ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-14 19:08:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

implement switch mode

Browse Source
This commit is contained in:
vanhauser-thc
2023-04-05 12:12:05 +02:00
parent e313180e4d
commit a74561b0e7
4 changed files with 42 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
include/afl-fuzz.h
View File

@ -491,8 +491,7 @@ typedef struct afl_state {
*infoexec; /* Command to execute on a new crash */
u32 hang_tmout, /* Timeout used for hang det (ms) */
stats_update_freq, /* Stats update frequency (execs) */
switch_fuzz_mode; /* auto or fixed fuzz mode */
stats_update_freq; /* Stats update frequency (execs) */
u8 havoc_stack_pow2, /* HAVOC_STACK_POW2 */
no_unlink, /* do not unlink cur_input */
@ -592,7 +591,8 @@ typedef struct afl_state {
last_hang_time, /* Time for most recent hang (ms) */
longest_find_time, /* Longest time taken for a find */
exit_on_time, /* Delay to exit if no new paths */
sync_time; /* Sync time (ms) */
sync_time, /* Sync time (ms) */
switch_fuzz_mode; /* auto or fixed fuzz mode */
u32 slowest_exec_ms, /* Slowest testcase non hang in ms */
subseq_tmouts; /* Number of timeouts in a row */

12
src/afl-fuzz-bitmap.c
View File

@ -529,6 +529,18 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
close(fd);
add_to_queue(afl, queue_fn, len, 0);
if (unlikely(afl->fuzz_mode) && likely(afl->switch_fuzz_mode)) {
if (afl->afl_env.afl_no_ui) {
ACTF("New coverage found, switching back to exploration mode.");
}
afl->fuzz_mode = 0;
}
#ifdef INTROSPECTION
if (afl->custom_mutators_count && afl->current_custom_fuzz) {

2
src/afl-fuzz-state.c
View File

@ -108,7 +108,7 @@ void afl_state_init(afl_state_t *afl, uint32_t map_size) {
afl->cmplog_lvl = 2;
afl->min_length = 1;
afl->max_length = MAX_FILE;
afl->switch_fuzz_mode = STRATEGY_SWITCH_TIME;
afl->switch_fuzz_mode = STRATEGY_SWITCH_TIME * 1000;
#ifndef NO_SPLICING
afl->use_splicing = 1;
#endif

30
src/afl-fuzz.c
View File

@ -577,7 +577,7 @@ int main(int argc, char **argv_orig, char **envp) {
if (!stricmp(optarg, "explore") || !stricmp(optarg, "exploration")) {
afl->fuzz_mode = 0;
afl->switch_fuzz_mode = 1;
afl->switch_fuzz_mode = 0;
} else if (!stricmp(optarg, "exploit") ||
@ -588,12 +588,16 @@ int main(int argc, char **argv_orig, char **envp) {
} else {
if ((s32)(afl->switch_fuzz_mode = (u32)atoi(optarg)) < 1) {
if ((afl->switch_fuzz_mode = (u32)atoi(optarg)) > INT_MAX) {
FATAL(
"Parameter for option -P must be \"explore\", \"exploit\" or a "
"number!");
} else {
afl->switch_fuzz_mode *= 1000;
}
}
@ -2689,13 +2693,31 @@ int main(int argc, char **argv_orig, char **envp) {
} while (skipped_fuzz && afl->queue_cur && !afl->stop_soon);
u64 cur_time = get_cur_time();
if (likely(afl->switch_fuzz_mode && afl->fuzz_mode == 0) &&
unlikely(cur_time > afl->last_find_time + afl->switch_fuzz_mode)) {
if (afl->afl_env.afl_no_ui) {
ACTF(
"No new coverage found for %llu seconds, switching to exploitation "
"strategy.",
afl->switch_fuzz_mode / 1000);
}
afl->fuzz_mode = 1;
}
if (likely(!afl->stop_soon && afl->sync_id)) {
if (likely(afl->skip_deterministic)) {
if (unlikely(afl->is_main_node)) {
if (unlikely(get_cur_time() >
if (unlikely(cur_time >
(afl->sync_time >> 1) + afl->last_sync_time)) {
if (!(sync_interval_cnt++ % (SYNC_INTERVAL / 3))) {
@ -2708,7 +2730,7 @@ int main(int argc, char **argv_orig, char **envp) {
} else {
if (unlikely(get_cur_time() > afl->sync_time + afl->last_sync_time)) {
if (unlikely(cur_time > afl->sync_time + afl->last_sync_time)) {
if (!(sync_interval_cnt++ % SYNC_INTERVAL)) { sync_fuzzers(afl); }