Age | Commit message | Author
* cache item number to cache memory size
* reload testcase if trimming changed the size
* fix splicing selection
* slim splicing
* import sync fix
* write testcache stats to fuzzer_stats
* fix new seed selection algo
* malloc+read instead of mmap
* fix
* testcache is configurable now and no reference counts
* fixes compilation, test script
* fixes
* switch TEST_CC to afl-cc in makefile
* code format
* fix
* fix crash
* fix crash
* fix env help output
* remove unnecessary pointer resets
* fix endless loop bug
* actually use the cache if set
* one more fix
* increase default cache entries, add default cache size value to config.h
Co-authored-by: hexcoder- <heiko@hexco.de>
* maybe_grow takes a single ptr
* fixed use_deflate
* reworked maybe_grow_bufsize
* helper to access underlying buf
* remove redundant realloc_block
* code format
* fixes
* added unit tests
* renamed maybe_grow to afl_realloc
* BUF_PARAMS -> AFL_BUF_PARAM
This reverts commit a7537b5511ad767d2240cf2dc6d3e261daa676f9, reversing
changes made to 15e799f7ae666418e75c6a79db833c5316b21f97.
skipping ctor+ifunc functions for all llvm, code-format
Add post-process functionality in write_with_gap
Fix saturated maps & stability cliff in recalibration
I have observed two problems:
1. A sudden "stability cliff" where stability drops precipitously.
2. A sudden jump to a 100% saturated "density map".
Both issues are due to attempted "recalibration" of a case at the
beginning of fuzz_one_original() or mopt_common_fuzzing(). See the
comments "CALIBRATION (only if failed earlier on)" in those functions
and the subsequent call to calibrate_case().
At those calls to calibrate_case(), afl->fsrv.trace_bits holds
trace_bits for a run of the SUT on a prior queue entry. However,
calibrate_case() may use the trace_bits as if they apply to the
current queue entry (afl->queue_cur).
Most often this bug causes the "stability cliff". Trace bits are
compared for runs on distinct inputs, which can be very different.
The result is a sudden drop in stability.
Sometimes it leads to the "saturated map" problem. A saturated
density map arises if the trace bits on the previous entry were
"simplified" by simplify_trace(). Simplified traces only contain the
values 1 and 128. They are meant to be compared against
virgin_crashes and virgin_tmouts.
However, this bug causes the (stale) simplified trace to be compared
against virgin_bits during a call to has_new_bits(), which causes
every byte in virgin_bits to be something other than 255. The overall
map density is determined by the percentage of bytes not 255, which
will be 100%. Worse, AFL++ will be unable to detect novel occurrences
of edge counts 1 and 128 going forward.
This patch avoids the above issues by clearing q->exec_cksum when
calibration fails. Recalibrations are forced to start with a fresh
trace on the queue entry.
Thanks to @andreafioraldi for suggesting the current, improved patch.