_max = afl->a_extras_cnt * (len + 1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  orig_hit_cnt = new_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  ex_tmp = afl_realloc(AFL_BUF_PARAM(ex), len + MAX_DICT_FILE);
*08b48e0bSAndroid Build Coastguard Worker  if (unlikely(!ex_tmp)) { PFATAL("alloc"); }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  for (i = 0; i <= (u32)len; ++i) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (!skip_eff_map[i % len]) continue;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (is_det_timeout(before_det_time, 0)) { goto custom_mutator_stage; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_cur_byte = i;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    for (j = 0; j < afl->a_extras_cnt; ++j) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (len + afl->a_extras[j].len > MAX_FILE) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        --afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker        continue;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      /* Insert token */
*08b48e0bSAndroid Build Coastguard Worker      memcpy(ex_tmp + i, afl->a_extras[j].data, afl->a_extras[j].len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      /* Copy tail */
*08b48e0bSAndroid Build Coastguard Worker      memcpy(ex_tmp + i + afl->a_extras[j].len, out_buf + i, len - i);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker      snprintf(afl->mutation, sizeof(afl->mutation),
*08b48e0bSAndroid Build Coastguard Worker               "%s AUTO_EXTRAS_insert-%u-%u", afl->queue_cur->fname, i, j);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (common_fuzz_stuff(afl, ex_tmp, len + afl->a_extras[j].len)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        goto abandon_entry;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      ++afl->stage_cur;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* Copy head */
*08b48e0bSAndroid Build Coastguard Worker    ex_tmp[i] = out_buf[i];
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  new_hit_cnt = afl->queued_items + afl->saved_crashes;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_finds[STAGE_EXTRAS_AI] += new_hit_cnt - orig_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cycles[STAGE_EXTRAS_AI] += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker  afl->queue_cur->stats_mutated += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workerskip_extras:
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* If we made this to here without jumping to havoc_stage or abandon_entry,
*08b48e0bSAndroid Build Coastguard Worker     we're properly done with deterministic steps and can mark it as such
*08b48e0bSAndroid Build Coastguard Worker     in the .state/ directory. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (!afl->queue_cur->passed_det) { mark_as_det_done(afl, afl->queue_cur); }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workercustom_mutator_stage:
*08b48e0bSAndroid Build Coastguard Worker  /*******************
*08b48e0bSAndroid Build Coastguard Worker   * CUSTOM MUTATORS *
*08b48e0bSAndroid Build Coastguard Worker   *******************/
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (likely(!afl->custom_mutators_count)) { goto havoc_stage; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_name = "custom mutator";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_short = "custom";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cur = 0;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_val_type = STAGE_VAL_NONE;
*08b48e0bSAndroid Build Coastguard Worker  bool has_custom_fuzz = false;
*08b48e0bSAndroid Build Coastguard Worker  u32  shift = unlikely(afl->custom_only) ? 7 : 8;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_max = (HAVOC_CYCLES * perf_score / afl->havoc_div) >> shift;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (afl->stage_max < HAVOC_MIN) { afl->stage_max = HAVOC_MIN; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  const u32 max_seed_size = MAX_FILE, saved_max = afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  orig_hit_cnt = afl->queued_items + afl->saved_crashes;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker  afl->mutation[0] = 0;
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (el->afl_custom_fuzz) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      havoc_queued = afl->queued_items;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      afl->current_custom_fuzz = el;
*08b48e0bSAndroid Build Coastguard Worker      afl->stage_name = el->name_short;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (el->afl_custom_fuzz_count) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        afl->stage_max = el->afl_custom_fuzz_count(el->data, out_buf, len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        afl->stage_max = saved_max;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      has_custom_fuzz = true;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      afl->stage_short = el->name_short;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (afl->stage_max) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        for (afl->stage_cur = 0; afl->stage_cur < afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker             ++afl->stage_cur) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          struct queue_entry *target = NULL;
*08b48e0bSAndroid Build Coastguard Worker          u32                 tid;
*08b48e0bSAndroid Build Coastguard Worker          u8                 *new_buf = NULL;
*08b48e0bSAndroid Build Coastguard Worker          u32                 target_len = 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* check if splicing makes sense yet (enough entries) */
*08b48e0bSAndroid Build Coastguard Worker          if (likely(!afl->custom_splice_optout &&
*08b48e0bSAndroid Build Coastguard Worker                     afl->ready_for_splicing_count > 1)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            /* Pick a random other queue entry for passing to external API
*08b48e0bSAndroid Build Coastguard Worker               that has the necessary length */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            do {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              tid = rand_below(afl, afl->queued_items);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            } while (unlikely(tid == afl->current_entry ||
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                              afl->queue_buf[tid]->len < 4));
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            target = afl->queue_buf[tid];
*08b48e0bSAndroid Build Coastguard Worker            afl->splicing_with = tid;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            /* Read the additional testcase into a new buffer. */
*08b48e0bSAndroid Build Coastguard Worker            new_buf = queue_testcase_get(afl, target);
*08b48e0bSAndroid Build Coastguard Worker            target_len = target->len;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          u8 *mutated_buf = NULL;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          size_t mutated_size =
*08b48e0bSAndroid Build Coastguard Worker              el->afl_custom_fuzz(el->data, out_buf, len, &mutated_buf, new_buf,
*08b48e0bSAndroid Build Coastguard Worker                                  target_len, max_seed_size);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          if (unlikely(!mutated_buf)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            // FATAL("Error in custom_fuzz. Size returned: %zu", mutated_size);
*08b48e0bSAndroid Build Coastguard Worker            break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          if (mutated_size > 0) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            if (common_fuzz_stuff(afl, mutated_buf, (u32)mutated_size)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              goto abandon_entry;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            if (!el->afl_custom_fuzz_count) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              /* If we're finding new stuff, let's run for a bit longer, limits
*08b48e0bSAndroid Build Coastguard Worker                permitting. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              if (afl->queued_items != havoc_queued) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                if (perf_score <= afl->havoc_max_mult * 100) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                  afl->stage_max *= 2;
*08b48e0bSAndroid Build Coastguard Worker                  perf_score *= 2;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                havoc_queued = afl->queued_items;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* out_buf may have been changed by the call to custom_fuzz */
*08b48e0bSAndroid Build Coastguard Worker          memcpy(out_buf, in_buf, len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  });
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->current_custom_fuzz = NULL;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (!has_custom_fuzz) goto havoc_stage;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  new_hit_cnt = afl->queued_items + afl->saved_crashes;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_finds[STAGE_CUSTOM_MUTATOR] += new_hit_cnt - orig_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cycles[STAGE_CUSTOM_MUTATOR] += afl->stage_cur;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker  afl->queue_cur->stats_mutated += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /****************
*08b48e0bSAndroid Build Coastguard Worker   * RANDOM HAVOC *
*08b48e0bSAndroid Build Coastguard Worker   ****************/
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workerhavoc_stage:
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (!is_logged) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    is_logged = 1;
*08b48e0bSAndroid Build Coastguard Worker    before_havoc_findings = afl->queued_items;
*08b48e0bSAndroid Build Coastguard Worker    before_havoc_edges = count_non_255_bytes(afl, afl->virgin_bits);
*08b48e0bSAndroid Build Coastguard Worker    before_havoc_time = get_cur_time();
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (unlikely(afl->custom_only)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* Force UI update */
*08b48e0bSAndroid Build Coastguard Worker    show_stats(afl);
*08b48e0bSAndroid Build Coastguard Worker    /* Skip other stages */
*08b48e0bSAndroid Build Coastguard Worker    ret_val = 0;
*08b48e0bSAndroid Build Coastguard Worker    goto abandon_entry;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cur_byte = -1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* The havoc stage mutation code is also invoked when splicing files; if the
*08b48e0bSAndroid Build Coastguard Worker     splice_cycle variable is set, generate different descriptions and such. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (!splice_cycle) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_name = "havoc";
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_short = "havoc";
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_max = ((doing_det ? HAVOC_CYCLES_INIT : HAVOC_CYCLES) *
*08b48e0bSAndroid Build Coastguard Worker                      perf_score / afl->havoc_div) >>
*08b48e0bSAndroid Build Coastguard Worker                     8;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    perf_score = orig_perf;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    snprintf(afl->stage_name_buf, STAGE_BUF_SIZE, "splice %u", splice_cycle);
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_name = afl->stage_name_buf;
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_short = "splice";
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_max = (SPLICE_HAVOC * perf_score / afl->havoc_div) >> 8;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (unlikely(afl->stage_max < HAVOC_MIN)) { afl->stage_max = HAVOC_MIN; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  temp_len = len;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  orig_hit_cnt = afl->queued_items + afl->saved_crashes;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  havoc_queued = afl->queued_items;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (afl->custom_mutators_count) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (el->stacked_custom && el->afl_custom_havoc_mutation_probability) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        el->stacked_custom_prob =
*08b48e0bSAndroid Build Coastguard Worker            el->afl_custom_havoc_mutation_probability(el->data);
*08b48e0bSAndroid Build Coastguard Worker        if (el->stacked_custom_prob > 100) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          FATAL(
*08b48e0bSAndroid Build Coastguard Worker              "The probability returned by "
*08b48e0bSAndroid Build Coastguard Worker              "afl_custom_havoc_mutation_propability "
*08b48e0bSAndroid Build Coastguard Worker              "has to be in the range 0-100.");
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    });
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* We essentially just do several thousand runs (depending on perf_score)
*08b48e0bSAndroid Build Coastguard Worker     where we take the input file and make random stacked tweaks. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  u32 *mutation_array;
*08b48e0bSAndroid Build Coastguard Worker  u32  stack_max, rand_max;  // stack_max_pow = afl->havoc_stack_pow2;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  switch (afl->input_mode) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    case 1: {  // TEXT
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (likely(afl->fuzz_mode == 0)) {  // is exploration?
*08b48e0bSAndroid Build Coastguard Worker        mutation_array = (unsigned int *)&binary_array;
*08b48e0bSAndroid Build Coastguard Worker        rand_max = MUT_BIN_ARRAY_SIZE;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      } else {  // exploitation mode
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        mutation_array = (unsigned int *)&text_array;
*08b48e0bSAndroid Build Coastguard Worker        rand_max = MUT_TXT_ARRAY_SIZE;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    case 2: {  // BINARY
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (likely(afl->fuzz_mode == 0)) {  // is exploration?
*08b48e0bSAndroid Build Coastguard Worker        mutation_array = (unsigned int *)&mutation_strategy_exploration_binary;
*08b48e0bSAndroid Build Coastguard Worker        rand_max = MUT_STRATEGY_ARRAY_SIZE;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      } else {  // exploitation mode
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        mutation_array = (unsigned int *)&mutation_strategy_exploitation_binary;
*08b48e0bSAndroid Build Coastguard Worker        rand_max = MUT_STRATEGY_ARRAY_SIZE;
*08b48e0bSAndroid Build Coastguard Worker        // or this one? we do not have enough binary bug benchmarks :-(
*08b48e0bSAndroid Build Coastguard Worker        // mutation_array = (unsigned int *)&binary_array;
*08b48e0bSAndroid Build Coastguard Worker        // rand_max = MUT_BIN_ARRAY_SIZE;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    default: {  // DEFAULT/GENERIC
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (likely(afl->fuzz_mode == 0)) {  // is exploration?
*08b48e0bSAndroid Build Coastguard Worker        mutation_array = (unsigned int *)&binary_array;
*08b48e0bSAndroid Build Coastguard Worker        rand_max = MUT_BIN_ARRAY_SIZE;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      } else {  // exploitation mode
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        mutation_array = (unsigned int *)&text_array;
*08b48e0bSAndroid Build Coastguard Worker        rand_max = MUT_TXT_ARRAY_SIZE;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /*
*08b48e0bSAndroid Build Coastguard Worker  if (temp_len < 64) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    --stack_max_pow;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  } else if (temp_len <= 8096) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    ++stack_max_pow;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    ++stack_max_pow;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  stack_max = 1 << (1 + rand_below(afl, afl->havoc_stack_pow2));
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  // + (afl->extras_cnt ? 2 : 0) + (afl->a_extras_cnt ? 2 : 0);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  for (afl->stage_cur = 0; afl->stage_cur < afl->stage_max; ++afl->stage_cur) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    u32 use_stacking = 1 + rand_below(afl, stack_max);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_cur_val = use_stacking;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker    snprintf(afl->mutation, sizeof(afl->mutation), "%s HAVOC-%u-%u",
*08b48e0bSAndroid Build Coastguard Worker             afl->queue_cur->fname, afl->queue_cur->is_ascii, use_stacking);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    for (i = 0; i < use_stacking; ++i) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (afl->custom_mutators_count) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          if (unlikely(el->stacked_custom &&
*08b48e0bSAndroid Build Coastguard Worker                       rand_below(afl, 100) < el->stacked_custom_prob)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            u8    *custom_havoc_buf = NULL;
*08b48e0bSAndroid Build Coastguard Worker            size_t new_len = el->afl_custom_havoc_mutation(
*08b48e0bSAndroid Build Coastguard Worker                el->data, out_buf, temp_len, &custom_havoc_buf, MAX_FILE);
*08b48e0bSAndroid Build Coastguard Worker            if (unlikely(!custom_havoc_buf)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              FATAL("Error in custom_havoc (return %zu)", new_len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            if (likely(new_len > 0 && custom_havoc_buf)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              temp_len = new_len;
*08b48e0bSAndroid Build Coastguard Worker              if (out_buf != custom_havoc_buf) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                out_buf = afl_realloc(AFL_BUF_PARAM(out), temp_len);
*08b48e0bSAndroid Build Coastguard Worker                if (unlikely(!afl->out_buf)) { PFATAL("alloc"); }
*08b48e0bSAndroid Build Coastguard Worker                memcpy(out_buf, custom_havoc_buf, temp_len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        });
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    retry_havoc_step: {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      u32 r = rand_below(afl, rand_max), item;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      switch (mutation_array[r]) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        case MUT_FLIPBIT: {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* Flip a single bit somewhere. Spooky! */
*08b48e0bSAndroid Build Coastguard Worker          u8  bit = rand_below(afl, 8);
*08b48e0bSAndroid Build Coastguard Worker          u32 off = rand_below(afl, temp_len);
*08b48e0bSAndroid Build Coastguard Worker          out_buf[off] ^= 1 << bit;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker          snprintf(afl->m_tmp, sizeof(afl->m_tmp), " FLIP-BIT_%u", bit);
*08b48e0bSAndroid Build Coastguard Worker          strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker          break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        case MUT_INTERESTING8: {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* Set byte to interesting value. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          item = rand_below(afl, sizeof(interesting_8));
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker          snprintf(afl->m_tmp, sizeof(afl->m_tmp), " INTERESTING8_%u", item);
*08b48e0bSAndroid Build Coastguard Worker          strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker          out_buf[rand_below(afl, temp_len)] = interesting_8[item];
*08b48e0bSAndroid Build Coastguard Worker          break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        case MUT_INTERESTING16: {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* Set word to interesting value, little endian. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          if (unlikely(temp_len < 2)) { break; }  // no retry
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          item = rand_below(afl, sizeof(interesting_16) >> 1);
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker          snprintf(afl->m_tmp, sizeof(afl->m_tmp), " INTERESTING16_%u", item);
*08b48e0bSAndroid Build Coastguard Worker          strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          *(u16 *)(out_buf + rand_below(afl, temp_len - 1)) =
*08b48e0bSAndroid Build Coastguard Worker              interesting_16[item];
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        case MUT_INTERESTING16BE: {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* Set word to interesting value, big endian. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          if (unlikely(temp_len < 2)) { break; }  // no retry
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          item = rand_below(afl, sizeof(interesting_16) >> 1);
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker          snprintf(afl->m_tmp, sizeof(afl->m_tmp), " INTERESTING16BE_%u", item);
*08b48e0bSAndroid Build Coastguard Worker          strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker          *(u16 *)(out_buf + rand_below(afl, temp_len - 1)) =
*08b48e0bSAndroid Build Coastguard Worker              SWAP16(interesting_16[item]);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        case MUT_INTERESTING32: {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* Set dword to interesting value, little endian. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          if (unlikely(temp_len < 4)) { break; }  // no retry
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          item = rand_below(afl, sizeof(interesting_32) >> 2);
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker          snprintf(afl->m_tmp, sizeof(afl->m_tmp), " INTERESTING32_%u", item);
*08b48e0bSAndroid Build Coastguard Worker          strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          *(u32 *)(out_buf + rand_below(afl, temp_len - 3)) =
*08b48e0bSAndroid Build Coastguard Worker              interesting_32[item];
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        case MUT_INTERESTING32BE: {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* Set dword to interesting value, big endian. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          if (unlikely(temp_len < 4)) { break; }  // no retry
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          item = rand_below(afl, sizeof(interesting_32) >> 2);
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker          snprintf(afl->m_tmp, sizeof(afl->m_tmp), " INTERESTING32BE_%u", item);
*08b48e0bSAndroid Build Coastguard Worker          strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker          *(u32 *)(out_buf + rand_below(afl, temp_len - 3)) =
*08b48e0bSAndroid Build Coastguard Worker              SWAP32(interesting_32[item]);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        case MUT_ARITH8_: {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* Randomly subtract from byte. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          item = 1 + rand_below(afl, ARITH_MAX);
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker          snprintf(afl->m_tmp, sizeof(afl->m_tmp), " ARITH8-_%u", item);
*08b48e0bSAndroid Build Coastguard Worker          strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker          out_buf[rand_below(afl, temp_len)] -= item;
*08b48e0bSAndroid Build Coastguard Worker          break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        case MUT_ARITH8: {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* Randomly add to byte. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          item = 1 + rand_below(afl, ARITH_MAX);
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker          snprintf(afl->m_tmp, sizeof(afl->m_tmp), " ARITH8+_%u", item);
*08b48e0bSAndroid Build Coastguard Worker          strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker          out_buf[rand_below(afl, temp_len)] += item;
*08b48e0bSAndroid Build Coastguard Worker          break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        case MUT_ARITH16_: {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* Randomly subtract from word, little endian. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          if (unlikely(temp_len < 2)) { break; }  // no retry
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          u32 pos = rand_below(afl, temp_len - 1);
*08b48e0bSAndroid Build Coastguard Worker          item = 1 + rand_below(afl, ARITH_MAX);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker          snprintf(afl->m_tmp, sizeof(afl->m_tmp), " ARITH16-_%u", item);
*08b48e0bSAndroid Build Coastguard Worker          strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker          *(u16 *)(out_buf + pos) -= item;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        case MUT_ARITH16BE_: {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* Randomly subtract from word, big endian. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          if (unlikely(temp_len < 2)) { break; }  // no retry
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          u32 pos = rand_below(afl, temp_len - 1);
*08b48e0bSAndroid Build Coastguard Worker          u16 num = 1 + rand_below(afl, ARITH_MAX);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker          snprintf(afl->m_tmp, sizeof(afl->m_tmp), " ARITH16BE-_%u", num);
*08b48e0bSAndroid Build Coastguard Worker          strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker          *(u16 *)(out_buf + pos) =
*08b48e0bSAndroid Build Coastguard Worker              SWAP16(SWAP16(*(u16 *)(out_buf + pos)) - num);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        case MUT_ARITH16: {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* Randomly add to word, little endian. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          if (unlikely(temp_len < 2)) { break; }  // no retry
