ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-15 11:28:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

rename path

Browse Source
This commit is contained in:
vanhauser-thc
2021-12-09 13:22:10 +01:00
parent 4c6d94ea5f
commit 9063002af2
16 changed files with 377 additions and 376 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
docs/Changelog.md
View File

@ -1566,7 +1566,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
- Fixed a bug with installed copies of AFL trying to use QEMU mode. Spotted
by G.M. Lime.
- Added last path / crash / hang times to fuzzer_stats, suggested by
- Added last find / crash / hang times to fuzzer_stats, suggested by
Richard Hipp.
- Fixed a typo, thanks to Jakub Wilk.

26
docs/afl-fuzz_approach.md
View File

@ -85,7 +85,7 @@ for parallel fuzzing. Second to last is the power schedule mode being run
```
+----------------------------------------------------+
| run time : 0 days, 8 hrs, 32 min, 43 sec |
| last new path : 0 days, 0 hrs, 6 min, 40 sec |
| last new find : 0 days, 0 hrs, 6 min, 40 sec |
| last uniq crash : none seen yet |
| last uniq hang : 0 days, 1 hrs, 24 min, 32 sec |
+----------------------------------------------------+
@ -485,20 +485,20 @@ directory. This includes:
- `cycles_wo_finds` - number of cycles without any new paths found
- `execs_done` - number of execve() calls attempted
- `execs_per_sec` - overall number of execs per second
- `paths_total` - total number of entries in the queue
- `paths_favored` - number of queue entries that are favored
- `paths_found` - number of entries discovered through local fuzzing
- `paths_imported` - number of entries imported from other instances
- `corpus_count` - total number of entries in the queue
- `corpus_favored` - number of queue entries that are favored
- `corpus_found` - number of entries discovered through local fuzzing
- `corpus_imported` - number of entries imported from other instances
- `max_depth` - number of levels in the generated data set
- `cur_path` - currently processed entry number
- `cur_item` - currently processed entry number
- `pending_favs` - number of favored entries still waiting to be fuzzed
- `pending_total` - number of all entries waiting to be fuzzed
- `variable_paths` - number of test cases showing variable behavior
- `corpus_variable` - number of test cases showing variable behavior
- `stability` - percentage of bitmap bytes that behave consistently
- `bitmap_cvg` - percentage of edge coverage found in the map so far
- `unique_crashes` - number of unique crashes recorded
- `unique_hangs` - number of unique hangs encountered
- `last_path` - seconds since the last path was found
- `saved_crashes` - number of unique crashes recorded
- `saved_hangs` - number of unique hangs encountered
- `last_find` - seconds since the last find was found
- `last_crash` - seconds since the last crash was found
- `last_hang` - seconds since the last hang was found
- `execs_since_crash` - execs since the last crash was found
@ -531,9 +531,9 @@ last crash > X, etc.).
The selected metrics are a subset of all the metrics found in the status and in
the plot file. The list is the following: `cycle_done`, `cycles_wo_finds`,
`execs_done`,`execs_per_sec`, `paths_total`, `paths_favored`, `paths_found`,
`paths_imported`, `max_depth`, `cur_path`, `pending_favs`, `pending_total`,
`variable_paths`, `unique_crashes`, `unique_hangs`, `total_crashes`,
`execs_done`,`execs_per_sec`, `corpus_count`, `corpus_favored`, `corpus_found`,
`corpus_imported`, `max_depth`, `cur_item`, `pending_favs`, `pending_total`,
`corpus_variable`, `saved_crashes`, `saved_hangs`, `total_crashes`,
`slowest_exec_ms`, `edges_found`, `var_byte_count`, `havoc_expansion`. Their
definitions can be found in the addendum above.

8
docs/fuzzing_in_depth.md
View File

@ -11,7 +11,7 @@ Fuzzing source code is a three-step process:
2. Prepare the fuzzing by selecting and optimizing the input corpus for the
target.
3. Perform the fuzzing of the target by randomly mutating input and assessing if
a generated input was processed in a new path in the target binary.
that input was processed on a new path in the target binary.
## 0. Common sense risks
@ -354,7 +354,7 @@ You can find many good examples of starting files in the
### b) Making the input corpus unique
Use the AFL++ tool `afl-cmin` to remove inputs from the corpus that do not
produce a new path in the target.
produce a new path/coverage in the target.
Put all files from step a) into one directory, e.g., INPUTS.
@ -633,7 +633,7 @@ AFL_BENCH_JUST_ONE=1 AFL_FAST_CAL=1 afl-fuzz -i newseeds -o out -S newseeds -- .
### g) Checking the coverage of the fuzzing
The `paths found` value is a bad indicator for checking how good the coverage
The `corpus count` value is a bad indicator for checking how good the coverage
is.
A better indicator - if you use default llvm instrumentation with at least
@ -822,7 +822,7 @@ as these are much shorter runnings.
will impact the speed by ~15% though.
* `AFL_FAST_CAL` - Enable fast calibration, this halves the time the
saturated corpus needs to be loaded.
* `AFL_CMPLOG_ONLY_NEW` - only perform cmplog on new found paths, not the
* `AFL_CMPLOG_ONLY_NEW` - only perform cmplog on new finds, not the
initial corpus as this very likely has been done for them already.
* Keep the generated corpus, use afl-cmin and reuse it every time!

12
docs/resources/grafana-afl++.json
View File

@ -926,7 +926,7 @@
"steppedLine": false,
"targets": [
{
"expr": "fuzzing{type=\"cur_path\"}",
"expr": "fuzzing{type=\"cur_item\"}",
"interval": "",
"legendFormat": "",
"refId": "A"
@ -936,7 +936,7 @@
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "Curent path",
"title": "Current fuzz item",
"tooltip": {
"shared": true,
"sort": 0,
@ -1116,7 +1116,7 @@
"steppedLine": false,
"targets": [
{
"expr": "fuzzing{type=\"paths_favored\"}",
"expr": "fuzzing{type=\"corpus_favored\"}",
"interval": "",
"legendFormat": "",
"refId": "A"
@ -1135,7 +1135,7 @@
}
],
"timeShift": null,
"title": "Path Favored",
"title": "Corpus Favored",
"tooltip": {
"shared": true,
"sort": 0,
@ -1428,7 +1428,7 @@
"steppedLine": false,
"targets": [
{
"expr": "fuzzing{type=\"paths_imported\"}",
"expr": "fuzzing{type=\"corpus_imported\"}",
"interval": "",
"legendFormat": "",
"refId": "A"
@ -1447,7 +1447,7 @@
}
],
"timeShift": null,
"title": "Path Imported",
"title": "Corpus Imported",
"tooltip": {
"shared": true,
"sort": 0,

16
docs/rpc_statsd.md
View File

@ -26,7 +26,7 @@ StatsD allows you to receive and aggregate metrics from a wide range of
applications and retransmit them to a backend of your choice.
From AFL++, StatsD can receive the following metrics:
- cur_path
- cur_item
- cycle_done
- cycles_wo_finds
- edges_found
@ -34,18 +34,18 @@ From AFL++, StatsD can receive the following metrics:
- execs_per_sec
- havoc_expansion
- max_depth
- paths_favored
- paths_found
- paths_imported
- paths_total
- corpus_favored
- corpus_found
- corpus_imported
- corpus_count
- pending_favs
- pending_total
- slowest_exec_ms
- total_crashes
- unique_crashes
- unique_hangs
- saved_crashes
- saved_hangs
- var_byte_count
- variable_paths
- corpus_variable
Depending on your StatsD server, you will be able to monitor, trigger alerts, or
perform actions based on these metrics (for example: alert on slow exec/s for a

12
include/afl-fuzz.h
View File

@ -537,7 +537,7 @@ typedef struct afl_state {
volatile u8 stop_soon, /* Ctrl-C pressed? */
clear_screen; /* Window resized? */
u32 queued_paths, /* Total number of queued testcases */
u32 queued_items, /* Total number of queued testcases */
queued_variable, /* Testcases with variable behavior */
queued_at_start, /* Total number of initial inputs */
queued_discovered, /* Items discovered during this run */
@ -546,7 +546,7 @@ typedef struct afl_state {
queued_with_cov, /* Paths with new coverage bytes */
pending_not_fuzzed, /* Queued but not done yet */
pending_favored, /* Pending favored paths */
cur_skipped_paths, /* Abandoned inputs in cur cycle */
cur_skipped_items, /* Abandoned inputs in cur cycle */
cur_depth, /* Current path depth */
max_depth, /* Max path depth */
useless_at_start, /* Number of useless starting paths */
@ -556,10 +556,10 @@ typedef struct afl_state {
max_det_extras; /* deterministic extra count (dicts)*/
u64 total_crashes, /* Total number of crashes */
unique_crashes, /* Crashes with unique signatures */
saved_crashes, /* Crashes with unique signatures */
total_tmouts, /* Total number of timeouts */
