From b1bfc1ae76bacbf48b81c81480a9f32e0c8919f6 Mon Sep 17 00:00:00 2001
From: vanhauser-thc <vh@thc.org>
Date: Mon, 27 Mar 2023 17:51:53 +0200
Subject: time_wo_finds in fuzzer_stats

---
 include/afl-fuzz.h | 1 +
 1 file changed, 1 insertion(+)

(limited to 'include/afl-fuzz.h')

diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index 6a8e8b5d..58d02af5 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -591,6 +591,7 @@ typedef struct afl_state {
       last_find_time,                   /* Time for most recent path (ms)   */
       last_crash_time,                  /* Time for most recent crash (ms)  */
       last_hang_time,                   /* Time for most recent hang (ms)   */
+      longest_find_time,                /* Longest time taken for a find    */
       exit_on_time,                     /* Delay to exit if no new paths    */
       sync_time;                        /* Sync time (ms)                   */
 
-- 
cgit 1.4.1


From e46e0bce44f0799731f5e7724ba3dfacafd4c41a Mon Sep 17 00:00:00 2001
From: vanhauser-thc <vh@thc.org>
Date: Sun, 2 Apr 2023 12:03:45 +0200
Subject: allow pizza mode to be disabled

---
 docs/Changelog.md     |  3 +++
 docs/env_variables.md |  2 +-
 include/afl-fuzz.h    |  6 ++++--
 src/afl-fuzz-state.c  | 10 +++++++++-
 4 files changed, 17 insertions(+), 4 deletions(-)

(limited to 'include/afl-fuzz.h')

diff --git a/docs/Changelog.md b/docs/Changelog.md
index 3c06a785..fbf50137 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -9,6 +9,9 @@
     - added `AFL_NO_WARN_INSTABILITY`
     - added `AFL_FRIDA_STATS_INTERVAL`
     - added time_wo_finds to fuzzer_stats
+    - fixed a crash in pizza (1st april easter egg) mode. Sorry for
+      everyone who was affected!
+    - allow pizza mode to be disabled when AFL_PIZZA_MODE is set to -1
   - afl-cc:
     - add CFI sanitizer variant to gcc targets
     - llvm 16 support (thanks to @devnexen!)
diff --git a/docs/env_variables.md b/docs/env_variables.md
index c9dc1bbd..a6a0ae44 100644
--- a/docs/env_variables.md
+++ b/docs/env_variables.md
@@ -581,7 +581,7 @@ checks or alter some of the more exotic semantics of the tool:
     constructors in your target, you can set `AFL_EARLY_FORKSERVER`.
     Note that this is not a compile time option but a runtime option :-)
 
-  - Set `AFL_PIZZA_MODE` to 1 to enable the April 1st stats menu, set to 0
+  - Set `AFL_PIZZA_MODE` to 1 to enable the April 1st stats menu, set to -1
     to disable although it is 1st of April.
 
   - If you need a specific interval to update fuzzer_stats file, you can
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index 58d02af5..5fd393dd 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -398,8 +398,8 @@ typedef struct afl_env_vars {
       afl_bench_until_crash, afl_debug_child, afl_autoresume, afl_cal_fast,
       afl_cycle_schedules, afl_expand_havoc, afl_statsd, afl_cmplog_only_new,
       afl_exit_on_seed_issues, afl_try_affinity, afl_ignore_problems,
-      afl_keep_timeouts, afl_pizza_mode, afl_no_crash_readme,
-      afl_ignore_timeouts, afl_no_startup_calibration, afl_no_warn_instability;
+      afl_keep_timeouts, afl_no_crash_readme, afl_ignore_timeouts,
+      afl_no_startup_calibration, afl_no_warn_instability;
 
   u8 *afl_tmpdir, *afl_custom_mutator_library, *afl_python_module, *afl_path,
       *afl_hang_tmout, *afl_forksrv_init_tmout, *afl_preload,
@@ -408,6 +408,8 @@ typedef struct afl_env_vars {
       *afl_testcache_entries, *afl_child_kill_signal, *afl_fsrv_kill_signal,
       *afl_target_env, *afl_persistent_record, *afl_exit_on_time;
 
