add cmplog stats to experiment

include/afl-fuzz.h

@@ -201,6 +201,7 @@ struct queue_entry {
   u32 len;                              /* Input length                     */
   u32 id;                               /* entry number in queue_buf        */
   u32 found;
+  s32 cmp, fcmp, rtn;
 
   u8 colorized,                         /* Do not run redqueen stage again  */
       cal_failed;                       /* Calibration failed?              */

instrumentation/afl-llvm-common.cc

@@ -342,7 +342,12 @@ bool isIgnoreFunction(const llvm::Function *F) {
 
   for (auto const &ignoreListFunc : ignoreList) {
 
+
+#if LLVM_VERSION_MAJOR < 19
     if (F->getName().startswith(ignoreListFunc)) { return true; }
+#else
+    if (F->getName().starts_with(ignoreListFunc)) { return true; }
+#endif
 
   }
 

instrumentation/compare-transform-pass.so.cc

@@ -531,11 +531,17 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp,
 
     }
 
+#if LLVM_VERSION_MAJOR < 19
+  #define FUCKLLVM startswith
+#else
+  #define FUCKLLVM starts_with
+#endif
+
     if (!isSizedcmp) needs_null = true;
-    if (Callee->getName().startswith("g_") ||
+    if (Callee->getName().FUCKLLVM("g_") ||
-        Callee->getName().startswith("curl_") ||
+        Callee->getName().FUCKLLVM("curl_") ||
-        Callee->getName().startswith("Curl_") ||
+        Callee->getName().FUCKLLVM("Curl_") ||
-        Callee->getName().startswith("xml"))
+        Callee->getName().FUCKLLVM("xml"))
       nullCheck = true;
 
     Value *sizedValue = isSizedcmp ? callInst->getArgOperand(2) : NULL;

src/afl-fuzz-queue.c

@@ -107,7 +107,7 @@ double compute_weight(afl_state_t *afl, struct queue_entry *q,
     fprintf(stderr, "  after step 6: %.2f (favored)\n", weight);
   #endif
   */
-  if (unlikely(!q->was_fuzzed)) { weight *= 3; }
+  if (unlikely(!q->was_fuzzed)) { weight *= 5; }
 #ifdef DEBUG_QUEUE
   fprintf(stderr, "  after step 7: %.2f (was_fuzzed)\n", weight);
 #endif
@@ -635,6 +635,8 @@ void add_to_queue(afl_state_t *afl, u8 *fname, u32 len, u8 passed_det) {
   q->trace_mini = NULL;
   q->testcase_buf = NULL;
   q->mother = afl->queue_cur;
+  q->cmp = q->fcmp = q->rtn = -1;
+
   afl->queue_cur->found++;
   q->score = afl->current_score;
   if (unlikely(!q->score)) { q->score = 1; }

src/afl-fuzz-redqueen.c

@@ -3072,6 +3072,8 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len) {
   afl->stage_max = 0;
   afl->stage_cur = 0;
 
+  afl->queue_cur->cmp = afl->queue_cur->fcmp = afl->queue_cur->rtn = 0;
+
   u32 lvl = (afl->queue_cur->colorized ? 0 : LVL1) +
             (afl->cmplog_lvl == CMPLOG_LVL_MAX ? LVL3 : 0);
 
@@ -3087,6 +3089,13 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len) {
   u32 k;
   for (k = 0; k < CMP_MAP_W; ++k) {
 
+    if (afl->shm.cmp_map->headers[k].type != CMP_TYPE_INS)
+      afl->queue_cur->rtn++;
+    else if (unlikely((afl->shm.cmp_map->headers[k].attribute & 8) == 8))
+      afl->queue_cur->fcmp++;
+    else
+      afl->queue_cur->cmp++;
+
     if (!afl->shm.cmp_map->headers[k].hits) { continue; }
 
     if (afl->pass_stats[k].faileds >= CMPLOG_FAIL_MAX ||

src/afl-fuzz.c

@@ -3085,10 +3085,12 @@ stop_fuzzing:
                 "has_new_cov=%u "
                 "var_behavior=%u favored=%u fs_redundant=%u disabled=%u "
                 "bitmap_size=%u tc_ref=%u fuzz_level=%u was_fuzzed=%u "
+                "cmp=%d fcmp=%d rtn=%d "
                 "mother=%d found=%u perf_score=%.2f weight=%.2f score=%u\n",
                 k, q->fname, q->len, q->exec_us, q->total_execs, q->has_new_cov,
                 q->var_behavior, q->favored, q->fs_redundant, q->disabled,
                 q->bitmap_size, q->tc_ref, q->fuzz_level, q->was_fuzzed,
+                q->cmp, q->fcmp, q->rtn,
                 q->mother == NULL ? -1 : (int)q->mother->id, q->found,
                 q->perf_score, q->weight, q->score);