unique_tmouts, /* Timeouts with unique signatures */
unique_hangs, /* Hangs with unique signatures */
saved_tmouts, /* Timeouts with unique signatures */
saved_hangs, /* Hangs with unique signatures */
last_crash_execs, /* Exec counter at last crash */
queue_cycle, /* Queue round counter */
cycles_wo_finds, /* Cycles without any new paths */
@ -571,7 +571,7 @@ typedef struct afl_state {
start_time, /* Unix start time (ms) */
last_sync_time, /* Time of last sync */
last_sync_cycle, /* Cycle no. of the last sync */
last_path_time, /* Time for most recent path (ms) */
last_find_time, /* Time for most recent path (ms) */
last_crash_time, /* Time for most recent crash (ms) */
last_hang_time, /* Time for most recent hang (ms) */
exit_on_time; /* Delay to exit if no new paths */

24
src/afl-fuzz-bitmap.c
View File

@ -491,13 +491,13 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
#ifndef SIMPLE_FILES
queue_fn = alloc_printf(
"%s/queue/id:%06u,%s", afl->out_dir, afl->queued_paths,
"%s/queue/id:%06u,%s", afl->out_dir, afl->queued_items,
describe_op(afl, new_bits, NAME_MAX - strlen("id:000000,")));
#else
queue_fn =
alloc_printf("%s/queue/id_%06u", afl->out_dir, afl->queued_paths);
alloc_printf("%s/queue/id_%06u", afl->out_dir, afl->queued_items);
#endif /* ^!SIMPLE_FILES */
fd = open(queue_fn, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION);
@ -586,7 +586,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
++afl->total_tmouts;
if (afl->unique_hangs >= KEEP_UNIQUE_HANG) { return keeping; }
if (afl->saved_hangs >= KEEP_UNIQUE_HANG) { return keeping; }
if (likely(!afl->non_instrumented_mode)) {
@ -603,7 +603,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
}
++afl->unique_tmouts;
++afl->saved_tmouts;
#ifdef INTROSPECTION
if (afl->custom_mutators_count && afl->current_custom_fuzz) {
@ -661,17 +661,17 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
#ifndef SIMPLE_FILES
snprintf(fn, PATH_MAX, "%s/hangs/id:%06llu,%s", afl->out_dir,
afl->unique_hangs,
afl->saved_hangs,
describe_op(afl, 0, NAME_MAX - strlen("id:000000,")));
#else
snprintf(fn, PATH_MAX, "%s/hangs/id_%06llu", afl->out_dir,
afl->unique_hangs);
afl->saved_hangs);
#endif /* ^!SIMPLE_FILES */
++afl->unique_hangs;
++afl->saved_hangs;
afl->last_hang_time = get_cur_time();
@ -687,7 +687,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
++afl->total_crashes;
if (afl->unique_crashes >= KEEP_UNIQUE_CRASH) { return keeping; }
if (afl->saved_crashes >= KEEP_UNIQUE_CRASH) { return keeping; }
if (likely(!afl->non_instrumented_mode)) {
@ -699,22 +699,22 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
}
if (unlikely(!afl->unique_crashes)) { write_crash_readme(afl); }
if (unlikely(!afl->saved_crashes)) { write_crash_readme(afl); }
#ifndef SIMPLE_FILES
snprintf(fn, PATH_MAX, "%s/crashes/id:%06llu,sig:%02u,%s", afl->out_dir,
afl->unique_crashes, afl->fsrv.last_kill_signal,
afl->saved_crashes, afl->fsrv.last_kill_signal,
describe_op(afl, 0, NAME_MAX - strlen("id:000000,sig:00,")));
#else
snprintf(fn, PATH_MAX, "%s/crashes/id_%06llu_%02u", afl->out_dir,
afl->unique_crashes, afl->last_kill_signal);
afl->saved_crashes, afl->last_kill_signal);
#endif /* ^!SIMPLE_FILES */
++afl->unique_crashes;
++afl->saved_crashes;
#ifdef INTROSPECTION
if (afl->custom_mutators_count && afl->current_custom_fuzz) {

4
src/afl-fuzz-cmplog.c
View File

@ -59,7 +59,7 @@ u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len) {
if (afl->subseq_tmouts++ > TMOUT_LIMIT) {
++afl->cur_skipped_paths;
++afl->cur_skipped_items;
return 1;
}
@ -76,7 +76,7 @@ u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len) {
if (afl->skip_requested) {
afl->skip_requested = 0;
++afl->cur_skipped_paths;
++afl->cur_skipped_items;
return 1;
}

44
src/afl-fuzz-init.c
View File

@ -638,8 +638,8 @@ void read_foreign_testcases(afl_state_t *afl, int first) {
if (first) {
afl->last_path_time = 0;
afl->queued_at_start = afl->queued_paths;
afl->last_find_time = 0;
afl->queued_at_start = afl->queued_items;
}
@ -812,7 +812,7 @@ void read_testcases(afl_state_t *afl, u8 *directory) {
free(nl); /* not tracked */
if (!afl->queued_paths && directory == NULL) {
if (!afl->queued_items && directory == NULL) {
SAYF("\n" cLRD "[-] " cRST
"Looks like there are no valid test cases in the input directory! The "
@ -841,8 +841,8 @@ void read_testcases(afl_state_t *afl, u8 *directory) {
}
afl->last_path_time = 0;
afl->queued_at_start = afl->queued_paths;
afl->last_find_time = 0;
afl->queued_at_start = afl->queued_items;
}
@ -855,7 +855,7 @@ void perform_dry_run(afl_state_t *afl) {
u32 cal_failures = 0, idx;
u8 * use_mem;
for (idx = 0; idx < afl->queued_paths; idx++) {
for (idx = 0; idx < afl->queued_items; idx++) {
q = afl->queue_buf[idx];
if (unlikely(!q || q->disabled)) { continue; }
@ -1059,14 +1059,14 @@ void perform_dry_run(afl_state_t *afl) {
q->perf_score = 0;
u32 i = 0;
while (unlikely(i < afl->queued_paths && afl->queue_buf[i] &&
while (unlikely(i < afl->queued_items && afl->queue_buf[i] &&
afl->queue_buf[i]->disabled)) {
++i;
}
if (i < afl->queued_paths && afl->queue_buf[i]) {
if (i < afl->queued_items && afl->queue_buf[i]) {
afl->queue = afl->queue_buf[i];
@ -1077,7 +1077,7 @@ void perform_dry_run(afl_state_t *afl) {
}
afl->max_depth = 0;
for (i = 0; i < afl->queued_paths && likely(afl->queue_buf[i]); i++) {
for (i = 0; i < afl->queued_items && likely(afl->queue_buf[i]); i++) {
if (!afl->queue_buf[i]->disabled &&
afl->queue_buf[i]->depth > afl->max_depth)
@ -1118,16 +1118,16 @@ void perform_dry_run(afl_state_t *afl) {
if (cal_failures) {
if (cal_failures == afl->queued_paths) {
if (cal_failures == afl->queued_items) {
FATAL("All test cases time out or crash, giving up!");
}
WARNF("Skipped %u test cases (%0.02f%%) due to timeouts or crashes.",
cal_failures, ((double)cal_failures) * 100 / afl->queued_paths);
cal_failures, ((double)cal_failures) * 100 / afl->queued_items);
if (cal_failures * 5 > afl->queued_paths) {
if (cal_failures * 5 > afl->queued_items) {
WARNF(cLRD "High percentage of rejected test cases, check settings!");
@ -1139,14 +1139,14 @@ void perform_dry_run(afl_state_t *afl) {
u32 duplicates = 0, i;
for (idx = 0; idx < afl->queued_paths; idx++) {
for (idx = 0; idx < afl->queued_items; idx++) {
q = afl->queue_buf[idx];
if (!q || q->disabled || q->cal_failed || !q->exec_cksum) { continue; }
u32 done = 0;
for (i = idx + 1;
i < afl->queued_paths && !done && likely(afl->queue_buf[i]); i++) {
i < afl->queued_items && !done && likely(afl->queue_buf[i]); i++) {
struct queue_entry *p = afl->queue_buf[i];
if (p->disabled || p->cal_failed || !p->exec_cksum) { continue; }
@ -1196,7 +1196,7 @@ void perform_dry_run(afl_state_t *afl) {
afl->max_depth = 0;
for (idx = 0; idx < afl->queued_paths; idx++) {
for (idx = 0; idx < afl->queued_items; idx++) {
if (afl->queue_buf[idx] && !afl->queue_buf[idx]->disabled &&
afl->queue_buf[idx]->depth > afl->max_depth)
@ -1254,7 +1254,7 @@ void pivot_inputs(afl_state_t *afl) {
ACTF("Creating hard links for all input files...");
for (i = 0; i < afl->queued_paths && likely(afl->queue_buf[i]); i++) {
for (i = 0; i < afl->queued_items && likely(afl->queue_buf[i]); i++) {
q = afl->queue_buf[i];
@ -1293,7 +1293,7 @@ void pivot_inputs(afl_state_t *afl) {
if (src_str && sscanf(src_str + 1, "%06u", &src_id) == 1) {
if (src_id < afl->queued_paths) {
if (src_id < afl->queued_items) {
struct queue_entry *s = afl->queue_buf[src_id];
@ -1391,11 +1391,11 @@ u32 find_start_position(afl_state_t *afl) {
(void)i; /* Ignore errors */
close(fd);
off = strstr(tmp, "cur_path : ");
off = strstr(tmp, "cur_item : ");
if (!off) { return 0; }
ret = atoi(off + 20);
if (ret >= afl->queued_paths) { ret = 0; }
if (ret >= afl->queued_items) { ret = 0; }
return ret;
}
@ -2040,9 +2040,9 @@ void setup_dirs_fds(afl_state_t *afl) {
fprintf(
afl->fsrv.plot_file,
"# relative_time, cycles_done, cur_path, paths_total, "
"pending_total, pending_favs, map_size, unique_crashes, "
"unique_hangs, max_depth, execs_per_sec, total_execs, edges_found\n");
"# relative_time, cycles_done, cur_item, corpus_count, "
"pending_total, pending_favs, map_size, saved_crashes, "
"saved_hangs, max_depth, execs_per_sec, total_execs, edges_found\n");
} else {

146
src/afl-fuzz-one.c
View File

@ -423,7 +423,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
} else if (!afl->non_instrumented_mode && !afl->queue_cur->favored &&
afl->queued_paths > 10) {
afl->queued_items > 10) {
/* Otherwise, still possibly skip non-favored cases, albeit less often.
