-rw-r--r-- | docs/ChangeLog | 3 | ||||
-rw-r--r-- | include/afl-fuzz.h | 1 | ||||
-rw-r--r-- | src/afl-fuzz-src/afl-fuzz.c | 29 | ||||
-rw-r--r-- | src/afl-fuzz-src/globals.c | 1 |
4 files changed, 31 insertions, 3 deletions
diff --git a/docs/ChangeLog b/docs/ChangeLog
index dd5b597c..1cd95650 100644
--- a/docs/ChangeLog
+++ b/docs/ChangeLog
@@ -29,18 +29,17 @@ Version ++2.53d (dev):
  - Android is now supported (thank to JoeyJiao!) - still need to modify the Makefile though - fix building qemu on some Ubuntus (thanks to floyd!) - custom mutator by a loaded library is now supported (thanks to kyakdan!)
+ - added PR that includes peak_rss_mb and slowest_exec_ms in the fuzzer_stats report
  - more support for *BSD (thanks to devnexen!) - fix building on *BSD (thanks to tobias.kortkamp for the patch) - fix for a few features to support different map sized than 2^16 - afl-showmap: new option -r now shows the real values in the buckets (stock afl never did), plus shows tuple content summary information now
- - the forkserver is now in its own C file to be easily integratable
  - small docu updates - NeverZero counters for QEMU - NeverZero counters for Unicorn - CompareCoverage Unicorn - Immediates-only instrumentation for CompareCoverage
- - ... your patch? :)
 --------------------------
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index c50a21a7..7b380dce 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -350,6 +350,7 @@ extern u64 total_crashes, /* Total number of crashes */
 unique_tmouts, /* Timeouts with unique signatures */
 unique_hangs, /* Hangs with unique signatures */
 total_execs, /* Total execve() calls */
+ slowest_exec_ms, /* Slowest testcase non hang in ms */
 start_time, /* Unix start time (ms) */
 last_path_time, /* Time for most recent path (ms) */
 last_crash_time, /* Time for most recent crash (ms) */
diff --git a/src/afl-fuzz-src/afl-fuzz.c b/src/afl-fuzz-src/afl-fuzz.c
index 0e12f493..dc21de17 100644
--- a/src/afl-fuzz-src/afl-fuzz.c
+++ b/src/afl-fuzz-src/afl-fuzz.c
@@ -370,6 +370,7 @@ static u8 run_target(char** argv, u32 timeout) {
 static struct itimerval it;
 static u32 prev_timed_out = 0;
+ static u64 exec_ms = 0;
 int status = 0;
 u32 tb4;
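Review bot: `static u64 exec_ms = 0;` turns a per-call scratch value into file-lifetime state, although the next hunk overwrites it unconditionally on every run_target() call before reading it; a plain automatic `u64 exec_ms = 0;` says what is meant. The neighbouring `it` and `prev_timed_out` statics genuinely carry state between calls, so placing exec_ms among them suggests it does too. run_target's body continues outside the hunk.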
@@ -519,6 +520,10 @@ static u8 run_target(char** argv, u32 timeout) {
 }
 if (!WIFSTOPPED(status)) child_pid = 0;
+
+ getitimer(ITIMER_REAL, &it);
+ exec_ms = (u64) timeout - (it.it_value.tv_sec * 1000 + it.it_value.tv_usec / 1000);
+ if (slowest_exec_ms < exec_ms) slowest_exec_ms = exec_ms;
 it.it_value.tv_sec = 0;
 it.it_value.tv_usec = 0;
@@ -1491,6 +1496,7 @@ static void find_timeout(void) {
 static void write_stats_file(double bitmap_cvg, double stability, double eps) {
 static double last_bcvg, last_stab, last_eps;
+ static struct rusage usage;
 u8* fn = alloc_printf("%s/fuzzer_stats", out_dir);
 s32 fd;
@@ -1543,6 +1549,8 @@ static void write_stats_file(double bitmap_cvg, double stability, double eps) {
 "last_hang : %llu\n"
 "execs_since_crash : %llu\n"
 "exec_timeout : %u\n"
+ "slowest_exec_ms : %llu\n"
+ "peak_rss_mb : %lu\n"
 "afl_banner : %s\n"
 "afl_version : " VERSION "\n"
 "target_mode : %s%s%s%s%s%s%s%s\n"
@@ -1554,7 +1562,7 @@ static void write_stats_file(double bitmap_cvg, double stability, double eps) {
 queued_variable, stability, bitmap_cvg, unique_crashes, unique_hangs, last_path_time / 1000, last_crash_time / 1000, last_hang_time / 1000, total_execs - last_crash_execs,
- exec_tmout, use_banner,
+ exec_tmout, slowest_exec_ms, (unsigned long int)usage.ru_maxrss, use_banner,
 unicorn_mode ? "unicorn" : "", qemu_mode ? "qemu " : "", dumb_mode ? " dumb " : "", no_forkserver ? "no_forksrv " : "", crash_mode ? "crash " : "", persistent_mode ? "persistent " : "", deferred_mode ? "deferred " : "",
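Review bot: The `slowest_exec_ms` update does not exclude timed-out executions even though the new field is documented as "Slowest testcase non hang in ms": once the itimer has expired, `it.it_value` reads back as zero, `exec_ms` equals `timeout`, and a single hang pins the statistic at the timeout value for the rest of the run. Guard the update with the timeout flag run_target already maintains (set by the SIGALRM handler outside this hunk; `child_timed_out` in stock AFL), e.g. `if (!child_timed_out && slowest_exec_ms < exec_ms) slowest_exec_ms = exec_ms;`. The `getitimer()` return value is also unchecked, so on failure `it` holds whatever the previous call left and `exec_ms` is meaningless; wrap the computation in `if (getitimer(ITIMER_REAL, &it) == 0) { ... }`. run_target starts and ends outside the hunk.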
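Review bot: `static struct rusage usage;` is declared here and consumed as `(unsigned long int)usage.ru_maxrss` in the last hunk of this file, but none of the 28 lines the commit inserts into afl-fuzz.c calls getrusage(); unless an existing call fills it elsewhere in write_stats_file, the zero-initialised static is what gets printed and `peak_rss_mb` is always 0. The struct needs `getrusage(RUSAGE_CHILDREN, &usage)` before the fprintf with its return value checked, and `static` is unnecessary once it is refilled on every call. Independently of that, ru_maxrss is in kilobytes on Linux (bytes on macOS), so printing it under a `_mb` label needs a scale, e.g. `(unsigned long int)(usage.ru_maxrss >> 10)` on Linux. write_stats_file's body continues outside the hunk.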
@@ -10347,6 +10355,25 @@ int main(int argc, char** argv) {
 if (queue_cur) show_stats();
+ /*
+ * ATTENTION - the following 10 lines were copied from a PR to Google's afl
+ * repository - and slightly fixed.
+ * These lines have nothing to do with the purpose of original PR though.
+ * Looks like when an exit condition was completed (AFL_BENCH_JUST_ONE,
+ * AFL_EXIT_WHEN_DONE or AFL_BENCH_UNTIL_CRASH) the child and forkserver
+ * where not killed?
+ */
+ /* if we stopped programmatically, we kill the forkserver and the current runner. if we stopped manually, this is done by the signal handler */
+ if (stop_soon == 2){
+ if (child_pid > 0) kill(child_pid, SIGKILL);
+ if (forksrv_pid > 0) kill(forksrv_pid, SIGKILL);
+ /* Now that we've killed the forkserver, we wait for it to be able to get rusage stats. */
+ if (waitpid(forksrv_pid, NULL, 0) <= 0) {
+ WARNF("error waitpid\n");
+ }
+ }
+
 write_bitmap();
 write_stats_file(0, 0, 0);
 save_auto();
diff --git a/src/afl-fuzz-src/globals.c b/src/afl-fuzz-src/globals.c
index 127d7609..e28c3099 100644
--- a/src/afl-fuzz-src/globals.c
+++ b/src/afl-fuzz-src/globals.c
@@ -189,6 +189,7 @@ u64 total_crashes, /* Total number of crashes */
 unique_tmouts, /* Timeouts with unique signatures */
 unique_hangs, /* Hangs with unique signatures */
 total_execs, /* Total execve() calls */
+ slowest_exec_ms, /* Slowest testcase non hang in ms */
 start_time, /* Unix start time (ms) */
 last_path_time, /* Time for most recent path (ms) */
 last_crash_time, /* Time for most recent crash (ms) */
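Review bot: `waitpid(forksrv_pid, NULL, 0)` runs even when `forksrv_pid` is 0 or negative, i.e. when no forkserver exists (dumb / no-forkserver mode), and waitpid(0, …) or waitpid(-1, …) then blocks on, and reaps, whichever child changes state first rather than the forkserver the comment talks about. Keep the wait inside the guard that covers the kill: `if (forksrv_pid > 0) { kill(forksrv_pid, SIGKILL); if (waitpid(forksrv_pid, NULL, 0) <= 0) WARNF("error waitpid"); }`. The child killed on the line above is never reaped in non-forkserver mode, so its usage does not reach RUSAGE_CHILDREN either, and WARNF already appends a newline, so the `\n` in the message prints a blank line. The enclosing main() continues outside the hunk.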