diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index 2380b289..a098ff07 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -201,6 +201,7 @@ struct queue_entry {
 u32 len; /* Input length */
 u32 id; /* entry number in queue_buf */
 u32 found;
+ s32 cmp, fcmp, rtn;
 u8 colorized, /* Do not run redqueen stage again */
 cal_failed; /* Calibration failed? */
diff --git a/instrumentation/afl-llvm-common.cc b/instrumentation/afl-llvm-common.cc
index ab9834f2..85aea005 100644
--- a/instrumentation/afl-llvm-common.cc
+++ b/instrumentation/afl-llvm-common.cc
@@ -342,7 +342,12 @@ bool isIgnoreFunction(const llvm::Function *F) {
 for (auto const &ignoreListFunc : ignoreList) {
+
+#if LLVM_VERSION_MAJOR < 19
 if (F->getName().startswith(ignoreListFunc)) { return true; }
+#else
+ if (F->getName().starts_with(ignoreListFunc)) { return true; }
+#endif
 }
diff --git a/instrumentation/compare-transform-pass.so.cc b/instrumentation/compare-transform-pass.so.cc
index 496d69fc..8628c477 100644
--- a/instrumentation/compare-transform-pass.so.cc
+++ b/instrumentation/compare-transform-pass.so.cc
@@ -531,11 +531,17 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp,
 }
+#if LLVM_VERSION_MAJOR < 19
+ #define FUCKLLVM startswith
+#else
+ #define FUCKLLVM starts_with
+#endif
+
 if (!isSizedcmp) needs_null = true;
- if (Callee->getName().startswith("g_") ||
- Callee->getName().startswith("curl_") ||
- Callee->getName().startswith("Curl_") ||
- Callee->getName().startswith("xml"))
+ if (Callee->getName().FUCKLLVM("g_") ||
+ Callee->getName().FUCKLLVM("curl_") ||
+ Callee->getName().FUCKLLVM("Curl_") ||
+ Callee->getName().FUCKLLVM("xml"))
 nullCheck = true;
 Value *sizedValue = isSizedcmp ? callInst->getArgOperand(2) : NULL;
diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c
index 4dacd1c0..77629ef2 100644
--- a/src/afl-fuzz-queue.c
+++ b/src/afl-fuzz-queue.c
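Review bot: The new `s32 cmp, fcmp, rtn;` line in struct queue_entry is the only field in this hunk without a comment, while its neighbours are annotated (`/* Input length */`, `/* Do not run redqueen stage again */`), and the diff records nowhere what the three counters mean or why afl-fuzz-queue.c initialises them to -1 while afl-fuzz-redqueen.c resets them to 0. Suggest `s32 cmp, fcmp, rtn; /* cmplog header counts per type, set by input_to_state_stage; -1 until that stage has run for this entry */`. The three names presumably stand for integer compares, float compares and routine (rtn) compares, going by the `CMP_TYPE_INS` / `attribute & 8` split in the redqueen hunk, but that should be confirmed against the cmplog definitions before it is written into the header.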
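Review bot: The LLVM 19 `startswith` vs `starts_with` compatibility is solved two different ways in two files: afl-llvm-common.cc duplicates the entire `if (...) { return true; }` statement on both sides of `#if LLVM_VERSION_MAJOR < 19`, while compare-transform-pass.so.cc defines a macro `FUCKLLVM` in the middle of `transformCmps` and never `#undef`s it, so the macro (and its name) leak into everything compiled after that point in the translation unit. Both sites translate the same `StringRef` call, so one small inline helper shared by both files removes the duplication and the macro, and leaves a single place to touch when the next LLVM rename comes; the name below is only a suggestion. Both `isIgnoreFunction` and `transformCmps` start before their hunks and `transformCmps` continues after it.
```cpp
// Portable prefix test: llvm::StringRef::startswith was renamed starts_with.
static inline bool afl_starts_with(llvm::StringRef s, llvm::StringRef prefix) {
#if LLVM_VERSION_MAJOR < 19
  return s.startswith(prefix);
#else
  return s.starts_with(prefix);
#endif
}
// … unchanged: isIgnoreFunction up to the loop …
    if (afl_starts_with(F->getName(), ignoreListFunc)) { return true; }
// … in transformCmps, replacing the FUCKLLVM block and the four conditions …
      if (afl_starts_with(Callee->getName(), "g_") ||
          afl_starts_with(Callee->getName(), "curl_") ||
          afl_starts_with(Callee->getName(), "Curl_") ||
          afl_starts_with(Callee->getName(), "xml"))
```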
@@ -107,7 +107,7 @@ double compute_weight(afl_state_t *afl, struct queue_entry *q,
 fprintf(stderr, " after step 6: %.2f (favored)\n", weight);
 #endif
 */
- if (unlikely(!q->was_fuzzed)) { weight *= 3; }
+ if (unlikely(!q->was_fuzzed)) { weight *= 5; }
 #ifdef DEBUG_QUEUE
 fprintf(stderr, " after step 7: %.2f (was_fuzzed)\n", weight);
 #endif
@@ -635,6 +635,8 @@ void add_to_queue(afl_state_t *afl, u8 *fname, u32 len, u8 passed_det) {
 q->trace_mini = NULL;
 q->testcase_buf = NULL;
 q->mother = afl->queue_cur;
+ q->cmp = q->fcmp = q->rtn = -1;
+ afl->queue_cur->found++;
 q->score = afl->current_score;
 if (unlikely(!q->score)) { q->score = 1; }
diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c
index 9316da71..b21c46b4 100644
--- a/src/afl-fuzz-redqueen.c
+++ b/src/afl-fuzz-redqueen.c
@@ -3072,6 +3072,8 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len) {
 afl->stage_max = 0;
 afl->stage_cur = 0;
+ afl->queue_cur->cmp = afl->queue_cur->fcmp = afl->queue_cur->rtn = 0;
+
 u32 lvl = (afl->queue_cur->colorized ? 0 : LVL1) +
 (afl->cmplog_lvl == CMPLOG_LVL_MAX ? LVL3 : 0);
@@ -3087,6 +3089,13 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len) {
 u32 k;
 for (k = 0; k < CMP_MAP_W; ++k) {
+ if (afl->shm.cmp_map->headers[k].type != CMP_TYPE_INS)
+ afl->queue_cur->rtn++;
+ else if (unlikely((afl->shm.cmp_map->headers[k].attribute & 8) == 8))
+ afl->queue_cur->fcmp++;
+ else
+ afl->queue_cur->cmp++;
+
 if (!afl->shm.cmp_map->headers[k].hits) { continue; }
 if (afl->pass_stats[k].faileds >= CMPLOG_FAIL_MAX ||
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index f2df8e55..3e00dce5 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
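Review bot: The added `afl->queue_cur->found++;` in add_to_queue dereferences `afl->queue_cur` unconditionally, while the line just above it stores the same pointer as `q->mother` and the afl-fuzz.c hunk in this commit prints it with a `q->mother == NULL ? -1 : ...` guard, which indicates that entries are added while there is no current queue entry (initial seeds, presumably). Unless every such path is excluded elsewhere, this is a NULL dereference on the first add; guard it the same way the printer does: `if (afl->queue_cur) { afl->queue_cur->found++; }`. The body of add_to_queue starts and ends outside the hunk.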
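Review bot: In the second afl-fuzz-redqueen.c hunk the new cmp/fcmp/rtn classification runs before `if (!afl->shm.cmp_map->headers[k].hits) { continue; }`, so every one of the CMP_MAP_W header slots is counted, hit or not, and each slot is classified by whatever `type`/`attribute` an untouched header happens to hold; together with the reset to 0 in the first hunk, cmp + fcmp + rtn always sums to CMP_MAP_W and the figures later printed by afl-fuzz.c carry no information about this input. If the intent is to count comparisons the input actually reached, move the six classification lines below the `hits` check so only hit slots are tallied. The `(attribute & 8) == 8` test is also a bare magic number; give the bit a name or at least a comment such as `/* attribute bit 8: presumably the floating-point compare flag — confirm against the cmplog header definition */`. input_to_state_stage begins and continues outside both hunks.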
@@ -3085,10 +3085,12 @@ stop_fuzzing:
 "has_new_cov=%u "
 "var_behavior=%u favored=%u fs_redundant=%u disabled=%u "
 "bitmap_size=%u tc_ref=%u fuzz_level=%u was_fuzzed=%u "
+ "cmp=%d fcmp=%d rtn=%d "
 "mother=%d found=%u perf_score=%.2f weight=%.2f score=%u\n",
 k, q->fname, q->len, q->exec_us, q->total_execs, q->has_new_cov,
 q->var_behavior, q->favored, q->fs_redundant, q->disabled,
 q->bitmap_size, q->tc_ref, q->fuzz_level, q->was_fuzzed,
+ q->cmp, q->fcmp, q->rtn,
 q->mother == NULL ? -1 : (int)q->mother->id, q->found,
 q->perf_score, q->weight, q->score);