The odds of skipping stuff are higher for already-fuzzed inputs and
@ -449,7 +449,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
ACTF(
"Fuzzing test case #%u (%u total, %llu uniq crashes found, "
"perf_score=%0.0f, exec_us=%llu, hits=%u, map=%u, ascii=%u)...",
afl->current_entry, afl->queued_paths, afl->unique_crashes,
afl->current_entry, afl->queued_items, afl->saved_crashes,
afl->queue_cur->perf_score, afl->queue_cur->exec_us,
likely(afl->n_fuzz) ? afl->n_fuzz[afl->queue_cur->n_fuzz_entry] : 0,
afl->queue_cur->bitmap_size, afl->queue_cur->is_ascii);
@ -492,7 +492,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
if (unlikely(afl->stop_soon) || res != afl->crash_mode) {
++afl->cur_skipped_paths;
++afl->cur_skipped_items;
goto abandon_entry;
}
@ -519,7 +519,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
if (unlikely(afl->stop_soon)) {
++afl->cur_skipped_paths;
++afl->cur_skipped_items;
goto abandon_entry;
}
@ -566,8 +566,8 @@ u8 fuzz_one_original(afl_state_t *afl) {
if (afl->cmplog_lvl == 3 ||
(afl->cmplog_lvl == 2 && afl->queue_cur->tc_ref) ||
afl->queue_cur->favored ||
!(afl->fsrv.total_execs % afl->queued_paths) ||
get_cur_time() - afl->last_path_time > 300000) { // 300 seconds
!(afl->fsrv.total_execs % afl->queued_items) ||
get_cur_time() - afl->last_find_time > 300000) { // 300 seconds
if (input_to_state_stage(afl, in_buf, out_buf, len)) {
@ -630,7 +630,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
afl->stage_val_type = STAGE_VAL_NONE;
orig_hit_cnt = afl->queued_paths + afl->unique_crashes;
orig_hit_cnt = afl->queued_items + afl->saved_crashes;
prev_cksum = afl->queue_cur->exec_cksum;
@ -734,7 +734,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
}
new_hit_cnt = afl->queued_paths + afl->unique_crashes;
new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_FLIP1] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_FLIP1] += afl->stage_max;
@ -766,7 +766,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
}
new_hit_cnt = afl->queued_paths + afl->unique_crashes;
new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_FLIP2] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_FLIP2] += afl->stage_max;
@ -802,7 +802,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
}
new_hit_cnt = afl->queued_paths + afl->unique_crashes;
new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_FLIP4] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_FLIP4] += afl->stage_max;
@ -909,7 +909,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
afl->blocks_eff_total += EFF_ALEN(len);
new_hit_cnt = afl->queued_paths + afl->unique_crashes;
new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_FLIP8] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_FLIP8] += afl->stage_max;
@ -952,7 +952,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
}
new_hit_cnt = afl->queued_paths + afl->unique_crashes;
new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_FLIP16] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_FLIP16] += afl->stage_max;
@ -995,7 +995,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
}
new_hit_cnt = afl->queued_paths + afl->unique_crashes;
new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_FLIP32] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_FLIP32] += afl->stage_max;
@ -1087,7 +1087,7 @@ skip_bitflip:
}
new_hit_cnt = afl->queued_paths + afl->unique_crashes;
new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_ARITH8] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_ARITH8] += afl->stage_max;
@ -1217,7 +1217,7 @@ skip_bitflip:
}
new_hit_cnt = afl->queued_paths + afl->unique_crashes;
new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_ARITH16] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_ARITH16] += afl->stage_max;
@ -1346,7 +1346,7 @@ skip_bitflip:
}
new_hit_cnt = afl->queued_paths + afl->unique_crashes;
new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_ARITH32] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_ARITH32] += afl->stage_max;
@ -1412,7 +1412,7 @@ skip_arith:
}
new_hit_cnt = afl->queued_paths + afl->unique_crashes;
new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_INTEREST8] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_INTEREST8] += afl->stage_max;
@ -1500,7 +1500,7 @@ skip_arith:
}
new_hit_cnt = afl->queued_paths + afl->unique_crashes;
new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_INTEREST16] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_INTEREST16] += afl->stage_max;
@ -1589,7 +1589,7 @@ skip_arith:
}
new_hit_cnt = afl->queued_paths + afl->unique_crashes;
new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_INTEREST32] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_INTEREST32] += afl->stage_max;
@ -1662,7 +1662,7 @@ skip_interest:
}
new_hit_cnt = afl->queued_paths + afl->unique_crashes;
new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_EXTRAS_UO] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_EXTRAS_UO] += afl->stage_max;
@ -1718,7 +1718,7 @@ skip_interest:
}
new_hit_cnt = afl->queued_paths + afl->unique_crashes;
new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_EXTRAS_UI] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_EXTRAS_UI] += afl->stage_max;
@ -1776,7 +1776,7 @@ skip_user_extras:
}
new_hit_cnt = afl->queued_paths + afl->unique_crashes;
new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_EXTRAS_AO] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_EXTRAS_AO] += afl->stage_max;
@ -1806,7 +1806,7 @@ custom_mutator_stage:
const u32 max_seed_size = MAX_FILE, saved_max = afl->stage_max;
orig_hit_cnt = afl->queued_paths + afl->unique_crashes;
orig_hit_cnt = afl->queued_items + afl->saved_crashes;
#ifdef INTROSPECTION
afl->mutation[0] = 0;
@ -1850,7 +1850,7 @@ custom_mutator_stage:
do {
tid = rand_below(afl, afl->queued_paths);
tid = rand_below(afl, afl->queued_items);
} while (unlikely(tid == afl->current_entry ||
@ -1890,7 +1890,7 @@ custom_mutator_stage:
/* If we're finding new stuff, let's run for a bit longer, limits
permitting. */
if (afl->queued_paths != havoc_queued) {
if (afl->queued_items != havoc_queued) {
if (perf_score <= afl->havoc_max_mult * 100) {
@ -1899,7 +1899,7 @@ custom_mutator_stage:
}
havoc_queued = afl->queued_paths;
havoc_queued = afl->queued_items;
}
@ -1926,7 +1926,7 @@ custom_mutator_stage:
if (!has_custom_fuzz) goto havoc_stage;
new_hit_cnt = afl->queued_paths + afl->unique_crashes;
new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_CUSTOM_MUTATOR] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_CUSTOM_MUTATOR] += afl->stage_max;
@ -1972,9 +1972,9 @@ havoc_stage:
temp_len = len;
orig_hit_cnt = afl->queued_paths + afl->unique_crashes;
orig_hit_cnt = afl->queued_items + afl->saved_crashes;
havoc_queued = afl->queued_paths;
havoc_queued = afl->queued_items;
if (afl->custom_mutators_count) {
@ -2023,7 +2023,7 @@ havoc_stage:
}
if (unlikely(get_cur_time() - afl->last_path_time > 5000 /* 5 seconds */ &&
if (unlikely(get_cur_time() - afl->last_find_time > 5000 /* 5 seconds */ &&
afl->ready_for_splicing_count > 1)) {
/* add expensive havoc cases here if there is no findings in the last 5s */
@ -2669,7 +2669,7 @@ havoc_stage:
u32 tid;
do {
tid = rand_below(afl, afl->queued_paths);
tid = rand_below(afl, afl->queued_items);
} while (tid == afl->current_entry || afl->queue_buf[tid]->len < 4);
@ -2757,7 +2757,7 @@ havoc_stage:
/* If we're finding new stuff, let's run for a bit longer, limits
permitting. */
if (afl->queued_paths != havoc_queued) {
if (afl->queued_items != havoc_queued) {
if (perf_score <= afl->havoc_max_mult * 100) {
@ -2766,13 +2766,13 @@ havoc_stage:
}
havoc_queued = afl->queued_paths;
havoc_queued = afl->queued_items;
}
}
new_hit_cnt = afl->queued_paths + afl->unique_crashes;
new_hit_cnt = afl->queued_items + afl->saved_crashes;
if (!splice_cycle) {
@ -2821,7 +2821,7 @@ retry_splicing:
do {
tid = rand_below(afl, afl->queued_paths);
tid = rand_below(afl, afl->queued_items);
} while (tid == afl->current_entry || afl->queue_buf[tid]->len < 4);
@ -2945,7 +2945,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
} else if (!afl->non_instrumented_mode && !afl->queue_cur->favored &&
afl->queued_paths > 10) {
afl->queued_items > 10) {
/* Otherwise, still possibly skip non-favored cases, albeit less often.
The odds of skipping stuff are higher for already-fuzzed inputs and
@ -2969,7 +2969,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
if (afl->not_on_tty) {
ACTF("Fuzzing test case #%u (%u total, %llu uniq crashes found)...",
afl->current_entry, afl->queued_paths, afl->unique_crashes);
afl->current_entry, afl->queued_items, afl->saved_crashes);
fflush(stdout);
}
@ -3010,7 +3010,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
if (afl->stop_soon || res != afl->crash_mode) {
++afl->cur_skipped_paths;
++afl->cur_skipped_items;
goto abandon_entry;
}
@ -3037,7 +3037,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
if (unlikely(afl->stop_soon)) {
++afl->cur_skipped_paths;
++afl->cur_skipped_items;
goto abandon_entry;
}
@ -3082,8 +3082,8 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
if (afl->cmplog_lvl == 3 ||
(afl->cmplog_lvl == 2 && afl->queue_cur->tc_ref) ||
!(afl->fsrv.total_execs % afl->queued_paths) ||
get_cur_time() - afl->last_path_time > 300000) { // 300 seconds
!(afl->fsrv.total_execs % afl->queued_items) ||
get_cur_time() - afl->last_find_time > 300000) { // 300 seconds
if (input_to_state_stage(afl, in_buf, out_buf, len)) {
@ -3101,10 +3101,10 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
cur_ms_lv = get_cur_time();
if (!(afl->key_puppet == 0 &&
((cur_ms_lv - afl->last_path_time < (u32)afl->limit_time_puppet) ||
((cur_ms_lv - afl->last_find_time < (u32)afl->limit_time_puppet) ||
(afl->last_crash_time != 0 &&
cur_ms_lv - afl->last_crash_time < (u32)afl->limit_time_puppet) ||
afl->last_path_time == 0))) {
afl->last_find_time == 0))) {
afl->key_puppet = 1;
goto pacemaker_fuzzing;
@ -3156,7 +3156,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