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          u32 pos = rand_below(afl, temp_len - 1);
*08b48e0bSAndroid Build Coastguard Worker          item = 1 + rand_below(afl, ARITH_MAX);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker          snprintf(afl->m_tmp, sizeof(afl->m_tmp), " ARITH16+_%u", item);
*08b48e0bSAndroid Build Coastguard Worker          strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker          *(u16 *)(out_buf + pos) += item;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        case MUT_ARITH16BE: {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* Randomly add to word, big endian. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          if (unlikely(temp_len < 2)) { break; }  // no retry
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          u32 pos = rand_below(afl, temp_len - 1);
*08b48e0bSAndroid Build Coastguard Worker          u16 num = 1 + rand_below(afl, ARITH_MAX);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker          snprintf(afl->m_tmp, sizeof(afl->m_tmp), " ARITH16BE+__%u", num);
*08b48e0bSAndroid Build Coastguard Worker          strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker          *(u16 *)(out_buf + pos) =
*08b48e0bSAndroid Build Coastguard Worker              SWAP16(SWAP16(*(u16 *)(out_buf + pos)) + num);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        case MUT_ARITH32_: {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* Randomly subtract from dword, little endian. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          if (unlikely(temp_len < 4)) { break; }  // no retry
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          u32 pos = rand_below(afl, temp_len - 3);
*08b48e0bSAndroid Build Coastguard Worker          item = 1 + rand_below(afl, ARITH_MAX);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker          snprintf(afl->m_tmp, sizeof(afl->m_tmp), " ARITH32-_%u", item);
*08b48e0bSAndroid Build Coastguard Worker          strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker          *(u32 *)(out_buf + pos) -= item;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        case MUT_ARITH32BE_: {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* Randomly subtract from dword, big endian. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          if (unlikely(temp_len < 4)) { break; }  // no retry
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          u32 pos = rand_below(afl, temp_len - 3);
*08b48e0bSAndroid Build Coastguard Worker          u32 num = 1 + rand_below(afl, ARITH_MAX);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker          snprintf(afl->m_tmp, sizeof(afl->m_tmp), " ARITH32BE-_%u", num);
*08b48e0bSAndroid Build Coastguard Worker          strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker          *(u32 *)(out_buf + pos) =
*08b48e0bSAndroid Build Coastguard Worker              SWAP32(SWAP32(*(u32 *)(out_buf + pos)) - num);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        case MUT_ARITH32: {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* Randomly add to dword, little endian. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          if (unlikely(temp_len < 4)) { break; }  // no retry
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          u32 pos = rand_below(afl, temp_len - 3);
*08b48e0bSAndroid Build Coastguard Worker          item = 1 + rand_below(afl, ARITH_MAX);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker          snprintf(afl->m_tmp, sizeof(afl->m_tmp), " ARITH32+_%u", item);
*08b48e0bSAndroid Build Coastguard Worker          strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker          *(u32 *)(out_buf + pos) += item;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        case MUT_ARITH32BE: {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* Randomly add to dword, big endian. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          if (unlikely(temp_len < 4)) { break; }  // no retry
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          u32 pos = rand_below(afl, temp_len - 3);
*08b48e0bSAndroid Build Coastguard Worker          u32 num = 1 + rand_below(afl, ARITH_MAX);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker          snprintf(afl->m_tmp, sizeof(afl->m_tmp), " ARITH32BE+_%u", num);
*08b48e0bSAndroid Build Coastguard Worker          strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker          *(u32 *)(out_buf + pos) =
*08b48e0bSAndroid Build Coastguard Worker              SWAP32(SWAP32(*(u32 *)(out_buf + pos)) + num);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        case MUT_RAND8: {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* Just set a random byte to a random value. Because,
*08b48e0bSAndroid Build Coastguard Worker             why not. We use XOR with 1-255 to eliminate the
*08b48e0bSAndroid Build Coastguard Worker             possibility of a no-op. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          u32 pos = rand_below(afl, temp_len);
*08b48e0bSAndroid Build Coastguard Worker          item = 1 + rand_below(afl, 255);
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker          snprintf(afl->m_tmp, sizeof(afl->m_tmp), " RAND8_%u",
*08b48e0bSAndroid Build Coastguard Worker                   out_buf[pos] ^ item);
*08b48e0bSAndroid Build Coastguard Worker          strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker          out_buf[pos] ^= item;
*08b48e0bSAndroid Build Coastguard Worker          break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        case MUT_CLONE_COPY: {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          if (likely(temp_len + HAVOC_BLK_XL < MAX_FILE)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            /* Clone bytes. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            u32 clone_len = choose_block_len(afl, temp_len);
*08b48e0bSAndroid Build Coastguard Worker            u32 clone_from = rand_below(afl, temp_len - clone_len + 1);
*08b48e0bSAndroid Build Coastguard Worker            u32 clone_to = rand_below(afl, temp_len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker            snprintf(afl->m_tmp, sizeof(afl->m_tmp), " CLONE-%s_%u_%u_%u",
*08b48e0bSAndroid Build Coastguard Worker                     "COPY", clone_from, clone_to, clone_len);
*08b48e0bSAndroid Build Coastguard Worker            strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker            u8 *new_buf =
*08b48e0bSAndroid Build Coastguard Worker                afl_realloc(AFL_BUF_PARAM(out_scratch), temp_len + clone_len);
*08b48e0bSAndroid Build Coastguard Worker            if (unlikely(!new_buf)) { PFATAL("alloc"); }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            /* Head */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            memcpy(new_buf, out_buf, clone_to);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            /* Inserted part */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            memcpy(new_buf + clone_to, out_buf + clone_from, clone_len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            /* Tail */
*08b48e0bSAndroid Build Coastguard Worker            memcpy(new_buf + clone_to + clone_len, out_buf + clone_to,
*08b48e0bSAndroid Build Coastguard Worker                   temp_len - clone_to);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            out_buf = new_buf;
*08b48e0bSAndroid Build Coastguard Worker            afl_swap_bufs(AFL_BUF_PARAM(out), AFL_BUF_PARAM(out_scratch));
*08b48e0bSAndroid Build Coastguard Worker            temp_len += clone_len;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          } else if (unlikely(temp_len < 8)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            goto retry_havoc_step;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        case MUT_CLONE_FIXED: {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          if (likely(temp_len + HAVOC_BLK_XL < MAX_FILE)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            /* Insert a block of constant bytes (25%). */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            u32 clone_len = choose_block_len(afl, HAVOC_BLK_XL);
*08b48e0bSAndroid Build Coastguard Worker            u32 clone_to = rand_below(afl, temp_len);
*08b48e0bSAndroid Build Coastguard Worker            u32 strat = rand_below(afl, 2);
*08b48e0bSAndroid Build Coastguard Worker            u32 clone_from = clone_to ? clone_to - 1 : 0;
*08b48e0bSAndroid Build Coastguard Worker            item = strat ? rand_below(afl, 256) : out_buf[clone_from];
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker            snprintf(afl->m_tmp, sizeof(afl->m_tmp), " CLONE-%s_%u_%u_%u",
*08b48e0bSAndroid Build Coastguard Worker                     "FIXED", strat, clone_to, clone_len);
*08b48e0bSAndroid Build Coastguard Worker            strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker            u8 *new_buf =
*08b48e0bSAndroid Build Coastguard Worker                afl_realloc(AFL_BUF_PARAM(out_scratch), temp_len + clone_len);
*08b48e0bSAndroid Build Coastguard Worker            if (unlikely(!new_buf)) { PFATAL("alloc"); }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            /* Head */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            memcpy(new_buf, out_buf, clone_to);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            /* Inserted part */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            memset(new_buf + clone_to, item, clone_len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            /* Tail */
*08b48e0bSAndroid Build Coastguard Worker            memcpy(new_buf + clone_to + clone_len, out_buf + clone_to,
*08b48e0bSAndroid Build Coastguard Worker                   temp_len - clone_to);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            out_buf = new_buf;
*08b48e0bSAndroid Build Coastguard Worker            afl_swap_bufs(AFL_BUF_PARAM(out), AFL_BUF_PARAM(out_scratch));
*08b48e0bSAndroid Build Coastguard Worker            temp_len += clone_len;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          } else if (unlikely(temp_len < 8)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            goto retry_havoc_step;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        case MUT_OVERWRITE_COPY: {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* Overwrite bytes with a randomly selected chunk bytes. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          if (unlikely(temp_len < 2)) { break; }  // no retry
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          u32 copy_from, copy_to,
*08b48e0bSAndroid Build Coastguard Worker              copy_len = choose_block_len(afl, temp_len - 1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          do {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            copy_from = rand_below(afl, temp_len - copy_len + 1);
*08b48e0bSAndroid Build Coastguard Worker            copy_to = rand_below(afl, temp_len - copy_len + 1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          } while (unlikely(copy_from == copy_to));
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker          snprintf(afl->m_tmp, sizeof(afl->m_tmp), " OVERWRITE-COPY_%u_%u_%u",
*08b48e0bSAndroid Build Coastguard Worker                   copy_from, copy_to, copy_len);
*08b48e0bSAndroid Build Coastguard Worker          strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker          memmove(out_buf + copy_to, out_buf + copy_from, copy_len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        case MUT_OVERWRITE_FIXED: {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* Overwrite bytes with fixed bytes. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          if (unlikely(temp_len < 2)) { break; }  // no retry
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          u32 copy_len = choose_block_len(afl, temp_len - 1);
*08b48e0bSAndroid Build Coastguard Worker          u32 copy_to = rand_below(afl, temp_len - copy_len + 1);
*08b48e0bSAndroid Build Coastguard Worker          u32 strat = rand_below(afl, 2);
*08b48e0bSAndroid Build Coastguard Worker          u32 copy_from = copy_to ? copy_to - 1 : 0;
*08b48e0bSAndroid Build Coastguard Worker          item = strat ? rand_below(afl, 256) : out_buf[copy_from];
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker          snprintf(afl->m_tmp, sizeof(afl->m_tmp),
*08b48e0bSAndroid Build Coastguard Worker                   " OVERWRITE-FIXED_%u_%u_%u-%u", strat, item, copy_to,
*08b48e0bSAndroid Build Coastguard Worker                   copy_len);
*08b48e0bSAndroid Build Coastguard Worker          strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker          memset(out_buf + copy_to, item, copy_len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        case MUT_BYTEADD: {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* Increase byte by 1. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker          snprintf(afl->m_tmp, sizeof(afl->m_tmp), " BYTEADD_");
*08b48e0bSAndroid Build Coastguard Worker          strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker          out_buf[rand_below(afl, temp_len)]++;
*08b48e0bSAndroid Build Coastguard Worker          break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        case MUT_BYTESUB: {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* Decrease byte by 1. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker          snprintf(afl->m_tmp, sizeof(afl->m_tmp), " BYTESUB_");
*08b48e0bSAndroid Build Coastguard Worker          strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker          out_buf[rand_below(afl, temp_len)]--;
*08b48e0bSAndroid Build Coastguard Worker          break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        case MUT_FLIP8: {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* Flip byte with a XOR 0xff. This is the same as NEG. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker          snprintf(afl->m_tmp, sizeof(afl->m_tmp), " FLIP8_");
*08b48e0bSAndroid Build Coastguard Worker          strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker          out_buf[rand_below(afl, temp_len)] ^= 0xff;
*08b48e0bSAndroid Build Coastguard Worker          break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        case MUT_SWITCH: {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          if (unlikely(temp_len < 4)) { break; }  // no retry
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* Switch bytes. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          u32 to_end, switch_to, switch_len, switch_from;
*08b48e0bSAndroid Build Coastguard Worker          switch_from = rand_below(afl, temp_len);
*08b48e0bSAndroid Build Coastguard Worker          do {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            switch_to = rand_below(afl, temp_len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          } while (unlikely(switch_from == switch_to));
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          if (switch_from < switch_to) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            switch_len = switch_to - switch_from;
*08b48e0bSAndroid Build Coastguard Worker            to_end = temp_len - switch_to;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            switch_len = switch_from - switch_to;
*08b48e0bSAndroid Build Coastguard Worker            to_end = temp_len - switch_from;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          switch_len = choose_block_len(afl, MIN(switch_len, to_end));
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker          snprintf(afl->m_tmp, sizeof(afl->m_tmp), " SWITCH-%s_%u_%u_%u",
*08b48e0bSAndroid Build Coastguard Worker                   "switch", switch_from, switch_to, switch_len);
*08b48e0bSAndroid Build Coastguard Worker          strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker          u8 *new_buf = afl_realloc(AFL_BUF_PARAM(out_scratch), switch_len);
*08b48e0bSAndroid Build Coastguard Worker          if (unlikely(!new_buf)) { PFATAL("alloc"); }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* Backup */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          memcpy(new_buf, out_buf + switch_from, switch_len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* Switch 1 */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          memcpy(out_buf + switch_from, out_buf + switch_to, switch_len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* Switch 2 */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          memcpy(out_buf + switch_to, new_buf, switch_len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        case MUT_DEL: {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* Delete bytes. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          if (unlikely(temp_len < 2)) { break; }  // no retry
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* Don't delete too much. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          u32 del_len = choose_block_len(afl, temp_len - 1);
*08b48e0bSAndroid Build Coastguard Worker          u32 del_from = rand_below(afl, temp_len - del_len + 1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker          snprintf(afl->m_tmp, sizeof(afl->m_tmp), " DEL_%u_%u", del_from,
*08b48e0bSAndroid Build Coastguard Worker                   del_len);
*08b48e0bSAndroid Build Coastguard Worker          strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker          memmove(out_buf + del_from, out_buf + del_from + del_len,
*08b48e0bSAndroid Build Coastguard Worker                  temp_len - del_from - del_len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          temp_len -= del_len;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        case MUT_SHUFFLE: {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* Shuffle bytes. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          if (unlikely(temp_len < 4)) { break; }  // no retry
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          u32 len = choose_block_len(afl, temp_len - 1);
*08b48e0bSAndroid Build Coastguard Worker          u32 off = rand_below(afl, temp_len - len + 1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker          snprintf(afl->m_tmp, sizeof(afl->m_tmp), " SHUFFLE_%u", len);
*08b48e0bSAndroid Build Coastguard Worker          strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          for (u32 i = len - 1; i > 0; i--) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            u32 j;
*08b48e0bSAndroid Build Coastguard Worker            do {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              j = rand_below(afl, i + 1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            } while (unlikely(i == j));
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            unsigned char temp = out_buf[off + i];
*08b48e0bSAndroid Build Coastguard Worker            out_buf[off + i] = out_buf[off + j];
*08b48e0bSAndroid Build Coastguard Worker            out_buf[off + j] = temp;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        case MUT_DELONE: {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* Delete bytes. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          if (unlikely(temp_len < 2)) { break; }  // no retry
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* Don't delete too much. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          u32 del_len = 1;
*08b48e0bSAndroid Build Coastguard Worker          u32 del_from = rand_below(afl, temp_len - del_len + 1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker          snprintf(afl->m_tmp, sizeof(afl->m_tmp), " DELONE_%u", del_from);
*08b48e0bSAndroid Build Coastguard Worker          strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker          memmove(out_buf + del_from, out_buf + del_from + del_len,
*08b48e0bSAndroid Build Coastguard Worker                  temp_len - del_from - del_len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          temp_len -= del_len;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        case MUT_INSERTONE: {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          if (unlikely(temp_len < 2)) { break; }  // no retry
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          u32 clone_len = 1;
*08b48e0bSAndroid Build Coastguard Worker          u32 clone_to = rand_below(afl, temp_len);
*08b48e0bSAndroid Build Coastguard Worker          u32 strat = rand_below(afl, 2);
*08b48e0bSAndroid Build Coastguard Worker          u32 clone_from = clone_to ? clone_to - 1 : 0;
*08b48e0bSAndroid Build Coastguard Worker          item = strat ? rand_below(afl, 256) : out_buf[clone_from];
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker          snprintf(afl->m_tmp, sizeof(afl->m_tmp), " INSERTONE_%u_%u", strat,
*08b48e0bSAndroid Build Coastguard Worker                   clone_to);
*08b48e0bSAndroid Build Coastguard Worker          strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker          u8 *new_buf =
*08b48e0bSAndroid Build Coastguard Worker              afl_realloc(AFL_BUF_PARAM(out_scratch), temp_len + clone_len);
*08b48e0bSAndroid Build Coastguard Worker          if (unlikely(!new_buf)) { PFATAL("alloc"); }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* Head */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          memcpy(new_buf, out_buf, clone_to);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* Inserted part */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          memset(new_buf + clone_to, item, clone_len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* Tail */
*08b48e0bSAndroid Build Coastguard Worker          memcpy(new_buf + clone_to + clone_len, out_buf + clone_to,
*08b48e0bSAndroid Build Coastguard Worker                 temp_len - clone_to);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          out_buf = new_buf;
*08b48e0bSAndroid Build Coastguard Worker          afl_swap_bufs(AFL_BUF_PARAM(out), AFL_BUF_PARAM(out_scratch));
*08b48e0bSAndroid Build Coastguard Worker          temp_len += clone_len;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        case MUT_ASCIINUM: {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          if (unlikely(temp_len < 4)) { break; }  // no retry
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          u32 off = rand_below(afl, temp_len), off2 = off, cnt = 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          while (off2 + cnt < temp_len && !isdigit(out_buf[off2 + cnt])) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            ++cnt;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          // none found, wrap
*08b48e0bSAndroid Build Coastguard Worker          if (off2 + cnt == temp_len) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            off2 = 0;
*08b48e0bSAndroid Build Coastguard Worker            cnt = 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            while (cnt < off && !isdigit(out_buf[off2 + cnt])) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              ++cnt;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            if (cnt == off) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              if (temp_len < 8) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                goto retry_havoc_step;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          off = off2 + cnt;
*08b48e0bSAndroid Build Coastguard Worker          off2 = off + 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          while (off2 < temp_len && isdigit(out_buf[off2])) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            ++off2;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          s64 val = out_buf[off] - '0';
*08b48e0bSAndroid Build Coastguard Worker          for (u32 i = off + 1; i < off2; ++i) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            val = (val * 10) + out_buf[i] - '0';
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          if (off && out_buf[off - 1] == '-') { val = -val; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          u32 strat = rand_below(afl, 8);
*08b48e0bSAndroid Build Coastguard Worker          switch (strat) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            case 0:
*08b48e0bSAndroid Build Coastguard Worker              val++;
*08b48e0bSAndroid Build Coastguard Worker              break;
*08b48e0bSAndroid Build Coastguard Worker            case 1:
*08b48e0bSAndroid Build Coastguard Worker              val--;
*08b48e0bSAndroid Build Coastguard Worker              break;
*08b48e0bSAndroid Build Coastguard Worker            case 2:
*08b48e0bSAndroid Build Coastguard Worker              val *= 2;
*08b48e0bSAndroid Build Coastguard Worker              break;
*08b48e0bSAndroid Build Coastguard Worker            case 3:
*08b48e0bSAndroid Build Coastguard Worker              val /= 2;
*08b48e0bSAndroid Build Coastguard Worker              break;
*08b48e0bSAndroid Build Coastguard Worker            case 4:
*08b48e0bSAndroid Build Coastguard Worker              if (likely(val && (u64)val < 0x19999999)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                val = (u64)rand_next(afl) % (u64)((u64)val * 10);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                val = rand_below(afl, 256);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              break;
*08b48e0bSAndroid Build Coastguard Worker            case 5:
*08b48e0bSAndroid Build Coastguard Worker              val += rand_below(afl, 256);
*08b48e0bSAndroid Build Coastguard Worker              break;
*08b48e0bSAndroid Build Coastguard Worker            case 6:
*08b48e0bSAndroid Build Coastguard Worker              val -= rand_below(afl, 256);
*08b48e0bSAndroid Build Coastguard Worker              break;
*08b48e0bSAndroid Build Coastguard Worker            case 7:
*08b48e0bSAndroid Build Coastguard Worker              val = ~(val);
*08b48e0bSAndroid Build Coastguard Worker              break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker          snprintf(afl->m_tmp, sizeof(afl->m_tmp), " ASCIINUM_%u_%u_%u",
