added corpus introspection

2025-06-14 19:08:08 +00:00 · 2020-12-28 14:01:48 +01:00
parent 108e28ff10
commit 688f4ffb89
4 changed files with 40 additions and 0 deletions
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@ -10,6 +10,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.


 ### Version ++3.01a (release)
+  - Mac OS ARM64 support
  - afl-fuzz
    - fix crash for very, very fast targets+systems (thanks to mhlakhani
      for reporting)
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@ -174,6 +174,10 @@ struct queue_entry {
  u8 *trace_mini;                       /* Trace bytes, if kept             */
  u32 tc_ref;                           /* Trace bytes ref count            */

+#ifdef INTROSPECTION
+  u32 bitsmap_size;
+#endif
+
  double perf_score,                    /* performance score                */
      weight;

@ -734,6 +738,7 @@ typedef struct afl_state {
  char  mutation[8072];
  char  m_tmp[4096];
  FILE *introspection_file;
+  u32   bitsmap_size;
 #endif

 } afl_state_t;
--- a/src/afl-fuzz-queue.c
+++ b/src/afl-fuzz-queue.c
@ -190,6 +190,32 @@ void create_alias_table(afl_state_t *afl) {
  while (nS)
    afl->alias_probability[S[--nS]] = 1;

+#ifdef INTROSPECTION
+  u8 fn[PATH_MAX];
+  snprintf(fn, PATH_MAX, "%s/introspection_corpus.txt", afl->out_dir);
+  FILE *f = fopen(fn, "a");
+  if (f) {
+
+    for (i = 0; i < n; i++) {
+
+      struct queue_entry *q = afl->queue_buf[i];
+      fprintf(
+          f,
+          "entry=%u name=%s variable=%s disabled=%s len=%u exec_us=%u "
+          "bitmap_size=%u bitsmap_size=%u tops=%u weight=%f perf_score=%f\n",
+          i, q->fname, q->var_behavior ? "true" : "false",
+          q->disabled ? "true" : "false", q->len, (u32)q->exec_us,
+          q->bitmap_size, q->bitsmap_size, q->tc_ref, q->weight, q->perf_score);
+
+    }
+
+    fprintf(f, "\n");
+    fclose(f);
+
+  }
+
+#endif
+
  /*
  fprintf(stderr, "  entry  alias  probability  perf_score   filename\n");
  for (u32 i = 0; i < n; ++i)
@ -398,6 +424,10 @@ void add_to_queue(afl_state_t *afl, u8 *fname, u32 len, u8 passed_det) {
  q->trace_mini = NULL;
  q->testcase_buf = NULL;

+#ifdef INTROSPECTION
+  q->bitsmap_size = afl->bitsmap_size;
+#endif
+
  if (q->depth > afl->max_depth) { afl->max_depth = q->depth; }

  if (afl->queue_top) {
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@ -380,6 +380,10 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,

    }

+#ifdef INTROSPECTION
+    if (unlikely(!q->bitsmap_size)) q->bitsmap_size = afl->bitsmap_size;
+#endif
+
    classify_counts(&afl->fsrv);
    cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
    if (q->exec_cksum != cksum) {