enable new mopt

include/afl-fuzz.h

@@ -275,35 +275,62 @@ struct auto_extra_data {
 };
 
 /* Fuzzing stages */
-
 enum {
 
-  /* 00 */ STAGE_FLIP1,
-  /* 01 */ STAGE_FLIP2,
-  /* 02 */ STAGE_FLIP4,
-  /* 03 */ STAGE_FLIP8,
-  /* 04 */ STAGE_FLIP16,
-  /* 05 */ STAGE_FLIP32,
-  /* 06 */ STAGE_ARITH8,
-  /* 07 */ STAGE_ARITH16,
-  /* 08 */ STAGE_ARITH32,
-  /* 09 */ STAGE_INTEREST8,
-  /* 10 */ STAGE_INTEREST16,
-  /* 11 */ STAGE_INTEREST32,
-  /* 12 */ STAGE_EXTRAS_UO,
-  /* 13 */ STAGE_EXTRAS_UI,
-  /* 14 */ STAGE_EXTRAS_AO,
-  /* 15 */ STAGE_EXTRAS_AI,
-  /* 16 */ STAGE_HAVOC,
-  /* 17 */ STAGE_SPLICE,
-  /* 18 */ STAGE_PYTHON,
-  /* 19 */ STAGE_CUSTOM_MUTATOR,
-  /* 20 */ STAGE_COLORIZATION,
-  /* 21 */ STAGE_ITS,
-  /* 22 */ STAGE_INF,
-  /* 23 */ STAGE_QUICK,
-
-  STAGE_NUM_MAX
+  /* 00 */ STAGE_FLIPBIT,
+  /* 01 */ STAGE_INTEREST8,
+  /* 02 */ STAGE_INTEREST16,
+  /* 03 */ STAGE_INTEREST16BE,
+  /* 04 */ STAGE_INTEREST32,
+  /* 05 */ STAGE_INTEREST32BE,
+  /* 06 */ STAGE_ARITH8_,
+  /* 07 */ STAGE_ARITH8,
+  /* 08 */ STAGE_ARITH16_,
+  /* 09 */ STAGE_ARITH16BE_,
+  /* 10 */ STAGE_ARITH16,
+  /* 11 */ STAGE_ARITH16BE,
+  /* 12 */ STAGE_ARITH32_,
+  /* 13 */ STAGE_ARITH32BE_,
+  /* 14 */ STAGE_ARITH32,
+  /* 15 */ STAGE_ARITH32BE,
+  /* 16 */ STAGE_RAND8,
+  /* 17 */ STAGE_CLONE_COPY,
+  /* 18 */ STAGE_CLONE_FIXED,
+  /* 19 */ STAGE_OVERWRITE_COPY,
+  /* 20 */ STAGE_OVERWRITE_FIXED,
+  /* 21 */ STAGE_BYTEADD,
+  /* 22 */ STAGE_BYTESUB,
+  /* 23 */ STAGE_FLIP8,
+  /* 24 */ STAGE_SWITCH,
+  /* 25 */ STAGE_DEL,
+  /* 26 */ STAGE_SHUFFLE,
+  /* 27 */ STAGE_DELONE,
+  /* 28 */ STAGE_INSERTONE,
+  /* 29 */ STAGE_ASCIINUM,
+  /* 30 */ STAGE_INSERTASCIINUM,
+  /* 31 */ STAGE_EXTRA_OVERWRITE,
+  /* 32 */ STAGE_EXTRA_INSERT,
+  /* 33 */ STAGE_AUTO_EXTRA_OVERWRITE,
+  /* 34 */ STAGE_AUTO_EXTRA_INSERT,
+  /* 35 */ STAGE_SPLICE_OVERWRITE,
+  /* 36 */ STAGE_SPLICE_INSERT,
+  // max havoc mutation types
+  STAGE_HAVOC_MAX,
+  // other stages
+  STAGE_FLIP1,
+  STAGE_FLIP2,
+  STAGE_FLIP4,
+  STAGE_FLIP16,
+  STAGE_FLIP32,
+  STAGE_HAVOC,
+  STAGE_SPLICE,
+  STAGE_CUSTOM_MUTATOR,
+  STAGE_PYTHON,
+  STAGE_COLORIZATION,
+  STAGE_ITS,
+  STAGE_INF,
+  STAGE_QUICK,
+  STAGE_MAX
 
 };
 
@@ -317,24 +344,15 @@ enum {
 
 };
 
