authorvan Hauser <vh@thc.org>2023-09-11 12:54:21 +0000
committerGitHub <noreply@github.com>2023-09-11 12:54:21 +0000
commit9f023d482bf4deace3b2f3d726a1bf7062511087 (patch)
treed9f99fec6352900147f3b51fd5e7572d68a0e521 /src
parent87b33740ea426bac276a9eb4bc5f201bd396b6dc (diff)
parenta8185f8ff294d937e6074f148f6b4c971ca02cee (diff)
downloadafl++-9f023d482bf4deace3b2f3d726a1bf7062511087.tar.gz
Merge branch 'dev' into reinit
Diffstat (limited to 'src')
-rw-r--r--src/afl-forkserver.c1
-rw-r--r--src/afl-fuzz-one.c13
-rw-r--r--src/afl-fuzz-queue.c19
-rw-r--r--src/afl-fuzz.c50
4 files changed, 68 insertions, 15 deletions
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index 9da096f7..07f5a1a9 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -272,6 +272,7 @@ void afl_fsrv_init_dup(afl_forkserver_t *fsrv_to, afl_forkserver_t *from) {
fsrv_to->uses_crash_exitcode = from->uses_crash_exitcode;
fsrv_to->crash_exitcode = from->crash_exitcode;
fsrv_to->child_kill_signal = from->child_kill_signal;
+ fsrv_to->fsrv_kill_signal = from->fsrv_kill_signal;
fsrv_to->debug = from->debug;
// These are forkserver specific.
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index c2b7e583..db88f239 100644
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@@ -3442,7 +3442,12 @@ abandon_entry:
--afl->pending_not_fuzzed;
afl->queue_cur->was_fuzzed = 1;
afl->reinit_table = 1;
- if (afl->queue_cur->favored) { --afl->pending_favored; }
+ if (afl->queue_cur->favored) {
+
+ --afl->pending_favored;
+ afl->smallest_favored = -1;
+
+ }
}
@@ -5906,8 +5911,10 @@ pacemaker_fuzzing:
--afl->pending_not_fuzzed;
afl->queue_cur->was_fuzzed = 1;
afl->reinit_table = 1
- if (afl->queue_cur->favored) { --afl->pending_favored; }
-
+ if (afl->queue_cur->favored) {
+ --afl->pending_favored;
+ afl->smallest_favored = -1;
+ }
}
}
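Review bot: The context line `afl->reinit_table = 1` immediately above the added `if` carries no terminating semicolon, so as shown the new block would parse as `afl->reinit_table = 1 if (...)` and not compile; unless this is an artifact of the page rendering, that line should read `afl->reinit_table = 1;`. The same three-statement epilogue (`was_fuzzed = 1`, `reinit_table = 1`, favored bookkeeping with `smallest_favored = -1`) now appears both here under `pacemaker_fuzzing` and in the `abandon_entry` hunk above; a small `static` helper such as `mark_entry_fuzzed(afl)` called from both places would keep the two paths from drifting the next time this bookkeeping changes. The enclosing function continues outside the hunk.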
diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c
index 78c1d654..ce9718b0 100644
--- a/src/afl-fuzz-queue.c
+++ b/src/afl-fuzz-queue.c
@@ -738,7 +738,11 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) {
u64 top_rated_fav_factor;
u64 top_rated_fuzz_p2;
- if (likely(afl->schedule >= FAST && afl->schedule <= RARE)) {
+ if (likely(afl->schedule >= FAST && afl->schedule < RARE)) {
+
+ top_rated_fuzz_p2 = 0; // Skip the fuzz_p2 comparison
+
+ } else if (unlikely(afl->schedule == RARE)) {
top_rated_fuzz_p2 =
next_pow2(afl->n_fuzz[afl->top_rated[i]->n_fuzz_entry]);
@@ -827,6 +831,8 @@ void cull_queue(afl_state_t *afl) {
/* Let's see if anything in the bitmap isn't captured in temp_v.
If yes, and if it has a afl->top_rated[] contender, let's use it. */
+ afl->smallest_favored = -1;
+
for (i = 0; i < afl->fsrv.map_size; ++i) {
if (afl->top_rated[i] && (temp_v[i >> 3] & (1 << (i & 7)))) {
@@ -850,7 +856,16 @@ void cull_queue(afl_state_t *afl) {
afl->top_rated[i]->favored = 1;
++afl->queued_favored;
- if (!afl->top_rated[i]->was_fuzzed) { ++afl->pending_favored; }
+ if (!afl->top_rated[i]->was_fuzzed) {
+
+ ++afl->pending_favored;
+ if (unlikely(afl->smallest_favored < 0)) {
+
+ afl->smallest_favored = (s64)afl->top_rated[i]->id;
+
+ }
+
+ }
}
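Review bot: `afl->smallest_favored` is assigned the id of the first unfuzzed favored entry met while walking `top_rated[]` in map-index order, which is not necessarily the smallest id, so the field name promises more than the loop computes. If "first in map order" is the intent, a comment on the assignment such as `// first (not necessarily lowest-id) unfuzzed favored entry, in map order` would prevent misreading; if a minimal id is intended, the guard should be `if (afl->smallest_favored < 0 || (s64)afl->top_rated[i]->id < afl->smallest_favored)`. Either way the choice should be documented next to the field's reset to `-1` earlier in cull_queue. cull_queue continues outside the hunk.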
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 768a5bbd..a3d5e300 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -2707,22 +2707,52 @@ int main(int argc, char **argv_orig, char **envp) {
if (likely(!afl->old_seed_selection)) {
- if (unlikely(prev_queued_items < afl->queued_items ||
- afl->reinit_table)) {
+ if (likely(afl->pending_favored && afl->smallest_favored >= 0)) {
- // we have new queue entries since the last run, recreate alias table
- prev_queued_items = afl->queued_items;
- create_alias_table(afl);
+ afl->current_entry = afl->smallest_favored;
- }
+ /*
- do {
+ } else {
- afl->current_entry = select_next_queue_entry(afl);
+ for (s32 iter = afl->queued_items - 1; iter >= 0; --iter)
+ {
- } while (unlikely(afl->current_entry >= afl->queued_items));
+ if (unlikely(afl->queue_buf[iter]->favored &&
+ !afl->queue_buf[iter]->was_fuzzed)) {
- afl->queue_cur = afl->queue_buf[afl->current_entry];
+ afl->current_entry = iter;
+ break;
+
+ }
+
+ }
+
+ */
+
+ afl->queue_cur = afl->queue_buf[afl->current_entry];
+
+ } else {
+
+ if (unlikely(prev_queued_items < afl->queued_items ||
+ afl->reinit_table)) {
+
+ // we have new queue entries since the last run, recreate alias
+ // table
+ prev_queued_items = afl->queued_items;
+ create_alias_table(afl);
+
+ }
+
+ do {
+
+ afl->current_entry = select_next_queue_entry(afl);
+
+ } while (unlikely(afl->current_entry >= afl->queued_items));
+
+ afl->queue_cur = afl->queue_buf[afl->current_entry];
+
+ }
}
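Review bot: The new fast path assigns `afl->current_entry = afl->smallest_favored;` without the `current_entry >= afl->queued_items` guard that the fallback path still applies in its do/while, and it narrows an `s64` id into `current_entry` if that field is a narrower unsigned type; a check before the assignment, `if (unlikely(afl->smallest_favored >= afl->queued_items)) { afl->smallest_favored = -1; }` followed by the existing fallback, would keep a stale id from indexing past `queue_buf`. The commented-out `/* ... */` scan over `queue_buf` (`for (s32 iter = afl->queued_items - 1; ...)`) is dead code and should be deleted rather than left in the function. Because this path never updates `prev_queued_items` or clears `reinit_table`, the alias-table rebuild is deferred until no unfuzzed favored entry remains; that looks intentional but deserves a one-line comment, e.g. `// favored entries are served directly; the alias table is only rebuilt once we fall back to it`. main continues outside the hunk.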