-rw-r--r--include/afl-fuzz.h1
-rw-r--r--src/afl-fuzz-redqueen.c19
-rw-r--r--src/afl-fuzz-stats.c25
3 files changed, 39 insertions, 6 deletions
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index 65304d19..1e670702 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -656,6 +656,7 @@ typedef struct afl_state {
       switch_fuzz_mode,                 /* auto or fixed fuzz mode          */
       calibration_time_us,              /* Time spend on calibration        */
       sync_time_us,                     /* Time spend on sync               */
+      cmplog_time_us,                   /* Time spend on cmplog             */
       trim_time_us;                     /* Time spend on trimming           */
 
   u32 slowest_exec_ms,                  /* Slowest testcase non hang in ms  */
diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c
index 6c3582f2..954e5671 100644
--- a/src/afl-fuzz-redqueen.c
+++ b/src/afl-fuzz-redqueen.c
@@ -2938,7 +2938,8 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf,
 // afl->queue_cur->exec_cksum
 u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len) {
 
-  u8 r = 1;
+  u64 cmplog_start_us = get_cur_time_us();
+  u8  r = 1;
   if (unlikely(!afl->pass_stats)) {
 
     afl->pass_stats = ck_alloc(sizeof(struct afl_pass_stat) * CMP_MAP_W);
@@ -2966,7 +2967,12 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len) {
 
   if (!afl->queue_cur->taint || !afl->queue_cur->cmplog_colorinput) {
 
-    if (unlikely(colorization(afl, buf, len, &taint))) { return 1; }
+    if (unlikely(colorization(afl, buf, len, &taint))) {
+
+      update_cmplog_time(afl, &cmplog_start_us);
+      return 1;
+
+    }
 
     // no taint? still try, create a dummy to prevent again colorization
     if (!taint) {
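Review bot: Every early return in input_to_state_stage now has to carry its own `update_cmplog_time(afl, &cmplog_start_us);` — here before `return 1;`, again on the TAINT FAILED path, at the two later `return 1;` sites and before `return r;` under exit_its — so any return path not visible in these hunks, or one added later, silently drops that interval from cmplog_time_us without any other symptom. Since the function already ends in an `exit_its:` epilogue, routing the early returns through it (set `r` and `goto exit_its`) would keep the accounting in one place, but only if the cleanup under that label is safe to run before the taint/colorization state exists, which cannot be confirmed from these hunks. The body of input_to_state_stage continues outside this hunk.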
@@ -2975,6 +2981,7 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len) {
       fprintf(stderr, "TAINT FAILED\n");
 #endif
       afl->queue_cur->colorized = CMPLOG_LVL_MAX;
+      update_cmplog_time(afl, &cmplog_start_us);
       return 0;
 
     }
@@ -2995,6 +3002,8 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len) {
 
   }
 
+  update_cmplog_time(afl, &cmplog_start_us);
+
   struct tainted *t = taint;
 
 #ifdef _DEBUG
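Review bot: The `update_cmplog_time` call added at the top of this hunk, and the two later ones before the "input-to-state" stage setup and inside the loop, are not needed for the final total — the helper adds the elapsed slice and resets the start, so the single call before `return r;` would produce the same sum. Presumably they exist so cmplog_time_us is current when fuzzer_stats is written from inside the stage, but nothing says so and a later cleanup could reasonably remove them as redundant. A one-line comment at each would protect the intent: `/* flush elapsed time now so stats written mid-stage stay current */`. input_to_state_stage continues outside this hunk.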
@@ -3027,6 +3036,7 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len) {
 
     }
 
+    update_cmplog_time(afl, &cmplog_start_us);
     return 1;
 
   }
@@ -3050,6 +3060,7 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len) {
 
     }
 
+    update_cmplog_time(afl, &cmplog_start_us);
     return 1;
 
   }
@@ -3068,6 +3079,7 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len) {
   u64 orig_hit_cnt, new_hit_cnt;
   u64 orig_execs = afl->fsrv.total_execs;
   orig_hit_cnt = afl->queued_items + afl->saved_crashes;
+  update_cmplog_time(afl, &cmplog_start_us);
 
   afl->stage_name = "input-to-state";
   afl->stage_short = "its";
@@ -3144,6 +3156,8 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len) {
 
     }
 
+    update_cmplog_time(afl, &cmplog_start_us);
+
   }
 
   r = 0;
@@ -3272,6 +3286,7 @@ exit_its:
 
 #endif
 
+  update_cmplog_time(afl, &cmplog_start_us);
   return r;
 
 }
diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c
index 609b11e4..3a71e158 100644
--- a/src/afl-fuzz-stats.c
+++ b/src/afl-fuzz-stats.c
@@ -207,6 +207,12 @@ void load_stats_file(afl_state_t *afl) {
 
       }
 
+      if (starts_with("cmplog_time", keystring)) {
+
+        afl->cmplog_time_us = strtoull(lptr, &nptr, 10) * 1000000;
+
+      }
+
       if (starts_with("trim_time", keystring)) {
 
         afl->trim_time_us = strtoull(lptr, &nptr, 10) * 1000000;
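Review bot: The new `cmplog_time` branch stores the strtoull result without checking that any digits were consumed (`nptr == lptr`) or that the value fits, and the `* 1000000` wraps a u64 for a seconds value above roughly 1.8e13, so a corrupted or hand-edited fuzzer_stats silently produces an overhead that later drives the reported fuzz_time to 0 through the MIN clamp in write_stats_file. This mirrors the existing trim_time branch, but the new code could guard it cheaply: `u64 v = strtoull(lptr, &nptr, 10);` / `if (nptr == lptr || v > UINT64_MAX / 1000000) { v = 0; }` / `afl->cmplog_time_us = v * 1000000;`. load_stats_file continues outside this hunk.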
@@ -322,8 +328,9 @@ void write_stats_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg,
   if (getrusage(RUSAGE_CHILDREN, &rus)) { rus.ru_maxrss = 0; }
 #endif
   u64 runtime_ms = afl->prev_run_time + cur_time - afl->start_time;
-  u64 overhead_ms =
-      (afl->calibration_time_us + afl->sync_time_us + afl->trim_time_us) / 1000;
+  u64 overhead_ms = (afl->calibration_time_us + afl->sync_time_us +
+                     afl->trim_time_us + afl->cmplog_time_us) /
+                    1000;
   if (!runtime_ms) { runtime_ms = 1; }
 
   fprintf(
@@ -337,6 +344,7 @@ void write_stats_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg,
       "time_wo_finds     : %llu\n"
       "fuzz_time         : %llu\n"
       "calibration_time  : %llu\n"
+      "cmplog_time       : %llu\n"
       "sync_time         : %llu\n"
       "trim_time         : %llu\n"
       "execs_done        : %llu\n"
@@ -385,8 +393,9 @@ void write_stats_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg,
                  ? 0
                  : (cur_time - afl->last_find_time) / 1000),
       (runtime_ms - MIN(runtime_ms, overhead_ms)) / 1000,
-      afl->calibration_time_us / 1000000, afl->sync_time_us / 1000000,
-      afl->trim_time_us / 1000000, afl->fsrv.total_execs,
+      afl->calibration_time_us / 1000000, afl->cmplog_time_us / 1000000,
+      afl->sync_time_us / 1000000, afl->trim_time_us / 1000000,
+      afl->fsrv.total_execs,
       afl->fsrv.total_execs / ((double)(runtime_ms) / 1000),
       afl->last_avg_execs_saved, afl->queued_items, afl->queued_favored,
       afl->queued_discovered, afl->queued_imported, afl->queued_variable,
@@ -2511,3 +2520,11 @@ inline void update_sync_time(afl_state_t *afl, u64 *time) {
 
 }
 
+inline void update_cmplog_time(afl_state_t *afl, u64 *time) {
+
+  u64 cur = get_cur_time_us();
+  afl->cmplog_time_us += cur - *time;
+  *time = cur;
+
+}
+
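Review bot: update_cmplog_time is defined `inline` without `static`, and this commit adds no prototype for it — the afl-fuzz.h hunk adds only the struct field and the diffstat shows a single insertion for the header. Under C99/C11 inline semantics, if afl-fuzz-stats.c sees no non-inline declaration of the function this is only an inline definition and no external symbol is emitted, while afl-fuzz-redqueen.c calls it through an implicit declaration; the existing update_sync_time above presumably links because a plain prototype for it already lives in the header. Add the matching `void update_cmplog_time(afl_state_t *afl, u64 *time);` next to the other update_*_time prototypes in afl-fuzz.h, or make the definition `static inline` in a header if that is the project's convention elsewhere.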