-#define operator_num 19
-#define swarm_num 5
-#define period_core 500000
-
+#define OPERATOR_NUM STAGE_HAVOC_MAX
+#define SWARM_NUM 5
+#define PERIOD_CORE 500000
+#define PERIOD_PILOT 50000
 #define RAND_C (rand() % 1000 * 0.001)
-#define v_max 1
-#define v_min 0.05
-#define limit_time_bound 1.1
+#define V_MAX 1
+#define V_MIN 0.05
 #define SPLICE_CYCLES_puppet_up 25
 #define SPLICE_CYCLES_puppet_low 5
-#define STAGE_RANDOMBYTE 12
-#define STAGE_DELETEBYTE 13
-#define STAGE_Clone75 14
-#define STAGE_OverWrite75 15
-#define STAGE_OverWriteExtra 16
-#define STAGE_InsertExtra 17
-#define STAGE_Splice 18
-#define period_pilot 50000
 
 enum {
 
@@ -508,8 +526,7 @@ typedef struct afl_state {
 
   MOpt_globals_t mopt_globals_core, mopt_globals_pilot;
 
-  s32 limit_time_puppet, SPLICE_CYCLES_puppet, limit_time_sig, key_puppet,
-      key_module;
+  s32 SPLICE_CYCLES_puppet, limit_time_sig, pacemaker_mode, key_module;
 
   double w_init, w_end, w_now;
 
@@ -519,23 +536,23 @@ typedef struct afl_state {
   u64 tmp_core_time;
   s32 swarm_now;
 
-  double x_now[swarm_num][operator_num], L_best[swarm_num][operator_num],
-      eff_best[swarm_num][operator_num], G_best[operator_num],
-      v_now[swarm_num][operator_num], probability_now[swarm_num][operator_num],
-      swarm_fitness[swarm_num];
+  double x_now[SWARM_NUM][OPERATOR_NUM], L_best[SWARM_NUM][OPERATOR_NUM],
+      eff_best[SWARM_NUM][OPERATOR_NUM], G_best[OPERATOR_NUM],
+      v_now[SWARM_NUM][OPERATOR_NUM], probability_now[SWARM_NUM][OPERATOR_NUM],
+      swarm_fitness[SWARM_NUM];
 
-  u64 stage_finds_puppet[swarm_num][operator_num], /* Patterns found per
+  u64 stage_finds_puppet[SWARM_NUM][OPERATOR_NUM], /* Patterns found per
                                                             fuzz stage    */
-      stage_finds_puppet_v2[swarm_num][operator_num],
-      stage_cycles_puppet_v2[swarm_num][operator_num],
-      stage_cycles_puppet_v3[swarm_num][operator_num],
-      stage_cycles_puppet[swarm_num][operator_num],
-      operator_finds_puppet[operator_num],
-      core_operator_finds_puppet[operator_num],
-      core_operator_finds_puppet_v2[operator_num],
-      core_operator_cycles_puppet[operator_num],
-      core_operator_cycles_puppet_v2[operator_num],
-      core_operator_cycles_puppet_v3[operator_num]; /* Execs per fuzz stage */
+      stage_finds_puppet_v2[SWARM_NUM][OPERATOR_NUM],
+      stage_cycles_puppet_v2[SWARM_NUM][OPERATOR_NUM],
+      stage_cycles_puppet_v3[SWARM_NUM][OPERATOR_NUM],
+      stage_cycles_puppet[SWARM_NUM][OPERATOR_NUM],
+      operator_finds_puppet[OPERATOR_NUM],
+      core_operator_finds_puppet[OPERATOR_NUM],
+      core_operator_finds_puppet_v2[OPERATOR_NUM],
+      core_operator_cycles_puppet[OPERATOR_NUM],
+      core_operator_cycles_puppet_v2[OPERATOR_NUM],
+      core_operator_cycles_puppet_v3[OPERATOR_NUM]; /* Execs per fuzz stage */
 
   double period_pilot_tmp;
   s32    key_lv;
@@ -683,8 +700,8 @@ typedef struct afl_state {
 
   u8 stage_val_type;                    /* Value type (STAGE_VAL_*)         */
 
-  u64 stage_finds[32],                  /* Patterns found per fuzz stage    */
-      stage_cycles[32];                 /* Execs per fuzz stage             */
+  u64 stage_finds[STAGE_MAX],           /* Patterns found per fuzz stage    */
+      stage_cycles[STAGE_MAX];          /* Execs per fuzz stage             */
 
