Fix sand due to default schedule change

2025-06-11 17:51:32 +00:00 · 2025-04-09 20:18:14 +08:00
parent 4ff2673895
commit 920c7fe71a
3 changed files with 19 additions and 31 deletions
--- a/include/coverage-32.h
+++ b/include/coverage-32.h
@ -69,20 +69,7 @@ void simplify_trace(afl_state_t *afl, u8 *bytes) {
 }

 inline void classify_counts(afl_forkserver_t *fsrv) {
-
-  u32 *mem = (u32 *)fsrv->trace_bits;
-  u32  i = (fsrv->map_size >> 2);
-
-  while (i--) {
-
-    /* Optimize for sparse bitmaps. */
-
-    if (unlikely(*mem)) { *mem = classify_word(*mem); }
-
-    mem++;
-
-  }
-
+  classify_counts_mem((u32 *)fsrv->trace_bits, fsrv->map_size);
 }

 /* Updates the virgin bits, then reflects whether a new count or a new tuple is
--- a/include/coverage-64.h
+++ b/include/coverage-64.h
@ -63,20 +63,7 @@ void simplify_trace(afl_state_t *afl, u8 *bytes) {
 }

 inline void classify_counts(afl_forkserver_t *fsrv) {
-
-  u64 *mem = (u64 *)fsrv->trace_bits;
-  u32  i = (fsrv->map_size >> 3);
-
-  while (i--) {
-
-    /* Optimize for sparse bitmaps. */
-
-    if (unlikely(*mem)) { *mem = classify_word(*mem); }
-
-    mem++;
-
-  }
-
+  classify_counts_mem((u64 *)fsrv->trace_bits, afl->map_size);
 }

 inline void classify_counts_mem(u64 *mem, u32 size) {
--- a/src/afl-fuzz-bitmap.c
+++ b/src/afl-fuzz-bitmap.c
@ -552,7 +552,17 @@ u8 __attribute__((hot)) save_if_interesting(afl_state_t *afl, void *mem,

    if (unlikely(afl->san_binary_length) &&
        likely(afl->san_abstraction == UNIQUE_TRACE)) {
-
+      
+      // If schedule is not FAST..EXPLORE, we need to classify here
+      // Note: SAND was evaluated under FAST schedule but should also work
+      //       with other scedules.
+      if (!classified) {
+        classify_counts_mem(
+        (u64*)afl->fsrv.trace_bits,
+          afl->fsrv.map_size
+        );
+        classified = 1;
+      }
      cksum_unique =
          hash32(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
      if (unlikely(!bitmap_read(afl->n_fuzz_dup, cksum) &&
@ -615,8 +625,12 @@ u8 __attribute__((hot)) save_if_interesting(afl_state_t *afl, void *mem,

      /* If we are in coverage increasing abstraction and have fed input to
         sanitizers, we are sure it has new bits.*/
-      new_bits = has_new_bits_unclassified(afl, afl->virgin_bits);
-
+      if (classified) {
+        /* We could have classified the bits in SAND with UNIQUE_TRACE */
+        new_bits = has_new_bits(afl, afl->virgin_bits);
+      } else {
+        new_bits = has_new_bits_unclassified(afl, afl->virgin_bits);
+      }
    }

    if (likely(!new_bits)) {