ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-08 16:21:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

allow -L -1 to enable mopt in parallel to classic mutation

Browse Source
This commit is contained in:
van Hauser 2020-04-13 12:12:27 +02:00
parent 5daec436f9
commit dda096da03
7 changed files with 56 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
docs/Changelog.md
View File

@ -17,6 +17,8 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
- afl-fuzz: - afl-fuzz:
- variable map size support added (only LTO mode can use this) - variable map size support added (only LTO mode can use this)
- snapshot feature usage now visible in UI - snapshot feature usage now visible in UI
- Now setting "-L -1" will enable MOpt in parallel to normal mutation.
Additionally this allows to run dictionaries, radamsa and cmplog.
- compare-transform/AFL_LLVM_LAF_TRANSFORM_COMPARES now transforms also - compare-transform/AFL_LLVM_LAF_TRANSFORM_COMPARES now transforms also
static global and local variable comparisons (cannot find all though) static global and local variable comparisons (cannot find all though)
- extended forkserver: map_size and more information is communicated to - extended forkserver: map_size and more information is communicated to

3
docs/README.MOpt.md
View File

@ -36,6 +36,9 @@ enter the pacemaker fuzzing mode.
Setting 0 will enter the pacemaker fuzzing mode at first, which is Setting 0 will enter the pacemaker fuzzing mode at first, which is
recommended in a short time-scale evaluation. recommended in a short time-scale evaluation.
Setting -1 will enable both pacemaker mode and normal aflmutation fuzzing in
parallel.
Other important parameters can be found in afl-fuzz.c, for instance, Other important parameters can be found in afl-fuzz.c, for instance,
'swarm_num': the number of the PSO swarms used in the fuzzing process. 'swarm_num': the number of the PSO swarms used in the fuzzing process.

10
include/afl-fuzz.h
View File

@ -354,14 +354,14 @@ typedef struct afl_state {
/* MOpt: /* MOpt:
Lots of globals, but mostly for the status UI and other things where it Lots of globals, but mostly for the status UI and other things where it
really makes no sense to haul them around as function parameters. */ really makes no sense to haul them around as function parameters. */
u64 limit_time_puppet, orig_hit_cnt_puppet, last_limit_time_start, u64 orig_hit_cnt_puppet, last_limit_time_start, tmp_pilot_time,
tmp_pilot_time, total_pacemaker_time, total_puppet_find, temp_puppet_find, total_pacemaker_time, total_puppet_find, temp_puppet_find, most_time_key,
most_time_key, most_time, most_execs_key, most_execs, old_hit_count, most_time, most_execs_key, most_execs, old_hit_count, force_ui_update;
force_ui_update;
MOpt_globals_t mopt_globals_core, mopt_globals_pilot; MOpt_globals_t mopt_globals_core, mopt_globals_pilot;
s32 SPLICE_CYCLES_puppet, limit_time_sig, key_puppet, key_module; s32 limit_time_puppet, SPLICE_CYCLES_puppet, limit_time_sig, key_puppet,
key_module;
double w_init, w_end, w_now; double w_init, w_end, w_now;

14
src/afl-fuzz-one.c
View File

@ -4377,7 +4377,7 @@ void pso_updating(afl_state_t *afl) {
u8 fuzz_one(afl_state_t *afl) { u8 fuzz_one(afl_state_t *afl) {
int key_val_lv = 0; int key_val_lv_1 = 0, key_val_lv_2 = 0;
#ifdef _AFL_DOCUMENT_MUTATIONS #ifdef _AFL_DOCUMENT_MUTATIONS
@ -4397,22 +4397,22 @@ u8 fuzz_one(afl_state_t *afl) {
#endif #endif
if (afl->limit_time_sig == 0) { // if limit_time_sig == -1 then both are run after each other
key_val_lv = fuzz_one_original(afl); if (afl->limit_time_sig <= 0) { key_val_lv_1 = fuzz_one_original(afl); }
} else { if (afl->limit_time_sig != 0) {
if (afl->key_module == 0) if (afl->key_module == 0)
key_val_lv = pilot_fuzzing(afl); key_val_lv_2 = pilot_fuzzing(afl);
else if (afl->key_module == 1) else if (afl->key_module == 1)
key_val_lv = core_fuzzing(afl); key_val_lv_2 = core_fuzzing(afl);
else if (afl->key_module == 2) else if (afl->key_module == 2)
pso_updating(afl); pso_updating(afl);
} }
return key_val_lv; return (key_val_lv_1 | key_val_lv_2);
#undef BUF_PARAMS #undef BUF_PARAMS

