diff options
| author | vanhauser-thc <vh@thc.org> | 2021-12-09 13:22:10 +0100 |
|---|---|---|
| committer | vanhauser-thc <vh@thc.org> | 2021-12-09 13:22:10 +0100 |
| commit | 9063002af22e916701588248eca2fd2669e4d0df (patch) | |
| tree | 89dce15383ef3db54faddc39acf68551b3fefa98 /src | |
| parent | 4c6d94ea5f854071277ed9729de2d4ef7d07cc84 (diff) | |
| download | afl++-9063002af22e916701588248eca2fd2669e4d0df.tar.gz | |
rename path
Diffstat (limited to 'src')
| -rw-r--r-- | src/afl-fuzz-bitmap.c | 24 | ||||
| -rw-r--r-- | src/afl-fuzz-cmplog.c | 4 | ||||
| -rw-r--r-- | src/afl-fuzz-init.c | 44 | ||||
| -rw-r--r-- | src/afl-fuzz-one.c | 146 | ||||
| -rw-r--r-- | src/afl-fuzz-queue.c | 34 | ||||
| -rw-r--r-- | src/afl-fuzz-redqueen.c | 14 | ||||
| -rw-r--r-- | src/afl-fuzz-run.c | 4 | ||||
| -rw-r--r-- | src/afl-fuzz-stats.c | 279 | ||||
| -rw-r--r-- | src/afl-fuzz-statsd.c | 82 | ||||
| -rw-r--r-- | src/afl-fuzz.c | 46 |
10 files changed, 339 insertions, 338 deletions
diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index fa413dcf..2d88896f 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -491,13 +491,13 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { #ifndef SIMPLE_FILES queue_fn = alloc_printf( - "%s/queue/id:%06u,%s", afl->out_dir, afl->queued_paths, + "%s/queue/id:%06u,%s", afl->out_dir, afl->queued_items, describe_op(afl, new_bits, NAME_MAX - strlen("id:000000,"))); #else queue_fn = - alloc_printf("%s/queue/id_%06u", afl->out_dir, afl->queued_paths); + alloc_printf("%s/queue/id_%06u", afl->out_dir, afl->queued_items); #endif /* ^!SIMPLE_FILES */ fd = open(queue_fn, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION); @@ -586,7 +586,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { ++afl->total_tmouts; - if (afl->unique_hangs >= KEEP_UNIQUE_HANG) { return keeping; } + if (afl->saved_hangs >= KEEP_UNIQUE_HANG) { return keeping; } if (likely(!afl->non_instrumented_mode)) { @@ -603,7 +603,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { } - ++afl->unique_tmouts; + ++afl->saved_tmouts; #ifdef INTROSPECTION if (afl->custom_mutators_count && afl->current_custom_fuzz) { @@ -661,17 +661,17 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { #ifndef SIMPLE_FILES snprintf(fn, PATH_MAX, "%s/hangs/id:%06llu,%s", afl->out_dir, - afl->unique_hangs, + afl->saved_hangs, describe_op(afl, 0, NAME_MAX - strlen("id:000000,"))); #else snprintf(fn, PATH_MAX, "%s/hangs/id_%06llu", afl->out_dir, - afl->unique_hangs); + afl->saved_hangs); #endif /* ^!SIMPLE_FILES */ - ++afl->unique_hangs; + ++afl->saved_hangs; afl->last_hang_time = get_cur_time(); @@ -687,7 +687,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { ++afl->total_crashes; - if (afl->unique_crashes >= KEEP_UNIQUE_CRASH) { return keeping; } + if (afl->saved_crashes >= KEEP_UNIQUE_CRASH) { return keeping; } if (likely(!afl->non_instrumented_mode)) { @@ -699,22 +699,22 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { } - if (unlikely(!afl->unique_crashes)) { write_crash_readme(afl); } + if (unlikely(!afl->saved_crashes)) { write_crash_readme(afl); } #ifndef SIMPLE_FILES snprintf(fn, PATH_MAX, "%s/crashes/id:%06llu,sig:%02u,%s", afl->out_dir, - afl->unique_crashes, afl->fsrv.last_kill_signal, + afl->saved_crashes, afl->fsrv.last_kill_signal, describe_op(afl, 0, NAME_MAX - strlen("id:000000,sig:00,"))); #else snprintf(fn, PATH_MAX, "%s/crashes/id_%06llu_%02u", afl->out_dir, - afl->unique_crashes, afl->last_kill_signal); + afl->saved_crashes, afl->last_kill_signal); #endif /* ^!SIMPLE_FILES */ - ++afl->unique_crashes; + ++afl->saved_crashes; #ifdef INTROSPECTION if (afl->custom_mutators_count && afl->current_custom_fuzz) { diff --git a/src/afl-fuzz-cmplog.c b/src/afl-fuzz-cmplog.c index 6fc926f0..28a3ae3f 100644 --- a/src/afl-fuzz-cmplog.c +++ b/src/afl-fuzz-cmplog.c @@ -59,7 +59,7 @@ u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { if (afl->subseq_tmouts++ > TMOUT_LIMIT) { - ++afl->cur_skipped_paths; + ++afl->cur_skipped_items; return 1; } @@ -76,7 +76,7 @@ u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { if (afl->skip_requested) { afl->skip_requested = 0; - ++afl->cur_skipped_paths; + ++afl->cur_skipped_items; return 1; } diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 4c030c0a..3a0e0801 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -638,8 +638,8 @@ void read_foreign_testcases(afl_state_t *afl, int first) { if (first) { - afl->last_path_time = 0; - afl->queued_at_start = afl->queued_paths; + afl->last_find_time = 0; + afl->queued_at_start = afl->queued_items; } @@ -812,7 +812,7 @@ void read_testcases(afl_state_t *afl, u8 *directory) { free(nl); /* not tracked */ - if (!afl->queued_paths && directory == NULL) { + if (!afl->queued_items && directory == NULL) { SAYF("\n" cLRD "[-] " cRST "Looks like there are no valid test cases in the input directory! The " @@ -841,8 +841,8 @@ void read_testcases(afl_state_t *afl, u8 *directory) { } - afl->last_path_time = 0; - afl->queued_at_start = afl->queued_paths; + afl->last_find_time = 0; + afl->queued_at_start = afl->queued_items; } @@ -855,7 +855,7 @@ void perform_dry_run(afl_state_t *afl) { u32 cal_failures = 0, idx; u8 * use_mem; - for (idx = 0; idx < afl->queued_paths; idx++) { + for (idx = 0; idx < afl->queued_items; idx++) { q = afl->queue_buf[idx]; if (unlikely(!q || q->disabled)) { continue; } @@ -1059,14 +1059,14 @@ void perform_dry_run(afl_state_t *afl) { q->perf_score = 0; u32 i = 0; - while (unlikely(i < afl->queued_paths && afl->queue_buf[i] && + while (unlikely(i < afl->queued_items && afl->queue_buf[i] && afl->queue_buf[i]->disabled)) { ++i; } - if (i < afl->queued_paths && afl->queue_buf[i]) { + if (i < afl->queued_items && afl->queue_buf[i]) { afl->queue = afl->queue_buf[i]; @@ -1077,7 +1077,7 @@ void perform_dry_run(afl_state_t *afl) { } afl->max_depth = 0; - for (i = 0; i < afl->queued_paths && likely(afl->queue_buf[i]); i++) { + for (i = 0; i < afl->queued_items && likely(afl->queue_buf[i]); i++) { if (!afl->queue_buf[i]->disabled && afl->queue_buf[i]->depth > afl->max_depth) @@ -1118,16 +1118,16 @@ void perform_dry_run(afl_state_t *afl) { if (cal_failures) { - if (cal_failures == afl->queued_paths) { + if (cal_failures == afl->queued_items) { FATAL("All test cases time out or crash, giving up!"); } WARNF("Skipped %u test cases (%0.02f%%) due to timeouts or crashes.", - cal_failures, ((double)cal_failures) * 100 / afl->queued_paths); + cal_failures, ((double)cal_failures) * 100 / afl->queued_items); - if (cal_failures * 5 > afl->queued_paths) { + if (cal_failures * 5 > afl->queued_items) { WARNF(cLRD "High percentage of rejected test cases, check settings!"); @@ -1139,14 +1139,14 @@ void perform_dry_run(afl_state_t *afl) { u32 duplicates = 0, i; - for (idx = 0; idx < afl->queued_paths; idx++) { + for (idx = 0; idx < afl->queued_items; idx++) { q = afl->queue_buf[idx]; if (!q || q->disabled || q->cal_failed || !q->exec_cksum) { continue; } u32 done = 0; for (i = idx + 1; - i < afl->queued_paths && !done && likely(afl->queue_buf[i]); i++) { + i < afl->queued_items && !done && likely(afl->queue_buf[i]); i++) { struct queue_entry *p = afl->queue_buf[i]; if (p->disabled || p->cal_failed || !p->exec_cksum) { continue; } @@ -1196,7 +1196,7 @@ void perform_dry_run(afl_state_t *afl) { afl->max_depth = 0; - for (idx = 0; idx < afl->queued_paths; idx++) { + for (idx = 0; idx < afl->queued_items; idx++) { if (afl->queue_buf[idx] && !afl->queue_buf[idx]->disabled && afl->queue_buf[idx]->depth > afl->max_depth) @@ -1254,7 +1254,7 @@ void pivot_inputs(afl_state_t *afl) { ACTF("Creating hard links for all input files..."); - for (i = 0; i < afl->queued_paths && likely(afl->queue_buf[i]); i++) { + for (i = 0; i < afl->queued_items && likely(afl->queue_buf[i]); i++) { q = afl->queue_buf[i]; @@ -1293,7 +1293,7 @@ void pivot_inputs(afl_state_t *afl) { if (src_str && sscanf(src_str + 1, "%06u", &src_id) == 1) { - if (src_id < afl->queued_paths) { + if (src_id < afl->queued_items) { struct queue_entry *s = afl->queue_buf[src_id]; @@ -1391,11 +1391,11 @@ u32 find_start_position(afl_state_t *afl) { (void)i; /* Ignore errors */ close(fd); - off = strstr(tmp, "cur_path : "); + off = strstr(tmp, "cur_item : "); if (!off) { return 0; } ret = atoi(off + 20); - if (ret >= afl->queued_paths) { ret = 0; } + if (ret >= afl->queued_items) { ret = 0; } return ret; } @@ -2040,9 +2040,9 @@ void setup_dirs_fds(afl_state_t *afl) { fprintf( afl->fsrv.plot_file, - "# relative_time, cycles_done, cur_path, paths_total, " - "pending_total, pending_favs, map_size, unique_crashes, " - "unique_hangs, max_depth, execs_per_sec, total_execs, edges_found\n"); + "# relative_time, cycles_done, cur_item, corpus_count, " + "pending_total, pending_favs, map_size, saved_crashes, " + "saved_hangs, max_depth, execs_per_sec, total_execs, edges_found\n"); } else { diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index f4d3b77f..96c32a86 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -423,7 +423,7 @@ u8 fuzz_one_original(afl_state_t *afl) { } else if (!afl->non_instrumented_mode && !afl->queue_cur->favored && - afl->queued_paths > 10) { + afl->queued_items > 10) { /* Otherwise, still possibly skip non-favored cases, albeit less often. The odds of skipping stuff are higher for already-fuzzed inputs and @@ -449,7 +449,7 @@ u8 fuzz_one_original(afl_state_t *afl) { ACTF( "Fuzzing test case #%u (%u total, %llu uniq crashes found, " "perf_score=%0.0f, exec_us=%llu, hits=%u, map=%u, ascii=%u)...", - afl->current_entry, afl->queued_paths, afl->unique_crashes, + afl->current_entry, afl->queued_items, afl->saved_crashes, afl->queue_cur->perf_score, afl->queue_cur->exec_us, likely(afl->n_fuzz) ? afl->n_fuzz[afl->queue_cur->n_fuzz_entry] : 0, afl->queue_cur->bitmap_size, afl->queue_cur->is_ascii); @@ -492,7 +492,7 @@ u8 fuzz_one_original(afl_state_t *afl) { if (unlikely(afl->stop_soon) || res != afl->crash_mode) { - ++afl->cur_skipped_paths; + ++afl->cur_skipped_items; goto abandon_entry; } @@ -519,7 +519,7 @@ u8 fuzz_one_original(afl_state_t *afl) { if (unlikely(afl->stop_soon)) { - ++afl->cur_skipped_paths; + ++afl->cur_skipped_items; goto abandon_entry; } @@ -566,8 +566,8 @@ u8 fuzz_one_original(afl_state_t *afl) { if (afl->cmplog_lvl == 3 || (afl->cmplog_lvl == 2 && afl->queue_cur->tc_ref) || afl->queue_cur->favored || - !(afl->fsrv.total_execs % afl->queued_paths) || - get_cur_time() - afl->last_path_time > 300000) { // 300 seconds + !(afl->fsrv.total_execs % afl->queued_items) || + get_cur_time() - afl->last_find_time > 300000) { // 300 seconds if (input_to_state_stage(afl, in_buf, out_buf, len)) { @@ -630,7 +630,7 @@ u8 fuzz_one_original(afl_state_t *afl) { afl->stage_val_type = STAGE_VAL_NONE; - orig_hit_cnt = afl->queued_paths + afl->unique_crashes; + orig_hit_cnt = afl->queued_items + afl->saved_crashes; prev_cksum = afl->queue_cur->exec_cksum; @@ -734,7 +734,7 @@ u8 fuzz_one_original(afl_state_t *afl) { } - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_FLIP1] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP1] += afl->stage_max; @@ -766,7 +766,7 @@ u8 fuzz_one_original(afl_state_t *afl) { } - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_FLIP2] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP2] += afl->stage_max; @@ -802,7 +802,7 @@ u8 fuzz_one_original(afl_state_t *afl) { } - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_FLIP4] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP4] += afl->stage_max; @@ -909,7 +909,7 @@ u8 fuzz_one_original(afl_state_t *afl) { afl->blocks_eff_total += EFF_ALEN(len); - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_FLIP8] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP8] += afl->stage_max; @@ -952,7 +952,7 @@ u8 fuzz_one_original(afl_state_t *afl) { } - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_FLIP16] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP16] += afl->stage_max; @@ -995,7 +995,7 @@ u8 fuzz_one_original(afl_state_t *afl) { } - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_FLIP32] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP32] += afl->stage_max; @@ -1087,7 +1087,7 @@ skip_bitflip: } - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_ARITH8] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_ARITH8] += afl->stage_max; @@ -1217,7 +1217,7 @@ skip_bitflip: } - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_ARITH16] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_ARITH16] += afl->stage_max; @@ -1346,7 +1346,7 @@ skip_bitflip: } - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_ARITH32] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_ARITH32] += afl->stage_max; @@ -1412,7 +1412,7 @@ skip_arith: } - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_INTEREST8] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_INTEREST8] += afl->stage_max; @@ -1500,7 +1500,7 @@ skip_arith: } - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_INTEREST16] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_INTEREST16] += afl->stage_max; @@ -1589,7 +1589,7 @@ skip_arith: } - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_INTEREST32] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_INTEREST32] += afl->stage_max; @@ -1662,7 +1662,7 @@ skip_interest: } - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_EXTRAS_UO] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_EXTRAS_UO] += afl->stage_max; @@ -1718,7 +1718,7 @@ skip_interest: } - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_EXTRAS_UI] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_EXTRAS_UI] += afl->stage_max; @@ -1776,7 +1776,7 @@ skip_user_extras: } - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_EXTRAS_AO] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_EXTRAS_AO] += afl->stage_max; @@ -1806,7 +1806,7 @@ custom_mutator_stage: const u32 max_seed_size = MAX_FILE, saved_max = afl->stage_max; - orig_hit_cnt = afl->queued_paths + afl->unique_crashes; + orig_hit_cnt = afl->queued_items + afl->saved_crashes; #ifdef INTROSPECTION afl->mutation[0] = 0; @@ -1850,7 +1850,7 @@ custom_mutator_stage: do { - tid = rand_below(afl, afl->queued_paths); + tid = rand_below(afl, afl->queued_items); } while (unlikely(tid == afl->current_entry || @@ -1890,7 +1890,7 @@ custom_mutator_stage: /* If we're finding new stuff, let's run for a bit longer, limits permitting. */ - if (afl->queued_paths != havoc_queued) { + if (afl->queued_items != havoc_queued) { if (perf_score <= afl->havoc_max_mult * 100) { @@ -1899,7 +1899,7 @@ custom_mutator_stage: } - havoc_queued = afl->queued_paths; + havoc_queued = afl->queued_items; } @@ -1926,7 +1926,7 @@ custom_mutator_stage: if (!has_custom_fuzz) goto havoc_stage; - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_CUSTOM_MUTATOR] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_CUSTOM_MUTATOR] += afl->stage_max; @@ -1972,9 +1972,9 @@ havoc_stage: temp_len = len; - orig_hit_cnt = afl->queued_paths + afl->unique_crashes; + orig_hit_cnt = afl->queued_items + afl->saved_crashes; - havoc_queued = afl->queued_paths; + havoc_queued = afl->queued_items; if (afl->custom_mutators_count) { @@ -2023,7 +2023,7 @@ havoc_stage: } - if (unlikely(get_cur_time() - afl->last_path_time > 5000 /* 5 seconds */ && + if (unlikely(get_cur_time() - afl->last_find_time > 5000 /* 5 seconds */ && afl->ready_for_splicing_count > 1)) { /* add expensive havoc cases here if there is no findings in the last 5s */ @@ -2669,7 +2669,7 @@ havoc_stage: u32 tid; do { - tid = rand_below(afl, afl->queued_paths); + tid = rand_below(afl, afl->queued_items); } while (tid == afl->current_entry || afl->queue_buf[tid]->len < 4); @@ -2757,7 +2757,7 @@ havoc_stage: /* If we're finding new stuff, let's run for a bit longer, limits permitting. */ - if (afl->queued_paths != havoc_queued) { + if (afl->queued_items != havoc_queued) { if (perf_score <= afl->havoc_max_mult * 100) { @@ -2766,13 +2766,13 @@ havoc_stage: } - havoc_queued = afl->queued_paths; + havoc_queued = afl->queued_items; } } - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; if (!splice_cycle) { @@ -2821,7 +2821,7 @@ retry_splicing: do { - tid = rand_below(afl, afl->queued_paths); + tid = rand_below(afl, afl->queued_items); } while (tid == afl->current_entry || afl->queue_buf[tid]->len < 4); @@ -2945,7 +2945,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { } else if (!afl->non_instrumented_mode && !afl->queue_cur->favored && - afl->queued_paths > 10) { + afl->queued_items > 10) { /* Otherwise, still possibly skip non-favored cases, albeit less often. The odds of skipping stuff are higher for already-fuzzed inputs and @@ -2969,7 +2969,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { if (afl->not_on_tty) { ACTF("Fuzzing test case #%u (%u total, %llu uniq crashes found)...", - afl->current_entry, afl->queued_paths, afl->unique_crashes); + afl->current_entry, afl->queued_items, afl->saved_crashes); fflush(stdout); } @@ -3010,7 +3010,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { if (afl->stop_soon || res != afl->crash_mode) { - ++afl->cur_skipped_paths; + ++afl->cur_skipped_items; goto abandon_entry; } @@ -3037,7 +3037,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { if (unlikely(afl->stop_soon)) { - ++afl->cur_skipped_paths; + ++afl->cur_skipped_items; goto abandon_entry; } @@ -3082,8 +3082,8 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { if (afl->cmplog_lvl == 3 || (afl->cmplog_lvl == 2 && afl->queue_cur->tc_ref) || - !(afl->fsrv.total_execs % afl->queued_paths) || - get_cur_time() - afl->last_path_time > 300000) { // 300 seconds + !(afl->fsrv.total_execs % afl->queued_items) || + get_cur_time() - afl->last_find_time > 300000) { // 300 seconds if (input_to_state_stage(afl, in_buf, out_buf, len)) { @@ -3101,10 +3101,10 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { cur_ms_lv = get_cur_time(); if (!(afl->key_puppet == 0 && - ((cur_ms_lv - afl->last_path_time < (u32)afl->limit_time_puppet) || + ((cur_ms_lv - afl->last_find_time < (u32)afl->limit_time_puppet) || (afl->last_crash_time != 0 && cur_ms_lv - afl->last_crash_time < (u32)afl->limit_time_puppet) || - afl->last_path_time == 0))) { + afl->last_find_time == 0))) { afl->key_puppet = 1; goto pacemaker_fuzzing; @@ -3156,7 +3156,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { afl->stage_val_type = STAGE_VAL_NONE; - orig_hit_cnt = afl->queued_paths + afl->unique_crashes; + orig_hit_cnt = afl->queued_items + afl->saved_crashes; prev_cksum = afl->queue_cur->exec_cksum; @@ -3259,7 +3259,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { } /* for afl->stage_cur */ - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_FLIP1] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP1] += afl->stage_max; @@ -3290,7 +3290,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { } /* for afl->stage_cur */ - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_FLIP2] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP2] += afl->stage_max; @@ -3325,7 +3325,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { } /* for afl->stage_cur */ - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_FLIP4] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP4] += afl->stage_max; @@ -3431,7 +3431,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { afl->blocks_eff_total += EFF_ALEN(len); - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_FLIP8] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP8] += afl->stage_max; @@ -3473,7 +3473,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { } /* for i = 0; i < len */ - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_FLIP16] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP16] += afl->stage_max; @@ -3515,7 +3515,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { } /* for i = 0; i < len - 3 */ - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_FLIP32] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP32] += afl->stage_max; @@ -3605,7 +3605,7 @@ skip_bitflip: } /* for i = 0; i < len */ - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_ARITH8] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_ARITH8] += afl->stage_max; @@ -3731,7 +3731,7 @@ skip_bitflip: } /* for i = 0; i < len - 1 */ - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_ARITH16] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_ARITH16] += afl->stage_max; @@ -3856,7 +3856,7 @@ skip_bitflip: } /* for i = 0; i < len - 3 */ - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_ARITH32] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_ARITH32] += afl->stage_max; @@ -3921,7 +3921,7 @@ skip_arith: } /* for i = 0; i < len */ - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_INTEREST8] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_INTEREST8] += afl->stage_max; @@ -4007,7 +4007,7 @@ skip_arith: } /* for i = 0; i < len - 1 */ - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_INTEREST16] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_INTEREST16] += afl->stage_max; @@ -4094,7 +4094,7 @@ skip_arith: } /* for i = 0; i < len - 3 */ - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_INTEREST32] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_INTEREST32] += afl->stage_max; @@ -4167,7 +4167,7 @@ skip_interest: } /* for i = 0; i < len */ - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_EXTRAS_UO] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_EXTRAS_UO] += afl->stage_max; @@ -4223,7 +4223,7 @@ skip_interest: } /* for i = 0; i <= len */ - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_EXTRAS_UI] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_EXTRAS_UI] += afl->stage_max; @@ -4282,7 +4282,7 @@ skip_user_extras: } /* for i = 0; i < len */ - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_EXTRAS_AO] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_EXTRAS_AO] += afl->stage_max; @@ -4335,7 +4335,7 @@ pacemaker_fuzzing: if (unlikely(afl->orig_hit_cnt_puppet == 0)) { - afl->orig_hit_cnt_puppet = afl->queued_paths + afl->unique_crashes; + afl->orig_hit_cnt_puppet = afl->queued_items + afl->saved_crashes; afl->last_limit_time_start = get_cur_time(); afl->SPLICE_CYCLES_puppet = (rand_below( @@ -4380,9 +4380,9 @@ pacemaker_fuzzing: temp_len = len; - orig_hit_cnt = afl->queued_paths + afl->unique_crashes; + orig_hit_cnt = afl->queued_items + afl->saved_crashes; - havoc_queued = afl->queued_paths; + havoc_queued = afl->queued_items; u32 