tmp test

include/afl-fuzz.h

@@ -201,7 +201,6 @@ struct queue_entry {
   u32 len;                              /* Input length                     */
   u32 id;                               /* entry number in queue_buf        */
   u32 found;
-  s32 cmp, fcmp, rtn;
 
   u8 colorized,                         /* Do not run redqueen stage again  */
       cal_failed;                       /* Calibration failed?              */

src/afl-fuzz-queue.c

@@ -60,13 +60,19 @@ inline u32 select_next_queue_entry(afl_state_t *afl) {
 
 }
 
-// #define DEBUG_QUEUE 1
+//#define DEBUG_QUEUE 1
 double compute_weight(afl_state_t *afl, struct queue_entry *q,
                       double avg_exec_us, double avg_bitmap_size,
                       double avg_top_size, double avg_score) {
 
-  double weight = 1.0;
-  /*
+  if (likely(avg_score > 0)) {
+
+    return q->score / avg_score;
+
+  } else {
+
+    double weight = 1.0;
+
     if (likely(afl->schedule >= FAST && afl->schedule <= RARE)) {
 
       u32 hits = afl->n_fuzz[q->n_fuzz_entry];
@@ -74,26 +80,27 @@ double compute_weight(afl_state_t *afl, struct queue_entry *q,
 
     }
 
-  #ifdef DEBUG_QUEUE
+#ifdef DEBUG_QUEUE
     fprintf(stderr, "WEIGHT id=%u fname=%s start_weight=1.0\n", q->id,
-  q->fname); fprintf(stderr, "  after step 1: %.2f (log10(hits))\n", weight);
-  #endif
+            q->fname);
+    fprintf(stderr, "  after step 1: %.2f (log10(hits))\n", weight);
+#endif
     if (likely(afl->schedule < RARE)) { weight *= (avg_exec_us / q->exec_us); }
-  #ifdef DEBUG_QUEUE
+#ifdef DEBUG_QUEUE
     fprintf(stderr, "  after step 2: %.2f (exec_us)\n", weight);
-  #endif
+#endif
     weight *= (log(q->bitmap_size) / avg_bitmap_size);
-  #ifdef DEBUG_QUEUE
+#ifdef DEBUG_QUEUE
     fprintf(stderr, "  after step 3: %.2f (log(bitmap_size))\n", weight);
-  #endif
+#endif
     weight *= (1 + (q->tc_ref / avg_top_size));
-  #ifdef DEBUG_QUEUE
+#ifdef DEBUG_QUEUE
     fprintf(stderr, "  after step 4: %.2f (top_size)\n", weight);
-  #endif
+#endif
     if (unlikely(avg_score != 0.0)) { weight *= (q->score / avg_score); }
-  #ifdef DEBUG_QUEUE
+#ifdef DEBUG_QUEUE
     fprintf(stderr, "  after step 5: %.2f (score)\n", weight);
-  #endif
+#endif
 
     if (unlikely(weight < 0.1)) { weight = 0.1; }
     if (unlikely(q->favored)) {
@@ -103,20 +110,21 @@ double compute_weight(afl_state_t *afl, struct queue_entry *q,
 
     }
 
-  #ifdef DEBUG_QUEUE
+#ifdef DEBUG_QUEUE
     fprintf(stderr, "  after step 6: %.2f (favored)\n", weight);
-  #endif
-  */
-  if (unlikely(!q->was_fuzzed)) { weight *= 5; }
-#ifdef DEBUG_QUEUE
-  fprintf(stderr, "  after step 7: %.2f (was_fuzzed)\n", weight);
 #endif
-  if (unlikely(q->fs_redundant)) { weight = 0.0; }
+    if (unlikely(!q->was_fuzzed)) { weight *= 2.5; }
 #ifdef DEBUG_QUEUE
-  fprintf(stderr, "  after final step: %.2f (fs_redundant)\n", weight);
+    fprintf(stderr, "  after step 7: %.2f (was_fuzzed)\n", weight);
+#endif
+    if (unlikely(q->fs_redundant)) { weight *= 0.75; }
+#ifdef DEBUG_QUEUE
+    fprintf(stderr, "  after final step: %.2f (fs_redundant)\n", weight);
 #endif
 
-  return weight;
+    return weight;
+
+  }
 
 }
 
@@ -635,11 +643,6 @@ void add_to_queue(afl_state_t *afl, u8 *fname, u32 len, u8 passed_det) {
   q->trace_mini = NULL;
   q->testcase_buf = NULL;
   q->mother = afl->queue_cur;
-  q->cmp = q->fcmp = q->rtn = -1;
-
-  if (afl->queue_cur) {
-    afl->queue_cur->found++;
-  }
   q->score = afl->current_score;
   if (unlikely(!q->score)) { q->score = 1; }
 
@@ -960,8 +963,6 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) {
   u32 avg_bitmap_size = afl->total_bitmap_size / bitmap_entries;
   u32 perf_score = 100;
 
-  return perf_score;
-
   /* Adjust score based on execution speed of this path, compared to the
      global average. Multiplier ranges from 0.1x to 3x. Fast inputs are
      less expensive to fuzz, so we're giving them more air time. */

src/afl-fuzz-redqueen.c

@@ -3072,8 +3072,6 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len) {
   afl->stage_max = 0;
   afl->stage_cur = 0;
 
-  afl->queue_cur->cmp = afl->queue_cur->fcmp = afl->queue_cur->rtn = 0;
-
   u32 lvl = (afl->queue_cur->colorized ? 0 : LVL1) +
             (afl->cmplog_lvl == CMPLOG_LVL_MAX ? LVL3 : 0);
 
@@ -3091,13 +3089,6 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len) {
 
     if (!afl->shm.cmp_map->headers[k].hits) { continue; }
 
-    if (afl->shm.cmp_map->headers[k].type != CMP_TYPE_INS)
-      afl->queue_cur->rtn++;
-    else if (unlikely((afl->shm.cmp_map->headers[k].attribute & 8) == 8))
-      afl->queue_cur->fcmp++;
-    else
-      afl->queue_cur->cmp++;
-
     if (afl->pass_stats[k].faileds >= CMPLOG_FAIL_MAX ||
         afl->pass_stats[k].total >= CMPLOG_FAIL_MAX) {
 

src/afl-fuzz.c

@@ -3071,7 +3071,7 @@ stop_fuzzing:
 
   if (getenv("AFL_DUMP_QUEUE_ON_EXIT")) {
 
-    for (u32 mode = 0; mode < 1; mode++) {
+    for (u32 mode = 0; mode < 2; mode++) {  // explore + exploit mode data
 
       afl->fuzz_mode = mode;
       create_alias_table(afl);
@@ -3085,12 +3085,10 @@ stop_fuzzing:
                 "has_new_cov=%u "
                 "var_behavior=%u favored=%u fs_redundant=%u disabled=%u "
                 "bitmap_size=%u tc_ref=%u fuzz_level=%u was_fuzzed=%u "
-                "cmp=%d fcmp=%d rtn=%d "
                 "mother=%d found=%u perf_score=%.2f weight=%.2f score=%u\n",
                 k, q->fname, q->len, q->exec_us, q->total_execs, q->has_new_cov,
                 q->var_behavior, q->favored, q->fs_redundant, q->disabled,
                 q->bitmap_size, q->tc_ref, q->fuzz_level, q->was_fuzzed,
-                q->cmp, q->fcmp, q->rtn,
                 q->mother == NULL ? -1 : (int)q->mother->id, q->found,
                 q->perf_score, q->weight, q->score);