added AFL_CMPLOG_ONLY_NEW feature

docs/Changelog.md

@@ -20,6 +20,8 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
       transformations (e.g. toupper, tolower, to/from hex, xor,
       arithmetics, etc.). this is costly hence new command line option
       -l that sets the intensity (values 1 to 3). recommended is 1 or 2.
+    - added `AFL_CMPLOG_ONLY_NEW` to not use cmplog on initial testcases from
+      `-i` or resumes (as these have most likely already been done)
     - fix crash for very, very fast targets+systems (thanks to mhlakhani
       for reporting)
     - if determinstic mode is active (-D, or -M without -d) then we sync

docs/env_variables.md

@@ -287,6 +287,11 @@ checks or alter some of the more exotic semantics of the tool:
     the target. This must be equal or larger than the size the target was
     compiled with.
 
+  - `AFL_CMPLOG_ONLY_NEW` will only perform the expensive cmplog feature for
+    newly found testcases and not for testcases that are loaded on startup
+    (`-i in`). This is an important feature to set when resuming a fuzzing
+    session.
+
   - `AFL_TESTCACHE_SIZE` allows you to override the size of `#define TESTCASE_CACHE`
     in config.h. Recommended values are 50-250MB - or more if your fuzzing
     finds a huge amount of paths for large inputs.

include/afl-fuzz.h

@@ -384,7 +384,7 @@ typedef struct afl_env_vars {
       afl_dumb_forksrv, afl_import_first, afl_custom_mutator_only, afl_no_ui,
       afl_force_ui, afl_i_dont_care_about_missing_crashes, afl_bench_just_one,
       afl_bench_until_crash, afl_debug_child, afl_autoresume, afl_cal_fast,
-      afl_cycle_schedules, afl_expand_havoc, afl_statsd;
+      afl_cycle_schedules, afl_expand_havoc, afl_statsd, afl_cmplog_only_new;
 
   u8 *afl_tmpdir, *afl_custom_mutator_library, *afl_python_module, *afl_path,
       *afl_hang_tmout, *afl_forksrv_init_tmout, *afl_skip_crashes, *afl_preload,

include/envs.h

@@ -28,6 +28,7 @@ static char *afl_environment_variables[] = {
     "AFL_CC",
     "AFL_CMIN_ALLOW_ANY",
     "AFL_CMIN_CRASHES_ONLY",
+    "AFL_CMPLOG_ONLY_NEW",
     "AFL_CODE_END",
     "AFL_CODE_START",
     "AFL_COMPCOV_BINNAME",

src/afl-common.c

@@ -364,11 +364,7 @@ u8 *get_libqasan_path(u8 *own_loc) {
     cp = alloc_printf("%s/libqasan.so", own_copy);
     ck_free(own_copy);
 
-    if (!access(cp, X_OK)) {
+    if (!access(cp, X_OK)) { return cp; }
-
-      return cp;
-
-    }
 
   } else {
 

src/afl-fuzz-init.c

@@ -25,6 +25,7 @@
 
 #include "afl-fuzz.h"
 #include <limits.h>
+#include "cmplog.h"
 
 #ifdef HAVE_AFFINITY
 
@@ -833,6 +834,8 @@ void perform_dry_run(afl_state_t *afl) {
 
     }
 
+    if (afl->afl_env.afl_cmplog_only_new) { q->colorized = CMPLOG_LVL_MAX; }
+
     u8 *fn = strrchr(q->fname, '/') + 1;
 
     ACTF("Attempting dry run with '%s'...", fn);

src/afl-fuzz-one.c

@@ -26,6 +26,7 @@
 #include "afl-fuzz.h"
 #include <string.h>
 #include <limits.h>
+#include "cmplog.h"
 
 /* MOpt */
 
@@ -553,7 +554,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
 
     if (unlikely(len < 4)) {
 
-      afl->queue_cur->colorized = 0xff;
+      afl->queue_cur->colorized = CMPLOG_LVL_MAX;
 
     } else {
 
@@ -2981,7 +2982,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
 
     if (unlikely(len < 4)) {
 
-      afl->queue_cur->colorized = 0xff;
+      afl->queue_cur->colorized = CMPLOG_LVL_MAX;
 
     } else {
 

src/afl-fuzz-redqueen.c

@@ -1118,7 +1118,11 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
 #ifdef ARITHMETIC_LESSER_GREATER
   if (lvl < LVL3 || attr == IS_TRANSFORM) { return 0; }
 
-  if (!(attr & (IS_GREATER | IS_LESSER)) || SHAPE_BYTES(h->shape) < 4) { return 0; }
+  if (!(attr & (IS_GREATER | IS_LESSER)) || SHAPE_BYTES(h->shape) < 4) {
+
+    return 0;
+
+  }
 
   // transform >= to < and <= to >
   if ((attr & IS_EQUAL) && (attr & (IS_GREATER | IS_LESSER))) {
@@ -1707,6 +1711,7 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf,
           try_to_add_to_dictN(afl, s128_v1, SHAPE_BYTES(h->shape));
 
         } else
+
 #endif
         {
 

src/afl-fuzz-state.c

@@ -236,6 +236,13 @@ void read_afl_environment(afl_state_t *afl, char **envp) {
             afl->afl_env.afl_custom_mutator_only =
                 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
 
+          } else if (!strncmp(env, "AFL_CMPLOG_ONLY_NEW",
+
+                              afl_environment_variable_len)) {
+
+            afl->afl_env.afl_cmplog_only_new =
+                get_afl_env(afl_environment_variables[i]) ? 1 : 0;
+
           } else if (!strncmp(env, "AFL_NO_UI", afl_environment_variable_len)) {
 
             afl->afl_env.afl_no_ui =

src/afl-fuzz.c

@@ -181,6 +181,7 @@ static void usage(u8 *argv0, int more_help) {
       "AFL_AUTORESUME: resume fuzzing if directory specified by -o already exists\n"
       "AFL_BENCH_JUST_ONE: run the target just once\n"
       "AFL_BENCH_UNTIL_CRASH: exit soon when the first crashing input has been found\n"
+      "AFL_CMPLOG_ONLY_NEW: do not run cmplog on initial testcases (good for resumes!)\n"
       "AFL_CRASH_EXITCODE: optional child exit code to be interpreted as crash\n"
       "AFL_CUSTOM_MUTATOR_LIBRARY: lib with afl_custom_fuzz() to mutate inputs\n"
       "AFL_CUSTOM_MUTATOR_ONLY: avoid AFL++'s internal mutators\n"
@@ -326,6 +327,7 @@ int main(int argc, char **argv_orig, char **envp) {
         "compile time)");
 
   }
+
   #endif
 
   char **argv = argv_cpy_dup(argc, argv_orig);
@@ -356,8 +358,7 @@ int main(int argc, char **argv_orig, char **envp) {
 
   while ((opt = getopt(
               argc, argv,
-              "+b:B:c:CdDe:E:hi:I:f:F:l:L:m:M:nNo:p:RQs:S:t:T:UV:Wx:Z")) >
+              "+b:B:c:CdDe:E:hi:I:f:F:l:L:m:M:nNo:p:RQs:S:t:T:UV:Wx:Z")) > 0) {
-         0) {
 
     switch (opt) {