add AFL_KEEP_TIMEOUTS

2025-06-14 02:58:08 +00:00 · 2022-04-08 22:44:10 +02:00
parent 891f4d3c8e
commit e9288bcfad
6 changed files with 25 additions and 3 deletions
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@ -23,6 +23,9 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
    - add AFL_EARLY_FORKSERVER to install the forkserver as earliest as
      possible in the target (for afl-gcc-fast/afl-clang-fast/
      afl-clang-lto)
+    - "saved timeouts" was wrong information, timeouts are still thrown
+      away by default even if they have new coverage (hangs are always
+      kept), unless AFL_KEEP_TIMEOUTS are set
    - document and auto-activate pizza mode on condition
  - afl-cc:
    - converted all passed to use the new llvm pass manager for llvm 11+
--- a/docs/env_variables.md
+++ b/docs/env_variables.md
@ -349,6 +349,9 @@ checks or alter some of the more exotic semantics of the tool:
  - Setting `AFL_DISABLE_TRIM` tells afl-fuzz not to trim test cases. This is
    usually a bad idea!

+  - Setting `AFL_KEEP_TIMEOUTS` will keep longer running inputs if they reach
+    new coverage
+
  - `AFL_EXIT_ON_SEED_ISSUES` will restore the vanilla afl-fuzz behavior which
    does not allow crashes or timeout seeds in the initial -i corpus.

--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@ -385,7 +385,7 @@ typedef struct afl_env_vars {
      afl_bench_until_crash, afl_debug_child, afl_autoresume, afl_cal_fast,
      afl_cycle_schedules, afl_expand_havoc, afl_statsd, afl_cmplog_only_new,
      afl_exit_on_seed_issues, afl_try_affinity, afl_ignore_problems,
-      afl_pizza_mode;
+      afl_keep_timeouts, afl_pizza_mode;

  u8 *afl_tmpdir, *afl_custom_mutator_library, *afl_python_module, *afl_path,
      *afl_hang_tmout, *afl_forksrv_init_tmout, *afl_preload,
--- a/include/envs.h
+++ b/include/envs.h
@ -106,6 +106,7 @@ static char *afl_environment_variables[] = {
    "AFL_INPUT_LEN_MAX",
    "AFL_INST_LIBS",
    "AFL_INST_RATIO",
+    "AFL_KEEP_TIMEOUTS",
    "AFL_KILL_SIGNAL",
    "AFL_KEEP_TRACES",
    "AFL_KEEP_ASSEMBLY",
--- a/src/afl-fuzz-bitmap.c
+++ b/src/afl-fuzz-bitmap.c
@ -664,9 +664,17 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {

        if (afl->stop_soon || new_fault != FSRV_RUN_TMOUT) {

+          if (afl->afl_env.afl_keep_timeouts) {
+
            ++afl->saved_tmouts;
            goto save_to_queue;

+          } else {
+
+            return keeping;
+
+          }
+
        }

      }
--- a/src/afl-fuzz-state.c
+++ b/src/afl-fuzz-state.c
@ -222,6 +222,13 @@ void read_afl_environment(afl_state_t *afl, char **envp) {
            afl->afl_env.afl_hang_tmout =
                (u8 *)get_afl_env(afl_environment_variables[i]);

+          } else if (!strncmp(env, "AFL_KEEP_TIMEOUTS",
+
+                              afl_environment_variable_len)) {
+
+            afl->afl_env.afl_keep_timeouts =
+                get_afl_env(afl_environment_variables[i]) ? 1 : 0;
+
          } else if (!strncmp(env, "AFL_SKIP_BIN_CHECK",

                              afl_environment_variable_len)) {