   u32 rand_cnt;                         /* Random number counter            */
 

src/afl-fuzz-state.c

@@ -44,7 +44,7 @@ static void init_mopt_globals(afl_state_t *afl) {
   core->cycles_v3 = afl->core_operator_cycles_puppet_v3;
   core->is_pilot_mode = 0;
   core->pTime = &afl->tmp_core_time;
-  core->period = period_core;
+  core->period = PERIOD_CORE;
   core->havoc_stagename = "MOpt-core-havoc";
   core->splice_stageformat = "MOpt-core-splice %u";
   core->havoc_stagenameshort = "MOpt_core_havoc";
@@ -58,7 +58,7 @@ static void init_mopt_globals(afl_state_t *afl) {
   pilot->cycles_v3 = afl->stage_cycles_puppet_v3[0];
   pilot->is_pilot_mode = 1;
   pilot->pTime = &afl->tmp_pilot_time;
-  pilot->period = period_pilot;
+  pilot->period = PERIOD_PILOT;
   pilot->havoc_stagename = "MOpt-havoc";
   pilot->splice_stageformat = "MOpt-splice %u";
   pilot->havoc_stagenameshort = "MOpt_havoc";

src/afl-fuzz-stats.c

@@ -1250,15 +1250,16 @@ void show_stats_normal(afl_state_t *afl) {
 
   if (unlikely(!afl->skip_deterministic)) {
 
-    sprintf(tmp, "%s/%s, %s/%s, %s/%s, %s/%s",
-            u_stringify_int(IB(0), afl->stage_finds[STAGE_EXTRAS_UO]),
-            u_stringify_int(IB(1), afl->stage_cycles[STAGE_EXTRAS_UO]),
-            u_stringify_int(IB(2), afl->stage_finds[STAGE_EXTRAS_UI]),
-            u_stringify_int(IB(3), afl->stage_cycles[STAGE_EXTRAS_UI]),
-            u_stringify_int(IB(4), afl->stage_finds[STAGE_EXTRAS_AO]),
-            u_stringify_int(IB(5), afl->stage_cycles[STAGE_EXTRAS_AO]),
-            u_stringify_int(IB(6), afl->stage_finds[STAGE_EXTRAS_AI]),
-            u_stringify_int(IB(7), afl->stage_cycles[STAGE_EXTRAS_AI]));
+    sprintf(
+        tmp, "%s/%s, %s/%s, %s/%s, %s/%s",
+        u_stringify_int(IB(0), afl->stage_finds[STAGE_EXTRA_OVERWRITE]),
+        u_stringify_int(IB(1), afl->stage_cycles[STAGE_EXTRA_OVERWRITE]),
+        u_stringify_int(IB(2), afl->stage_finds[STAGE_EXTRA_INSERT]),
+        u_stringify_int(IB(3), afl->stage_cycles[STAGE_EXTRA_INSERT]),
+        u_stringify_int(IB(4), afl->stage_finds[STAGE_AUTO_EXTRA_OVERWRITE]),
+        u_stringify_int(IB(5), afl->stage_cycles[STAGE_AUTO_EXTRA_OVERWRITE]),
+        u_stringify_int(IB(6), afl->stage_finds[STAGE_AUTO_EXTRA_INSERT]),
+        u_stringify_int(IB(7), afl->stage_cycles[STAGE_AUTO_EXTRA_INSERT]));
 