afl->stage_val_type = STAGE_VAL_NONE;
orig_hit_cnt = afl->queued_paths + afl->unique_crashes;
orig_hit_cnt = afl->queued_items + afl->saved_crashes;
prev_cksum = afl->queue_cur->exec_cksum;
@ -3259,7 +3259,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
} /* for afl->stage_cur */
new_hit_cnt = afl->queued_paths + afl->unique_crashes;
new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_FLIP1] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_FLIP1] += afl->stage_max;
@ -3290,7 +3290,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
} /* for afl->stage_cur */
new_hit_cnt = afl->queued_paths + afl->unique_crashes;
new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_FLIP2] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_FLIP2] += afl->stage_max;
@ -3325,7 +3325,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
} /* for afl->stage_cur */
new_hit_cnt = afl->queued_paths + afl->unique_crashes;
new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_FLIP4] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_FLIP4] += afl->stage_max;
@ -3431,7 +3431,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
afl->blocks_eff_total += EFF_ALEN(len);
new_hit_cnt = afl->queued_paths + afl->unique_crashes;
new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_FLIP8] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_FLIP8] += afl->stage_max;
@ -3473,7 +3473,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
} /* for i = 0; i < len */
new_hit_cnt = afl->queued_paths + afl->unique_crashes;
new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_FLIP16] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_FLIP16] += afl->stage_max;
@ -3515,7 +3515,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
} /* for i = 0; i < len - 3 */
new_hit_cnt = afl->queued_paths + afl->unique_crashes;
new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_FLIP32] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_FLIP32] += afl->stage_max;
@ -3605,7 +3605,7 @@ skip_bitflip:
} /* for i = 0; i < len */
new_hit_cnt = afl->queued_paths + afl->unique_crashes;
new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_ARITH8] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_ARITH8] += afl->stage_max;
@ -3731,7 +3731,7 @@ skip_bitflip:
} /* for i = 0; i < len - 1 */
new_hit_cnt = afl->queued_paths + afl->unique_crashes;
new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_ARITH16] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_ARITH16] += afl->stage_max;
@ -3856,7 +3856,7 @@ skip_bitflip:
} /* for i = 0; i < len - 3 */
new_hit_cnt = afl->queued_paths + afl->unique_crashes;
new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_ARITH32] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_ARITH32] += afl->stage_max;
@ -3921,7 +3921,7 @@ skip_arith:
} /* for i = 0; i < len */
new_hit_cnt = afl->queued_paths + afl->unique_crashes;
new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_INTEREST8] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_INTEREST8] += afl->stage_max;
@ -4007,7 +4007,7 @@ skip_arith:
} /* for i = 0; i < len - 1 */
new_hit_cnt = afl->queued_paths + afl->unique_crashes;
new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_INTEREST16] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_INTEREST16] += afl->stage_max;
@ -4094,7 +4094,7 @@ skip_arith:
} /* for i = 0; i < len - 3 */
new_hit_cnt = afl->queued_paths + afl->unique_crashes;
new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_INTEREST32] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_INTEREST32] += afl->stage_max;
@ -4167,7 +4167,7 @@ skip_interest:
} /* for i = 0; i < len */
new_hit_cnt = afl->queued_paths + afl->unique_crashes;
new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_EXTRAS_UO] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_EXTRAS_UO] += afl->stage_max;
@ -4223,7 +4223,7 @@ skip_interest:
} /* for i = 0; i <= len */
new_hit_cnt = afl->queued_paths + afl->unique_crashes;
new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_EXTRAS_UI] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_EXTRAS_UI] += afl->stage_max;
@ -4282,7 +4282,7 @@ skip_user_extras:
} /* for i = 0; i < len */
new_hit_cnt = afl->queued_paths + afl->unique_crashes;
new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_EXTRAS_AO] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_EXTRAS_AO] += afl->stage_max;
@ -4335,7 +4335,7 @@ pacemaker_fuzzing:
if (unlikely(afl->orig_hit_cnt_puppet == 0)) {
afl->orig_hit_cnt_puppet = afl->queued_paths + afl->unique_crashes;
afl->orig_hit_cnt_puppet = afl->queued_items + afl->saved_crashes;
afl->last_limit_time_start = get_cur_time();
afl->SPLICE_CYCLES_puppet =
(rand_below(
@ -4380,9 +4380,9 @@ pacemaker_fuzzing:
temp_len = len;
orig_hit_cnt = afl->queued_paths + afl->unique_crashes;
orig_hit_cnt = afl->queued_items + afl->saved_crashes;
havoc_queued = afl->queued_paths;
havoc_queued = afl->queued_items;
u32 r_max;
@ -4948,7 +4948,7 @@ pacemaker_fuzzing:
u32 tid;
do {
tid = rand_below(afl, afl->queued_paths);
tid = rand_below(afl, afl->queued_items);
} while (tid == afl->current_entry ||
@ -5029,7 +5029,7 @@ pacemaker_fuzzing:
++*MOpt_globals.pTime;
u64 temp_total_found = afl->queued_paths + afl->unique_crashes;
u64 temp_total_found = afl->queued_items + afl->saved_crashes;
if (common_fuzz_stuff(afl, out_buf, temp_len)) {
@ -5048,7 +5048,7 @@ pacemaker_fuzzing:
/* If we're finding new stuff, let's run for a bit longer, limits
permitting. */
if (afl->queued_paths != havoc_queued) {
if (afl->queued_items != havoc_queued) {
if (perf_score <= afl->havoc_max_mult * 100) {
@ -5057,15 +5057,15 @@ pacemaker_fuzzing:
}
havoc_queued = afl->queued_paths;
havoc_queued = afl->queued_items;
}
if (unlikely(afl->queued_paths + afl->unique_crashes >
if (unlikely(afl->queued_items + afl->saved_crashes >
temp_total_found)) {
u64 temp_temp_puppet =
afl->queued_paths + afl->unique_crashes - temp_total_found;
afl->queued_items + afl->saved_crashes - temp_total_found;
afl->total_puppet_find = afl->total_puppet_find + temp_temp_puppet;
if (MOpt_globals.is_pilot_mode) {
@ -5099,7 +5099,7 @@ pacemaker_fuzzing:
++afl->stage_cur) { */
new_hit_cnt = afl->queued_paths + afl->unique_crashes;
new_hit_cnt = afl->queued_items + afl->saved_crashes;
if (MOpt_globals.is_pilot_mode) {
@ -5149,7 +5149,7 @@ pacemaker_fuzzing:
do {
tid = rand_below(afl, afl->queued_paths);
tid = rand_below(afl, afl->queued_items);
} while (tid == afl->current_entry || afl->queue_buf[tid]->len < 4);
@ -5235,8 +5235,8 @@ pacemaker_fuzzing:
if (afl->key_puppet == 1) {
if (unlikely(
afl->queued_paths + afl->unique_crashes >
((afl->queued_paths + afl->unique_crashes) * limit_time_bound +
afl->queued_items + afl->saved_crashes >
((afl->queued_items + afl->saved_crashes) * limit_time_bound +
afl->orig_hit_cnt_puppet))) {
afl->key_puppet = 0;
@ -5251,7 +5251,7 @@ pacemaker_fuzzing:
afl->total_pacemaker_time += *MOpt_globals.pTime;
*MOpt_globals.pTime = 0;
new_hit_cnt = afl->queued_paths + afl->unique_crashes;
new_hit_cnt = afl->queued_items + afl->saved_crashes;
if (MOpt_globals.is_pilot_mode) {

34
src/afl-fuzz-queue.c
View File

@ -31,7 +31,7 @@
inline u32 select_next_queue_entry(afl_state_t *afl) {
u32 s = rand_below(afl, afl->queued_paths);
u32 s = rand_below(afl, afl->queued_items);
double p = rand_next_percent(afl);
/*
fprintf(stderr, "select: p=%f s=%u ... p < prob[s]=%f ? s=%u : alias[%u]=%u"
@ -69,7 +69,7 @@ double compute_weight(afl_state_t *afl, struct queue_entry *q,
void create_alias_table(afl_state_t *afl) {
u32 n = afl->queued_paths, i = 0, a, g;
u32 n = afl->queued_items, i = 0, a, g;
double sum = 0;
afl->alias_table =
@ -547,19 +547,19 @@ void add_to_queue(afl_state_t *afl, u8 *fname, u32 len, u8 passed_det) {
if (likely(q->len > 4)) afl->ready_for_splicing_count++;
++afl->queued_paths;
++afl->queued_items;
++afl->active_paths;
++afl->pending_not_fuzzed;
afl->cycles_wo_finds = 0;
struct queue_entry **queue_buf = afl_realloc(
AFL_BUF_PARAM(queue), afl->queued_paths * sizeof(struct queue_entry *));
AFL_BUF_PARAM(queue), afl->queued_items * sizeof(struct queue_entry *));
if (unlikely(!queue_buf)) { PFATAL("alloc"); }
queue_buf[afl->queued_paths - 1] = q;
q->id = afl->queued_paths - 1;
queue_buf[afl->queued_items - 1] = q;
q->id = afl->queued_items - 1;
afl->last_path_time = get_cur_time();
afl->last_find_time = get_cur_time();
if (afl->custom_mutators_count) {
@ -583,7 +583,7 @@ void destroy_queue(afl_state_t *afl) {
u32 i;
for (i = 0; i < afl->queued_paths; i++) {
for (i = 0; i < afl->queued_items; i++) {
struct queue_entry *q;
@ -737,7 +737,7 @@ void cull_queue(afl_state_t *afl) {
afl->queued_favored = 0;
afl->pending_favored = 0;
for (i = 0; i < afl->queued_paths; i++) {
for (i = 0; i < afl->queued_items; i++) {
afl->queue_buf[i]->favored = 0;
@ -782,7 +782,7 @@ void cull_queue(afl_state_t *afl) {
}
for (i = 0; i < afl->queued_paths; i++) {
for (i = 0; i < afl->queued_items; i++) {
if (likely(!afl->queue_buf[i]->disabled)) {
@ -915,7 +915,7 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) {
}
u32 n_paths;
u32 n_items;
double factor = 1.0;
long double fuzz_mu;
@ -933,26 +933,26 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) {
case COE:
fuzz_mu = 0.0;
n_paths = 0;
n_items = 0;
// Don't modify perf_score for unfuzzed seeds
if (q->fuzz_level == 0) break;
u32 i;
for (i = 0; i < afl->queued_paths; i++) {
for (i = 0; i < afl->queued_items; i++) {
if (likely(!afl->queue_buf[i]->disabled)) {
fuzz_mu += log2(afl->n_fuzz[afl->queue_buf[i]->n_fuzz_entry]);
n_paths++;
n_items++;
}
}
if (unlikely(!n_paths)) { FATAL("Queue state corrupt"); }
if (unlikely(!n_items)) { FATAL("Queue state corrupt"); }
fuzz_mu = fuzz_mu / n_paths;
fuzz_mu = fuzz_mu / n_items;
if (log2(afl->n_fuzz[q->n_fuzz_entry]) > fuzz_mu) {
@ -1018,7 +1018,7 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) {
-- rare. the simpler algo however is good when rare is not.
