correct map size for small targets

TODO.md

@@ -2,13 +2,11 @@
 
 ## Roadmap 3.00+
 
- - align map to 64 bytes but keep real IDs
  - Update afl->pending_not_fuzzed for MOpt
  - put fuzz target in top line of UI
  - afl-plot to support multiple plot_data
  - afl_custom_fuzz_splice_optin()
  - afl_custom_splice()
- - intel-pt tracer
  - better autodetection of shifting runtime timeout values
  - cmplog: use colorization input for havoc?
  - parallel builds for source-only targets

include/forkserver.h

@@ -54,6 +54,7 @@ typedef struct afl_forkserver {
   u32 exec_tmout;                       /* Configurable exec timeout (ms)   */
   u32 init_tmout;                       /* Configurable init timeout (ms)   */
   u32 map_size;                         /* map size used by the target      */
+  u32 real_map_size;                    /* real map size, unaligned         */
   u32 snapshot;                         /* is snapshot feature used         */
   u64 mem_limit;                        /* Memory cap for child (MB)        */
 

instrumentation/afl-compiler-rt.o.c

@@ -271,12 +271,6 @@ static void __afl_map_shm(void) {
 
   if (__afl_final_loc) {
 
-    if (__afl_final_loc % 64) {
-
-      __afl_final_loc = (((__afl_final_loc + 63) >> 6) << 6);
-
-    }
-
     __afl_map_size = __afl_final_loc;
 
     if (__afl_final_loc > MAP_SIZE) {

src/afl-forkserver.c

@@ -90,6 +90,7 @@ void afl_fsrv_init(afl_forkserver_t *fsrv) {
   /* exec related stuff */
   fsrv->child_pid = -1;
   fsrv->map_size = get_map_size();
+  fsrv->real_map_size = fsrv->map_size;
   fsrv->use_fauxsrv = false;
   fsrv->last_run_timed_out = false;
   fsrv->debug = false;
@@ -110,6 +111,7 @@ void afl_fsrv_init_dup(afl_forkserver_t *fsrv_to, afl_forkserver_t *from) {
   fsrv_to->init_tmout = from->init_tmout;
   fsrv_to->mem_limit = from->mem_limit;
   fsrv_to->map_size = from->map_size;
+  fsrv_to->real_map_size = from->real_map_size;
   fsrv_to->support_shmem_fuzz = from->support_shmem_fuzz;
   fsrv_to->out_file = from->out_file;
   fsrv_to->dev_urandom_fd = from->dev_urandom_fd;
@@ -691,15 +693,15 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
 
         if (!fsrv->map_size) { fsrv->map_size = MAP_SIZE; }
 
-        if (unlikely(tmp_map_size % 64)) {
+        fsrv->real_map_size = tmp_map_size;
+
+        if (tmp_map_size % 64) {
 
-          // should not happen
-          WARNF("Target reported non-aligned map size of %u", tmp_map_size);
           tmp_map_size = (((tmp_map_size + 63) >> 6) << 6);
 
         }
 
-        if (!be_quiet) { ACTF("Target map size: %u", tmp_map_size); }
+        if (!be_quiet) { ACTF("Target map size: %u", fsrv->real_map_size); }
         if (tmp_map_size > fsrv->map_size) {
 
           FATAL(

src/afl-fuzz-run.c

@@ -424,8 +424,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
         }
 
         var_detected = 1;
-        afl->stage_max =
+        afl->stage_max = afl->afl_env.afl_cal_fast ? CAL_CYCLES : CAL_CYCLES_LONG;
-            afl->afl_env.afl_cal_fast ? CAL_CYCLES : CAL_CYCLES_LONG;
 
       } else {
 

src/afl-fuzz-stats.c

@@ -264,6 +264,7 @@ void write_stats_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg,
           "peak_rss_mb       : %lu\n"
           "cpu_affinity      : %d\n"
           "edges_found       : %u\n"
+          "total_edges       : %u\n"
           "var_byte_count    : %u\n"
           "havoc_expansion   : %u\n"
           "testcache_size    : %llu\n"
@@ -303,10 +304,10 @@ void write_stats_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg,
 #else
           -1,
 #endif
-          t_bytes, afl->var_byte_count, afl->expand_havoc,
+          t_bytes, afl->fsrv.real_map_size, afl->var_byte_count,
-          afl->q_testcase_cache_size, afl->q_testcase_cache_count,
+          afl->expand_havoc, afl->q_testcase_cache_size,
-          afl->q_testcase_evictions, afl->use_banner,
+          afl->q_testcase_cache_count, afl->q_testcase_evictions,
-          afl->unicorn_mode ? "unicorn" : "",
+          afl->use_banner, afl->unicorn_mode ? "unicorn" : "",
           afl->fsrv.qemu_mode ? "qemu " : "",
           afl->non_instrumented_mode ? " non_instrumented " : "",
           afl->no_forkserver ? "no_fsrv " : "", afl->crash_mode ? "crash " : "",
@@ -326,7 +327,7 @@ void write_stats_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg,
 
     u32 i = 0;
     fprintf(f, "virgin_bytes     :");
-    for (i = 0; i < afl->fsrv.map_size; i++) {
+    for (i = 0; i < afl->fsrv.real_map_size; i++) {
 
       if (afl->virgin_bits[i] != 0xff) {
 
@@ -338,7 +339,7 @@ void write_stats_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg,
 
     fprintf(f, "\n");
     fprintf(f, "var_bytes        :");
-    for (i = 0; i < afl->fsrv.map_size; i++) {
+    for (i = 0; i < afl->fsrv.real_map_size; i++) {
 
       if (afl->var_bytes[i]) { fprintf(f, " %u", i); }
 
@@ -520,7 +521,7 @@ void show_stats(afl_state_t *afl) {
   /* Do some bitmap stats. */
 
   t_bytes = count_non_255_bytes(afl, afl->virgin_bits);
-  t_byte_ratio = ((double)t_bytes * 100) / afl->fsrv.map_size;
+  t_byte_ratio = ((double)t_bytes * 100) / afl->fsrv.real_map_size;
 
   if (likely(t_bytes) && unlikely(afl->var_byte_count)) {
 
@@ -781,7 +782,7 @@ void show_stats(afl_state_t *afl) {
   SAYF(bV bSTOP "  now processing : " cRST "%-18s " bSTG bV bSTOP, tmp);
 
   sprintf(tmp, "%0.02f%% / %0.02f%%",
-          ((double)afl->queue_cur->bitmap_size) * 100 / afl->fsrv.map_size,
+          ((double)afl->queue_cur->bitmap_size) * 100 / afl->fsrv.real_map_size,
           t_byte_ratio);
 
   SAYF("    map density : %s%-19s" bSTG bV "\n",