*08b48e0bSAndroid Build Coastguard Worker                   afl->queue_cur->is_ascii, strat, off);
*08b48e0bSAndroid Build Coastguard Worker          strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker          // fprintf(stderr, "val: %u-%u = %ld\n", off, off2, val);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          char buf[20];
*08b48e0bSAndroid Build Coastguard Worker          snprintf(buf, sizeof(buf), "%" PRId64, val);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          // fprintf(stderr, "BEFORE: %s\n", out_buf);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          u32 old_len = off2 - off;
*08b48e0bSAndroid Build Coastguard Worker          u32 new_len = strlen(buf);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          if (old_len == new_len) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            memcpy(out_buf + off, buf, new_len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            u8 *new_buf = afl_realloc(AFL_BUF_PARAM(out_scratch),
*08b48e0bSAndroid Build Coastguard Worker                                      temp_len + new_len - old_len);
*08b48e0bSAndroid Build Coastguard Worker            if (unlikely(!new_buf)) { PFATAL("alloc"); }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            /* Head */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            memcpy(new_buf, out_buf, off);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            /* Inserted part */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            memcpy(new_buf + off, buf, new_len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            /* Tail */
*08b48e0bSAndroid Build Coastguard Worker            memcpy(new_buf + off + new_len, out_buf + off2, temp_len - off2);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            out_buf = new_buf;
*08b48e0bSAndroid Build Coastguard Worker            afl_swap_bufs(AFL_BUF_PARAM(out), AFL_BUF_PARAM(out_scratch));
*08b48e0bSAndroid Build Coastguard Worker            temp_len += (new_len - old_len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          // fprintf(stderr, "AFTER : %s\n", out_buf);
*08b48e0bSAndroid Build Coastguard Worker          break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        case MUT_INSERTASCIINUM: {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          u32 len = 1 + rand_below(afl, 8);
*08b48e0bSAndroid Build Coastguard Worker          u32 pos = rand_below(afl, temp_len);
*08b48e0bSAndroid Build Coastguard Worker          /* Insert ascii number. */
*08b48e0bSAndroid Build Coastguard Worker          if (unlikely(temp_len < pos + len)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            if (unlikely(temp_len < 8)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              goto retry_havoc_step;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker          snprintf(afl->m_tmp, sizeof(afl->m_tmp), " INSERTASCIINUM_");
*08b48e0bSAndroid Build Coastguard Worker          strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker          u64  val = rand_next(afl);
*08b48e0bSAndroid Build Coastguard Worker          char buf[20];
*08b48e0bSAndroid Build Coastguard Worker          snprintf(buf, sizeof(buf), "%llu", val);
*08b48e0bSAndroid Build Coastguard Worker          memcpy(out_buf + pos, buf, len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        case MUT_EXTRA_OVERWRITE: {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          if (unlikely(!afl->extras_cnt)) { goto retry_havoc_step; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* Use the dictionary. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          u32 use_extra = rand_below(afl, afl->extras_cnt);
*08b48e0bSAndroid Build Coastguard Worker          u32 extra_len = afl->extras[use_extra].len;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          if (unlikely(extra_len > temp_len)) { goto retry_havoc_step; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          u32 insert_at = rand_below(afl, temp_len - extra_len + 1);
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker          snprintf(afl->m_tmp, sizeof(afl->m_tmp), " EXTRA-OVERWRITE_%u_%u",
*08b48e0bSAndroid Build Coastguard Worker                   insert_at, extra_len);
*08b48e0bSAndroid Build Coastguard Worker          strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker          memcpy(out_buf + insert_at, afl->extras[use_extra].data, extra_len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        case MUT_EXTRA_INSERT: {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          if (unlikely(!afl->extras_cnt)) { goto retry_havoc_step; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          u32 use_extra = rand_below(afl, afl->extras_cnt);
*08b48e0bSAndroid Build Coastguard Worker          u32 extra_len = afl->extras[use_extra].len;
*08b48e0bSAndroid Build Coastguard Worker          if (unlikely(temp_len + extra_len >= MAX_FILE)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            goto retry_havoc_step;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          u8 *ptr = afl->extras[use_extra].data;
*08b48e0bSAndroid Build Coastguard Worker          u32 insert_at = rand_below(afl, temp_len + 1);
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker          snprintf(afl->m_tmp, sizeof(afl->m_tmp), " EXTRA-INSERT_%u_%u",
*08b48e0bSAndroid Build Coastguard Worker                   insert_at, extra_len);
*08b48e0bSAndroid Build Coastguard Worker          strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          out_buf = afl_realloc(AFL_BUF_PARAM(out), temp_len + extra_len);
*08b48e0bSAndroid Build Coastguard Worker          if (unlikely(!out_buf)) { PFATAL("alloc"); }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* Tail */
*08b48e0bSAndroid Build Coastguard Worker          memmove(out_buf + insert_at + extra_len, out_buf + insert_at,
*08b48e0bSAndroid Build Coastguard Worker                  temp_len - insert_at);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* Inserted part */
*08b48e0bSAndroid Build Coastguard Worker          memcpy(out_buf + insert_at, ptr, extra_len);
*08b48e0bSAndroid Build Coastguard Worker          temp_len += extra_len;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        case MUT_AUTO_EXTRA_OVERWRITE: {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          if (unlikely(!afl->a_extras_cnt)) { goto retry_havoc_step; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* Use the dictionary. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          u32 use_extra = rand_below(afl, afl->a_extras_cnt);
*08b48e0bSAndroid Build Coastguard Worker          u32 extra_len = afl->a_extras[use_extra].len;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          if (unlikely(extra_len > temp_len)) { goto retry_havoc_step; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          u32 insert_at = rand_below(afl, temp_len - extra_len + 1);
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker          snprintf(afl->m_tmp, sizeof(afl->m_tmp),
*08b48e0bSAndroid Build Coastguard Worker                   " AUTO-EXTRA-OVERWRITE_%u_%u", insert_at, extra_len);
*08b48e0bSAndroid Build Coastguard Worker          strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker          memcpy(out_buf + insert_at, afl->a_extras[use_extra].data, extra_len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        case MUT_AUTO_EXTRA_INSERT: {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          if (unlikely(!afl->a_extras_cnt)) { goto retry_havoc_step; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          u32 use_extra = rand_below(afl, afl->a_extras_cnt);
*08b48e0bSAndroid Build Coastguard Worker          u32 extra_len = afl->a_extras[use_extra].len;
*08b48e0bSAndroid Build Coastguard Worker          if (unlikely(temp_len + extra_len >= MAX_FILE)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            goto retry_havoc_step;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          u8 *ptr = afl->a_extras[use_extra].data;
*08b48e0bSAndroid Build Coastguard Worker          u32 insert_at = rand_below(afl, temp_len + 1);
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker          snprintf(afl->m_tmp, sizeof(afl->m_tmp), " AUTO-EXTRA-INSERT_%u_%u",
*08b48e0bSAndroid Build Coastguard Worker                   insert_at, extra_len);
*08b48e0bSAndroid Build Coastguard Worker          strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          out_buf = afl_realloc(AFL_BUF_PARAM(out), temp_len + extra_len);
*08b48e0bSAndroid Build Coastguard Worker          if (unlikely(!out_buf)) { PFATAL("alloc"); }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* Tail */
*08b48e0bSAndroid Build Coastguard Worker          memmove(out_buf + insert_at + extra_len, out_buf + insert_at,
*08b48e0bSAndroid Build Coastguard Worker                  temp_len - insert_at);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* Inserted part */
*08b48e0bSAndroid Build Coastguard Worker          memcpy(out_buf + insert_at, ptr, extra_len);
*08b48e0bSAndroid Build Coastguard Worker          temp_len += extra_len;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        case MUT_SPLICE_OVERWRITE: {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          if (unlikely(afl->ready_for_splicing_count <= 1)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            goto retry_havoc_step;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* Pick a random queue entry and seek to it. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          u32 tid;
*08b48e0bSAndroid Build Coastguard Worker          do {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            tid = rand_below(afl, afl->queued_items);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          } while (unlikely(tid == afl->current_entry ||
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                            afl->queue_buf[tid]->len < 4));
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* Get the testcase for splicing. */
*08b48e0bSAndroid Build Coastguard Worker          struct queue_entry *target = afl->queue_buf[tid];
*08b48e0bSAndroid Build Coastguard Worker          u32                 new_len = target->len;
*08b48e0bSAndroid Build Coastguard Worker          u8                 *new_buf = queue_testcase_get(afl, target);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* overwrite mode */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          u32 copy_from, copy_to, copy_len;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          copy_len = choose_block_len(afl, new_len - 1);
*08b48e0bSAndroid Build Coastguard Worker          if (copy_len > temp_len) copy_len = temp_len;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          copy_from = rand_below(afl, new_len - copy_len + 1);
*08b48e0bSAndroid Build Coastguard Worker          copy_to = rand_below(afl, temp_len - copy_len + 1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker          snprintf(afl->m_tmp, sizeof(afl->m_tmp),
*08b48e0bSAndroid Build Coastguard Worker                   " SPLICE-OVERWRITE_%u_%u_%u_%s", copy_from, copy_to,
*08b48e0bSAndroid Build Coastguard Worker                   copy_len, target->fname);
*08b48e0bSAndroid Build Coastguard Worker          strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker          memmove(out_buf + copy_to, new_buf + copy_from, copy_len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        case MUT_SPLICE_INSERT: {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          if (unlikely(afl->ready_for_splicing_count <= 1)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            goto retry_havoc_step;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          if (unlikely(temp_len + HAVOC_BLK_XL >= MAX_FILE)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            goto retry_havoc_step;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* Pick a random queue entry and seek to it. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          u32 tid;
*08b48e0bSAndroid Build Coastguard Worker          do {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            tid = rand_below(afl, afl->queued_items);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          } while (unlikely(tid == afl->current_entry ||
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                            afl->queue_buf[tid]->len < 4));
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* Get the testcase for splicing. */
*08b48e0bSAndroid Build Coastguard Worker          struct queue_entry *target = afl->queue_buf[tid];
*08b48e0bSAndroid Build Coastguard Worker          u32                 new_len = target->len;
*08b48e0bSAndroid Build Coastguard Worker          u8                 *new_buf = queue_testcase_get(afl, target);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* insert mode */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          u32 clone_from, clone_to, clone_len;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          clone_len = choose_block_len(afl, new_len);
*08b48e0bSAndroid Build Coastguard Worker          clone_from = rand_below(afl, new_len - clone_len + 1);
*08b48e0bSAndroid Build Coastguard Worker          clone_to = rand_below(afl, temp_len + 1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          u8 *temp_buf =
*08b48e0bSAndroid Build Coastguard Worker              afl_realloc(AFL_BUF_PARAM(out_scratch), temp_len + clone_len + 1);
*08b48e0bSAndroid Build Coastguard Worker          if (unlikely(!temp_buf)) { PFATAL("alloc"); }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker          snprintf(afl->m_tmp, sizeof(afl->m_tmp), " SPLICE-INSERT_%u_%u_%u_%s",
*08b48e0bSAndroid Build Coastguard Worker                   clone_from, clone_to, clone_len, target->fname);
*08b48e0bSAndroid Build Coastguard Worker          strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker          /* Head */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          memcpy(temp_buf, out_buf, clone_to);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* Inserted part */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          memcpy(temp_buf + clone_to, new_buf + clone_from, clone_len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* Tail */
*08b48e0bSAndroid Build Coastguard Worker          memcpy(temp_buf + clone_to + clone_len, out_buf + clone_to,
*08b48e0bSAndroid Build Coastguard Worker                 temp_len - clone_to);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          out_buf = temp_buf;
*08b48e0bSAndroid Build Coastguard Worker          afl_swap_bufs(AFL_BUF_PARAM(out), AFL_BUF_PARAM(out_scratch));
*08b48e0bSAndroid Build Coastguard Worker          temp_len += clone_len;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (common_fuzz_stuff(afl, out_buf, temp_len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* out_buf might have been mangled a bit, so let's restore it to its
*08b48e0bSAndroid Build Coastguard Worker       original size and shape. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    out_buf = afl_realloc(AFL_BUF_PARAM(out), len);
*08b48e0bSAndroid Build Coastguard Worker    if (unlikely(!out_buf)) { PFATAL("alloc"); }
*08b48e0bSAndroid Build Coastguard Worker    temp_len = len;
*08b48e0bSAndroid Build Coastguard Worker    memcpy(out_buf, in_buf, len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* If we're finding new stuff, let's run for a bit longer, limits
*08b48e0bSAndroid Build Coastguard Worker       permitting. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (afl->queued_items != havoc_queued) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (perf_score <= afl->havoc_max_mult * 100) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        afl->stage_max *= 2;
*08b48e0bSAndroid Build Coastguard Worker        perf_score *= 2;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      havoc_queued = afl->queued_items;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  new_hit_cnt = afl->queued_items + afl->saved_crashes;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (!splice_cycle) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_finds[STAGE_HAVOC] += new_hit_cnt - orig_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_cycles[STAGE_HAVOC] += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker    afl->queue_cur->stats_mutated += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_finds[STAGE_SPLICE] += new_hit_cnt - orig_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_cycles[STAGE_SPLICE] += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker    afl->queue_cur->stats_mutated += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifndef IGNORE_FINDS
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /************
*08b48e0bSAndroid Build Coastguard Worker   * SPLICING *
*08b48e0bSAndroid Build Coastguard Worker   ************/
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* This is a last-resort strategy triggered by a full round with no findings.
*08b48e0bSAndroid Build Coastguard Worker     It takes the current input file, randomly selects another input, and
*08b48e0bSAndroid Build Coastguard Worker     splices them together at some offset, then relies on the havoc
*08b48e0bSAndroid Build Coastguard Worker     code to mutate that blob. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workerretry_splicing:
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (afl->use_splicing && splice_cycle++ < SPLICE_CYCLES &&
*08b48e0bSAndroid Build Coastguard Worker      afl->ready_for_splicing_count > 1 && afl->queue_cur->len >= 4) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    struct queue_entry *target;
*08b48e0bSAndroid Build Coastguard Worker    u32                 tid, split_at;
*08b48e0bSAndroid Build Coastguard Worker    u8                 *new_buf;
*08b48e0bSAndroid Build Coastguard Worker    s32                 f_diff, l_diff;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* First of all, if we've modified in_buf for havoc, let's clean that
*08b48e0bSAndroid Build Coastguard Worker       up... */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (in_buf != orig_in) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      in_buf = orig_in;
*08b48e0bSAndroid Build Coastguard Worker      len = afl->queue_cur->len;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* Pick a random queue entry and seek to it. Don't splice with yourself. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    do {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      tid = rand_below(afl, afl->queued_items);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    } while (
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        unlikely(tid == afl->current_entry || afl->queue_buf[tid]->len < 4));
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* Get the testcase */
*08b48e0bSAndroid Build Coastguard Worker    afl->splicing_with = tid;
*08b48e0bSAndroid Build Coastguard Worker    target = afl->queue_buf[tid];
*08b48e0bSAndroid Build Coastguard Worker    new_buf = queue_testcase_get(afl, target);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* Find a suitable splicing location, somewhere between the first and
*08b48e0bSAndroid Build Coastguard Worker       the last differing byte. Bail out if the difference is just a single
*08b48e0bSAndroid Build Coastguard Worker       byte or so. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    locate_diffs(in_buf, new_buf, MIN(len, (s64)target->len), &f_diff, &l_diff);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (f_diff < 0 || l_diff < 2 || f_diff == l_diff) { goto retry_splicing; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* Split somewhere between the first and last differing byte. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    split_at = f_diff + rand_below(afl, l_diff - f_diff);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* Do the thing. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    len = target->len;
*08b48e0bSAndroid Build Coastguard Worker    afl->in_scratch_buf = afl_realloc(AFL_BUF_PARAM(in_scratch), len);
*08b48e0bSAndroid Build Coastguard Worker    memcpy(afl->in_scratch_buf, in_buf, split_at);
*08b48e0bSAndroid Build Coastguard Worker    memcpy(afl->in_scratch_buf + split_at, new_buf, len - split_at);
*08b48e0bSAndroid Build Coastguard Worker    in_buf = afl->in_scratch_buf;
*08b48e0bSAndroid Build Coastguard Worker    afl_swap_bufs(AFL_BUF_PARAM(in), AFL_BUF_PARAM(in_scratch));
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    out_buf = afl_realloc(AFL_BUF_PARAM(out), len);
*08b48e0bSAndroid Build Coastguard Worker    if (unlikely(!out_buf)) { PFATAL("alloc"); }
*08b48e0bSAndroid Build Coastguard Worker    memcpy(out_buf, in_buf, len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    goto custom_mutator_stage;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#endif                                                     /* !IGNORE_FINDS */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  ret_val = 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->havoc_prof->queued_det_stage =
*08b48e0bSAndroid Build Coastguard Worker      before_havoc_findings - before_det_findings;
*08b48e0bSAndroid Build Coastguard Worker  afl->havoc_prof->queued_havoc_stage =
*08b48e0bSAndroid Build Coastguard Worker      afl->queued_items - before_havoc_findings;
*08b48e0bSAndroid Build Coastguard Worker  afl->havoc_prof->total_queued_det += afl->havoc_prof->queued_det_stage;
*08b48e0bSAndroid Build Coastguard Worker  afl->havoc_prof->edge_det_stage = before_havoc_edges - before_det_edges;
*08b48e0bSAndroid Build Coastguard Worker  afl->havoc_prof->edge_havoc_stage =
*08b48e0bSAndroid Build Coastguard Worker      count_non_255_bytes(afl, afl->virgin_bits) - before_havoc_edges;
*08b48e0bSAndroid Build Coastguard Worker  afl->havoc_prof->total_det_edge += afl->havoc_prof->edge_det_stage;
*08b48e0bSAndroid Build Coastguard Worker  afl->havoc_prof->det_stage_time = before_havoc_time - before_det_time;
*08b48e0bSAndroid Build Coastguard Worker  afl->havoc_prof->havoc_stage_time = get_cur_time() - before_havoc_time;
*08b48e0bSAndroid Build Coastguard Worker  afl->havoc_prof->total_det_time += afl->havoc_prof->det_stage_time;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  plot_profile_data(afl, afl->queue_cur);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker/* we are through with this queue entry - for this iteration */
*08b48e0bSAndroid Build Coastguard Workerabandon_entry:
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->splicing_with = -1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* Update afl->pending_not_fuzzed count if we made it through the calibration
*08b48e0bSAndroid Build Coastguard Worker     cycle and have not seen this entry before. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (!afl->stop_soon && !afl->queue_cur->cal_failed &&
*08b48e0bSAndroid Build Coastguard Worker      !afl->queue_cur->was_fuzzed && !afl->queue_cur->disabled) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    --afl->pending_not_fuzzed;
*08b48e0bSAndroid Build Coastguard Worker    afl->queue_cur->was_fuzzed = 1;
*08b48e0bSAndroid Build Coastguard Worker    afl->reinit_table = 1;
*08b48e0bSAndroid Build Coastguard Worker    if (afl->queue_cur->favored) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      --afl->pending_favored;
*08b48e0bSAndroid Build Coastguard Worker      afl->smallest_favored = -1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  ++afl->queue_cur->fuzz_level;
*08b48e0bSAndroid Build Coastguard Worker  orig_in = NULL;
*08b48e0bSAndroid Build Coastguard Worker  return ret_val;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#undef FLIP_BIT
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker/* MOpt mode */
*08b48e0bSAndroid Build Coastguard Workerstatic u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (!MOpt_globals.is_pilot_mode) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (swarm_num == 1) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      afl->key_module = 2;
*08b48e0bSAndroid Build Coastguard Worker      return 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  u32 len, temp_len;
*08b48e0bSAndroid Build Coastguard Worker  u32 i;
*08b48e0bSAndroid Build Coastguard Worker  u32 j;
*08b48e0bSAndroid Build Coastguard Worker  u8 *in_buf, *out_buf, *orig_in, *ex_tmp, *eff_map = 0;
*08b48e0bSAndroid Build Coastguard Worker  u64 havoc_queued = 0, orig_hit_cnt, new_hit_cnt = 0, cur_ms_lv, prev_cksum,
*08b48e0bSAndroid Build Coastguard Worker      _prev_cksum;
*08b48e0bSAndroid Build Coastguard Worker  u32 splice_cycle = 0, perf_score = 100, orig_perf, eff_cnt = 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  u8 ret_val = 1, doing_det = 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  u8  a_collect[MAX_AUTO_EXTRA];
*08b48e0bSAndroid Build Coastguard Worker  u32 a_len = 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef IGNORE_FINDS
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* In IGNORE_FINDS mode, skip any entries that weren't in the
*08b48e0bSAndroid Build Coastguard Worker     initial data set. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (afl->queue_cur->depth > 1) return 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#else
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (likely(afl->pending_favored)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* If we have any favored, non-fuzzed new arrivals in the queue,
*08b48e0bSAndroid Build Coastguard Worker       possibly skip to them at the expense of already-fuzzed or non-favored
*08b48e0bSAndroid Build Coastguard Worker       cases. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if ((afl->queue_cur->fuzz_level || !afl->queue_cur->favored) &&
*08b48e0bSAndroid Build Coastguard Worker        rand_below(afl, 100) < SKIP_TO_NEW_PROB) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      return 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  } else if (!afl->non_instrumented_mode && !afl->queue_cur->favored &&
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker             afl->queued_items > 10) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* Otherwise, still possibly skip non-favored cases, albeit less often.