   } else if (unlikely(!afl->extras_cnt || afl->custom_only)) {
 
@@ -2089,15 +2090,16 @@ void show_stats_pizza(afl_state_t *afl) {
 
   if (unlikely(!afl->skip_deterministic)) {
 
-    sprintf(tmp, "%s/%s, %s/%s, %s/%s, %s/%s",
-            u_stringify_int(IB(0), afl->stage_finds[STAGE_EXTRAS_UO]),
-            u_stringify_int(IB(1), afl->stage_cycles[STAGE_EXTRAS_UO]),
-            u_stringify_int(IB(2), afl->stage_finds[STAGE_EXTRAS_UI]),
-            u_stringify_int(IB(3), afl->stage_cycles[STAGE_EXTRAS_UI]),
-            u_stringify_int(IB(4), afl->stage_finds[STAGE_EXTRAS_AO]),
-            u_stringify_int(IB(5), afl->stage_cycles[STAGE_EXTRAS_AO]),
-            u_stringify_int(IB(6), afl->stage_finds[STAGE_EXTRAS_AI]),
-            u_stringify_int(IB(7), afl->stage_cycles[STAGE_EXTRAS_AI]));
+    sprintf(
+        tmp, "%s/%s, %s/%s, %s/%s, %s/%s",
+        u_stringify_int(IB(0), afl->stage_finds[STAGE_EXTRA_OVERWRITE]),
+        u_stringify_int(IB(1), afl->stage_cycles[STAGE_EXTRA_OVERWRITE]),
+        u_stringify_int(IB(2), afl->stage_finds[STAGE_EXTRA_INSERT]),
+        u_stringify_int(IB(3), afl->stage_cycles[STAGE_EXTRA_INSERT]),
+        u_stringify_int(IB(4), afl->stage_finds[STAGE_AUTO_EXTRA_OVERWRITE]),
+        u_stringify_int(IB(5), afl->stage_cycles[STAGE_AUTO_EXTRA_OVERWRITE]),
+        u_stringify_int(IB(6), afl->stage_finds[STAGE_AUTO_EXTRA_INSERT]),
+        u_stringify_int(IB(7), afl->stage_cycles[STAGE_AUTO_EXTRA_INSERT]));
 
   } else if (unlikely(!afl->extras_cnt || afl->custom_only)) {
 

src/afl-fuzz.c

@@ -232,12 +232,8 @@ static void usage(u8 *argv0, int more_help) {
       "  -g minlength  - set min length of generated fuzz input (default: 1)\n"
       "  -G maxlength  - set max length of generated fuzz input (default: "
       "%lu)\n"
-      "  -L minutes    - use MOpt(imize) mode and set the time limit for "
-      "entering the\n"
-      "                  pacemaker mode (minutes of no new finds). 0 = "
-      "immediately,\n"
-      "                  -1 = immediately and together with normal mutation.\n"
-      "                  Note: this option is usually not very effective\n"
+      "  -L value      - use MOpt(imize) mode (the value is for backwards\n"
+      "                  compatability and ignored)\n"
       "  -u            - enable testcase splicing\n"
       "  -c program    - enable CmpLog by specifying a binary compiled for "
       "it.\n"
@@ -1306,43 +1302,10 @@ int main(int argc, char **argv_orig, char **envp) {
 
       case 'L': {                                              /* MOpt mode */
 
-        if (afl->limit_time_sig) { FATAL("Multiple -L options not supported"); }
-
         afl->havoc_max_mult = HAVOC_MAX_MULT_MOPT;
-
-        if (sscanf(optarg, "%d", &afl->limit_time_puppet) < 1) {
-
-          FATAL("Bad syntax used for -L");
-
-        }
-
-        if (afl->limit_time_puppet == -1) {
-
-          afl->limit_time_sig = -1;
-          afl->limit_time_puppet = 0;
-
-        } else if (afl->limit_time_puppet < 0) {
-
-          FATAL("-L value must be between 0 and 2000000 or -1");
-
-        } else {
-
-          afl->limit_time_sig = 1;
-
-        }
-
-        afl->old_seed_selection = 1;
-        u64 limit_time_puppet2 = afl->limit_time_puppet * 60 * 1000;
-
-        if ((s32)limit_time_puppet2 < afl->limit_time_puppet) {
-
-          FATAL("limit_time overflow");
-
-        }
-
-        afl->limit_time_puppet = limit_time_puppet2;
+        afl->limit_time_sig = 1;
         afl->swarm_now = 0;
-        if (afl->limit_time_puppet == 0) { afl->key_puppet = 1; }
+        afl->pacemaker_mode = 1;
 
         int j;
         int tmp_swarm = 0;
@@ -1352,12 +1315,12 @@ int main(int argc, char **argv_orig, char **envp) {
                          (afl->g_max) +
                      afl->w_end;
 
-        for (tmp_swarm = 0; tmp_swarm < swarm_num; ++tmp_swarm) {
+        for (tmp_swarm = 0; tmp_swarm < SWARM_NUM; ++tmp_swarm) {
 
           double total_puppet_temp = 0.0;
           afl->swarm_fitness[tmp_swarm] = 0.0;
 
-          for (j = 0; j < operator_num; ++j) {
+          for (j = 0; j < OPERATOR_NUM; ++j) {
 
             afl->stage_finds_puppet[tmp_swarm][j] = 0;
             afl->probability_now[tmp_swarm][j] = 0.0;
@@ -1371,7 +1334,7 @@ int main(int argc, char **argv_orig, char **envp) {
 
