improved seed selection algorithm
3
TODO.md
3
TODO.md
@ -2,8 +2,7 @@
|
|||||||
|
|
||||||
## Must
|
## Must
|
||||||
|
|
||||||
- fast resume:
|
- docs: AFL_DISABLE_REDUNDANT (large/slow/LAF)
|
||||||
use gzopen(fn, "rb"/"wb9-/f/h", gzwrite, gzread and gzclose
|
|
||||||
- check for null ptr for xml/curl/g_ string transform functions
|
- check for null ptr for xml/curl/g_ string transform functions
|
||||||
- hardened_usercopy=0 page_alloc.shuffle=0
|
- hardened_usercopy=0 page_alloc.shuffle=0
|
||||||
- add value_profile but only enable after 15 minutes without finds
|
- add value_profile but only enable after 15 minutes without finds
|
||||||
|
Submodule custom_mutators/gramatron/json-c updated: 11546bfd07...af8dd4a307
@ -10,6 +10,7 @@
|
|||||||
then a dump will be loaded and the calibration phase skipped.
|
then a dump will be loaded and the calibration phase skipped.
|
||||||
to disable this feature set `AFL_NO_FASTRESUME=1`
|
to disable this feature set `AFL_NO_FASTRESUME=1`
|
||||||
zlib compression is used if zlib is found at compile time
|
zlib compression is used if zlib is found at compile time
|
||||||
|
- improved seed selection algorithm
|
||||||
- frida_mode:
|
- frida_mode:
|
||||||
- AFL_FRIDA_PERSISTENT_ADDR can now be be any reachable address not just
|
- AFL_FRIDA_PERSISTENT_ADDR can now be be any reachable address not just
|
||||||
a function entry
|
a function entry
|
||||||
|
@ -463,7 +463,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
|
|||||||
|
|
||||||
if (unlikely(fault == FSRV_RUN_TMOUT && afl->afl_env.afl_ignore_timeouts)) {
|
if (unlikely(fault == FSRV_RUN_TMOUT && afl->afl_env.afl_ignore_timeouts)) {
|
||||||
|
|
||||||
if (likely(afl->schedule >= FAST && afl->schedule <= RARE)) {
|
if (unlikely(afl->schedule >= FAST && afl->schedule <= RARE)) {
|
||||||
|
|
||||||
classify_counts(&afl->fsrv);
|
classify_counts(&afl->fsrv);
|
||||||
u64 cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
|
u64 cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
|
||||||
@ -489,7 +489,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
|
|||||||
|
|
||||||
/* Generating a hash on every input is super expensive. Bad idea and should
|
/* Generating a hash on every input is super expensive. Bad idea and should
|
||||||
only be used for special schedules */
|
only be used for special schedules */
|
||||||
if (likely(afl->schedule >= FAST && afl->schedule <= RARE)) {
|
if (unlikely(afl->schedule >= FAST && afl->schedule <= RARE)) {
|
||||||
|
|
||||||
classify_counts(&afl->fsrv);
|
classify_counts(&afl->fsrv);
|
||||||
classified = 1;
|
classified = 1;
|
||||||
|
@ -123,7 +123,7 @@ void create_alias_table(afl_state_t *afl) {
|
|||||||
double weight = 1.0;
|
double weight = 1.0;
|
||||||
{ // inline does result in a compile error with LTO, weird
|
{ // inline does result in a compile error with LTO, weird
|
||||||
|
|
||||||
if (likely(afl->schedule >= FAST && afl->schedule <= RARE)) {
|
if (unlikely(afl->schedule >= FAST && afl->schedule <= RARE)) {
|
||||||
|
|
||||||
u32 hits = afl->n_fuzz[q->n_fuzz_entry];
|
u32 hits = afl->n_fuzz[q->n_fuzz_entry];
|
||||||
if (likely(hits)) { weight /= (log10(hits) + 1); }
|
if (likely(hits)) { weight /= (log10(hits) + 1); }
|
||||||
@ -133,39 +133,127 @@ void create_alias_table(afl_state_t *afl) {
|
|||||||
if (likely(afl->schedule < RARE)) {
|
if (likely(afl->schedule < RARE)) {
|
||||||
|
|
||||||
double t = q->exec_us / avg_exec_us;
|
double t = q->exec_us / avg_exec_us;
|
||||||
|
|
||||||
if (likely(t < 0.1)) {
|
if (likely(t < 0.1)) {
|
||||||
|
|
||||||
// nothing
|
// nothing
|
||||||
|
|
||||||
} else if (likely(t <= 0.25))
|
} else if (likely(t <= 0.25)) {
|
||||||
|
|
||||||
weight *= 0.9;
|
weight *= 0.95;
|
||||||
else if (likely(t <= 0.5)) {
|
|
||||||
|
} else if (likely(t <= 0.5)) {
|
||||||
|
|
||||||
// nothing
|
// nothing
|
||||||
|
|
||||||
} else if (likely(t < 1.0))
|
} else if (likely(t <= 0.75)) {
|
||||||
|
|
||||||
|
weight *= 1.05;
|
||||||
|
|
||||||
|
} else if (likely(t <= 1.0)) {
|
||||||
|
|
||||||
|
weight *= 1.1;
|
||||||
|
|
||||||
|
} else if (likely(t < 1.25)) {
|
||||||
|
|
||||||
|
weight *= 0.2; // WTF ??? makes no sense
|
||||||
|
|
||||||
|
} else if (likely(t <= 1.5)) {
|
||||||
|
|
||||||
|
// nothing
|
||||||
|
|
||||||
|
} else if (likely(t <= 2.0)) {
|
||||||
|
|
||||||
|
weight *= 1.1;
|
||||||
|
|
||||||
|
} else if (likely(t <= 2.5)) {
|
||||||
|
|
||||||
|
} else if (likely(t <= 5.0)) {
|
||||||
|
|
||||||
weight *= 1.15;
|
weight *= 1.15;
|
||||||
else if (unlikely(t > 2.5 && t < 5.0))
|
|
||||||
|
} else if (likely(t <= 20.0)) {
|
||||||
|
|
||||||
weight *= 1.1;
|
weight *= 1.1;
|
||||||
// else nothing
|
// else nothing
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
double l = q->len / avg_len;
|
double l = q->len / avg_len;
|
||||||
if (likely(l < 0.1))
|
if (likely(l < 0.1)) {
|
||||||
weight *= 0.75;
|
|
||||||
else if (likely(l < 0.25))
|
weight *= 0.5;
|
||||||
weight *= 1.1;
|
|
||||||
else if (unlikely(l >= 10))
|
} else if (likely(l <= 0.5)) {
|
||||||
weight *= 1.1;
|
|
||||||
|
// nothing
|
||||||
|
|
||||||
|
} else if (likely(l <= 1.25)) {
|
||||||
|
|
||||||
|
weight *= 1.05;
|
||||||
|
|
||||||
|
} else if (likely(l <= 1.75)) {
|
||||||
|
|
||||||
|
// nothing
|
||||||
|
|
||||||
|
} else if (likely(l <= 2.0)) {
|
||||||
|
|
||||||
|
weight *= 0.95;
|
||||||
|
|
||||||
|
} else if (likely(l <= 5.0)) {
|
||||||
|
|
||||||
|
// nothing
|
||||||
|
|
||||||
|
} else if (likely(l <= 10.0)) {
|
||||||
|
|
||||||
|
weight *= 1.05;
|
||||||
|
|
||||||
|
} else {
|
||||||
|
|
||||||
|
weight *= 1.15;
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
double bms = q->bitmap_size / avg_bitmap_size;
|
double bms = q->bitmap_size / avg_bitmap_size;
|
||||||
if (likely(bms < 0.5))
|
if (likely(bms < 0.1)) {
|
||||||
weight *= (1.0 + ((bms - 0.5) / 2));
|
|
||||||
else if (unlikely(bms > 1.33))
|
weight *= 0.01;
|
||||||
weight *= 1.1;
|
|
||||||
|
} else if (likely(bms <= 0.25)) {
|
||||||
|
|
||||||
|
weight *= 0.55;
|
||||||
|
|
||||||
|
} else if (likely(bms <= 0.5)) {
|
||||||
|
|
||||||
|
// nothing
|
||||||
|
|
||||||
|
} else if (likely(bms <= 0.75)) {
|
||||||
|
|
||||||
|
weight *= 1.2;
|
||||||
|
|
||||||
|
} else if (likely(bms <= 1.25)) {
|
||||||
|
|
||||||
|
weight *= 1.3;
|
||||||
|
|
||||||
|
} else if (likely(bms <= 1.75)) {
|
||||||
|
|
||||||
|
weight *= 1.25;
|
||||||
|
|
||||||
|
} else if (likely(bms <= 2.0)) {
|
||||||
|
|
||||||
|
// nothing
|
||||||
|
|
||||||
|
} else if (likely(bms <= 2.5)) {
|
||||||
|
|
||||||
|
weight *= 1.3;
|
||||||
|
|
||||||
|
} else {
|
||||||
|
|
||||||
|
weight *= 0.75;
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
if (unlikely(!q->was_fuzzed)) { weight *= 2.5; }
|
if (unlikely(!q->was_fuzzed)) { weight *= 2.5; }
|
||||||
if (unlikely(q->fs_redundant)) { weight *= 0.75; }
|
if (unlikely(q->fs_redundant)) { weight *= 0.75; }
|
||||||
@ -741,7 +829,7 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) {
|
|||||||
u64 fav_factor;
|
u64 fav_factor;
|
||||||
u64 fuzz_p2;
|
u64 fuzz_p2;
|
||||||
|
|
||||||
if (likely(afl->schedule >= FAST && afl->schedule < RARE)) {
|
if (unlikely(afl->schedule >= FAST && afl->schedule < RARE)) {
|
||||||
|
|
||||||
fuzz_p2 = 0; // Skip the fuzz_p2 comparison
|
fuzz_p2 = 0; // Skip the fuzz_p2 comparison
|
||||||
|
|
||||||
@ -777,7 +865,7 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) {
|
|||||||
u64 top_rated_fav_factor;
|
u64 top_rated_fav_factor;
|
||||||
u64 top_rated_fuzz_p2;
|
u64 top_rated_fuzz_p2;
|
||||||
|
|
||||||
if (likely(afl->schedule >= FAST && afl->schedule < RARE)) {
|
if (unlikely(afl->schedule >= FAST && afl->schedule < RARE)) {
|
||||||
|
|
||||||
top_rated_fuzz_p2 = 0; // Skip the fuzz_p2 comparison
|
top_rated_fuzz_p2 = 0; // Skip the fuzz_p2 comparison
|
||||||
|
|
||||||
|
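Review bot: The new exec-time table in create_alias_table multiplies the weight by 0.2 for seeds whose relative exec time t lies in (1.0, 1.25), while the neighbouring bands get 1.1 (t <= 1.0), nothing (t <= 1.5) and 1.1 again (t <= 2.0), so a seed marginally slower than average is selected roughly five times less often than one that is twice as slow, and the line's own comment (`// WTF ??? makes no sense`) says the author doubts it too. Either drop the multiplier so that band reads `// nothing` like its neighbours, or replace the comment with the reason the penalty is wanted, e.g. `weight *= 0.2;  // deliberately deprioritise seeds just over avg exec time: <reason>`; a surviving "WTF" comment in the scheduler will be read by the next maintainer as a known bug. The empty `} else if (likely(t <= 2.5)) {` band would also be clearer with the same `// nothing` marker, and the band bounds mix `<` (t < 1.25) with `<=` everywhere else. create_alias_table begins outside the hunk and no file name is shown on this page (presumably src/afl-fuzz-queue.c), so whether avg_exec_us, avg_len or avg_bitmap_size can be zero at this point cannot be checked from here.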