*08b48e0bSAndroid Build Coastguard Worker       The odds of skipping stuff are higher for already-fuzzed inputs and
*08b48e0bSAndroid Build Coastguard Worker       lower for never-fuzzed entries. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (afl->queue_cycle > 1 && !afl->queue_cur->fuzz_level) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (likely(rand_below(afl, 100) < SKIP_NFAV_NEW_PROB)) { return 1; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (likely(rand_below(afl, 100) < SKIP_NFAV_OLD_PROB)) { return 1; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#endif                                                     /* ^IGNORE_FINDS */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (afl->not_on_tty) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    ACTF("Fuzzing test case #%u (%u total, %llu crashes saved)...",
*08b48e0bSAndroid Build Coastguard Worker         afl->current_entry, afl->queued_items, afl->saved_crashes);
*08b48e0bSAndroid Build Coastguard Worker    fflush(stdout);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* Map the test case into memory. */
*08b48e0bSAndroid Build Coastguard Worker  orig_in = in_buf = queue_testcase_get(afl, afl->queue_cur);
*08b48e0bSAndroid Build Coastguard Worker  len = afl->queue_cur->len;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  out_buf = afl_realloc(AFL_BUF_PARAM(out), len);
*08b48e0bSAndroid Build Coastguard Worker  if (unlikely(!out_buf)) { PFATAL("alloc"); }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->subseq_tmouts = 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->cur_depth = afl->queue_cur->depth;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /*******************************************
*08b48e0bSAndroid Build Coastguard Worker   * CALIBRATION (only if failed earlier on) *
*08b48e0bSAndroid Build Coastguard Worker   *******************************************/
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (unlikely(afl->queue_cur->cal_failed)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    u8 res = FSRV_RUN_TMOUT;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (afl->queue_cur->cal_failed < CAL_CHANCES) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      afl->queue_cur->exec_cksum = 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      res =
*08b48e0bSAndroid Build Coastguard Worker          calibrate_case(afl, afl->queue_cur, in_buf, afl->queue_cycle - 1, 0);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (res == FSRV_RUN_ERROR) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        FATAL("Unable to execute target application");
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (afl->stop_soon || res != afl->crash_mode) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      ++afl->cur_skipped_items;
*08b48e0bSAndroid Build Coastguard Worker      goto abandon_entry;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /************
*08b48e0bSAndroid Build Coastguard Worker   * TRIMMING *
*08b48e0bSAndroid Build Coastguard Worker   ************/
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (unlikely(!afl->non_instrumented_mode && !afl->queue_cur->trim_done &&
*08b48e0bSAndroid Build Coastguard Worker               !afl->disable_trim)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    u32 old_len = afl->queue_cur->len;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    u8 res = trim_case(afl, afl->queue_cur, in_buf);
*08b48e0bSAndroid Build Coastguard Worker    orig_in = in_buf = queue_testcase_get(afl, afl->queue_cur);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (unlikely(res == FSRV_RUN_ERROR)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      FATAL("Unable to execute target application");
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (unlikely(afl->stop_soon)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      ++afl->cur_skipped_items;
*08b48e0bSAndroid Build Coastguard Worker      goto abandon_entry;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* Don't retry trimming, even if it failed. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    afl->queue_cur->trim_done = 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    len = afl->queue_cur->len;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* maybe current entry is not ready for splicing anymore */
*08b48e0bSAndroid Build Coastguard Worker    if (unlikely(len <= 4 && old_len > 4)) --afl->ready_for_splicing_count;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  memcpy(out_buf, in_buf, len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /*********************
*08b48e0bSAndroid Build Coastguard Worker   * PERFORMANCE SCORE *
*08b48e0bSAndroid Build Coastguard Worker   *********************/
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (likely(!afl->old_seed_selection))
*08b48e0bSAndroid Build Coastguard Worker    orig_perf = perf_score = afl->queue_cur->perf_score;
*08b48e0bSAndroid Build Coastguard Worker  else
*08b48e0bSAndroid Build Coastguard Worker    orig_perf = perf_score = calculate_score(afl, afl->queue_cur);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (unlikely(perf_score <= 0 && afl->active_items > 1)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    goto abandon_entry;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (unlikely(afl->shm.cmplog_mode &&
*08b48e0bSAndroid Build Coastguard Worker               afl->queue_cur->colorized < afl->cmplog_lvl &&
*08b48e0bSAndroid Build Coastguard Worker               (u32)len <= afl->cmplog_max_filesize)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (unlikely(len < 4)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      afl->queue_cur->colorized = CMPLOG_LVL_MAX;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (afl->cmplog_lvl == 3 ||
*08b48e0bSAndroid Build Coastguard Worker          (afl->cmplog_lvl == 2 && afl->queue_cur->tc_ref) ||
*08b48e0bSAndroid Build Coastguard Worker          !(afl->fsrv.total_execs % afl->queued_items) ||
*08b48e0bSAndroid Build Coastguard Worker          get_cur_time() - afl->last_find_time > 300000) {  // 300 seconds
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        if (input_to_state_stage(afl, in_buf, out_buf, len)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          goto abandon_entry;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* Go to pacemker fuzzing if MOpt is doing well */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  cur_ms_lv = get_cur_time();
*08b48e0bSAndroid Build Coastguard Worker  if (!(afl->key_puppet == 0 &&
*08b48e0bSAndroid Build Coastguard Worker        ((cur_ms_lv - afl->last_find_time < (u32)afl->limit_time_puppet) ||
*08b48e0bSAndroid Build Coastguard Worker         (afl->last_crash_time != 0 &&
*08b48e0bSAndroid Build Coastguard Worker          cur_ms_lv - afl->last_crash_time < (u32)afl->limit_time_puppet) ||
*08b48e0bSAndroid Build Coastguard Worker         afl->last_find_time == 0))) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    afl->key_puppet = 1;
*08b48e0bSAndroid Build Coastguard Worker    goto pacemaker_fuzzing;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* Skip right away if -d is given, if we have done deterministic fuzzing on
*08b48e0bSAndroid Build Coastguard Worker     this entry ourselves (was_fuzzed), or if it has gone through deterministic
*08b48e0bSAndroid Build Coastguard Worker     testing in earlier, resumed runs (passed_det). */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (likely(afl->skip_deterministic || afl->queue_cur->was_fuzzed ||
*08b48e0bSAndroid Build Coastguard Worker             afl->queue_cur->passed_det)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    goto havoc_stage;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* Skip deterministic fuzzing if exec path checksum puts this out of scope
*08b48e0bSAndroid Build Coastguard Worker     for this main instance. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (unlikely(afl->main_node_max &&
*08b48e0bSAndroid Build Coastguard Worker               (afl->queue_cur->exec_cksum % afl->main_node_max) !=
*08b48e0bSAndroid Build Coastguard Worker                   afl->main_node_id - 1)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    goto havoc_stage;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  doing_det = 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /*********************************************
*08b48e0bSAndroid Build Coastguard Worker   * SIMPLE BITFLIP (+dictionary construction) *
*08b48e0bSAndroid Build Coastguard Worker   *********************************************/
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#define FLIP_BIT(_ar, _b)                     \
*08b48e0bSAndroid Build Coastguard Worker  do {                                        \
*08b48e0bSAndroid Build Coastguard Worker                                              \
*08b48e0bSAndroid Build Coastguard Worker    u8 *_arf = (u8 *)(_ar);                   \
*08b48e0bSAndroid Build Coastguard Worker    u32 _bf = (_b);                           \
*08b48e0bSAndroid Build Coastguard Worker    _arf[(_bf) >> 3] ^= (128 >> ((_bf) & 7)); \
*08b48e0bSAndroid Build Coastguard Worker                                              \
*08b48e0bSAndroid Build Coastguard Worker  } while (0)
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* Single walking bit. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_short = "flip1";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_max = len << 3;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_name = "bitflip 1/1";
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_val_type = STAGE_VAL_NONE;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  orig_hit_cnt = afl->queued_items + afl->saved_crashes;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* Get a clean cksum. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  prev_cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
*08b48e0bSAndroid Build Coastguard Worker  _prev_cksum = prev_cksum;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* Now flip bits. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  for (afl->stage_cur = 0; afl->stage_cur < afl->stage_max; ++afl->stage_cur) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_cur_byte = afl->stage_cur >> 3;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    FLIP_BIT(out_buf, afl->stage_cur);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker    snprintf(afl->mutation, sizeof(afl->mutation), "%s MOPT_FLIP_BIT1-%u",
*08b48e0bSAndroid Build Coastguard Worker             afl->queue_cur->fname, afl->stage_cur);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker    if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    FLIP_BIT(out_buf, afl->stage_cur);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* While flipping the least significant bit in every byte, pull of an extra
*08b48e0bSAndroid Build Coastguard Worker       trick to detect possible syntax tokens. In essence, the idea is that if
*08b48e0bSAndroid Build Coastguard Worker       you have a binary blob like this:
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker       xxxxxxxxIHDRxxxxxxxx
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker       ...and changing the leading and trailing bytes causes variable or no
*08b48e0bSAndroid Build Coastguard Worker       changes in program flow, but touching any character in the "IHDR" string
*08b48e0bSAndroid Build Coastguard Worker       always produces the same, distinctive path, it's highly likely that
*08b48e0bSAndroid Build Coastguard Worker       "IHDR" is an atomically-checked magic value of special significance to
*08b48e0bSAndroid Build Coastguard Worker       the fuzzed format.
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker       We do this here, rather than as a separate stage, because it's a nice
*08b48e0bSAndroid Build Coastguard Worker       way to keep the operation approximately "free" (i.e., no extra execs).
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker       Empirically, performing the check when flipping the least significant bit
*08b48e0bSAndroid Build Coastguard Worker       is advantageous, compared to doing it at the time of more disruptive
*08b48e0bSAndroid Build Coastguard Worker       changes, where the program flow may be affected in more violent ways.
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker       The caveat is that we won't generate dictionaries in the -d mode or -S
*08b48e0bSAndroid Build Coastguard Worker       mode - but that's probably a fair trade-off.
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker       This won't work particularly well with paths that exhibit variable
*08b48e0bSAndroid Build Coastguard Worker       behavior, but fails gracefully, so we'll carry out the checks anyway.
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (!afl->non_instrumented_mode && (afl->stage_cur & 7) == 7) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      u64 cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (afl->stage_cur == afl->stage_max - 1 && cksum == prev_cksum) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        /* If at end of file and we are still collecting a string, grab the
*08b48e0bSAndroid Build Coastguard Worker           final character and force output. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        if (a_len < MAX_AUTO_EXTRA) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          a_collect[a_len] = out_buf[afl->stage_cur >> 3];
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        ++a_len;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        if (a_len >= MIN_AUTO_EXTRA && a_len <= MAX_AUTO_EXTRA) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          maybe_add_auto(afl, a_collect, a_len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      } else if (cksum != prev_cksum) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        /* Otherwise, if the checksum has changed, see if we have something
*08b48e0bSAndroid Build Coastguard Worker           worthwhile queued up, and collect that if the answer is yes. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        if (a_len >= MIN_AUTO_EXTRA && a_len <= MAX_AUTO_EXTRA) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          maybe_add_auto(afl, a_collect, a_len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        a_len = 0;
*08b48e0bSAndroid Build Coastguard Worker        prev_cksum = cksum;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      /* Continue collecting string, but only if the bit flip actually made
*08b48e0bSAndroid Build Coastguard Worker         any difference - we don't want no-op tokens. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (cksum != _prev_cksum) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        if (a_len < MAX_AUTO_EXTRA) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          a_collect[a_len] = out_buf[afl->stage_cur >> 3];
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        ++a_len;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }                                       /* if (afl->stage_cur & 7) == 7 */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }                                                   /* for afl->stage_cur */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  new_hit_cnt = afl->queued_items + afl->saved_crashes;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_finds[STAGE_FLIP1] += new_hit_cnt - orig_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cycles[STAGE_FLIP1] += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker  afl->queue_cur->stats_mutated += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* Two walking bits. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_name = "bitflip 2/1";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_short = "flip2";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_max = (len << 3) - 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  orig_hit_cnt = new_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  for (afl->stage_cur = 0; afl->stage_cur < afl->stage_max; ++afl->stage_cur) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_cur_byte = afl->stage_cur >> 3;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    FLIP_BIT(out_buf, afl->stage_cur);
*08b48e0bSAndroid Build Coastguard Worker    FLIP_BIT(out_buf, afl->stage_cur + 1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker    snprintf(afl->mutation, sizeof(afl->mutation), "%s MOPT_FLIP_BIT2-%u",
*08b48e0bSAndroid Build Coastguard Worker             afl->queue_cur->fname, afl->stage_cur);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker    if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    FLIP_BIT(out_buf, afl->stage_cur);
*08b48e0bSAndroid Build Coastguard Worker    FLIP_BIT(out_buf, afl->stage_cur + 1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }                                                   /* for afl->stage_cur */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  new_hit_cnt = afl->queued_items + afl->saved_crashes;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_finds[STAGE_FLIP2] += new_hit_cnt - orig_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cycles[STAGE_FLIP2] += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker  afl->queue_cur->stats_mutated += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* Four walking bits. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_name = "bitflip 4/1";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_short = "flip4";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_max = (len << 3) - 3;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  orig_hit_cnt = new_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  for (afl->stage_cur = 0; afl->stage_cur < afl->stage_max; ++afl->stage_cur) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_cur_byte = afl->stage_cur >> 3;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    FLIP_BIT(out_buf, afl->stage_cur);
*08b48e0bSAndroid Build Coastguard Worker    FLIP_BIT(out_buf, afl->stage_cur + 1);
*08b48e0bSAndroid Build Coastguard Worker    FLIP_BIT(out_buf, afl->stage_cur + 2);
*08b48e0bSAndroid Build Coastguard Worker    FLIP_BIT(out_buf, afl->stage_cur + 3);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker    snprintf(afl->mutation, sizeof(afl->mutation), "%s MOPT_FLIP_BIT4-%u",
*08b48e0bSAndroid Build Coastguard Worker             afl->queue_cur->fname, afl->stage_cur);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker    if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    FLIP_BIT(out_buf, afl->stage_cur);
*08b48e0bSAndroid Build Coastguard Worker    FLIP_BIT(out_buf, afl->stage_cur + 1);
*08b48e0bSAndroid Build Coastguard Worker    FLIP_BIT(out_buf, afl->stage_cur + 2);
*08b48e0bSAndroid Build Coastguard Worker    FLIP_BIT(out_buf, afl->stage_cur + 3);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }                                                   /* for afl->stage_cur */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  new_hit_cnt = afl->queued_items + afl->saved_crashes;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_finds[STAGE_FLIP4] += new_hit_cnt - orig_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cycles[STAGE_FLIP4] += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker  afl->queue_cur->stats_mutated += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* Effector map setup. These macros calculate:
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker     EFF_APOS      - position of a particular file offset in the map.
*08b48e0bSAndroid Build Coastguard Worker     EFF_ALEN      - length of a map with a particular number of bytes.
*08b48e0bSAndroid Build Coastguard Worker     EFF_SPAN_ALEN - map span for a sequence of bytes.
