diff options
| author | Dominik Maier <domenukk@gmail.com> | 2020-03-19 22:54:09 +0100 |
|---|---|---|
| committer | Dominik Maier <domenukk@gmail.com> | 2020-03-19 22:54:09 +0100 |
| commit | 5b9d306cdfac1cb2a32373a0d4028abffb7ce979 (patch) | |
| tree | 573bb954c93f473d948a8c2bf6a34f612a82300a | |
| parent | 0fa47bb867bea6585abdeee0830acbf5b39db690 (diff) | |
| download | afl++-5b9d306cdfac1cb2a32373a0d4028abffb7ce979.tar.gz | |
no more (?) statics
| -rw-r--r-- | include/afl-fuzz.h | 13 | ||||
| -rw-r--r-- | src/afl-forkserver.c | 26 | ||||
| -rw-r--r-- | src/afl-fuzz-bitmap.c | 6 | ||||
| -rw-r--r-- | src/afl-fuzz-cmplog.c | 10 | ||||
| -rw-r--r-- | src/afl-fuzz-extras.c | 19 | ||||
| -rw-r--r-- | src/afl-fuzz-init.c | 13 | ||||
| -rw-r--r-- | src/afl-fuzz-misc.c | 88 | ||||
| -rw-r--r-- | src/afl-fuzz-mutators.c | 5 | ||||
| -rw-r--r-- | src/afl-fuzz-run.c | 7 | ||||
| -rw-r--r-- | src/afl-fuzz-stats.c | 178 |
10 files changed, 207 insertions, 158 deletions
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 28156268..1a798239 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -109,8 +109,9 @@ #define CASE_PREFIX "id_" #endif /* ^!SIMPLE_FILES */ -#define STAGE_BUF_SIZE (64) /* usable size of the stage name buf in afl_state \ - */ +#define STAGE_BUF_SIZE \ + (64) /* usable size of the stage name buf in afl_state \ + */ extern s8 interesting_8[INTERESTING_8_LEN]; extern s16 interesting_16[INTERESTING_8_LEN + INTERESTING_16_LEN]; @@ -801,10 +802,10 @@ u8 has_new_bits(afl_state_t *, u8 *); /* Misc */ -u8 * DI(u64); -u8 * DF(double); -u8 * DMS(u64); -void DTD(u8 *, size_t, u64, u64); +u8 *DI(u8 *, size_t, u64); +u8 *DF(u8 *, size_t, double); +u8 *DMS(u8 *, size_t, u64); +u8 *DTD(u8 *, size_t, u64, u64); /* Extras */ diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 6755a73c..75b69178 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -55,16 +55,16 @@ static void forkserver_stringify_int(u8 *buf, size_t len, u64 val) { u8 cur = 0; -#define CHK_FORMAT(_divisor, _limit_mult, _fmt, _cast) \ - do { \ - \ - if (val < (_divisor) * (_limit_mult)) { \ - \ - snprintf(buf, len, _fmt, ((_cast)val) / (_divisor));\ - return; \ - \ - } \ - \ +#define CHK_FORMAT(_divisor, _limit_mult, _fmt, _cast) \ + do { \ + \ + if (val < (_divisor) * (_limit_mult)) { \ + \ + snprintf(buf, len, _fmt, ((_cast)val) / (_divisor)); \ + return; \ + \ + } \ + \ } while (0) cur = (cur + 1) % 12; @@ -454,7 +454,8 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv) { } else { u8 mem_limit_buf[16]; - forkserver_stringify_int(mem_limit_buf, sizeof(mem_limit_buf), fsrv->mem_limit << 20); + forkserver_stringify_int(mem_limit_buf, sizeof(mem_limit_buf), + fsrv->mem_limit << 20); SAYF("\n" cLRD "[-] " cRST "Whoops, the target binary crashed suddenly, " @@ -524,7 +525,8 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv) { } else { u8 mem_limit_buf[16]; - forkserver_stringify_int(mem_limit_buf, sizeof(mem_limit_buf), fsrv->mem_limit << 20); + forkserver_stringify_int(mem_limit_buf, sizeof(mem_limit_buf), + fsrv->mem_limit << 20); SAYF( "\n" cLRD "[-] " cRST diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index de5d147e..86474adc 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -465,6 +465,8 @@ static void write_crash_readme(afl_state_t *afl) { s32 fd; FILE *f; + u8 