// the newer the entry, the higher the pref_score
perf_score *= (1 + (double)((double)q->depth /
(double)afl->queued_paths));
(double)afl->queued_items));
// with special focus on the last 8 entries
if (afl->max_depth - q->depth < 8) perf_score *= (1 + ((8 -
(afl->max_depth - q->depth)) / 5));

14
src/afl-fuzz-redqueen.c
View File

@ -276,7 +276,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len,
#endif
u64 orig_hit_cnt, new_hit_cnt, exec_cksum;
orig_hit_cnt = afl->queued_paths + afl->unique_crashes;
orig_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_name = "colorization";
afl->stage_short = "colorization";
@ -424,7 +424,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len,
}
new_hit_cnt = afl->queued_paths + afl->unique_crashes;
new_hit_cnt = afl->queued_items + afl->saved_crashes;
#if defined(_DEBUG) || defined(CMPLOG_INTROSPECTION)
FILE *f = stderr;
@ -517,7 +517,7 @@ static u8 its_fuzz(afl_state_t *afl, u8 *buf, u32 len, u8 *status) {
u64 orig_hit_cnt, new_hit_cnt;
orig_hit_cnt = afl->queued_paths + afl->unique_crashes;
orig_hit_cnt = afl->queued_items + afl->saved_crashes;
#ifdef _DEBUG
dump("DATA", buf, len);
@ -525,7 +525,7 @@ static u8 its_fuzz(afl_state_t *afl, u8 *buf, u32 len, u8 *status) {
if (unlikely(common_fuzz_stuff(afl, buf, len))) { return 1; }
new_hit_cnt = afl->queued_paths + afl->unique_crashes;
new_hit_cnt = afl->queued_items + afl->saved_crashes;
if (unlikely(new_hit_cnt != orig_hit_cnt)) {
@ -2720,7 +2720,7 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len) {
u64 orig_hit_cnt, new_hit_cnt;
u64 orig_execs = afl->fsrv.total_execs;
orig_hit_cnt = afl->queued_paths + afl->unique_crashes;
orig_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_name = "input-to-state";
afl->stage_short = "its";
@ -2845,7 +2845,7 @@ exit_its:
}
#ifdef CMPLOG_COMBINE
if (afl->queued_paths + afl->unique_crashes > orig_hit_cnt + 1) {
if (afl->queued_items + afl->saved_crashes > orig_hit_cnt + 1) {
// copy the current virgin bits so we can recover the information
u8 *virgin_save = afl_realloc((void **)&afl->eff_buf, afl->shm.map_size);
@ -2897,7 +2897,7 @@ exit_its:
#endif
new_hit_cnt = afl->queued_paths + afl->unique_crashes;
new_hit_cnt = afl->queued_items + afl->saved_crashes;
afl->stage_finds[STAGE_ITS] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_ITS] += afl->fsrv.total_execs - orig_execs;

4
src/afl-fuzz-run.c
View File

@ -953,7 +953,7 @@ common_fuzz_stuff(afl_state_t *afl, u8 *out_buf, u32 len) {
if (afl->subseq_tmouts++ > TMOUT_LIMIT) {
++afl->cur_skipped_paths;
++afl->cur_skipped_items;
return 1;
}
@ -970,7 +970,7 @@ common_fuzz_stuff(afl_state_t *afl, u8 *out_buf, u32 len) {
if (afl->skip_requested) {
afl->skip_requested = 0;
++afl->cur_skipped_paths;
++afl->cur_skipped_items;
return 1;
}

279
src/afl-fuzz-stats.c
View File

@ -147,10 +147,10 @@ void load_stats_file(afl_state_t *afl) {
afl->fsrv.total_execs = strtoull(lptr, &nptr, 10);
break;
case 10:
if (!strcmp(keystring, "paths_total ")) {
if (!strcmp(keystring, "corpus_count ")) {
u32 paths_total = strtoul(lptr, &nptr, 10);
if (paths_total != afl->queued_paths) {
u32 corpus_count = strtoul(lptr, &nptr, 10);
if (corpus_count != afl->queued_items) {
WARNF(
"queue/ has been modified -- things might not work, you're "
@ -162,11 +162,11 @@ void load_stats_file(afl_state_t *afl) {
break;
case 12:
if (!strcmp(keystring, "paths_found "))
if (!strcmp(keystring, "corpus_found "))
afl->queued_discovered = strtoul(lptr, &nptr, 10);
break;
case 13:
if (!strcmp(keystring, "paths_imported "))
if (!strcmp(keystring, "corpus_imported "))
afl->queued_imported = strtoul(lptr, &nptr, 10);
break;
case 14:
@ -174,12 +174,12 @@ void load_stats_file(afl_state_t *afl) {
afl->max_depth = strtoul(lptr, &nptr, 10);
break;
case 21:
if (!strcmp(keystring, "unique_crashes "))
afl->unique_crashes = strtoull(lptr, &nptr, 10);
if (!strcmp(keystring, "saved_crashes "))
afl->saved_crashes = strtoull(lptr, &nptr, 10);
break;
case 22:
if (!strcmp(keystring, "unique_hangs "))
afl->unique_hangs = strtoull(lptr, &nptr, 10);
if (!strcmp(keystring, "saved_hangs "))
afl->saved_hangs = strtoull(lptr, &nptr, 10);
break;
default:
break;
@ -190,7 +190,7 @@ void load_stats_file(afl_state_t *afl) {
}
if (afl->unique_crashes) { write_crash_readme(afl); }
if (afl->saved_crashes) { write_crash_readme(afl); }
return;
@ -243,96 +243,95 @@ void write_stats_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg,
if (getrusage(RUSAGE_CHILDREN, &rus)) { rus.ru_maxrss = 0; }
#endif
fprintf(f,
"start_time : %llu\n"
"last_update : %llu\n"
"run_time : %llu\n"
"fuzzer_pid : %u\n"
"cycles_done : %llu\n"
"cycles_wo_finds : %llu\n"
"execs_done : %llu\n"
"execs_per_sec : %0.02f\n"
"execs_ps_last_min : %0.02f\n"
"paths_total : %u\n"
"paths_favored : %u\n"
"paths_found : %u\n"
"paths_imported : %u\n"
"max_depth : %u\n"
"cur_path : %u\n" /* Must match find_start_position() */
"pending_favs : %u\n"
"pending_total : %u\n"
"variable_paths : %u\n"
"stability : %0.02f%%\n"
"bitmap_cvg : %0.02f%%\n"
"unique_crashes : %llu\n"
"unique_hangs : %llu\n"
"last_path : %llu\n"
"last_crash : %llu\n"
"last_hang : %llu\n"
"execs_since_crash : %llu\n"
"exec_timeout : %u\n"
"slowest_exec_ms : %u\n"
"peak_rss_mb : %lu\n"
"cpu_affinity : %d\n"
"edges_found : %u\n"
"total_edges : %u\n"
"var_byte_count : %u\n"
"havoc_expansion : %u\n"
"auto_dict_entries : %u\n"
"testcache_size : %llu\n"
"testcache_count : %u\n"
"testcache_evict : %u\n"
"afl_banner : %s\n"
"afl_version : " VERSION
"\n"
"target_mode : %s%s%s%s%s%s%s%s%s%s\n"
"command_line : %s\n",
(afl->start_time - afl->prev_run_time) / 1000, cur_time / 1000,
(afl->prev_run_time + cur_time - afl->start_time) / 1000,
(u32)getpid(), afl->queue_cycle ? (afl->queue_cycle - 1) : 0,
afl->cycles_wo_finds, afl->fsrv.total_execs,
afl->fsrv.total_execs /
((double)(afl->prev_run_time + get_cur_time() - afl->start_time) /
1000),
afl->last_avg_execs_saved, afl->queued_paths, afl->queued_favored,
afl->queued_discovered, afl->queued_imported, afl->max_depth,
afl->current_entry, afl->pending_favored, afl->pending_not_fuzzed,
afl->queued_variable, stability, bitmap_cvg, afl->unique_crashes,
afl->unique_hangs, afl->last_path_time / 1000,
afl->last_crash_time / 1000, afl->last_hang_time / 1000,
afl->fsrv.total_execs - afl->last_crash_execs, afl->fsrv.exec_tmout,
afl->slowest_exec_ms,
fprintf(
f,
"start_time : %llu\n"
"last_update : %llu\n"
"run_time : %llu\n"
"fuzzer_pid : %u\n"
"cycles_done : %llu\n"
"cycles_wo_finds : %llu\n"
"execs_done : %llu\n"
"execs_per_sec : %0.02f\n"
"execs_ps_last_min : %0.02f\n"
"corpus_count : %u\n"
"corpus_favored : %u\n"
"corpus_found : %u\n"
"corpus_imported : %u\n"
"corpus_variable : %u\n"
"max_depth : %u\n"
"cur_item : %u\n"
"pending_favs : %u\n"
"pending_total : %u\n"
"stability : %0.02f%%\n"
"bitmap_cvg : %0.02f%%\n"
"saved_crashes : %llu\n"
"saved_hangs : %llu\n"
"last_find : %llu\n"
"last_crash : %llu\n"
"last_hang : %llu\n"
"execs_since_crash : %llu\n"
"exec_timeout : %u\n"
"slowest_exec_ms : %u\n"
"peak_rss_mb : %lu\n"
"cpu_affinity : %d\n"
"edges_found : %u\n"
"total_edges : %u\n"
"var_byte_count : %u\n"
"havoc_expansion : %u\n"
"auto_dict_entries : %u\n"
"testcache_size : %llu\n"
"testcache_count : %u\n"
"testcache_evict : %u\n"
"afl_banner : %s\n"
"afl_version : " VERSION
"\n"
"target_mode : %s%s%s%s%s%s%s%s%s%s\n"
"command_line : %s\n",
(afl->start_time - afl->prev_run_time) / 1000, cur_time / 1000,
(afl->prev_run_time + cur_time - afl->start_time) / 1000, (u32)getpid(),
afl->queue_cycle ? (afl->queue_cycle - 1) : 0, afl->cycles_wo_finds,
afl->fsrv.total_execs,
afl->fsrv.total_execs /
((double)(afl->prev_run_time + get_cur_time() - afl->start_time) /
1000),
afl->last_avg_execs_saved, afl->queued_items, afl->queued_favored,