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker   */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#define EFF_APOS(_p) ((_p) >> EFF_MAP_SCALE2)
*08b48e0bSAndroid Build Coastguard Worker#define EFF_REM(_x) ((_x) & ((1 << EFF_MAP_SCALE2) - 1))
*08b48e0bSAndroid Build Coastguard Worker#define EFF_ALEN(_l) (EFF_APOS(_l) + !!EFF_REM(_l))
*08b48e0bSAndroid Build Coastguard Worker#define EFF_SPAN_ALEN(_p, _l) (EFF_APOS((_p) + (_l)-1) - EFF_APOS(_p) + 1)
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* Initialize effector map for the next step (see comments below). Always
*08b48e0bSAndroid Build Coastguard Worker         flag first and last byte as doing something. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  eff_map = afl_realloc(AFL_BUF_PARAM(eff), EFF_ALEN(len));
*08b48e0bSAndroid Build Coastguard Worker  if (unlikely(!eff_map)) { PFATAL("alloc"); }
*08b48e0bSAndroid Build Coastguard Worker  memset(eff_map, 0, EFF_ALEN(len));
*08b48e0bSAndroid Build Coastguard Worker  eff_map[0] = 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (EFF_APOS(len - 1) != 0) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    eff_map[EFF_APOS(len - 1)] = 1;
*08b48e0bSAndroid Build Coastguard Worker    ++eff_cnt;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* Walking byte. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_name = "bitflip 8/8";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_short = "flip8";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_max = len;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  orig_hit_cnt = new_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker  prev_cksum = _prev_cksum;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  for (afl->stage_cur = 0; afl->stage_cur < afl->stage_max; ++afl->stage_cur) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_cur_byte = afl->stage_cur;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    out_buf[afl->stage_cur] ^= 0xFF;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker    snprintf(afl->mutation, sizeof(afl->mutation), "%s MOPT_FLIP_BIT8-%u",
*08b48e0bSAndroid Build Coastguard Worker             afl->queue_cur->fname, afl->stage_cur);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker    if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* We also use this stage to pull off a simple trick: we identify
*08b48e0bSAndroid Build Coastguard Worker       bytes that seem to have no effect on the current execution path
*08b48e0bSAndroid Build Coastguard Worker       even when fully flipped - and we skip them during more expensive
*08b48e0bSAndroid Build Coastguard Worker       deterministic stages, such as arithmetics or known ints. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (!eff_map[EFF_APOS(afl->stage_cur)]) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      u64 cksum;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      /* If in non-instrumented mode or if the file is very short, just flag
*08b48e0bSAndroid Build Coastguard Worker         everything without wasting time on checksums. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (!afl->non_instrumented_mode && len >= EFF_MIN_LEN) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        cksum = ~prev_cksum;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (cksum != prev_cksum) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        eff_map[EFF_APOS(afl->stage_cur)] = 1;
*08b48e0bSAndroid Build Coastguard Worker        ++eff_cnt;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    out_buf[afl->stage_cur] ^= 0xFF;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }                                                   /* for afl->stage_cur */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* If the effector map is more than EFF_MAX_PERC dense, just flag the
*08b48e0bSAndroid Build Coastguard Worker     whole thing as worth fuzzing, since we wouldn't be saving much time
*08b48e0bSAndroid Build Coastguard Worker     anyway. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (eff_cnt != (u32)EFF_ALEN(len) &&
*08b48e0bSAndroid Build Coastguard Worker      eff_cnt * 100 / EFF_ALEN(len) > EFF_MAX_PERC) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    memset(eff_map, 1, EFF_ALEN(len));
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    afl->blocks_eff_select += EFF_ALEN(len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    afl->blocks_eff_select += eff_cnt;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->blocks_eff_total += EFF_ALEN(len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  new_hit_cnt = afl->queued_items + afl->saved_crashes;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_finds[STAGE_FLIP8] += new_hit_cnt - orig_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cycles[STAGE_FLIP8] += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker  afl->queue_cur->stats_mutated += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* Two walking bytes. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (len < 2) { goto skip_bitflip; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_name = "bitflip 16/8";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_short = "flip16";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cur = 0;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_max = len - 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  orig_hit_cnt = new_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  for (i = 0; i < len - 1; ++i) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* Let's consult the effector map... */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)]) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      --afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker      continue;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_cur_byte = i;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    *(u16 *)(out_buf + i) ^= 0xFFFF;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker    snprintf(afl->mutation, sizeof(afl->mutation), "%s MOPT_FLIP_BIT16-%u",
*08b48e0bSAndroid Build Coastguard Worker             afl->queue_cur->fname, afl->stage_cur);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker    if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker    ++afl->stage_cur;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    *(u16 *)(out_buf + i) ^= 0xFFFF;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }                                                   /* for i = 0; i < len */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  new_hit_cnt = afl->queued_items + afl->saved_crashes;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_finds[STAGE_FLIP16] += new_hit_cnt - orig_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cycles[STAGE_FLIP16] += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker  afl->queue_cur->stats_mutated += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (len < 4) { goto skip_bitflip; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* Four walking bytes. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_name = "bitflip 32/8";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_short = "flip32";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cur = 0;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_max = len - 3;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  orig_hit_cnt = new_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  for (i = 0; i < len - 3; ++i) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* Let's consult the effector map... */
*08b48e0bSAndroid Build Coastguard Worker    if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)] &&
*08b48e0bSAndroid Build Coastguard Worker        !eff_map[EFF_APOS(i + 2)] && !eff_map[EFF_APOS(i + 3)]) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      --afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker      continue;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_cur_byte = i;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    *(u32 *)(out_buf + i) ^= 0xFFFFFFFF;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker    snprintf(afl->mutation, sizeof(afl->mutation), "%s MOPT_FLIP_BIT32-%u",
*08b48e0bSAndroid Build Coastguard Worker             afl->queue_cur->fname, afl->stage_cur);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker    if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker    ++afl->stage_cur;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    *(u32 *)(out_buf + i) ^= 0xFFFFFFFF;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }                                               /* for i = 0; i < len - 3 */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  new_hit_cnt = afl->queued_items + afl->saved_crashes;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_finds[STAGE_FLIP32] += new_hit_cnt - orig_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cycles[STAGE_FLIP32] += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker  afl->queue_cur->stats_mutated += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workerskip_bitflip:
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (afl->no_arith) { goto skip_arith; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /**********************
*08b48e0bSAndroid Build Coastguard Worker   * ARITHMETIC INC/DEC *
*08b48e0bSAndroid Build Coastguard Worker   **********************/
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* 8-bit arithmetics. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_name = "arith 8/8";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_short = "arith8";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cur = 0;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_max = 2 * len * ARITH_MAX;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_val_type = STAGE_VAL_LE;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  orig_hit_cnt = new_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  for (i = 0; i < (u32)len; ++i) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    u8 orig = out_buf[i];
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* Let's consult the effector map... */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (!eff_map[EFF_APOS(i)]) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      afl->stage_max -= 2 * ARITH_MAX;
*08b48e0bSAndroid Build Coastguard Worker      continue;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_cur_byte = i;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    for (j = 1; j <= ARITH_MAX; ++j) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      u8 r = orig ^ (orig + j);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      /* Do arithmetic operations only if the result couldn't be a product
*08b48e0bSAndroid Build Coastguard Worker         of a bitflip. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (!could_be_bitflip(r)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        afl->stage_cur_val = j;
*08b48e0bSAndroid Build Coastguard Worker        out_buf[i] = orig + j;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker        snprintf(afl->mutation, sizeof(afl->mutation), "%s MOPT_ARITH8+-%u-%u",
*08b48e0bSAndroid Build Coastguard Worker                 afl->queue_cur->fname, i, j);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker        if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker        ++afl->stage_cur;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        --afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      r = orig ^ (orig - j);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (!could_be_bitflip(r)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        afl->stage_cur_val = -j;
*08b48e0bSAndroid Build Coastguard Worker        out_buf[i] = orig - j;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker        snprintf(afl->mutation, sizeof(afl->mutation), "%s MOPT_ARITH8_-%u-%u",
*08b48e0bSAndroid Build Coastguard Worker                 afl->queue_cur->fname, i, j);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker        if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker        ++afl->stage_cur;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        --afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      out_buf[i] = orig;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }                                                   /* for i = 0; i < len */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  new_hit_cnt = afl->queued_items + afl->saved_crashes;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_finds[STAGE_ARITH8] += new_hit_cnt - orig_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cycles[STAGE_ARITH8] += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker  afl->queue_cur->stats_mutated += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* 16-bit arithmetics, both endians. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (len < 2) { goto skip_arith; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_name = "arith 16/8";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_short = "arith16";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cur = 0;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_max = 4 * (len - 1) * ARITH_MAX;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  orig_hit_cnt = new_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  for (i = 0; i < len - 1; ++i) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    u16 orig = *(u16 *)(out_buf + i);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* Let's consult the effector map... */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)]) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      afl->stage_max -= 4 * ARITH_MAX;
*08b48e0bSAndroid Build Coastguard Worker      continue;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_cur_byte = i;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    for (j = 1; j <= ARITH_MAX; ++j) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      u16 r1 = orig ^ (orig + j), r2 = orig ^ (orig - j),
*08b48e0bSAndroid Build Coastguard Worker          r3 = orig ^ SWAP16(SWAP16(orig) + j),
*08b48e0bSAndroid Build Coastguard Worker          r4 = orig ^ SWAP16(SWAP16(orig) - j);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      /* Try little endian addition and subtraction first. Do it only
*08b48e0bSAndroid Build Coastguard Worker         if the operation would affect more than one byte (hence the
*08b48e0bSAndroid Build Coastguard Worker         & 0xff overflow checks) and if it couldn't be a product of
*08b48e0bSAndroid Build Coastguard Worker         a bitflip. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      afl->stage_val_type = STAGE_VAL_LE;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if ((orig & 0xff) + j > 0xff && !could_be_bitflip(r1)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        afl->stage_cur_val = j;
*08b48e0bSAndroid Build Coastguard Worker        *(u16 *)(out_buf + i) = orig + j;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker        snprintf(afl->mutation, sizeof(afl->mutation), "%s MOPT_ARITH16+-%u-%u",
*08b48e0bSAndroid Build Coastguard Worker                 afl->queue_cur->fname, i, j);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker        if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker        ++afl->stage_cur;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        --afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if ((orig & 0xff) < j && !could_be_bitflip(r2)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        afl->stage_cur_val = -j;
*08b48e0bSAndroid Build Coastguard Worker        *(u16 *)(out_buf + i) = orig - j;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker        snprintf(afl->mutation, sizeof(afl->mutation), "%s MOPT_ARITH16_-%u-%u",
*08b48e0bSAndroid Build Coastguard Worker                 afl->queue_cur->fname, i, j);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker        if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker        ++afl->stage_cur;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        --afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      /* Big endian comes next. Same deal. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      afl->stage_val_type = STAGE_VAL_BE;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if ((orig >> 8) + j > 0xff && !could_be_bitflip(r3)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        afl->stage_cur_val = j;
*08b48e0bSAndroid Build Coastguard Worker        *(u16 *)(out_buf + i) = SWAP16(SWAP16(orig) + j);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker        snprintf(afl->mutation, sizeof(afl->mutation),
*08b48e0bSAndroid Build Coastguard Worker                 "%s MOPT_ARITH16+BE-%u-%u", afl->queue_cur->fname, i, j);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker        if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker        ++afl->stage_cur;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        --afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if ((orig >> 8) < j && !could_be_bitflip(r4)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        afl->stage_cur_val = -j;
*08b48e0bSAndroid Build Coastguard Worker        *(u16 *)(out_buf + i) = SWAP16(SWAP16(orig) - j);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker        snprintf(afl->mutation, sizeof(afl->mutation),
*08b48e0bSAndroid Build Coastguard Worker                 "%s MOPT_ARITH16_BE+%u+%u", afl->queue_cur->fname, i, j);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker        if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker        ++afl->stage_cur;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        --afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      *(u16 *)(out_buf + i) = orig;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }                                               /* for i = 0; i < len - 1 */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  new_hit_cnt = afl->queued_items + afl->saved_crashes;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_finds[STAGE_ARITH16] += new_hit_cnt - orig_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cycles[STAGE_ARITH16] += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker  afl->queue_cur->stats_mutated += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* 32-bit arithmetics, both endians. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (len < 4) { goto skip_arith; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_name = "arith 32/8";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_short = "arith32";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cur = 0;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_max = 4 * (len - 3) * ARITH_MAX;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  orig_hit_cnt = new_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  for (i = 0; i < len - 3; ++i) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    u32 orig = *(u32 *)(out_buf + i);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* Let's consult the effector map... */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)] &&
*08b48e0bSAndroid Build Coastguard Worker        !eff_map[EFF_APOS(i + 2)] && !eff_map[EFF_APOS(i + 3)]) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      afl->stage_max -= 4 * ARITH_MAX;
*08b48e0bSAndroid Build Coastguard Worker      continue;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_cur_byte = i;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    for (j = 1; j <= ARITH_MAX; ++j) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      u32 r1 = orig ^ (orig + j), r2 = orig ^ (orig - j),
*08b48e0bSAndroid Build Coastguard Worker          r3 = orig ^ SWAP32(SWAP32(orig) + j),
*08b48e0bSAndroid Build Coastguard Worker          r4 = orig ^ SWAP32(SWAP32(orig) - j);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      /* Little endian first. Same deal as with 16-bit: we only want to
*08b48e0bSAndroid Build Coastguard Worker         try if the operation would have effect on more than two bytes. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      afl->stage_val_type = STAGE_VAL_LE;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if ((orig & 0xffff) + j > 0xffff && !could_be_bitflip(r1)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        afl->stage_cur_val = j;
*08b48e0bSAndroid Build Coastguard Worker        *(u32 *)(out_buf + i) = orig + j;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker        snprintf(afl->mutation, sizeof(afl->mutation), "%s MOPT_ARITH32+-%u-%u",
*08b48e0bSAndroid Build Coastguard Worker                 afl->queue_cur->fname, i, j);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker        if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker        ++afl->stage_cur;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        --afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if ((orig & 0xffff) < j && !could_be_bitflip(r2)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        afl->stage_cur_val = -j;
*08b48e0bSAndroid Build Coastguard Worker        *(u32 *)(out_buf + i) = orig - j;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker        snprintf(afl->mutation, sizeof(afl->mutation), "%s MOPT_ARITH32_-%u-%u",
*08b48e0bSAndroid Build Coastguard Worker                 afl->queue_cur->fname, i, j);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker        if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker        ++afl->stage_cur;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        --afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      /* Big endian next. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      afl->stage_val_type = STAGE_VAL_BE;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if ((SWAP32(orig) & 0xffff) + j > 0xffff && !could_be_bitflip(r3)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        afl->stage_cur_val = j;
*08b48e0bSAndroid Build Coastguard Worker        *(u32 *)(out_buf + i) = SWAP32(SWAP32(orig) + j);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker        snprintf(afl->mutation, sizeof(afl->mutation),
*08b48e0bSAndroid Build Coastguard Worker                 "%s MOPT_ARITH32+BE-%u-%u", afl->queue_cur->fname, i, j);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker        if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker        ++afl->stage_cur;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        --afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if ((SWAP32(orig) & 0xffff) < j && !could_be_bitflip(r4)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        afl->stage_cur_val = -j;
*08b48e0bSAndroid Build Coastguard Worker        *(u32 *)(out_buf + i) = SWAP32(SWAP32(orig) - j);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker        snprintf(afl->mutation, sizeof(afl->mutation),
*08b48e0bSAndroid Build Coastguard Worker                 "%s MOPT_ARITH32_BE-%u-%u", afl->queue_cur->fname, i, j);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker        if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker        ++afl->stage_cur;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        --afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      *(u32 *)(out_buf + i) = orig;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }                                               /* for i = 0; i < len - 3 */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  new_hit_cnt = afl->queued_items + afl->saved_crashes;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_finds[STAGE_ARITH32] += new_hit_cnt - orig_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cycles[STAGE_ARITH32] += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker  afl->queue_cur->stats_mutated += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workerskip_arith:
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /**********************
*08b48e0bSAndroid Build Coastguard Worker   * INTERESTING VALUES *
*08b48e0bSAndroid Build Coastguard Worker   **********************/
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_name = "interest 8/8";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_short = "int8";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cur = 0;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_max = len * sizeof(interesting_8);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_val_type = STAGE_VAL_LE;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  orig_hit_cnt = new_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* Setting 8-bit integers. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  for (i = 0; i < (u32)len; ++i) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    u8 orig = out_buf[i];
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* Let's consult the effector map... */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (!eff_map[EFF_APOS(i)]) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      afl->stage_max -= sizeof(interesting_8);
*08b48e0bSAndroid Build Coastguard Worker      continue;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_cur_byte = i;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    for (j = 0; j < sizeof(interesting_8); ++j) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      /* Skip if the value could be a product of bitflips or arithmetics. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (could_be_bitflip(orig ^ (u8)interesting_8[j]) ||
*08b48e0bSAndroid Build Coastguard Worker          could_be_arith(orig, (u8)interesting_8[j], 1)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        --afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker        continue;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      afl->stage_cur_val = interesting_8[j];
*08b48e0bSAndroid Build Coastguard Worker      out_buf[i] = interesting_8[j];
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker      snprintf(afl->mutation, sizeof(afl->mutation),
*08b48e0bSAndroid Build Coastguard Worker               "%s MOPT_INTERESTING8-%u-%u", afl->queue_cur->fname, i, j);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker      if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      out_buf[i] = orig;
*08b48e0bSAndroid Build Coastguard Worker      ++afl->stage_cur;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }                                                   /* for i = 0; i < len */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  new_hit_cnt = afl->queued_items + afl->saved_crashes;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_finds[STAGE_INTEREST8] += new_hit_cnt - orig_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cycles[STAGE_INTEREST8] += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker  afl->queue_cur->stats_mutated += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* Setting 16-bit integers, both endians. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (afl->no_arith || len < 2) { goto skip_interest; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_name = "interest 16/8";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_short = "int16";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cur = 0;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_max = 2 * (len - 1) * (sizeof(interesting_16) >> 1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  orig_hit_cnt = new_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  for (i = 0; i < len - 1; ++i) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    u16 orig = *(u16 *)(out_buf + i);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* Let's consult the effector map... */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)]) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      afl->stage_max -= sizeof(interesting_16);
*08b48e0bSAndroid Build Coastguard Worker      continue;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_cur_byte = i;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    for (j = 0; j < sizeof(interesting_16) / 2; ++j) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      afl->stage_cur_val = interesting_16[j];
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      /* Skip if this could be a product of a bitflip, arithmetics,
*08b48e0bSAndroid Build Coastguard Worker         or single-byte interesting value insertion. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (!could_be_bitflip(orig ^ (u16)interesting_16[j]) &&
*08b48e0bSAndroid Build Coastguard Worker          !could_be_arith(orig, (u16)interesting_16[j], 2) &&
*08b48e0bSAndroid Build Coastguard Worker          !could_be_interest(orig, (u16)interesting_16[j], 2, 0)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        afl->stage_val_type = STAGE_VAL_LE;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        *(u16 *)(out_buf + i) = interesting_16[j];
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker        snprintf(afl->mutation, sizeof(afl->mutation),
*08b48e0bSAndroid Build Coastguard Worker                 "%s MOPT_INTERESTING16-%u-%u", afl->queue_cur->fname, i, j);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker        if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker        ++afl->stage_cur;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        --afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if ((u16)interesting_16[j] != SWAP16(interesting_16[j]) &&
*08b48e0bSAndroid Build Coastguard Worker          !could_be_bitflip(orig ^ SWAP16(interesting_16[j])) &&
*08b48e0bSAndroid Build Coastguard Worker          !could_be_arith(orig, SWAP16(interesting_16[j]), 2) &&
*08b48e0bSAndroid Build Coastguard Worker          !could_be_interest(orig, SWAP16(interesting_16[j]), 2, 1)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        afl->stage_val_type = STAGE_VAL_BE;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker        snprintf(afl->mutation, sizeof(afl->mutation),
*08b48e0bSAndroid Build Coastguard Worker                 "%s MOPT_INTERESTING16BE-%u-%u", afl->queue_cur->fname, i, j);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker        *(u16 *)(out_buf + i) = SWAP16(interesting_16[j]);
*08b48e0bSAndroid Build Coastguard Worker        if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker        ++afl->stage_cur;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        --afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    *(u16 *)(out_buf + i) = orig;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }                                               /* for i = 0; i < len - 1 */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  new_hit_cnt = afl->queued_items + afl->saved_crashes;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_finds[STAGE_INTEREST16] += new_hit_cnt - orig_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cycles[STAGE_INTEREST16] += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker  afl->queue_cur->stats_mutated += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (len < 4) { goto skip_interest; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* Setting 32-bit integers, both endians. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_name = "interest 32/8";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_short = "int32";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cur = 0;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_max = 2 * (len - 3) * (sizeof(interesting_32) >> 2);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  orig_hit_cnt = new_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  for (i = 0; i < len - 3; ++i) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    u32 orig = *(u32 *)(out_buf + i);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* Let's consult the effector map... */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)] &&
*08b48e0bSAndroid Build Coastguard Worker        !eff_map[EFF_APOS(i + 2)] && !eff_map[EFF_APOS(i + 3)]) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      afl->stage_max -= sizeof(interesting_32) >> 1;
*08b48e0bSAndroid Build Coastguard Worker      continue;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_cur_byte = i;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    for (j = 0; j < sizeof(interesting_32) / 4; ++j) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      afl->stage_cur_val = interesting_32[j];
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      /* Skip if this could be a product of a bitflip, arithmetics,
*08b48e0bSAndroid Build Coastguard Worker         or word interesting value insertion. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (!could_be_bitflip(orig ^ (u32)interesting_32[j]) &&
*08b48e0bSAndroid Build Coastguard Worker          !could_be_arith(orig, interesting_32[j], 4) &&
*08b48e0bSAndroid Build Coastguard Worker          !could_be_interest(orig, interesting_32[j], 4, 0)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        afl->stage_val_type = STAGE_VAL_LE;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        *(u32 *)(out_buf + i) = interesting_32[j];
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker        snprintf(afl->mutation, sizeof(afl->mutation),
*08b48e0bSAndroid Build Coastguard Worker                 "%s MOPT_INTERESTING32-%u-%u", afl->queue_cur->fname, i, j);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker        if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker        ++afl->stage_cur;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        --afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if ((u32)interesting_32[j] != SWAP32(interesting_32[j]) &&
*08b48e0bSAndroid Build Coastguard Worker          !could_be_bitflip(orig ^ SWAP32(interesting_32[j])) &&
*08b48e0bSAndroid Build Coastguard Worker          !could_be_arith(orig, SWAP32(interesting_32[j]), 4) &&
*08b48e0bSAndroid Build Coastguard Worker          !could_be_interest(orig, SWAP32(interesting_32[j]), 4, 1)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        afl->stage_val_type = STAGE_VAL_BE;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker        snprintf(afl->mutation, sizeof(afl->mutation),
*08b48e0bSAndroid Build Coastguard Worker                 "%s MOPT_INTERESTING32BE-%u-%u", afl->queue_cur->fname, i, j);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker        *(u32 *)(out_buf + i) = SWAP32(interesting_32[j]);
*08b48e0bSAndroid Build Coastguard Worker        if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker        ++afl->stage_cur;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        --afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    *(u32 *)(out_buf + i) = orig;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }                                               /* for i = 0; i < len - 3 */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  new_hit_cnt = afl->queued_items + afl->saved_crashes;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_finds[STAGE_INTEREST32] += new_hit_cnt - orig_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cycles[STAGE_INTEREST32] += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker  afl->queue_cur->stats_mutated += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workerskip_interest:
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /********************
*08b48e0bSAndroid Build Coastguard Worker   * DICTIONARY STUFF *
*08b48e0bSAndroid Build Coastguard Worker   ********************/
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (!afl->extras_cnt) { goto skip_user_extras; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* Overwrite with user-supplied extras. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_name = "user extras (over)";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_short = "ext_UO";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cur = 0;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_max = afl->extras_cnt * len;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_val_type = STAGE_VAL_NONE;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  orig_hit_cnt = new_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  for (i = 0; i < (u32)len; ++i) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    u32 last_len = 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_cur_byte = i;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* Extras are sorted by size, from smallest to largest. This means
*08b48e0bSAndroid Build Coastguard Worker       that we don't have to worry about restoring the buffer in
*08b48e0bSAndroid Build Coastguard Worker       between writes at a particular offset determined by the outer
*08b48e0bSAndroid Build Coastguard Worker       loop. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    for (j = 0; j < afl->extras_cnt; ++j) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      /* Skip extras probabilistically if afl->extras_cnt > AFL_MAX_DET_EXTRAS.