+  s32 afl_pizza_mode;
+
 } afl_env_vars_t;
 
 struct afl_pass_stat {
diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c
index f9aa5cfe..46b67def 100644
--- a/src/afl-fuzz-state.c
+++ b/src/afl-fuzz-state.c
@@ -648,7 +648,15 @@ void read_afl_environment(afl_state_t *afl, char **envp) {
 
   }
 
-  if (afl->afl_env.afl_pizza_mode) { afl->pizza_is_served = 1; }
+  if (afl->afl_env.afl_pizza_mode > 0) {
+
+    afl->pizza_is_served = 1;
+
+  } else if (afl->afl_env.afl_pizza_mode < 0) {
+
+    OKF("Pizza easter egg mode is now disabled.");
+
+  }
 
   if (issue_detected) { sleep(2); }
 
-- 
cgit 1.4.1


From 36127fb1970746f53fec44f9394061f57a4e94c3 Mon Sep 17 00:00:00 2001
From: vanhauser-thc <vh@thc.org>
Date: Wed, 5 Apr 2023 12:59:20 +0200
Subject: add -z switch

---
 docs/Changelog.md    | 1 +
 include/afl-fuzz.h   | 3 ++-
 src/afl-fuzz-queue.c | 7 ++++++-
 src/afl-fuzz.c       | 5 +++++
 4 files changed, 14 insertions(+), 2 deletions(-)

(limited to 'include/afl-fuzz.h')

diff --git a/docs/Changelog.md b/docs/Changelog.md
index fbf50137..8127e594 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -12,6 +12,7 @@
     - fixed a crash in pizza (1st april easter egg) mode. Sorry for
       everyone who was affected!
     - allow pizza mode to be disabled when AFL_PIZZA_MODE is set to -1
+    - add -z switch to prefer new coverage findings in seed selection
   - afl-cc:
     - add CFI sanitizer variant to gcc targets
     - llvm 16 support (thanks to @devnexen!)
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index 5fd393dd..7ff3315b 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -501,7 +501,8 @@ typedef struct afl_state {
       custom_splice_optout,             /* Custom mutator no splice buffer  */
       is_main_node,                     /* if this is the main node         */
       is_secondary_node,                /* if this is a secondary instance  */
-      pizza_is_served;                  /* pizza mode                       */
+      pizza_is_served,                  /* pizza mode                       */
+      prefer_new;                       /* prefer new queue entries         */
 
   u32 stats_update_freq;                /* Stats update frequency (execs)   */
 
diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c
index 40184645..1cdc8b54 100644
--- a/src/afl-fuzz-queue.c
+++ b/src/afl-fuzz-queue.c
@@ -74,9 +74,14 @@ double compute_weight(afl_state_t *afl, struct queue_entry *q,
   if (likely(afl->schedule < RARE)) { weight *= (avg_exec_us / q->exec_us); }
   weight *= (log(q->bitmap_size) / avg_bitmap_size);
   weight *= (1 + (q->tc_ref / avg_top_size));
-  if (unlikely(weight < 1.0)) { weight = 1.0; }
+  if (unlikely(weight < 0.1)) { weight = 0.1; }
   if (unlikely(q->favored)) { weight *= 5; }
   if (unlikely(!q->was_fuzzed)) { weight *= 2; }
+  if (unlikely(afl->prefer_new)) {
+
+    weight *= (2.0 * (q->id / (afl->queued_items - 1)));
+
+  }
 
   return weight;
 
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 3380fd90..0f01360e 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -132,6 +132,7 @@ static void usage(u8 *argv0, int more_help) {
       "                  fast(default), explore, exploit, seek, rare, mmopt, "
       "coe, lin\n"
       "                  quad -- see docs/FAQ.md for more information\n"
+      "  -z            - prefer new coverage findings when fuzzing\n"
       "  -f file       - location read by the fuzzed program (default: stdin "
       "or @@)\n"
       "  -t msec       - timeout for each run (auto-scaled, default %u ms). "
@@ -569,6 +570,10 @@ int main(int argc, char **argv_orig, char **envp) {
         afl->max_length = atoi(optarg);
         break;
 
+      case 'z':
+        afl->prefer_new = 1;
+        break;
+
       case 'Z':
         afl->old_seed_selection = 1;
         break;
-- 
cgit 1.4.1