no more (?) statics

This commit is contained in:
Dominik Maier
2020-03-19 22:54:09 +01:00
parent 0fa47bb867
commit 5b9d306cdf
10 changed files with 209 additions and 160 deletions


@ -109,8 +109,9 @@
#define CASE_PREFIX "id_" #define CASE_PREFIX "id_"
#endif /* ^!SIMPLE_FILES */ #endif /* ^!SIMPLE_FILES */
#define STAGE_BUF_SIZE (64) /* usable size of the stage name buf in afl_state \ #define STAGE_BUF_SIZE \
*/ (64) /* usable size of the stage name buf in afl_state \
*/
extern s8 interesting_8[INTERESTING_8_LEN]; extern s8 interesting_8[INTERESTING_8_LEN];
extern s16 interesting_16[INTERESTING_8_LEN + INTERESTING_16_LEN]; extern s16 interesting_16[INTERESTING_8_LEN + INTERESTING_16_LEN];
@ -801,10 +802,10 @@ u8 has_new_bits(afl_state_t *, u8 *);
/* Misc */ /* Misc */
u8 * DI(u64); u8 *DI(u8 *, size_t, u64);
u8 * DF(double); u8 *DF(u8 *, size_t, double);
u8 * DMS(u64); u8 *DMS(u8 *, size_t, u64);
void DTD(u8 *, size_t, u64, u64); u8 *DTD(u8 *, size_t, u64, u64);
/* Extras */ /* Extras */
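Review bot: The new prototypes for DI, DF, DMS and DTD in the `/* Misc */` hunk drop their parameter names, so a reader of the header cannot tell which `u8 *` is the output buffer or what the `size_t` bounds; keeping the names, e.g. `u8 *DI(u8 *buf, size_t len, u64 val);`, makes the contract visible where the prototype is read. The header also says nothing about the buffer contract the implementation relies on; a one-line comment above the group such as `/* Format into the caller-supplied buf (len bytes, at least 6 for DI/DMS) and return buf. */` would document it. Whether `len` may be zero is not stated anywhere in the hunk, so callers cannot tell from the header alone.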


@ -55,16 +55,16 @@ static void forkserver_stringify_int(u8 *buf, size_t len, u64 val) {
u8 cur = 0; u8 cur = 0;
#define CHK_FORMAT(_divisor, _limit_mult, _fmt, _cast) \ #define CHK_FORMAT(_divisor, _limit_mult, _fmt, _cast) \
do { \ do { \
\ \
if (val < (_divisor) * (_limit_mult)) { \ if (val < (_divisor) * (_limit_mult)) { \
\ \
snprintf(buf, len, _fmt, ((_cast)val) / (_divisor));\ snprintf(buf, len, _fmt, ((_cast)val) / (_divisor)); \
return; \ return; \
\ \
} \ } \
\ \
} while (0) } while (0)
cur = (cur + 1) % 12; cur = (cur + 1) % 12;
@ -454,7 +454,8 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv) {
} else { } else {
u8 mem_limit_buf[16]; u8 mem_limit_buf[16];
forkserver_stringify_int(mem_limit_buf, sizeof(mem_limit_buf), fsrv->mem_limit << 20); forkserver_stringify_int(mem_limit_buf, sizeof(mem_limit_buf),
fsrv->mem_limit << 20);
SAYF("\n" cLRD "[-] " cRST SAYF("\n" cLRD "[-] " cRST
"Whoops, the target binary crashed suddenly, " "Whoops, the target binary crashed suddenly, "
@ -524,7 +525,8 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv) {
} else { } else {
u8 mem_limit_buf[16]; u8 mem_limit_buf[16];
forkserver_stringify_int(mem_limit_buf, sizeof(mem_limit_buf), fsrv->mem_limit << 20); forkserver_stringify_int(mem_limit_buf, sizeof(mem_limit_buf),
fsrv->mem_limit << 20);
SAYF( SAYF(
"\n" cLRD "[-] " cRST "\n" cLRD "[-] " cRST


@ -465,6 +465,8 @@ static void write_crash_readme(afl_state_t *afl) {
s32 fd; s32 fd;
FILE *f; FILE *f;
u8 int_buf[16];
fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600); fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600);
ck_free(fn); ck_free(fn);
@ -501,7 +503,9 @@ static void write_crash_readme(afl_state_t *afl) {
" https://github.com/AFLplusplus/AFLplusplus\n\n", " https://github.com/AFLplusplus/AFLplusplus\n\n",
afl->orig_cmdline, DMS(afl->fsrv.mem_limit << 20)); /* ignore errors */ afl->orig_cmdline,
DMS(int_buf, sizeof(int_buf),
afl->fsrv.mem_limit << 20)); /* ignore errors */
fclose(f); fclose(f);


@ -264,6 +264,8 @@ void init_cmplog_forkserver(afl_state_t *afl) {
} else { } else {
u8 int_buf[16];
SAYF("\n" cLRD "[-] " cRST SAYF("\n" cLRD "[-] " cRST
"Whoops, the target binary crashed suddenly, " "Whoops, the target binary crashed suddenly, "
"before receiving any input\n" "before receiving any input\n"
@ -296,7 +298,8 @@ void init_cmplog_forkserver(afl_state_t *afl) {
"options\n" "options\n"
" fail, poke <afl-users@googlegroups.com> for troubleshooting " " fail, poke <afl-users@googlegroups.com> for troubleshooting "
"tips.\n", "tips.\n",
DMS(afl->fsrv.mem_limit << 20), afl->fsrv.mem_limit - 1); DMS(int_buf, sizeof(int_buf), afl->fsrv.mem_limit << 20),
afl->fsrv.mem_limit - 1);
} }
@ -331,6 +334,8 @@ void init_cmplog_forkserver(afl_state_t *afl) {
} else { } else {
u8 int_buf[16];
SAYF( SAYF(
"\n" cLRD "[-] " cRST "\n" cLRD "[-] " cRST
"Hmm, looks like the target binary terminated " "Hmm, looks like the target binary terminated "
@ -362,7 +367,8 @@ void init_cmplog_forkserver(afl_state_t *afl) {
"never\n" "never\n"
" reached before the program terminates.\n\n" " reached before the program terminates.\n\n"
: "", : "",
DMS(afl->fsrv.mem_limit << 20), afl->fsrv.mem_limit - 1); DMS(int_buf, sizeof(int_buf), afl->fsrv.mem_limit << 20),
afl->fsrv.mem_limit - 1);
} }


@ -55,6 +55,8 @@ void load_extras_file(afl_state_t *afl, u8 *fname, u32 *min_len, u32 *max_len,
u8 * lptr; u8 * lptr;
u32 cur_line = 0; u32 cur_line = 0;
u8 int_bufs[2][16];
f = fopen(fname, "r"); f = fopen(fname, "r");
if (!f) PFATAL("Unable to open '%s'", fname); if (!f) PFATAL("Unable to open '%s'", fname);
@ -170,8 +172,9 @@ void load_extras_file(afl_state_t *afl, u8 *fname, u32 *min_len, u32 *max_len,
afl->extras[afl->extras_cnt].len = klen; afl->extras[afl->extras_cnt].len = klen;
if (afl->extras[afl->extras_cnt].len > MAX_DICT_FILE) if (afl->extras[afl->extras_cnt].len > MAX_DICT_FILE)
FATAL("Keyword too big in line %u (%s, limit is %s)", cur_line, DMS(klen), FATAL("Keyword too big in line %u (%s, limit is %s)", cur_line,
DMS(MAX_DICT_FILE)); DMS(int_bufs[0], sizeof(int_bufs[0]), klen),
DMS(int_bufs[1], sizeof(int_bufs[1]), MAX_DICT_FILE));
if (*min_len > klen) *min_len = klen; if (*min_len > klen) *min_len = klen;
if (*max_len < klen) *max_len = klen; if (*max_len < klen) *max_len = klen;
@ -193,6 +196,8 @@ void load_extras(afl_state_t *afl, u8 *dir) {
u32 min_len = MAX_DICT_FILE, max_len = 0, dict_level = 0; u32 min_len = MAX_DICT_FILE, max_len = 0, dict_level = 0;
u8 * x; u8 * x;
u8 int_bufs[2][16];
/* If the name ends with @, extract level and continue. */ /* If the name ends with @, extract level and continue. */
if ((x = strchr(dir, '@'))) { if ((x = strchr(dir, '@'))) {
@ -238,8 +243,9 @@ void load_extras(afl_state_t *afl, u8 *dir) {
} }
if (st.st_size > MAX_DICT_FILE) if (st.st_size > MAX_DICT_FILE)
FATAL("Extra '%s' is too big (%s, limit is %s)", fn, DMS(st.st_size), FATAL("Extra '%s' is too big (%s, limit is %s)", fn,
DMS(MAX_DICT_FILE)); DMS(int_bufs[0], sizeof(int_bufs[0]), st.st_size),
DMS(int_bufs[1], sizeof(int_bufs[1]), MAX_DICT_FILE));
if (min_len > st.st_size) min_len = st.st_size; if (min_len > st.st_size) min_len = st.st_size;
if (max_len < st.st_size) max_len = st.st_size; if (max_len < st.st_size) max_len = st.st_size;
@ -273,11 +279,12 @@ check_and_sort:
compare_extras_len); compare_extras_len);
OKF("Loaded %u extra tokens, size range %s to %s.", afl->extras_cnt, OKF("Loaded %u extra tokens, size range %s to %s.", afl->extras_cnt,
DMS(min_len), DMS(max_len)); DMS(int_bufs[0], sizeof(int_bufs[0]), min_len),
DMS(int_bufs[1], sizeof(int_bufs[1]), max_len));
if (max_len > 32) if (max_len > 32)
WARNF("Some tokens are relatively large (%s) - consider trimming.", WARNF("Some tokens are relatively large (%s) - consider trimming.",
DMS(max_len)); DMS(int_bufs[0], sizeof(int_bufs[0]), max_len));
if (afl->extras_cnt > MAX_DET_EXTRAS) if (afl->extras_cnt > MAX_DET_EXTRAS)
WARNF("More than %d tokens - will use them probabilistically.", WARNF("More than %d tokens - will use them probabilistically.",


@ -323,6 +323,8 @@ void read_testcases(afl_state_t *afl) {
u32 i; u32 i;
u8 * fn1; u8 * fn1;
u8 int_buf[12][16];
/* Auto-detect non-in-place resumption attempts. */ /* Auto-detect non-in-place resumption attempts. */
fn1 = alloc_printf("%s/queue", afl->in_dir); fn1 = alloc_printf("%s/queue", afl->in_dir);
@ -389,8 +391,9 @@ void read_testcases(afl_state_t *afl) {
} }
if (st.st_size > MAX_FILE) if (st.st_size > MAX_FILE)
FATAL("Test case '%s' is too big (%s, limit is %s)", fn2, DMS(st.st_size), FATAL("Test case '%s' is too big (%s, limit is %s)", fn2,
DMS(MAX_FILE)); DMS(int_buf[0], sizeof(int_buf[0]), st.st_size),
DMS(int_buf[1], sizeof(int_buf[1]), MAX_FILE));
/* Check for metadata that indicates that deterministic fuzzing /* Check for metadata that indicates that deterministic fuzzing
is complete for this entry. We don't want to repeat deterministic is complete for this entry. We don't want to repeat deterministic
@ -553,6 +556,8 @@ void perform_dry_run(afl_state_t *afl) {
if (afl->fsrv.mem_limit) { if (afl->fsrv.mem_limit) {
u8 int_tmp[16];
SAYF("\n" cLRD "[-] " cRST SAYF("\n" cLRD "[-] " cRST
"Oops, the program crashed with one of the test cases provided. " "Oops, the program crashed with one of the test cases provided. "
"There are\n" "There are\n"
@ -593,8 +598,8 @@ void perform_dry_run(afl_state_t *afl) {
"other options\n" "other options\n"
" fail, poke <afl-users@googlegroups.com> for " " fail, poke <afl-users@googlegroups.com> for "
"troubleshooting tips.\n", "troubleshooting tips.\n",
DMS(afl->fsrv.mem_limit << 20), afl->fsrv.mem_limit - 1, DMS(int_tmp, sizeof(int_tmp), afl->fsrv.mem_limit << 20),
doc_path); afl->fsrv.mem_limit - 1, doc_path);
} else { } else {
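Review bot: `read_testcases` declares `u8 int_buf[12][16]` in its first hunk, but the hunks shown use only `int_buf[0]` and `int_buf[1]`; unless there are further uses outside these hunks, `u8 int_buf[2][16];` documents the actual need and avoids 160 bytes of unused stack per call. The rest of `read_testcases` lies outside the hunks, so other uses cannot be ruled out from here. The `int_tmp[16]` in `perform_dry_run` matches the sibling files and needs no change.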


@ -25,27 +25,22 @@
#include "afl-fuzz.h" #include "afl-fuzz.h"
/* Describe integer. Uses 12 cyclic static buffers for return values. The value /* Describe integer. The buf should be
returned should be five characters or less for all the integers we reasonably at least 6 bytes to fit all ints we randomly see.
expect to see. */ Will return buf for convenience. */
u8 *DI(u64 val) { u8 *DI(u8 *buf, size_t len, u64 val) {
\
static u8 tmp[12][16]; #define CHK_FORMAT(_divisor, _limit_mult, _fmt, _cast) \
static u8 cur; do { \
\
cur = (cur + 1) % 12; if (val < (_divisor) * (_limit_mult)) { \
\
#define CHK_FORMAT(_divisor, _limit_mult, _fmt, _cast) \ snprintf(buf, len, _fmt, ((_cast)val) / (_divisor)); \
do { \ return buf; \
\ \
if (val < (_divisor) * (_limit_mult)) { \ } \
\ \
sprintf(tmp[cur], _fmt, ((_cast)val) / (_divisor)); \
return tmp[cur]; \
\
} \
\
} while (0) } while (0)
/* 0-9999 */ /* 0-9999 */
@ -82,44 +77,38 @@ u8 *DI(u64 val) {
CHK_FORMAT(1000LL * 1000 * 1000 * 1000, 99.95, "%0.01fT", double); CHK_FORMAT(1000LL * 1000 * 1000 * 1000, 99.95, "%0.01fT", double);
/* 100T+ */ /* 100T+ */
strcpy(tmp[cur], "infty"); strncpy(buf, "infty", len);
return tmp[cur]; buf[len - 1] = '\0';
return buf;
} }
/* Describe float. Similar to the above, except with a single /* Describe float. Similar as int. */
static buffer. */
u8 *DF(double val) { u8 *DF(u8 *buf, size_t len, double val) {
static u8 tmp[16];
if (val < 99.995) { if (val < 99.995) {
sprintf(tmp, "%0.02f", val); snprintf(buf, len, "%0.02f", val);
return tmp;
} else if (val < 999.95) {
snprintf(buf, len, "%0.01f", val);
} else {
DI(buf, len, (u64)val);
} }
if (val < 999.95) { return buf;
sprintf(tmp, "%0.01f", val);
return tmp;
}
return DI((u64)val);
} }
/* Describe integer as memory size. */ /* Describe integer as memory size. */
u8 *DMS(u64 val) { u8 *DMS(u8 *buf, size_t len, u64 val) {
static u8 tmp[12][16];
static u8 cur;
cur = (cur + 1) % 12;
/* 0-9999 */ /* 0-9999 */
CHK_FORMAT(1, 10000, "%llu B", u64); CHK_FORMAT(1, 10000, "%llu B", u64);
@ -157,17 +146,21 @@ u8 *DMS(u64 val) {
#undef CHK_FORMAT #undef CHK_FORMAT
/* 100T+ */ /* 100T+ */
strcpy(tmp[cur], "infty"); strncpy(buf, "infty", len - 1);
return tmp[cur]; buf[len - 1] = '\0';
return buf;
} }
/* Describe time delta as string. */ /* Describe time delta as string.
Returns a pointer to buf for convenience. */
void DTD(u8 *buf, size_t len, u64 cur_ms, u64 event_ms) { u8 *DTD(u8 *buf, size_t len, u64 cur_ms, u64 event_ms) {
u64 delta; u64 delta;
s32 t_d, t_h, t_m, t_s; s32 t_d, t_h, t_m, t_s;
u8 int_buf[16];
if (!event_ms) snprintf(buf, len, "none seen yet"); if (!event_ms) snprintf(buf, len, "none seen yet");
@ -178,7 +171,10 @@ void DTD(u8 *buf, size_t len, u64 cur_ms, u64 event_ms) {
t_m = (delta / 1000 / 60) % 60; t_m = (delta / 1000 / 60) % 60;
t_s = (delta / 1000) % 60; t_s = (delta / 1000) % 60;
snprintf(buf, len, "%s days, %d hrs, %d min, %d sec", DI(t_d), t_h, t_m, t_s); DI(int_buf, sizeof(int_buf), t_d);
snprintf(buf, len, "%s days, %d hrs, %d min, %d sec", int_buf, t_h, t_m, t_s);
return buf;
} }
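Review bot: The `infty` fallback at the end of DI (`strncpy(buf, "infty", len); buf[len - 1] = '\0';`) and the one at the end of DMS (`strncpy(buf, "infty", len - 1);` in the following hunk) are written differently and both index `buf[len - 1]`, which is out of bounds when `len` is 0 — and in DMS `len - 1` then wraps to SIZE_MAX as the strncpy count. The CHK_FORMAT branch above already tolerates `len == 0` because snprintf does, so the fallback should too: `snprintf(buf, len, "infty");` in both functions replaces the strncpy/terminator pair and keeps the two helpers consistent. The new header comment on DI says the buffer must hold at least 6 bytes; stating that `len` is the full buffer size including the terminator would remove the ambiguity the two strncpy variants reflect. DI's CHK_FORMAT macro starts in the first hunk and DTD's body continues past the last one, so the rest of those functions is not visible here.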


@ -196,6 +196,8 @@ u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) {
u32 trim_exec = 0; u32 trim_exec = 0;
u32 orig_len = q->len; u32 orig_len = q->len;
u8 int_buf[16];
if (afl->stage_name != afl->stage_name_buf) if (afl->stage_name != afl->stage_name_buf)
afl->stage_name = afl->stage_name_buf; afl->stage_name = afl->stage_name_buf;
afl->bytes_trim_in += q->len; afl->bytes_trim_in += q->len;
@ -210,7 +212,8 @@ u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) {
while (afl->stage_cur < afl->stage_max) { while (afl->stage_cur < afl->stage_max) {
snprintf(afl->stage_name_buf, STAGE_BUF_SIZE, "ptrim %s", DI(trim_exec)); snprintf(afl->stage_name_buf, STAGE_BUF_SIZE, "ptrim %s",
DI(int_buf, sizeof(int_buf), trim_exec));
u32 cksum; u32 cksum;


@ -603,6 +603,8 @@ u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) {
u32 remove_len; u32 remove_len;
u32 len_p2; u32 len_p2;
u8 int_bufs[2][16];
/* Although the trimmer will be less useful when variable behavior is /* Although the trimmer will be less useful when variable behavior is
detected, it will still work to some extent, so we don't check for detected, it will still work to some extent, so we don't check for
this. */ this. */
@ -626,8 +628,9 @@ u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) {
u32 remove_pos = remove_len; u32 remove_pos = remove_len;
snprintf(afl->stage_name_buf, STAGE_BUF_SIZE, "trim %s/%s", DI(remove_len), snprintf(afl->stage_name_buf, STAGE_BUF_SIZE, "trim %s/%s",
DI(remove_len)); DI(int_bufs[0], sizeof(int_bufs[0]), remove_len),
DI(int_bufs[1], sizeof(int_bufs[1]), remove_len));
afl->stage_cur = 0; afl->stage_cur = 0;
afl->stage_max = q->len / remove_len; afl->stage_max = q->len / remove_len;
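Review bot: Both `%s` slots of the `trim %s/%s` stage name receive `remove_len` (`DI(int_bufs[0], ..., remove_len), DI(int_bufs[1], ..., remove_len)`), so the second buffer only ever repeats the first; this mirrors the old `DI(remove_len), DI(remove_len)` and is not introduced here, but with separate buffers now in place the duplicate stands out. If the intent is to show `remove_pos/remove_len` as the `remove_pos` declaration two lines above suggests, the second call should read `DI(int_bufs[1], sizeof(int_bufs[1]), remove_pos)`; if printing the same value twice is deliberate, one `DI` into a single `int_buf[16]` passed twice avoids the second formatting call and the 2-D array. `trim_case` continues outside the hunk, so later uses of `int_bufs` cannot be checked from here.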


@ -201,6 +201,9 @@ void show_stats(afl_state_t *afl) {
u8 tmp[256]; u8 tmp[256];
u8 time_tmp[64]; u8 time_tmp[64];
u8 int_buf[16][16];
#define IB(i) int_buf[(i)], sizeof(int_buf[(i)])
cur_ms = get_cur_time(); cur_ms = get_cur_time();
/* If not enough time has passed since last UI update, bail out. */ /* If not enough time has passed since last UI update, bail out. */
@ -390,7 +393,7 @@ void show_stats(afl_state_t *afl) {
DTD(time_tmp, sizeof(time_tmp), cur_ms, afl->start_time); DTD(time_tmp, sizeof(time_tmp), cur_ms, afl->start_time);
SAYF(bV bSTOP " run time : " cRST "%-33s " bSTG bV bSTOP SAYF(bV bSTOP " run time : " cRST "%-33s " bSTG bV bSTOP
" cycles done : %s%-5s " bSTG bV "\n", " cycles done : %s%-5s " bSTG bV "\n",
time_tmp, tmp, DI(afl->queue_cycle - 1)); time_tmp, tmp, DI(IB(0), afl->queue_cycle - 1));
/* We want to warn people about not seeing new paths after a full cycle, /* We want to warn people about not seeing new paths after a full cycle,
except when resuming fuzzing or running in non-instrumented mode. */ except when resuming fuzzing or running in non-instrumented mode. */
@ -417,12 +420,12 @@ void show_stats(afl_state_t *afl) {
} }
SAYF(bSTG bV bSTOP " total paths : " cRST "%-5s " bSTG bV "\n", SAYF(bSTG bV bSTOP " total paths : " cRST "%-5s " bSTG bV "\n",
DI(afl->queued_paths)); DI(IB(0), afl->queued_paths));
/* Highlight crashes in red if found, denote going over the KEEP_UNIQUE_CRASH /* Highlight crashes in red if found, denote going over the KEEP_UNIQUE_CRASH
limit with a '+' appended to the count. */ limit with a '+' appended to the count. */
sprintf(tmp, "%s%s", DI(afl->unique_crashes), sprintf(tmp, "%s%s", DI(IB(0), afl->unique_crashes),
(afl->unique_crashes >= KEEP_UNIQUE_CRASH) ? "+" : ""); (afl->unique_crashes >= KEEP_UNIQUE_CRASH) ? "+" : "");
DTD(time_tmp, sizeof(time_tmp), cur_ms, afl->last_crash_time); DTD(time_tmp, sizeof(time_tmp), cur_ms, afl->last_crash_time);
@ -430,7 +433,7 @@ void show_stats(afl_state_t *afl) {
" uniq crashes : %s%-6s" bSTG bV "\n", " uniq crashes : %s%-6s" bSTG bV "\n",
time_tmp, afl->unique_crashes ? cLRD : cRST, tmp); time_tmp, afl->unique_crashes ? cLRD : cRST, tmp);
sprintf(tmp, "%s%s", DI(afl->unique_hangs), sprintf(tmp, "%s%s", DI(IB(0), afl->unique_hangs),
(afl->unique_hangs >= KEEP_UNIQUE_HANG) ? "+" : ""); (afl->unique_hangs >= KEEP_UNIQUE_HANG) ? "+" : "");
DTD(time_tmp, sizeof(time_tmp), cur_ms, afl->last_hang_time); DTD(time_tmp, sizeof(time_tmp), cur_ms, afl->last_hang_time);
@ -446,7 +449,7 @@ void show_stats(afl_state_t *afl) {
together, but then cram them into a fixed-width field - so we need to together, but then cram them into a fixed-width field - so we need to
put them in a temporary buffer first. */ put them in a temporary buffer first. */
sprintf(tmp, "%s%s%u (%0.01f%%)", DI(afl->current_entry), sprintf(tmp, "%s%s%u (%0.01f%%)", DI(IB(0), afl->current_entry),
afl->queue_cur->favored ? "." : "*", afl->queue_cur->fuzz_level, afl->queue_cur->favored ? "." : "*", afl->queue_cur->fuzz_level,
((double)afl->current_entry * 100) / afl->queued_paths); ((double)afl->current_entry * 100) / afl->queued_paths);
@ -460,7 +463,7 @@ void show_stats(afl_state_t *afl) {
: ((t_bytes < 200 && !afl->dumb_mode) ? cPIN : cRST), : ((t_bytes < 200 && !afl->dumb_mode) ? cPIN : cRST),
tmp); tmp);
sprintf(tmp, "%s (%0.02f%%)", DI(afl->cur_skipped_paths), sprintf(tmp, "%s (%0.02f%%)", DI(IB(0), afl->cur_skipped_paths),
((double)afl->cur_skipped_paths * 100) / afl->queued_paths); ((double)afl->cur_skipped_paths * 100) / afl->queued_paths);
SAYF(bV bSTOP " paths timed out : " cRST "%-16s " bSTG bV, tmp); SAYF(bV bSTOP " paths timed out : " cRST "%-16s " bSTG bV, tmp);
@ -473,7 +476,7 @@ void show_stats(afl_state_t *afl) {
" stage progress " bSTG bH10 bH5 bH2 bH2 bX bH bSTOP cCYA " stage progress " bSTG bH10 bH5 bH2 bH2 bX bH bSTOP cCYA
" findings in depth " bSTG bH10 bH5 bH2 bH2 bVL "\n"); " findings in depth " bSTG bH10 bH5 bH2 bH2 bVL "\n");
sprintf(tmp, "%s (%0.02f%%)", DI(afl->queued_favored), sprintf(tmp, "%s (%0.02f%%)", DI(IB(0), afl->queued_favored),
((double)afl->queued_favored) * 100 / afl->queued_paths); ((double)afl->queued_favored) * 100 / afl->queued_paths);
/* Yeah... it's still going on... halp? */ /* Yeah... it's still going on... halp? */
@ -484,37 +487,38 @@ void show_stats(afl_state_t *afl) {
if (!afl->stage_max) { if (!afl->stage_max) {
sprintf(tmp, "%s/-", DI(afl->stage_cur)); sprintf(tmp, "%s/-", DI(IB(0), afl->stage_cur));
} else { } else {
sprintf(tmp, "%s/%s (%0.02f%%)", DI(afl->stage_cur), DI(afl->stage_max), sprintf(tmp, "%s/%s (%0.02f%%)", DI(IB(0), afl->stage_cur),
DI(IB(1), afl->stage_max),
((double)afl->stage_cur) * 100 / afl->stage_max); ((double)afl->stage_cur) * 100 / afl->stage_max);
} }
SAYF(bV bSTOP " stage execs : " cRST "%-21s" bSTG bV bSTOP, tmp); SAYF(bV bSTOP " stage execs : " cRST "%-21s" bSTG bV bSTOP, tmp);
sprintf(tmp, "%s (%0.02f%%)", DI(afl->queued_with_cov), sprintf(tmp, "%s (%0.02f%%)", DI(IB(0), afl->queued_with_cov),
((double)afl->queued_with_cov) * 100 / afl->queued_paths); ((double)afl->queued_with_cov) * 100 / afl->queued_paths);
SAYF(" new edges on : " cRST "%-22s" bSTG bV "\n", tmp); SAYF(" new edges on : " cRST "%-22s" bSTG bV "\n", tmp);
sprintf(tmp, "%s (%s%s unique)", DI(afl->total_crashes), sprintf(tmp, "%s (%s%s unique)", DI(IB(0), afl->total_crashes),
DI(afl->unique_crashes), DI(IB(1), afl->unique_crashes),
(afl->unique_crashes >= KEEP_UNIQUE_CRASH) ? "+" : ""); (afl->unique_crashes >= KEEP_UNIQUE_CRASH) ? "+" : "");
if (afl->crash_mode) { if (afl->crash_mode) {
SAYF(bV bSTOP " total execs : " cRST "%-20s " bSTG bV bSTOP SAYF(bV bSTOP " total execs : " cRST "%-20s " bSTG bV bSTOP
" new crashes : %s%-22s" bSTG bV "\n", " new crashes : %s%-22s" bSTG bV "\n",
DI(afl->total_execs), afl->unique_crashes ? cLRD : cRST, tmp); DI(IB(0), afl->total_execs), afl->unique_crashes ? cLRD : cRST, tmp);
} else { } else {
SAYF(bV bSTOP " total execs : " cRST "%-20s " bSTG bV bSTOP SAYF(bV bSTOP " total execs : " cRST "%-20s " bSTG bV bSTOP
" total crashes : %s%-22s" bSTG bV "\n", " total crashes : %s%-22s" bSTG bV "\n",
DI(afl->total_execs), afl->unique_crashes ? cLRD : cRST, tmp); DI(IB(0), afl->total_execs), afl->unique_crashes ? cLRD : cRST, tmp);
} }
@ -522,21 +526,21 @@ void show_stats(afl_state_t *afl) {
if (afl->stats_avg_exec < 100) { if (afl->stats_avg_exec < 100) {
sprintf(tmp, "%s/sec (%s)", DF(afl->stats_avg_exec), snprintf(tmp, sizeof(tmp), "%s/sec (%s)", DF(IB(0), afl->stats_avg_exec),
afl->stats_avg_exec < 20 ? "zzzz..." : "slow!"); afl->stats_avg_exec < 20 ? "zzzz..." : "slow!");
SAYF(bV bSTOP " exec speed : " cLRD "%-20s ", tmp); SAYF(bV bSTOP " exec speed : " cLRD "%-20s ", tmp);
} else { } else {
sprintf(tmp, "%s/sec", DF(afl->stats_avg_exec)); snprintf(tmp, sizeof(tmp), "%s/sec", DF(IB(0), afl->stats_avg_exec));
SAYF(bV bSTOP " exec speed : " cRST "%-20s ", tmp); SAYF(bV bSTOP " exec speed : " cRST "%-20s ", tmp);
} }
sprintf(tmp, "%s (%s%s unique)", DI(afl->total_tmouts), snprintf(tmp, sizeof(tmp), "%s (%s%s unique)", DI(IB(0), afl->total_tmouts),
DI(afl->unique_tmouts), DI(IB(1), afl->unique_tmouts),
(afl->unique_hangs >= KEEP_UNIQUE_HANG) ? "+" : ""); (afl->unique_hangs >= KEEP_UNIQUE_HANG) ? "+" : "");
SAYF(bSTG bV bSTOP " total tmouts : " cRST "%-22s" bSTG bV "\n", tmp); SAYF(bSTG bV bSTOP " total tmouts : " cRST "%-22s" bSTG bV "\n", tmp);
@ -548,74 +552,84 @@ void show_stats(afl_state_t *afl) {
if (afl->skip_deterministic) { if (afl->skip_deterministic) {
strcpy(tmp, "n/a, n/a, n/a"); strncpy(tmp, "n/a, n/a, n/a", sizeof(tmp) - 1);
tmp[sizeof(tmp) - 1] = '\0';
} else { } else {
sprintf( snprintf(tmp, sizeof(tmp), "%s/%s, %s/%s, %s/%s",
tmp, "%s/%s, %s/%s, %s/%s", DI(afl->stage_finds[STAGE_FLIP1]), DI(IB(0), afl->stage_finds[STAGE_FLIP1]),
DI(afl->stage_cycles[STAGE_FLIP1]), DI(afl->stage_finds[STAGE_FLIP2]), DI(IB(1), afl->stage_cycles[STAGE_FLIP1]),
DI(afl->stage_cycles[STAGE_FLIP2]), DI(afl->stage_finds[STAGE_FLIP4]), DI(IB(2), afl->stage_finds[STAGE_FLIP2]),
DI(afl->stage_cycles[STAGE_FLIP4])); DI(IB(3), afl->stage_cycles[STAGE_FLIP2]),
DI(IB(3), afl->stage_finds[STAGE_FLIP4]),
DI(IB(5), afl->stage_cycles[STAGE_FLIP4]));
} }
SAYF(bV bSTOP " bit flips : " cRST "%-36s " bSTG bV bSTOP SAYF(bV bSTOP " bit flips : " cRST "%-36s " bSTG bV bSTOP
" levels : " cRST "%-10s" bSTG bV "\n", " levels : " cRST "%-10s" bSTG bV "\n",
tmp, DI(afl->max_depth)); tmp, DI(IB(0), afl->max_depth));
if (!afl->skip_deterministic) if (!afl->skip_deterministic)
sprintf( snprintf(tmp, sizeof(tmp), "%s/%s, %s/%s, %s/%s",
tmp, "%s/%s, %s/%s, %s/%s", DI(afl->stage_finds[STAGE_FLIP8]), DI(IB(0), afl->stage_finds[STAGE_FLIP8]),
DI(afl->stage_cycles[STAGE_FLIP8]), DI(afl->stage_finds[STAGE_FLIP16]), DI(IB(1), afl->stage_cycles[STAGE_FLIP8]),
DI(afl->stage_cycles[STAGE_FLIP16]), DI(afl->stage_finds[STAGE_FLIP32]), DI(IB(2), afl->stage_finds[STAGE_FLIP16]),
DI(afl->stage_cycles[STAGE_FLIP32])); DI(IB(3), afl->stage_cycles[STAGE_FLIP16]),
DI(IB(4), afl->stage_finds[STAGE_FLIP32]),
DI(IB(5), afl->stage_cycles[STAGE_FLIP32]));
SAYF(bV bSTOP " byte flips : " cRST "%-36s " bSTG bV bSTOP SAYF(bV bSTOP " byte flips : " cRST "%-36s " bSTG bV bSTOP
" pending : " cRST "%-10s" bSTG bV "\n", " pending : " cRST "%-10s" bSTG bV "\n",
tmp, DI(afl->pending_not_fuzzed)); tmp, DI(IB(0), afl->pending_not_fuzzed));
if (!afl->skip_deterministic) if (!afl->skip_deterministic)
sprintf(tmp, "%s/%s, %s/%s, %s/%s", DI(afl->stage_finds[STAGE_ARITH8]), snprintf(tmp, sizeof(tmp), "%s/%s, %s/%s, %s/%s",
DI(afl->stage_cycles[STAGE_ARITH8]), DI(IB(0), afl->stage_finds[STAGE_ARITH8]),
DI(afl->stage_finds[STAGE_ARITH16]), DI(IB(1), afl->stage_cycles[STAGE_ARITH8]),
DI(afl->stage_cycles[STAGE_ARITH16]), DI(IB(2), afl->stage_finds[STAGE_ARITH16]),
DI(afl->stage_finds[STAGE_ARITH32]), DI(IB(3), afl->stage_cycles[STAGE_ARITH16]),
DI(afl->stage_cycles[STAGE_ARITH32])); DI(IB(4), afl->stage_finds[STAGE_ARITH32]),
DI(IB(5), afl->stage_cycles[STAGE_ARITH32]));
SAYF(bV bSTOP " arithmetics : " cRST "%-36s " bSTG bV bSTOP SAYF(bV bSTOP " arithmetics : " cRST "%-36s " bSTG bV bSTOP
" pend fav : " cRST "%-10s" bSTG bV "\n", " pend fav : " cRST "%-10s" bSTG bV "\n",
tmp, DI(afl->pending_favored)); tmp, DI(IB(0), afl->pending_favored));
if (!afl->skip_deterministic) if (!afl->skip_deterministic)
sprintf(tmp, "%s/%s, %s/%s, %s/%s", DI(afl->stage_finds[STAGE_INTEREST8]), sprintf(tmp, "%s/%s, %s/%s, %s/%s",
DI(afl->stage_cycles[STAGE_INTEREST8]), DI(IB(0), afl->stage_finds[STAGE_INTEREST8]),
DI(afl->stage_finds[STAGE_INTEREST16]), DI(IB(1), afl->stage_cycles[STAGE_INTEREST8]),
DI(afl->stage_cycles[STAGE_INTEREST16]), DI(IB(2), afl->stage_finds[STAGE_INTEREST16]),
DI(afl->stage_finds[STAGE_INTEREST32]), DI(IB(3), afl->stage_cycles[STAGE_INTEREST16]),
DI(afl->stage_cycles[STAGE_INTEREST32])); DI(IB(4), afl->stage_finds[STAGE_INTEREST32]),
DI(IB(5), afl->stage_cycles[STAGE_INTEREST32]));
SAYF(bV bSTOP " known ints : " cRST "%-36s " bSTG bV bSTOP SAYF(bV bSTOP " known ints : " cRST "%-36s " bSTG bV bSTOP
" own finds : " cRST "%-10s" bSTG bV "\n", " own finds : " cRST "%-10s" bSTG bV "\n",
tmp, DI(afl->queued_discovered)); tmp, DI(IB(0), afl->queued_discovered));
if (!afl->skip_deterministic) if (!afl->skip_deterministic)
sprintf(tmp, "%s/%s, %s/%s, %s/%s", DI(afl->stage_finds[STAGE_EXTRAS_UO]), snprintf(tmp, sizeof(tmp), "%s/%s, %s/%s, %s/%s",
DI(afl->stage_cycles[STAGE_EXTRAS_UO]), DI(IB(0), afl->stage_finds[STAGE_EXTRAS_UO]),
DI(afl->stage_finds[STAGE_EXTRAS_UI]), DI(IB(1), afl->stage_cycles[STAGE_EXTRAS_UO]),
DI(afl->stage_cycles[STAGE_EXTRAS_UI]), DI(IB(2), afl->stage_finds[STAGE_EXTRAS_UI]),
DI(afl->stage_finds[STAGE_EXTRAS_AO]), DI(IB(3), afl->stage_cycles[STAGE_EXTRAS_UI]),
DI(afl->stage_cycles[STAGE_EXTRAS_AO])); DI(IB(4), afl->stage_finds[STAGE_EXTRAS_AO]),
DI(IB(5), afl->stage_cycles[STAGE_EXTRAS_AO]));
SAYF(bV bSTOP " dictionary : " cRST "%-36s " bSTG bV bSTOP SAYF(bV bSTOP " dictionary : " cRST "%-36s " bSTG bV bSTOP
" imported : " cRST "%-10s" bSTG bV "\n", " imported : " cRST "%-10s" bSTG bV "\n",
tmp, afl->sync_id ? DI(afl->queued_imported) : (u8 *)"n/a"); tmp, afl->sync_id ? DI(IB(0), afl->queued_imported) : (u8 *)"n/a");
sprintf( snprintf(tmp, sizeof(tmp), "%s/%s, %s/%s, %s/%s",
tmp, "%s/%s, %s/%s, %s/%s", DI(afl->stage_finds[STAGE_HAVOC]), DI(IB(0), afl->stage_finds[STAGE_HAVOC]),
DI(afl->stage_cycles[STAGE_HAVOC]), DI(afl->stage_finds[STAGE_SPLICE]), DI(IB(2), afl->stage_cycles[STAGE_HAVOC]),
DI(afl->stage_cycles[STAGE_SPLICE]), DI(afl->stage_finds[STAGE_RADAMSA]), DI(IB(3), afl->stage_finds[STAGE_SPLICE]),
DI(afl->stage_cycles[STAGE_RADAMSA])); DI(IB(4), afl->stage_cycles[STAGE_SPLICE]),
DI(IB(5), afl->stage_finds[STAGE_RADAMSA]),
DI(IB(6), afl->stage_cycles[STAGE_RADAMSA]));
SAYF(bV bSTOP " havoc/rad : " cRST "%-36s " bSTG bV bSTOP, tmp); SAYF(bV bSTOP " havoc/rad : " cRST "%-36s " bSTG bV bSTOP, tmp);
@ -635,24 +649,26 @@ void show_stats(afl_state_t *afl) {
if (afl->shm.cmplog_mode) { if (afl->shm.cmplog_mode) {
sprintf(tmp, "%s/%s, %s/%s, %s/%s, %s/%s", snprintf(tmp, sizeof(tmp), "%s/%s, %s/%s, %s/%s, %s/%s",
DI(afl->stage_finds[STAGE_PYTHON]), DI(IB(0), afl->stage_finds[STAGE_PYTHON]),
DI(afl->stage_cycles[STAGE_PYTHON]), DI(IB(1), afl->stage_cycles[STAGE_PYTHON]),
DI(afl->stage_finds[STAGE_CUSTOM_MUTATOR]), DI(IB(2), afl->stage_finds[STAGE_CUSTOM_MUTATOR]),
DI(afl->stage_cycles[STAGE_CUSTOM_MUTATOR]), DI(IB(3), afl->stage_cycles[STAGE_CUSTOM_MUTATOR]),
DI(afl->stage_finds[STAGE_COLORIZATION]), DI(IB(4), afl->stage_finds[STAGE_COLORIZATION]),
DI(afl->stage_cycles[STAGE_COLORIZATION]), DI(IB(5), afl->stage_cycles[STAGE_COLORIZATION]),
DI(afl->stage_finds[STAGE_ITS]), DI(afl->stage_cycles[STAGE_ITS])); DI(IB(6), afl->stage_finds[STAGE_ITS]),
DI(IB(7), afl->stage_cycles[STAGE_ITS]));
SAYF(bV bSTOP " custom/rq : " cRST "%-36s " bSTG bVR bH20 bH2 bH bRB "\n", SAYF(bV bSTOP " custom/rq : " cRST "%-36s " bSTG bVR bH20 bH2 bH bRB "\n",
tmp); tmp);
} else { } else {
sprintf(tmp, "%s/%s, %s/%s", DI(afl->stage_finds[STAGE_PYTHON]), snprintf(tmp, sizeof(tmp), "%s/%s, %s/%s",
DI(afl->stage_cycles[STAGE_PYTHON]), DI(IB(0), afl->stage_finds[STAGE_PYTHON]),
DI(afl->stage_finds[STAGE_CUSTOM_MUTATOR]), DI(IB(1), afl->stage_cycles[STAGE_PYTHON]),
DI(afl->stage_cycles[STAGE_CUSTOM_MUTATOR])); DI(IB(2), afl->stage_finds[STAGE_CUSTOM_MUTATOR]),
DI(IB(3), afl->stage_cycles[STAGE_CUSTOM_MUTATOR]));
SAYF(bV bSTOP " py/custom : " cRST "%-36s " bSTG bVR bH20 bH2 bH bRB "\n", SAYF(bV bSTOP " py/custom : " cRST "%-36s " bSTG bVR bH20 bH2 bH bRB "\n",
tmp); tmp);
@ -668,7 +684,7 @@ void show_stats(afl_state_t *afl) {
sprintf(tmp, "%0.02f%%/%s, ", sprintf(tmp, "%0.02f%%/%s, ",
((double)(afl->bytes_trim_in - afl->bytes_trim_out)) * 100 / ((double)(afl->bytes_trim_in - afl->bytes_trim_out)) * 100 /
afl->bytes_trim_in, afl->bytes_trim_in,
DI(afl->trim_execs)); DI(IB(0), afl->trim_execs));
} }
@ -693,8 +709,8 @@ void show_stats(afl_state_t *afl) {
if (afl->mutator) { if (afl->mutator) {
sprintf(tmp, "%s/%s", DI(afl->stage_finds[STAGE_CUSTOM_MUTATOR]), sprintf(tmp, "%s/%s", DI(IB(0), afl->stage_finds[STAGE_CUSTOM_MUTATOR]),
DI(afl->stage_cycles[STAGE_CUSTOM_MUTATOR])); DI(IB(1), afl->stage_cycles[STAGE_CUSTOM_MUTATOR]));
SAYF(bV bSTOP " custom mut. : " cRST "%-36s " bSTG bV RESET_G1, tmp); SAYF(bV bSTOP " custom mut. : " cRST "%-36s " bSTG bV RESET_G1, tmp);
} else { } else {
@ -749,6 +765,8 @@ void show_stats(afl_state_t *afl) {
/* Last line */ /* Last line */
SAYF(SET_G1 "\n" bSTG bLB bH30 bH20 bH2 bRB bSTOP cRST RESET_G1); SAYF(SET_G1 "\n" bSTG bLB bH30 bH20 bH2 bRB bSTOP cRST RESET_G1);
#undef IB
/* Hallelujah! */ /* Hallelujah! */
fflush(0); fflush(0);
@ -767,6 +785,9 @@ void show_init_stats(afl_state_t *afl) {
u64 avg_us = 0; u64 avg_us = 0;
u32 max_len = 0; u32 max_len = 0;
u8 int_buf[12][16];
#define IB(i) int_buf[(i)], sizeof(int_buf[(i)])
if (afl->total_cal_cycles) avg_us = afl->total_cal_us / afl->total_cal_cycles; if (afl->total_cal_cycles) avg_us = afl->total_cal_us / afl->total_cal_cycles;
while (q) { while (q) {
@ -802,10 +823,10 @@ void show_init_stats(afl_state_t *afl) {
if (max_len > 50 * 1024) if (max_len > 50 * 1024)
WARNF(cLRD "Some test cases are huge (%s) - see %s/perf_tips.md!", WARNF(cLRD "Some test cases are huge (%s) - see %s/perf_tips.md!",
DMS(max_len), doc_path); DMS(IB(0), max_len), doc_path);
else if (max_len > 10 * 1024) else if (max_len > 10 * 1024)
WARNF("Some test cases are big (%s) - see %s/perf_tips.md.", DMS(max_len), WARNF("Some test cases are big (%s) - see %s/perf_tips.md.",
doc_path); DMS(IB(0), max_len), doc_path);
if (afl->useless_at_start && !afl->in_bitmap) if (afl->useless_at_start && !afl->in_bitmap)
WARNF(cLRD "Some test cases look useless. Consider using a smaller set."); WARNF(cLRD "Some test cases look useless. Consider using a smaller set.");
@ -829,7 +850,7 @@ void show_init_stats(afl_state_t *afl) {
max_bits, max_bits,
((double)afl->total_bitmap_size) / ((double)afl->total_bitmap_size) /
(afl->total_bitmap_entries ? afl->total_bitmap_entries : 1), (afl->total_bitmap_entries ? afl->total_bitmap_entries : 1),
DI(min_us), DI(max_us), DI(avg_us)); DI(IB(0), min_us), DI(IB(1), max_us), DI(IB(2), avg_us));
if (!afl->timeout_given) { if (!afl->timeout_given) {
@ -873,6 +894,7 @@ void show_init_stats(afl_state_t *afl) {
afl->hang_tmout = MIN(EXEC_TIMEOUT, afl->fsrv.exec_tmout * 2 + 100); afl->hang_tmout = MIN(EXEC_TIMEOUT, afl->fsrv.exec_tmout * 2 + 100);
OKF("All set and ready to roll!"); OKF("All set and ready to roll!");
#undef IB
} }
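Review bot: In the bit-flips `snprintf` of `show_stats`, `IB(3)` is passed for both `stage_cycles[STAGE_FLIP2]` and `stage_finds[STAGE_FLIP4]`, so both DI calls write `int_buf[3]` before the format runs and the two `%s` slots print the same value (whichever DI the compiler evaluates last, since argument evaluation order is unspecified); the fifth argument should be `DI(IB(4), afl->stage_finds[STAGE_FLIP4]),`. The havoc/rad block skips `IB(1)` (it uses 0, 2, 3, 4, 5, 6), which is harmless but looks like a second slip next to the 0..5 pattern of the other blocks; renumbering it keeps the convention uniform. The `known ints` block and the trim/custom-mutator lines still use `sprintf(tmp, ...)` while their siblings were moved to `snprintf(tmp, sizeof(tmp), ...)`, and the `n/a, n/a, n/a` strncpy pair could likewise be `snprintf(tmp, sizeof(tmp), "n/a, n/a, n/a");`. `show_init_stats` declares `u8 int_buf[12][16]` but the visible hunks use only three slots; the rest of both functions lies outside the hunks, so further uses cannot be ruled out.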