*08b48e0bSAndroid Build Coastguard Worker         Also skip them if there's no room to insert the payload, if the token
*08b48e0bSAndroid Build Coastguard Worker         is redundant, or if its entire span has no bytes set in the effector
*08b48e0bSAndroid Build Coastguard Worker         map. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if ((afl->extras_cnt > afl->max_det_extras &&
*08b48e0bSAndroid Build Coastguard Worker           rand_below(afl, afl->extras_cnt) >= afl->max_det_extras) ||
*08b48e0bSAndroid Build Coastguard Worker          afl->extras[j].len > len - i ||
*08b48e0bSAndroid Build Coastguard Worker          !memcmp(afl->extras[j].data, out_buf + i, afl->extras[j].len) ||
*08b48e0bSAndroid Build Coastguard Worker          !memchr(eff_map + EFF_APOS(i), 1,
*08b48e0bSAndroid Build Coastguard Worker                  EFF_SPAN_ALEN(i, afl->extras[j].len))) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        --afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker        continue;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      last_len = afl->extras[j].len;
*08b48e0bSAndroid Build Coastguard Worker      memcpy(out_buf + i, afl->extras[j].data, last_len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker      snprintf(afl->mutation, sizeof(afl->mutation),
*08b48e0bSAndroid Build Coastguard Worker               "%s MOPT_EXTRAS_overwrite-%u-%u", afl->queue_cur->fname, i, j);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      ++afl->stage_cur;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* Restore all the clobbered memory. */
*08b48e0bSAndroid Build Coastguard Worker    memcpy(out_buf + i, in_buf + i, last_len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }                                                   /* for i = 0; i < len */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  new_hit_cnt = afl->queued_items + afl->saved_crashes;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_finds[STAGE_EXTRAS_UO] += new_hit_cnt - orig_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cycles[STAGE_EXTRAS_UO] += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker  afl->queue_cur->stats_mutated += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* Insertion of user-supplied extras. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_name = "user extras (insert)";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_short = "ext_UI";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cur = 0;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_max = afl->extras_cnt * (len + 1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  orig_hit_cnt = new_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  ex_tmp = afl_realloc(AFL_BUF_PARAM(ex), len + MAX_DICT_FILE);
*08b48e0bSAndroid Build Coastguard Worker  if (unlikely(!ex_tmp)) { PFATAL("alloc"); }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  for (i = 0; i <= (u32)len; ++i) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_cur_byte = i;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    for (j = 0; j < afl->extras_cnt; ++j) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (len + afl->extras[j].len > MAX_FILE) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        --afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker        continue;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      /* Insert token */
*08b48e0bSAndroid Build Coastguard Worker      memcpy(ex_tmp + i, afl->extras[j].data, afl->extras[j].len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      /* Copy tail */
*08b48e0bSAndroid Build Coastguard Worker      memcpy(ex_tmp + i + afl->extras[j].len, out_buf + i, len - i);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker      snprintf(afl->mutation, sizeof(afl->mutation),
*08b48e0bSAndroid Build Coastguard Worker               "%s MOPT_EXTRAS_insert-%u-%u", afl->queue_cur->fname, i, j);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (common_fuzz_stuff(afl, ex_tmp, len + afl->extras[j].len)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        goto abandon_entry;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      ++afl->stage_cur;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* Copy head */
*08b48e0bSAndroid Build Coastguard Worker    ex_tmp[i] = out_buf[i];
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }                                                  /* for i = 0; i <= len */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  new_hit_cnt = afl->queued_items + afl->saved_crashes;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_finds[STAGE_EXTRAS_UI] += new_hit_cnt - orig_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cycles[STAGE_EXTRAS_UI] += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker  afl->queue_cur->stats_mutated += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workerskip_user_extras:
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (!afl->a_extras_cnt) { goto skip_extras; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_name = "auto extras (over)";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_short = "ext_AO";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cur = 0;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_max = MIN(afl->a_extras_cnt, (u32)USE_AUTO_EXTRAS) * len;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_val_type = STAGE_VAL_NONE;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  orig_hit_cnt = new_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  for (i = 0; i < (u32)len; ++i) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    u32 last_len = 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_cur_byte = i;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    u32 min_extra_len = MIN(afl->a_extras_cnt, (u32)USE_AUTO_EXTRAS);
*08b48e0bSAndroid Build Coastguard Worker    for (j = 0; j < min_extra_len; ++j) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      /* See the comment in the earlier code; extras are sorted by size. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if ((afl->a_extras[j].len) > (len - i) ||
*08b48e0bSAndroid Build Coastguard Worker          !memcmp(afl->a_extras[j].data, out_buf + i, afl->a_extras[j].len) ||
*08b48e0bSAndroid Build Coastguard Worker          !memchr(eff_map + EFF_APOS(i), 1,
*08b48e0bSAndroid Build Coastguard Worker                  EFF_SPAN_ALEN(i, afl->a_extras[j].len))) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        --afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker        continue;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      last_len = afl->a_extras[j].len;
*08b48e0bSAndroid Build Coastguard Worker      memcpy(out_buf + i, afl->a_extras[j].data, last_len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker      snprintf(afl->mutation, sizeof(afl->mutation),
*08b48e0bSAndroid Build Coastguard Worker               "%s MOPT_AUTO_EXTRAS_overwrite-%u-%u", afl->queue_cur->fname, i,
*08b48e0bSAndroid Build Coastguard Worker               j);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (common_fuzz_stuff(afl, out_buf, len)) { goto abandon_entry; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      ++afl->stage_cur;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* Restore all the clobbered memory. */
*08b48e0bSAndroid Build Coastguard Worker    memcpy(out_buf + i, in_buf + i, last_len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }                                                   /* for i = 0; i < len */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  new_hit_cnt = afl->queued_items + afl->saved_crashes;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_finds[STAGE_EXTRAS_AO] += new_hit_cnt - orig_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cycles[STAGE_EXTRAS_AO] += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker  afl->queue_cur->stats_mutated += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* Insertion of auto extras. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_name = "auto extras (insert)";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_short = "ext_AI";
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cur = 0;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_max = afl->a_extras_cnt * (len + 1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  orig_hit_cnt = new_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  ex_tmp = afl_realloc(AFL_BUF_PARAM(ex), len + MAX_DICT_FILE);
*08b48e0bSAndroid Build Coastguard Worker  if (unlikely(!ex_tmp)) { PFATAL("alloc"); }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  for (i = 0; i <= (u32)len; ++i) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_cur_byte = i;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    for (j = 0; j < afl->a_extras_cnt; ++j) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (len + afl->a_extras[j].len > MAX_FILE) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        --afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker        continue;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      /* Insert token */
*08b48e0bSAndroid Build Coastguard Worker      memcpy(ex_tmp + i, afl->a_extras[j].data, afl->a_extras[j].len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      /* Copy tail */
*08b48e0bSAndroid Build Coastguard Worker      memcpy(ex_tmp + i + afl->a_extras[j].len, out_buf + i, len - i);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker      snprintf(afl->mutation, sizeof(afl->mutation),
*08b48e0bSAndroid Build Coastguard Worker               "%s MOPT_AUTO_EXTRAS_insert-%u-%u", afl->queue_cur->fname, i, j);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (common_fuzz_stuff(afl, ex_tmp, len + afl->a_extras[j].len)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        goto abandon_entry;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      ++afl->stage_cur;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    /* Copy head */
*08b48e0bSAndroid Build Coastguard Worker    ex_tmp[i] = out_buf[i];
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }                                                  /* for i = 0; i <= len */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  new_hit_cnt = afl->queued_items + afl->saved_crashes;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_finds[STAGE_EXTRAS_AI] += new_hit_cnt - orig_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cycles[STAGE_EXTRAS_AI] += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker  afl->queue_cur->stats_mutated += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workerskip_extras:
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* If we made this to here without jumping to havoc_stage or abandon_entry,
*08b48e0bSAndroid Build Coastguard Worker     we're properly done with deterministic steps and can mark it as such
*08b48e0bSAndroid Build Coastguard Worker     in the .state/ directory. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (!afl->queue_cur->passed_det) { mark_as_det_done(afl, afl->queue_cur); }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /****************
*08b48e0bSAndroid Build Coastguard Worker   * RANDOM HAVOC *
*08b48e0bSAndroid Build Coastguard Worker   ****************/
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workerhavoc_stage:
*08b48e0bSAndroid Build Coastguard Workerpacemaker_fuzzing:
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->stage_cur_byte = -1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /* The havoc stage mutation code is also invoked when splicing files; if the
*08b48e0bSAndroid Build Coastguard Worker     splice_cycle variable is set, generate different descriptions and such. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (!splice_cycle) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_name = MOpt_globals.havoc_stagename;
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_short = MOpt_globals.havoc_stagenameshort;
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_max = ((doing_det ? HAVOC_CYCLES_INIT : HAVOC_CYCLES) *
*08b48e0bSAndroid Build Coastguard Worker                      perf_score / afl->havoc_div) >>
*08b48e0bSAndroid Build Coastguard Worker                     7;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    perf_score = orig_perf;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    snprintf(afl->stage_name_buf, STAGE_BUF_SIZE,
*08b48e0bSAndroid Build Coastguard Worker             MOpt_globals.splice_stageformat, splice_cycle);
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_name = afl->stage_name_buf;
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_short = MOpt_globals.splice_stagenameshort;
*08b48e0bSAndroid Build Coastguard Worker    afl->stage_max = (SPLICE_HAVOC * perf_score / afl->havoc_div) >> 8;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  s32 temp_len_puppet;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  // for (; afl->swarm_now < swarm_num; ++afl->swarm_now)
*08b48e0bSAndroid Build Coastguard Worker  {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (afl->key_puppet == 1) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (unlikely(afl->orig_hit_cnt_puppet == 0)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        afl->orig_hit_cnt_puppet = afl->queued_items + afl->saved_crashes;
*08b48e0bSAndroid Build Coastguard Worker        afl->last_limit_time_start = get_cur_time();
*08b48e0bSAndroid Build Coastguard Worker        afl->SPLICE_CYCLES_puppet =
*08b48e0bSAndroid Build Coastguard Worker            (rand_below(
*08b48e0bSAndroid Build Coastguard Worker                 afl, SPLICE_CYCLES_puppet_up - SPLICE_CYCLES_puppet_low + 1) +
*08b48e0bSAndroid Build Coastguard Worker             SPLICE_CYCLES_puppet_low);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }                                            /* if afl->key_puppet == 1 */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifndef IGNORE_FINDS
*08b48e0bSAndroid Build Coastguard Worker    havoc_stage_puppet:
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      afl->stage_cur_byte = -1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      /* The havoc stage mutation code is also invoked when splicing files; if
*08b48e0bSAndroid Build Coastguard Worker         the splice_cycle variable is set, generate different descriptions and
*08b48e0bSAndroid Build Coastguard Worker         such. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (!splice_cycle) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        afl->stage_name = MOpt_globals.havoc_stagename;
*08b48e0bSAndroid Build Coastguard Worker        afl->stage_short = MOpt_globals.havoc_stagenameshort;
*08b48e0bSAndroid Build Coastguard Worker        afl->stage_max = (doing_det ? HAVOC_CYCLES_INIT : HAVOC_CYCLES) *
*08b48e0bSAndroid Build Coastguard Worker                         perf_score / afl->havoc_div / 100;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        perf_score = orig_perf;
*08b48e0bSAndroid Build Coastguard Worker        snprintf(afl->stage_name_buf, STAGE_BUF_SIZE,
*08b48e0bSAndroid Build Coastguard Worker                 MOpt_globals.splice_stageformat, splice_cycle);
*08b48e0bSAndroid Build Coastguard Worker        afl->stage_name = afl->stage_name_buf;
*08b48e0bSAndroid Build Coastguard Worker        afl->stage_short = MOpt_globals.splice_stagenameshort;
*08b48e0bSAndroid Build Coastguard Worker        afl->stage_max = SPLICE_HAVOC * perf_score / afl->havoc_div / 100;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (afl->stage_max < HAVOC_MIN) { afl->stage_max = HAVOC_MIN; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      temp_len = len;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      orig_hit_cnt = afl->queued_items + afl->saved_crashes;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      havoc_queued = afl->queued_items;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      u32 r_max, r;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      r_max = 16 + ((afl->extras_cnt + afl->a_extras_cnt) ? 2 : 0);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (unlikely(afl->expand_havoc && afl->ready_for_splicing_count > 1)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        /* add expensive havoc cases here, they are activated after a full
*08b48e0bSAndroid Build Coastguard Worker           cycle without any finds happened */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        ++r_max;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      for (afl->stage_cur = 0; afl->stage_cur < afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker           ++afl->stage_cur) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        u32 use_stacking = 1 << (1 + rand_below(afl, afl->havoc_stack_pow2));
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        afl->stage_cur_val = use_stacking;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        for (i = 0; i < operator_num; ++i) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          MOpt_globals.cycles_v3[i] = MOpt_globals.cycles_v2[i];
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker        snprintf(afl->mutation, sizeof(afl->mutation), "%s MOPT_HAVOC-%u",
*08b48e0bSAndroid Build Coastguard Worker                 afl->queue_cur->fname, use_stacking);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        for (i = 0; i < use_stacking; ++i) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          switch (r = (select_algorithm(afl, r_max))) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            case 0:
*08b48e0bSAndroid Build Coastguard Worker              /* Flip a single bit somewhere. Spooky! */
*08b48e0bSAndroid Build Coastguard Worker              FLIP_BIT(out_buf, rand_below(afl, temp_len << 3));
*08b48e0bSAndroid Build Coastguard Worker              MOpt_globals.cycles_v2[STAGE_FLIP1]++;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker              snprintf(afl->m_tmp, sizeof(afl->m_tmp), " FLIP_BIT1");
*08b48e0bSAndroid Build Coastguard Worker              strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker              break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            case 1:
*08b48e0bSAndroid Build Coastguard Worker              if (temp_len < 2) { break; }
*08b48e0bSAndroid Build Coastguard Worker              temp_len_puppet = rand_below(afl, (temp_len << 3) - 1);
*08b48e0bSAndroid Build Coastguard Worker              FLIP_BIT(out_buf, temp_len_puppet);
*08b48e0bSAndroid Build Coastguard Worker              FLIP_BIT(out_buf, temp_len_puppet + 1);
*08b48e0bSAndroid Build Coastguard Worker              MOpt_globals.cycles_v2[STAGE_FLIP2]++;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker              snprintf(afl->m_tmp, sizeof(afl->m_tmp), " FLIP_BIT2");
*08b48e0bSAndroid Build Coastguard Worker              strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker              break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            case 2:
*08b48e0bSAndroid Build Coastguard Worker              if (temp_len < 2) { break; }
*08b48e0bSAndroid Build Coastguard Worker              temp_len_puppet = rand_below(afl, (temp_len << 3) - 3);
*08b48e0bSAndroid Build Coastguard Worker              FLIP_BIT(out_buf, temp_len_puppet);
*08b48e0bSAndroid Build Coastguard Worker              FLIP_BIT(out_buf, temp_len_puppet + 1);
*08b48e0bSAndroid Build Coastguard Worker              FLIP_BIT(out_buf, temp_len_puppet + 2);
*08b48e0bSAndroid Build Coastguard Worker              FLIP_BIT(out_buf, temp_len_puppet + 3);
*08b48e0bSAndroid Build Coastguard Worker              MOpt_globals.cycles_v2[STAGE_FLIP4]++;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker              snprintf(afl->m_tmp, sizeof(afl->m_tmp), " FLIP_BIT4");
*08b48e0bSAndroid Build Coastguard Worker              strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker              break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            case 3:
*08b48e0bSAndroid Build Coastguard Worker              if (temp_len < 4) { break; }
*08b48e0bSAndroid Build Coastguard Worker              out_buf[rand_below(afl, temp_len)] ^= 0xFF;
*08b48e0bSAndroid Build Coastguard Worker              MOpt_globals.cycles_v2[STAGE_FLIP8]++;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker              snprintf(afl->m_tmp, sizeof(afl->m_tmp), " FLIP_BIT8");
*08b48e0bSAndroid Build Coastguard Worker              strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker              break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            case 4:
*08b48e0bSAndroid Build Coastguard Worker              if (temp_len < 8) { break; }
*08b48e0bSAndroid Build Coastguard Worker              *(u16 *)(out_buf + rand_below(afl, temp_len - 1)) ^= 0xFFFF;
*08b48e0bSAndroid Build Coastguard Worker              MOpt_globals.cycles_v2[STAGE_FLIP16]++;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker              snprintf(afl->m_tmp, sizeof(afl->m_tmp), " FLIP_BIT16");
*08b48e0bSAndroid Build Coastguard Worker              strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker              break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            case 5:
*08b48e0bSAndroid Build Coastguard Worker              if (temp_len < 8) { break; }
*08b48e0bSAndroid Build Coastguard Worker              *(u32 *)(out_buf + rand_below(afl, temp_len - 3)) ^= 0xFFFFFFFF;
*08b48e0bSAndroid Build Coastguard Worker              MOpt_globals.cycles_v2[STAGE_FLIP32]++;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker              snprintf(afl->m_tmp, sizeof(afl->m_tmp), " FLIP_BIT32");
*08b48e0bSAndroid Build Coastguard Worker              strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker              break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            case 6:
*08b48e0bSAndroid Build Coastguard Worker              out_buf[rand_below(afl, temp_len)] -=
*08b48e0bSAndroid Build Coastguard Worker                  1 + rand_below(afl, ARITH_MAX);
*08b48e0bSAndroid Build Coastguard Worker              out_buf[rand_below(afl, temp_len)] +=
*08b48e0bSAndroid Build Coastguard Worker                  1 + rand_below(afl, ARITH_MAX);
*08b48e0bSAndroid Build Coastguard Worker              MOpt_globals.cycles_v2[STAGE_ARITH8]++;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker              snprintf(afl->m_tmp, sizeof(afl->m_tmp), " ARITH8");
*08b48e0bSAndroid Build Coastguard Worker              strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker              break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            case 7:
*08b48e0bSAndroid Build Coastguard Worker              /* Randomly subtract from word, random endian. */
*08b48e0bSAndroid Build Coastguard Worker              if (temp_len < 8) { break; }
*08b48e0bSAndroid Build Coastguard Worker              if (rand_below(afl, 2)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                u32 pos = rand_below(afl, temp_len - 1);
*08b48e0bSAndroid Build Coastguard Worker                *(u16 *)(out_buf + pos) -= 1 + rand_below(afl, ARITH_MAX);
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker                snprintf(afl->m_tmp, sizeof(afl->m_tmp), " ARITH16-%u", pos);
*08b48e0bSAndroid Build Coastguard Worker                strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                u32 pos = rand_below(afl, temp_len - 1);
*08b48e0bSAndroid Build Coastguard Worker                u16 num = 1 + rand_below(afl, ARITH_MAX);
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker                snprintf(afl->m_tmp, sizeof(afl->m_tmp), " ARITH16BE-%u-%u",
*08b48e0bSAndroid Build Coastguard Worker                         pos, num);
*08b48e0bSAndroid Build Coastguard Worker                strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker                *(u16 *)(out_buf + pos) =
*08b48e0bSAndroid Build Coastguard Worker                    SWAP16(SWAP16(*(u16 *)(out_buf + pos)) - num);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              /* Randomly add to word, random endian. */
*08b48e0bSAndroid Build Coastguard Worker              if (rand_below(afl, 2)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                u32 pos = rand_below(afl, temp_len - 1);
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker                snprintf(afl->m_tmp, sizeof(afl->m_tmp), " ARITH16+-%u", pos);
*08b48e0bSAndroid Build Coastguard Worker                strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker                *(u16 *)(out_buf + pos) += 1 + rand_below(afl, ARITH_MAX);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                u32 pos = rand_below(afl, temp_len - 1);
*08b48e0bSAndroid Build Coastguard Worker                u16 num = 1 + rand_below(afl, ARITH_MAX);
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker                snprintf(afl->m_tmp, sizeof(afl->m_tmp), " ARITH16BE+-%u-%u",
*08b48e0bSAndroid Build Coastguard Worker                         pos, num);
*08b48e0bSAndroid Build Coastguard Worker                strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker                *(u16 *)(out_buf + pos) =
*08b48e0bSAndroid Build Coastguard Worker                    SWAP16(SWAP16(*(u16 *)(out_buf + pos)) + num);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              MOpt_globals.cycles_v2[STAGE_ARITH16]++;
*08b48e0bSAndroid Build Coastguard Worker              break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            case 8:
*08b48e0bSAndroid Build Coastguard Worker              /* Randomly subtract from dword, random endian. */
*08b48e0bSAndroid Build Coastguard Worker              if (temp_len < 8) { break; }
*08b48e0bSAndroid Build Coastguard Worker              if (rand_below(afl, 2)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                u32 pos = rand_below(afl, temp_len - 3);
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker                snprintf(afl->m_tmp, sizeof(afl->m_tmp), " ARITH32_-%u", pos);
*08b48e0bSAndroid Build Coastguard Worker                strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker                *(u32 *)(out_buf + pos) -= 1 + rand_below(afl, ARITH_MAX);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                u32 pos = rand_below(afl, temp_len - 3);
*08b48e0bSAndroid Build Coastguard Worker                u32 num = 1 + rand_below(afl, ARITH_MAX);
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker                snprintf(afl->m_tmp, sizeof(afl->m_tmp), " ARITH32BE_-%u-%u",
*08b48e0bSAndroid Build Coastguard Worker                         pos, num);
*08b48e0bSAndroid Build Coastguard Worker                strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker                *(u32 *)(out_buf + pos) =
*08b48e0bSAndroid Build Coastguard Worker                    SWAP32(SWAP32(*(u32 *)(out_buf + pos)) - num);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              /* Randomly add to dword, random endian. */
*08b48e0bSAndroid Build Coastguard Worker              // if (temp_len < 4) break;
*08b48e0bSAndroid Build Coastguard Worker              if (rand_below(afl, 2)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                u32 pos = rand_below(afl, temp_len - 3);
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker                snprintf(afl->m_tmp, sizeof(afl->m_tmp), " ARITH32+-%u", pos);
*08b48e0bSAndroid Build Coastguard Worker                strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker                *(u32 *)(out_buf + pos) += 1 + rand_below(afl, ARITH_MAX);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                u32 pos = rand_below(afl, temp_len - 3);
*08b48e0bSAndroid Build Coastguard Worker                u32 num = 1 + rand_below(afl, ARITH_MAX);
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker                snprintf(afl->m_tmp, sizeof(afl->m_tmp), " ARITH32BE+-%u-%u",
*08b48e0bSAndroid Build Coastguard Worker                         pos, num);
*08b48e0bSAndroid Build Coastguard Worker                strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker                *(u32 *)(out_buf + pos) =
*08b48e0bSAndroid Build Coastguard Worker                    SWAP32(SWAP32(*(u32 *)(out_buf + pos)) + num);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              MOpt_globals.cycles_v2[STAGE_ARITH32]++;
*08b48e0bSAndroid Build Coastguard Worker              break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            case 9:
*08b48e0bSAndroid Build Coastguard Worker              /* Set byte to interesting value. */
*08b48e0bSAndroid Build Coastguard Worker              if (temp_len < 4) { break; }
*08b48e0bSAndroid Build Coastguard Worker              out_buf[rand_below(afl, temp_len)] =
*08b48e0bSAndroid Build Coastguard Worker                  interesting_8[rand_below(afl, sizeof(interesting_8))];
*08b48e0bSAndroid Build Coastguard Worker              MOpt_globals.cycles_v2[STAGE_INTEREST8]++;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker              snprintf(afl->m_tmp, sizeof(afl->m_tmp), " INTERESTING8");