afl->queued_discovered, afl->queued_imported, afl->max_depth,
afl->current_entry, afl->pending_favored, afl->pending_not_fuzzed,
afl->queued_variable, stability, bitmap_cvg, afl->saved_crashes,
afl->saved_hangs, afl->last_find_time / 1000, afl->last_crash_time / 1000,
afl->last_hang_time / 1000, afl->fsrv.total_execs - afl->last_crash_execs,
afl->fsrv.exec_tmout, afl->slowest_exec_ms,
#ifndef __HAIKU__
#ifdef __APPLE__
(unsigned long int)(rus.ru_maxrss >> 20),
(unsigned long int)(rus.ru_maxrss >> 20),
#else
(unsigned long int)(rus.ru_maxrss >> 10),
(unsigned long int)(rus.ru_maxrss >> 10),
#endif
#else
-1UL,
-1UL,
#endif
#ifdef HAVE_AFFINITY
afl->cpu_aff,
afl->cpu_aff,
#else
-1,
-1,
#endif
t_bytes, afl->fsrv.real_map_size, afl->var_byte_count,
afl->expand_havoc, afl->a_extras_cnt, afl->q_testcase_cache_size,
afl->q_testcase_cache_count, afl->q_testcase_evictions,
afl->use_banner, afl->unicorn_mode ? "unicorn" : "",
afl->fsrv.qemu_mode ? "qemu " : "",
afl->fsrv.cs_mode ? "coresight" : "",
afl->non_instrumented_mode ? " non_instrumented " : "",
afl->no_forkserver ? "no_fsrv " : "", afl->crash_mode ? "crash " : "",
afl->persistent_mode ? "persistent " : "",
afl->shmem_testcase_mode ? "shmem_testcase " : "",
afl->deferred_mode ? "deferred " : "",
(afl->unicorn_mode || afl->fsrv.qemu_mode || afl->fsrv.cs_mode ||
afl->non_instrumented_mode || afl->no_forkserver ||
afl->crash_mode || afl->persistent_mode || afl->deferred_mode)
? ""
: "default",
afl->orig_cmdline);
t_bytes, afl->fsrv.real_map_size, afl->var_byte_count, afl->expand_havoc,
afl->a_extras_cnt, afl->q_testcase_cache_size,
afl->q_testcase_cache_count, afl->q_testcase_evictions, afl->use_banner,
afl->unicorn_mode ? "unicorn" : "", afl->fsrv.qemu_mode ? "qemu " : "",
afl->fsrv.cs_mode ? "coresight" : "",
afl->non_instrumented_mode ? " non_instrumented " : "",
afl->no_forkserver ? "no_fsrv " : "", afl->crash_mode ? "crash " : "",
afl->persistent_mode ? "persistent " : "",
afl->shmem_testcase_mode ? "shmem_testcase " : "",
afl->deferred_mode ? "deferred " : "",
(afl->unicorn_mode || afl->fsrv.qemu_mode || afl->fsrv.cs_mode ||
afl->non_instrumented_mode || afl->no_forkserver || afl->crash_mode ||
afl->persistent_mode || afl->deferred_mode)
? ""
: "default",
afl->orig_cmdline);
/* ignore errors */
@ -373,13 +372,13 @@ void maybe_update_plot_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg,
if (unlikely(!afl->force_ui_update &&
(afl->stop_soon ||
(afl->plot_prev_qp == afl->queued_paths &&
(afl->plot_prev_qp == afl->queued_items &&
afl->plot_prev_pf == afl->pending_favored &&
afl->plot_prev_pnf == afl->pending_not_fuzzed &&
afl->plot_prev_ce == afl->current_entry &&
afl->plot_prev_qc == afl->queue_cycle &&
afl->plot_prev_uc == afl->unique_crashes &&
afl->plot_prev_uh == afl->unique_hangs &&
afl->plot_prev_uc == afl->saved_crashes &&
afl->plot_prev_uh == afl->saved_hangs &&
afl->plot_prev_md == afl->max_depth &&
afl->plot_prev_ed == afl->fsrv.total_execs) ||
!afl->queue_cycle ||
@ -389,29 +388,29 @@ void maybe_update_plot_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg,
}
afl->plot_prev_qp = afl->queued_paths;
afl->plot_prev_qp = afl->queued_items;
afl->plot_prev_pf = afl->pending_favored;
afl->plot_prev_pnf = afl->pending_not_fuzzed;
afl->plot_prev_ce = afl->current_entry;
afl->plot_prev_qc = afl->queue_cycle;
afl->plot_prev_uc = afl->unique_crashes;
afl->plot_prev_uh = afl->unique_hangs;
afl->plot_prev_uc = afl->saved_crashes;
afl->plot_prev_uh = afl->saved_hangs;
afl->plot_prev_md = afl->max_depth;
afl->plot_prev_ed = afl->fsrv.total_execs;
/* Fields in the file:
relative_time, afl->cycles_done, cur_path, paths_total, paths_not_fuzzed,
favored_not_fuzzed, unique_crashes, unique_hangs, max_depth,
relative_time, afl->cycles_done, cur_item, corpus_count, corpus_not_fuzzed,
favored_not_fuzzed, saved_crashes, saved_hangs, max_depth,
execs_per_sec, edges_found */
fprintf(afl->fsrv.plot_file,
"%llu, %llu, %u, %u, %u, %u, %0.02f%%, %llu, %llu, %u, %0.02f, %llu, "
"%u\n",
((afl->prev_run_time + get_cur_time() - afl->start_time) / 1000),
afl->queue_cycle - 1, afl->current_entry, afl->queued_paths,
afl->queue_cycle - 1, afl->current_entry, afl->queued_items,
afl->pending_not_fuzzed, afl->pending_favored, bitmap_cvg,
afl->unique_crashes, afl->unique_hangs, afl->max_depth, eps,
afl->saved_crashes, afl->saved_hangs, afl->max_depth, eps,
afl->plot_prev_ed, t_bytes); /* ignore errors */
fflush(afl->fsrv.plot_file);
@ -611,9 +610,9 @@ void show_stats(afl_state_t *afl) {
/* AFL_EXIT_ON_TIME. */
if (unlikely(afl->last_path_time && !afl->non_instrumented_mode &&
if (unlikely(afl->last_find_time && !afl->non_instrumented_mode &&
afl->afl_env.afl_exit_on_time &&
(cur_ms - afl->last_path_time) > afl->exit_on_time)) {
(cur_ms - afl->last_find_time) > afl->exit_on_time)) {
afl->stop_soon = 2;
@ -704,10 +703,10 @@ void show_stats(afl_state_t *afl) {
/* Since `total_crashes` does not get reloaded from disk on restart,
it indicates if we found crashes this round already -> paint red.
If it's 0, but `unique_crashes` is set from a past run, paint in yellow. */
char *crash_color = afl->total_crashes ? cLRD
: afl->unique_crashes ? cYEL
: cRST;
If it's 0, but `saved_crashes` is set from a past run, paint in yellow. */
char *crash_color = afl->total_crashes ? cLRD
: afl->saved_crashes ? cYEL
: cRST;
/* Lord, forgive me this. */
@ -721,7 +720,7 @@ void show_stats(afl_state_t *afl) {
} else {
u64 min_wo_finds = (cur_ms - afl->last_path_time) / 1000 / 60;
u64 min_wo_finds = (cur_ms - afl->last_find_time) / 1000 / 60;
/* First queue cycle: don't stop now! */
if (afl->queue_cycle == 1 || min_wo_finds < 15) {
@ -762,48 +761,48 @@ void show_stats(afl_state_t *afl) {
except when resuming fuzzing or running in non-instrumented mode. */
if (!afl->non_instrumented_mode &&
(afl->last_path_time || afl->resuming_fuzz || afl->queue_cycle == 1 ||
(afl->last_find_time || afl->resuming_fuzz || afl->queue_cycle == 1 ||
afl->in_bitmap || afl->crash_mode)) {
u_stringify_time_diff(time_tmp, cur_ms, afl->last_path_time);
SAYF(bV bSTOP " last new path : " cRST "%-33s ", time_tmp);
u_stringify_time_diff(time_tmp, cur_ms, afl->last_find_time);
SAYF(bV bSTOP " last new find : " cRST "%-33s ", time_tmp);
} else {
if (afl->non_instrumented_mode) {
SAYF(bV bSTOP " last new path : " cPIN "n/a" cRST
SAYF(bV bSTOP " last new find : " cPIN "n/a" cRST
" (non-instrumented mode) ");
} else {
SAYF(bV bSTOP " last new path : " cRST "none yet " cLRD
SAYF(bV bSTOP " last new find : " cRST "none yet " cLRD
"(odd, check syntax!) ");
}
}
SAYF(bSTG bV bSTOP " total paths : " cRST "%-5s " bSTG bV "\n",
u_stringify_int(IB(0), afl->queued_paths));
SAYF(bSTG bV bSTOP " corpus count : " cRST "%-5s " bSTG bV "\n",
u_stringify_int(IB(0), afl->queued_items));
/* Highlight crashes in red if found, denote going over the KEEP_UNIQUE_CRASH
limit with a '+' appended to the count. */
sprintf(tmp, "%s%s", u_stringify_int(IB(0), afl->unique_crashes),
(afl->unique_crashes >= KEEP_UNIQUE_CRASH) ? "+" : "");
sprintf(tmp, "%s%s", u_stringify_int(IB(0), afl->saved_crashes),
(afl->saved_crashes >= KEEP_UNIQUE_CRASH) ? "+" : "");
u_stringify_time_diff(time_tmp, cur_ms, afl->last_crash_time);
SAYF(bV bSTOP " last uniq crash : " cRST "%-33s " bSTG bV bSTOP
" uniq crashes : %s%-6s" bSTG bV "\n",
SAYF(bV bSTOP "last saved crash : " cRST "%-33s " bSTG bV bSTOP
"saved crashes : %s%-6s" bSTG bV "\n",
time_tmp, crash_color, tmp);
sprintf(tmp, "%s%s", u_stringify_int(IB(0), afl->unique_hangs),
(afl->unique_hangs >= KEEP_UNIQUE_HANG) ? "+" : "");
sprintf(tmp, "%s%s", u_stringify_int(IB(0), afl->saved_hangs),
(afl->saved_hangs >= KEEP_UNIQUE_HANG) ? "+" : "");
u_stringify_time_diff(time_tmp, cur_ms, afl->last_hang_time);
