code format, small improvements

docs/status_screen.md

@@ -400,6 +400,8 @@ directory. This includes:
   - `exec_timeout`      - the -t command line value
   - `slowest_exec_ms`   - real time of the slowest execution in ms
   - `peak_rss_mb`       - max rss usage reached during fuzzing in MB
+  - `edges_found`       - how many edges have been found
+  - `var_byte_count`    - how many edges are non-deterministic
   - `afl_banner`        - banner text (e.g. the target name)
   - `afl_version`       - the version of afl used
   - `target_mode`       - default, persistent, qemu, unicorn, dumb

src/afl-fuzz-bitmap.c

@@ -177,8 +177,6 @@ u32 count_bits(u8 *mem) {
 
 }
 
-#define FF(_b) (0xff << ((_b) << 3))
-
 /* Count the number of bytes set in the bitmap. Called fairly sporadically,
    mostly to update the status screen or calibrate and examine confirmed
    new paths. */
@@ -194,10 +192,10 @@ u32 count_bytes(u8 *mem) {
     u32 v = *(ptr++);
 
     if (!v) continue;
-    if (v & FF(0)) ++ret;
+    if (v & 0x000000ff) ++ret;
-    if (v & FF(1)) ++ret;
+    if (v & 0x0000ff00) ++ret;
-    if (v & FF(2)) ++ret;
+    if (v & 0x00ff0000) ++ret;
-    if (v & FF(3)) ++ret;
+    if (v & 0xff000000) ++ret;
 
   }
 
@@ -222,10 +220,10 @@ u32 count_non_255_bytes(u8 *mem) {
        case. */
 
     if (v == 0xffffffff) continue;
-    if ((v & FF(0)) != FF(0)) ++ret;
+    if ((v & 0x000000ff) != 0x000000ff) ++ret;
-    if ((v & FF(1)) != FF(1)) ++ret;
+    if ((v & 0x0000ff00) != 0x0000ff00) ++ret;
-    if ((v & FF(2)) != FF(2)) ++ret;
+    if ((v & 0x00ff0000) != 0x00ff0000) ++ret;
-    if ((v & FF(3)) != FF(3)) ++ret;
+    if ((v & 0xff000000) != 0xff000000) ++ret;
 
   }
 

src/afl-fuzz-queue.c

@@ -186,7 +186,8 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) {
   u64 fav_factor;
   u64 fuzz_p2 = next_pow2(q->n_fuzz);
 
-  if (afl->schedule == MMOPT || afl->schedule == RARE || unlikely(afl->fixed_seed))
+  if (afl->schedule == MMOPT || afl->schedule == RARE ||
+      unlikely(afl->fixed_seed))
     fav_factor = q->len << 2;
   else
     fav_factor = q->exec_us * q->len;
@@ -203,7 +204,8 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) {
         u64 top_rated_fav_factor;
         u64 top_rated_fuzz_p2 = next_pow2(afl->top_rated[i]->n_fuzz);
 
-        if (afl->schedule == MMOPT || afl->schedule == RARE || unlikely(afl->fixed_seed))
+        if (afl->schedule == MMOPT || afl->schedule == RARE ||
+            unlikely(afl->fixed_seed))
           top_rated_fav_factor = afl->top_rated[i]->len << 2;
         else
           top_rated_fav_factor =
@@ -214,16 +216,16 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) {
         else if (fuzz_p2 == top_rated_fuzz_p2)
           if (fav_factor > top_rated_fav_factor) continue;
 
-        if (afl->schedule == MMOPT || afl->schedule == RARE || unlikely(afl->fixed_seed)) {
+        if (afl->schedule == MMOPT || afl->schedule == RARE ||
+            unlikely(afl->fixed_seed)) {
 
-          if (fav_factor > afl->top_rated[i]->len << 2)
+          if (fav_factor > afl->top_rated[i]->len << 2) continue;
-            continue;
 
-        } else {        
+        } else {
 
           if (fav_factor > afl->top_rated[i]->exec_us * afl->top_rated[i]->len)
             continue;
-        
+
         }
 
         /* Looks like we're going to win. Decrease ref count for the
@@ -339,7 +341,8 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) {
   // Longer execution time means longer work on the input, the deeper in
   // coverage, the better the fuzzing, right? -mh
 
-  if (afl->schedule != MMOPT && afl->schedule != RARE && likely(!afl->fixed_seed)) {
+  if (afl->schedule != MMOPT && afl->schedule != RARE &&
+      likely(!afl->fixed_seed)) {
 
     if (q->exec_us * 0.1 > avg_exec_us)
       perf_score = 10;

src/afl-fuzz-run.c

@@ -354,17 +354,14 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
 
         for (i = 0; i < MAP_SIZE; ++i) {
 
-          if (!afl->var_bytes[i] &&
+          if (unlikely(!afl->var_bytes[i]) &&
-              afl->first_trace[i] != afl->fsrv.trace_bits[i]) {
+              unlikely(afl->first_trace[i] != afl->fsrv.trace_bits[i]))
-
             afl->var_bytes[i] = 1;
-            afl->stage_max = CAL_CYCLES_LONG;
-
-          }
 
         }
 
         var_detected = 1;
+        afl->stage_max = CAL_CYCLES_LONG;
 
       } else {
 

src/afl-fuzz-stats.c

@@ -98,8 +98,8 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability,
       "exec_timeout      : %u\n"
       "slowest_exec_ms   : %u\n"
       "peak_rss_mb       : %lu\n"
+      "edges_found       : %u\n"
       "var_byte_count    : %u\n"
-      "found_edges       : %u\n"
       "afl_banner        : %s\n"
       "afl_version       : " VERSION
       "\n"
@@ -122,7 +122,7 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability,
 #else
       (unsigned long int)(rus.ru_maxrss >> 10),
 #endif
-      afl->var_byte_count, t_bytes, afl->use_banner,
+      t_bytes, afl->var_byte_count, afl->use_banner,
       afl->unicorn_mode ? "unicorn" : "", afl->qemu_mode ? "qemu " : "",
       afl->dumb_mode ? " dumb " : "", afl->no_forkserver ? "no_fsrv " : "",
       afl->crash_mode ? "crash " : "",
@@ -260,8 +260,8 @@ void show_stats(afl_state_t *afl) {
   t_bytes = count_non_255_bytes(afl->virgin_bits);
   t_byte_ratio = ((double)t_bytes * 100) / MAP_SIZE;
 
-  if (t_bytes)
+  if (likely(t_bytes) && unlikely(afl->var_byte_count))
-    stab_ratio = 100 - (((double)afl->var_byte_count) * 100) / t_bytes;
+    stab_ratio = 100 - (((double)afl->var_byte_count * 100) / t_bytes);
   else
     stab_ratio = 100;