fix update_bitmap_score when no current trace is present

This commit is contained in:
vanhauser-thc
2025-04-09 14:21:42 +02:00
parent 891b7f48f0
commit 4ff2673895
8 changed files with 65 additions and 61 deletions


@ -11,6 +11,7 @@
- memory leak fixes by @kcwu - thanks!
- some more nits and small memory saves thanks to @kcwu
- remove deprecated files from queue/.state
- fix bitmap update function if no current trace is present
- frida_mode:
- fixes for new MacOS + M4 hardware


@ -1186,7 +1186,7 @@ void deinit_py(void *);
void mark_as_det_done(afl_state_t *, struct queue_entry *);
void add_to_queue(afl_state_t *, u8 *, u32, u8);
void destroy_queue(afl_state_t *);
void update_bitmap_score(afl_state_t *, struct queue_entry *);
void update_bitmap_score(afl_state_t *, struct queue_entry *, bool);
void cull_queue(afl_state_t *);
u32 calculate_score(afl_state_t *, struct queue_entry *);


@ -490,8 +490,7 @@ u8 __attribute__((hot)) save_if_interesting(afl_state_t *afl, void *mem,
u8 fn[PATH_MAX];
u8 *queue_fn = "";
u8 new_bits = 0, keeping = 0, res, classified = 0, is_timeout = 0,
need_hash = 1;
u8 new_bits = 0, keeping = 0, res, is_timeout = 0, need_hash = 1;
s32 fd;
u64 cksum = 0;
u32 cksum_simplified = 0, cksum_unique = 0;
@ -508,7 +507,6 @@ u8 __attribute__((hot)) save_if_interesting(afl_state_t *afl, void *mem,
if (unlikely(afl->schedule >= FAST && afl->schedule <= RARE)) {
classify_counts(&afl->fsrv);
classified = 1;
need_hash = 0;
cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
@ -632,7 +630,6 @@ u8 __attribute__((hot)) save_if_interesting(afl_state_t *afl, void *mem,
afl->san_case_status |= NON_COV_INCREASE_BUG;
fault = san_fault;
classified = new_bits;
goto may_save_fault;
}
@ -640,7 +637,6 @@ u8 __attribute__((hot)) save_if_interesting(afl_state_t *afl, void *mem,
}
fault = san_fault;
classified = new_bits;
save_to_queue:


@ -636,7 +636,7 @@ u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf,
q->len = out_len;
memcpy(afl->fsrv.trace_bits, afl->clean_trace_custom, afl->fsrv.map_size);
update_bitmap_score(afl, q);
update_bitmap_score(afl, q, true);
}


@ -794,7 +794,8 @@ void destroy_queue(afl_state_t *afl) {
previous contender, or if the contender has a more favorable speed x size
factor. */
void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) {
void update_bitmap_score(afl_state_t *afl, struct queue_entry *q,
bool have_trace) {
u32 i;
u64 fav_factor;
@ -824,75 +825,80 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) {
}
/* For every byte set in afl->fsrv.trace_bits[], see if there is a previous
winner, and how it compares to us. */
for (i = 0; i < afl->fsrv.map_size; ++i) {
if (have_trace) {
if (afl->fsrv.trace_bits[i]) {
/* For every byte set in afl->fsrv.trace_bits[], see if there is a previous
winner, and how it compares to us. */
for (i = 0; i < afl->fsrv.map_size; ++i) {
if (afl->top_rated[i]) {
if (afl->fsrv.trace_bits[i]) {
/* Faster-executing or smaller test cases are favored. */
u64 top_rated_fav_factor;
u64 top_rated_fuzz_p2;
if (afl->top_rated[i]) {
if (unlikely(afl->schedule >= FAST && afl->schedule < RARE)) {
/* Faster-executing or smaller test cases are favored. */
u64 top_rated_fav_factor;
u64 top_rated_fuzz_p2;
top_rated_fuzz_p2 = 0; // Skip the fuzz_p2 comparison
if (unlikely(afl->schedule >= FAST && afl->schedule < RARE)) {
} else if (unlikely(afl->schedule == RARE)) {
top_rated_fuzz_p2 = 0; // Skip the fuzz_p2 comparison
top_rated_fuzz_p2 =
next_pow2(afl->n_fuzz[afl->top_rated[i]->n_fuzz_entry]);
} else if (unlikely(afl->schedule == RARE)) {
} else {
top_rated_fuzz_p2 =
next_pow2(afl->n_fuzz[afl->top_rated[i]->n_fuzz_entry]);
top_rated_fuzz_p2 = afl->top_rated[i]->fuzz_level;
} else {
top_rated_fuzz_p2 = afl->top_rated[i]->fuzz_level;
}
if (unlikely(afl->schedule >= RARE) || unlikely(afl->fixed_seed)) {
top_rated_fav_factor = afl->top_rated[i]->len << 2;
} else {
top_rated_fav_factor =
afl->top_rated[i]->exec_us * afl->top_rated[i]->len;
}
if (likely(fuzz_p2 > top_rated_fuzz_p2)) { continue; }
if (likely(fav_factor > top_rated_fav_factor)) { continue; }
/* Looks like we're going to win. Decrease ref count for the
previous winner, discard its afl->fsrv.trace_bits[] if necessary.
*/
if (!--afl->top_rated[i]->tc_ref) {
ck_free(afl->top_rated[i]->trace_mini);
afl->top_rated[i]->trace_mini = NULL;
}
}
if (unlikely(afl->schedule >= RARE) || unlikely(afl->fixed_seed)) {
/* Insert ourselves as the new winner. */
top_rated_fav_factor = afl->top_rated[i]->len << 2;
afl->top_rated[i] = q;
++q->tc_ref;
} else {
if (!q->trace_mini) {
top_rated_fav_factor =
afl->top_rated[i]->exec_us * afl->top_rated[i]->len;
u32 len = ((afl->fsrv.map_size + 7) >> 3);
q->trace_mini = (u8 *)ck_alloc(len);
minimize_bits(afl, q->trace_mini, afl->fsrv.trace_bits);
}
if (likely(fuzz_p2 > top_rated_fuzz_p2)) { continue; }
if (likely(fav_factor > top_rated_fav_factor)) { continue; }
/* Looks like we're going to win. Decrease ref count for the
previous winner, discard its afl->fsrv.trace_bits[] if necessary. */
if (!--afl->top_rated[i]->tc_ref) {
ck_free(afl->top_rated[i]->trace_mini);
afl->top_rated[i]->trace_mini = NULL;
}
afl->score_changed = 1;
}
/* Insert ourselves as the new winner. */
afl->top_rated[i] = q;
++q->tc_ref;
if (!q->trace_mini) {
u32 len = ((afl->fsrv.map_size + 7) >> 3);
q->trace_mini = (u8 *)ck_alloc(len);
minimize_bits(afl, q->trace_mini, afl->fsrv.trace_bits);
}
afl->score_changed = 1;
}
}
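Review bot: The new `have_trace` parameter is undocumented and there is no early exit for it: the `fuzz_p2`/`fav_factor` computation above this hunk still runs when `have_trace` is false and its results are simply dropped, because the whole `top_rated` loop now sits inside `if (have_trace)`. A guard placed before that computation, `if (!have_trace) { return; }  /* trace_bits does not belong to q; nothing to compare */`, would make the contract explicit and remove one indentation level from the loop body. I would also extend the header comment in the preceding hunk with a line such as `have_trace: afl->fsrv.trace_bits holds q's own trace; when false, top_rated, tc_ref and score_changed are left untouched`, since that is exactly what the two callers in `main()` that pass `false` now get. The function definition begins in the previous hunk of this file.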


@ -652,7 +652,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
afl->total_bitmap_size += q->bitmap_size;
++afl->total_bitmap_entries;
update_bitmap_score(afl, q);
update_bitmap_score(afl, q, true);
/* If this case didn't result in new output from the instrumentation, tell
parent. This is a non-critical problem, but something to warn the user
@ -1161,7 +1161,7 @@ u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) {
queue_testcase_retake_mem(afl, q, in_buf, q->len, orig_len);
memcpy(afl->fsrv.trace_bits, afl->clean_trace, afl->fsrv.map_size);
update_bitmap_score(afl, q);
update_bitmap_score(afl, q, true);
}


@ -2857,7 +2857,7 @@ int main(int argc, char **argv_orig, char **envp) {
afl->total_bitmap_size += q->bitmap_size;
++afl->total_bitmap_entries;
update_bitmap_score(afl, q);
update_bitmap_score(afl, q, false);
if (q->was_fuzzed) { --afl->pending_not_fuzzed; }
@ -3231,7 +3231,7 @@ int main(int argc, char **argv_orig, char **envp) {
if (likely(!afl->queue_buf[i]->disabled)) {
update_bitmap_score(afl, afl->queue_buf[i]);
update_bitmap_score(afl, afl->queue_buf[i], false);
}
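Review bot: The loop in the second hunk now calls `update_bitmap_score(afl, afl->queue_buf[i], false)` for every enabled entry, but with this commit's definition a `false` trace flag skips the whole `top_rated` comparison, so this loop no longer changes any favorite and should either be removed or carry a comment explaining why it is kept. If the intent is to rebuild the favored set for the entire queue, each entry would presumably need its trace re-executed (or compared through its stored `trace_mini`) before the call; I cannot see the surrounding code to tell which applies. The enclosing `main()` starts and ends outside both hunks.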


@ -159,10 +159,11 @@ void show_stats(afl_state_t *afl) {
}
void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) {
void update_bitmap_score(afl_state_t *afl, struct queue_entry *q, bool x) {
(void)afl;
(void)q;
(void)x;
}
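Review bot: The new parameter of this stub is named `x` while the real definition calls it `have_trace`; using the same name, `void update_bitmap_score(afl_state_t *afl, struct queue_entry *q, bool have_trace) {` with `(void)have_trace;`, keeps the two signatures readable side by side and tells a reader what the flag means even in the no-op version. A one-line comment above the stub stating that this build does not track favorites would also help, since nothing here says why the body is empty.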