add output warning

redqueen: time limit for colorization

include/afl-fuzz.h

@@ -605,6 +605,9 @@ typedef struct afl_state {
 #define N_FUZZ_SIZE (1 << 21)
   u32 *n_fuzz;
 
+  /* CMPLOG colorless feature */
+  u64 cmplog_color_items, cmplog_color_fail, cmplog_color_depth;
+
   volatile u8 stop_soon,                /* Ctrl-C pressed?                  */
       clear_screen;                     /* Window resized?                  */
 

include/config.h

@@ -85,6 +85,11 @@
 /* Maximum allowed fails per CMP value. Default: 96 */
 #define CMPLOG_FAIL_MAX 96
 
+/* Starting timeout (in seconds) for the CMPLOG colorization phase. Upon
+   multiple timeouts this value will be doubled 4 times each.
+   So: 60 seconds => 960 seconds max. Good values are 30-120 seconds.  */
+#define CMPLOG_COLORIZATION_TIME_MAX_START 60ULL
+
 /* -------------------------------------*/
 /* Now non-cmplog configuration options */
 /* -------------------------------------*/

src/afl-fuzz-redqueen.c

@@ -107,11 +107,12 @@ static struct range *add_range(struct range *ranges, u32 start, u32 end) {
 
 }
 
-static struct range *pop_biggest_range(struct range **ranges) {
+static struct range *pop_biggest_range(struct range **ranges, int *num_ranges) {
 
   struct range *r = *ranges;
   struct range *rmax = NULL;
   u32           max_size = 0;
+  u32           count = 0;
 
   while (r) {
 
@@ -129,9 +130,11 @@ static struct range *pop_biggest_range(struct range **ranges) {
     }
 
     r = r->next;
+    ++count;
 
   }
 
+  *num_ranges = count;
   return rmax;
 
 }
@@ -311,6 +314,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len,
   afl->stage_short = "colorization";
   afl->stage_max = (len << 1);
   afl->stage_cur = 0;
+  ++(afl->cmplog_color_items);
 
   // in colorization we do not classify counts, hence we have to calculate
   // the original checksum.
@@ -332,7 +336,8 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len,
 
   }
 
-  while ((rng = pop_biggest_range(&ranges)) != NULL &&
+  u32 range_count = 0;
+  while ((rng = pop_biggest_range(&ranges, &range_count)) != NULL &&
          afl->stage_cur < afl->stage_max) {
 
     u32 s = 1 + rng->end - rng->start;
@@ -363,6 +368,50 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len,
         ranges = add_range(ranges, rng->start, rng->start - 1 + s / 2);
         ranges = add_range(ranges, rng->start + s / 2, rng->end);
 
+        /* Check the number of *remaining* execs for colorization; since
+          each represents a previously split range, and may be split
+          again, we break when emptying the queue would consume *half*
+          the timeout */
+        if ((range_count * afl->queue_cur->exec_us) >
+            ((CMPLOG_COLORIZATION_TIME_MAX_START << afl->cmplog_color_depth) /
+             2 * 1000000)) {
+
+          if (afl->afl_env.afl_no_ui) {
+
+            WARNF(
+                "Colorization took too long, skipping (%llu/%llu, depth %llu).",
+                afl->cmplog_color_fail + 1, afl->cmplog_color_items,
+                afl->cmplog_color_depth);
+
+          }
+
+          if (unlikely(afl->cmplog_color_depth < 4)) {
+
+            ++(afl->cmplog_color_fail);
+
+            if (likely(afl->cmplog_color_items > 4) &&
+                unlikely(afl->cmplog_color_items / afl->cmplog_color_fail) <
+                    2) {
+
+              ++(afl->cmplog_color_depth);
+              afl->cmplog_color_items = 0;
+              afl->cmplog_color_fail = 0;
+
+              if (afl->afl_env.afl_no_ui) {
+
+                WARNF("Increasing colorization time depth to %llu.",
+                      afl->cmplog_color_depth);
+
+              }
+
+            }
+
+          }
+
+          goto checksum_fail;
+
+        }
+
       }
 
       if (ranges == rng) {