*08b48e0bSAndroid Build Coastguard Worker              strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker              break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            case 10:
*08b48e0bSAndroid Build Coastguard Worker              /* Set word to interesting value, randomly choosing endian. */
*08b48e0bSAndroid Build Coastguard Worker              if (temp_len < 8) { break; }
*08b48e0bSAndroid Build Coastguard Worker              if (rand_below(afl, 2)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker                snprintf(afl->m_tmp, sizeof(afl->m_tmp), " INTERESTING16");
*08b48e0bSAndroid Build Coastguard Worker                strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker                *(u16 *)(out_buf + rand_below(afl, temp_len - 1)) =
*08b48e0bSAndroid Build Coastguard Worker                    interesting_16[rand_below(afl,
*08b48e0bSAndroid Build Coastguard Worker                                              sizeof(interesting_16) >> 1)];
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker                snprintf(afl->m_tmp, sizeof(afl->m_tmp), " INTERESTING16BE");
*08b48e0bSAndroid Build Coastguard Worker                strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker                *(u16 *)(out_buf + rand_below(afl, temp_len - 1)) =
*08b48e0bSAndroid Build Coastguard Worker                    SWAP16(interesting_16[rand_below(
*08b48e0bSAndroid Build Coastguard Worker                        afl, sizeof(interesting_16) >> 1)]);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              MOpt_globals.cycles_v2[STAGE_INTEREST16]++;
*08b48e0bSAndroid Build Coastguard Worker              break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            case 11:
*08b48e0bSAndroid Build Coastguard Worker              /* Set dword to interesting value, randomly choosing endian. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              if (temp_len < 8) { break; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              if (rand_below(afl, 2)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker                snprintf(afl->m_tmp, sizeof(afl->m_tmp), " INTERESTING32");
*08b48e0bSAndroid Build Coastguard Worker                strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker                *(u32 *)(out_buf + rand_below(afl, temp_len - 3)) =
*08b48e0bSAndroid Build Coastguard Worker                    interesting_32[rand_below(afl,
*08b48e0bSAndroid Build Coastguard Worker                                              sizeof(interesting_32) >> 2)];
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker                snprintf(afl->m_tmp, sizeof(afl->m_tmp), " INTERESTING32BE");
*08b48e0bSAndroid Build Coastguard Worker                strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker                *(u32 *)(out_buf + rand_below(afl, temp_len - 3)) =
*08b48e0bSAndroid Build Coastguard Worker                    SWAP32(interesting_32[rand_below(
*08b48e0bSAndroid Build Coastguard Worker                        afl, sizeof(interesting_32) >> 2)]);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              MOpt_globals.cycles_v2[STAGE_INTEREST32]++;
*08b48e0bSAndroid Build Coastguard Worker              break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            case 12:
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              /* Just set a random byte to a random value. Because,
*08b48e0bSAndroid Build Coastguard Worker                 why not. We use XOR with 1-255 to eliminate the
*08b48e0bSAndroid Build Coastguard Worker                 possibility of a no-op. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              out_buf[rand_below(afl, temp_len)] ^= 1 + rand_below(afl, 255);
*08b48e0bSAndroid Build Coastguard Worker              MOpt_globals.cycles_v2[STAGE_RANDOMBYTE]++;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker              snprintf(afl->m_tmp, sizeof(afl->m_tmp), " RAND8");
*08b48e0bSAndroid Build Coastguard Worker              strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker              break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            case 13: {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              /* Delete bytes. We're making this a bit more likely
*08b48e0bSAndroid Build Coastguard Worker                 than insertion (the next option) in hopes of keeping
*08b48e0bSAndroid Build Coastguard Worker                 files reasonably small. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              u32 del_from, del_len;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              if (temp_len < 2) { break; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              /* Don't delete too much. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              del_len = choose_block_len(afl, temp_len - 1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              del_from = rand_below(afl, temp_len - del_len + 1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker              snprintf(afl->m_tmp, sizeof(afl->m_tmp), " DEL-%u%u", del_from,
*08b48e0bSAndroid Build Coastguard Worker                       del_len);
*08b48e0bSAndroid Build Coastguard Worker              strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker              memmove(out_buf + del_from, out_buf + del_from + del_len,
*08b48e0bSAndroid Build Coastguard Worker                      temp_len - del_from - del_len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              temp_len -= del_len;
*08b48e0bSAndroid Build Coastguard Worker              MOpt_globals.cycles_v2[STAGE_DELETEBYTE]++;
*08b48e0bSAndroid Build Coastguard Worker              break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            case 14:
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              if (temp_len + HAVOC_BLK_XL < MAX_FILE) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                /* Clone bytes (75%) or insert a block of constant bytes (25%).
*08b48e0bSAndroid Build Coastguard Worker                 */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                u8  actually_clone = rand_below(afl, 4);
*08b48e0bSAndroid Build Coastguard Worker                u32 clone_from, clone_to, clone_len;
*08b48e0bSAndroid Build Coastguard Worker                u8 *new_buf;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                if (likely(actually_clone)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                  clone_len = choose_block_len(afl, temp_len);
*08b48e0bSAndroid Build Coastguard Worker                  clone_from = rand_below(afl, temp_len - clone_len + 1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                  clone_len = choose_block_len(afl, HAVOC_BLK_XL);
*08b48e0bSAndroid Build Coastguard Worker                  clone_from = 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                clone_to = rand_below(afl, temp_len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker                snprintf(afl->m_tmp, sizeof(afl->m_tmp), " CLONE_%s-%u-%u-%u",
*08b48e0bSAndroid Build Coastguard Worker                         actually_clone ? "clone" : "insert", clone_from,
*08b48e0bSAndroid Build Coastguard Worker                         clone_to, clone_len);
*08b48e0bSAndroid Build Coastguard Worker                strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker                new_buf = afl_realloc(AFL_BUF_PARAM(out_scratch),
*08b48e0bSAndroid Build Coastguard Worker                                      temp_len + clone_len);
*08b48e0bSAndroid Build Coastguard Worker                if (unlikely(!new_buf)) { PFATAL("alloc"); }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                /* Head */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                memcpy(new_buf, out_buf, clone_to);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                /* Inserted part */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                if (actually_clone) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                  memcpy(new_buf + clone_to, out_buf + clone_from, clone_len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                  memset(new_buf + clone_to,
*08b48e0bSAndroid Build Coastguard Worker                         rand_below(afl, 2)
*08b48e0bSAndroid Build Coastguard Worker                             ? rand_below(afl, 256)
*08b48e0bSAndroid Build Coastguard Worker                             : out_buf[rand_below(afl, temp_len)],
*08b48e0bSAndroid Build Coastguard Worker                         clone_len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                /* Tail */
*08b48e0bSAndroid Build Coastguard Worker                memcpy(new_buf + clone_to + clone_len, out_buf + clone_to,
*08b48e0bSAndroid Build Coastguard Worker                       temp_len - clone_to);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                out_buf = new_buf;
*08b48e0bSAndroid Build Coastguard Worker                afl_swap_bufs(AFL_BUF_PARAM(out), AFL_BUF_PARAM(out_scratch));
*08b48e0bSAndroid Build Coastguard Worker                temp_len += clone_len;
*08b48e0bSAndroid Build Coastguard Worker                MOpt_globals.cycles_v2[STAGE_Clone75]++;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            case 15: {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              /* Overwrite bytes with a randomly selected chunk (75%) or fixed
*08b48e0bSAndroid Build Coastguard Worker                 bytes (25%). */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              u32 copy_from, copy_to, copy_len;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              if (temp_len < 2) { break; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              copy_len = choose_block_len(afl, temp_len - 1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              copy_from = rand_below(afl, temp_len - copy_len + 1);
*08b48e0bSAndroid Build Coastguard Worker              copy_to = rand_below(afl, temp_len - copy_len + 1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              if (likely(rand_below(afl, 4))) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                if (likely(copy_from != copy_to)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker                  snprintf(afl->m_tmp, sizeof(afl->m_tmp),
*08b48e0bSAndroid Build Coastguard Worker                           " OVERWRITE_COPY-%u-%u-%u", copy_from, copy_to,
*08b48e0bSAndroid Build Coastguard Worker                           copy_len);
*08b48e0bSAndroid Build Coastguard Worker                  strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker                  memmove(out_buf + copy_to, out_buf + copy_from, copy_len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker                snprintf(afl->m_tmp, sizeof(afl->m_tmp),
*08b48e0bSAndroid Build Coastguard Worker                         " OVERWRITE_FIXED-%u-%u-%u", copy_from, copy_to,
*08b48e0bSAndroid Build Coastguard Worker                         copy_len);
*08b48e0bSAndroid Build Coastguard Worker                strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker                memset(out_buf + copy_to,
*08b48e0bSAndroid Build Coastguard Worker                       rand_below(afl, 2) ? rand_below(afl, 256)
*08b48e0bSAndroid Build Coastguard Worker                                          : out_buf[rand_below(afl, temp_len)],
*08b48e0bSAndroid Build Coastguard Worker                       copy_len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              MOpt_globals.cycles_v2[STAGE_OverWrite75]++;
*08b48e0bSAndroid Build Coastguard Worker              break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            }                                                    /* case 15 */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            default: {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              /* Values 16 and 17 can be selected only if there are any extras
*08b48e0bSAndroid Build Coastguard Worker                 present in the dictionaries. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              r -= 16;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              if (r == 0 && (afl->extras_cnt || afl->a_extras_cnt)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                /* Overwrite bytes with an extra. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                if (!afl->extras_cnt ||
*08b48e0bSAndroid Build Coastguard Worker                    (afl->a_extras_cnt && rand_below(afl, 2))) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                  /* No user-specified extras or odds in our favor. Let's use an
*08b48e0bSAndroid Build Coastguard Worker                    auto-detected one. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                  u32 use_extra = rand_below(afl, afl->a_extras_cnt);
*08b48e0bSAndroid Build Coastguard Worker                  u32 extra_len = afl->a_extras[use_extra].len;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                  if (extra_len > (u32)temp_len) break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                  u32 insert_at = rand_below(afl, temp_len - extra_len + 1);
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker                  snprintf(afl->m_tmp, sizeof(afl->m_tmp),
*08b48e0bSAndroid Build Coastguard Worker                           " AUTO_EXTRA_OVERWRITE-%u-%u", insert_at, extra_len);
*08b48e0bSAndroid Build Coastguard Worker                  strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker                  memcpy(out_buf + insert_at, afl->a_extras[use_extra].data,
*08b48e0bSAndroid Build Coastguard Worker                         extra_len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                  /* No auto extras or odds in our favor. Use the dictionary. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                  u32 use_extra = rand_below(afl, afl->extras_cnt);
*08b48e0bSAndroid Build Coastguard Worker                  u32 extra_len = afl->extras[use_extra].len;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                  if (extra_len > (u32)temp_len) break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                  u32 insert_at = rand_below(afl, temp_len - extra_len + 1);
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker                  snprintf(afl->m_tmp, sizeof(afl->m_tmp),
*08b48e0bSAndroid Build Coastguard Worker                           " EXTRA_OVERWRITE-%u-%u", insert_at, extra_len);
*08b48e0bSAndroid Build Coastguard Worker                  strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker                  memcpy(out_buf + insert_at, afl->extras[use_extra].data,
*08b48e0bSAndroid Build Coastguard Worker                         extra_len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                MOpt_globals.cycles_v2[STAGE_OverWriteExtra]++;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              /* Insert an extra. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              else if (r == 1 && (afl->extras_cnt || afl->a_extras_cnt)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                u32 use_extra, extra_len,
*08b48e0bSAndroid Build Coastguard Worker                    insert_at = rand_below(afl, temp_len + 1);
*08b48e0bSAndroid Build Coastguard Worker                u8 *ptr;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                /* Insert an extra. Do the same dice-rolling stuff as for the
*08b48e0bSAndroid Build Coastguard Worker                  previous case. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                if (!afl->extras_cnt ||
*08b48e0bSAndroid Build Coastguard Worker                    (afl->a_extras_cnt && rand_below(afl, 2))) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                  use_extra = rand_below(afl, afl->a_extras_cnt);
*08b48e0bSAndroid Build Coastguard Worker                  extra_len = afl->a_extras[use_extra].len;
*08b48e0bSAndroid Build Coastguard Worker                  ptr = afl->a_extras[use_extra].data;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker                  snprintf(afl->m_tmp, sizeof(afl->m_tmp),
*08b48e0bSAndroid Build Coastguard Worker                           " AUTO_EXTRA_INSERT-%u-%u", insert_at, extra_len);
*08b48e0bSAndroid Build Coastguard Worker                  strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                  use_extra = rand_below(afl, afl->extras_cnt);
*08b48e0bSAndroid Build Coastguard Worker                  extra_len = afl->extras[use_extra].len;
*08b48e0bSAndroid Build Coastguard Worker                  ptr = afl->extras[use_extra].data;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker                  snprintf(afl->m_tmp, sizeof(afl->m_tmp),
*08b48e0bSAndroid Build Coastguard Worker                           " EXTRA_INSERT-%u-%u", insert_at, extra_len);
*08b48e0bSAndroid Build Coastguard Worker                  strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                if (temp_len + extra_len >= MAX_FILE) break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                out_buf = afl_realloc(AFL_BUF_PARAM(out), temp_len + extra_len);
*08b48e0bSAndroid Build Coastguard Worker                if (unlikely(!out_buf)) { PFATAL("alloc"); }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                /* Tail */
*08b48e0bSAndroid Build Coastguard Worker                memmove(out_buf + insert_at + extra_len, out_buf + insert_at,
*08b48e0bSAndroid Build Coastguard Worker                        temp_len - insert_at);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                /* Inserted part */
*08b48e0bSAndroid Build Coastguard Worker                memcpy(out_buf + insert_at, ptr, extra_len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                temp_len += extra_len;
*08b48e0bSAndroid Build Coastguard Worker                MOpt_globals.cycles_v2[STAGE_InsertExtra]++;
*08b48e0bSAndroid Build Coastguard Worker                break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                if (unlikely(afl->ready_for_splicing_count < 2)) break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                u32 tid;
*08b48e0bSAndroid Build Coastguard Worker                do {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                  tid = rand_below(afl, afl->queued_items);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                } while (tid == afl->current_entry ||
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                         afl->queue_buf[tid]->len < 4);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                /* Get the testcase for splicing. */
*08b48e0bSAndroid Build Coastguard Worker                struct queue_entry *target = afl->queue_buf[tid];
*08b48e0bSAndroid Build Coastguard Worker                u32                 new_len = target->len;
*08b48e0bSAndroid Build Coastguard Worker                u8                 *new_buf = queue_testcase_get(afl, target);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                if ((temp_len >= 2 && rand_below(afl, 2)) ||
*08b48e0bSAndroid Build Coastguard Worker                    temp_len + HAVOC_BLK_XL >= MAX_FILE) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                  /* overwrite mode */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                  u32 copy_from, copy_to, copy_len;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                  copy_len = choose_block_len(afl, new_len - 1);
*08b48e0bSAndroid Build Coastguard Worker                  if (copy_len > temp_len) copy_len = temp_len;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                  copy_from = rand_below(afl, new_len - copy_len + 1);
*08b48e0bSAndroid Build Coastguard Worker                  copy_to = rand_below(afl, temp_len - copy_len + 1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker                  snprintf(afl->m_tmp, sizeof(afl->m_tmp),
*08b48e0bSAndroid Build Coastguard Worker                           " SPLICE_OVERWRITE-%u-%u-%u-%s", copy_from, copy_to,
*08b48e0bSAndroid Build Coastguard Worker                           copy_len, target->fname);
*08b48e0bSAndroid Build Coastguard Worker                  strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker                  memmove(out_buf + copy_to, new_buf + copy_from, copy_len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                  /* insert mode */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                  u32 clone_from, clone_to, clone_len;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                  clone_len = choose_block_len(afl, new_len);
*08b48e0bSAndroid Build Coastguard Worker                  clone_from = rand_below(afl, new_len - clone_len + 1);
*08b48e0bSAndroid Build Coastguard Worker                  clone_to = rand_below(afl, temp_len + 1);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                  u8 *temp_buf = afl_realloc(AFL_BUF_PARAM(out_scratch),
*08b48e0bSAndroid Build Coastguard Worker                                             temp_len + clone_len + 1);
*08b48e0bSAndroid Build Coastguard Worker                  if (unlikely(!temp_buf)) { PFATAL("alloc"); }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker                  snprintf(afl->m_tmp, sizeof(afl->m_tmp),
*08b48e0bSAndroid Build Coastguard Worker                           " SPLICE_INSERT-%u-%u-%u-%s", clone_from, clone_to,
*08b48e0bSAndroid Build Coastguard Worker                           clone_len, target->fname);
*08b48e0bSAndroid Build Coastguard Worker                  strcat(afl->mutation, afl->m_tmp);
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker                  /* Head */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                  memcpy(temp_buf, out_buf, clone_to);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                  /* Inserted part */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                  memcpy(temp_buf + clone_to, new_buf + clone_from, clone_len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                  /* Tail */
*08b48e0bSAndroid Build Coastguard Worker                  memcpy(temp_buf + clone_to + clone_len, out_buf + clone_to,
*08b48e0bSAndroid Build Coastguard Worker                         temp_len - clone_to);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                  out_buf = temp_buf;
*08b48e0bSAndroid Build Coastguard Worker                  afl_swap_bufs(AFL_BUF_PARAM(out), AFL_BUF_PARAM(out_scratch));
*08b48e0bSAndroid Build Coastguard Worker                  temp_len += clone_len;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                MOpt_globals.cycles_v2[STAGE_Splice]++;
*08b48e0bSAndroid Build Coastguard Worker                break;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            }  // end of default:
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          }                                    /* switch select_algorithm() */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }                                      /* for i=0; i < use_stacking */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        ++*MOpt_globals.pTime;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        u64 temp_total_found = afl->queued_items + afl->saved_crashes;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        if (common_fuzz_stuff(afl, out_buf, temp_len)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          goto abandon_entry_puppet;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        /* out_buf might have been mangled a bit, so let's restore it to its
*08b48e0bSAndroid Build Coastguard Worker           original size and shape. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        out_buf = afl_realloc(AFL_BUF_PARAM(out), len);
*08b48e0bSAndroid Build Coastguard Worker        if (unlikely(!out_buf)) { PFATAL("alloc"); }
*08b48e0bSAndroid Build Coastguard Worker        temp_len = len;
*08b48e0bSAndroid Build Coastguard Worker        memcpy(out_buf, in_buf, len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        /* If we're finding new stuff, let's run for a bit longer, limits
*08b48e0bSAndroid Build Coastguard Worker           permitting. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        if (afl->queued_items != havoc_queued) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          if (perf_score <= afl->havoc_max_mult * 100) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            afl->stage_max *= 2;
*08b48e0bSAndroid Build Coastguard Worker            perf_score *= 2;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          havoc_queued = afl->queued_items;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        if (unlikely(afl->queued_items + afl->saved_crashes >
*08b48e0bSAndroid Build Coastguard Worker                     temp_total_found)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          u64 temp_temp_puppet =
*08b48e0bSAndroid Build Coastguard Worker              afl->queued_items + afl->saved_crashes - temp_total_found;
*08b48e0bSAndroid Build Coastguard Worker          afl->total_puppet_find = afl->total_puppet_find + temp_temp_puppet;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          if (MOpt_globals.is_pilot_mode) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            for (i = 0; i < operator_num; ++i) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              if (MOpt_globals.cycles_v2[i] > MOpt_globals.cycles_v3[i]) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                MOpt_globals.finds_v2[i] += temp_temp_puppet;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            for (i = 0; i < operator_num; i++) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              if (afl->core_operator_cycles_puppet_v2[i] >
*08b48e0bSAndroid Build Coastguard Worker                  afl->core_operator_cycles_puppet_v3[i])
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                afl->core_operator_finds_puppet_v2[i] += temp_temp_puppet;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }                                                             /* if */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      } /* for (afl->stage_cur = 0; afl->stage_cur < afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker           ++afl->stage_cur) { */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      new_hit_cnt = afl->queued_items + afl->saved_crashes;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (MOpt_globals.is_pilot_mode) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        if (!splice_cycle) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          afl->stage_finds[STAGE_HAVOC] += new_hit_cnt - orig_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker          afl->stage_cycles[STAGE_HAVOC] += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker          afl->queue_cur->stats_mutated += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          afl->stage_finds[STAGE_SPLICE] += new_hit_cnt - orig_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker          afl->stage_cycles[STAGE_SPLICE] += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#ifdef INTROSPECTION
*08b48e0bSAndroid Build Coastguard Worker          afl->queue_cur->stats_mutated += afl->stage_max;
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifndef IGNORE_FINDS
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      /************
*08b48e0bSAndroid Build Coastguard Worker       * SPLICING *
*08b48e0bSAndroid Build Coastguard Worker       ************/
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    retry_splicing_puppet:
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (afl->use_splicing &&
*08b48e0bSAndroid Build Coastguard Worker          splice_cycle++ < (u32)afl->SPLICE_CYCLES_puppet &&
*08b48e0bSAndroid Build Coastguard Worker          afl->ready_for_splicing_count > 1 && afl->queue_cur->len >= 4) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        struct queue_entry *target;
*08b48e0bSAndroid Build Coastguard Worker        u32                 tid, split_at;
*08b48e0bSAndroid Build Coastguard Worker        u8                 *new_buf;
*08b48e0bSAndroid Build Coastguard Worker        s32                 f_diff, l_diff;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        /* First of all, if we've modified in_buf for havoc, let's clean that
*08b48e0bSAndroid Build Coastguard Worker           up... */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        if (in_buf != orig_in) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          in_buf = orig_in;
*08b48e0bSAndroid Build Coastguard Worker          len = afl->queue_cur->len;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        /* Pick a random queue entry and seek to it. Don't splice with yourself.
