improving on splice candidate check patch

include/afl-fuzz.h

@@ -483,7 +483,7 @@ typedef struct afl_state {
       disable_trim,                     /* Never trim in fuzz_one           */
       shmem_testcase_mode,              /* If sharedmem testcases are used  */
       expand_havoc,                /* perform expensive havoc after no find */
-      cycle_schedules;                  /* cycle power schedules ?          */
+      cycle_schedules;                  /* cycle power schedules?           */
 
   u8 *virgin_bits,                      /* Regions yet untouched by fuzzing */
       *virgin_tmout,                    /* Bits we haven't seen in tmouts   */
@@ -657,7 +657,7 @@ typedef struct afl_state {
    * they do not call another function */
   u8 *map_tmp_buf;
 
-  /* queue entries ready for splicing count (len > 1) */
+  /* queue entries ready for splicing count (len > 4) */
   u32 ready_for_splicing_count;
 
 } afl_state_t;

src/afl-fuzz-one.c

@@ -1699,36 +1699,22 @@ custom_mutator_stage:
           u8 *                new_buf = NULL;
           u32                 target_len = 0;
 
-          /* check if splicing is possible (if the only entry has len > 1
+          /* check if splicing makes sense yet (enough entries) */
-           * check it is not current entry)
+          if (likely(afl->ready_for_splicing_count > 1)) {
-           */
-          if (afl->ready_for_splicing_count > 1 ||
-              (afl->ready_for_splicing_count == 1 &&
-               afl->queue_cur->len == 1)) {
 
-          retry_external_pick:
+            /* Pick a random other queue entry for passing to external API
-            /* Pick a random other queue entry for passing to external API */
+               that has the necessary length */
 
             do {
 
               tid = rand_below(afl, afl->queued_paths);
 
-            } while (tid == afl->current_entry && afl->queued_paths > 1);
+            } while (unlikely(tid == afl->current_entry &&
+
+                              afl->queue_buf[tid]->len >= 4));
 
-            afl->splicing_with = tid;
             target = afl->queue_buf[tid];
-
+            afl->splicing_with = tid;
-            /* Make sure that the target has a reasonable length. */
-
-            while (target && (target->len < 2 || target == afl->queue_cur) &&
-                   afl->queued_paths > 2) {
-
-              target = target->next;
-              ++afl->splicing_with;
-
-            }
-
-            if (!target) { goto retry_external_pick; }
 
             /* Read the additional testcase into a new buffer. */
             fd = open(target->fname, O_RDONLY);
@@ -2773,8 +2759,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
     len = afl->queue_cur->len;
 
     /* maybe current entry is not ready for splicing anymore */
-    if (old_len > 1 && afl->queue_cur->len == 1)
+    if (unlikely(len <= 4 && old_len > 4)) afl->ready_for_splicing_count--;
-      afl->ready_for_splicing_count--;
 
   }
 

src/afl-fuzz-queue.c

@@ -234,7 +234,7 @@ void add_to_queue(afl_state_t *afl, u8 *fname, u32 len, u8 passed_det) {
 
   }
 
-  if (q->len > 1) afl->ready_for_splicing_count++;
+  if (likely(q->len > 4)) afl->ready_for_splicing_count++;
 
   ++afl->queued_paths;
   ++afl->pending_not_fuzzed;

src/afl-fuzz-state.c

@@ -95,6 +95,11 @@ void afl_state_init(afl_state_t *afl, uint32_t map_size) {
   afl->stage_name = "init";             /* Name of the current fuzz stage   */
   afl->splicing_with = -1;              /* Splicing with which test case?   */
   afl->cpu_to_bind = -1;
+  afl->cal_cycles = CAL_CYCLES;
+  afl->cal_cycles_long = CAL_CYCLES_LONG;
+  afl->hang_tmout = EXEC_TIMEOUT;
+  afl->stats_update_freq = 1;
+  afl->stats_avg_exec = -1;
 
 #ifdef HAVE_AFFINITY
   afl->cpu_aff = -1;                    /* Selected CPU core                */
@@ -115,48 +120,13 @@ void afl_state_init(afl_state_t *afl, uint32_t map_size) {
   // afl_state_t is not available in forkserver.c
   afl->fsrv.afl_ptr = (void *)afl;
   afl->fsrv.add_extra_func = (void (*)(void *, u8 *, u32)) & add_extra;
-
-  afl->cal_cycles = CAL_CYCLES;
-  afl->cal_cycles_long = CAL_CYCLES_LONG;
-
   afl->fsrv.exec_tmout = EXEC_TIMEOUT;
-  afl->hang_tmout = EXEC_TIMEOUT;
-
   afl->fsrv.mem_limit = MEM_LIMIT;
-
-  afl->stats_update_freq = 1;
-
   afl->fsrv.dev_urandom_fd = -1;
   afl->fsrv.dev_null_fd = -1;
-
   afl->fsrv.child_pid = -1;
   afl->fsrv.out_dir_fd = -1;
 
-  afl->cmplog_prev_timed_out = 0;
-
-  /* statis file */
-  afl->last_bitmap_cvg = 0;
-  afl->last_stability = 0;
-  afl->last_eps = 0;
-
-  /* plot file saves from last run */
-  afl->plot_prev_qp = 0;
-  afl->plot_prev_pf = 0;
-  afl->plot_prev_pnf = 0;
-  afl->plot_prev_ce = 0;
-  afl->plot_prev_md = 0;
-  afl->plot_prev_qc = 0;
-  afl->plot_prev_uc = 0;
-  afl->plot_prev_uh = 0;
-
-  afl->stats_last_stats_ms = 0;
-  afl->stats_last_plot_ms = 0;
-  afl->stats_last_ms = 0;
-  afl->stats_last_execs = 0;
-  afl->stats_avg_exec = -1;
-
-  afl->ready_for_splicing_count = 0;
-
   init_mopt_globals(afl);
 
   list_append(&afl_states, afl);
@@ -177,6 +147,14 @@ void read_afl_environment(afl_state_t *afl, char **envp) {
       WARNF("Potentially mistyped AFL environment variable: %s", env);
       issue_detected = 1;
 
+    } else if (strncmp(env, "USE_", 4) == 0) {
+
+      WARNF(
+          "Potentially mistyped AFL environment variable: %s, did you mean "
+          "AFL_%s?",
+          env, env);
+      issue_detected = 1;
+
     } else if (strncmp(env, "AFL_", 4) == 0) {
 
       int i = 0, match = 0;