author | Christian Holler (:decoder) <choller@mozilla.com> | 2024-06-19 12:36:58 +0200 |
---|---|---|
committer | Christian Holler (:decoder) <choller@mozilla.com> | 2024-06-19 12:36:58 +0200 |
commit | 8fcca6fb410a6ece1a4cd2eb8a2cdeed4d4d9865 (patch) | |
tree | 1bda28182c1dbf1f9570da2926f6f62be117f154 /src/afl-fuzz-run.c | |
parent | b8568034f0c120ab8500c03ed4982d641eaa88fb (diff) | |
download | afl++-8fcca6fb410a6ece1a4cd2eb8a2cdeed4d4d9865.tar.gz |
Collect persistent coverage data and dump it at the end of the run
With CODE_COVERAGE builds, we need to collect the coverage data of each iteration in a persistent buffer that has the same size as the regular trace buffer used for fuzzing. We dump this information at the end of the run and, when combined with pointer data and module info, it can be used to calculate code coverage.
Diffstat (limited to 'src/afl-fuzz-run.c')
-rw-r--r-- | src/afl-fuzz-run.c | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index 6a0da6ab..c234fc42 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -60,6 +60,27 @@ fuzz_run_target(afl_state_t *afl, afl_forkserver_t *fsrv, u32 timeout) {
   fsrv_run_result_t res = afl_fsrv_run_target(fsrv, timeout, &afl->stop_soon);
+#ifdef __AFL_CODE_COVERAGE
+  if (unlikely(!fsrv->persistent_trace_bits)) {
+
+    // On the first run, we allocate the persistent map to collect coverage.
+    fsrv->persistent_trace_bits = (u8 *)malloc(fsrv->map_size);
+    memset(fsrv->persistent_trace_bits, 0, fsrv->map_size);
+
+  }
+
+  for (u32 i = 0; i < fsrv->map_size; ++i) {
+
+    if (fsrv->persistent_trace_bits[i] != 255 && fsrv->trace_bits[i]) {
+
+      fsrv->persistent_trace_bits[i]++;
+
+    }
+
+  }
+
+#endif
+
   /* If post_run() function is defined in custom mutator, the function will
      be called each time after AFL++ executes the target program. */
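Review bot: The `malloc(fsrv->map_size)` result in the first-run branch is passed straight to `memset` without a NULL check, so an allocation failure becomes a NULL dereference on the hot path of `fuzz_run_target` instead of a clean abort. Since the buffer is zeroed anyway, the two lines collapse to `fsrv->persistent_trace_bits = (u8 *)calloc(fsrv->map_size, 1);` followed by `if (unlikely(!fsrv->persistent_trace_bits)) { PFATAL("calloc"); }` — or, if the file's convention is preferred, the project's zeroing `ck_alloc` wrapper, which already aborts on failure (confirm that it is in scope in this file). The `!= 255` saturation bound for the u8 hit counters would read more clearly as `UINT8_MAX` with a short comment that the counter saturates rather than wraps. Ownership of `persistent_trace_bits` (who frees it at the end of the run) is not visible in this hunk; a comment at the allocation naming the release point would help the next reader. The body of `fuzz_run_target` continues outside the hunk.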