authorvanhauser-thc <vh@thc.org>2022-08-14 12:24:42 +0200
committervanhauser-thc <vh@thc.org>2022-08-14 12:30:23 +0200
commit3200e6515b9cc988d0d8dccd27257baccc8df021 (patch)
tree6a3538d9e3d13a78a5227fca69258c46a9fb5c76 /src
parent89d6e306f29d1424012cdbb95d5cb18f6e36932f (diff)
downloadafl++-3200e6515b9cc988d0d8dccd27257baccc8df021.tar.gz
add AFL_NO_STARTUP_CALIBRATION feature
Diffstat (limited to 'src')
-rw-r--r--src/afl-fuzz-init.c24
-rw-r--r--src/afl-fuzz-queue.c10
-rw-r--r--src/afl-fuzz-state.c7
-rw-r--r--src/afl-fuzz.c13
4 files changed, 51 insertions, 3 deletions
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index 4ffcfd2b..32e2b7b8 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -850,6 +850,30 @@ void read_testcases(afl_state_t *afl, u8 *directory) {
 
 }
 
+/* In case no initial calibration is to be performed (e.g. huge queue and slow
+execution time), then setting AFL_NO_STARTUP_CALIBRATION will help getting
+initial data. For this to succeed, non-calibrated corpus entries have to look
+especially juicy so they are more likely to be selected then a calibrated good
+looking one. */
+
+void no_dry_run(afl_state_t *afl) {
+
+  struct queue_entry *q;
+  u32                 idx;
+
+  for (idx = 0; idx < afl->queued_items; idx++) {
+
+    q = afl->queue_buf[idx];
+    if (unlikely(!q || q->disabled)) { continue; }
+
+    q->exec_us = 1;
+    q->bitmap_size = MAP_SIZE;
+    q->tc_ref = MAP_SIZE;
+
+  }
+
+}
+
 /* Perform dry run of all test cases to confirm that the app is working as
    expected. This is done only for the initial inputs, and only once. */
 
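Review bot: `q->bitmap_size = MAP_SIZE;` and `q->tc_ref = MAP_SIZE;` in no_dry_run use the compile-time constant, while main() in the last hunk sizes the virgin maps with a runtime `map_size`, so these placeholder entries may claim a bitmap larger than any calibrated entry could ever report; if that is the intent ("especially juicy"), say so at the assignments, e.g. `/* deliberately larger than any real bitmap so uncalibrated seeds are scheduled first */`, and if a runtime size is preferred the forkserver's map size (presumably `afl->fsrv.map_size`) is the value main() uses. The header comment has a typo, "then a calibrated" should read "than a calibrated". No declaration of `no_dry_run` appears in this src-limited diffstat, so the call from afl-fuzz.c depends on include/afl-fuzz.h having been updated in the same commit; worth confirming, since an implicit declaration is an error in C99 and later.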
diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c
index 02d697ab..d8dbdfbe 100644
--- a/src/afl-fuzz-queue.c
+++ b/src/afl-fuzz-queue.c
@@ -795,8 +795,14 @@ void cull_queue(afl_state_t *afl) {
 
 u32 calculate_score(afl_state_t *afl, struct queue_entry *q) {
 
-  u32 avg_exec_us = afl->total_cal_us / afl->total_cal_cycles;
-  u32 avg_bitmap_size = afl->total_bitmap_size / afl->total_bitmap_entries;
+  u32 cal_cycles = afl->total_cal_cycles;
+  u32 bitmap_entries = afl->total_bitmap_entries;
+
+  if (unlikely(!cal_cycles)) { cal_cycles = 1; }
+  if (unlikely(!bitmap_entries)) { bitmap_entries = 1; }
+
+  u32 avg_exec_us = afl->total_cal_us / cal_cycles;
+  u32 avg_bitmap_size = afl->total_bitmap_size / bitmap_entries;
   u32 perf_score = 100;
 
   /* Adjust score based on execution speed of this path, compared to the
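Review bot: Substituting 1 for a zero `total_cal_cycles` or `total_bitmap_entries` avoids the division by zero, but it makes `avg_exec_us` and `avg_bitmap_size` come out as 0 (the totals are also 0 when nothing was calibrated), which is an average smaller than any real entry rather than "unknown"; the ratio comparisons that follow, which lie outside this hunk, would then rank every entry as slower and larger than average, and that may not be the intended treatment of uncalibrated seeds. If a neutral score is the goal, fall back to the entry's own values so the comparisons come out as "average": `u32 avg_exec_us = cal_cycles ? afl->total_cal_us / cal_cycles : q->exec_us;` and `u32 avg_bitmap_size = bitmap_entries ? afl->total_bitmap_size / bitmap_entries : q->bitmap_size;`, dropping the two `= 1` substitutions. Either way a one-line comment stating why the denominators can be zero (no startup calibration) would save the next reader a detour to afl-fuzz-init.c. calculate_score continues past the end of the hunk.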
diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c
index ddfd4b31..6770839a 100644
--- a/src/afl-fuzz-state.c
+++ b/src/afl-fuzz-state.c
@@ -265,6 +265,13 @@ void read_afl_environment(afl_state_t *afl, char **envp) {
             afl->afl_env.afl_cmplog_only_new =
                 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
 
+          } else if (!strncmp(env, "AFL_NO_STARTUP_CALIBRATION",
+
+                              afl_environment_variable_len)) {
+
+            afl->afl_env.afl_no_startup_calibration =
+                get_afl_env(afl_environment_variables[i]) ? 1 : 0;
+
           } else if (!strncmp(env, "AFL_NO_UI", afl_environment_variable_len)) {
 
             afl->afl_env.afl_no_ui =
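Review bot: The empty line inside the `strncmp(env, "AFL_NO_STARTUP_CALIBRATION",` argument list is a formatting slip; the neighbouring `AFL_NO_UI` branch shows the intended single-line form, `} else if (!strncmp(env, "AFL_NO_STARTUP_CALIBRATION", afl_environment_variable_len)) {`. This branch is only reachable if "AFL_NO_STARTUP_CALIBRATION" was also added to the `afl_environment_variables` table that this loop iterates and that `get_afl_env` is indexed with, presumably in include/envs.h, and `afl_no_startup_calibration` needs its field in the `afl_env` struct; neither is visible in this src-limited diffstat, so confirm both landed in the same commit, otherwise the variable is silently ignored. read_afl_environment starts and ends outside the hunk.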
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 2e151abb..e3851473 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -273,6 +273,7 @@ static void usage(u8 *argv0, int more_help) {
       "AFL_NO_CPU_RED: avoid red color for showing very high cpu usage\n"
       "AFL_NO_FORKSRV: run target via execve instead of using the forkserver\n"
       "AFL_NO_SNAPSHOT: do not use the snapshot feature (if the snapshot lkm is loaded)\n"
+      "AFL_NO_STARTUP_CALIBRATION: no initial seed calibration, start fuzzing at once\n"
       "AFL_NO_UI: switch status screen off\n"
 
       DYN_COLOR
@@ -2150,7 +2151,17 @@ int main(int argc, char **argv_orig, char **envp) {
   memset(afl->virgin_tmout, 255, map_size);
   memset(afl->virgin_crash, 255, map_size);
 
-  perform_dry_run(afl);
+  if (likely(!afl->afl_env.afl_no_startup_calibration)) {
+
+    perform_dry_run(afl);
+
+  } else {
+
+    ACTF("skipping initial seed calibration due option override");
+    usleep(1000);
+    no_dry_run(afl);
+
+  }
 
   if (afl->q_testcase_max_cache_entries) {