-rw-r--r--GNUmakefile7
-rw-r--r--TODO.md11
-rw-r--r--docs/status_screen.md2
-rw-r--r--examples/custom_mutators/README.md6
-rw-r--r--src/afl-fuzz-bitmap.c18
-rw-r--r--src/afl-fuzz-queue.c22
-rw-r--r--src/afl-fuzz-run.c9
-rw-r--r--src/afl-fuzz-stats.c8
-rw-r--r--test/unittests/unit_list.c2
9 files changed, 55 insertions, 30 deletions
diff --git a/GNUmakefile b/GNUmakefile
index 1409b428..ff27e125 100644
--- a/GNUmakefile
+++ b/GNUmakefile
@@ -183,8 +183,6 @@ endif
all: test_x86 test_shm test_python ready $(PROGS) afl-as test_build all_done
man: $(MANPAGES)
- -$(MAKE) -C llvm_mode
- -$(MAKE) -C gcc_plugin
tests: source-only
@cd test ; ./test.sh
@@ -339,7 +337,10 @@ unit_preallocable: test/unittests/unit_preallocable.o
$(CC) $(CFLAGS) $(ASAN_CFLAGS) -Wl,--wrap=exit -Wl,--wrap=printf test/unittests/unit_preallocable.o -o test/unittests/unit_preallocable $(LDFLAGS) $(ASAN_LDFLAGS) -lcmocka
./test/unittests/unit_preallocable
-unit: unit_maybe_alloc unit_preallocable unit_list
+unit_clean:
+ @rm -f ./test/unittests/unit_preallocable ./test/unittests/unit_list ./test/unittests/unit_maybe_alloc test/unittests/*.o
+
+unit: unit_maybe_alloc unit_preallocable unit_list unit_clean
code-format:
./.custom-format.py -i src/*.c
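Review bot: `unit_clean` is listed as a fourth prerequisite of `unit`, but make does not order prerequisites, so under `make -j` the `rm -f` can run before or alongside `unit_maybe_alloc`, `unit_preallocable` and `unit_list` and delete the binaries they are about to execute. Making the cleanup depend on the test targets fixes the order: `unit_clean: unit_maybe_alloc unit_preallocable unit_list` together with `unit: unit_clean`; alternatively run the `rm` as the recipe of `unit` itself. None of these targets are declared `.PHONY` within the hunk, so a stray file named `unit_clean` would silence the rule unless a `.PHONY` list elsewhere in the file covers it.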
diff --git a/TODO.md b/TODO.md
index 1a34fba4..91297332 100644
--- a/TODO.md
+++ b/TODO.md
@@ -2,7 +2,16 @@
## Roadmap 2.63
- - get "no global vars" working
+ - complete custom_mutator API changes and documentation
+ - fix stability calculation bug
+ - libradamsa as a custom module?
+
+
+## Roadmap 2.64
+
+ - context sensitive branch coverage in llvm_mode
+ - random crc32 HASH_CONST per run? because with 65536 paths we have collisions
+
## Further down the road
diff --git a/docs/status_screen.md b/docs/status_screen.md
index 8b3d5bda..a66558b9 100644
--- a/docs/status_screen.md
+++ b/docs/status_screen.md
@@ -400,6 +400,8 @@ directory. This includes:
- `exec_timeout` - the -t command line value
- `slowest_exec_ms` - real time of the slowest execution in ms
- `peak_rss_mb` - max rss usage reached during fuzzing in MB
+ - `edges_found` - how many edges have been found
+ - `var_byte_count` - how many edges are non-deterministic
- `afl_banner` - banner text (e.g. the target name)
- `afl_version` - the version of afl used
- `target_mode` - default, persistent, qemu, unicorn, dumb
diff --git a/examples/custom_mutators/README.md b/examples/custom_mutators/README.md
index 15c6ffc5..6fc7be6c 100644
--- a/examples/custom_mutators/README.md
+++ b/examples/custom_mutators/README.md
@@ -20,3 +20,9 @@ common.py - this can be used for common functions and helpers.
wrapper_afl_min.py - mutation of XML documents, loads XmlMutatorMin.py
XmlMutatorMin.py - module for XML mutation
+
+custom_mutator_helpers.h is an header that defines some helper routines
+like surgical_havoc_mutate() that allow to perform a randomly chosen
+mutation from a subset of the havoc mutations.
+If you do so, you have to specify -I /path/to/AFLplusplus/include when
+compiling.
diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c
index 8ca286b2..63c3a2c2 100644
--- a/src/afl-fuzz-bitmap.c
+++ b/src/afl-fuzz-bitmap.c
@@ -177,8 +177,6 @@ u32 count_bits(u8 *mem) {
}
-#define FF(_b) (0xff << ((_b) << 3))
-
/* Count the number of bytes set in the bitmap. Called fairly sporadically,
mostly to update the status screen or calibrate and examine confirmed
new paths. */
@@ -194,10 +192,10 @@ u32 count_bytes(u8 *mem) {
u32 v = *(ptr++);
if (!v) continue;
- if (v & FF(0)) ++ret;
- if (v & FF(1)) ++ret;
- if (v & FF(2)) ++ret;
- if (v & FF(3)) ++ret;
+ if (v & 0x000000ff) ++ret;
+ if (v & 0x0000ff00) ++ret;
+ if (v & 0x00ff0000) ++ret;
+ if (v & 0xff000000) ++ret;
}
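Review bot: The literal masks are the right replacement for `FF()` — `0xff << 24` computes 0xff000000 in a signed `int`, which does not fit and is therefore undefined behaviour, while the literal `0xff000000` is an `unsigned int` — but nothing in the file records why the macro went; a one-line comment above the first test, `/* literal masks: 0xff << 24 would overflow signed int (UB) */`, stops someone reintroducing it. The same eight literals are repeated in `count_non_255_bytes` in the next hunk; a shared `static const u32 byte_mask[4]` iterated in both loops would keep one source of truth. The body of `count_bytes` continues outside the hunk.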
@@ -222,10 +220,10 @@ u32 count_non_255_bytes(u8 *mem) {
case. */
if (v == 0xffffffff) continue;
- if ((v & FF(0)) != FF(0)) ++ret;
- if ((v & FF(1)) != FF(1)) ++ret;
- if ((v & FF(2)) != FF(2)) ++ret;
- if ((v & FF(3)) != FF(3)) ++ret;
+ if ((v & 0x000000ff) != 0x000000ff) ++ret;
+ if ((v & 0x0000ff00) != 0x0000ff00) ++ret;
+ if ((v & 0x00ff0000) != 0x00ff0000) ++ret;
+ if ((v & 0xff000000) != 0xff000000) ++ret;
}
diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c
index 61bf62f5..6c687ae4 100644
--- a/src/afl-fuzz-queue.c
+++ b/src/afl-fuzz-queue.c
@@ -186,7 +186,8 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) {
u64 fav_factor;
u64 fuzz_p2 = next_pow2(q->n_fuzz);
- if (afl->schedule == MMOPT || afl->schedule == RARE)
+ if (afl->schedule == MMOPT || afl->schedule == RARE ||
+ unlikely(afl->fixed_seed))
fav_factor = q->len << 2;
else
fav_factor = q->exec_us * q->len;
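Review bot: The predicate `afl->schedule == MMOPT || afl->schedule == RARE || unlikely(afl->fixed_seed)` now appears three times in `update_bitmap_score` (here and in the two following hunks) and once negated in `calculate_score` in the last hunk of this file; a file-local helper such as `static inline u8 len_only_fav(afl_state_t *afl) { return afl->schedule == MMOPT || afl->schedule == RARE || unlikely(afl->fixed_seed); }` would keep the four sites from drifting the next time a schedule is added. A short comment on why `fixed_seed` switches the fav factor to length only (the `exec_us` term is presumably meaningless under a fixed seed) would also help the next reader. The enclosing function continues outside the hunk.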
@@ -203,7 +204,8 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) {
u64 top_rated_fav_factor;
u64 top_rated_fuzz_p2 = next_pow2(afl->top_rated[i]->n_fuzz);
- if (afl->schedule == MMOPT || afl->schedule == RARE)
+ if (afl->schedule == MMOPT || afl->schedule == RARE ||
+ unlikely(afl->fixed_seed))
top_rated_fav_factor = afl->top_rated[i]->len << 2;
else
top_rated_fav_factor =
@@ -214,8 +216,17 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) {
else if (fuzz_p2 == top_rated_fuzz_p2)
if (fav_factor > top_rated_fav_factor) continue;
- if (fav_factor > afl->top_rated[i]->exec_us * afl->top_rated[i]->len)
- continue;
+ if (afl->schedule == MMOPT || afl->schedule == RARE ||
+ unlikely(afl->fixed_seed)) {
+
+ if (fav_factor > afl->top_rated[i]->len << 2) continue;
+
+ } else {
+
+ if (fav_factor > afl->top_rated[i]->exec_us * afl->top_rated[i]->len)
+ continue;
+
+ }
/* Looks like we're going to win. Decrease ref count for the
previous winner, discard its afl->fsrv.trace_bits[] if necessary. */
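Review bot: The new branch recomputes the incumbent's fav factor (`afl->top_rated[i]->len << 2` or `exec_us * len`) that the loop already stored in `top_rated_fav_factor` in the previous hunk; if that variable is still in scope here — its declaration looks like the same loop body — the whole nine-line block collapses to `if (fav_factor > top_rated_fav_factor) continue;` and the two computations cannot diverge. If the duplication is kept, parenthesise the shift as `(afl->top_rated[i]->len << 2)` so its precedence over `>` is visible at a glance. `update_bitmap_score` continues outside the hunk.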
@@ -330,7 +341,8 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) {
// Longer execution time means longer work on the input, the deeper in
// coverage, the better the fuzzing, right? -mh
- if (afl->schedule != MMOPT && afl->schedule != RARE) {
+ if (afl->schedule != MMOPT && afl->schedule != RARE &&
+ likely(!afl->fixed_seed)) {
if (q->exec_us * 0.1 > avg_exec_us)
perf_score = 10;
diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index 5875eb68..47f6e9d9 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -354,17 +354,14 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
for (i = 0; i < MAP_SIZE; ++i) {
- if (!afl->var_bytes[i] &&
- afl->first_trace[i] != afl->fsrv.trace_bits[i]) {
-
+ if (unlikely(!afl->var_bytes[i]) &&
+ unlikely(afl->first_trace[i] != afl->fsrv.trace_bits[i]))
afl->var_bytes[i] = 1;
- afl->stage_max = CAL_CYCLES_LONG;
-
- }
}
var_detected = 1;
+ afl->stage_max = CAL_CYCLES_LONG;
} else {
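Review bot: `unlikely(!afl->var_bytes[i])` hints the wrong way: for a mostly stable target `var_bytes[i]` is zero for almost every index, so the first operand is true on most iterations and only the second comparison is the rare case; `if (!afl->var_bytes[i] && unlikely(afl->first_trace[i] != afl->fsrv.trace_bits[i]))` keeps the hint where it applies. The braces were also dropped from an `if` whose condition spans two lines while the surrounding code braces single statements, so keep them here. Hoisting `afl->stage_max = CAL_CYCLES_LONG;` out of the loop only changes behaviour if this branch can run without flagging a new byte, which depends on the enclosing condition outside the hunk; `calibrate_case` continues outside it.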
diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c
index 77bbe023..d9f8c99c 100644
--- a/src/afl-fuzz-stats.c
+++ b/src/afl-fuzz-stats.c
@@ -98,8 +98,8 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability,
"exec_timeout : %u\n"
"slowest_exec_ms : %u\n"
"peak_rss_mb : %lu\n"
+ "edges_found : %u\n"
"var_byte_count : %u\n"
- "found_edges : %u\n"
"afl_banner : %s\n"
"afl_version : " VERSION
"\n"
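Review bot: Renaming the `found_edges` key to `edges_found` (and moving it above `var_byte_count`) changes the on-disk `fuzzer_stats` format that external tooling parses by key name, so anything matching `found_edges` stops working silently. Worth a changelog entry or a note in `docs/status_screen.md` about the rename, or emitting `found_edges` alongside for one release. The argument reorder in the next hunk (`t_bytes, afl->var_byte_count`) does match the new format order, so the values line up. `write_stats_file` continues outside the hunk.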
@@ -122,7 +122,7 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability,
#else
(unsigned long int)(rus.ru_maxrss >> 10),
#endif
- afl->var_byte_count, t_bytes, afl->use_banner,
+ t_bytes, afl->var_byte_count, afl->use_banner,
afl->unicorn_mode ? "unicorn" : "", afl->qemu_mode ? "qemu " : "",
afl->dumb_mode ? " dumb " : "", afl->no_forkserver ? "no_fsrv " : "",
afl->crash_mode ? "crash " : "",
@@ -260,8 +260,8 @@ void show_stats(afl_state_t *afl) {
t_bytes = count_non_255_bytes(afl->virgin_bits);
t_byte_ratio = ((double)t_bytes * 100) / MAP_SIZE;
- if (t_bytes)
- stab_ratio = 100 - (((double)afl->var_byte_count) * 100) / t_bytes;
+ if (likely(t_bytes) && unlikely(afl->var_byte_count))
+ stab_ratio = 100 - (((double)afl->var_byte_count * 100) / t_bytes);
else
stab_ratio = 100;
diff --git a/test/unittests/unit_list.c b/test/unittests/unit_list.c
index 03217112..11d3227c 100644
--- a/test/unittests/unit_list.c
+++ b/test/unittests/unit_list.c
@@ -90,7 +90,7 @@ static void test_long_list(void **state) {
LIST_FOREACH(&testlist, u32, {
result1 += *el;
});
- printf("removing %d\n", vals[50]);
+ //printf("removing %d\n", vals[50]);
list_remove(&testlist, &vals[50]);
LIST_FOREACH(&testlist, u32, {