fixes and debug

include/envs.h

@@ -21,19 +21,20 @@ static char *afl_environment_variables[] = {
     "AFL_BENCH_UNTIL_CRASH", "AFL_CAL_FAST", "AFL_CC", "AFL_CC_COMPILER",
     "AFL_CMIN_ALLOW_ANY", "AFL_CMIN_CRASHES_ONLY", "AFL_CMPLOG_ONLY_NEW",
     "AFL_CODE_END", "AFL_CODE_START", "AFL_COMPCOV_BINNAME",
-    "AFL_DUMP_CYCLOMATIC_COMPLEXITY", "AFL_DUMP_VULNERABILITY_COMPLEXITY",
+    "AFL_DUMP_QUEUE_ON_EXIT", "AFL_DUMP_CYCLOMATIC_COMPLEXITY",
-    "AFL_CMPLOG_MAX_LEN", "AFL_COMPCOV_LEVEL",
+    "AFL_DUMP_VULNERABILITY_COMPLEXITY", "AFL_CMPLOG_MAX_LEN",
-    "AFL_CRASH_EXITCODE", "AFL_CRASHING_SEEDS_AS_NEW_CRASH",
+    "AFL_COMPCOV_LEVEL", "AFL_CRASH_EXITCODE",
-    "AFL_CUSTOM_MUTATOR_LIBRARY", "AFL_CUSTOM_MUTATOR_ONLY",
+    "AFL_CRASHING_SEEDS_AS_NEW_CRASH", "AFL_CUSTOM_MUTATOR_LIBRARY",
-    "AFL_CUSTOM_INFO_PROGRAM", "AFL_CUSTOM_INFO_PROGRAM_ARGV",
+    "AFL_CUSTOM_MUTATOR_ONLY", "AFL_CUSTOM_INFO_PROGRAM",
-    "AFL_CUSTOM_INFO_PROGRAM_INPUT", "AFL_CUSTOM_INFO_OUT", "AFL_CXX",
+    "AFL_CUSTOM_INFO_PROGRAM_ARGV", "AFL_CUSTOM_INFO_PROGRAM_INPUT",
-    "AFL_CYCLE_SCHEDULES", "AFL_DEBUG", "AFL_DEBUG_CHILD", "AFL_DEBUG_GDB",
+    "AFL_CUSTOM_INFO_OUT", "AFL_CXX", "AFL_CYCLE_SCHEDULES", "AFL_DEBUG",
-    "AFL_DEBUG_UNICORN", "AFL_DISABLE_REDUNDANT", "AFL_NO_REDUNDANT",
+    "AFL_DEBUG_CHILD", "AFL_DEBUG_GDB", "AFL_DEBUG_UNICORN",
-    "AFL_DISABLE_TRIM", "AFL_NO_TRIM", "AFL_DISABLE_LLVM_INSTRUMENTATION",
+    "AFL_DISABLE_REDUNDANT", "AFL_NO_REDUNDANT", "AFL_DISABLE_TRIM",
-    "AFL_DONT_OPTIMIZE", "AFL_DRIVER_STDERR_DUPLICATE_FILENAME",
+    "AFL_NO_TRIM", "AFL_DISABLE_LLVM_INSTRUMENTATION", "AFL_DONT_OPTIMIZE",
-    "AFL_DUMB_FORKSRV", "AFL_EARLY_FORKSERVER", "AFL_ENTRYPOINT",
+    "AFL_DRIVER_STDERR_DUPLICATE_FILENAME", "AFL_DUMB_FORKSRV",
-    "AFL_EXIT_WHEN_DONE", "AFL_EXIT_ON_TIME", "AFL_EXIT_ON_SEED_ISSUES",
+    "AFL_EARLY_FORKSERVER", "AFL_ENTRYPOINT", "AFL_EXIT_WHEN_DONE",
-    "AFL_FAST_CAL", "AFL_FINAL_SYNC", "AFL_FORCE_UI", "AFL_FRIDA_DEBUG_MAPS",
+    "AFL_EXIT_ON_TIME", "AFL_EXIT_ON_SEED_ISSUES", "AFL_FAST_CAL",
+    "AFL_FINAL_SYNC", "AFL_FORCE_UI", "AFL_FRIDA_DEBUG_MAPS",
     "AFL_FRIDA_DRIVER_NO_HOOK", "AFL_FRIDA_EXCLUDE_RANGES",
     "AFL_FRIDA_INST_CACHE_SIZE", "AFL_FRIDA_INST_COVERAGE_ABSOLUTE",
     "AFL_FRIDA_INST_COVERAGE_FILE", "AFL_FRIDA_INST_DEBUG_FILE",

