about summary refs log tree commit diff
path: root/src/afl-fuzz-run.c
AgeCommit message (Collapse)Author
2020-06-29fix autodictvan Hauser
2020-06-26original fix for calibration errorAndrea Fioraldi
2020-06-25shmem release fixvan Hauser
2020-06-25initialized variableDominik Maier
2020-06-25Merge pull request #425 from dgmelski/fix-recalibrationAndrea Fioraldi
Fix saturated maps & stability cliff in recalibration
2020-06-25add seek power schedule, remove update stats in calibration, fix help outputvan Hauser
2020-06-24Fix saturated maps & stability cliff in recalibrationDavid Melski
I have observed two problems: 1. A sudden "stability cliff" where stability drops precipitously. 2. A sudden jump to a 100% saturated "density map". Both issues are due to attempted "recalibration" of a case at the beginning of fuzz_one_original() or mopt_common_fuzzing(). See the comments "CALIBRATION (only if failed earlier on)" in those functions and the subsequent call to calibrate_case(). At those calls to calibrate_case(), afl->fsrv.trace_bits holds trace_bits for a run of the SUT on a prior queue entry. However, calibrate_case() may use the trace_bits as if they apply to the current queue entry (afl->queue_cur). Most often this bug causes the "stability cliff". Trace bits are compared for runs on distinct inputs, which can be very different. The result is a sudden drop in stability. Sometimes it leads to the "saturated map" problem. A saturated density map arises if the trace bits on the previous entry were "simplified" by simplify_trace(). Simplified traces only contain the values 1 and 128. They are meant to be compared against virgin_crashes and virgin_tmouts. However, this bug causes the (stale) simplified trace to be compared against virgin_bits during a call to has_new_bits(), which causes every byte in vigin_bits to be something other than 255. The overall map density is determined by the percentage of bytes not 255, which will be 100%. Worse, AFL++ will be unable to detect novel occurrences of edge counts 1 and 128 going forward. This patch avoids the above issues by clearing q->exec_cksum when calibration fails. Recalibrations are forced to start with a fresh trace on the queue entry. Thanks to @andreafioraldi for suggesting the current, improved patch.
2020-06-24create .synced/NAMES.last to document last sync attemptsvan Hauser
2020-06-22allow /tmpvan Hauser
2020-06-21fix unicorn mode for CFLAGSvan Hauser
2020-06-13code formatvan Hauser
2020-06-13fix shmemvan Hauser
2020-06-12switch to faster and better hash + randomvan Hauser
2020-06-04fix cmplog for shmem persistent modevan Hauser
2020-06-03switch shmem_len to the mapvan Hauser
2020-06-03OpenBSD: add missing limits.h header for PATH_MAXhexcoder-
2020-06-03code formatvan Hauser
2020-06-02got rid of questionable phrasingDominik Maier
2020-05-31starting shmap support for unicornDominik Maier
2020-05-25persistent mode: shared memory test case transfervan Hauser
2020-05-20better sync - lesser and better importsvan Hauser
2020-05-19forgot the unlink ...van Hauser
2020-05-19if no master is present a slave becomes a temporary mastervan Hauser
2020-05-15change: slaves only sync from mastersvan Hauser
2020-05-13fix GNUmakefilevan Hauser
2020-05-13Add post library API as custom mutator and rename pre_saverish9101
2020-05-13move has_new_bits for better performancevan Hauser
2020-05-09custom mutator code enhancements and code-formatvan Hauser
2020-05-08Support multiple custom mutators (#282)Rishi Ranjan
* Make a list of custom mutators using env variable * Set up multiple custom mutators * Add destroy custom mutator and changes to load_custom_mutator * Use array instead of list, make changes to afl-fuzz-one for multiple mutators * Make change to fuzz-one custom_queue_get to support multiple mutators * Modify custom python mutator support * Fix bug * Fix missing afl->mutator->data * Revert to list with max count * Change custom_pre_save hook and code format * Free custom_mutator struct in the list * Add testcase for multiple custom mutators * Resolve merge conflict
2020-05-07fix static and profiling compilation and add profiling calculationvan Hauser
2020-04-26fix negative stability bug (hopefully)van Hauser
2020-04-19clang-tidy readability-braces (#323)Dominik Maier
2020-04-17fix plot_data output and code-formatvan Hauser
2020-04-16renamed duplicated func namesDominik Maier
2020-04-16decoupled run and classifyDominik Maier
2020-04-16code-formatDominik Maier
2020-04-15somewhat unified write_to_testcaseDominik Maier
2020-04-15fix document modevan Hauser
2020-04-15changed run_targetDominik Maier
2020-04-14code formatDominik Maier
2020-04-14unified forkservered run_target, fixes #308Dominik Maier
2020-04-13allow -L -1 to enable mopt in parallel to classic mutationvan Hauser
2020-04-13fix all cmplog errorsAndrea Fioraldi
2020-04-13fix some cmplog refactoring bugsAndrea Fioraldi
2020-04-12Better solution for ARM64 build fix (#315)David CARLIER
2020-04-12build on arm64 fix. tested on Android. (#313)David CARLIER
2020-04-11more refactoring and update changelogvan Hauser
2020-04-11refactored cmplogDominik Maier
2020-04-10LTO optimization, variable map size, autodictionary (#307)van Hauser
* lto module clean-up * step 1/3 * step 1/3 completed * if tmp is ever made non-static * parts 2 and 3 - autodictionary is complete * variable map_size support * variable map size: changed overlooked functions * remove debug for autodict * 64 bit alignment of map size * fix review comments * force 64 bit alignment on both sides * typo
2020-04-10resize fix + code formatDominik Maier
generated by cgit-pink 1.4.1 (git 2.36.1) at 2025-06-01 23:39:51 +0000