-rw-r--r-- | docs/env_variables.md | 10 |
-rw-r--r-- | include/afl-fuzz.h | 4 |
2 files changed, 13 insertions, 1 deletions
diff --git a/docs/env_variables.md b/docs/env_variables.md index e8129a3f..7d4f6716 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -384,6 +384,16 @@ checks or alter some of the more exotic semantics of the tool: Note that this setting inhibits some of the user-friendly diagnostics normally done when starting up the forkserver and causes a pretty significant performance drop. + + - Setting AFL_MAX_DET_EXTRAS changes the count of dictionary enties/extras + (default 200), after which the entries will be used probabilistically. + So, if the dict/extras file (`-x`) contains more tokens than this threshold, + not all of the tokens will be used in each fuzzing step, every time. + Instead, there is a chance that the entry will be skipped during fuzzing. + This makes sure that the fuzzer doesn't spend all its time only inserting + the extras, but will still do other mutations. However, it decreases the + likelyhood for each token to be inserted, before the next queue entrie is fuzzed. + Either way, all tokens will be used eventually, in a longer fuzzing campaign. - Outdated environment variables that are that not supported anymore: AFL_DEFER_FORKSRV diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 97e60347..f3a76492 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -1028,7 +1028,9 @@ static inline u32 rand_below(afl_state_t *afl, u32 limit) { } /* Modulo is biased - we don't want our fuzzing to be biased so let's do it - * right. */ + right. See: + https://stackoverflow.com/questions/10984974/why-do-people-say-there-is-modulo-bias-when-using-a-random-number-generator + */ u64 unbiased_rnd; do { |
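Review bot: the new AFL_MAX_DET_EXTRAS paragraph in docs/env_variables.md has three spelling errors that should be fixed before merge: "dictionary enties/extras" should read "dictionary entries/extras", "likelyhood" should read "likelihood", and "next queue entrie" should read "next queue entry". It would also help to state the probabilistic behaviour more precisely: "after which the entries will be used probabilistically" can be read as only the entries beyond the 200th being sampled, while the sentences that follow describe every token having a chance of being skipped once the `-x` file exceeds the threshold; one sentence saying which of the two is meant would remove the ambiguity for someone tuning the variable.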
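Review bot: the rewritten comment in rand_below() in include/afl-fuzz.h drops the leading ` * ` from its continuation lines, so the comment now reads `right. See:` and then the bare URL with no asterisk, followed by `*/` on its own line, which is inconsistent with the block-comment style shown by the removed line `- * right. */`. Suggest ` * right. See:` / ` * https://stackoverflow.com/questions/10984974/why-do-people-say-there-is-modulo-bias-when-using-a-random-number-generator` / ` */`. Since external links rot, it would also be worth keeping a one-line explanation in the comment itself (the `do { ... }` retry loop on `unbiased_rnd` that follows rejects values that would bias the result of the modulo), so the reasoning survives even if the linked page does not.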