           }
 
-          for (j = 0; j < operator_num; ++j) {
+          for (j = 0; j < OPERATOR_NUM; ++j) {
 
             afl->stage_cycles_puppet_v2[tmp_swarm][j] =
                 afl->stage_cycles_puppet[tmp_swarm][j];
@@ -1384,7 +1347,7 @@ int main(int argc, char **argv_orig, char **envp) {
 
           double x_temp = 0.0;
 
-          for (j = 0; j < operator_num; ++j) {
+          for (j = 0; j < OPERATOR_NUM; ++j) {
 
             afl->probability_now[tmp_swarm][j] = 0.0;
             afl->v_now[tmp_swarm][j] =
@@ -1395,13 +1358,13 @@ int main(int argc, char **argv_orig, char **envp) {
 
             afl->x_now[tmp_swarm][j] += afl->v_now[tmp_swarm][j];
 
-            if (afl->x_now[tmp_swarm][j] > v_max) {
+            if (afl->x_now[tmp_swarm][j] > V_MAX) {
 
-              afl->x_now[tmp_swarm][j] = v_max;
+              afl->x_now[tmp_swarm][j] = V_MAX;
 
-            } else if (afl->x_now[tmp_swarm][j] < v_min) {
+            } else if (afl->x_now[tmp_swarm][j] < V_MIN) {
 
-              afl->x_now[tmp_swarm][j] = v_min;
+              afl->x_now[tmp_swarm][j] = V_MIN;
 
             }
 
@@ -1409,7 +1372,7 @@ int main(int argc, char **argv_orig, char **envp) {
 
           }
 
-          for (j = 0; j < operator_num; ++j) {
+          for (j = 0; j < OPERATOR_NUM; ++j) {
 
             afl->x_now[tmp_swarm][j] = afl->x_now[tmp_swarm][j] / x_temp;
             if (likely(j != 0)) {
@@ -1426,8 +1389,8 @@ int main(int argc, char **argv_orig, char **envp) {
 
           }
 
-          if (afl->probability_now[tmp_swarm][operator_num - 1] < 0.99 ||
-              afl->probability_now[tmp_swarm][operator_num - 1] > 1.01) {
+          if (afl->probability_now[tmp_swarm][OPERATOR_NUM - 1] < 0.99 ||
+              afl->probability_now[tmp_swarm][OPERATOR_NUM - 1] > 1.01) {
 
             FATAL("ERROR probability");
 
@@ -1435,7 +1398,7 @@ int main(int argc, char **argv_orig, char **envp) {
 
         }
 
-        for (j = 0; j < operator_num; ++j) {
+        for (j = 0; j < OPERATOR_NUM; ++j) {
 
           afl->core_operator_finds_puppet[j] = 0;
           afl->core_operator_finds_puppet_v2[j] = 0;
@@ -1445,10 +1408,6 @@ int main(int argc, char **argv_orig, char **envp) {
 
         }
 
-        WARNF(
-            "Note that the MOpt mode is not maintained and is not as effective "
-            "as normal havoc mode.");
-
       } break;
 
       case 'h':
@@ -2981,17 +2940,21 @@ int main(int argc, char **argv_orig, char **envp) {
             // if we did not use splicing (default) then activate it
             afl->use_splicing = 1;
 
-            // add MOpt mutator
-            /*
-            if (afl->limit_time_sig == 0 && !afl->custom_only &&
-                !afl->python_only) {
+            // switch MOpt mutator
+            if (!afl->custom_only) {
 
-              afl->limit_time_sig = -1;
-              afl->limit_time_puppet = 0;
+              if (afl->pacemaker_mode) {
+
+                afl->pacemaker_mode = 0;
+
+              } else {
+
+                afl->pacemaker_mode = 1;
+
+              }
 
             }
 
-            */
             afl->expand_havoc = 2;
             if (afl->cmplog_lvl && afl->cmplog_lvl < 2) afl->cmplog_lvl = 2;
             break;
@@ -3011,7 +2974,21 @@ int main(int argc, char **argv_orig, char **envp) {
             // 3;
             break;
           case 5:
-            // nothing else currently
+            // switch MOpt mutator back
+            if (!afl->custom_only) {
+
+              if (afl->pacemaker_mode) {
+
+                afl->pacemaker_mode = 0;
+
+              } else {
+
+                afl->pacemaker_mode = 1;
+
+              }
+
+            }
+
             break;
 
         }