*08b48e0bSAndroid Build Coastguard Worker         */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        do {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          tid = rand_below(afl, afl->queued_items);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        } while (tid == afl->current_entry || afl->queue_buf[tid]->len < 4);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        afl->splicing_with = tid;
*08b48e0bSAndroid Build Coastguard Worker        target = afl->queue_buf[tid];
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        /* Read the testcase into a new buffer. */
*08b48e0bSAndroid Build Coastguard Worker        new_buf = queue_testcase_get(afl, target);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        /* Find a suitable splicin g location, somewhere between the first and
*08b48e0bSAndroid Build Coastguard Worker           the last differing byte. Bail out if the difference is just a single
*08b48e0bSAndroid Build Coastguard Worker           byte or so. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        locate_diffs(in_buf, new_buf, MIN(len, target->len), &f_diff, &l_diff);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        if (f_diff < 0 || l_diff < 2 || f_diff == l_diff) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          goto retry_splicing_puppet;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        /* Split somewhere between the first and last differing byte. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        split_at = f_diff + rand_below(afl, l_diff - f_diff);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        /* Do the thing. */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        len = target->len;
*08b48e0bSAndroid Build Coastguard Worker        afl->in_scratch_buf = afl_realloc(AFL_BUF_PARAM(in_scratch), len);
*08b48e0bSAndroid Build Coastguard Worker        memcpy(afl->in_scratch_buf, in_buf, split_at);
*08b48e0bSAndroid Build Coastguard Worker        memcpy(afl->in_scratch_buf + split_at, new_buf, len - split_at);
*08b48e0bSAndroid Build Coastguard Worker        in_buf = afl->in_scratch_buf;
*08b48e0bSAndroid Build Coastguard Worker        afl_swap_bufs(AFL_BUF_PARAM(in), AFL_BUF_PARAM(in_scratch));
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        out_buf = afl_realloc(AFL_BUF_PARAM(out), len);
*08b48e0bSAndroid Build Coastguard Worker        if (unlikely(!out_buf)) { PFATAL("alloc"); }
*08b48e0bSAndroid Build Coastguard Worker        memcpy(out_buf, in_buf, len);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        goto havoc_stage_puppet;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }                                                  /* if splice_cycle */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#endif                                                     /* !IGNORE_FINDS */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      ret_val = 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    abandon_entry:
*08b48e0bSAndroid Build Coastguard Worker    abandon_entry_puppet:
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if ((s64)splice_cycle >= afl->SPLICE_CYCLES_puppet) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        afl->SPLICE_CYCLES_puppet =
*08b48e0bSAndroid Build Coastguard Worker            (rand_below(
*08b48e0bSAndroid Build Coastguard Worker                 afl, SPLICE_CYCLES_puppet_up - SPLICE_CYCLES_puppet_low + 1) +
*08b48e0bSAndroid Build Coastguard Worker             SPLICE_CYCLES_puppet_low);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      afl->splicing_with = -1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      /* Update afl->pending_not_fuzzed count if we made it through the
*08b48e0bSAndroid Build Coastguard Worker         calibration cycle and have not seen this entry before. */
*08b48e0bSAndroid Build Coastguard Worker      /*
*08b48e0bSAndroid Build Coastguard Worker        // TODO FIXME: I think we need this plus need an -L -1 check
*08b48e0bSAndroid Build Coastguard Worker        if (!afl->stop_soon && !afl->queue_cur->cal_failed &&
*08b48e0bSAndroid Build Coastguard Worker            (afl->queue_cur->was_fuzzed == 0 || afl->queue_cur->fuzz_level == 0)
*08b48e0bSAndroid Build Coastguard Worker        && !afl->queue_cur->disabled) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          if (!afl->queue_cur->was_fuzzed) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            --afl->pending_not_fuzzed;
*08b48e0bSAndroid Build Coastguard Worker            afl->queue_cur->was_fuzzed = 1;
*08b48e0bSAndroid Build Coastguard Worker            afl->reinit_table = 1
*08b48e0bSAndroid Build Coastguard Worker            if (afl->queue_cur->favored) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              --afl->pending_favored;
*08b48e0bSAndroid Build Coastguard Worker              afl->smallest_favored = -1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      orig_in = NULL;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (afl->key_puppet == 1) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        if (unlikely(
*08b48e0bSAndroid Build Coastguard Worker                afl->queued_items + afl->saved_crashes >
*08b48e0bSAndroid Build Coastguard Worker                ((afl->queued_items + afl->saved_crashes) * limit_time_bound +
*08b48e0bSAndroid Build Coastguard Worker                 afl->orig_hit_cnt_puppet))) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          afl->key_puppet = 0;
*08b48e0bSAndroid Build Coastguard Worker          afl->orig_hit_cnt_puppet = 0;
*08b48e0bSAndroid Build Coastguard Worker          afl->last_limit_time_start = 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      if (unlikely(*MOpt_globals.pTime > MOpt_globals.period)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        afl->total_pacemaker_time += *MOpt_globals.pTime;
*08b48e0bSAndroid Build Coastguard Worker        *MOpt_globals.pTime = 0;
*08b48e0bSAndroid Build Coastguard Worker        new_hit_cnt = afl->queued_items + afl->saved_crashes;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        if (MOpt_globals.is_pilot_mode) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          afl->swarm_fitness[afl->swarm_now] =
*08b48e0bSAndroid Build Coastguard Worker              (double)(afl->total_puppet_find - afl->temp_puppet_find) /
*08b48e0bSAndroid Build Coastguard Worker              ((double)(afl->tmp_pilot_time) / afl->period_pilot_tmp);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        afl->temp_puppet_find = afl->total_puppet_find;
*08b48e0bSAndroid Build Coastguard Worker        for (i = 0; i < operator_num; ++i) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          if (MOpt_globals.is_pilot_mode) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            double temp_eff = 0.0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            if (MOpt_globals.cycles_v2[i] > MOpt_globals.cycles[i]) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              temp_eff =
*08b48e0bSAndroid Build Coastguard Worker                  (double)(MOpt_globals.finds_v2[i] - MOpt_globals.finds[i]) /
*08b48e0bSAndroid Build Coastguard Worker                  (double)(MOpt_globals.cycles_v2[i] - MOpt_globals.cycles[i]);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            if (afl->eff_best[afl->swarm_now][i] < temp_eff) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              afl->eff_best[afl->swarm_now][i] = temp_eff;
*08b48e0bSAndroid Build Coastguard Worker              afl->L_best[afl->swarm_now][i] = afl->x_now[afl->swarm_now][i];
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          MOpt_globals.finds[i] = MOpt_globals.finds_v2[i];
*08b48e0bSAndroid Build Coastguard Worker          MOpt_globals.cycles[i] = MOpt_globals.cycles_v2[i];
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }                                    /* for i = 0; i < operator_num */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        if (MOpt_globals.is_pilot_mode) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          afl->swarm_now = afl->swarm_now + 1;
*08b48e0bSAndroid Build Coastguard Worker          if (afl->swarm_now == swarm_num) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            afl->key_module = 1;
*08b48e0bSAndroid Build Coastguard Worker            for (i = 0; i < operator_num; ++i) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              afl->core_operator_cycles_puppet_v2[i] =
*08b48e0bSAndroid Build Coastguard Worker                  afl->core_operator_cycles_puppet[i];
*08b48e0bSAndroid Build Coastguard Worker              afl->core_operator_cycles_puppet_v3[i] =
*08b48e0bSAndroid Build Coastguard Worker                  afl->core_operator_cycles_puppet[i];
*08b48e0bSAndroid Build Coastguard Worker              afl->core_operator_finds_puppet_v2[i] =
*08b48e0bSAndroid Build Coastguard Worker                  afl->core_operator_finds_puppet[i];
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            double swarm_eff = 0.0;
*08b48e0bSAndroid Build Coastguard Worker            afl->swarm_now = 0;
*08b48e0bSAndroid Build Coastguard Worker            for (i = 0; i < swarm_num; ++i) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              if (afl->swarm_fitness[i] > swarm_eff) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker                swarm_eff = afl->swarm_fitness[i];
*08b48e0bSAndroid Build Coastguard Worker                afl->swarm_now = i;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            if (afl->swarm_now < 0 || afl->swarm_now > swarm_num - 1) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker              PFATAL("swarm_now error number  %d", afl->swarm_now);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          }                               /* if afl->swarm_now == swarm_num */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          /* adjust pointers dependent on 'afl->swarm_now' */
*08b48e0bSAndroid Build Coastguard Worker          afl->mopt_globals_pilot.finds =
*08b48e0bSAndroid Build Coastguard Worker              afl->stage_finds_puppet[afl->swarm_now];
*08b48e0bSAndroid Build Coastguard Worker          afl->mopt_globals_pilot.finds_v2 =
*08b48e0bSAndroid Build Coastguard Worker              afl->stage_finds_puppet_v2[afl->swarm_now];
*08b48e0bSAndroid Build Coastguard Worker          afl->mopt_globals_pilot.cycles =
*08b48e0bSAndroid Build Coastguard Worker              afl->stage_cycles_puppet[afl->swarm_now];
*08b48e0bSAndroid Build Coastguard Worker          afl->mopt_globals_pilot.cycles_v2 =
*08b48e0bSAndroid Build Coastguard Worker              afl->stage_cycles_puppet_v2[afl->swarm_now];
*08b48e0bSAndroid Build Coastguard Worker          afl->mopt_globals_pilot.cycles_v3 =
*08b48e0bSAndroid Build Coastguard Worker              afl->stage_cycles_puppet_v3[afl->swarm_now];
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          for (i = 0; i < operator_num; i++) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker            afl->core_operator_finds_puppet[i] =
*08b48e0bSAndroid Build Coastguard Worker                afl->core_operator_finds_puppet_v2[i];
*08b48e0bSAndroid Build Coastguard Worker            afl->core_operator_cycles_puppet[i] =
*08b48e0bSAndroid Build Coastguard Worker                afl->core_operator_cycles_puppet_v2[i];
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          afl->key_module = 2;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker          afl->old_hit_count = new_hit_cnt;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        }                                                  /* if pilot_mode */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }         /* if (unlikely(*MOpt_globals.pTime > MOpt_globals.period)) */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }                                                              /* block */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }                                                                /* block */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  ++afl->queue_cur->fuzz_level;
*08b48e0bSAndroid Build Coastguard Worker  return ret_val;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#undef FLIP_BIT
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workeru8 core_fuzzing(afl_state_t *afl) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  return mopt_common_fuzzing(afl, afl->mopt_globals_core);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workeru8 pilot_fuzzing(afl_state_t *afl) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  return mopt_common_fuzzing(afl, afl->mopt_globals_pilot);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Workervoid pso_updating(afl_state_t *afl) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->g_now++;
*08b48e0bSAndroid Build Coastguard Worker  if (afl->g_now > afl->g_max) { afl->g_now = 0; }
*08b48e0bSAndroid Build Coastguard Worker  afl->w_now =
*08b48e0bSAndroid Build Coastguard Worker      (afl->w_init - afl->w_end) * (afl->g_max - afl->g_now) / (afl->g_max) +
*08b48e0bSAndroid Build Coastguard Worker      afl->w_end;
*08b48e0bSAndroid Build Coastguard Worker  int tmp_swarm, i, j;
*08b48e0bSAndroid Build Coastguard Worker  u64 temp_operator_finds_puppet = 0;
*08b48e0bSAndroid Build Coastguard Worker  for (i = 0; i < operator_num; ++i) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    afl->operator_finds_puppet[i] = afl->core_operator_finds_puppet[i];
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    for (j = 0; j < swarm_num; ++j) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      afl->operator_finds_puppet[i] =
*08b48e0bSAndroid Build Coastguard Worker          afl->operator_finds_puppet[i] + afl->stage_finds_puppet[j][i];
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    temp_operator_finds_puppet =
*08b48e0bSAndroid Build Coastguard Worker        temp_operator_finds_puppet + afl->operator_finds_puppet[i];
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  for (i = 0; i < operator_num; ++i) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (afl->operator_finds_puppet[i]) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      afl->G_best[i] = (double)((double)(afl->operator_finds_puppet[i]) /
*08b48e0bSAndroid Build Coastguard Worker                                (double)(temp_operator_finds_puppet));
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  for (tmp_swarm = 0; tmp_swarm < swarm_num; ++tmp_swarm) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    double x_temp = 0.0;
*08b48e0bSAndroid Build Coastguard Worker    for (i = 0; i < operator_num; ++i) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      afl->probability_now[tmp_swarm][i] = 0.0;
*08b48e0bSAndroid Build Coastguard Worker      afl->v_now[tmp_swarm][i] =
*08b48e0bSAndroid Build Coastguard Worker          afl->w_now * afl->v_now[tmp_swarm][i] +
*08b48e0bSAndroid Build Coastguard Worker          RAND_C * (afl->L_best[tmp_swarm][i] - afl->x_now[tmp_swarm][i]) +
*08b48e0bSAndroid Build Coastguard Worker          RAND_C * (afl->G_best[i] - afl->x_now[tmp_swarm][i]);
*08b48e0bSAndroid Build Coastguard Worker      afl->x_now[tmp_swarm][i] += afl->v_now[tmp_swarm][i];
*08b48e0bSAndroid Build Coastguard Worker      if (afl->x_now[tmp_swarm][i] > v_max) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        afl->x_now[tmp_swarm][i] = v_max;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      } else if (afl->x_now[tmp_swarm][i] < v_min) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        afl->x_now[tmp_swarm][i] = v_min;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      x_temp += afl->x_now[tmp_swarm][i];
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    for (i = 0; i < operator_num; ++i) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      afl->x_now[tmp_swarm][i] = afl->x_now[tmp_swarm][i] / x_temp;
*08b48e0bSAndroid Build Coastguard Worker      if (likely(i != 0)) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        afl->probability_now[tmp_swarm][i] =
*08b48e0bSAndroid Build Coastguard Worker            afl->probability_now[tmp_swarm][i - 1] + afl->x_now[tmp_swarm][i];
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker        afl->probability_now[tmp_swarm][i] = afl->x_now[tmp_swarm][i];
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (afl->probability_now[tmp_swarm][operator_num - 1] < 0.99 ||
*08b48e0bSAndroid Build Coastguard Worker        afl->probability_now[tmp_swarm][operator_num - 1] > 1.01) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      FATAL("ERROR probability");
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  afl->swarm_now = 0;
*08b48e0bSAndroid Build Coastguard Worker  afl->key_module = 0;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker/* The entry point for the mutator, choosing the default mutator, and/or MOpt
*08b48e0bSAndroid Build Coastguard Worker   depending on the configuration. */
*08b48e0bSAndroid Build Coastguard Workeru8 fuzz_one(afl_state_t *afl) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  int key_val_lv_1 = -1, key_val_lv_2 = -1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#ifdef _AFL_DOCUMENT_MUTATIONS
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  u8 path_buf[PATH_MAX];
*08b48e0bSAndroid Build Coastguard Worker  if (afl->do_document == 0) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    snprintf(path_buf, PATH_MAX, "%s/mutations", afl->out_dir);
*08b48e0bSAndroid Build Coastguard Worker    afl->do_document = mkdir(path_buf, 0700);  // if it exists we do not care
*08b48e0bSAndroid Build Coastguard Worker    afl->do_document = 1;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  } else {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    afl->do_document = 2;
*08b48e0bSAndroid Build Coastguard Worker    afl->stop_soon = 2;
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker#endif
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  /*
*08b48e0bSAndroid Build Coastguard Worker     -L command line paramter => limit_time_sig value
*08b48e0bSAndroid Build Coastguard Worker       limit_time_sig == 0 then run the default mutator
*08b48e0bSAndroid Build Coastguard Worker       limit_time_sig  > 0 then run MOpt
*08b48e0bSAndroid Build Coastguard Worker       limit_time_sig  < 0 both are run
*08b48e0bSAndroid Build Coastguard Worker  */
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (afl->limit_time_sig <= 0) { key_val_lv_1 = fuzz_one_original(afl); }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (afl->limit_time_sig != 0) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    if (afl->key_module == 0) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      key_val_lv_2 = pilot_fuzzing(afl);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    } else if (afl->key_module == 1) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      key_val_lv_2 = core_fuzzing(afl);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    } else if (afl->key_module == 2) {
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker      pso_updating(afl);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker    }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  if (unlikely(key_val_lv_1 == -1)) { key_val_lv_1 = 0; }
*08b48e0bSAndroid Build Coastguard Worker  if (likely(key_val_lv_2 == -1)) { key_val_lv_2 = 0; }
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker  return (key_val_lv_1 | key_val_lv_2);
*08b48e0bSAndroid Build Coastguard Worker
*08b48e0bSAndroid Build Coastguard Worker}
*08b48e0bSAndroid Build Coastguard Worker