int_buf[16]; + fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600); ck_free(fn); @@ -501,7 +503,9 @@ static void write_crash_readme(afl_state_t *afl) { " https://github.com/AFLplusplus/AFLplusplus\n\n", - afl->orig_cmdline, DMS(afl->fsrv.mem_limit << 20)); /* ignore errors */ + afl->orig_cmdline, + DMS(int_buf, sizeof(int_buf), + afl->fsrv.mem_limit << 20)); /* ignore errors */ fclose(f); diff --git a/src/afl-fuzz-cmplog.c b/src/afl-fuzz-cmplog.c index 6211548b..5f7909cc 100644 --- a/src/afl-fuzz-cmplog.c +++ b/src/afl-fuzz-cmplog.c @@ -264,6 +264,8 @@ void init_cmplog_forkserver(afl_state_t *afl) { } else { + u8 int_buf[16]; + SAYF("\n" cLRD "[-] " cRST "Whoops, the target binary crashed suddenly, " "before receiving any input\n" @@ -296,7 +298,8 @@ void init_cmplog_forkserver(afl_state_t *afl) { "options\n" " fail, poke <afl-users@googlegroups.com> for troubleshooting " "tips.\n", - DMS(afl->fsrv.mem_limit << 20), afl->fsrv.mem_limit - 1); + DMS(int_buf, sizeof(int_buf), afl->fsrv.mem_limit << 20), + afl->fsrv.mem_limit - 1); } @@ -331,6 +334,8 @@ void init_cmplog_forkserver(afl_state_t *afl) { } else { + u8 int_buf[16]; + SAYF( "\n" cLRD "[-] " cRST "Hmm, looks like the target binary terminated " @@ -362,7 +367,8 @@ void init_cmplog_forkserver(afl_state_t *afl) { "never\n" " reached before the program terminates.\n\n" : "", - DMS(afl->fsrv.mem_limit << 20), afl->fsrv.mem_limit - 1); + DMS(int_buf, sizeof(int_buf), afl->fsrv.mem_limit << 20), + afl->fsrv.mem_limit - 1); } diff --git a/src/afl-fuzz-extras.c b/src/afl-fuzz-extras.c index ff4c0ae2..256489f5 100644 --- a/src/afl-fuzz-extras.c +++ b/src/afl-fuzz-extras.c @@ -55,6 +55,8 @@ void load_extras_file(afl_state_t *afl, u8 *fname, u32 *min_len, u32 *max_len, u8 * lptr; u32 cur_line = 0; + u8 int_bufs[2][16]; + f = fopen(fname, "r"); if (!f) PFATAL("Unable to open '%s'", fname); @@ -170,8 +172,9 @@ void load_extras_file(afl_state_t *afl, u8 *fname, u32 *min_len, u32 *max_len, afl->extras[afl->extras_cnt].len = klen; if (afl->extras[afl->extras_cnt].len > MAX_DICT_FILE) - FATAL("Keyword too big in line %u (%s, limit is %s)", cur_line, DMS(klen), - DMS(MAX_DICT_FILE)); + FATAL("Keyword too big in line %u (%s, limit is %s)", cur_line, + DMS(int_bufs[0], sizeof(int_bufs[0]), klen), + DMS(int_bufs[1], sizeof(int_bufs[1]), MAX_DICT_FILE)); if (*min_len > klen) *min_len = klen; if (*max_len < klen) *max_len = klen; @@ -193,6 +196,8 @@ void load_extras(afl_state_t *afl, u8 *dir) { u32 min_len = MAX_DICT_FILE, max_len = 0, dict_level = 0; u8 * x; + u8 int_bufs[2][16]; + /* If the name ends with @, extract level and continue. */ if ((x = strchr(dir, '@'))) { @@ -238,8 +243,9 @@ void load_extras(afl_state_t *afl, u8 *dir) { } if (st.st_size > MAX_DICT_FILE) - FATAL("Extra '%s' is too big (%s, limit is %s)", fn, DMS(st.st_size), - DMS(MAX_DICT_FILE)); + FATAL("Extra '%s' is too big (%s, limit is %s)", fn, + DMS(int_bufs[0], sizeof(int_bufs[0]), st.st_size), + DMS(int_bufs[1], sizeof(int_bufs[1]), MAX_DICT_FILE)); if (min_len > st.st_size) min_len = st.st_size; if (max_len < st.st_size) max_len = st.st_size; @@ -273,11 +279,12 @@ check_and_sort: compare_extras_len); OKF("Loaded %u extra tokens, size range %s to %s.", afl->extras_cnt, - DMS(min_len), DMS(max_len)); + DMS(int_bufs[0], sizeof(int_bufs[0]), min_len), + DMS(int_bufs[1], sizeof(int_bufs[1]), max_len)); if (max_len > 32) WARNF("Some tokens are relatively large (%s) - consider trimming.", - DMS(max_len)); + DMS(int_bufs[0], sizeof(int_bufs[0]), max_len)); if (afl->extras_cnt > MAX_DET_EXTRAS) WARNF("More than %d tokens - will use them probabilistically.", diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 48ccbe9c..4d68ee78 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -323,6 +323,8 @@ void read_testcases(afl_state_t *afl) { u32 i; u8 * fn1; + u8 int_buf[12][16]; + /* Auto-detect non-in-place resumption attempts. */ fn1 = alloc_printf("%s/queue", afl->in_dir); @@ -389,8 +391,9 @@ void read_testcases(afl_state_t *afl) { } if (st.st_size > MAX_FILE) - FATAL("Test case '%s' is too big (%s, limit is %s)", fn2, DMS(st.st_size), - DMS(MAX_FILE)); + FATAL("Test case '%s' is too big (%s, limit is %s)", fn2, + DMS(int_buf[0], sizeof(int_buf[0]), st.st_size), + DMS(int_buf[1], sizeof(int_buf[1]), MAX_FILE)); /* Check for metadata that indicates that deterministic fuzzing is complete for this entry. We don't want to repeat deterministic @@ -553,6 +556,8 @@ void perform_dry_run(afl_state_t *afl) { if (afl->fsrv.mem_limit) { + u8 int_tmp[16]; + SAYF("\n" cLRD "[-] " cRST "Oops, the program crashed with one of the test cases provided. " "There are\n" @@ -593,8 +598,8 @@ void perform_dry_run(afl_state_t *afl) { "other options\n" " fail, poke <afl-users@googlegroups.com> for " "troubleshooting tips.\n", - DMS(afl->fsrv.mem_limit << 20), afl->fsrv.mem_limit - 1, - doc_path); + DMS(int_tmp, sizeof(int_tmp), afl->fsrv.mem_limit << 20), + afl->fsrv.mem_limit - 1, doc_path); } else { diff --git a/src/afl-fuzz-misc.c b/src/afl-fuzz-misc.c index 90e0ee8a..c6117bd9 100644 --- a/src/afl-fuzz-misc.c +++ b/src/afl-fuzz-misc.c @@ -25,27 +25,22 @@ #include "afl-fuzz.h" -/* Describe integer. Uses 12 cyclic static buffers for return values. The value - returned should be five characters or less for all the integers we reasonably - expect to see. */ - -u8 *DI(u64 val) { - - static u8 tmp[12][16]; - static u8 cur; - - cur = (cur + 1) % 12; - -#define CHK_FORMAT(_divisor, _limit_mult, _fmt, _cast) \ - do { \ - \ - if (val < (_divisor) * (_limit_mult)) { \ - \ - sprintf(tmp[cur], _fmt, ((_cast)val) / (_divisor)); \ - return tmp[cur]; \ - \ - } \ - \ +/* Describe integer. The buf should be + at least 6 bytes to fit all ints we randomly see. + Will return buf for convenience. */ + +u8 *DI(u8 *buf, size_t len, u64 val) { +\ +#define CHK_FORMAT(_divisor, _limit_mult, _fmt, _cast) \ + do { \ + \ + if (val < (_divisor) * (_limit_mult)) { \ + \ + snprintf(buf, len, _fmt, ((_cast)val) / (_divisor)); \ + return buf; \ + \ + } \ + \ } while (0) /* 0-9999 */ @@ -82,44 +77,38 @@ u8 *DI(u64 val) { CHK_FORMAT(1000LL * 1000 * 1000 * 1000, 99.95, "%0.01fT", double); /* 100T+ */ - strcpy(tmp[cur], "infty"); - return tmp[cur]; + strncpy(buf, "infty", len); + buf[len - 1] = '\0'; -} + return buf; -/* Describe float. Similar to the above, except with a single - static buffer. */ +} -u8 *DF(double val) { +/* Describe float. Similar as int. */ - static u8 tmp[16]; +u8 *DF(u8 *buf, size_t len, double val) { if (val < 99.995) { - sprintf(tmp, "%0.02f", val); - return tmp; + snprintf(buf, len, "%0.02f", val); - } + } else if (val < 999.95) { + + snprintf(buf, len, "%0.01f", val); - if (val < 999.95) { + } else { - sprintf(tmp, "%0.01f", val); - return tmp; + DI(buf, len, (u64)val); } - return DI((u64)val); + return buf; } /* Describe integer as memory size. */ -u8 *DMS(u64 val) { - - static u8 tmp[12][16]; - static u8 cur; - - cur = (cur + 1) % 12; +u8 *DMS(u8 *buf, size_t len, u64 val) { /* 0-9999 */ CHK_FORMAT(1, 10000, "%llu B", u64); @@ -157,17 +146,21 @@ u8 *DMS(u64 val) { #undef CHK_FORMAT /* 100T+ */ - strcpy(tmp[cur], "infty"); - return tmp[cur]; + strncpy(buf, "infty", len - 1); + buf[len - 1] = '\0'; + + return buf; } -/* Describe time delta as string. */ +/* Describe time delta as string. + Returns a pointer to buf for convenience. */ -void DTD(u8 *buf, size_t len, u64 cur_ms, u64 event_ms) { +u8 *DTD(u8 *buf, size_t len, u64 cur_ms, u64 event_ms) { u64 delta; s32 t_d, t_h, t_m, t_s; + u8 int_buf[16]; if (!event_ms) snprintf(buf, len, "none seen yet"); @@ -178,7 +171,10 @@ void DTD(u8 *buf, size_t len, u64 cur_ms, u64 event_ms) { t_m = (delta / 1000 / 60) % 60; t_s = (delta / 1000) % 60; - snprintf(buf, len, "%s days, %d hrs, %d min, %d sec", DI(t_d), t_h, t_m, t_s); + DI(int_buf, sizeof(int_buf), t_d); + snprintf(buf, len, "%s days, %d hrs, %d min, %d sec", int_buf, t_h, t_m, t_s); + + return buf; } diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c index 9788da49..032c61fe 100644 --- a/src/afl-fuzz-mutators.c +++ b/src/afl-fuzz-mutators.c @@ -196,6 +196,8 @@ u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) { u32 trim_exec = 0; u32 orig_len = q->len; + u8 int_buf[16]; + if (afl->stage_name != afl->stage_name_buf) afl->stage_name = afl->stage_name_buf; afl->bytes_trim_in += q->len; @@ -210,7 +212,8 @@ u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) { while (afl->stage_cur < afl->stage_max) { - snprintf(afl->stage_name_buf, STAGE_BUF_SIZE, "ptrim %s", DI(trim_exec)); + snprintf(afl->stage_name_buf, STAGE_BUF_SIZE, "ptrim %s", + DI(int_buf, sizeof(int_buf), trim_exec)); u32 cksum; diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 500c5ba2..c8153857 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -603,6 +603,8 @@ u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) { u32 remove_len; u32 len_p2; + u8 int_bufs[2][16]; + /* Although the trimmer will be less useful when variable behavior is detected, it will still work to some extent, so we don't check for this. */ @@ -626,8 +628,9 @@ u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) { u32 remove_pos = remove_len; - snprintf(afl->stage_name_buf, STAGE_BUF_SIZE, "trim %s/%s", DI(remove_len), - DI(remove_len)); + snprintf(afl->stage_name_buf, STAGE_BUF_SIZE, "trim %s/%s", + DI(int_bufs[0], sizeof(int_bufs[0]), remove_len), + DI(int_bufs[1], sizeof(int_bufs[1]), remove_len)); afl->stage_cur = 0; afl->stage_max = q->len / remove_len; diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index c89820d8..dcd4f542 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -201,6 +201,9 @@ void show_stats(afl_state_t *afl) { u8 tmp[256]; u8 time_tmp[64]; + u8 int_buf[16][16]; +#define IB(i) int_buf[(i)], sizeof(int_buf[(i)]) + cur_ms = get_cur_time(); /* If not enough time has passed since last UI update, bail out. */ @@ -390,7 +393,7 @@ void show_stats(afl_state_t *afl) { DTD(time_tmp, sizeof(time_tmp), cur_ms, afl->start_time); SAYF(bV bSTOP " run time : " cRST "%-33s " bSTG bV bSTOP " cycles done : %s%-5s " bSTG bV "\n", - time_tmp, tmp, DI(afl->queue_cycle - 1)); + time_tmp, tmp, DI(IB(0), afl->queue_cycle - 1)); /* We want to warn people about not seeing new paths after a full cycle, except when resuming fuzzing or running in non-instrumented mode. */ @@ -417,12 +420,12 @@ void show_stats(afl_state_t *afl) { } SAYF(bSTG bV bSTOP " total paths : " cRST "%-5s " bSTG bV "\n", - DI(afl->queued_paths)); + DI(IB(0), afl->queued_paths)); /* Highlight crashes in red if found, denote going over the KEEP_UNIQUE_CRASH limit with a '+' appended to the count. */ - sprintf(tmp, "%s%s", DI(afl->unique_crashes), + sprintf(tmp, "%s%s", DI(IB(0), afl->unique_crashes), (afl->unique_crashes >= KEEP_UNIQUE_CRASH) ? "+" : ""); DTD(time_tmp, sizeof(time_tmp), cur_ms, afl->last_crash_time); @@ -430,7 +433,7 @@ void show_stats(afl_state_t *afl) { " uniq crashes : %s%-6s" bSTG bV "\n", time_tmp, afl->unique_crashes ? cLRD : cRST, tmp); - sprintf(tmp, "%s%s", DI(afl->unique_hangs), + sprintf(tmp, "%s%s", DI(IB(0), afl->unique_hangs), (afl->unique_hangs >= KEEP_UNIQUE_HANG) ? "+" : ""); DTD(time_tmp, sizeof(time_tmp), cur_ms, afl->last_hang_time); @@ -446,7 +449,7 @@ void show_stats(afl_state_t *afl) { together, but then cram them into a fixed-width field - so we need to put them in a temporary buffer first. */ - sprintf(tmp, "%s%s%u (%0.01f%%)", DI(afl->current_entry), + sprintf(tmp, "%s%s%u (%0.01f%%)", DI(IB(0), afl->current_entry), afl->queue_cur->favored ? "." : "*", afl->queue_cur->fuzz_level, ((double)afl->current_entry * 100) / afl->queued_paths); @@ -460,7 +463,7 @@ void show_stats(afl_state_t *afl) { : ((t_bytes < 200 && !afl->dumb_mode) ? cPIN : cRST), tmp); - sprintf(tmp, "%s (%0.02f%%)", DI(afl->cur_skipped_paths), + sprintf(tmp, "%s (%0.02f%%)", DI(IB(0), afl->cur_skipped_paths), ((double)afl->cur_skipped_paths * 100) / afl->queued_paths); SAYF(bV bSTOP " paths timed out : " cRST "%-16s " bSTG bV, tmp); @@ -473,7 +476,7 @@ void show_stats(afl_state_t *afl) { " stage progress " bSTG bH10 bH5 bH2 bH2 bX bH bSTOP cCYA " findings in depth " bSTG bH10 bH5 bH2 bH2 bVL "\n"); - sprintf(tmp, "%s (%0.02f%%)", DI(afl->queued_favored), + sprintf(tmp, "%s (%0.02f%%)", DI(IB(0), afl->queued_favored), ((double)afl->queued_favored) * 100 / afl->queued_paths); /* Yeah... it's still going on... halp? */ @@ -484,37 +487,38 @@ void show_stats(afl_state_t *afl) { if (!afl->stage_max) { - sprintf(tmp, "%s/-", DI(afl->stage_cur)); + sprintf(tmp, "%s/-", DI(IB(0), afl->stage_cur)); } else { - sprintf(tmp, "%s/%s (%0.02f%%)", DI(afl->stage_cur), DI(afl->stage_max), + sprintf(tmp, "%s/%s (%0.02f%%)", DI(IB(0), afl->stage_cur), + DI(IB(1), afl->stage_max), ((double)afl->stage_cur) * 100 / afl->stage_max); } SAYF(bV bSTOP " stage execs : " cRST "%-21s" bSTG bV bSTOP, tmp); - sprintf(tmp, "%s (%0.02f%%)", DI(afl->queued_with_cov), + sprintf(tmp, "%s (%0.02f%%)", DI(IB(0), afl->queued_with_cov), ((double)afl->queued_with_cov) * 100 / afl->queued_paths); SAYF(" new edges on : " cRST "%-22s" bSTG bV "\n", tmp); - sprintf(tmp, "%s (%s%s unique)", DI(afl->total_crashes), - DI(afl->unique_crashes), + sprintf(tmp, "%s (%s%s unique)", DI(IB(0), afl->total_crashes), + DI(IB(1), afl->unique_crashes), (afl->unique_crashes >= KEEP_UNIQUE_CRASH) ? "+" : ""); if (afl->crash_mode) { SAYF(bV