Diffstat (limited to 'src/afl-fuzz-queue.c')
-rw-r--r--src/afl-fuzz-queue.c20
1 files changed, 13 insertions, 7 deletions
diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c
index 9a0d199e..66938635 100644
--- a/src/afl-fuzz-queue.c
+++ b/src/afl-fuzz-queue.c
@@ -43,7 +43,8 @@ inline u32 select_next_queue_entry(afl_state_t *afl) {
 }
 
 double compute_weight(afl_state_t *afl, struct queue_entry *q,
-                      double avg_exec_us, double avg_bitmap_size) {
+                      double avg_exec_us, double avg_bitmap_size,
+                      double avg_top_size) {
 
   double weight = 1.0;
 
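Review bot: The new `double avg_top_size` parameter changes the signature of a non-static function, and this diffstat is limited to src/afl-fuzz-queue.c, so any prototype of compute_weight in a header is not visible here; if one exists it must be updated in the same commit or the build breaks, and if the only caller is create_alias_table below, making the definition `static double compute_weight(...)` would keep the contract local. The meaning of the new argument is also undocumented; a line above the signature such as `/* avg_top_size: mean q->tc_ref over active entries; must be > 0 */` would state the precondition the body relies on. compute_weight's body continues past this hunk.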
@@ -54,9 +55,9 @@ double compute_weight(afl_state_t *afl, struct queue_entry *q,
 
   }
 
-  weight *= avg_exec_us / q->exec_us;
+  if (likely(afl->schedule < RARE)) { weight *= (avg_exec_us / q->exec_us); }
   weight *= (log(q->bitmap_size) / avg_bitmap_size);
-
+  weight *= (1 + (q->tc_ref / avg_top_size));
   if (unlikely(q->favored)) weight *= 5;
 
   return weight;
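Review bot: `weight *= (1 + (q->tc_ref / avg_top_size));` divides by a caller-computed average that is 0.0 whenever no active entry holds a top_rated slot, so every weight becomes NaN (0/0) and the alias-table sums built from them in create_alias_table are poisoned; the corresponding `avg_top_size /= active;` line in the later hunk inherits the same active == 0 hazard the two existing averages already have. Guarding the factor keeps the old behaviour when the statistic is unavailable: `if (likely(avg_top_size > 0)) { weight *= (1 + (q->tc_ref / avg_top_size)); }`. Whether avg_top_size can actually be zero depends on when create_alias_table runs relative to the code that increments tc_ref, which this diff does not show, so treat this as a precondition to confirm. compute_weight starts in the previous hunk and its closing brace is outside this one.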
@@ -91,6 +92,7 @@ void create_alias_table(afl_state_t *afl) {
 
     double avg_exec_us = 0.0;
     double avg_bitmap_size = 0.0;
+    double avg_top_size = 0.0;
     u32    active = 0;
 
     for (i = 0; i < n; i++) {
@@ -102,6 +104,7 @@ void create_alias_table(afl_state_t *afl) {
 
         avg_exec_us += q->exec_us;
         avg_bitmap_size += log(q->bitmap_size);
+        avg_top_size += q->tc_ref;
         ++active;
 
       }
@@ -110,6 +113,7 @@ void create_alias_table(afl_state_t *afl) {
 
     avg_exec_us /= active;
     avg_bitmap_size /= active;
+    avg_top_size /= active;
 
     for (i = 0; i < n; i++) {
 
@@ -117,7 +121,8 @@ void create_alias_table(afl_state_t *afl) {
 
       if (likely(!q->disabled)) {
 
-        q->weight = compute_weight(afl, q, avg_exec_us, avg_bitmap_size);
+        q->weight =
+            compute_weight(afl, q, avg_exec_us, avg_bitmap_size, avg_top_size);
         q->perf_score = calculate_score(afl, q);
         sum += q->weight;
 
@@ -489,11 +494,12 @@ void add_to_queue(afl_state_t *afl, u8 *fname, u32 len, u8 passed_det) {
 
 void destroy_queue(afl_state_t *afl) {
 
-  struct queue_entry *q;
-  u32                 i;
+  u32 i;
 
   for (i = 0; i < afl->queued_paths; i++) {
 
+    struct queue_entry *q;
+
     q = afl->queue_buf[i];
     ck_free(q->fname);
     ck_free(q->trace_mini);
@@ -996,7 +1002,7 @@ inline void queue_testcase_retake(afl_state_t *afl, struct queue_entry *q,
 
       if (unlikely(!q->testcase_buf)) {
 
-        PFATAL("Unable to malloc '%s' with len %d", q->fname, len);
+        PFATAL("Unable to malloc '%s' with len %u", q->fname, len);
 
       }