rename path

This commit is contained in:
vanhauser-thc
2021-12-09 13:22:10 +01:00
parent 4c6d94ea5f
commit 9063002af2
16 changed files with 377 additions and 376 deletions

View File

@ -1566,7 +1566,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
- Fixed a bug with installed copies of AFL trying to use QEMU mode. Spotted - Fixed a bug with installed copies of AFL trying to use QEMU mode. Spotted
by G.M. Lime. by G.M. Lime.
- Added last path / crash / hang times to fuzzer_stats, suggested by - Added last find / crash / hang times to fuzzer_stats, suggested by
Richard Hipp. Richard Hipp.
- Fixed a typo, thanks to Jakub Wilk. - Fixed a typo, thanks to Jakub Wilk.
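Review bot: rewording a historical changelog entry changes the record of what that release shipped; at the time the stat was called `last_path`, so "Added last path / crash / hang times to fuzzer_stats, suggested by Richard Hipp" should stay as written and the rename to `last_find` belongs in a new entry under the current version.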

View File

@ -85,7 +85,7 @@ for parallel fuzzing. Second to last is the power schedule mode being run
``` ```
+----------------------------------------------------+ +----------------------------------------------------+
| run time : 0 days, 8 hrs, 32 min, 43 sec | | run time : 0 days, 8 hrs, 32 min, 43 sec |
| last new path : 0 days, 0 hrs, 6 min, 40 sec | | last new find : 0 days, 0 hrs, 6 min, 40 sec |
| last uniq crash : none seen yet | | last uniq crash : none seen yet |
| last uniq hang : 0 days, 1 hrs, 24 min, 32 sec | | last uniq hang : 0 days, 1 hrs, 24 min, 32 sec |
+----------------------------------------------------+ +----------------------------------------------------+
@ -485,20 +485,20 @@ directory. This includes:
- `cycles_wo_finds` - number of cycles without any new paths found - `cycles_wo_finds` - number of cycles without any new paths found
- `execs_done` - number of execve() calls attempted - `execs_done` - number of execve() calls attempted
- `execs_per_sec` - overall number of execs per second - `execs_per_sec` - overall number of execs per second
- `paths_total` - total number of entries in the queue - `corpus_count` - total number of entries in the queue
- `paths_favored` - number of queue entries that are favored - `corpus_favored` - number of queue entries that are favored
- `paths_found` - number of entries discovered through local fuzzing - `corpus_found` - number of entries discovered through local fuzzing
- `paths_imported` - number of entries imported from other instances - `corpus_imported` - number of entries imported from other instances
- `max_depth` - number of levels in the generated data set - `max_depth` - number of levels in the generated data set
- `cur_path` - currently processed entry number - `cur_item` - currently processed entry number
- `pending_favs` - number of favored entries still waiting to be fuzzed - `pending_favs` - number of favored entries still waiting to be fuzzed
- `pending_total` - number of all entries waiting to be fuzzed - `pending_total` - number of all entries waiting to be fuzzed
- `variable_paths` - number of test cases showing variable behavior - `corpus_variable` - number of test cases showing variable behavior
- `stability` - percentage of bitmap bytes that behave consistently - `stability` - percentage of bitmap bytes that behave consistently
- `bitmap_cvg` - percentage of edge coverage found in the map so far - `bitmap_cvg` - percentage of edge coverage found in the map so far
- `unique_crashes` - number of unique crashes recorded - `saved_crashes` - number of unique crashes recorded
- `unique_hangs` - number of unique hangs encountered - `saved_hangs` - number of unique hangs encountered
- `last_path` - seconds since the last path was found - `last_find` - seconds since the last find was found
- `last_crash` - seconds since the last crash was found - `last_crash` - seconds since the last crash was found
- `last_hang` - seconds since the last hang was found - `last_hang` - seconds since the last hang was found
- `execs_since_crash` - execs since the last crash was found - `execs_since_crash` - execs since the last crash was found
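Review bot: the new description of `last_find`, "seconds since the last find was found", is circular; suggest "seconds since the last new corpus entry was found". Beyond wording, renaming `paths_total`, `paths_favored`, `paths_found`, `paths_imported`, `cur_path`, `variable_paths`, `unique_crashes`, `unique_hangs` and `last_path` in `fuzzer_stats` breaks every external tool that parses the file by key name, so this hunk needs a matching changelog note calling out the incompatibility; and if "saved" is meant to replace "unique" as the term, the `saved_crashes`/`saved_hangs` descriptions should not still say "number of unique crashes/hangs".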
@ -531,9 +531,9 @@ last crash > X, etc.).
The selected metrics are a subset of all the metrics found in the status and in The selected metrics are a subset of all the metrics found in the status and in
the plot file. The list is the following: `cycle_done`, `cycles_wo_finds`, the plot file. The list is the following: `cycle_done`, `cycles_wo_finds`,
`execs_done`,`execs_per_sec`, `paths_total`, `paths_favored`, `paths_found`, `execs_done`,`execs_per_sec`, `corpus_count`, `corpus_favored`, `corpus_found`,
`paths_imported`, `max_depth`, `cur_path`, `pending_favs`, `pending_total`, `corpus_imported`, `max_depth`, `cur_item`, `pending_favs`, `pending_total`,
`variable_paths`, `unique_crashes`, `unique_hangs`, `total_crashes`, `corpus_variable`, `saved_crashes`, `saved_hangs`, `total_crashes`,
`slowest_exec_ms`, `edges_found`, `var_byte_count`, `havoc_expansion`. Their `slowest_exec_ms`, `edges_found`, `var_byte_count`, `havoc_expansion`. Their
definitions can be found in the addendum above. definitions can be found in the addendum above.
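Review bot: while this list is being edited anyway, add the missing space in `` `execs_done`,`execs_per_sec` `` so the comma-separated list is consistent with the rest of the line.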

View File

@ -11,7 +11,7 @@ Fuzzing source code is a three-step process:
2. Prepare the fuzzing by selecting and optimizing the input corpus for the 2. Prepare the fuzzing by selecting and optimizing the input corpus for the
target. target.
3. Perform the fuzzing of the target by randomly mutating input and assessing if 3. Perform the fuzzing of the target by randomly mutating input and assessing if
a generated input was processed in a new path in the target binary. that input was processed on a new path in the target binary.
## 0. Common sense risks ## 0. Common sense risks
@ -354,7 +354,7 @@ You can find many good examples of starting files in the
### b) Making the input corpus unique ### b) Making the input corpus unique
Use the AFL++ tool `afl-cmin` to remove inputs from the corpus that do not Use the AFL++ tool `afl-cmin` to remove inputs from the corpus that do not
produce a new path in the target. produce a new path/coverage in the target.
Put all files from step a) into one directory, e.g., INPUTS. Put all files from step a) into one directory, e.g., INPUTS.
@ -633,7 +633,7 @@ AFL_BENCH_JUST_ONE=1 AFL_FAST_CAL=1 afl-fuzz -i newseeds -o out -S newseeds -- .
### g) Checking the coverage of the fuzzing ### g) Checking the coverage of the fuzzing
The `paths found` value is a bad indicator for checking how good the coverage The `corpus count` value is a bad indicator for checking how good the coverage
is. is.
A better indicator - if you use default llvm instrumentation with at least A better indicator - if you use default llvm instrumentation with at least
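Review bot: "`corpus count`" in backticks reads like an identifier but is the status-screen label; the `fuzzer_stats` key documented elsewhere in this commit is `corpus_count`. Either use `corpus_count` here or drop the backticks and say "the corpus count shown on the status screen", so a reader grepping the stats file finds the right name.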
@ -822,7 +822,7 @@ as these are much shorter runnings.
will impact the speed by ~15% though. will impact the speed by ~15% though.
* `AFL_FAST_CAL` - Enable fast calibration, this halves the time the * `AFL_FAST_CAL` - Enable fast calibration, this halves the time the
saturated corpus needs to be loaded. saturated corpus needs to be loaded.
* `AFL_CMPLOG_ONLY_NEW` - only perform cmplog on new found paths, not the * `AFL_CMPLOG_ONLY_NEW` - only perform cmplog on new finds, not the
initial corpus as this very likely has been done for them already. initial corpus as this very likely has been done for them already.
* Keep the generated corpus, use afl-cmin and reuse it every time! * Keep the generated corpus, use afl-cmin and reuse it every time!

View File

@ -926,7 +926,7 @@
"steppedLine": false, "steppedLine": false,
"targets": [ "targets": [
{ {
"expr": "fuzzing{type=\"cur_path\"}", "expr": "fuzzing{type=\"cur_item\"}",
"interval": "", "interval": "",
"legendFormat": "", "legendFormat": "",
"refId": "A" "refId": "A"
@ -936,7 +936,7 @@
"timeFrom": null, "timeFrom": null,
"timeRegions": [], "timeRegions": [],
"timeShift": null, "timeShift": null,
"title": "Curent path", "title": "Current fuzz item",
"tooltip": { "tooltip": {
"shared": true, "shared": true,
"sort": 0, "sort": 0,
@ -1116,7 +1116,7 @@
"steppedLine": false, "steppedLine": false,
"targets": [ "targets": [
{ {
"expr": "fuzzing{type=\"paths_favored\"}", "expr": "fuzzing{type=\"corpus_favored\"}",
"interval": "", "interval": "",
"legendFormat": "", "legendFormat": "",
"refId": "A" "refId": "A"
@ -1135,7 +1135,7 @@
} }
], ],
"timeShift": null, "timeShift": null,
"title": "Path Favored", "title": "Corpus Favored",
"tooltip": { "tooltip": {
"shared": true, "shared": true,
"sort": 0, "sort": 0,
@ -1428,7 +1428,7 @@
"steppedLine": false, "steppedLine": false,
"targets": [ "targets": [
{ {
"expr": "fuzzing{type=\"paths_imported\"}", "expr": "fuzzing{type=\"corpus_imported\"}",
"interval": "", "interval": "",
"legendFormat": "", "legendFormat": "",
"refId": "A" "refId": "A"
@ -1447,7 +1447,7 @@
} }
], ],
"timeShift": null, "timeShift": null,
"title": "Path Imported", "title": "Corpus Imported",
"tooltip": { "tooltip": {
"shared": true, "shared": true,
"sort": 0, "sort": 0,
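Review bot: across this dashboard (this hunk and the three before it) only the `cur_path`, `paths_favored` and `paths_imported` panel expressions are updated, while the StatsD metric list in the same commit also renames `paths_total`, `paths_found`, `variable_paths`, `unique_crashes` and `unique_hangs`; confirm that any panel whose `expr` queries one of those is updated too, because a panel pointing at a metric that is no longer emitted does not fail, it just shows no data.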

View File

@ -26,7 +26,7 @@ StatsD allows you to receive and aggregate metrics from a wide range of
applications and retransmit them to a backend of your choice. applications and retransmit them to a backend of your choice.
From AFL++, StatsD can receive the following metrics: From AFL++, StatsD can receive the following metrics:
- cur_path - cur_item
- cycle_done - cycle_done
- cycles_wo_finds - cycles_wo_finds
- edges_found - edges_found
@ -34,18 +34,18 @@ From AFL++, StatsD can receive the following metrics:
- execs_per_sec - execs_per_sec
- havoc_expansion - havoc_expansion
- max_depth - max_depth
- paths_favored - corpus_favored
- paths_found - corpus_found
- paths_imported - corpus_imported
- paths_total - corpus_count
- pending_favs - pending_favs
- pending_total - pending_total
- slowest_exec_ms - slowest_exec_ms
- total_crashes - total_crashes
- unique_crashes - saved_crashes
- unique_hangs - saved_hangs
- var_byte_count - var_byte_count
- variable_paths - corpus_variable
Depending on your StatsD server, you will be able to monitor, trigger alerts, or Depending on your StatsD server, you will be able to monitor, trigger alerts, or
perform actions based on these metrics (for example: alert on slow exec/s for a perform actions based on these metrics (for example: alert on slow exec/s for a
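Review bot: this metric list was alphabetical and the rename breaks the order: `corpus_count` now sits after `corpus_imported`, and `cur_item` at the top of the previous hunk sorts after the `corpus_*` entries. Re-sort the list so the `corpus_*` names are contiguous and `cur_item` follows them.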

View File

@ -537,7 +537,7 @@ typedef struct afl_state {
volatile u8 stop_soon, /* Ctrl-C pressed? */ volatile u8 stop_soon, /* Ctrl-C pressed? */
clear_screen; /* Window resized? */ clear_screen; /* Window resized? */
u32 queued_paths, /* Total number of queued testcases */ u32 queued_items, /* Total number of queued testcases */
queued_variable, /* Testcases with variable behavior */ queued_variable, /* Testcases with variable behavior */
queued_at_start, /* Total number of initial inputs */ queued_at_start, /* Total number of initial inputs */
queued_discovered, /* Items discovered during this run */ queued_discovered, /* Items discovered during this run */
@ -546,7 +546,7 @@ typedef struct afl_state {
queued_with_cov, /* Paths with new coverage bytes */ queued_with_cov, /* Paths with new coverage bytes */
pending_not_fuzzed, /* Queued but not done yet */ pending_not_fuzzed, /* Queued but not done yet */
pending_favored, /* Pending favored paths */ pending_favored, /* Pending favored paths */
cur_skipped_paths, /* Abandoned inputs in cur cycle */ cur_skipped_items, /* Abandoned inputs in cur cycle */
cur_depth, /* Current path depth */ cur_depth, /* Current path depth */
max_depth, /* Max path depth */ max_depth, /* Max path depth */
useless_at_start, /* Number of useless starting paths */ useless_at_start, /* Number of useless starting paths */
@ -556,10 +556,10 @@ typedef struct afl_state {
max_det_extras; /* deterministic extra count (dicts)*/ max_det_extras; /* deterministic extra count (dicts)*/
u64 total_crashes, /* Total number of crashes */ u64 total_crashes, /* Total number of crashes */
unique_crashes, /* Crashes with unique signatures */ saved_crashes, /* Crashes with unique signatures */
total_tmouts, /* Total number of timeouts */ total_tmouts, /* Total number of timeouts */
unique_tmouts, /* Timeouts with unique signatures */ saved_tmouts, /* Timeouts with unique signatures */
unique_hangs, /* Hangs with unique signatures */ saved_hangs, /* Hangs with unique signatures */
last_crash_execs, /* Exec counter at last crash */ last_crash_execs, /* Exec counter at last crash */
queue_cycle, /* Queue round counter */ queue_cycle, /* Queue round counter */
cycles_wo_finds, /* Cycles without any new paths */ cycles_wo_finds, /* Cycles without any new paths */
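Review bot: `saved_crashes`, `saved_tmouts` and `saved_hangs` keep the comment "... with unique signatures", and the limits they are checked against in afl-fuzz-bitmap.c are still `KEEP_UNIQUE_CRASH` and `KEEP_UNIQUE_HANG`; if "saved" is intended to replace "unique" as the vocabulary, update these comments (e.g. "Crashes saved after dedup") and consider renaming the two constants in the same pass, otherwise both terms will coexist indefinitely.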
@ -571,7 +571,7 @@ typedef struct afl_state {
start_time, /* Unix start time (ms) */ start_time, /* Unix start time (ms) */
last_sync_time, /* Time of last sync */ last_sync_time, /* Time of last sync */
last_sync_cycle, /* Cycle no. of the last sync */ last_sync_cycle, /* Cycle no. of the last sync */
last_path_time, /* Time for most recent path (ms) */ last_find_time, /* Time for most recent path (ms) */
last_crash_time, /* Time for most recent crash (ms) */ last_crash_time, /* Time for most recent crash (ms) */
last_hang_time, /* Time for most recent hang (ms) */ last_hang_time, /* Time for most recent hang (ms) */
exit_on_time; /* Delay to exit if no new paths */ exit_on_time; /* Delay to exit if no new paths */
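Review bot: `last_find_time` still carries the comment "Time for most recent path (ms)" and `exit_on_time` "Delay to exit if no new paths"; since the purpose of the rename is to stop calling corpus entries paths, change these to "Time of most recent find (ms)" and "Delay to exit if no new finds", and do the same for the "Paths with new coverage bytes", "Pending favored paths", "Current/Max path depth" and "Cycles without any new paths" comments in the earlier hunks of this struct.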

View File

@ -491,13 +491,13 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
#ifndef SIMPLE_FILES #ifndef SIMPLE_FILES
queue_fn = alloc_printf( queue_fn = alloc_printf(
"%s/queue/id:%06u,%s", afl->out_dir, afl->queued_paths, "%s/queue/id:%06u,%s", afl->out_dir, afl->queued_items,
describe_op(afl, new_bits, NAME_MAX - strlen("id:000000,"))); describe_op(afl, new_bits, NAME_MAX - strlen("id:000000,")));
#else #else
queue_fn = queue_fn =
alloc_printf("%s/queue/id_%06u", afl->out_dir, afl->queued_paths); alloc_printf("%s/queue/id_%06u", afl->out_dir, afl->queued_items);
#endif /* ^!SIMPLE_FILES */ #endif /* ^!SIMPLE_FILES */
fd = open(queue_fn, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION); fd = open(queue_fn, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION);
@ -586,7 +586,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
++afl->total_tmouts; ++afl->total_tmouts;
if (afl->unique_hangs >= KEEP_UNIQUE_HANG) { return keeping; } if (afl->saved_hangs >= KEEP_UNIQUE_HANG) { return keeping; }
if (likely(!afl->non_instrumented_mode)) { if (likely(!afl->non_instrumented_mode)) {
@ -603,7 +603,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
} }
++afl->unique_tmouts; ++afl->saved_tmouts;
#ifdef INTROSPECTION #ifdef INTROSPECTION
if (afl->custom_mutators_count && afl->current_custom_fuzz) { if (afl->custom_mutators_count && afl->current_custom_fuzz) {
@ -661,17 +661,17 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
#ifndef SIMPLE_FILES #ifndef SIMPLE_FILES
snprintf(fn, PATH_MAX, "%s/hangs/id:%06llu,%s", afl->out_dir, snprintf(fn, PATH_MAX, "%s/hangs/id:%06llu,%s", afl->out_dir,
afl->unique_hangs, afl->saved_hangs,
describe_op(afl, 0, NAME_MAX - strlen("id:000000,"))); describe_op(afl, 0, NAME_MAX - strlen("id:000000,")));
#else #else
snprintf(fn, PATH_MAX, "%s/hangs/id_%06llu", afl->out_dir, snprintf(fn, PATH_MAX, "%s/hangs/id_%06llu", afl->out_dir,
afl->unique_hangs); afl->saved_hangs);
#endif /* ^!SIMPLE_FILES */ #endif /* ^!SIMPLE_FILES */
++afl->unique_hangs; ++afl->saved_hangs;
afl->last_hang_time = get_cur_time(); afl->last_hang_time = get_cur_time();
@ -687,7 +687,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
++afl->total_crashes; ++afl->total_crashes;
if (afl->unique_crashes >= KEEP_UNIQUE_CRASH) { return keeping; } if (afl->saved_crashes >= KEEP_UNIQUE_CRASH) { return keeping; }
if (likely(!afl->non_instrumented_mode)) { if (likely(!afl->non_instrumented_mode)) {
@ -699,22 +699,22 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
} }
if (unlikely(!afl->unique_crashes)) { write_crash_readme(afl); } if (unlikely(!afl->saved_crashes)) { write_crash_readme(afl); }
#ifndef SIMPLE_FILES #ifndef SIMPLE_FILES
snprintf(fn, PATH_MAX, "%s/crashes/id:%06llu,sig:%02u,%s", afl->out_dir, snprintf(fn, PATH_MAX, "%s/crashes/id:%06llu,sig:%02u,%s", afl->out_dir,
afl->unique_crashes, afl->fsrv.last_kill_signal, afl->saved_crashes, afl->fsrv.last_kill_signal,
describe_op(afl, 0, NAME_MAX - strlen("id:000000,sig:00,"))); describe_op(afl, 0, NAME_MAX - strlen("id:000000,sig:00,")));
#else #else
snprintf(fn, PATH_MAX, "%s/crashes/id_%06llu_%02u", afl->out_dir, snprintf(fn, PATH_MAX, "%s/crashes/id_%06llu_%02u", afl->out_dir,
afl->unique_crashes, afl->last_kill_signal); afl->saved_crashes, afl->last_kill_signal);
#endif /* ^!SIMPLE_FILES */ #endif /* ^!SIMPLE_FILES */
++afl->unique_crashes; ++afl->saved_crashes;
#ifdef INTROSPECTION #ifdef INTROSPECTION
if (afl->custom_mutators_count && afl->current_custom_fuzz) { if (afl->custom_mutators_count && afl->current_custom_fuzz) {
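Review bot: the `#else` (SIMPLE_FILES) branch formats `afl->last_kill_signal` while the `#ifndef` branch uses `afl->fsrv.last_kill_signal`; the rename only touched `saved_crashes` here, so this is pre-existing, but the mismatch suggests the SIMPLE_FILES build is not compiled routinely, and it is worth a quick check that the field referenced in that branch actually exists before the renamed line goes in next to it.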

View File

@ -59,7 +59,7 @@ u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len) {
if (afl->subseq_tmouts++ > TMOUT_LIMIT) { if (afl->subseq_tmouts++ > TMOUT_LIMIT) {
++afl->cur_skipped_paths; ++afl->cur_skipped_items;
return 1; return 1;
} }
@ -76,7 +76,7 @@ u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len) {
if (afl->skip_requested) { if (afl->skip_requested) {
afl->skip_requested = 0; afl->skip_requested = 0;
++afl->cur_skipped_paths; ++afl->cur_skipped_items;
return 1; return 1;
} }

View File

@ -638,8 +638,8 @@ void read_foreign_testcases(afl_state_t *afl, int first) {
if (first) { if (first) {
afl->last_path_time = 0; afl->last_find_time = 0;
afl->queued_at_start = afl->queued_paths; afl->queued_at_start = afl->queued_items;
} }
@ -812,7 +812,7 @@ void read_testcases(afl_state_t *afl, u8 *directory) {
free(nl); /* not tracked */ free(nl); /* not tracked */
if (!afl->queued_paths && directory == NULL) { if (!afl->queued_items && directory == NULL) {
SAYF("\n" cLRD "[-] " cRST SAYF("\n" cLRD "[-] " cRST
"Looks like there are no valid test cases in the input directory! The " "Looks like there are no valid test cases in the input directory! The "
@ -841,8 +841,8 @@ void read_testcases(afl_state_t *afl, u8 *directory) {
} }
afl->last_path_time = 0; afl->last_find_time = 0;
afl->queued_at_start = afl->queued_paths; afl->queued_at_start = afl->queued_items;
} }
@ -855,7 +855,7 @@ void perform_dry_run(afl_state_t *afl) {
u32 cal_failures = 0, idx; u32 cal_failures = 0, idx;
u8 * use_mem; u8 * use_mem;
for (idx = 0; idx < afl->queued_paths; idx++) { for (idx = 0; idx < afl->queued_items; idx++) {
q = afl->queue_buf[idx]; q = afl->queue_buf[idx];
if (unlikely(!q || q->disabled)) { continue; } if (unlikely(!q || q->disabled)) { continue; }
@ -1059,14 +1059,14 @@ void perform_dry_run(afl_state_t *afl) {
q->perf_score = 0; q->perf_score = 0;
u32 i = 0; u32 i = 0;
while (unlikely(i < afl->queued_paths && afl->queue_buf[i] && while (unlikely(i < afl->queued_items && afl->queue_buf[i] &&
afl->queue_buf[i]->disabled)) { afl->queue_buf[i]->disabled)) {
++i; ++i;
} }
if (i < afl->queued_paths && afl->queue_buf[i]) { if (i < afl->queued_items && afl->queue_buf[i]) {
afl->queue = afl->queue_buf[i]; afl->queue = afl->queue_buf[i];
@ -1077,7 +1077,7 @@ void perform_dry_run(afl_state_t *afl) {
} }
afl->max_depth = 0; afl->max_depth = 0;
for (i = 0; i < afl->queued_paths && likely(afl->queue_buf[i]); i++) { for (i = 0; i < afl->queued_items && likely(afl->queue_buf[i]); i++) {
if (!afl->queue_buf[i]->disabled && if (!afl->queue_buf[i]->disabled &&
afl->queue_buf[i]->depth > afl->max_depth) afl->queue_buf[i]->depth > afl->max_depth)
@ -1118,16 +1118,16 @@ void perform_dry_run(afl_state_t *afl) {
if (cal_failures) { if (cal_failures) {
if (cal_failures == afl->queued_paths) { if (cal_failures == afl->queued_items) {
FATAL("All test cases time out or crash, giving up!"); FATAL("All test cases time out or crash, giving up!");
} }
WARNF("Skipped %u test cases (%0.02f%%) due to timeouts or crashes.", WARNF("Skipped %u test cases (%0.02f%%) due to timeouts or crashes.",
cal_failures, ((double)cal_failures) * 100 / afl->queued_paths); cal_failures, ((double)cal_failures) * 100 / afl->queued_items);
if (cal_failures * 5 > afl->queued_paths) { if (cal_failures * 5 > afl->queued_items) {
WARNF(cLRD "High percentage of rejected test cases, check settings!"); WARNF(cLRD "High percentage of rejected test cases, check settings!");
@ -1139,14 +1139,14 @@ void perform_dry_run(afl_state_t *afl) {
u32 duplicates = 0, i; u32 duplicates = 0, i;
for (idx = 0; idx < afl->queued_paths; idx++) { for (idx = 0; idx < afl->queued_items; idx++) {
q = afl->queue_buf[idx]; q = afl->queue_buf[idx];
if (!q || q->disabled || q->cal_failed || !q->exec_cksum) { continue; } if (!q || q->disabled || q->cal_failed || !q->exec_cksum) { continue; }
u32 done = 0; u32 done = 0;
for (i = idx + 1; for (i = idx + 1;
i < afl->queued_paths && !done && likely(afl->queue_buf[i]); i++) { i < afl->queued_items && !done && likely(afl->queue_buf[i]); i++) {
struct queue_entry *p = afl->queue_buf[i]; struct queue_entry *p = afl->queue_buf[i];
if (p->disabled || p->cal_failed || !p->exec_cksum) { continue; } if (p->disabled || p->cal_failed || !p->exec_cksum) { continue; }
@ -1196,7 +1196,7 @@ void perform_dry_run(afl_state_t *afl) {
afl->max_depth = 0; afl->max_depth = 0;
for (idx = 0; idx < afl->queued_paths; idx++) { for (idx = 0; idx < afl->queued_items; idx++) {
if (afl->queue_buf[idx] && !afl->queue_buf[idx]->disabled && if (afl->queue_buf[idx] && !afl->queue_buf[idx]->disabled &&
afl->queue_buf[idx]->depth > afl->max_depth) afl->queue_buf[idx]->depth > afl->max_depth)
@ -1254,7 +1254,7 @@ void pivot_inputs(afl_state_t *afl) {
ACTF("Creating hard links for all input files..."); ACTF("Creating hard links for all input files...");
for (i = 0; i < afl->queued_paths && likely(afl->queue_buf[i]); i++) { for (i = 0; i < afl->queued_items && likely(afl->queue_buf[i]); i++) {
q = afl->queue_buf[i]; q = afl->queue_buf[i];
@ -1293,7 +1293,7 @@ void pivot_inputs(afl_state_t *afl) {
if (src_str && sscanf(src_str + 1, "%06u", &src_id) == 1) { if (src_str && sscanf(src_str + 1, "%06u", &src_id) == 1) {
if (src_id < afl->queued_paths) { if (src_id < afl->queued_items) {
struct queue_entry *s = afl->queue_buf[src_id]; struct queue_entry *s = afl->queue_buf[src_id];
@ -1391,11 +1391,11 @@ u32 find_start_position(afl_state_t *afl) {
(void)i; /* Ignore errors */ (void)i; /* Ignore errors */
close(fd); close(fd);
off = strstr(tmp, "cur_path : "); off = strstr(tmp, "cur_item : ");
if (!off) { return 0; } if (!off) { return 0; }
ret = atoi(off + 20); ret = atoi(off + 20);
if (ret >= afl->queued_paths) { ret = 0; } if (ret >= afl->queued_items) { ret = 0; }
return ret; return ret;
} }
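Review bot: `ret = atoi(off + 20)` depends on the fixed width of the padded `cur_item : ` key in `fuzzer_stats`; `cur_item` is the same length as `cur_path`, so the offset still holds, but the code that writes that key is not in this diff, and if it was not renamed in lockstep `strstr` returns NULL and every resume silently starts at entry 0. The same silent fallback happens when resuming an output directory written before this rename, whose stats file still says `cur_path`; that deserves a sentence in the docs or changelog.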
@ -2040,9 +2040,9 @@ void setup_dirs_fds(afl_state_t *afl) {
fprintf( fprintf(
afl->fsrv.plot_file, afl->fsrv.plot_file,
"# relative_time, cycles_done, cur_path, paths_total, " "# relative_time, cycles_done, cur_item, corpus_count, "
"pending_total, pending_favs, map_size, unique_crashes, " "pending_total, pending_favs, map_size, saved_crashes, "
"unique_hangs, max_depth, execs_per_sec, total_execs, edges_found\n"); "saved_hangs, max_depth, execs_per_sec, total_execs, edges_found\n");
} else { } else {
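Review bot: the header comment of `plot_data` is part of the file format that afl-plot and third-party graphing tools consume; renaming `cur_path`, `paths_total`, `unique_crashes` and `unique_hangs` there is harmless for tools that pick columns by position but breaks any that key on the header names, so check the in-tree plot script and note the change for external users. Also, if the `else` branch shown here appends to an existing `plot_data` on resume, a directory resumed after upgrading will carry the old header line followed by rows the new code writes.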

View File

@ -423,7 +423,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
} else if (!afl->non_instrumented_mode && !afl->queue_cur->favored && } else if (!afl->non_instrumented_mode && !afl->queue_cur->favored &&
afl->queued_paths > 10) { afl->queued_items > 10) {
/* Otherwise, still possibly skip non-favored cases, albeit less often. /* Otherwise, still possibly skip non-favored cases, albeit less often.
The odds of skipping stuff are higher for already-fuzzed inputs and The odds of skipping stuff are higher for already-fuzzed inputs and
@ -449,7 +449,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
ACTF( ACTF(
"Fuzzing test case #%u (%u total, %llu uniq crashes found, " "Fuzzing test case #%u (%u total, %llu uniq crashes found, "
"perf_score=%0.0f, exec_us=%llu, hits=%u, map=%u, ascii=%u)...", "perf_score=%0.0f, exec_us=%llu, hits=%u, map=%u, ascii=%u)...",
afl->current_entry, afl->queued_paths, afl->unique_crashes, afl->current_entry, afl->queued_items, afl->saved_crashes,
afl->queue_cur->perf_score, afl->queue_cur->exec_us, afl->queue_cur->perf_score, afl->queue_cur->exec_us,
likely(afl->n_fuzz) ? afl->n_fuzz[afl->queue_cur->n_fuzz_entry] : 0, likely(afl->n_fuzz) ? afl->n_fuzz[afl->queue_cur->n_fuzz_entry] : 0,
afl->queue_cur->bitmap_size, afl->queue_cur->is_ascii); afl->queue_cur->bitmap_size, afl->queue_cur->is_ascii);
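Review bot: the log text still says "uniq crashes found" while the counter being printed is now `saved_crashes`; pick one user-facing term and use it in the message as well, otherwise the screen, the stats file and the code disagree on what the number is called.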
@ -492,7 +492,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
if (unlikely(afl->stop_soon) || res != afl->crash_mode) { if (unlikely(afl->stop_soon) || res != afl->crash_mode) {
++afl->cur_skipped_paths; ++afl->cur_skipped_items;
goto abandon_entry; goto abandon_entry;
} }
@ -519,7 +519,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
if (unlikely(afl->stop_soon)) { if (unlikely(afl->stop_soon)) {
++afl->cur_skipped_paths; ++afl->cur_skipped_items;
goto abandon_entry; goto abandon_entry;
} }
@ -566,8 +566,8 @@ u8 fuzz_one_original(afl_state_t *afl) {
if (afl->cmplog_lvl == 3 || if (afl->cmplog_lvl == 3 ||
(afl->cmplog_lvl == 2 && afl->queue_cur->tc_ref) || (afl->cmplog_lvl == 2 && afl->queue_cur->tc_ref) ||
afl->queue_cur->favored || afl->queue_cur->favored ||
!(afl->fsrv.total_execs % afl->queued_paths) || !(afl->fsrv.total_execs % afl->queued_items) ||
get_cur_time() - afl->last_path_time > 300000) { // 300 seconds get_cur_time() - afl->last_find_time > 300000) { // 300 seconds
if (input_to_state_stage(afl, in_buf, out_buf, len)) { if (input_to_state_stage(afl, in_buf, out_buf, len)) {
@ -630,7 +630,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
afl->stage_val_type = STAGE_VAL_NONE; afl->stage_val_type = STAGE_VAL_NONE;
orig_hit_cnt = afl->queued_paths + afl->unique_crashes; orig_hit_cnt = afl->queued_items + afl->saved_crashes;
prev_cksum = afl->queue_cur->exec_cksum; prev_cksum = afl->queue_cur->exec_cksum;
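Review bot: `orig_hit_cnt = afl->queued_items + afl->saved_crashes;` and the matching `new_hit_cnt` assignment are repeated verbatim in every deterministic, custom-mutator and havoc stage in the hunks that follow, which is why a pure rename touches so many lines in this file; a small helper such as `static inline u64 hit_count(afl_state_t *afl) { return afl->queued_items + afl->saved_crashes; }` would make the next rename a one-line change and also document what a "hit" is.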
@ -734,7 +734,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
} }
new_hit_cnt = afl->queued_paths + afl->unique_crashes; new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_FLIP1] += new_hit_cnt - orig_hit_cnt; afl->stage_finds[STAGE_FLIP1] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_FLIP1] += afl->stage_max; afl->stage_cycles[STAGE_FLIP1] += afl->stage_max;
@ -766,7 +766,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
} }
new_hit_cnt = afl->queued_paths + afl->unique_crashes; new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_FLIP2] += new_hit_cnt - orig_hit_cnt; afl->stage_finds[STAGE_FLIP2] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_FLIP2] += afl->stage_max; afl->stage_cycles[STAGE_FLIP2] += afl->stage_max;
@ -802,7 +802,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
} }
new_hit_cnt = afl->queued_paths + afl->unique_crashes; new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_FLIP4] += new_hit_cnt - orig_hit_cnt; afl->stage_finds[STAGE_FLIP4] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_FLIP4] += afl->stage_max; afl->stage_cycles[STAGE_FLIP4] += afl->stage_max;
@ -909,7 +909,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
afl->blocks_eff_total += EFF_ALEN(len); afl->blocks_eff_total += EFF_ALEN(len);
new_hit_cnt = afl->queued_paths + afl->unique_crashes; new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_FLIP8] += new_hit_cnt - orig_hit_cnt; afl->stage_finds[STAGE_FLIP8] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_FLIP8] += afl->stage_max; afl->stage_cycles[STAGE_FLIP8] += afl->stage_max;
@ -952,7 +952,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
} }
new_hit_cnt = afl->queued_paths + afl->unique_crashes; new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_FLIP16] += new_hit_cnt - orig_hit_cnt; afl->stage_finds[STAGE_FLIP16] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_FLIP16] += afl->stage_max; afl->stage_cycles[STAGE_FLIP16] += afl->stage_max;
@ -995,7 +995,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
} }
new_hit_cnt = afl->queued_paths + afl->unique_crashes; new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_FLIP32] += new_hit_cnt - orig_hit_cnt; afl->stage_finds[STAGE_FLIP32] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_FLIP32] += afl->stage_max; afl->stage_cycles[STAGE_FLIP32] += afl->stage_max;
@ -1087,7 +1087,7 @@ skip_bitflip:
} }
new_hit_cnt = afl->queued_paths + afl->unique_crashes; new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_ARITH8] += new_hit_cnt - orig_hit_cnt; afl->stage_finds[STAGE_ARITH8] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_ARITH8] += afl->stage_max; afl->stage_cycles[STAGE_ARITH8] += afl->stage_max;
@ -1217,7 +1217,7 @@ skip_bitflip:
} }
new_hit_cnt = afl->queued_paths + afl->unique_crashes; new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_ARITH16] += new_hit_cnt - orig_hit_cnt; afl->stage_finds[STAGE_ARITH16] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_ARITH16] += afl->stage_max; afl->stage_cycles[STAGE_ARITH16] += afl->stage_max;
@ -1346,7 +1346,7 @@ skip_bitflip:
} }
new_hit_cnt = afl->queued_paths + afl->unique_crashes; new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_ARITH32] += new_hit_cnt - orig_hit_cnt; afl->stage_finds[STAGE_ARITH32] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_ARITH32] += afl->stage_max; afl->stage_cycles[STAGE_ARITH32] += afl->stage_max;
@ -1412,7 +1412,7 @@ skip_arith:
} }
new_hit_cnt = afl->queued_paths + afl->unique_crashes; new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_INTEREST8] += new_hit_cnt - orig_hit_cnt; afl->stage_finds[STAGE_INTEREST8] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_INTEREST8] += afl->stage_max; afl->stage_cycles[STAGE_INTEREST8] += afl->stage_max;
@ -1500,7 +1500,7 @@ skip_arith:
} }
new_hit_cnt = afl->queued_paths + afl->unique_crashes; new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_INTEREST16] += new_hit_cnt - orig_hit_cnt; afl->stage_finds[STAGE_INTEREST16] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_INTEREST16] += afl->stage_max; afl->stage_cycles[STAGE_INTEREST16] += afl->stage_max;
@ -1589,7 +1589,7 @@ skip_arith:
} }
new_hit_cnt = afl->queued_paths + afl->unique_crashes; new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_INTEREST32] += new_hit_cnt - orig_hit_cnt; afl->stage_finds[STAGE_INTEREST32] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_INTEREST32] += afl->stage_max; afl->stage_cycles[STAGE_INTEREST32] += afl->stage_max;
@ -1662,7 +1662,7 @@ skip_interest:
} }
new_hit_cnt = afl->queued_paths + afl->unique_crashes; new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_EXTRAS_UO] += new_hit_cnt - orig_hit_cnt; afl->stage_finds[STAGE_EXTRAS_UO] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_EXTRAS_UO] += afl->stage_max; afl->stage_cycles[STAGE_EXTRAS_UO] += afl->stage_max;
@ -1718,7 +1718,7 @@ skip_interest:
} }
new_hit_cnt = afl->queued_paths + afl->unique_crashes; new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_EXTRAS_UI] += new_hit_cnt - orig_hit_cnt; afl->stage_finds[STAGE_EXTRAS_UI] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_EXTRAS_UI] += afl->stage_max; afl->stage_cycles[STAGE_EXTRAS_UI] += afl->stage_max;
@ -1776,7 +1776,7 @@ skip_user_extras:
} }
new_hit_cnt = afl->queued_paths + afl->unique_crashes; new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_EXTRAS_AO] += new_hit_cnt - orig_hit_cnt; afl->stage_finds[STAGE_EXTRAS_AO] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_EXTRAS_AO] += afl->stage_max; afl->stage_cycles[STAGE_EXTRAS_AO] += afl->stage_max;
@ -1806,7 +1806,7 @@ custom_mutator_stage:
const u32 max_seed_size = MAX_FILE, saved_max = afl->stage_max; const u32 max_seed_size = MAX_FILE, saved_max = afl->stage_max;
orig_hit_cnt = afl->queued_paths + afl->unique_crashes; orig_hit_cnt = afl->queued_items + afl->saved_crashes;
#ifdef INTROSPECTION #ifdef INTROSPECTION
afl->mutation[0] = 0; afl->mutation[0] = 0;
@ -1850,7 +1850,7 @@ custom_mutator_stage:
do { do {
tid = rand_below(afl, afl->queued_paths); tid = rand_below(afl, afl->queued_items);
} while (unlikely(tid == afl->current_entry || } while (unlikely(tid == afl->current_entry ||
@ -1890,7 +1890,7 @@ custom_mutator_stage:
/* If we're finding new stuff, let's run for a bit longer, limits /* If we're finding new stuff, let's run for a bit longer, limits
permitting. */ permitting. */
if (afl->queued_paths != havoc_queued) { if (afl->queued_items != havoc_queued) {
if (perf_score <= afl->havoc_max_mult * 100) { if (perf_score <= afl->havoc_max_mult * 100) {
@ -1899,7 +1899,7 @@ custom_mutator_stage:
} }
havoc_queued = afl->queued_paths; havoc_queued = afl->queued_items;
} }
@ -1926,7 +1926,7 @@ custom_mutator_stage:
if (!has_custom_fuzz) goto havoc_stage; if (!has_custom_fuzz) goto havoc_stage;
new_hit_cnt = afl->queued_paths + afl->unique_crashes; new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_CUSTOM_MUTATOR] += new_hit_cnt - orig_hit_cnt; afl->stage_finds[STAGE_CUSTOM_MUTATOR] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_CUSTOM_MUTATOR] += afl->stage_max; afl->stage_cycles[STAGE_CUSTOM_MUTATOR] += afl->stage_max;
@ -1972,9 +1972,9 @@ havoc_stage:
temp_len = len; temp_len = len;
orig_hit_cnt = afl->queued_paths + afl->unique_crashes; orig_hit_cnt = afl->queued_items + afl->saved_crashes;
havoc_queued = afl->queued_paths; havoc_queued = afl->queued_items;
if (afl->custom_mutators_count) { if (afl->custom_mutators_count) {
@ -2023,7 +2023,7 @@ havoc_stage:
} }
if (unlikely(get_cur_time() - afl->last_path_time > 5000 /* 5 seconds */ && if (unlikely(get_cur_time() - afl->last_find_time > 5000 /* 5 seconds */ &&
afl->ready_for_splicing_count > 1)) { afl->ready_for_splicing_count > 1)) {
/* add expensive havoc cases here if there is no findings in the last 5s */ /* add expensive havoc cases here if there is no findings in the last 5s */
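Review bot: the comment `/* add expensive havoc cases here if there is no findings in the last 5s */` promises more than `afl->last_find_time` delivers: the only place this diff updates that timer is `add_to_queue()` in the afl-fuzz-queue.c hunk below, so a fresh crash or hang (which bump `last_crash_time` / `last_hang_time` instead) does not reset it. Either reword the comment to "no new queue entries in the last 5s" or include the crash/hang timers in the check; as written, the rename from `last_path_time` to `last_find_time` makes the variable sound broader than it is.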
@ -2669,7 +2669,7 @@ havoc_stage:
u32 tid; u32 tid;
do { do {
tid = rand_below(afl, afl->queued_paths); tid = rand_below(afl, afl->queued_items);
} while (tid == afl->current_entry || afl->queue_buf[tid]->len < 4); } while (tid == afl->current_entry || afl->queue_buf[tid]->len < 4);
@ -2757,7 +2757,7 @@ havoc_stage:
/* If we're finding new stuff, let's run for a bit longer, limits /* If we're finding new stuff, let's run for a bit longer, limits
permitting. */ permitting. */
if (afl->queued_paths != havoc_queued) { if (afl->queued_items != havoc_queued) {
if (perf_score <= afl->havoc_max_mult * 100) { if (perf_score <= afl->havoc_max_mult * 100) {
@ -2766,13 +2766,13 @@ havoc_stage:
} }
havoc_queued = afl->queued_paths; havoc_queued = afl->queued_items;
} }
} }
new_hit_cnt = afl->queued_paths + afl->unique_crashes; new_hit_cnt = afl->queued_items + afl->saved_crashes;
if (!splice_cycle) { if (!splice_cycle) {
@ -2821,7 +2821,7 @@ retry_splicing:
do { do {
tid = rand_below(afl, afl->queued_paths); tid = rand_below(afl, afl->queued_items);
} while (tid == afl->current_entry || afl->queue_buf[tid]->len < 4); } while (tid == afl->current_entry || afl->queue_buf[tid]->len < 4);
@ -2945,7 +2945,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
} else if (!afl->non_instrumented_mode && !afl->queue_cur->favored && } else if (!afl->non_instrumented_mode && !afl->queue_cur->favored &&
afl->queued_paths > 10) { afl->queued_items > 10) {
/* Otherwise, still possibly skip non-favored cases, albeit less often. /* Otherwise, still possibly skip non-favored cases, albeit less often.
The odds of skipping stuff are higher for already-fuzzed inputs and The odds of skipping stuff are higher for already-fuzzed inputs and
@ -2969,7 +2969,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
if (afl->not_on_tty) { if (afl->not_on_tty) {
ACTF("Fuzzing test case #%u (%u total, %llu uniq crashes found)...", ACTF("Fuzzing test case #%u (%u total, %llu uniq crashes found)...",
afl->current_entry, afl->queued_paths, afl->unique_crashes); afl->current_entry, afl->queued_items, afl->saved_crashes);
fflush(stdout); fflush(stdout);
} }
@ -3010,7 +3010,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
if (afl->stop_soon || res != afl->crash_mode) { if (afl->stop_soon || res != afl->crash_mode) {
++afl->cur_skipped_paths; ++afl->cur_skipped_items;
goto abandon_entry; goto abandon_entry;
} }
@ -3037,7 +3037,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
if (unlikely(afl->stop_soon)) { if (unlikely(afl->stop_soon)) {
++afl->cur_skipped_paths; ++afl->cur_skipped_items;
goto abandon_entry; goto abandon_entry;
} }
@ -3082,8 +3082,8 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
if (afl->cmplog_lvl == 3 || if (afl->cmplog_lvl == 3 ||
(afl->cmplog_lvl == 2 && afl->queue_cur->tc_ref) || (afl->cmplog_lvl == 2 && afl->queue_cur->tc_ref) ||
!(afl->fsrv.total_execs % afl->queued_paths) || !(afl->fsrv.total_execs % afl->queued_items) ||
get_cur_time() - afl->last_path_time > 300000) { // 300 seconds get_cur_time() - afl->last_find_time > 300000) { // 300 seconds
if (input_to_state_stage(afl, in_buf, out_buf, len)) { if (input_to_state_stage(afl, in_buf, out_buf, len)) {
@ -3101,10 +3101,10 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
cur_ms_lv = get_cur_time(); cur_ms_lv = get_cur_time();
if (!(afl->key_puppet == 0 && if (!(afl->key_puppet == 0 &&
((cur_ms_lv - afl->last_path_time < (u32)afl->limit_time_puppet) || ((cur_ms_lv - afl->last_find_time < (u32)afl->limit_time_puppet) ||
(afl->last_crash_time != 0 && (afl->last_crash_time != 0 &&
cur_ms_lv - afl->last_crash_time < (u32)afl->limit_time_puppet) || cur_ms_lv - afl->last_crash_time < (u32)afl->limit_time_puppet) ||
afl->last_path_time == 0))) { afl->last_find_time == 0))) {
afl->key_puppet = 1; afl->key_puppet = 1;
goto pacemaker_fuzzing; goto pacemaker_fuzzing;
@ -3156,7 +3156,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
afl->stage_val_type = STAGE_VAL_NONE; afl->stage_val_type = STAGE_VAL_NONE;
orig_hit_cnt = afl->queued_paths + afl->unique_crashes; orig_hit_cnt = afl->queued_items + afl->saved_crashes;
prev_cksum = afl->queue_cur->exec_cksum; prev_cksum = afl->queue_cur->exec_cksum;
@ -3259,7 +3259,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
} /* for afl->stage_cur */ } /* for afl->stage_cur */
new_hit_cnt = afl->queued_paths + afl->unique_crashes; new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_FLIP1] += new_hit_cnt - orig_hit_cnt; afl->stage_finds[STAGE_FLIP1] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_FLIP1] += afl->stage_max; afl->stage_cycles[STAGE_FLIP1] += afl->stage_max;
@ -3290,7 +3290,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
} /* for afl->stage_cur */ } /* for afl->stage_cur */
new_hit_cnt = afl->queued_paths + afl->unique_crashes; new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_FLIP2] += new_hit_cnt - orig_hit_cnt; afl->stage_finds[STAGE_FLIP2] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_FLIP2] += afl->stage_max; afl->stage_cycles[STAGE_FLIP2] += afl->stage_max;
@ -3325,7 +3325,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
} /* for afl->stage_cur */ } /* for afl->stage_cur */
new_hit_cnt = afl->queued_paths + afl->unique_crashes; new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_FLIP4] += new_hit_cnt - orig_hit_cnt; afl->stage_finds[STAGE_FLIP4] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_FLIP4] += afl->stage_max; afl->stage_cycles[STAGE_FLIP4] += afl->stage_max;
@ -3431,7 +3431,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
afl->blocks_eff_total += EFF_ALEN(len); afl->blocks_eff_total += EFF_ALEN(len);
new_hit_cnt = afl->queued_paths + afl->unique_crashes; new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_FLIP8] += new_hit_cnt - orig_hit_cnt; afl->stage_finds[STAGE_FLIP8] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_FLIP8] += afl->stage_max; afl->stage_cycles[STAGE_FLIP8] += afl->stage_max;
@ -3473,7 +3473,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
} /* for i = 0; i < len */ } /* for i = 0; i < len */
new_hit_cnt = afl->queued_paths + afl->unique_crashes; new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_FLIP16] += new_hit_cnt - orig_hit_cnt; afl->stage_finds[STAGE_FLIP16] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_FLIP16] += afl->stage_max; afl->stage_cycles[STAGE_FLIP16] += afl->stage_max;
@ -3515,7 +3515,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
} /* for i = 0; i < len - 3 */ } /* for i = 0; i < len - 3 */
new_hit_cnt = afl->queued_paths + afl->unique_crashes; new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_FLIP32] += new_hit_cnt - orig_hit_cnt; afl->stage_finds[STAGE_FLIP32] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_FLIP32] += afl->stage_max; afl->stage_cycles[STAGE_FLIP32] += afl->stage_max;
@ -3605,7 +3605,7 @@ skip_bitflip:
} /* for i = 0; i < len */ } /* for i = 0; i < len */
new_hit_cnt = afl->queued_paths + afl->unique_crashes; new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_ARITH8] += new_hit_cnt - orig_hit_cnt; afl->stage_finds[STAGE_ARITH8] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_ARITH8] += afl->stage_max; afl->stage_cycles[STAGE_ARITH8] += afl->stage_max;
@ -3731,7 +3731,7 @@ skip_bitflip:
} /* for i = 0; i < len - 1 */ } /* for i = 0; i < len - 1 */
new_hit_cnt = afl->queued_paths + afl->unique_crashes; new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_ARITH16] += new_hit_cnt - orig_hit_cnt; afl->stage_finds[STAGE_ARITH16] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_ARITH16] += afl->stage_max; afl->stage_cycles[STAGE_ARITH16] += afl->stage_max;
@ -3856,7 +3856,7 @@ skip_bitflip:
} /* for i = 0; i < len - 3 */ } /* for i = 0; i < len - 3 */
new_hit_cnt = afl->queued_paths + afl->unique_crashes; new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_ARITH32] += new_hit_cnt - orig_hit_cnt; afl->stage_finds[STAGE_ARITH32] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_ARITH32] += afl->stage_max; afl->stage_cycles[STAGE_ARITH32] += afl->stage_max;
@ -3921,7 +3921,7 @@ skip_arith:
} /* for i = 0; i < len */ } /* for i = 0; i < len */
new_hit_cnt = afl->queued_paths + afl->unique_crashes; new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_INTEREST8] += new_hit_cnt - orig_hit_cnt; afl->stage_finds[STAGE_INTEREST8] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_INTEREST8] += afl->stage_max; afl->stage_cycles[STAGE_INTEREST8] += afl->stage_max;
@ -4007,7 +4007,7 @@ skip_arith:
} /* for i = 0; i < len - 1 */ } /* for i = 0; i < len - 1 */
new_hit_cnt = afl->queued_paths + afl->unique_crashes; new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_INTEREST16] += new_hit_cnt - orig_hit_cnt; afl->stage_finds[STAGE_INTEREST16] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_INTEREST16] += afl->stage_max; afl->stage_cycles[STAGE_INTEREST16] += afl->stage_max;
@ -4094,7 +4094,7 @@ skip_arith:
} /* for i = 0; i < len - 3 */ } /* for i = 0; i < len - 3 */
new_hit_cnt = afl->queued_paths + afl->unique_crashes; new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_INTEREST32] += new_hit_cnt - orig_hit_cnt; afl->stage_finds[STAGE_INTEREST32] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_INTEREST32] += afl->stage_max; afl->stage_cycles[STAGE_INTEREST32] += afl->stage_max;
@ -4167,7 +4167,7 @@ skip_interest:
} /* for i = 0; i < len */ } /* for i = 0; i < len */
new_hit_cnt = afl->queued_paths + afl->unique_crashes; new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_EXTRAS_UO] += new_hit_cnt - orig_hit_cnt; afl->stage_finds[STAGE_EXTRAS_UO] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_EXTRAS_UO] += afl->stage_max; afl->stage_cycles[STAGE_EXTRAS_UO] += afl->stage_max;
@ -4223,7 +4223,7 @@ skip_interest:
} /* for i = 0; i <= len */ } /* for i = 0; i <= len */
new_hit_cnt = afl->queued_paths + afl->unique_crashes; new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_EXTRAS_UI] += new_hit_cnt - orig_hit_cnt; afl->stage_finds[STAGE_EXTRAS_UI] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_EXTRAS_UI] += afl->stage_max; afl->stage_cycles[STAGE_EXTRAS_UI] += afl->stage_max;
@ -4282,7 +4282,7 @@ skip_user_extras:
} /* for i = 0; i < len */ } /* for i = 0; i < len */
new_hit_cnt = afl->queued_paths + afl->unique_crashes; new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_EXTRAS_AO] += new_hit_cnt - orig_hit_cnt; afl->stage_finds[STAGE_EXTRAS_AO] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_EXTRAS_AO] += afl->stage_max; afl->stage_cycles[STAGE_EXTRAS_AO] += afl->stage_max;
@ -4335,7 +4335,7 @@ pacemaker_fuzzing:
if (unlikely(afl->orig_hit_cnt_puppet == 0)) { if (unlikely(afl->orig_hit_cnt_puppet == 0)) {
afl->orig_hit_cnt_puppet = afl->queued_paths + afl->unique_crashes; afl->orig_hit_cnt_puppet = afl->queued_items + afl->saved_crashes;
afl->last_limit_time_start = get_cur_time(); afl->last_limit_time_start = get_cur_time();
afl->SPLICE_CYCLES_puppet = afl->SPLICE_CYCLES_puppet =
(rand_below( (rand_below(
@ -4380,9 +4380,9 @@ pacemaker_fuzzing:
temp_len = len; temp_len = len;
orig_hit_cnt = afl->queued_paths + afl->unique_crashes; orig_hit_cnt = afl->queued_items + afl->saved_crashes;
havoc_queued = afl->queued_paths; havoc_queued = afl->queued_items;
u32 r_max; u32 r_max;
@ -4948,7 +4948,7 @@ pacemaker_fuzzing:
u32 tid; u32 tid;
do { do {
tid = rand_below(afl, afl->queued_paths); tid = rand_below(afl, afl->queued_items);
} while (tid == afl->current_entry || } while (tid == afl->current_entry ||
@ -5029,7 +5029,7 @@ pacemaker_fuzzing:
++*MOpt_globals.pTime; ++*MOpt_globals.pTime;
u64 temp_total_found = afl->queued_paths + afl->unique_crashes; u64 temp_total_found = afl->queued_items + afl->saved_crashes;
if (common_fuzz_stuff(afl, out_buf, temp_len)) { if (common_fuzz_stuff(afl, out_buf, temp_len)) {
@ -5048,7 +5048,7 @@ pacemaker_fuzzing:
/* If we're finding new stuff, let's run for a bit longer, limits /* If we're finding new stuff, let's run for a bit longer, limits
permitting. */ permitting. */
if (afl->queued_paths != havoc_queued) { if (afl->queued_items != havoc_queued) {
if (perf_score <= afl->havoc_max_mult * 100) { if (perf_score <= afl->havoc_max_mult * 100) {
@ -5057,15 +5057,15 @@ pacemaker_fuzzing:
} }
havoc_queued = afl->queued_paths; havoc_queued = afl->queued_items;
} }
if (unlikely(afl->queued_paths + afl->unique_crashes > if (unlikely(afl->queued_items + afl->saved_crashes >
temp_total_found)) { temp_total_found)) {
u64 temp_temp_puppet = u64 temp_temp_puppet =
afl->queued_paths + afl->unique_crashes - temp_total_found; afl->queued_items + afl->saved_crashes - temp_total_found;
afl->total_puppet_find = afl->total_puppet_find + temp_temp_puppet; afl->total_puppet_find = afl->total_puppet_find + temp_temp_puppet;
if (MOpt_globals.is_pilot_mode) { if (MOpt_globals.is_pilot_mode) {
@ -5099,7 +5099,7 @@ pacemaker_fuzzing:
++afl->stage_cur) { */ ++afl->stage_cur) { */
new_hit_cnt = afl->queued_paths + afl->unique_crashes; new_hit_cnt = afl->queued_items + afl->saved_crashes;
if (MOpt_globals.is_pilot_mode) { if (MOpt_globals.is_pilot_mode) {
@ -5149,7 +5149,7 @@ pacemaker_fuzzing:
do { do {
tid = rand_below(afl, afl->queued_paths); tid = rand_below(afl, afl->queued_items);
} while (tid == afl->current_entry || afl->queue_buf[tid]->len < 4); } while (tid == afl->current_entry || afl->queue_buf[tid]->len < 4);
@ -5235,8 +5235,8 @@ pacemaker_fuzzing:
if (afl->key_puppet == 1) { if (afl->key_puppet == 1) {
if (unlikely( if (unlikely(
afl->queued_paths + afl->unique_crashes > afl->queued_items + afl->saved_crashes >
((afl->queued_paths + afl->unique_crashes) * limit_time_bound + ((afl->queued_items + afl->saved_crashes) * limit_time_bound +
afl->orig_hit_cnt_puppet))) { afl->orig_hit_cnt_puppet))) {
afl->key_puppet = 0; afl->key_puppet = 0;
@ -5251,7 +5251,7 @@ pacemaker_fuzzing:
afl->total_pacemaker_time += *MOpt_globals.pTime; afl->total_pacemaker_time += *MOpt_globals.pTime;
*MOpt_globals.pTime = 0; *MOpt_globals.pTime = 0;
new_hit_cnt = afl->queued_paths + afl->unique_crashes; new_hit_cnt = afl->queued_items + afl->saved_crashes;
if (MOpt_globals.is_pilot_mode) { if (MOpt_globals.is_pilot_mode) {

View File

@ -31,7 +31,7 @@
inline u32 select_next_queue_entry(afl_state_t *afl) { inline u32 select_next_queue_entry(afl_state_t *afl) {
u32 s = rand_below(afl, afl->queued_paths); u32 s = rand_below(afl, afl->queued_items);
double p = rand_next_percent(afl); double p = rand_next_percent(afl);
/* /*
fprintf(stderr, "select: p=%f s=%u ... p < prob[s]=%f ? s=%u : alias[%u]=%u" fprintf(stderr, "select: p=%f s=%u ... p < prob[s]=%f ? s=%u : alias[%u]=%u"
@ -69,7 +69,7 @@ double compute_weight(afl_state_t *afl, struct queue_entry *q,
void create_alias_table(afl_state_t *afl) { void create_alias_table(afl_state_t *afl) {
u32 n = afl->queued_paths, i = 0, a, g; u32 n = afl->queued_items, i = 0, a, g;
double sum = 0; double sum = 0;
afl->alias_table = afl->alias_table =
@ -547,19 +547,19 @@ void add_to_queue(afl_state_t *afl, u8 *fname, u32 len, u8 passed_det) {
if (likely(q->len > 4)) afl->ready_for_splicing_count++; if (likely(q->len > 4)) afl->ready_for_splicing_count++;
++afl->queued_paths; ++afl->queued_items;
++afl->active_paths; ++afl->active_paths;
++afl->pending_not_fuzzed; ++afl->pending_not_fuzzed;
afl->cycles_wo_finds = 0; afl->cycles_wo_finds = 0;
struct queue_entry **queue_buf = afl_realloc( struct queue_entry **queue_buf = afl_realloc(
AFL_BUF_PARAM(queue), afl->queued_paths * sizeof(struct queue_entry *)); AFL_BUF_PARAM(queue), afl->queued_items * sizeof(struct queue_entry *));
if (unlikely(!queue_buf)) { PFATAL("alloc"); } if (unlikely(!queue_buf)) { PFATAL("alloc"); }
queue_buf[afl->queued_paths - 1] = q; queue_buf[afl->queued_items - 1] = q;
q->id = afl->queued_paths - 1; q->id = afl->queued_items - 1;
afl->last_path_time = get_cur_time(); afl->last_find_time = get_cur_time();
if (afl->custom_mutators_count) { if (afl->custom_mutators_count) {
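Review bot: the rename stops one line short here: `++afl->active_paths;` sits between `++afl->queued_items;` and `++afl->pending_not_fuzzed;` and keeps the old "paths" vocabulary that the rest of this diff is retiring (`n_paths` became `n_items` in `calculate_score()` further down). Either rename it to `active_items` in the same commit or say in the commit message that `active_paths` is intentionally left alone, so nobody files a follow-up for it.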
@ -583,7 +583,7 @@ void destroy_queue(afl_state_t *afl) {
u32 i; u32 i;
for (i = 0; i < afl->queued_paths; i++) { for (i = 0; i < afl->queued_items; i++) {
struct queue_entry *q; struct queue_entry *q;
@ -737,7 +737,7 @@ void cull_queue(afl_state_t *afl) {
afl->queued_favored = 0; afl->queued_favored = 0;
afl->pending_favored = 0; afl->pending_favored = 0;
for (i = 0; i < afl->queued_paths; i++) { for (i = 0; i < afl->queued_items; i++) {
afl->queue_buf[i]->favored = 0; afl->queue_buf[i]->favored = 0;
@ -782,7 +782,7 @@ void cull_queue(afl_state_t *afl) {
} }
for (i = 0; i < afl->queued_paths; i++) { for (i = 0; i < afl->queued_items; i++) {
if (likely(!afl->queue_buf[i]->disabled)) { if (likely(!afl->queue_buf[i]->disabled)) {
@ -915,7 +915,7 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) {
} }
u32 n_paths; u32 n_items;
double factor = 1.0; double factor = 1.0;
long double fuzz_mu; long double fuzz_mu;
@ -933,26 +933,26 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) {
case COE: case COE:
fuzz_mu = 0.0; fuzz_mu = 0.0;
n_paths = 0; n_items = 0;
// Don't modify perf_score for unfuzzed seeds // Don't modify perf_score for unfuzzed seeds
if (q->fuzz_level == 0) break; if (q->fuzz_level == 0) break;
u32 i; u32 i;
for (i = 0; i < afl->queued_paths; i++) { for (i = 0; i < afl->queued_items; i++) {
if (likely(!afl->queue_buf[i]->disabled)) { if (likely(!afl->queue_buf[i]->disabled)) {
fuzz_mu += log2(afl->n_fuzz[afl->queue_buf[i]->n_fuzz_entry]); fuzz_mu += log2(afl->n_fuzz[afl->queue_buf[i]->n_fuzz_entry]);
n_paths++; n_items++;
} }
} }
if (unlikely(!n_paths)) { FATAL("Queue state corrupt"); } if (unlikely(!n_items)) { FATAL("Queue state corrupt"); }
fuzz_mu = fuzz_mu / n_paths; fuzz_mu = fuzz_mu / n_items;
if (log2(afl->n_fuzz[q->n_fuzz_entry]) > fuzz_mu) { if (log2(afl->n_fuzz[q->n_fuzz_entry]) > fuzz_mu) {
@ -1018,7 +1018,7 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) {
-- rare. the simpler algo however is good when rare is not. -- rare. the simpler algo however is good when rare is not.
// the newer the entry, the higher the pref_score // the newer the entry, the higher the pref_score
perf_score *= (1 + (double)((double)q->depth / perf_score *= (1 + (double)((double)q->depth /
(double)afl->queued_paths)); (double)afl->queued_items));
// with special focus on the last 8 entries // with special focus on the last 8 entries
if (afl->max_depth - q->depth < 8) perf_score *= (1 + ((8 - if (afl->max_depth - q->depth < 8) perf_score *= (1 + ((8 -
(afl->max_depth - q->depth)) / 5)); (afl->max_depth - q->depth)) / 5));

View File

@ -276,7 +276,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len,
#endif #endif
u64 orig_hit_cnt, new_hit_cnt, exec_cksum; u64 orig_hit_cnt, new_hit_cnt, exec_cksum;
orig_hit_cnt = afl->queued_paths + afl->unique_crashes; orig_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_name = "colorization"; afl->stage_name = "colorization";
afl->stage_short = "colorization"; afl->stage_short = "colorization";
@ -424,7 +424,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len,
} }
new_hit_cnt = afl->queued_paths + afl->unique_crashes; new_hit_cnt = afl->queued_items + afl->saved_crashes;
#if defined(_DEBUG) || defined(CMPLOG_INTROSPECTION) #if defined(_DEBUG) || defined(CMPLOG_INTROSPECTION)
FILE *f = stderr; FILE *f = stderr;
@ -517,7 +517,7 @@ static u8 its_fuzz(afl_state_t *afl, u8 *buf, u32 len, u8 *status) {
u64 orig_hit_cnt, new_hit_cnt; u64 orig_hit_cnt, new_hit_cnt;
orig_hit_cnt = afl->queued_paths + afl->unique_crashes; orig_hit_cnt = afl->queued_items + afl->saved_crashes;
#ifdef _DEBUG #ifdef _DEBUG
dump("DATA", buf, len); dump("DATA", buf, len);
@ -525,7 +525,7 @@ static u8 its_fuzz(afl_state_t *afl, u8 *buf, u32 len, u8 *status) {
if (unlikely(common_fuzz_stuff(afl, buf, len))) { return 1; } if (unlikely(common_fuzz_stuff(afl, buf, len))) { return 1; }
new_hit_cnt = afl->queued_paths + afl->unique_crashes; new_hit_cnt = afl->queued_items + afl->saved_crashes;
if (unlikely(new_hit_cnt != orig_hit_cnt)) { if (unlikely(new_hit_cnt != orig_hit_cnt)) {
@ -2720,7 +2720,7 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len) {
u64 orig_hit_cnt, new_hit_cnt; u64 orig_hit_cnt, new_hit_cnt;
u64 orig_execs = afl->fsrv.total_execs; u64 orig_execs = afl->fsrv.total_execs;
orig_hit_cnt = afl->queued_paths + afl->unique_crashes; orig_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_name = "input-to-state"; afl->stage_name = "input-to-state";
afl->stage_short = "its"; afl->stage_short = "its";
@ -2845,7 +2845,7 @@ exit_its:
} }
#ifdef CMPLOG_COMBINE #ifdef CMPLOG_COMBINE
if (afl->queued_paths + afl->unique_crashes > orig_hit_cnt + 1) { if (afl->queued_items + afl->saved_crashes > orig_hit_cnt + 1) {
// copy the current virgin bits so we can recover the information // copy the current virgin bits so we can recover the information
u8 *virgin_save = afl_realloc((void **)&afl->eff_buf, afl->shm.map_size); u8 *virgin_save = afl_realloc((void **)&afl->eff_buf, afl->shm.map_size);
@ -2897,7 +2897,7 @@ exit_its:
#endif #endif
new_hit_cnt = afl->queued_paths + afl->unique_crashes; new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_ITS] += new_hit_cnt - orig_hit_cnt; afl->stage_finds[STAGE_ITS] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_ITS] += afl->fsrv.total_execs - orig_execs; afl->stage_cycles[STAGE_ITS] += afl->fsrv.total_execs - orig_execs;

View File

@ -953,7 +953,7 @@ common_fuzz_stuff(afl_state_t *afl, u8 *out_buf, u32 len) {
if (afl->subseq_tmouts++ > TMOUT_LIMIT) { if (afl->subseq_tmouts++ > TMOUT_LIMIT) {
++afl->cur_skipped_paths; ++afl->cur_skipped_items;
return 1; return 1;
} }
@ -970,7 +970,7 @@ common_fuzz_stuff(afl_state_t *afl, u8 *out_buf, u32 len) {
if (afl->skip_requested) { if (afl->skip_requested) {
afl->skip_requested = 0; afl->skip_requested = 0;
++afl->cur_skipped_paths; ++afl->cur_skipped_items;
return 1; return 1;
} }

View File

@ -147,10 +147,10 @@ void load_stats_file(afl_state_t *afl) {
afl->fsrv.total_execs = strtoull(lptr, &nptr, 10); afl->fsrv.total_execs = strtoull(lptr, &nptr, 10);
break; break;
case 10: case 10:
if (!strcmp(keystring, "paths_total ")) { if (!strcmp(keystring, "corpus_count ")) {
u32 paths_total = strtoul(lptr, &nptr, 10); u32 corpus_count = strtoul(lptr, &nptr, 10);
if (paths_total != afl->queued_paths) { if (corpus_count != afl->queued_items) {
WARNF( WARNF(
"queue/ has been modified -- things might not work, you're " "queue/ has been modified -- things might not work, you're "
@ -162,11 +162,11 @@ void load_stats_file(afl_state_t *afl) {
break; break;
case 12: case 12:
if (!strcmp(keystring, "paths_found ")) if (!strcmp(keystring, "corpus_found "))
afl->queued_discovered = strtoul(lptr, &nptr, 10); afl->queued_discovered = strtoul(lptr, &nptr, 10);
break; break;
case 13: case 13:
if (!strcmp(keystring, "paths_imported ")) if (!strcmp(keystring, "corpus_imported "))
afl->queued_imported = strtoul(lptr, &nptr, 10); afl->queued_imported = strtoul(lptr, &nptr, 10);
break; break;
case 14: case 14:
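Review bot: `case 14:` still leads into the `max_depth ` comparison (next hunk), but the `write_stats_file()` hunk in this same diff now emits `corpus_variable` directly after `corpus_imported`, which pushes `max_depth` from line 14 to line 15 of fuzzer_stats. Because the match is guarded by `strcmp`, the mismatch is silent: `afl->max_depth` is simply never restored on resume. Change this to `case 15:` (and add a `case 14:` for `corpus_variable` if it should be read back as well). `case 21`/`case 22` for `saved_crashes`/`saved_hangs` stay correct only because the variable field moved rather than being added.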
@ -174,12 +174,12 @@ void load_stats_file(afl_state_t *afl) {
afl->max_depth = strtoul(lptr, &nptr, 10); afl->max_depth = strtoul(lptr, &nptr, 10);
break; break;
case 21: case 21:
if (!strcmp(keystring, "unique_crashes ")) if (!strcmp(keystring, "saved_crashes "))
afl->unique_crashes = strtoull(lptr, &nptr, 10); afl->saved_crashes = strtoull(lptr, &nptr, 10);
break; break;
case 22: case 22:
if (!strcmp(keystring, "unique_hangs ")) if (!strcmp(keystring, "saved_hangs "))
afl->unique_hangs = strtoull(lptr, &nptr, 10); afl->saved_hangs = strtoull(lptr, &nptr, 10);
break; break;
default: default:
break; break;
@ -190,7 +190,7 @@ void load_stats_file(afl_state_t *afl) {
} }
if (afl->unique_crashes) { write_crash_readme(afl); } if (afl->saved_crashes) { write_crash_readme(afl); }
return; return;
@ -243,7 +243,8 @@ void write_stats_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg,
if (getrusage(RUSAGE_CHILDREN, &rus)) { rus.ru_maxrss = 0; } if (getrusage(RUSAGE_CHILDREN, &rus)) { rus.ru_maxrss = 0; }
#endif #endif
fprintf(f, fprintf(
f,
"start_time : %llu\n" "start_time : %llu\n"
"last_update : %llu\n" "last_update : %llu\n"
"run_time : %llu\n" "run_time : %llu\n"
@ -253,20 +254,20 @@ void write_stats_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg,
"execs_done : %llu\n" "execs_done : %llu\n"
"execs_per_sec : %0.02f\n" "execs_per_sec : %0.02f\n"
"execs_ps_last_min : %0.02f\n" "execs_ps_last_min : %0.02f\n"
"paths_total : %u\n" "corpus_count : %u\n"
"paths_favored : %u\n" "corpus_favored : %u\n"
"paths_found : %u\n" "corpus_found : %u\n"
"paths_imported : %u\n" "corpus_imported : %u\n"
"corpus_variable : %u\n"
"max_depth : %u\n" "max_depth : %u\n"
"cur_path : %u\n" /* Must match find_start_position() */ "cur_item : %u\n"
"pending_favs : %u\n" "pending_favs : %u\n"
"pending_total : %u\n" "pending_total : %u\n"
"variable_paths : %u\n"
"stability : %0.02f%%\n" "stability : %0.02f%%\n"
"bitmap_cvg : %0.02f%%\n" "bitmap_cvg : %0.02f%%\n"
"unique_crashes : %llu\n" "saved_crashes : %llu\n"
"unique_hangs : %llu\n" "saved_hangs : %llu\n"
"last_path : %llu\n" "last_find : %llu\n"
"last_crash : %llu\n" "last_crash : %llu\n"
"last_hang : %llu\n" "last_hang : %llu\n"
"execs_since_crash : %llu\n" "execs_since_crash : %llu\n"
@ -288,20 +289,19 @@ void write_stats_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg,
"target_mode : %s%s%s%s%s%s%s%s%s%s\n" "target_mode : %s%s%s%s%s%s%s%s%s%s\n"
"command_line : %s\n", "command_line : %s\n",
(afl->start_time - afl->prev_run_time) / 1000, cur_time / 1000, (afl->start_time - afl->prev_run_time) / 1000, cur_time / 1000,
(afl->prev_run_time + cur_time - afl->start_time) / 1000, (afl->prev_run_time + cur_time - afl->start_time) / 1000, (u32)getpid(),
(u32)getpid(), afl->queue_cycle ? (afl->queue_cycle - 1) : 0, afl->queue_cycle ? (afl->queue_cycle - 1) : 0, afl->cycles_wo_finds,
afl->cycles_wo_finds, afl->fsrv.total_execs, afl->fsrv.total_execs,
afl->fsrv.total_execs / afl->fsrv.total_execs /
((double)(afl->prev_run_time + get_cur_time() - afl->start_time) / ((double)(afl->prev_run_time + get_cur_time() - afl->start_time) /
1000), 1000),
afl->last_avg_execs_saved, afl->queued_paths, afl->queued_favored, afl->last_avg_execs_saved, afl->queued_items, afl->queued_favored,
afl->queued_discovered, afl->queued_imported, afl->max_depth, afl->queued_discovered, afl->queued_imported, afl->max_depth,
afl->current_entry, afl->pending_favored, afl->pending_not_fuzzed, afl->current_entry, afl->pending_favored, afl->pending_not_fuzzed,
afl->queued_variable, stability, bitmap_cvg, afl->unique_crashes, afl->queued_variable, stability, bitmap_cvg, afl->saved_crashes,
afl->unique_hangs, afl->last_path_time / 1000, afl->saved_hangs, afl->last_find_time / 1000, afl->last_crash_time / 1000,
afl->last_crash_time / 1000, afl->last_hang_time / 1000, afl->last_hang_time / 1000, afl->fsrv.total_execs - afl->last_crash_execs,
afl->fsrv.total_execs - afl->last_crash_execs, afl->fsrv.exec_tmout, afl->fsrv.exec_tmout, afl->slowest_exec_ms,
afl->slowest_exec_ms,
#ifndef __HAIKU__ #ifndef __HAIKU__
#ifdef __APPLE__ #ifdef __APPLE__
(unsigned long int)(rus.ru_maxrss >> 20), (unsigned long int)(rus.ru_maxrss >> 20),
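Review bot: the format string and the argument list are out of step after this reflow. The format (previous hunk) now emits `corpus_found`, `corpus_imported`, `corpus_variable`, `max_depth`, `cur_item`, `pending_favs`, `pending_total`, but the arguments here are still `afl->queued_discovered, afl->queued_imported, afl->max_depth, afl->current_entry, afl->pending_favored, afl->pending_not_fuzzed, afl->queued_variable, stability, ...`, so `corpus_variable` is written with the value of `max_depth`, `max_depth` with `current_entry`, and so on down to `pending_total` receiving `queued_variable`. Every one of them is `%u`, so the compiler will not warn. Move `afl->queued_variable` to directly after `afl->queued_imported` in the argument list to match the new field order.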
@ -316,11 +316,10 @@ void write_stats_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg,
#else #else
-1, -1,
#endif #endif
t_bytes, afl->fsrv.real_map_size, afl->var_byte_count, t_bytes, afl->fsrv.real_map_size, afl->var_byte_count, afl->expand_havoc,
afl->expand_havoc, afl->a_extras_cnt, afl->q_testcase_cache_size, afl->a_extras_cnt, afl->q_testcase_cache_size,
afl->q_testcase_cache_count, afl->q_testcase_evictions, afl->q_testcase_cache_count, afl->q_testcase_evictions, afl->use_banner,
afl->use_banner, afl->unicorn_mode ? "unicorn" : "", afl->unicorn_mode ? "unicorn" : "", afl->fsrv.qemu_mode ? "qemu " : "",
afl->fsrv.qemu_mode ? "qemu " : "",
afl->fsrv.cs_mode ? "coresight" : "", afl->fsrv.cs_mode ? "coresight" : "",
afl->non_instrumented_mode ? " non_instrumented " : "", afl->non_instrumented_mode ? " non_instrumented " : "",
afl->no_forkserver ? "no_fsrv " : "", afl->crash_mode ? "crash " : "", afl->no_forkserver ? "no_fsrv " : "", afl->crash_mode ? "crash " : "",
@ -328,8 +327,8 @@ void write_stats_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg,
afl->shmem_testcase_mode ? "shmem_testcase " : "", afl->shmem_testcase_mode ? "shmem_testcase " : "",
afl->deferred_mode ? "deferred " : "", afl->deferred_mode ? "deferred " : "",
(afl->unicorn_mode || afl->fsrv.qemu_mode || afl->fsrv.cs_mode || (afl->unicorn_mode || afl->fsrv.qemu_mode || afl->fsrv.cs_mode ||
afl->non_instrumented_mode || afl->no_forkserver || afl->non_instrumented_mode || afl->no_forkserver || afl->crash_mode ||
afl->crash_mode || afl->persistent_mode || afl->deferred_mode) afl->persistent_mode || afl->deferred_mode)
? "" ? ""
: "default", : "default",
afl->orig_cmdline); afl->orig_cmdline);
@ -373,13 +372,13 @@ void maybe_update_plot_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg,
if (unlikely(!afl->force_ui_update && if (unlikely(!afl->force_ui_update &&
(afl->stop_soon || (afl->stop_soon ||
(afl->plot_prev_qp == afl->queued_paths && (afl->plot_prev_qp == afl->queued_items &&
afl->plot_prev_pf == afl->pending_favored && afl->plot_prev_pf == afl->pending_favored &&
afl->plot_prev_pnf == afl->pending_not_fuzzed && afl->plot_prev_pnf == afl->pending_not_fuzzed &&
afl->plot_prev_ce == afl->current_entry && afl->plot_prev_ce == afl->current_entry &&
afl->plot_prev_qc == afl->queue_cycle && afl->plot_prev_qc == afl->queue_cycle &&
afl->plot_prev_uc == afl->unique_crashes && afl->plot_prev_uc == afl->saved_crashes &&
afl->plot_prev_uh == afl->unique_hangs && afl->plot_prev_uh == afl->saved_hangs &&
afl->plot_prev_md == afl->max_depth && afl->plot_prev_md == afl->max_depth &&
afl->plot_prev_ed == afl->fsrv.total_execs) || afl->plot_prev_ed == afl->fsrv.total_execs) ||
!afl->queue_cycle || !afl->queue_cycle ||
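Review bot: the change-detection fields keep their pre-rename abbreviations (`plot_prev_qp` for queued paths, `plot_prev_uc` and `plot_prev_uh` for unique crashes and hangs) while the right-hand sides become `afl->queued_items`, `afl->saved_crashes` and `afl->saved_hangs`. Since this commit is a naming cleanup, consider renaming the `plot_prev_*` members (or adding a one-line comment at the struct) so the abbreviations do not point at names that no longer exist.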
@ -389,29 +388,29 @@ void maybe_update_plot_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg,
} }
afl->plot_prev_qp = afl->queued_paths; afl->plot_prev_qp = afl->queued_items;
afl->plot_prev_pf = afl->pending_favored; afl->plot_prev_pf = afl->pending_favored;
afl->plot_prev_pnf = afl->pending_not_fuzzed; afl->plot_prev_pnf = afl->pending_not_fuzzed;
afl->plot_prev_ce = afl->current_entry; afl->plot_prev_ce = afl->current_entry;
afl->plot_prev_qc = afl->queue_cycle; afl->plot_prev_qc = afl->queue_cycle;
afl->plot_prev_uc = afl->unique_crashes; afl->plot_prev_uc = afl->saved_crashes;
afl->plot_prev_uh = afl->unique_hangs; afl->plot_prev_uh = afl->saved_hangs;
afl->plot_prev_md = afl->max_depth; afl->plot_prev_md = afl->max_depth;
afl->plot_prev_ed = afl->fsrv.total_execs; afl->plot_prev_ed = afl->fsrv.total_execs;
/* Fields in the file: /* Fields in the file:
relative_time, afl->cycles_done, cur_path, paths_total, paths_not_fuzzed, relative_time, afl->cycles_done, cur_item, corpus_count, corpus_not_fuzzed,
favored_not_fuzzed, unique_crashes, unique_hangs, max_depth, favored_not_fuzzed, saved_crashes, saved_hangs, max_depth,
execs_per_sec, edges_found */ execs_per_sec, edges_found */
fprintf(afl->fsrv.plot_file, fprintf(afl->fsrv.plot_file,
"%llu, %llu, %u, %u, %u, %u, %0.02f%%, %llu, %llu, %u, %0.02f, %llu, " "%llu, %llu, %u, %u, %u, %u, %0.02f%%, %llu, %llu, %u, %0.02f, %llu, "
"%u\n", "%u\n",
((afl->prev_run_time + get_cur_time() - afl->start_time) / 1000), ((afl->prev_run_time + get_cur_time() - afl->start_time) / 1000),
afl->queue_cycle - 1, afl->current_entry, afl->queued_paths, afl->queue_cycle - 1, afl->current_entry, afl->queued_items,
afl->pending_not_fuzzed, afl->pending_favored, bitmap_cvg, afl->pending_not_fuzzed, afl->pending_favored, bitmap_cvg,
afl->unique_crashes, afl->unique_hangs, afl->max_depth, eps, afl->saved_crashes, afl->saved_hangs, afl->max_depth, eps,
afl->plot_prev_ed, t_bytes); /* ignore errors */ afl->plot_prev_ed, t_bytes); /* ignore errors */
fflush(afl->fsrv.plot_file); fflush(afl->fsrv.plot_file);
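Review bot: the documented plot_data columns are renamed here (`cur_item`, `corpus_count`, `corpus_not_fuzzed`, `saved_crashes`, `saved_hangs`), which changes the file's vocabulary for any tool that parses plot_data by header name. The line that actually writes the header is not part of this hunk, so check that it is updated in the same commit and record the rename in the changelog, otherwise external plotting scripts break without an obvious error.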
@ -611,9 +610,9 @@ void show_stats(afl_state_t *afl) {
/* AFL_EXIT_ON_TIME. */ /* AFL_EXIT_ON_TIME. */
if (unlikely(afl->last_path_time && !afl->non_instrumented_mode && if (unlikely(afl->last_find_time && !afl->non_instrumented_mode &&
afl->afl_env.afl_exit_on_time && afl->afl_env.afl_exit_on_time &&
(cur_ms - afl->last_path_time) > afl->exit_on_time)) { (cur_ms - afl->last_find_time) > afl->exit_on_time)) {
afl->stop_soon = 2; afl->stop_soon = 2;
@ -704,9 +703,9 @@ void show_stats(afl_state_t *afl) {
/* Since `total_crashes` does not get reloaded from disk on restart, /* Since `total_crashes` does not get reloaded from disk on restart,
it indicates if we found crashes this round already -> paint red. it indicates if we found crashes this round already -> paint red.
If it's 0, but `unique_crashes` is set from a past run, paint in yellow. */ If it's 0, but `saved_crashes` is set from a past run, paint in yellow. */
char *crash_color = afl->total_crashes ? cLRD char *crash_color = afl->total_crashes ? cLRD
: afl->unique_crashes ? cYEL : afl->saved_crashes ? cYEL
: cRST; : cRST;
/* Lord, forgive me this. */ /* Lord, forgive me this. */
@ -721,7 +720,7 @@ void show_stats(afl_state_t *afl) {
} else { } else {
u64 min_wo_finds = (cur_ms - afl->last_path_time) / 1000 / 60; u64 min_wo_finds = (cur_ms - afl->last_find_time) / 1000 / 60;
/* First queue cycle: don't stop now! */ /* First queue cycle: don't stop now! */
if (afl->queue_cycle == 1 || min_wo_finds < 15) { if (afl->queue_cycle == 1 || min_wo_finds < 15) {
@ -762,48 +761,48 @@ void show_stats(afl_state_t *afl) {
except when resuming fuzzing or running in non-instrumented mode. */ except when resuming fuzzing or running in non-instrumented mode. */
if (!afl->non_instrumented_mode && if (!afl->non_instrumented_mode &&
(afl->last_path_time || afl->resuming_fuzz || afl->queue_cycle == 1 || (afl->last_find_time || afl->resuming_fuzz || afl->queue_cycle == 1 ||
afl->in_bitmap || afl->crash_mode)) { afl->in_bitmap || afl->crash_mode)) {
u_stringify_time_diff(time_tmp, cur_ms, afl->last_path_time); u_stringify_time_diff(time_tmp, cur_ms, afl->last_find_time);
SAYF(bV bSTOP " last new path : " cRST "%-33s ", time_tmp); SAYF(bV bSTOP " last new find : " cRST "%-33s ", time_tmp);
} else { } else {
if (afl->non_instrumented_mode) { if (afl->non_instrumented_mode) {
SAYF(bV bSTOP " last new path : " cPIN "n/a" cRST SAYF(bV bSTOP " last new find : " cPIN "n/a" cRST
" (non-instrumented mode) "); " (non-instrumented mode) ");
} else { } else {
SAYF(bV bSTOP " last new path : " cRST "none yet " cLRD SAYF(bV bSTOP " last new find : " cRST "none yet " cLRD
"(odd, check syntax!) "); "(odd, check syntax!) ");
} }
} }
SAYF(bSTG bV bSTOP " total paths : " cRST "%-5s " bSTG bV "\n", SAYF(bSTG bV bSTOP " corpus count : " cRST "%-5s " bSTG bV "\n",
u_stringify_int(IB(0), afl->queued_paths)); u_stringify_int(IB(0), afl->queued_items));
/* Highlight crashes in red if found, denote going over the KEEP_UNIQUE_CRASH /* Highlight crashes in red if found, denote going over the KEEP_UNIQUE_CRASH
limit with a '+' appended to the count. */ limit with a '+' appended to the count. */
sprintf(tmp, "%s%s", u_stringify_int(IB(0), afl->unique_crashes), sprintf(tmp, "%s%s", u_stringify_int(IB(0), afl->saved_crashes),
(afl->unique_crashes >= KEEP_UNIQUE_CRASH) ? "+" : ""); (afl->saved_crashes >= KEEP_UNIQUE_CRASH) ? "+" : "");
u_stringify_time_diff(time_tmp, cur_ms, afl->last_crash_time); u_stringify_time_diff(time_tmp, cur_ms, afl->last_crash_time);
SAYF(bV bSTOP " last uniq crash : " cRST "%-33s " bSTG bV bSTOP SAYF(bV bSTOP "last saved crash : " cRST "%-33s " bSTG bV bSTOP
" uniq crashes : %s%-6s" bSTG bV "\n", "saved crashes : %s%-6s" bSTG bV "\n",
time_tmp, crash_color, tmp); time_tmp, crash_color, tmp);
sprintf(tmp, "%s%s", u_stringify_int(IB(0), afl->unique_hangs), sprintf(tmp, "%s%s", u_stringify_int(IB(0), afl->saved_hangs),
(afl->unique_hangs >= KEEP_UNIQUE_HANG) ? "+" : ""); (afl->saved_hangs >= KEEP_UNIQUE_HANG) ? "+" : "");
u_stringify_time_diff(time_tmp, cur_ms, afl->last_hang_time); u_stringify_time_diff(time_tmp, cur_ms, afl->last_hang_time);
SAYF(bV bSTOP " last uniq hang : " cRST "%-33s " bSTG bV bSTOP SAYF(bV bSTOP " last saved hang : " cRST "%-33s " bSTG bV bSTOP
" uniq hangs : " cRST "%-6s" bSTG bV "\n", " saved hangs : " cRST "%-6s" bSTG bV "\n",
time_tmp, tmp); time_tmp, tmp);
SAYF(bVR bH bSTOP cCYA SAYF(bVR bH bSTOP cCYA
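Review bot: several labels change width and the box alignment is compensated by hand (`" last uniq crash : "` becomes `"last saved crash : "` and `" uniq crashes : "` becomes `"saved crashes : "`, each dropping a leading space); since the status screen depends on these exact widths, run the UI once and confirm the right border still lines up. Separately, the limits are still called `KEEP_UNIQUE_CRASH` and `KEEP_UNIQUE_HANG`, and the comment above still refers to the 'KEEP_UNIQUE_CRASH limit', while the counters they bound are now `saved_crashes` and `saved_hangs`; either rename the macros as well or add a short comment stating that they keep the old name on purpose.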
@ -816,7 +815,7 @@ void show_stats(afl_state_t *afl) {
sprintf(tmp, "%s%s%u (%0.01f%%)", u_stringify_int(IB(0), afl->current_entry), sprintf(tmp, "%s%s%u (%0.01f%%)", u_stringify_int(IB(0), afl->current_entry),
afl->queue_cur->favored ? "." : "*", afl->queue_cur->fuzz_level, afl->queue_cur->favored ? "." : "*", afl->queue_cur->fuzz_level,
((double)afl->current_entry * 100) / afl->queued_paths); ((double)afl->current_entry * 100) / afl->queued_items);
SAYF(bV bSTOP " now processing : " cRST "%-18s " bSTG bV bSTOP, tmp); SAYF(bV bSTOP " now processing : " cRST "%-18s " bSTG bV bSTOP, tmp);
@ -830,10 +829,10 @@ void show_stats(afl_state_t *afl) {
: ((t_bytes < 200 && !afl->non_instrumented_mode) ? cPIN : cRST), : ((t_bytes < 200 && !afl->non_instrumented_mode) ? cPIN : cRST),
tmp); tmp);
sprintf(tmp, "%s (%0.02f%%)", u_stringify_int(IB(0), afl->cur_skipped_paths), sprintf(tmp, "%s (%0.02f%%)", u_stringify_int(IB(0), afl->cur_skipped_items),
((double)afl->cur_skipped_paths * 100) / afl->queued_paths); ((double)afl->cur_skipped_items * 100) / afl->queued_items);
SAYF(bV bSTOP " paths timed out : " cRST "%-18s " bSTG bV, tmp); SAYF(bV bSTOP " items timed out : " cRST "%-18s " bSTG bV, tmp);
sprintf(tmp, "%0.02f bits/tuple", t_bytes ? (((double)t_bits) / t_bytes) : 0); sprintf(tmp, "%0.02f bits/tuple", t_bytes ? (((double)t_bits) / t_bytes) : 0);
@ -844,12 +843,12 @@ void show_stats(afl_state_t *afl) {
" findings in depth " bSTG bH10 bH5 bH2 bVL "\n"); " findings in depth " bSTG bH10 bH5 bH2 bVL "\n");
sprintf(tmp, "%s (%0.02f%%)", u_stringify_int(IB(0), afl->queued_favored), sprintf(tmp, "%s (%0.02f%%)", u_stringify_int(IB(0), afl->queued_favored),
((double)afl->queued_favored) * 100 / afl->queued_paths); ((double)afl->queued_favored) * 100 / afl->queued_items);
/* Yeah... it's still going on... halp? */ /* Yeah... it's still going on... halp? */
SAYF(bV bSTOP " now trying : " cRST "%-22s " bSTG bV bSTOP SAYF(bV bSTOP " now trying : " cRST "%-22s " bSTG bV bSTOP
" favored paths : " cRST "%-20s" bSTG bV "\n", " favored items : " cRST "%-20s" bSTG bV "\n",
afl->stage_name, tmp); afl->stage_name, tmp);
if (!afl->stage_max) { if (!afl->stage_max) {
@ -867,13 +866,13 @@ void show_stats(afl_state_t *afl) {
SAYF(bV bSTOP " stage execs : " cRST "%-23s" bSTG bV bSTOP, tmp); SAYF(bV bSTOP " stage execs : " cRST "%-23s" bSTG bV bSTOP, tmp);
sprintf(tmp, "%s (%0.02f%%)", u_stringify_int(IB(0), afl->queued_with_cov), sprintf(tmp, "%s (%0.02f%%)", u_stringify_int(IB(0), afl->queued_with_cov),
((double)afl->queued_with_cov) * 100 / afl->queued_paths); ((double)afl->queued_with_cov) * 100 / afl->queued_items);
SAYF(" new edges on : " cRST "%-20s" bSTG bV "\n", tmp); SAYF(" new edges on : " cRST "%-20s" bSTG bV "\n", tmp);
sprintf(tmp, "%s (%s%s unique)", u_stringify_int(IB(0), afl->total_crashes), sprintf(tmp, "%s (%s%s unique)", u_stringify_int(IB(0), afl->total_crashes),
u_stringify_int(IB(1), afl->unique_crashes), u_stringify_int(IB(1), afl->saved_crashes),
(afl->unique_crashes >= KEEP_UNIQUE_CRASH) ? "+" : ""); (afl->saved_crashes >= KEEP_UNIQUE_CRASH) ? "+" : "");
if (afl->crash_mode) { if (afl->crash_mode) {
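Review bot: the format string still prints `(%s%s unique)` while the counter feeding it is now `afl->saved_crashes`; the point of the rename is that these are coverage-deduplicated saves rather than genuinely unique crashes, so the label should follow the variable (for example `(%s%s saved)`), otherwise the status screen contradicts the new naming it was just given.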
@ -906,15 +905,15 @@ void show_stats(afl_state_t *afl) {
} }
sprintf(tmp, "%s (%s%s unique)", u_stringify_int(IB(0), afl->total_tmouts), sprintf(tmp, "%s (%s%s unique)", u_stringify_int(IB(0), afl->total_tmouts),
u_stringify_int(IB(1), afl->unique_tmouts), u_stringify_int(IB(1), afl->saved_tmouts),
(afl->unique_hangs >= KEEP_UNIQUE_HANG) ? "+" : ""); (afl->saved_hangs >= KEEP_UNIQUE_HANG) ? "+" : "");
SAYF(bSTG bV bSTOP " total tmouts : " cRST "%-20s" bSTG bV "\n", tmp); SAYF(bSTG bV bSTOP " total tmouts : " cRST "%-20s" bSTG bV "\n", tmp);
/* Aaaalmost there... hold on! */ /* Aaaalmost there... hold on! */
SAYF(bVR bH cCYA bSTOP " fuzzing strategy yields " bSTG bH10 bH2 bHT bH10 bH2 SAYF(bVR bH cCYA bSTOP " fuzzing strategy yields " bSTG bH10 bH2 bHT bH10 bH2
bH bHB bH bSTOP cCYA " path geometry " bSTG bH5 bH2 bVL "\n"); bH bHB bH bSTOP cCYA " item geometry " bSTG bH5 bH2 bVL "\n");
if (unlikely(afl->custom_only)) { if (unlikely(afl->custom_only)) {
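Review bot: the `+` overflow marker for timeouts is derived from `afl->saved_hangs >= KEEP_UNIQUE_HANG`, but the number printed beside it is `afl->saved_tmouts`; this mismatch predates the commit, but since both lines are touched here it is a good moment to make the condition and the displayed value refer to the same counter, or to comment why the hang count gates the tmouts display. The `(%s%s unique)` wording has the same problem as the crashes line in the previous hunk.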
@ -1222,7 +1221,7 @@ void show_init_stats(afl_state_t *afl) {
} }
for (i = 0; i < afl->queued_paths; i++) { for (i = 0; i < afl->queued_items; i++) {
q = afl->queue_buf[i]; q = afl->queue_buf[i];
if (unlikely(q->disabled)) { continue; } if (unlikely(q->disabled)) { continue; }
@ -1290,13 +1289,13 @@ void show_init_stats(afl_state_t *afl) {
} }
if (afl->queued_paths > 100) { if (afl->queued_items > 100) {
WARNF(cLRD WARNF(cLRD
"You probably have far too many input files! Consider trimming " "You probably have far too many input files! Consider trimming "
"down."); "down.");
} else if (afl->queued_paths > 20) { } else if (afl->queued_items > 20) {
WARNF("You have lots of input files; try starting small."); WARNF("You have lots of input files; try starting small.");
@ -1311,8 +1310,8 @@ void show_init_stats(afl_state_t *afl) {
" Bitmap range : " cRST " Bitmap range : " cRST
"%u to %u bits (average: %0.02f bits)\n" cGRA "%u to %u bits (average: %0.02f bits)\n" cGRA
" Exec timing : " cRST "%s to %s us (average: %s us)\n", " Exec timing : " cRST "%s to %s us (average: %s us)\n",
afl->queued_favored, afl->queued_variable, afl->queued_paths - count, afl->queued_favored, afl->queued_variable, afl->queued_items - count,
afl->queued_paths, min_bits, max_bits, afl->queued_items, min_bits, max_bits,
((double)afl->total_bitmap_size) / ((double)afl->total_bitmap_size) /
(afl->total_bitmap_entries ? afl->total_bitmap_entries : 1), (afl->total_bitmap_entries ? afl->total_bitmap_entries : 1),
stringify_int(IB(0), min_us), stringify_int(IB(1), max_us), stringify_int(IB(0), min_us), stringify_int(IB(1), max_us),

View File

@ -48,15 +48,16 @@
".cycles_wo_finds:%llu|g%s\n" METRIC_PREFIX \ ".cycles_wo_finds:%llu|g%s\n" METRIC_PREFIX \
".execs_done:%llu|g%s\n" METRIC_PREFIX \ ".execs_done:%llu|g%s\n" METRIC_PREFIX \
".execs_per_sec:%0.02f|g%s\n" METRIC_PREFIX \ ".execs_per_sec:%0.02f|g%s\n" METRIC_PREFIX \
".paths_total:%u|g%s\n" METRIC_PREFIX \ ".corpus_count:%u|g%s\n" METRIC_PREFIX \
".paths_favored:%u|g%s\n" METRIC_PREFIX \ ".corpus_favored:%u|g%s\n" METRIC_PREFIX \
".paths_found:%u|g%s\n" METRIC_PREFIX \ ".corpus_found:%u|g%s\n" METRIC_PREFIX \
".paths_imported:%u|g%s\n" METRIC_PREFIX ".max_depth:%u|g%s\n" METRIC_PREFIX \ ".corpus_imported:%u|g%s\n" METRIC_PREFIX \
".cur_path:%u|g%s\n" METRIC_PREFIX ".pending_favs:%u|g%s\n" METRIC_PREFIX \ ".max_depth:%u|g%s\n" METRIC_PREFIX ".cur_item:%u|g%s\n" METRIC_PREFIX \
".pending_favs:%u|g%s\n" METRIC_PREFIX \
".pending_total:%u|g%s\n" METRIC_PREFIX \ ".pending_total:%u|g%s\n" METRIC_PREFIX \
".variable_paths:%u|g%s\n" METRIC_PREFIX \ ".corpus_variable:%u|g%s\n" METRIC_PREFIX \
".unique_crashes:%llu|g%s\n" METRIC_PREFIX \ ".saved_crashes:%llu|g%s\n" METRIC_PREFIX \
".unique_hangs:%llu|g%s\n" METRIC_PREFIX \ ".saved_hangs:%llu|g%s\n" METRIC_PREFIX \
".total_crashes:%llu|g%s\n" METRIC_PREFIX \ ".total_crashes:%llu|g%s\n" METRIC_PREFIX \
".slowest_exec_ms:%u|g%s\n" METRIC_PREFIX \ ".slowest_exec_ms:%u|g%s\n" METRIC_PREFIX \
".edges_found:%u|g%s\n" METRIC_PREFIX \ ".edges_found:%u|g%s\n" METRIC_PREFIX \
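Review bot: renaming the emitted StatsD metric names (`paths_total` to `corpus_count`, `paths_favored` to `corpus_favored`, `paths_found` to `corpus_found`, `paths_imported` to `corpus_imported`, `cur_path` to `cur_item`, `variable_paths` to `corpus_variable`, `unique_crashes` and `unique_hangs` to `saved_crashes` and `saved_hangs`) is a breaking change for every dashboard or alert keyed on the old names; the old series simply stop updating with no error on either side. Call this out in the changelog and the StatsD documentation so operators know to re-point their queries.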
@ -70,15 +71,16 @@
".cycles_wo_finds%s:%llu|g\n" METRIC_PREFIX \ ".cycles_wo_finds%s:%llu|g\n" METRIC_PREFIX \
".execs_done%s:%llu|g\n" METRIC_PREFIX \ ".execs_done%s:%llu|g\n" METRIC_PREFIX \
".execs_per_sec%s:%0.02f|g\n" METRIC_PREFIX \ ".execs_per_sec%s:%0.02f|g\n" METRIC_PREFIX \
".paths_total%s:%u|g\n" METRIC_PREFIX \ ".corpus_count%s:%u|g\n" METRIC_PREFIX \
".paths_favored%s:%u|g\n" METRIC_PREFIX \ ".corpus_favored%s:%u|g\n" METRIC_PREFIX \
".paths_found%s:%u|g\n" METRIC_PREFIX \ ".corpus_found%s:%u|g\n" METRIC_PREFIX \
".paths_imported%s:%u|g\n" METRIC_PREFIX ".max_depth%s:%u|g\n" METRIC_PREFIX \ ".corpus_imported%s:%u|g\n" METRIC_PREFIX \
".cur_path%s:%u|g\n" METRIC_PREFIX ".pending_favs%s:%u|g\n" METRIC_PREFIX \ ".max_depth%s:%u|g\n" METRIC_PREFIX ".cur_item%s:%u|g\n" METRIC_PREFIX \
".pending_favs%s:%u|g\n" METRIC_PREFIX \
".pending_total%s:%u|g\n" METRIC_PREFIX \ ".pending_total%s:%u|g\n" METRIC_PREFIX \
".variable_paths%s:%u|g\n" METRIC_PREFIX \ ".corpus_variable%s:%u|g\n" METRIC_PREFIX \
".unique_crashes%s:%llu|g\n" METRIC_PREFIX \ ".saved_crashes%s:%llu|g\n" METRIC_PREFIX \
".unique_hangs%s:%llu|g\n" METRIC_PREFIX \ ".saved_hangs%s:%llu|g\n" METRIC_PREFIX \
".total_crashes%s:%llu|g\n" METRIC_PREFIX \ ".total_crashes%s:%llu|g\n" METRIC_PREFIX \
".slowest_exec_ms%s:%u|g\n" METRIC_PREFIX \ ".slowest_exec_ms%s:%u|g\n" METRIC_PREFIX \
".edges_found%s:%u|g\n" METRIC_PREFIX \ ".edges_found%s:%u|g\n" METRIC_PREFIX \
@ -238,11 +240,11 @@ int statsd_format_metric(afl_state_t *afl, char *buff, size_t bufflen) {
afl->fsrv.total_execs / afl->fsrv.total_execs /
((double)(get_cur_time() + afl->prev_run_time - afl->start_time) / ((double)(get_cur_time() + afl->prev_run_time - afl->start_time) /
1000), 1000),
tags, afl->queued_paths, tags, afl->queued_favored, tags, tags, afl->queued_items, tags, afl->queued_favored, tags,
afl->queued_discovered, tags, afl->queued_imported, tags, afl->queued_discovered, tags, afl->queued_imported, tags,
afl->max_depth, tags, afl->current_entry, tags, afl->pending_favored, afl->max_depth, tags, afl->current_entry, tags, afl->pending_favored,
tags, afl->pending_not_fuzzed, tags, afl->queued_variable, tags, tags, afl->pending_not_fuzzed, tags, afl->queued_variable, tags,
afl->unique_crashes, tags, afl->unique_hangs, tags, afl->total_crashes, afl->saved_crashes, tags, afl->saved_hangs, tags, afl->total_crashes,
tags, afl->slowest_exec_ms, tags, tags, afl->slowest_exec_ms, tags,
count_non_255_bytes(afl, afl->virgin_bits), tags, afl->var_byte_count, count_non_255_bytes(afl, afl->virgin_bits), tags, afl->var_byte_count,
tags, afl->expand_havoc, tags); tags, afl->expand_havoc, tags);
@ -256,11 +258,11 @@ int statsd_format_metric(afl_state_t *afl, char *buff, size_t bufflen) {
afl->fsrv.total_execs / afl->fsrv.total_execs /
((double)(get_cur_time() + afl->prev_run_time - afl->start_time) / ((double)(get_cur_time() + afl->prev_run_time - afl->start_time) /
1000), 1000),
tags, afl->queued_paths, tags, afl->queued_favored, tags, tags, afl->queued_items, tags, afl->queued_favored, tags,
afl->queued_discovered, tags, afl->queued_imported, tags, afl->queued_discovered, tags, afl->queued_imported, tags,
afl->max_depth, tags, afl->current_entry, tags, afl->pending_favored, afl->max_depth, tags, afl->current_entry, tags, afl->pending_favored,
tags, afl->pending_not_fuzzed, tags, afl->queued_variable, tags, tags, afl->pending_not_fuzzed, tags, afl->queued_variable, tags,
afl->unique_crashes, tags, afl->unique_hangs, tags, afl->total_crashes, afl->saved_crashes, tags, afl->saved_hangs, tags, afl->total_crashes,
tags, afl->slowest_exec_ms, tags, tags, afl->slowest_exec_ms, tags,
count_non_255_bytes(afl, afl->virgin_bits), tags, afl->var_byte_count, count_non_255_bytes(afl, afl->virgin_bits), tags, afl->var_byte_count,
tags, afl->expand_havoc); tags, afl->expand_havoc);
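Review bot: the metric format string and its argument list exist in two copies (one with the tag placeholder after the metric name, one with it before the value), and as this pair of hunks shows every rename has to be applied to both in lockstep; a specifier left behind in one copy would shift every following argument. Consider deriving both variants from a single list of (name, specifier, value) entries, or at minimum add a comment at each copy pointing at the other so future edits do not drift.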

View File

@ -129,7 +129,7 @@ static void usage(u8 *argv0, int more_help) {
" -D - enable deterministic fuzzing (once per queue entry)\n" " -D - enable deterministic fuzzing (once per queue entry)\n"
" -L minutes - use MOpt(imize) mode and set the time limit for " " -L minutes - use MOpt(imize) mode and set the time limit for "
"entering the\n" "entering the\n"
" pacemaker mode (minutes of no new paths). 0 = " " pacemaker mode (minutes of no new finds). 0 = "
"immediately,\n" "immediately,\n"
" -1 = immediately and together with normal mutation.\n" " -1 = immediately and together with normal mutation.\n"
" See docs/README.MOpt.md\n" " See docs/README.MOpt.md\n"
@ -214,7 +214,7 @@ static void usage(u8 *argv0, int more_help) {
"AFL_DISABLE_TRIM: disable the trimming of test cases\n" "AFL_DISABLE_TRIM: disable the trimming of test cases\n"
"AFL_DUMB_FORKSRV: use fork server without feedback from target\n" "AFL_DUMB_FORKSRV: use fork server without feedback from target\n"
"AFL_EXIT_WHEN_DONE: exit when all inputs are run and no new finds are found\n" "AFL_EXIT_WHEN_DONE: exit when all inputs are run and no new finds are found\n"
"AFL_EXIT_ON_TIME: exit when no new paths are found within the specified time period\n" "AFL_EXIT_ON_TIME: exit when no new coverage finds are made within the specified time period\n"
"AFL_EXPAND_HAVOC_NOW: immediately enable expand havoc mode (default: after 60 minutes and a cycle without finds)\n" "AFL_EXPAND_HAVOC_NOW: immediately enable expand havoc mode (default: after 60 minutes and a cycle without finds)\n"
"AFL_FAST_CAL: limit the calibration stage to three cycles for speedup\n" "AFL_FAST_CAL: limit the calibration stage to three cycles for speedup\n"
"AFL_FORCE_UI: force showing the status screen (for virtual consoles)\n" "AFL_FORCE_UI: force showing the status screen (for virtual consoles)\n"
@ -1607,7 +1607,7 @@ int main(int argc, char **argv_orig, char **envp) {
read_testcases(afl, NULL); read_testcases(afl, NULL);
// read_foreign_testcases(afl, 1); for the moment dont do this // read_foreign_testcases(afl, 1); for the moment dont do this
OKF("Loaded a total of %u seeds.", afl->queued_paths); OKF("Loaded a total of %u seeds.", afl->queued_items);
pivot_inputs(afl); pivot_inputs(afl);
@ -1929,7 +1929,7 @@ int main(int argc, char **argv_orig, char **envp) {
// ensure we have at least one seed that is not disabled. // ensure we have at least one seed that is not disabled.
u32 entry, valid_seeds = 0; u32 entry, valid_seeds = 0;
for (entry = 0; entry < afl->queued_paths; ++entry) for (entry = 0; entry < afl->queued_items; ++entry)
if (!afl->queue_buf[entry]->disabled) { ++valid_seeds; } if (!afl->queue_buf[entry]->disabled) { ++valid_seeds; }
if (!afl->pending_not_fuzzed || !valid_seeds) { if (!afl->pending_not_fuzzed || !valid_seeds) {
@ -1951,7 +1951,7 @@ int main(int argc, char **argv_orig, char **envp) {
u64 max_ms = 0; u64 max_ms = 0;
for (entry = 0; entry < afl->queued_paths; ++entry) for (entry = 0; entry < afl->queued_items; ++entry)
if (!afl->queue_buf[entry]->disabled) if (!afl->queue_buf[entry]->disabled)
if (afl->queue_buf[entry]->exec_us > max_ms) if (afl->queue_buf[entry]->exec_us > max_ms)
max_ms = afl->queue_buf[entry]->exec_us; max_ms = afl->queue_buf[entry]->exec_us;
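Review bot: `max_ms` is assigned from `exec_us`, so the variable holds microseconds despite its name; this is unrelated to the rename, but since the loop is touched here, calling it `max_us` (or converting at the assignment) would prevent a unit mistake wherever the value is consumed.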
@ -1993,7 +1993,7 @@ int main(int argc, char **argv_orig, char **envp) {
afl->start_time = get_cur_time(); afl->start_time = get_cur_time();
u32 runs_in_current_cycle = (u32)-1; u32 runs_in_current_cycle = (u32)-1;
u32 prev_queued_paths = 0; u32 prev_queued_items = 0;
u8 skipped_fuzz; u8 skipped_fuzz;
#ifdef INTROSPECTION #ifdef INTROSPECTION
@ -2014,7 +2014,7 @@ int main(int argc, char **argv_orig, char **envp) {
cull_queue(afl); cull_queue(afl);
if (unlikely((!afl->old_seed_selection && if (unlikely((!afl->old_seed_selection &&
runs_in_current_cycle > afl->queued_paths) || runs_in_current_cycle > afl->queued_items) ||
(afl->old_seed_selection && !afl->queue_cur))) { (afl->old_seed_selection && !afl->queue_cur))) {
if (unlikely((afl->last_sync_cycle < afl->queue_cycle || if (unlikely((afl->last_sync_cycle < afl->queue_cycle ||
@ -2027,25 +2027,25 @@ int main(int argc, char **argv_orig, char **envp) {
++afl->queue_cycle; ++afl->queue_cycle;
runs_in_current_cycle = (u32)-1; runs_in_current_cycle = (u32)-1;
afl->cur_skipped_paths = 0; afl->cur_skipped_items = 0;
if (unlikely(afl->old_seed_selection)) { if (unlikely(afl->old_seed_selection)) {
afl->current_entry = 0; afl->current_entry = 0;
while (unlikely(afl->current_entry < afl->queued_paths && while (unlikely(afl->current_entry < afl->queued_items &&
afl->queue_buf[afl->current_entry]->disabled)) { afl->queue_buf[afl->current_entry]->disabled)) {
++afl->current_entry; ++afl->current_entry;
} }
if (afl->current_entry >= afl->queued_paths) { afl->current_entry = 0; } if (afl->current_entry >= afl->queued_items) { afl->current_entry = 0; }
afl->queue_cur = afl->queue_buf[afl->current_entry]; afl->queue_cur = afl->queue_buf[afl->current_entry];
if (unlikely(seek_to)) { if (unlikely(seek_to)) {
if (unlikely(seek_to >= afl->queued_paths)) { if (unlikely(seek_to >= afl->queued_items)) {
// This should never happen. // This should never happen.
FATAL("BUG: seek_to location out of bounds!\n"); FATAL("BUG: seek_to location out of bounds!\n");
@ -2070,7 +2070,7 @@ int main(int argc, char **argv_orig, char **envp) {
/* If we had a full queue cycle with no new finds, try /* If we had a full queue cycle with no new finds, try
recombination strategies next. */ recombination strategies next. */
if (unlikely(afl->queued_paths == prev_queued if (unlikely(afl->queued_items == prev_queued
/* FIXME TODO BUG: && (get_cur_time() - afl->start_time) >= /* FIXME TODO BUG: && (get_cur_time() - afl->start_time) >=
3600 */ 3600 */
)) { )) {
@ -2148,7 +2148,7 @@ int main(int argc, char **argv_orig, char **envp) {
fprintf(afl->introspection_file, fprintf(afl->introspection_file,
"CYCLE cycle=%llu cycle_wo_finds=%llu expand_havoc=%u queue=%u\n", "CYCLE cycle=%llu cycle_wo_finds=%llu expand_havoc=%u queue=%u\n",
afl->queue_cycle, afl->cycles_wo_finds, afl->expand_havoc, afl->queue_cycle, afl->cycles_wo_finds, afl->expand_havoc,
afl->queued_paths); afl->queued_items);
#endif #endif
if (afl->cycle_schedules) { if (afl->cycle_schedules) {
@ -2188,7 +2188,7 @@ int main(int argc, char **argv_orig, char **envp) {
} }
// we must recalculate the scores of all queue entries // we must recalculate the scores of all queue entries
for (u32 i = 0; i < afl->queued_paths; i++) { for (u32 i = 0; i < afl->queued_items; i++) {
if (likely(!afl->queue_buf[i]->disabled)) { if (likely(!afl->queue_buf[i]->disabled)) {
@ -2200,7 +2200,7 @@ int main(int argc, char **argv_orig, char **envp) {
} }
prev_queued = afl->queued_paths; prev_queued = afl->queued_items;
} }
@ -2210,11 +2210,11 @@ int main(int argc, char **argv_orig, char **envp) {
if (likely(!afl->old_seed_selection)) { if (likely(!afl->old_seed_selection)) {
if (unlikely(prev_queued_paths < afl->queued_paths || if (unlikely(prev_queued_items < afl->queued_items ||
afl->reinit_table)) { afl->reinit_table)) {
// we have new queue entries since the last run, recreate alias table // we have new queue entries since the last run, recreate alias table
prev_queued_paths = afl->queued_paths; prev_queued_items = afl->queued_items;
create_alias_table(afl); create_alias_table(afl);
} }
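Review bot: the renamed `prev_queued_items` (the alias-table rebuild trigger) now sits next to the existing `prev_queued` used by the cycle-level check at `if (unlikely(afl->queued_items == prev_queued`; the two names differ only by a suffix while tracking the same counter at different granularities. A more distinct name such as `alias_table_queued_items` for the local here would make the two roles hard to confuse.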
@ -2230,10 +2230,10 @@ int main(int argc, char **argv_orig, char **envp) {
if (unlikely(afl->old_seed_selection)) { if (unlikely(afl->old_seed_selection)) {
while (++afl->current_entry < afl->queued_paths && while (++afl->current_entry < afl->queued_items &&
afl->queue_buf[afl->current_entry]->disabled) afl->queue_buf[afl->current_entry]->disabled)
; ;
if (unlikely(afl->current_entry >= afl->queued_paths || if (unlikely(afl->current_entry >= afl->queued_items ||
afl->queue_buf[afl->current_entry] == NULL || afl->queue_buf[afl->current_entry] == NULL ||
afl->queue_buf[afl->current_entry]->disabled)) afl->queue_buf[afl->current_entry]->disabled))
afl->queue_cur = NULL; afl->queue_cur = NULL;
@ -2321,11 +2321,11 @@ stop_fuzzing:
u8 time_tmp[64]; u8 time_tmp[64];
u_stringify_time_diff(time_tmp, get_cur_time(), afl->start_time); u_stringify_time_diff(time_tmp, get_cur_time(), afl->start_time);
ACTF( ACTF(
"Statistics: %u new paths found, %.02f%% coverage achieved, %llu " "Statistics: %u new corpus items found, %.02f%% coverage achieved, "
"crashes found, %llu timeouts found, total runtime %s", "%llu crashes saved, %llu timeouts saved, total runtime %s",
afl->queued_discovered, afl->queued_discovered,
((double)t_bytes * 100) / afl->fsrv.real_map_size, afl->unique_crashes, ((double)t_bytes * 100) / afl->fsrv.real_map_size, afl->saved_crashes,
afl->unique_hangs, time_tmp); afl->saved_hangs, time_tmp);
} }
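Review bot: the exit summary labels `afl->saved_hangs` as 'timeouts saved', while show_stats maintains a separate `afl->saved_tmouts` counter (`u_stringify_int(IB(1), afl->saved_tmouts)`) distinct from `saved_hangs`; either print the hang counter under the same 'saved hangs' name the status screen uses, or state which counter is meant, so the final summary and the live UI agree.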