bSTOP " total execs : " cRST "%-20s " bSTG bV bSTOP " new crashes : %s%-22s" bSTG bV "\n", - DI(afl->total_execs), afl->unique_crashes ? cLRD : cRST, tmp); + DI(IB(0), afl->total_execs), afl->unique_crashes ? cLRD : cRST, tmp); } else { SAYF(bV bSTOP " total execs : " cRST "%-20s " bSTG bV bSTOP " total crashes : %s%-22s" bSTG bV "\n", - DI(afl->total_execs), afl->unique_crashes ? cLRD : cRST, tmp); + DI(IB(0), afl->total_execs), afl->unique_crashes ? cLRD : cRST, tmp); } @@ -522,21 +526,21 @@ void show_stats(afl_state_t *afl) { if (afl->stats_avg_exec < 100) { - sprintf(tmp, "%s/sec (%s)", DF(afl->stats_avg_exec), - afl->stats_avg_exec < 20 ? "zzzz..." : "slow!"); + snprintf(tmp, sizeof(tmp), "%s/sec (%s)", DF(IB(0), afl->stats_avg_exec), + afl->stats_avg_exec < 20 ? "zzzz..." : "slow!"); SAYF(bV bSTOP " exec speed : " cLRD "%-20s ", tmp); } else { - sprintf(tmp, "%s/sec", DF(afl->stats_avg_exec)); + snprintf(tmp, sizeof(tmp), "%s/sec", DF(IB(0), afl->stats_avg_exec)); SAYF(bV bSTOP " exec speed : " cRST "%-20s ", tmp); } - sprintf(tmp, "%s (%s%s unique)", DI(afl->total_tmouts), - DI(afl->unique_tmouts), - (afl->unique_hangs >= KEEP_UNIQUE_HANG) ? "+" : ""); + snprintf(tmp, sizeof(tmp), "%s (%s%s unique)", DI(IB(0), afl->total_tmouts), + DI(IB(1), afl->unique_tmouts), + (afl->unique_hangs >= KEEP_UNIQUE_HANG) ? "+" : ""); SAYF(bSTG bV bSTOP " total tmouts : " cRST "%-22s" bSTG bV "\n", tmp); @@ -548,74 +552,84 @@ void show_stats(afl_state_t *afl) { if (afl->skip_deterministic) { - strcpy(tmp, "n/a, n/a, n/a"); + strncpy(tmp, "n/a, n/a, n/a", sizeof(tmp) - 1); + tmp[sizeof(tmp) - 1] = '\0'; } else { - sprintf( - tmp, "%s/%s, %s/%s, %s/%s", DI(afl->stage_finds[STAGE_FLIP1]), - DI(afl->stage_cycles[STAGE_FLIP1]), DI(afl->stage_finds[STAGE_FLIP2]), - DI(afl->stage_cycles[STAGE_FLIP2]), DI(afl->stage_finds[STAGE_FLIP4]), - DI(afl->stage_cycles[STAGE_FLIP4])); + snprintf(tmp, sizeof(tmp), "%s/%s, %s/%s, %s/%s", + DI(IB(0), afl->stage_finds[STAGE_FLIP1]), + DI(IB(1), afl->stage_cycles[STAGE_FLIP1]), + DI(IB(2), afl->stage_finds[STAGE_FLIP2]), + DI(IB(3), afl->stage_cycles[STAGE_FLIP2]), + DI(IB(3), afl->stage_finds[STAGE_FLIP4]), + DI(IB(5), afl->stage_cycles[STAGE_FLIP4])); } SAYF(bV bSTOP " bit flips : " cRST "%-36s " bSTG bV bSTOP " levels : " cRST "%-10s" bSTG bV "\n", - tmp, DI(afl->max_depth)); + tmp, DI(IB(0), afl->max_depth)); if (!afl->skip_deterministic) - sprintf( - tmp, "%s/%s, %s/%s, %s/%s", DI(afl->stage_finds[STAGE_FLIP8]), - DI(afl->stage_cycles[STAGE_FLIP8]), DI(afl->stage_finds[STAGE_FLIP16]), - DI(afl->stage_cycles[STAGE_FLIP16]), DI(afl->stage_finds[STAGE_FLIP32]), - DI(afl->stage_cycles[STAGE_FLIP32])); + snprintf(tmp, sizeof(tmp), "%s/%s, %s/%s, %s/%s", + DI(IB(0), afl->stage_finds[STAGE_FLIP8]), + DI(IB(1), afl->stage_cycles[STAGE_FLIP8]), + DI(IB(2), afl->stage_finds[STAGE_FLIP16]), + DI(IB(3), afl->stage_cycles[STAGE_FLIP16]), + DI(IB(4), afl->stage_finds[STAGE_FLIP32]), + DI(IB(5), afl->stage_cycles[STAGE_FLIP32])); SAYF(bV bSTOP " byte flips : " cRST "%-36s " bSTG bV bSTOP " pending : " cRST "%-10s" bSTG bV "\n", - tmp, DI(afl->pending_not_fuzzed)); + tmp, DI(IB(0), afl->pending_not_fuzzed)); if (!afl->skip_deterministic) - sprintf(tmp, "%s/%s, %s/%s, %s/%s", DI(afl->stage_finds[STAGE_ARITH8]), - DI(afl->stage_cycles[STAGE_ARITH8]), - DI(afl->stage_finds[STAGE_ARITH16]), - DI(afl->stage_cycles[STAGE_ARITH16]), - DI(afl->stage_finds[STAGE_ARITH32]), - DI(afl->stage_cycles[STAGE_ARITH32])); + snprintf(tmp, sizeof(tmp), "%s/%s, %s/%s, %s/%s", + DI(IB(0), afl->stage_finds[STAGE_ARITH8]), + DI(IB(1), afl->stage_cycles[STAGE_ARITH8]), + DI(IB(2), afl->stage_finds[STAGE_ARITH16]), + DI(IB(3), afl->stage_cycles[STAGE_ARITH16]), + DI(IB(4), afl->stage_finds[STAGE_ARITH32]), + DI(IB(5), afl->stage_cycles[STAGE_ARITH32])); SAYF(bV bSTOP " arithmetics : " cRST "%-36s " bSTG bV bSTOP " pend fav : " cRST "%-10s" bSTG bV "\n", - tmp, DI(afl->pending_favored)); + tmp, DI(IB(0), afl->pending_favored)); if (!afl->skip_deterministic) - sprintf(tmp, "%s/%s, %s/%s, %s/%s", DI(afl->stage_finds[STAGE_INTEREST8]), - DI(afl->stage_cycles[STAGE_INTEREST8]), - DI(afl->stage_finds[STAGE_INTEREST16]), - DI(afl->stage_cycles[STAGE_INTEREST16]), - DI(afl->stage_finds[STAGE_INTEREST32]), - DI(afl->stage_cycles[STAGE_INTEREST32])); + sprintf(tmp, "%s/%s, %s/%s, %s/%s", + DI(IB(0), afl->stage_finds[STAGE_INTEREST8]), + DI(IB(1), afl->stage_cycles[STAGE_INTEREST8]), + DI(IB(2), afl->stage_finds[STAGE_INTEREST16]), + DI(IB(3), afl->stage_cycles[STAGE_INTEREST16]), + DI(IB(4), afl->stage_finds[STAGE_INTEREST32]), + DI(IB(5), afl->stage_cycles[STAGE_INTEREST32])); SAYF(bV bSTOP " known ints : " cRST "%-36s " bSTG bV bSTOP " own finds : " cRST "%-10s" bSTG bV "\n", - tmp, DI(afl->queued_discovered)); + tmp, DI(IB(0), afl->queued_discovered)); if (!afl->skip_deterministic) - sprintf(tmp, "%s/%s, %s/%s, %s/%s", DI(afl->stage_finds[STAGE_EXTRAS_UO]), - DI(afl->stage_cycles[STAGE_EXTRAS_UO]), - DI(afl->stage_finds[STAGE_EXTRAS_UI]), - DI(afl->stage_cycles[STAGE_EXTRAS_UI]), - DI(afl->stage_finds[STAGE_EXTRAS_AO]), - DI(afl->stage_cycles[STAGE_EXTRAS_AO])); + snprintf(tmp, sizeof(tmp), "%s/%s, %s/%s, %s/%s", + DI(IB(0), afl->stage_finds[STAGE_EXTRAS_UO]), + DI(IB(1), afl->stage_cycles[STAGE_EXTRAS_UO]), + DI(IB(2), afl->stage_finds[STAGE_EXTRAS_UI]), + DI(IB(3), afl->stage_cycles[STAGE_EXTRAS_UI]), + DI(IB(4), afl->stage_finds[STAGE_EXTRAS_AO]), + DI(IB(5), afl->stage_cycles[STAGE_EXTRAS_AO])); SAYF(bV bSTOP " dictionary : " cRST "%-36s " bSTG bV bSTOP " imported : " cRST "%-10s" bSTG bV "\n", - tmp, afl->sync_id ? DI(afl->queued_imported) : (u8 *)"n/a"); + tmp, afl->sync_id ? DI(IB(0), afl->queued_imported) : (u8 *)"n/a"); - sprintf( - tmp, "%s/%s, %s/%s, %s/%s", DI(afl->stage_finds[STAGE_HAVOC]), - DI(afl->stage_cycles[STAGE_HAVOC]), DI(afl->stage_finds[STAGE_SPLICE]), - DI(afl->stage_cycles[STAGE_SPLICE]), DI(afl->stage_finds[STAGE_RADAMSA]), - DI(afl->stage_cycles[STAGE_RADAMSA])); + snprintf(tmp, sizeof(tmp), "%s/%s, %s/%s, %s/%s", + DI(IB(0), afl->stage_finds[STAGE_HAVOC]), + DI(IB(2), afl->stage_cycles[STAGE_HAVOC]), + DI(IB(3), afl->stage_finds[STAGE_SPLICE]), + DI(IB(4), afl->stage_cycles[STAGE_SPLICE]), + DI(IB(5), afl->stage_finds[STAGE_RADAMSA]), + DI(IB(6), afl->stage_cycles[STAGE_RADAMSA])); SAYF(bV bSTOP " havoc/rad : " cRST "%-36s " bSTG bV bSTOP, tmp); @@ -635,24 +649,26 @@ void show_stats(afl_state_t *afl) { if (afl->shm.cmplog_mode) { - sprintf(tmp, "%s/%s, %s/%s, %s/%s, %s/%s", - DI(afl->stage_finds[STAGE_PYTHON]), - DI(afl->stage_cycles[STAGE_PYTHON]), - DI(afl->stage_finds[STAGE_CUSTOM_MUTATOR]), - DI(afl->stage_cycles[STAGE_CUSTOM_MUTATOR]), - DI(afl->stage_finds[STAGE_COLORIZATION]), - DI(afl->stage_cycles[STAGE_COLORIZATION]), - DI(afl->stage_finds[STAGE_ITS]), DI(afl->stage_cycles[STAGE_ITS])); + snprintf(tmp, sizeof(tmp), "%s/%s, %s/%s, %s/%s, %s/%s", + DI(IB(0), afl->stage_finds[STAGE_PYTHON]), + DI(IB(1), afl->stage_cycles[STAGE_PYTHON]), + DI(IB(2), afl->stage_finds[STAGE_CUSTOM_MUTATOR]), + DI(IB(3), afl->stage_cycles[STAGE_CUSTOM_MUTATOR]), + DI(IB(4), afl->stage_finds[STAGE_COLORIZATION]), + DI(IB(5), afl->stage_cycles[STAGE_COLORIZATION]), + DI(IB(6), afl->stage_finds[STAGE_ITS]), + DI(IB(7), afl->stage_cycles[STAGE_ITS])); SAYF(bV bSTOP " custom/rq : " cRST "%-36s " bSTG bVR bH20 bH2 bH bRB "\n", tmp); } else { - sprintf(tmp, "%s/%s, %s/%s", DI(afl->stage_finds[STAGE_PYTHON]), - DI(afl->stage_cycles[STAGE_PYTHON]), - DI(afl->stage_finds[STAGE_CUSTOM_MUTATOR]), - DI(afl->stage_cycles[STAGE_CUSTOM_MUTATOR])); + snprintf(tmp, sizeof(tmp), "%s/%s, %s/%s", + DI(IB(0), afl->stage_finds[STAGE_PYTHON]), + DI(IB(1), afl->stage_cycles[STAGE_PYTHON]), + DI(IB(2), afl->stage_finds[STAGE_CUSTOM_MUTATOR]), + DI(IB(3), afl->stage_cycles[STAGE_CUSTOM_MUTATOR])); SAYF(bV bSTOP " py/custom : " cRST "%-36s " bSTG bVR bH20 bH2 bH bRB "\n", tmp); @@ -668,7 +684,7 @@ void show_stats(afl_state_t *afl) { sprintf(tmp, "%0.02f%%/%s, ", ((double)(afl->bytes_trim_in - afl->bytes_trim_out)) * 100 / afl->bytes_trim_in, - DI(afl->trim_execs)); + DI(IB(0), afl->trim_execs)); } @@ -693,8 +709,8 @@ void show_stats(afl_state_t *afl) { if (afl->mutator) { - sprintf(tmp, "%s/%s", DI(afl->stage_finds[STAGE_CUSTOM_MUTATOR]), - DI(afl->stage_cycles[STAGE_CUSTOM_MUTATOR])); + sprintf(tmp, "%s/%s", DI(IB(0), afl->stage_finds[STAGE_CUSTOM_MUTATOR]), + DI(IB(1), afl->stage_cycles[STAGE_CUSTOM_MUTATOR])); SAYF(bV bSTOP " custom mut. : " cRST "%-36s " bSTG bV RESET_G1, tmp); } else { @@ -749,6 +765,8 @@ void show_stats(afl_state_t *afl) { /* Last line */ SAYF(SET_G1 "\n" bSTG bLB bH30 bH20 bH2 bRB bSTOP cRST RESET_G1); +#undef IB + /* Hallelujah! */ fflush(0); @@ -767,6 +785,9 @@ void show_init_stats(afl_state_t *afl) { u64 avg_us = 0; u32 max_len = 0; + u8 int_buf[12][16]; +#define IB(i) int_buf[(i)], sizeof(int_buf[(i)]) + if (afl->total_cal_cycles) avg_us = afl->total_cal_us / afl->total_cal_cycles; while (q) { @@ -802,10 +823,10 @@ void show_init_stats(afl_state_t *afl) { if (max_len > 50 * 1024) WARNF(cLRD "Some test cases are huge (%s) - see %s/perf_tips.md!", - DMS(max_len), doc_path); + DMS(IB(0), max_len), doc_path); else if (max_len > 10 * 1024) - WARNF("Some test cases are big (%s) - see %s/perf_tips.md.", DMS(max_len), - doc_path); + WARNF("Some test cases are big (%s) - see %s/perf_tips.md.", + DMS(IB(0), max_len), doc_path); if (afl->useless_at_start && !afl->in_bitmap) WARNF(cLRD "Some test cases look useless. Consider using a smaller set."); @@ -829,7 +850,7 @@ void show_init_stats(afl_state_t *afl) { max_bits, ((double)afl->total_bitmap_size) / (afl->total_bitmap_entries ? afl->total_bitmap_entries : 1), - DI(min_us), DI(max_us), DI(avg_us)); + DI(IB(0), min_us), DI(IB(1), max_us), DI(IB(2), avg_us)); if (!afl->timeout_given) { @@ -873,6 +894,7 @@ void show_init_stats(afl_state_t *afl) { afl->hang_tmout = MIN(EXEC_TIMEOUT, afl->fsrv.exec_tmout * 2 + 100); OKF("All set and ready to roll!"); +#undef IB } |