src/afl-forkserver.c

@@ -578,7 +578,8 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
     void *nyx_config = fsrv->nyx_handlers->nyx_config_load(fsrv->target_path);
 
     fsrv->nyx_handlers->nyx_config_set_workdir_path(nyx_config, workdir_path);
-    fsrv->nyx_handlers->nyx_config_set_input_buffer_size(nyx_config, fsrv->max_length);
+    fsrv->nyx_handlers->nyx_config_set_input_buffer_size(nyx_config,
+                                                         fsrv->max_length);
     fsrv->nyx_handlers->nyx_config_set_input_buffer_write_protection(nyx_config,
                                                                      true);
 

src/afl-fuzz-queue.c

@@ -76,7 +76,7 @@ double compute_weight(afl_state_t *afl, struct queue_entry *q,
   if (likely(afl->schedule < RARE)) { weight *= (avg_exec_us / q->exec_us); }
   weight *= (log(q->bitmap_size) / avg_bitmap_size);
   weight *= (1 + (q->tc_ref / avg_top_size));
-  if (avg_score != 0.0) { weight *= (log(q->score) / avg_score); }
+  if (unlikely(avg_score != 0.0)) { weight *= (log(q->score) / avg_score); }
 
   if (unlikely(weight < 0.1)) { weight = 0.1; }
   if (unlikely(q->favored)) { weight *= 5; }
@@ -92,7 +92,7 @@ double compute_weight(afl_state_t *afl, struct queue_entry *q,
 void create_alias_table(afl_state_t *afl) {
 
   u32 n = afl->queued_items, i = 0, nSmall = 0, nLarge = n - 1,
-      explore = afl->fuzz_mode;
+      exploit = afl->fuzz_mode;
   double sum = 0;
 
   double *P = (double *)afl_realloc(AFL_BUF_PARAM(out), n * sizeof(double));
@@ -133,7 +133,7 @@ void create_alias_table(afl_state_t *afl) {
         avg_exec_us += q->exec_us;
         avg_bitmap_size += log(q->bitmap_size);
         avg_top_size += q->tc_ref;
-        if (!explore) { avg_score += q->score; }
+        if (exploit) { avg_score += q->score; }
         ++active;
 
       }
@@ -144,7 +144,7 @@ void create_alias_table(afl_state_t *afl) {
     avg_bitmap_size /= active;
     avg_top_size /= active;
 
-    if (!explore) { avg_score /= active; }
+    if (exploit) { avg_score /= active; }
 
     for (i = 0; i < n; i++) {
 
@@ -603,6 +603,7 @@ void add_to_queue(afl_state_t *afl, u8 *fname, u32 len, u8 passed_det) {
   q->testcase_buf = NULL;
   q->mother = afl->queue_cur;
   q->score = afl->current_score;
+  if (unlikely(!q->score)) { q->score = 1; }
 
 #ifdef INTROSPECTION
   q->bitsmap_size = afl->bitsmap_size;

src/afl-fuzz-run.c

@@ -606,6 +606,8 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
   }
 
   q->exec_us = diff_us / afl->stage_max;
+  if (unlikely(!q->exec_us)) { q->exec_us = 1; }
+
   q->bitmap_size = count_bytes(afl, afl->fsrv.trace_bits);
   q->handicap = handicap;
   q->cal_failed = 0;

src/afl-fuzz.c

@@ -3067,6 +3067,28 @@ stop_fuzzing:
 
   }
 
+  if (getenv("AFL_DUMP_QUEUE_ON_EXIT")) {
+
+    fprintf(stderr, "\nQUEUE DUMP:\n");
+    for (u32 k = 0; k < afl->queued_items; ++k) {
+
+      struct queue_entry *q = afl->queue_buf[k];
+      fprintf(
+          stderr,
+          "item=%u fname=%s len=%u exec_us=%llu has_new_cov=%u var_behavior=%u "
+          "favored=%u fs_redundant=%u disabled=%u bitmap_size=%u fuzz_level=%u "
+          "mother=%d perf_score=%.2f weight=%.2f score=%u\n",
+          k, q->fname, q->len, q->exec_us, q->has_new_cov, q->var_behavior,
+          q->favored, q->fs_redundant, q->disabled, q->bitmap_size,
+          q->fuzz_level, q->mother == NULL ? -1 : (int)q->mother->id,
+          q->perf_score, q->weight, q->score);
+
+    }
+
+    fprintf(stderr, "\n");
+
+  }
+
   if (frida_afl_preload) { ck_free(frida_afl_preload); }
 
   fclose(afl->fsrv.plot_file);