r_max; @@ -4948,7 +4948,7 @@ pacemaker_fuzzing: u32 tid; do { - tid = rand_below(afl, afl->queued_paths); + tid = rand_below(afl, afl->queued_items); } while (tid == afl->current_entry || @@ -5029,7 +5029,7 @@ pacemaker_fuzzing: ++*MOpt_globals.pTime; - u64 temp_total_found = afl->queued_paths + afl->unique_crashes; + u64 temp_total_found = afl->queued_items + afl->saved_crashes; if (common_fuzz_stuff(afl, out_buf, temp_len)) { @@ -5048,7 +5048,7 @@ pacemaker_fuzzing: /* If we're finding new stuff, let's run for a bit longer, limits permitting. */ - if (afl->queued_paths != havoc_queued) { + if (afl->queued_items != havoc_queued) { if (perf_score <= afl->havoc_max_mult * 100) { @@ -5057,15 +5057,15 @@ pacemaker_fuzzing: } - havoc_queued = afl->queued_paths; + havoc_queued = afl->queued_items; } - if (unlikely(afl->queued_paths + afl->unique_crashes > + if (unlikely(afl->queued_items + afl->saved_crashes > temp_total_found)) { u64 temp_temp_puppet = - afl->queued_paths + afl->unique_crashes - temp_total_found; + afl->queued_items + afl->saved_crashes - temp_total_found; afl->total_puppet_find = afl->total_puppet_find + temp_temp_puppet; if (MOpt_globals.is_pilot_mode) { @@ -5099,7 +5099,7 @@ pacemaker_fuzzing: ++afl->stage_cur) { */ - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; if (MOpt_globals.is_pilot_mode) { @@ -5149,7 +5149,7 @@ pacemaker_fuzzing: do { - tid = rand_below(afl, afl->queued_paths); + tid = rand_below(afl, afl->queued_items); } while (tid == afl->current_entry || afl->queue_buf[tid]->len < 4); @@ -5235,8 +5235,8 @@ pacemaker_fuzzing: if (afl->key_puppet == 1) { if (unlikely( - afl->queued_paths + afl->unique_crashes > - ((afl->queued_paths + afl->unique_crashes) * limit_time_bound + + afl->queued_items + afl->saved_crashes > + ((afl->queued_items + afl->saved_crashes) * limit_time_bound + afl->orig_hit_cnt_puppet))) { afl->key_puppet = 0; @@ -5251,7 +5251,7 @@ pacemaker_fuzzing: afl->total_pacemaker_time += *MOpt_globals.pTime; *MOpt_globals.pTime = 0; - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; if (MOpt_globals.is_pilot_mode) { diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c index 1523d556..fd5610ca 100644 --- a/src/afl-fuzz-queue.c +++ b/src/afl-fuzz-queue.c @@ -31,7 +31,7 @@ inline u32 select_next_queue_entry(afl_state_t *afl) { - u32 s = rand_below(afl, afl->queued_paths); + u32 s = rand_below(afl, afl->queued_items); double p = rand_next_percent(afl); /* fprintf(stderr, "select: p=%f s=%u ... p < prob[s]=%f ? s=%u : alias[%u]=%u" @@ -69,7 +69,7 @@ double compute_weight(afl_state_t *afl, struct queue_entry *q, void create_alias_table(afl_state_t *afl) { - u32 n = afl->queued_paths, i = 0, a, g; + u32 n = afl->queued_items, i = 0, a, g; double sum = 0; afl->alias_table = @@ -547,19 +547,19 @@ void add_to_queue(afl_state_t *afl, u8 *fname, u32 len, u8 passed_det) { if (likely(q->len > 4)) afl->ready_for_splicing_count++; - ++afl->queued_paths; + ++afl->queued_items; ++afl->active_paths; ++afl->pending_not_fuzzed; afl->cycles_wo_finds = 0; struct queue_entry **queue_buf = afl_realloc( - AFL_BUF_PARAM(queue), afl->queued_paths * sizeof(struct queue_entry *)); + AFL_BUF_PARAM(queue), afl->queued_items * sizeof(struct queue_entry *)); if (unlikely(!queue_buf)) { PFATAL("alloc"); } - queue_buf[afl->queued_paths - 1] = q; - q->id = afl->queued_paths - 1; + queue_buf[afl->queued_items - 1] = q; + q->id = afl->queued_items - 1; - afl->last_path_time = get_cur_time(); + afl->last_find_time = get_cur_time(); if (afl->custom_mutators_count) { @@ -583,7 +583,7 @@ void destroy_queue(afl_state_t *afl) { u32 i; - for (i = 0; i < afl->queued_paths; i++) { + for (i = 0; i < afl->queued_items; i++) { struct queue_entry *q; @@ -737,7 +737,7 @@ void cull_queue(afl_state_t *afl) { afl->queued_favored = 0; afl->pending_favored = 0; - for (i = 0; i < afl->queued_paths; i++) { + for (i = 0; i < afl->queued_items; i++) { afl->queue_buf[i]->favored = 0; @@ -782,7 +782,7 @@ void cull_queue(afl_state_t *afl) { } - for (i = 0; i < afl->queued_paths; i++) { + for (i = 0; i < afl->queued_items; i++) { if (likely(!afl->queue_buf[i]->disabled)) { @@ -915,7 +915,7 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) { } - u32 n_paths; + u32 n_items; double factor = 1.0; long double fuzz_mu; @@ -933,26 +933,26 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) { case COE: fuzz_mu = 0.0; - n_paths = 0; + n_items = 0; // Don't modify perf_score for unfuzzed seeds if (q->fuzz_level == 0) break; u32 i; - for (i = 0; i < afl->queued_paths; i++) { + for (i = 0; i < afl->queued_items; i++) { if (likely(!afl->queue_buf[i]->disabled)) { fuzz_mu += log2(afl->n_fuzz[afl->queue_buf[i]->n_fuzz_entry]); - n_paths++; + n_items++; } } - if (unlikely(!n_paths)) { FATAL("Queue state corrupt"); } + if (unlikely(!n_items)) { FATAL("Queue state corrupt"); } - fuzz_mu = fuzz_mu / n_paths; + fuzz_mu = fuzz_mu / n_items; if (log2(afl->n_fuzz[q->n_fuzz_entry]) > fuzz_mu) { @@ -1018,7 +1018,7 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) { -- rare. the simpler algo however is good when rare is not. // the newer the entry, the higher the pref_score perf_score *= (1 + (double)((double)q->depth / - (double)afl->queued_paths)); + (double)afl->queued_items)); // with special focus on the last 8 entries if (afl->max_depth - q->depth < 8) perf_score *= (1 + ((8 - (afl->max_depth - q->depth)) / 5)); diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 0a6e5eee..240bd708 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -276,7 +276,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, #endif u64 orig_hit_cnt, new_hit_cnt, exec_cksum; - orig_hit_cnt = afl->queued_paths + afl->unique_crashes; + orig_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_name = "colorization"; afl->stage_short = "colorization"; @@ -424,7 +424,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, } - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; #if defined(_DEBUG) || defined(CMPLOG_INTROSPECTION) FILE *f = stderr; @@ -517,7 +517,7 @@ static u8 its_fuzz(afl_state_t *afl, u8 *buf, u32 len, u8 *status) { u64 orig_hit_cnt, new_hit_cnt; - orig_hit_cnt = afl->queued_paths + afl->unique_crashes; + orig_hit_cnt = afl->queued_items + afl->saved_crashes; #ifdef _DEBUG dump("DATA", buf, len); @@ -525,7 +525,7 @@ static u8 its_fuzz(afl_state_t *afl, u8 *buf, u32 len, u8 *status) { if (unlikely(common_fuzz_stuff(afl, buf, len))) { return 1; } - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; if (unlikely(new_hit_cnt != orig_hit_cnt)) { @@ -2720,7 +2720,7 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len) { u64 orig_hit_cnt, new_hit_cnt; u64 orig_execs = afl->fsrv.total_execs; - orig_hit_cnt = afl->queued_paths + afl->unique_crashes; + orig_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_name = "input-to-state"; afl->stage_short = "its"; @@ -2845,7 +2845,7 @@ exit_its: } #ifdef CMPLOG_COMBINE - if (afl->queued_paths + afl->unique_crashes > orig_hit_cnt + 1) { + if (afl->queued_items + afl->saved_crashes > orig_hit_cnt + 1) { // copy the current virgin bits so we can recover the information u8 *virgin_save = afl_realloc((void **)&afl->eff_buf, afl->shm.map_size); @@ -2897,7 +2897,7 @@ exit_its: #endif - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + new_hit_cnt = afl->queued_items + afl->saved_crashes; afl->stage_finds[STAGE_ITS] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_ITS] += afl->fsrv.total_execs - orig_execs; diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 2789b56f..d730876a 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -953,7 +953,7 @@ common_fuzz_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { if (afl->subseq_tmouts++ > TMOUT_LIMIT) { - ++afl->cur_skipped_paths; + ++afl->cur_skipped_items; return 1; } @@ -970,7 +970,7 @@ common_fuzz_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { if (afl->skip_requested) { afl->skip_requested = 0; - ++afl->cur_skipped_paths; + ++afl->cur_skipped_items; return 1; } diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 152bebe9..5016095f 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -147,10 +147,10 @@ void load_stats_file(afl_state_t *afl) { afl->fsrv.total_execs = strtoull(lptr, &nptr, 10); break; case 10: - if (!strcmp(keystring, "paths_total ")) { + if (!strcmp(keystring, "corpus_count ")) { - u32 paths_total = strtoul(lptr, &nptr, 10); - if (paths_total != afl->queued_paths) { + u32 corpus_count = strtoul(lptr, &nptr, 10); + if (corpus_count != afl->queued_items) { WARNF( "queue/ has been modified -- things might not work, you're " @@ -162,11 +162,11 @@ void load_stats_file(afl_state_t *afl) { break; case 12: - if (!strcmp(keystring, "paths_found ")) + if (!strcmp(keystring, "corpus_found ")) afl->queued_discovered = strtoul(lptr, &nptr, 10); break; case 13: - if (!strcmp(keystring, "paths_imported ")) + if (!strcmp(keystring, "corpus_imported ")) afl->queued_imported = strtoul(lptr, &nptr, 10); break; case 14: @@ -174,12 +174,12 @@ void load_stats_file(afl_state_t *afl) { afl->max_depth = strtoul(lptr, &nptr, 10); break; case 21: - if (!strcmp(keystring, "unique_crashes ")) - afl->unique_crashes = strtoull(lptr, &nptr, 10); + if (!strcmp(keystring, "saved_crashes ")) + afl->saved_crashes = strtoull(lptr, &nptr, 10); break; case 22: - if (!strcmp(keystring, "unique_hangs ")) - afl->unique_hangs = strtoull(lptr, &nptr, 10); + if (!strcmp(keystring, "saved_hangs ")) + afl->saved_hangs = strtoull(lptr, &nptr, 10); break; default: break; @@ -190,7 +190,7 @@ void load_stats_file(afl_state_t *afl) { } - if (afl->unique_crashes) { write_crash_readme(afl); } + if (afl->saved_crashes) { write_crash_readme(afl); } return; @@ -243,96 +243,95 @@ void write_stats_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg, if (getrusage(RUSAGE_CHILDREN, &rus)) { rus.ru_maxrss = 0; } #endif - fprintf(f, - "start_time : %llu\n" - "last_update : %llu\n" - "run_time : %llu\n" - "fuzzer_pid : %u\n" - "cycles_done : %llu\n" - "cycles_wo_finds : %llu\n" - "execs_done : %llu\n" - "execs_per_sec : %0.02f\n" - "execs_ps_last_min : %0.02f\n" - "paths_total : %u\n" - "paths_favored : %u\n" - "paths_found : %u\n" - "paths_imported : %u\n" - "max_depth : %u\n" - "cur_path : %u\n" /* Must match find_start_position() */ - "pending_favs : %u\n" - "pending_total : %u\n" - "variable_paths : %u\n" - "stability : %0.02f%%\n" - "bitmap_cvg : %0.02f%%\n" - "unique_crashes : %llu\n" - "unique_hangs : %llu\n" - "last_path : %llu\n" - "last_crash : %llu\n" - "last_hang : %llu\n" - "execs_since_crash : %llu\n" - "exec_timeout : %u\n" - "slowest_exec_ms : %u\n" - "peak_rss_mb : %lu\n" - "cpu_affinity : %d\n" - "edges_found : %u\n" - "total_edges : %u\n" - "var_byte_count : %u\n" - "havoc_expansion : %u\n" - "auto_dict_entries : %u\n" - "testcache_size : %llu\n" - "testcache_count : %u\n" - "testcache_evict : %u\n" - "afl_banner : %s\n" - "afl_version : " VERSION - "\n" - "target_mode : %s%s%s%s%s%s%s%s%s%s\n" - "command_line : %s\n", - (afl->start_time - afl->prev_run_time) / 1000, cur_time / 1000, - (afl->prev_run_time + cur_time - afl->start_time) / 1000, - (u32)getpid(), afl->queue_cycle ? (afl->queue_cycle - 1) : 0, - afl->cycles_wo_finds, afl->fsrv.total_execs, - afl->fsrv.total_execs / - ((double)(afl->prev_run_time + get_cur_time() - afl->start_time) / - 1000), - afl->last_avg_execs_saved, afl->queued_paths, afl->queued_favored, - afl->queued_discovered, afl->queued_imported, afl->max_depth, - afl->current_entry, afl->pending_favored, afl->pending_not_fuzzed, - afl->queued_variable, stability, bitmap_cvg, afl->unique_crashes, - afl->unique_hangs, afl->last_path_time / 1000, - afl->last_crash_time / 1000, afl->last_hang_time / 1000, - afl->fsrv.total_execs - afl->last_crash_execs, afl->fsrv.exec_tmout, - afl->slowest_exec_ms, + fprintf( + f, + "start_time : %llu\n" + "last_update : %llu\n" + "run_time : %llu\n" + "fuzzer_pid : %u\n" + "cycles_done : %llu\n" + "cycles_wo_finds : %llu\n" + "execs_done : %llu\n" + "execs_per_sec : %0.02f\n" + "execs_ps_last_min : %0.02f\n" + "corpus_count : %u\n" + "corpus_favored : %u\n" + "corpus_found : %u\n" + "corpus_imported : %u\n" + "corpus_variable : %u\n" + "max_depth : %u\n" + "cur_item : %u\n" + "pending_favs : %u\n" + "pending_total : %u\n" + "stability : %0.02f%%\n" + "bitmap_cvg : %0.02f%%\n" + "saved_crashes : %llu\n" + "saved_hangs : %llu\n" + "last_find : %llu\n" + "last_crash : %llu\n" + "last_hang : %llu\n" + "execs_since_crash : %llu\n" + "exec_timeout : %u\n" + "slowest_exec_ms : %u\n" + "peak_rss_mb : %lu\n" + "cpu_affinity : %d\n" + "edges_found : %u\n" + "total_edges : %u\n" + "var_byte_count : %u\n" + "havoc_expansion : %u\n" + "auto_dict_entries : %u\n" + "testcache_size : %llu\n" + "testcache_count : %u\n" + "testcache_evict : %u\n" + "afl_banner : %s\n" + "afl_version : " VERSION + "\n" + "target_mode : %s%s%s%s%s%s%s%s%s%s\n" + "command_line : %s\n", + (afl->start_time - afl->prev_run_time) / 1000, cur_time / 1000, + (afl->prev_run_time + cur_time - afl->start_time) / 1000, (u32)getpid(), + afl->queue_cycle ? (afl->queue_cycle - 1) : 0, afl->cycles_wo_finds, + afl->fsrv.total_execs, + afl->fsrv.total_execs / + ((double)(afl->prev_run_time + get_cur_time() - afl->start_time) / + 1000), + afl->last_avg_execs_saved, afl->queued_items, afl->queued_favored, + afl->queued_discovered, afl->queued_imported, afl->max_depth, + afl->current_entry, afl->pending_favored, afl->pending_not_fuzzed, + afl->queued_variable, stability, bitmap_cvg, afl->saved_crashes, + afl->saved_hangs, afl->last_find_time / 1000, afl->last_crash_time / 1000, + afl->last_hang_time / 1000, afl->fsrv.total_execs - afl->last_crash_execs, + afl->fsrv.exec_tmout, afl->slowest_exec_ms, #ifndef __HAIKU__ #ifdef __APPLE__ - (unsigned long int)(rus.ru_maxrss >> 20), + (unsigned long int)(rus.ru_maxrss >> 20), #else - (unsigned long int)(rus.ru_maxrss >> 10), + (unsigned long int)(rus.ru_maxrss >> 10), #endif #else - -1UL, + -1UL, #endif #ifdef HAVE_AFFINITY - afl->cpu_aff, + afl->cpu_aff, #else - -1, + -1, #endif - t_bytes, afl->fsrv.real_map_size, afl->var_byte_count, - afl->expand_havoc, afl->a_extras_cnt, afl->q_testcase_cache_size, - afl->q_testcase_cache_count, afl->q_testcase_evictions, - afl->use_banner, afl->unicorn_mode ? "unicorn" : "", - afl->fsrv.qemu_mode ? "qemu " : "", - afl->fsrv.cs_mode ? "coresight" : "", - afl->non_instrumented_mode ? " non_instrumented " : "", - afl->no_forkserver ? "no_fsrv " : "", afl->crash_mode ? "crash " : "", - afl->persistent_mode ? "persistent " : "", - afl->shmem_testcase_mode ? "shmem_testcase " : "", - afl->deferred_mode ? "deferred " : "", - (afl->unicorn_mode || afl->fsrv.qemu_mode || afl->fsrv.cs_mode || - afl->non_instrumented_mode || afl->no_forkserver || - afl->crash_mode || afl->persistent_mode || afl->deferred_mode) - ? "" - : "default", - afl->orig_cmdline); + t_bytes, afl->fsrv.real_map_size, afl->var_byte_count, afl->expand_havoc, + afl->a_extras_cnt, afl->q_testcase_cache_size, + afl->q_testcase_cache_count, afl->q_testcase_evictions, afl->use_banner, + afl->unicorn_mode ? "unicorn" : "", afl->fsrv.qemu_mode ? "qemu " : "", + afl->fsrv.cs_mode ? "coresight" : "", + afl->non_instrumented_mode ? " non_instrumented " : "", + afl->no_forkserver ? "no_fsrv " : "", afl->crash_mode ? "crash " : "", + afl->persistent_mode ? "persistent " : "", + afl->shmem_testcase_mode ? "shmem_testcase " : "", + afl->deferred_mode ? "deferred " : "", + (afl->unicorn_mode || afl->fsrv.qemu_mode || afl->fsrv.cs_mode || + afl->non_instrumented_mode || afl->no_forkserver || afl->crash_mode || + afl->persistent_mode || afl->deferred_mode) + ? "" + : "default", + afl->orig_cmdline); /* ignore errors */ @@ -373,13 +372,13 @@ void maybe_update_plot_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg, if (unlikely(!afl->force_ui_update && (afl->stop_soon || - (afl->plot_prev_qp == afl->queued_paths && + (afl->plot_prev_qp == afl->queued_items && afl->plot_prev_pf == afl->pending_favored && afl->plot_prev_pnf == afl->pending_not_fuzzed && afl->plot_prev_ce == afl->current_entry && afl->plot_prev_qc == afl->queue_cycle && - afl->plot_prev_uc == afl->unique_crashes && - afl->plot_prev_uh == afl->unique_hangs && + afl->plot_prev_uc == afl->saved_crashes && + afl->plot_prev_uh == afl->saved_hangs && afl->plot_prev_md == afl->max_depth && afl->plot_prev_ed == afl->fsrv.total_execs) || !afl->queue_cycle || @@ -389,29 +388,29 @@ void maybe_update_plot_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg, } - afl->plot_prev_qp = afl->queued_paths; + afl->plot_prev_qp = afl->queued_items; afl->plot_prev_pf = afl->pending_favored; afl->plot_prev_pnf = afl->pending_not_fuzzed; afl->plot_prev_ce = afl->current_entry; afl->plot_prev_qc = afl->queue_cycle; - afl->plot_prev_uc = afl->unique_crashes; - afl->plot_prev_uh = afl->unique_hangs; + afl->plot_prev_uc = afl->saved_crashes; + afl->plot_prev_uh = afl->saved_hangs; afl->plot_prev_md = afl->max_depth; afl->plot_prev_ed = afl->fsrv.total_execs; /* Fields in the file: - relative_time, afl->cycles_done, cur_path, paths_total, paths_not_fuzzed, - favored_not_fuzzed, unique_crashes, unique_hangs, max_depth, + relative_time, afl->cycles_done, cur_item, corpus_count, corpus_not_fuzzed, + favored_not_fuzzed, saved_crashes, saved_hangs, max_depth, execs_per_sec, edges_found */ fprintf(afl->fsrv.plot_file, "%llu, %llu, %u, %u, %u, %u, %0.02f%%, %llu, %llu, %u, %0.02f, %llu, " "%u\n", ((afl->prev_run_time + get_cur_time() - afl->start_time) / 1000), - afl->queue_cycle - 1, afl->current_entry, afl->queued_paths, + afl->queue_cycle - 1, afl->current_entry, afl->queued_items, afl->pending_not_fuzzed, afl->pending_favored, bitmap_cvg, - afl->unique_crashes, afl->unique_hangs, afl->max_depth, eps, + afl->saved_crashes, afl->saved_hangs, afl->max_depth, eps, afl->plot_prev_ed, t_bytes); /* ignore errors */ fflush(afl->fsrv.plot_file); @@ -611,9 +610,9 @@ void show_stats(afl_state_t *afl) { /* AFL_EXIT_ON_TIME. */ - if (unlikely(afl->last_path_time && !afl->non_instrumented_mode && + if (unlikely(afl->last_find_time && !afl->non_instrumented_mode && afl->afl_env.afl_exit_on_time && - (cur_ms - afl->last_path_time) > afl->exit_on_time)) { + (cur_ms - afl->last_find_time) > afl->exit_on_time)) { afl->stop_soon = 2; @@ -704,10 +703,10 @@ void show_stats(afl_state_t *afl) { /* Since `total_crashes` does not get reloaded from disk on restart, it indicates if we found crashes this round already -> paint red. - If it's 0, but `unique_crashes` is set from a past run, paint in yellow. */ - char *crash_color = afl->total_crashes ? cLRD - : afl->unique_crashes ? cYEL - : cRST; + If it's 0, but `saved_crashes` is set from a past run, paint in yellow. */ + char *crash_color = afl->total_crashes ? cLRD + : afl->saved_crashes ? cYEL + : cRST; /* Lord, forgive me this. */ @@ -721,7 +720,7 @@ void show_stats(afl_state_t *afl) { } else { - u64 min_wo_finds = (cur_ms - afl->last_path_time) / 1000 / 60; + u64 min_wo_finds = (cur_ms - afl->last_find_time) / 1000 / 60; /* First queue cycle: don't stop now! */ if (afl->queue_cycle == 1 || min_wo_finds < 15) { @@ -762,48 +761,48 @@ void show_stats(afl_state_t *afl) { except when resuming fuzzing or running in non-instrumented mode. */ if (!afl->non_instrumented_mode && - (afl->last_path_time || afl->resuming_fuzz || afl->queue_cycle == 1 || + (afl->last_find_time || afl->resuming_fuzz || afl->queue_cycle == 1 || afl->in_bitmap || afl->crash_mode)) { - u_stringify_time_diff(time_tmp, cur_ms, afl->last_path_time); - SAYF(bV bSTOP " last new path : " cRST "%-33s ", time_tmp); + u_stringify_time_diff(time_tmp, cur_ms, afl->last_find_time); + SAYF(bV bSTOP " last new find : " cRST "%-33s ", time_tmp); } else { if (afl->non_instrumented_mode) { - SAYF(bV bSTOP " last new path : " cPIN "n/a" cRST + SAYF(bV bSTOP " last new find : " cPIN "n/a" cRST " (non-instrumented mode) "); } else { - SAYF(bV bSTOP " last new path : " cRST "none yet " cLRD + SAYF(bV bSTOP " last new find : " cRST "none yet " cLRD "(odd, check syntax!) "); } } - SAYF(bSTG bV bSTOP " total paths : " cRST "%-5s " bSTG bV "\n", - u_stringify_int(IB(0), afl->queued_paths)); + SAYF(bSTG bV bSTOP " corpus count : " cRST "%-5s " bSTG bV "\n", + u_stringify_int(IB(0), afl->queued_items)); /* Highlight crashes in red if found, denote going over the KEEP_UNIQUE_CRASH limit with a '+' appended to the count. */ - sprintf(tmp, "%s%s", u_stringify_int(IB(0), afl->unique_crashes), - (afl->unique_crashes >= KEEP_UNIQUE_CRASH) ? "+" : ""); + sprintf(tmp, "%s%s", u_stringify_int(IB(0), afl->saved_crashes), + (afl->saved_crashes >= KEEP_UNIQUE_CRASH) ? "+" : ""); u_stringify_time_diff(time_tmp, cur_ms, afl->last_crash_time); - SAYF(bV bSTOP " last uniq crash : " cRST "%-33s " bSTG bV bSTOP - " uniq crashes : %s%-6s" bSTG bV "\n", + SAYF(bV bSTOP "last saved crash : " cRST "%-33s " bSTG bV bSTOP + "saved crashes : %s%-6s" bSTG bV "\n", time_tmp, crash_color, tmp); - sprintf(tmp, "%s%s", u_stringify_int(IB(0), afl->unique_hangs), - (afl->unique_hangs >= KEEP_UNIQUE_HANG) ? "+" : ""); + sprintf(tmp, "%s%s", u_stringify_int(IB(0), afl->saved_hangs), + (afl->saved_hangs >= KEEP_UNIQUE_HANG) ? "+" : ""); u_stringify_time_diff(time_tmp, cur_ms, afl->last_hang_time); - SAYF(bV bSTOP " last uniq hang : " cRST "%-33s " bSTG bV bSTOP - " uniq hangs : " cRST "%-6s" bSTG bV "\n", + SAYF(bV bSTOP " last saved hang : " cRST "%-33s " bSTG bV bSTOP + " saved hangs : " cRST "%-6s" bSTG bV "\n", time_tmp, tmp); SAYF(bVR bH bSTOP cCYA @@ -816,7 +815,7 @@ void show_stats(afl_state_t *afl) { sprintf(tmp, "%s%s%u (%0.01f%%)", u_stringify_int(IB(0), afl->current_entry), afl->queue_cur->favored ? "." : "*", afl->queue_cur->fuzz_level, - ((double)afl->current_entry * 100) / afl->queued_paths); + ((double)afl->current_entry * 100) / afl->queued_items); SAYF(bV bSTOP " now processing : " cRST "%-18s " bSTG bV bSTOP, tmp); @@ -830,10 +829,10 @@ void show_stats(afl_state_t *afl) { : ((t_bytes < 200 && !afl->non_instrumented_mode) ? cPIN : cRST), tmp); - sprintf(tmp, "%s (%0.02f%%)", u_stringify_int(IB(0), afl->cur_skipped_paths), - ((double)afl->cur_skipped_paths * 100) / afl->queued_paths); + sprintf(tmp, "%s (%0.02f%%)", u_stringify_int(IB(0), afl->cur_skipped_items), + ((double)afl->cur_skipped_items * 100) / afl->queued_items); - SAYF(bV bSTOP " paths timed out : " cRST "%-18s " bSTG