add -z switch

2025-06-14 11:08:06 +00:00 · 2023-04-05 12:59:20 +02:00
parent 5fea071ae9
commit 36127fb197
4 changed files with 14 additions and 2 deletions
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@ -12,6 +12,7 @@
    - fixed a crash in pizza (1st april easter egg) mode. Sorry for
      everyone who was affected!
    - allow pizza mode to be disabled when AFL_PIZZA_MODE is set to -1
+    - add -z switch to prefer new coverage findings in seed selection
  - afl-cc:
    - add CFI sanitizer variant to gcc targets
    - llvm 16 support (thanks to @devnexen!)
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@ -501,7 +501,8 @@ typedef struct afl_state {
      custom_splice_optout,             /* Custom mutator no splice buffer  */
      is_main_node,                     /* if this is the main node         */
      is_secondary_node,                /* if this is a secondary instance  */
-      pizza_is_served;                  /* pizza mode                       */
+      pizza_is_served,                  /* pizza mode                       */
+      prefer_new;                       /* prefer new queue entries         */

  u32 stats_update_freq;                /* Stats update frequency (execs)   */

--- a/src/afl-fuzz-queue.c
+++ b/src/afl-fuzz-queue.c
@ -74,9 +74,14 @@ double compute_weight(afl_state_t *afl, struct queue_entry *q,
  if (likely(afl->schedule < RARE)) { weight *= (avg_exec_us / q->exec_us); }
  weight *= (log(q->bitmap_size) / avg_bitmap_size);
  weight *= (1 + (q->tc_ref / avg_top_size));
-  if (unlikely(weight < 1.0)) { weight = 1.0; }
+  if (unlikely(weight < 0.1)) { weight = 0.1; }
  if (unlikely(q->favored)) { weight *= 5; }
  if (unlikely(!q->was_fuzzed)) { weight *= 2; }
+  if (unlikely(afl->prefer_new)) {
+
+    weight *= (2.0 * (q->id / (afl->queued_items - 1)));
+
+  }

  return weight;

--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@ -132,6 +132,7 @@ static void usage(u8 *argv0, int more_help) {
      "                  fast(default), explore, exploit, seek, rare, mmopt, "
      "coe, lin\n"
      "                  quad -- see docs/FAQ.md for more information\n"
+      "  -z            - prefer new coverage findings when fuzzing\n"
      "  -f file       - location read by the fuzzed program (default: stdin "
      "or @@)\n"
      "  -t msec       - timeout for each run (auto-scaled, default %u ms). "
@ -569,6 +570,10 @@ int main(int argc, char **argv_orig, char **envp) {
        afl->max_length = atoi(optarg);
        break;

+      case 'z':
+        afl->prefer_new = 1;
+        break;
+
      case 'Z':
        afl->old_seed_selection = 1;
        break;