SAYF(bV bSTOP " last uniq hang : " cRST "%-33s " bSTG bV bSTOP
" uniq hangs : " cRST "%-6s" bSTG bV "\n",
SAYF(bV bSTOP " last saved hang : " cRST "%-33s " bSTG bV bSTOP
" saved hangs : " cRST "%-6s" bSTG bV "\n",
time_tmp, tmp);
SAYF(bVR bH bSTOP cCYA
@ -816,7 +815,7 @@ void show_stats(afl_state_t *afl) {
sprintf(tmp, "%s%s%u (%0.01f%%)", u_stringify_int(IB(0), afl->current_entry),
afl->queue_cur->favored ? "." : "*", afl->queue_cur->fuzz_level,
((double)afl->current_entry * 100) / afl->queued_paths);
((double)afl->current_entry * 100) / afl->queued_items);
SAYF(bV bSTOP " now processing : " cRST "%-18s " bSTG bV bSTOP, tmp);
@ -830,10 +829,10 @@ void show_stats(afl_state_t *afl) {
: ((t_bytes < 200 && !afl->non_instrumented_mode) ? cPIN : cRST),
tmp);
sprintf(tmp, "%s (%0.02f%%)", u_stringify_int(IB(0), afl->cur_skipped_paths),
((double)afl->cur_skipped_paths * 100) / afl->queued_paths);
sprintf(tmp, "%s (%0.02f%%)", u_stringify_int(IB(0), afl->cur_skipped_items),
((double)afl->cur_skipped_items * 100) / afl->queued_items);
SAYF(bV bSTOP " paths timed out : " cRST "%-18s " bSTG bV, tmp);
SAYF(bV bSTOP " items timed out : " cRST "%-18s " bSTG bV, tmp);
sprintf(tmp, "%0.02f bits/tuple", t_bytes ? (((double)t_bits) / t_bytes) : 0);
@ -844,12 +843,12 @@ void show_stats(afl_state_t *afl) {
" findings in depth " bSTG bH10 bH5 bH2 bVL "\n");
sprintf(tmp, "%s (%0.02f%%)", u_stringify_int(IB(0), afl->queued_favored),
((double)afl->queued_favored) * 100 / afl->queued_paths);
((double)afl->queued_favored) * 100 / afl->queued_items);
/* Yeah... it's still going on... halp? */
SAYF(bV bSTOP " now trying : " cRST "%-22s " bSTG bV bSTOP
" favored paths : " cRST "%-20s" bSTG bV "\n",
" favored items : " cRST "%-20s" bSTG bV "\n",
afl->stage_name, tmp);
if (!afl->stage_max) {
@ -867,13 +866,13 @@ void show_stats(afl_state_t *afl) {
SAYF(bV bSTOP " stage execs : " cRST "%-23s" bSTG bV bSTOP, tmp);
sprintf(tmp, "%s (%0.02f%%)", u_stringify_int(IB(0), afl->queued_with_cov),
((double)afl->queued_with_cov) * 100 / afl->queued_paths);
((double)afl->queued_with_cov) * 100 / afl->queued_items);
SAYF(" new edges on : " cRST "%-20s" bSTG bV "\n", tmp);
sprintf(tmp, "%s (%s%s unique)", u_stringify_int(IB(0), afl->total_crashes),
u_stringify_int(IB(1), afl->unique_crashes),
(afl->unique_crashes >= KEEP_UNIQUE_CRASH) ? "+" : "");
u_stringify_int(IB(1), afl->saved_crashes),
(afl->saved_crashes >= KEEP_UNIQUE_CRASH) ? "+" : "");
if (afl->crash_mode) {
@ -906,15 +905,15 @@ void show_stats(afl_state_t *afl) {
}
sprintf(tmp, "%s (%s%s unique)", u_stringify_int(IB(0), afl->total_tmouts),
u_stringify_int(IB(1), afl->unique_tmouts),
(afl->unique_hangs >= KEEP_UNIQUE_HANG) ? "+" : "");
u_stringify_int(IB(1), afl->saved_tmouts),
(afl->saved_hangs >= KEEP_UNIQUE_HANG) ? "+" : "");
SAYF(bSTG bV bSTOP " total tmouts : " cRST "%-20s" bSTG bV "\n", tmp);
/* Aaaalmost there... hold on! */
SAYF(bVR bH cCYA bSTOP " fuzzing strategy yields " bSTG bH10 bH2 bHT bH10 bH2
bH bHB bH bSTOP cCYA " path geometry " bSTG bH5 bH2 bVL "\n");
bH bHB bH bSTOP cCYA " item geometry " bSTG bH5 bH2 bVL "\n");
if (unlikely(afl->custom_only)) {
@ -1222,7 +1221,7 @@ void show_init_stats(afl_state_t *afl) {
}
for (i = 0; i < afl->queued_paths; i++) {
for (i = 0; i < afl->queued_items; i++) {
q = afl->queue_buf[i];
if (unlikely(q->disabled)) { continue; }
@ -1290,13 +1289,13 @@ void show_init_stats(afl_state_t *afl) {
}
if (afl->queued_paths > 100) {
if (afl->queued_items > 100) {
WARNF(cLRD
"You probably have far too many input files! Consider trimming "
"down.");
} else if (afl->queued_paths > 20) {
} else if (afl->queued_items > 20) {
WARNF("You have lots of input files; try starting small.");
@ -1311,8 +1310,8 @@ void show_init_stats(afl_state_t *afl) {
" Bitmap range : " cRST
"%u to %u bits (average: %0.02f bits)\n" cGRA
" Exec timing : " cRST "%s to %s us (average: %s us)\n",
afl->queued_favored, afl->queued_variable, afl->queued_paths - count,
afl->queued_paths, min_bits, max_bits,
afl->queued_favored, afl->queued_variable, afl->queued_items - count,
afl->queued_items, min_bits, max_bits,
((double)afl->total_bitmap_size) /
(afl->total_bitmap_entries ? afl->total_bitmap_entries : 1),
stringify_int(IB(0), min_us), stringify_int(IB(1), max_us),

82
src/afl-fuzz-statsd.c
View File

@ -42,46 +42,48 @@
// For DogstatsD
#define STATSD_TAGS_TYPE_SUFFIX 1
#define STATSD_TAGS_SUFFIX_METRICS \
METRIC_PREFIX \
".cycle_done:%llu|g%s\n" METRIC_PREFIX \
".cycles_wo_finds:%llu|g%s\n" METRIC_PREFIX \
".execs_done:%llu|g%s\n" METRIC_PREFIX \
".execs_per_sec:%0.02f|g%s\n" METRIC_PREFIX \
".paths_total:%u|g%s\n" METRIC_PREFIX \
".paths_favored:%u|g%s\n" METRIC_PREFIX \
".paths_found:%u|g%s\n" METRIC_PREFIX \
".paths_imported:%u|g%s\n" METRIC_PREFIX ".max_depth:%u|g%s\n" METRIC_PREFIX \
".cur_path:%u|g%s\n" METRIC_PREFIX ".pending_favs:%u|g%s\n" METRIC_PREFIX \
".pending_total:%u|g%s\n" METRIC_PREFIX \
".variable_paths:%u|g%s\n" METRIC_PREFIX \
".unique_crashes:%llu|g%s\n" METRIC_PREFIX \
".unique_hangs:%llu|g%s\n" METRIC_PREFIX \
".total_crashes:%llu|g%s\n" METRIC_PREFIX \
".slowest_exec_ms:%u|g%s\n" METRIC_PREFIX \
".edges_found:%u|g%s\n" METRIC_PREFIX \
#define STATSD_TAGS_SUFFIX_METRICS \
METRIC_PREFIX \
".cycle_done:%llu|g%s\n" METRIC_PREFIX \
".cycles_wo_finds:%llu|g%s\n" METRIC_PREFIX \
".execs_done:%llu|g%s\n" METRIC_PREFIX \
".execs_per_sec:%0.02f|g%s\n" METRIC_PREFIX \
".corpus_count:%u|g%s\n" METRIC_PREFIX \
".corpus_favored:%u|g%s\n" METRIC_PREFIX \
".corpus_found:%u|g%s\n" METRIC_PREFIX \
".corpus_imported:%u|g%s\n" METRIC_PREFIX \
".max_depth:%u|g%s\n" METRIC_PREFIX ".cur_item:%u|g%s\n" METRIC_PREFIX \
".pending_favs:%u|g%s\n" METRIC_PREFIX \
".pending_total:%u|g%s\n" METRIC_PREFIX \
".corpus_variable:%u|g%s\n" METRIC_PREFIX \
".saved_crashes:%llu|g%s\n" METRIC_PREFIX \
".saved_hangs:%llu|g%s\n" METRIC_PREFIX \
".total_crashes:%llu|g%s\n" METRIC_PREFIX \
".slowest_exec_ms:%u|g%s\n" METRIC_PREFIX \
".edges_found:%u|g%s\n" METRIC_PREFIX \
".var_byte_count:%u|g%s\n" METRIC_PREFIX ".havoc_expansion:%u|g%s\n"
// For Librato, InfluxDB, SignalFX
#define STATSD_TAGS_TYPE_MID 2
#define STATSD_TAGS_MID_METRICS \
METRIC_PREFIX \
".cycle_done%s:%llu|g\n" METRIC_PREFIX \
".cycles_wo_finds%s:%llu|g\n" METRIC_PREFIX \
".execs_done%s:%llu|g\n" METRIC_PREFIX \
".execs_per_sec%s:%0.02f|g\n" METRIC_PREFIX \
".paths_total%s:%u|g\n" METRIC_PREFIX \
".paths_favored%s:%u|g\n" METRIC_PREFIX \
".paths_found%s:%u|g\n" METRIC_PREFIX \
".paths_imported%s:%u|g\n" METRIC_PREFIX ".max_depth%s:%u|g\n" METRIC_PREFIX \
".cur_path%s:%u|g\n" METRIC_PREFIX ".pending_favs%s:%u|g\n" METRIC_PREFIX \
".pending_total%s:%u|g\n" METRIC_PREFIX \
".variable_paths%s:%u|g\n" METRIC_PREFIX \
".unique_crashes%s:%llu|g\n" METRIC_PREFIX \
".unique_hangs%s:%llu|g\n" METRIC_PREFIX \
".total_crashes%s:%llu|g\n" METRIC_PREFIX \
".slowest_exec_ms%s:%u|g\n" METRIC_PREFIX \
".edges_found%s:%u|g\n" METRIC_PREFIX \
#define STATSD_TAGS_MID_METRICS \
METRIC_PREFIX \
".cycle_done%s:%llu|g\n" METRIC_PREFIX \
".cycles_wo_finds%s:%llu|g\n" METRIC_PREFIX \
".execs_done%s:%llu|g\n" METRIC_PREFIX \
".execs_per_sec%s:%0.02f|g\n" METRIC_PREFIX \
".corpus_count%s:%u|g\n" METRIC_PREFIX \
".corpus_favored%s:%u|g\n" METRIC_PREFIX \
".corpus_found%s:%u|g\n" METRIC_PREFIX \
".corpus_imported%s:%u|g\n" METRIC_PREFIX \
".max_depth%s:%u|g\n" METRIC_PREFIX ".cur_item%s:%u|g\n" METRIC_PREFIX \
".pending_favs%s:%u|g\n" METRIC_PREFIX \
".pending_total%s:%u|g\n" METRIC_PREFIX \
".corpus_variable%s:%u|g\n" METRIC_PREFIX \
".saved_crashes%s:%llu|g\n" METRIC_PREFIX \
".saved_hangs%s:%llu|g\n" METRIC_PREFIX \
".total_crashes%s:%llu|g\n" METRIC_PREFIX \
".slowest_exec_ms%s:%u|g\n" METRIC_PREFIX \
".edges_found%s:%u|g\n" METRIC_PREFIX \