bV, tmp); + SAYF(bV bSTOP " items timed out : " cRST "%-18s " bSTG bV, tmp); sprintf(tmp, "%0.02f bits/tuple", t_bytes ? (((double)t_bits) / t_bytes) : 0); @@ -844,12 +843,12 @@ void show_stats(afl_state_t *afl) { " findings in depth " bSTG bH10 bH5 bH2 bVL "\n"); sprintf(tmp, "%s (%0.02f%%)", u_stringify_int(IB(0), afl->queued_favored), - ((double)afl->queued_favored) * 100 / afl->queued_paths); + ((double)afl->queued_favored) * 100 / afl->queued_items); /* Yeah... it's still going on... halp? */ SAYF(bV bSTOP " now trying : " cRST "%-22s " bSTG bV bSTOP - " favored paths : " cRST "%-20s" bSTG bV "\n", + " favored items : " cRST "%-20s" bSTG bV "\n", afl->stage_name, tmp); if (!afl->stage_max) { @@ -867,13 +866,13 @@ void show_stats(afl_state_t *afl) { SAYF(bV bSTOP " stage execs : " cRST "%-23s" bSTG bV bSTOP, tmp); sprintf(tmp, "%s (%0.02f%%)", u_stringify_int(IB(0), afl->queued_with_cov), - ((double)afl->queued_with_cov) * 100 / afl->queued_paths); + ((double)afl->queued_with_cov) * 100 / afl->queued_items); SAYF(" new edges on : " cRST "%-20s" bSTG bV "\n", tmp); sprintf(tmp, "%s (%s%s unique)", u_stringify_int(IB(0), afl->total_crashes), - u_stringify_int(IB(1), afl->unique_crashes), - (afl->unique_crashes >= KEEP_UNIQUE_CRASH) ? "+" : ""); + u_stringify_int(IB(1), afl->saved_crashes), + (afl->saved_crashes >= KEEP_UNIQUE_CRASH) ? "+" : ""); if (afl->crash_mode) { @@ -906,15 +905,15 @@ void show_stats(afl_state_t *afl) { } sprintf(tmp, "%s (%s%s unique)", u_stringify_int(IB(0), afl->total_tmouts), - u_stringify_int(IB(1), afl->unique_tmouts), - (afl->unique_hangs >= KEEP_UNIQUE_HANG) ? "+" : ""); + u_stringify_int(IB(1), afl->saved_tmouts), + (afl->saved_hangs >= KEEP_UNIQUE_HANG) ? "+" : ""); SAYF(bSTG bV bSTOP " total tmouts : " cRST "%-20s" bSTG bV "\n", tmp); /* Aaaalmost there... hold on! */ SAYF(bVR bH cCYA bSTOP " fuzzing strategy yields " bSTG bH10 bH2 bHT bH10 bH2 - bH bHB bH bSTOP cCYA " path geometry " bSTG bH5 bH2 bVL "\n"); + bH bHB bH bSTOP cCYA " item geometry " bSTG bH5 bH2 bVL "\n"); if (unlikely(afl->custom_only)) { @@ -1222,7 +1221,7 @@ void show_init_stats(afl_state_t *afl) { } - for (i = 0; i < afl->queued_paths; i++) { + for (i = 0; i < afl->queued_items; i++) { q = afl->queue_buf[i]; if (unlikely(q->disabled)) { continue; } @@ -1290,13 +1289,13 @@ void show_init_stats(afl_state_t *afl) { } - if (afl->queued_paths > 100) { + if (afl->queued_items > 100) { WARNF(cLRD "You probably have far too many input files! Consider trimming " "down."); - } else if (afl->queued_paths > 20) { + } else if (afl->queued_items > 20) { WARNF("You have lots of input files; try starting small."); @@ -1311,8 +1310,8 @@ void show_init_stats(afl_state_t *afl) { " Bitmap range : " cRST "%u to %u bits (average: %0.02f bits)\n" cGRA " Exec timing : " cRST "%s to %s us (average: %s us)\n", - afl->queued_favored, afl->queued_variable, afl->queued_paths - count, - afl->queued_paths, min_bits, max_bits, + afl->queued_favored, afl->queued_variable, afl->queued_items - count, + afl->queued_items, min_bits, max_bits, ((double)afl->total_bitmap_size) / (afl->total_bitmap_entries ? afl->total_bitmap_entries : 1), stringify_int(IB(0), min_us), stringify_int(IB(1), max_us), diff --git a/src/afl-fuzz-statsd.c b/src/afl-fuzz-statsd.c index 461bbbf6..e835c8ea 100644 --- a/src/afl-fuzz-statsd.c +++ b/src/afl-fuzz-statsd.c @@ -42,46 +42,48 @@ // For DogstatsD #define STATSD_TAGS_TYPE_SUFFIX 1 -#define STATSD_TAGS_SUFFIX_METRICS \ - METRIC_PREFIX \ - ".cycle_done:%llu|g%s\n" METRIC_PREFIX \ - ".cycles_wo_finds:%llu|g%s\n" METRIC_PREFIX \ - ".execs_done:%llu|g%s\n" METRIC_PREFIX \ - ".execs_per_sec:%0.02f|g%s\n" METRIC_PREFIX \ - ".paths_total:%u|g%s\n" METRIC_PREFIX \ - ".paths_favored:%u|g%s\n" METRIC_PREFIX \ - ".paths_found:%u|g%s\n" METRIC_PREFIX \ - ".paths_imported:%u|g%s\n" METRIC_PREFIX ".max_depth:%u|g%s\n" METRIC_PREFIX \ - ".cur_path:%u|g%s\n" METRIC_PREFIX ".pending_favs:%u|g%s\n" METRIC_PREFIX \ - ".pending_total:%u|g%s\n" METRIC_PREFIX \ - ".variable_paths:%u|g%s\n" METRIC_PREFIX \ - ".unique_crashes:%llu|g%s\n" METRIC_PREFIX \ - ".unique_hangs:%llu|g%s\n" METRIC_PREFIX \ - ".total_crashes:%llu|g%s\n" METRIC_PREFIX \ - ".slowest_exec_ms:%u|g%s\n" METRIC_PREFIX \ - ".edges_found:%u|g%s\n" METRIC_PREFIX \ +#define STATSD_TAGS_SUFFIX_METRICS \ + METRIC_PREFIX \ + ".cycle_done:%llu|g%s\n" METRIC_PREFIX \ + ".cycles_wo_finds:%llu|g%s\n" METRIC_PREFIX \ + ".execs_done:%llu|g%s\n" METRIC_PREFIX \ + ".execs_per_sec:%0.02f|g%s\n" METRIC_PREFIX \ + ".corpus_count:%u|g%s\n" METRIC_PREFIX \ + ".corpus_favored:%u|g%s\n" METRIC_PREFIX \ + ".corpus_found:%u|g%s\n" METRIC_PREFIX \ + ".corpus_imported:%u|g%s\n" METRIC_PREFIX \ + ".max_depth:%u|g%s\n" METRIC_PREFIX ".cur_item:%u|g%s\n" METRIC_PREFIX \ + ".pending_favs:%u|g%s\n" METRIC_PREFIX \ + ".pending_total:%u|g%s\n" METRIC_PREFIX \ + ".corpus_variable:%u|g%s\n" METRIC_PREFIX \ + ".saved_crashes:%llu|g%s\n" METRIC_PREFIX \ + ".saved_hangs:%llu|g%s\n" METRIC_PREFIX \ + ".total_crashes:%llu|g%s\n" METRIC_PREFIX \ + ".slowest_exec_ms:%u|g%s\n" METRIC_PREFIX \ + ".edges_found:%u|g%s\n" METRIC_PREFIX \ ".var_byte_count:%u|g%s\n" METRIC_PREFIX ".havoc_expansion:%u|g%s\n" // For Librato, InfluxDB, SignalFX #define STATSD_TAGS_TYPE_MID 2 -#define STATSD_TAGS_MID_METRICS \ - METRIC_PREFIX \ - ".cycle_done%s:%llu|g\n" METRIC_PREFIX \ - ".cycles_wo_finds%s:%llu|g\n" METRIC_PREFIX \ - ".execs_done%s:%llu|g\n" METRIC_PREFIX \ - ".execs_per_sec%s:%0.02f|g\n" METRIC_PREFIX \ - ".paths_total%s:%u|g\n" METRIC_PREFIX \ - ".paths_favored%s:%u|g\n" METRIC_PREFIX \ - ".paths_found%s:%u|g\n" METRIC_PREFIX \ - ".paths_imported%s:%u|g\n" METRIC_PREFIX ".max_depth%s:%u|g\n" METRIC_PREFIX \ - ".cur_path%s:%u|g\n" METRIC_PREFIX ".pending_favs%s:%u|g\n" METRIC_PREFIX \ - ".pending_total%s:%u|g\n" METRIC_PREFIX \ - ".variable_paths%s:%u|g\n" METRIC_PREFIX \ - ".unique_crashes%s:%llu|g\n" METRIC_PREFIX \ - ".unique_hangs%s:%llu|g\n" METRIC_PREFIX \ - ".total_crashes%s:%llu|g\n" METRIC_PREFIX \ - ".slowest_exec_ms%s:%u|g\n" METRIC_PREFIX \ - ".edges_found%s:%u|g\n" METRIC_PREFIX \ +#define STATSD_TAGS_MID_METRICS \ + METRIC_PREFIX \ + ".cycle_done%s:%llu|g\n" METRIC_PREFIX \ + ".cycles_wo_finds%s:%llu|g\n" METRIC_PREFIX \ + ".execs_done%s:%llu|g\n" METRIC_PREFIX \ + ".execs_per_sec%s:%0.02f|g\n" METRIC_PREFIX \ + ".corpus_count%s:%u|g\n" METRIC_PREFIX \ + ".corpus_favored%s:%u|g\n" METRIC_PREFIX \ + ".corpus_found%s:%u|g\n" METRIC_PREFIX \ + ".corpus_imported%s:%u|g\n" METRIC_PREFIX \ + ".max_depth%s:%u|g\n" METRIC_PREFIX ".cur_item%s:%u|g\n" METRIC_PREFIX \ + ".pending_favs%s:%u|g\n" METRIC_PREFIX \ + ".pending_total%s:%u|g\n" METRIC_PREFIX \ + ".corpus_variable%s:%u|g\n" METRIC_PREFIX \ + ".saved_crashes%s:%llu|g\n" METRIC_PREFIX \ + ".saved_hangs%s:%llu|g\n" METRIC_PREFIX \ + ".total_crashes%s:%llu|g\n" METRIC_PREFIX \ + ".slowest_exec_ms%s:%u|g\n" METRIC_PREFIX \ + ".edges_found%s:%u|g\n" METRIC_PREFIX \ ".var_byte_count%s:%u|g\n" METRIC_PREFIX ".havoc_expansion%s:%u|g\n" void statsd_setup_format(afl_state_t *afl) { @@ -238,11 +240,11 @@ int statsd_format_metric(afl_state_t *afl, char *buff, size_t bufflen) { afl->fsrv.total_execs / ((double)(get_cur_time() + afl->prev_run_time - afl->start_time) / 