-rw-r--r--include/afl-fuzz.h3
-rw-r--r--src/afl-fuzz-run.c10
2 files changed, 13 insertions, 0 deletions
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index 0f0e45d3..ab5d29bf 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -237,6 +237,7 @@ struct queue_entry {
       handicap,                         /* Number of queue cycles behind    */
       depth,                            /* Path depth                       */
       exec_cksum,                       /* Checksum of the execution trace  */
+      prox_score,                       /* Proximity score of the test case */
       custom,                           /* Marker for custom mutators       */
       stats_mutated;                    /* stats: # of mutations performed  */
 
@@ -698,6 +699,8 @@ typedef struct afl_state {
   u64 total_bitmap_size,                /* Total bit count for all bitmaps  */
       total_bitmap_entries;             /* Number of bitmaps counted        */
 
+  u64 mean_prox_score;                  /* Mean of proximity scores         */
+
   s32 cpu_core_count,                   /* CPU core count                   */
       cpu_to_bind;                      /* bind to specific CPU             */
 
diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index a3787e5c..2da27453 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -427,6 +427,12 @@ static void write_with_gap(afl_state_t *afl, u8 *mem, u32 len, u32 skip_at,
 
 }
 
+static u64 compute_proximity_score(u32 *dfg_bits) {
+  u64 result = 0;
+  for (size_t i = 0; i < DFG_MAP_SIZE; result += dfg_bits[++i]);
+  return result;
+}
+
 /* Calibrate a new test case. This is done when processing the input directory
    to warn about flaky or otherwise problematic test cases early on; and when
    new paths are discovered to detect variable behavior and so on. */
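Review bot: The loop in compute_proximity_score reads one element past the end of dfg_bits and skips element 0: the increment clause `result += dfg_bits[++i]` runs after the bounds test has passed for i == DFG_MAP_SIZE - 1, so the final access is dfg_bits[DFG_MAP_SIZE], and the first access is dfg_bits[1]. The conventional form avoids both problems, `for (size_t i = 0; i < DFG_MAP_SIZE; i++) { result += dfg_bits[i]; }`, and the parameter can be `const u32 *dfg_bits` since it is only read. DFG_MAP_SIZE is not defined anywhere in this diff; if it is meant to be the element count of the map rather than its byte size, that should be checked where it is defined. The function also has no NULL guard on dfg_bits, which may be intentional if every caller passes a valid map, but a one-line comment stating that precondition would help.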
@@ -645,6 +651,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
   if (unlikely(!q->exec_us)) { q->exec_us = 1; }
 
   q->bitmap_size = count_bytes(afl, afl->fsrv.trace_bits);
+  q->prox_score = compute_proximity_score();
   q->handicap = handicap;
   q->cal_failed = 0;
 
@@ -653,6 +660,9 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
 
   update_bitmap_score(afl, q);
 
+  afl->mean_prox_score +=
+      (q->prox_score - afl->mean_prox_score) / afl->queued_items;
+
   /* If this case didn't result in new output from the instrumentation, tell
      parent. This is a non-critical problem, but something to warn the user
      about. */
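Review bot: The running-mean update is done in unsigned arithmetic, so whenever q->prox_score is below afl->mean_prox_score the subtraction wraps to a value near 2^64 and the division produces a huge positive term instead of a negative correction, corrupting mean_prox_score. Doing the delta in a signed type fixes it: `s64 delta = (s64)q->prox_score - (s64)afl->mean_prox_score;` followed by `afl->mean_prox_score = (u64)((s64)afl->mean_prox_score + delta / (s64)afl->queued_items);`. Two further points worth confirming: afl->queued_items must be non-zero on every path that reaches this line, and since calibrate_case is also invoked for re-calibration of existing entries, the same entry may be folded into the mean more than once, which biases it; if that is not intended, guard the update so it runs only on the first successful calibration. calibrate_case continues outside this hunk.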