".var_byte_count%s:%u|g\n" METRIC_PREFIX ".havoc_expansion%s:%u|g\n"
void statsd_setup_format(afl_state_t *afl) {
@ -238,11 +240,11 @@ int statsd_format_metric(afl_state_t *afl, char *buff, size_t bufflen) {
afl->fsrv.total_execs /
((double)(get_cur_time() + afl->prev_run_time - afl->start_time) /
1000),
tags, afl->queued_paths, tags, afl->queued_favored, tags,
tags, afl->queued_items, tags, afl->queued_favored, tags,
afl->queued_discovered, tags, afl->queued_imported, tags,
afl->max_depth, tags, afl->current_entry, tags, afl->pending_favored,
tags, afl->pending_not_fuzzed, tags, afl->queued_variable, tags,
afl->unique_crashes, tags, afl->unique_hangs, tags, afl->total_crashes,
afl->saved_crashes, tags, afl->saved_hangs, tags, afl->total_crashes,
tags, afl->slowest_exec_ms, tags,
count_non_255_bytes(afl, afl->virgin_bits), tags, afl->var_byte_count,
tags, afl->expand_havoc, tags);
@ -256,11 +258,11 @@ int statsd_format_metric(afl_state_t *afl, char *buff, size_t bufflen) {
afl->fsrv.total_execs /
((double)(get_cur_time() + afl->prev_run_time - afl->start_time) /
1000),
tags, afl->queued_paths, tags, afl->queued_favored, tags,
tags, afl->queued_items, tags, afl->queued_favored, tags,
afl->queued_discovered, tags, afl->queued_imported, tags,
afl->max_depth, tags, afl->current_entry, tags, afl->pending_favored,
tags, afl->pending_not_fuzzed, tags, afl->queued_variable, tags,
afl->unique_crashes, tags, afl->unique_hangs, tags, afl->total_crashes,
afl->saved_crashes, tags, afl->saved_hangs, tags, afl->total_crashes,
tags, afl->slowest_exec_ms, tags,
count_non_255_bytes(afl, afl->virgin_bits), tags, afl->var_byte_count,
tags, afl->expand_havoc);

46
src/afl-fuzz.c
View File

@ -129,7 +129,7 @@ static void usage(u8 *argv0, int more_help) {
" -D - enable deterministic fuzzing (once per queue entry)\n"
" -L minutes - use MOpt(imize) mode and set the time limit for "
"entering the\n"
" pacemaker mode (minutes of no new paths). 0 = "
" pacemaker mode (minutes of no new finds). 0 = "
"immediately,\n"
" -1 = immediately and together with normal mutation.\n"
" See docs/README.MOpt.md\n"
@ -214,7 +214,7 @@ static void usage(u8 *argv0, int more_help) {
"AFL_DISABLE_TRIM: disable the trimming of test cases\n"
"AFL_DUMB_FORKSRV: use fork server without feedback from target\n"
"AFL_EXIT_WHEN_DONE: exit when all inputs are run and no new finds are found\n"
"AFL_EXIT_ON_TIME: exit when no new paths are found within the specified time period\n"
"AFL_EXIT_ON_TIME: exit when no new coverage finds are made within the specified time period\n"
"AFL_EXPAND_HAVOC_NOW: immediately enable expand havoc mode (default: after 60 minutes and a cycle without finds)\n"
"AFL_FAST_CAL: limit the calibration stage to three cycles for speedup\n"
"AFL_FORCE_UI: force showing the status screen (for virtual consoles)\n"
@ -1607,7 +1607,7 @@ int main(int argc, char **argv_orig, char **envp) {
read_testcases(afl, NULL);
// read_foreign_testcases(afl, 1); for the moment dont do this
OKF("Loaded a total of %u seeds.", afl->queued_paths);
OKF("Loaded a total of %u seeds.", afl->queued_items);
pivot_inputs(afl);
@ -1929,7 +1929,7 @@ int main(int argc, char **argv_orig, char **envp) {
// ensure we have at least one seed that is not disabled.
u32 entry, valid_seeds = 0;
for (entry = 0; entry < afl->queued_paths; ++entry)
for (entry = 0; entry < afl->queued_items; ++entry)
if (!afl->queue_buf[entry]->disabled) { ++valid_seeds; }
if (!afl->pending_not_fuzzed || !valid_seeds) {
@ -1951,7 +1951,7 @@ int main(int argc, char **argv_orig, char **envp) {
u64 max_ms = 0;
for (entry = 0; entry < afl->queued_paths; ++entry)
for (entry = 0; entry < afl->queued_items; ++entry)
if (!afl->queue_buf[entry]->disabled)
if (afl->queue_buf[entry]->exec_us > max_ms)
max_ms = afl->queue_buf[entry]->exec_us;
@ -1993,7 +1993,7 @@ int main(int argc, char **argv_orig, char **envp) {
afl->start_time = get_cur_time();
u32 runs_in_current_cycle = (u32)-1;
u32 prev_queued_paths = 0;
u32 prev_queued_items = 0;
u8 skipped_fuzz;
#ifdef INTROSPECTION
@ -2014,7 +2014,7 @@ int main(int argc, char **argv_orig, char **envp) {
cull_queue(afl);
if (unlikely((!afl->old_seed_selection &&
runs_in_current_cycle > afl->queued_paths) ||
runs_in_current_cycle > afl->queued_items) ||
(afl->old_seed_selection && !afl->queue_cur))) {
if (unlikely((afl->last_sync_cycle < afl->queue_cycle ||
@ -2027,25 +2027,25 @@ int main(int argc, char **argv_orig, char **envp) {
++afl->queue_cycle;
runs_in_current_cycle = (u32)-1;
afl->cur_skipped_paths = 0;
afl->cur_skipped_items = 0;
if (unlikely(afl->old_seed_selection)) {
afl->current_entry = 0;
while (unlikely(afl->current_entry < afl->queued_paths &&
while (unlikely(afl->current_entry < afl->queued_items &&
afl->queue_buf[afl->current_entry]->disabled)) {
++afl->current_entry;
}
if (afl->current_entry >= afl->queued_paths) { afl->current_entry = 0; }
if (afl->current_entry >= afl->queued_items) { afl->current_entry = 0; }
afl->queue_cur = afl->queue_buf[afl->current_entry];
if (unlikely(seek_to)) {
if (unlikely(seek_to >= afl->queued_paths)) {
if (unlikely(seek_to >= afl->queued_items)) {
// This should never happen.
FATAL("BUG: seek_to location out of bounds!\n");
@ -2070,7 +2070,7 @@ int main(int argc, char **argv_orig, char **envp) {
/* If we had a full queue cycle with no new finds, try
recombination strategies next. */
if (unlikely(afl->queued_paths == prev_queued
if (unlikely(afl->queued_items == prev_queued
/* FIXME TODO BUG: && (get_cur_time() - afl->start_time) >=
3600 */
)) {
@ -2148,7 +2148,7 @@ int main(int argc, char **argv_orig, char **envp) {
fprintf(afl->introspection_file,
"CYCLE cycle=%llu cycle_wo_finds=%llu expand_havoc=%u queue=%u\n",
afl->queue_cycle, afl->cycles_wo_finds, afl->expand_havoc,
afl->queued_paths);
afl->queued_items);
#endif
if (afl->cycle_schedules) {
@ -2188,7 +2188,7 @@ int main(int argc, char **argv_orig, char **envp) {
}
// we must recalculate the scores of all queue entries
for (u32 i = 0; i < afl->queued_paths; i++) {
for (u32 i = 0; i < afl->queued_items; i++) {
if (likely(!afl->queue_buf[i]->disabled)) {
@ -2200,7 +2200,7 @@ int main(int argc, char **argv_orig, char **envp) {
}
prev_queued = afl->queued_paths;
prev_queued = afl->queued_items;
}
@ -2210,11 +2210,11 @@ int main(int argc, char **argv_orig, char **envp) {
if (likely(!afl->old_seed_selection)) {
if (unlikely(prev_queued_paths < afl->queued_paths ||
if (unlikely(prev_queued_items < afl->queued_items ||
afl->reinit_table)) {
// we have new queue entries since the last run, recreate alias table
prev_queued_paths = afl->queued_paths;
prev_queued_items = afl->queued_items;
create_alias_table(afl);
}
@ -2230,10 +2230,10 @@ int main(int argc, char **argv_orig, char **envp) {
if (unlikely(afl->old_seed_selection)) {
while (++afl->current_entry < afl->queued_paths &&
while (++afl->current_entry < afl->queued_items &&
afl->queue_buf[afl->current_entry]->disabled)
;
if (unlikely(afl->current_entry >= afl->queued_paths ||
if (unlikely(afl->current_entry >= afl->queued_items ||
afl->queue_buf[afl->current_entry] == NULL ||
afl->queue_buf[afl->current_entry]->disabled))
afl->queue_cur = NULL;
@ -2321,11 +2321,11 @@ stop_fuzzing:
u8 time_tmp[64];
u_stringify_time_diff(time_tmp, get_cur_time(), afl->start_time);
ACTF(
"Statistics: %u new paths found, %.02f%% coverage achieved, %llu "
"crashes found, %llu timeouts found, total runtime %s",
"Statistics: %u new corpus items found, %.02f%% coverage achieved, "
"%llu crashes saved, %llu timeouts saved, total runtime %s",
afl->queued_discovered,
((double)t_bytes * 100) / afl->fsrv.real_map_size, afl->unique_crashes,
afl->unique_hangs, time_tmp);
((double)t_bytes * 100) / afl->fsrv.real_map_size, afl->saved_crashes,
afl->saved_hangs, time_tmp);
}