1000), - tags, afl->queued_paths, tags, afl->queued_favored, tags, + tags, afl->queued_items, tags, afl->queued_favored, tags, afl->queued_discovered, tags, afl->queued_imported, tags, afl->max_depth, tags, afl->current_entry, tags, afl->pending_favored, tags, afl->pending_not_fuzzed, tags, afl->queued_variable, tags, - afl->unique_crashes, tags, afl->unique_hangs, tags, afl->total_crashes, + afl->saved_crashes, tags, afl->saved_hangs, tags, afl->total_crashes, tags, afl->slowest_exec_ms, tags, count_non_255_bytes(afl, afl->virgin_bits), tags, afl->var_byte_count, tags, afl->expand_havoc, tags); @@ -256,11 +258,11 @@ int statsd_format_metric(afl_state_t *afl, char *buff, size_t bufflen) { afl->fsrv.total_execs / ((double)(get_cur_time() + afl->prev_run_time - afl->start_time) / 1000), - tags, afl->queued_paths, tags, afl->queued_favored, tags, + tags, afl->queued_items, tags, afl->queued_favored, tags, afl->queued_discovered, tags, afl->queued_imported, tags, afl->max_depth, tags, afl->current_entry, tags, afl->pending_favored, tags, afl->pending_not_fuzzed, tags, afl->queued_variable, tags, - afl->unique_crashes, tags, afl->unique_hangs, tags, afl->total_crashes, + afl->saved_crashes, tags, afl->saved_hangs, tags, afl->total_crashes, tags, afl->slowest_exec_ms, tags, count_non_255_bytes(afl, afl->virgin_bits), tags, afl->var_byte_count, tags, afl->expand_havoc); diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 195366bd..f59bb47c 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -129,7 +129,7 @@ static void usage(u8 *argv0, int more_help) { " -D - enable deterministic fuzzing (once per queue entry)\n" " -L minutes - use MOpt(imize) mode and set the time limit for " "entering the\n" - " pacemaker mode (minutes of no new paths). 0 = " + " pacemaker mode (minutes of no new finds). 0 = " "immediately,\n" " -1 = immediately and together with normal mutation.\n" " See docs/README.MOpt.md\n" @@ -214,7 +214,7 @@ static void usage(u8 *argv0, int more_help) { "AFL_DISABLE_TRIM: disable the trimming of test cases\n" "AFL_DUMB_FORKSRV: use fork server without feedback from target\n" "AFL_EXIT_WHEN_DONE: exit when all inputs are run and no new finds are found\n" - "AFL_EXIT_ON_TIME: exit when no new paths are found within the specified time period\n" + "AFL_EXIT_ON_TIME: exit when no new coverage finds are made within the specified time period\n" "AFL_EXPAND_HAVOC_NOW: immediately enable expand havoc mode (default: after 60 minutes and a cycle without finds)\n" "AFL_FAST_CAL: limit the calibration stage to three cycles for speedup\n" "AFL_FORCE_UI: force showing the status screen (for virtual consoles)\n" @@ -1607,7 +1607,7 @@ int main(int argc, char **argv_orig, char **envp) { read_testcases(afl, NULL); // read_foreign_testcases(afl, 1); for the moment dont do this - OKF("Loaded a total of %u seeds.", afl->queued_paths); + OKF("Loaded a total of %u seeds.", afl->queued_items); pivot_inputs(afl); @@ -1929,7 +1929,7 @@ int main(int argc, char **argv_orig, char **envp) { // ensure we have at least one seed that is not disabled. u32 entry, valid_seeds = 0; - for (entry = 0; entry < afl->queued_paths; ++entry) + for (entry = 0; entry < afl->queued_items; ++entry) if (!afl->queue_buf[entry]->disabled) { ++valid_seeds; } if (!afl->pending_not_fuzzed || !valid_seeds) { @@ -1951,7 +1951,7 @@ int main(int argc, char **argv_orig, char **envp) { u64 max_ms = 0; - for (entry = 0; entry < afl->queued_paths; ++entry) + for (entry = 0; entry < afl->queued_items; ++entry) if (!afl->queue_buf[entry]->disabled) if (afl->queue_buf[entry]->exec_us > max_ms) max_ms = afl->queue_buf[entry]->exec_us; @@ -1993,7 +1993,7 @@ int main(int argc, char **argv_orig, char **envp) { afl->start_time = get_cur_time(); u32 runs_in_current_cycle = (u32)-1; - u32 prev_queued_paths = 0; + u32 prev_queued_items = 0; u8 skipped_fuzz; #ifdef INTROSPECTION @@ -2014,7 +2014,7 @@ int main(int argc, char **argv_orig, char **envp) { cull_queue(afl); if (unlikely((!afl->old_seed_selection && - runs_in_current_cycle > afl->queued_paths) || + runs_in_current_cycle > afl->queued_items) || (afl->old_seed_selection && !afl->queue_cur))) { if (unlikely((afl->last_sync_cycle < afl->queue_cycle || @@ -2027,25 +2027,25 @@ int main(int argc, char **argv_orig, char **envp) { ++afl->queue_cycle; runs_in_current_cycle = (u32)-1; - afl->cur_skipped_paths = 0; + afl->cur_skipped_items = 0; if (unlikely(afl->old_seed_selection)) { afl->current_entry = 0; - while (unlikely(afl->current_entry < afl->queued_paths && + while (unlikely(afl->current_entry < afl->queued_items && afl->queue_buf[afl->current_entry]->disabled)) { ++afl->current_entry; } - if (afl->current_entry >= afl->queued_paths) { afl->current_entry = 0; } + if (afl->current_entry >= afl->queued_items) { afl->current_entry = 0; } afl->queue_cur = afl->queue_buf[afl->current_entry]; if (unlikely(seek_to)) { - if (unlikely(seek_to >= afl->queued_paths)) { + if (unlikely(seek_to >= afl->queued_items)) { // This should never happen. FATAL("BUG: seek_to location out of bounds!\n"); @@ -2070,7 +2070,7 @@ int main(int argc, char **argv_orig, char **envp) { /* If we had a full queue cycle with no new finds, try recombination strategies next. */ - if (unlikely(afl->queued_paths == prev_queued + if (unlikely(afl->queued_items == prev_queued /* FIXME TODO BUG: && (get_cur_time() - afl->start_time) >= 3600 */ )) { @@ -2148,7 +2148,7 @@ int main(int argc, char **argv_orig, char **envp) { fprintf(afl->introspection_file, "CYCLE cycle=%llu cycle_wo_finds=%llu expand_havoc=%u queue=%u\n", afl->queue_cycle, afl->cycles_wo_finds, afl->expand_havoc, - afl->queued_paths); + afl->queued_items); #endif if (afl->cycle_schedules) { @@ -2188,7 +2188,7 @@ int main(int argc, char **argv_orig, char **envp) { } // we must recalculate the scores of all queue entries - for (u32 i = 0; i < afl->queued_paths; i++) { + for (u32 i = 0; i < afl->queued_items; i++) { if (likely(!afl->queue_buf[i]->disabled)) { @@ -2200,7 +2200,7 @@ int main(int argc, char **argv_orig, char **envp) { } - prev_queued = afl->queued_paths; + prev_queued = afl->queued_items; } @@ -2210,11 +2210,11 @@ int main(int argc, char **argv_orig, char **envp) { if (likely(!afl->old_seed_selection)) { - if (unlikely(prev_queued_paths < afl->queued_paths || + if (unlikely(prev_queued_items < afl->queued_items || afl->reinit_table)) { // we have new queue entries since the last run, recreate alias table - prev_queued_paths = afl->queued_paths; + prev_queued_items = afl->queued_items; create_alias_table(afl); } @@ -2230,10 +2230,10 @@ int main(int argc, char **argv_orig, char **envp) { if (unlikely(afl->old_seed_selection)) { - while (++afl->current_entry < afl->queued_paths && + while (++afl->current_entry < afl->queued_items && afl->queue_buf[afl->current_entry]->disabled) ; - if (unlikely(afl->current_entry >= afl->queued_paths || + if (unlikely(afl->current_entry >= afl->queued_items || afl->queue_buf[afl->current_entry] == NULL || afl->queue_buf[afl->current_entry]->disabled)) afl->queue_cur = NULL; @@ -2321,11 +2321,11 @@ stop_fuzzing: u8 time_tmp[64]; u_stringify_time_diff(time_tmp, get_cur_time(), afl->start_time); ACTF( - "Statistics: %u new paths found, %.02f%% coverage achieved, %llu " - "crashes found, %llu timeouts found, total runtime %s", + "Statistics: %u new corpus items found, %.02f%% coverage achieved, " + "%llu crashes saved, %llu timeouts saved, total runtime %s", afl->queued_discovered, - ((double)t_bytes * 100) / afl->fsrv.real_map_size, afl->unique_crashes, - afl->unique_hangs, time_tmp); + ((double)t_bytes * 100) / afl->fsrv.real_map_size, afl->saved_crashes, + afl->saved_hangs, time_tmp); } |