50
src/afl-fuzz.c
View File

@ -109,12 +109,12 @@ static void usage(afl_state_t *afl, u8 *argv0, int more_help) {
"Mutator settings:\n" "Mutator settings:\n"
" -R[R] - add Radamsa as mutator, add another -R to exclusivly " " -R[R] - add Radamsa as mutator, add another -R to exclusivly "
"run it\n" "run it\n"
" -L minutes - use MOpt(imize) mode and set the limit time for " " -L minutes - use MOpt(imize) mode and set the time limit for "
"entering the\n" "entering the\n"
" pacemaker mode (minutes of no new paths, 0 = " " pacemaker mode (minutes of no new paths). 0 = "
"immediately).\n" "immediately,\n"
" a recommended value is 10-60. see " " -1 = immediately and together with normal mutation).\n"
"docs/README.MOpt.md\n" " See docs/README.MOpt.md\n"
" -c program - enable CmpLog by specifying a binary compiled for " " -c program - enable CmpLog by specifying a binary compiled for "
"it.\n" "it.\n"
" if using QEMU, just use -c 0.\n\n" " if using QEMU, just use -c 0.\n\n"
@ -553,20 +553,33 @@ int main(int argc, char **argv_orig, char **envp) {
case 'L': { /* MOpt mode */ case 'L': { /* MOpt mode */
if (afl->limit_time_sig) FATAL("Multiple -L options not supported"); if (afl->limit_time_sig) FATAL("Multiple -L options not supported");
afl->limit_time_sig = 1;
afl->havoc_max_mult = HAVOC_MAX_MULT_MOPT; afl->havoc_max_mult = HAVOC_MAX_MULT_MOPT;
if (sscanf(optarg, "%llu", &afl->limit_time_puppet) < 1 || if (sscanf(optarg, "%d", &afl->limit_time_puppet) < 1)
optarg[0] == '-')
FATAL("Bad syntax used for -L"); FATAL("Bad syntax used for -L");
if (afl->limit_time_puppet == -1) {
afl->limit_time_sig = -1;
afl->limit_time_puppet = 0;
} else if (afl->limit_time_puppet < 0) {
FATAL("-L value must be between 0 and 2000000 or -1");
} else {
afl->limit_time_sig = 1;
}
u64 limit_time_puppet2 = afl->limit_time_puppet * 60 * 1000; u64 limit_time_puppet2 = afl->limit_time_puppet * 60 * 1000;
if (limit_time_puppet2 < afl->limit_time_puppet) if (limit_time_puppet2 < afl->limit_time_puppet)
FATAL("limit_time overflow"); FATAL("limit_time overflow");
afl->limit_time_puppet = limit_time_puppet2; afl->limit_time_puppet = limit_time_puppet2;
SAYF("limit_time_puppet %llu\n", afl->limit_time_puppet); SAYF("limit_time_puppet %d\n", afl->limit_time_puppet);
afl->swarm_now = 0; afl->swarm_now = 0;
if (afl->limit_time_puppet == 0) afl->key_puppet = 1; if (afl->limit_time_puppet == 0) afl->key_puppet = 1;
@ -701,11 +714,14 @@ int main(int argc, char **argv_orig, char **envp) {
if (afl->use_radamsa) { if (afl->use_radamsa) {
if (afl->limit_time_sig) if (afl->limit_time_sig > 0)
FATAL( FATAL(
"MOpt and Radamsa are mutually exclusive. We accept pull requests " "MOpt and Radamsa are mutually exclusive unless you specify -L -1. "
"that integrates MOpt with the optional mutators " "We accept pull requests that integrates MOpt with the optional "
"(custom/radamsa/redquenn/...)."); "mutators (custom/radamsa/redqueen/...).");
if (afl->limit_time_sig && afl->use_radamsa > 1)
FATAL("Radamsa in radamsa-only mode can not run together with -L");
OKF("Using Radamsa add-on"); OKF("Using Radamsa add-on");
@ -984,11 +1000,11 @@ int main(int argc, char **argv_orig, char **envp) {
if (afl->cmplog_binary) { if (afl->cmplog_binary) {
if (afl->limit_time_sig) if (afl->limit_time_sig > 0)
FATAL( FATAL(
"MOpt and CmpLog are mutually exclusive. We accept pull requests " "MOpt and CmpLog are mutually exclusive unless you specify -L -1. We "
"that integrates MOpt with the optional mutators " "accept pull requests that integrates MOpt with the optional "
"(custom/radamsa/redquenn/...)."); "mutators (custom/radamsa/redqueen/...).");
if (afl->unicorn_mode) if (afl->unicorn_mode)
FATAL("CmpLog and Unicorn mode are not compatible at the moment, sorry"); FATAL("CmpLog and Unicorn mode are not compatible at the moment, sorry");