From 29853549c3c12b4ebd4c2af4f0d728a13f30a727 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 20 Mar 2020 08:54:09 +0100 Subject: add RARE schedule. also fixes doc_path --- src/afl-fuzz.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) (limited to 'src/afl-fuzz.c') diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 10fee76c..15caa65f 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -96,8 +96,8 @@ static void usage(afl_state_t *afl, u8 *argv0, int more_help) { "Execution control settings:\n" " -p schedule - power schedules recompute a seed's performance " "score.\n" - " \n" + " \n" " see docs/power_schedules.md\n" " -f file - location read by the fuzzed program (stdin)\n" " -t msec - timeout for each run (auto-scaled, 50-%d ms)\n" @@ -250,7 +250,7 @@ int main(int argc, char **argv_orig, char **envp) { SAYF(cCYA "afl-fuzz" VERSION cRST " based on afl by Michal Zalewski and a big online community\n"); - doc_path = access(DOC_PATH, F_OK) ? (u8 *)"docs" : doc_path; + doc_path = access(DOC_PATH, F_OK) != 0 ? (u8 *)"docs" : (u8 *)DOC_PATH; gettimeofday(&tv, &tz); afl->init_seed = tv.tv_sec ^ tv.tv_usec ^ getpid(); @@ -304,6 +304,10 @@ int main(int argc, char **argv_orig, char **envp) { afl->schedule = MMOPT; + } else if (!stricmp(optarg, "rare")) { + + afl->schedule = RARE; + } else if (!stricmp(optarg, "explore") || !stricmp(optarg, "default") || !stricmp(optarg, "normal") || !stricmp(optarg, "afl")) { 
@@ -760,8 +764,9 @@ int main(int argc, char **argv_orig, char **envp) { case LIN: OKF("Using linear power schedule (LIN)"); break; case QUAD: OKF("Using quadratic power schedule (QUAD)"); break; case MMOPT: OKF("Using modified MOpt power schedule (MMOPT)"); break; + case RARE: OKF("Using rare edge focus power schedule (RARE)"); break; case EXPLORE: - OKF("Using exploration-based constant power schedule (EXPLORE)"); + OKF("Using exploration-based constant power schedule (EXPLORE, default)"); break; default: FATAL("Unknown power schedule"); break; -- cgit 1.4.1 From c6db05c5ae11e2a33df8aa450d6ccac7d6109a02 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sat, 21 Mar 2020 21:10:38 +0100 Subject: test.sh with -no-pie --- Makefile | 18 +++++++++++++----- README.md | 1 + include/afl-fuzz.h | 3 +++ src/afl-fuzz-bitmap.c | 1 + src/afl-fuzz-globals.c | 2 ++ src/afl-fuzz-init.c | 1 + src/afl-fuzz-one.c | 2 ++ src/afl-fuzz-run.c | 2 ++ src/afl-fuzz.c | 2 ++ test/test.sh | 10 +++++----- 10 files changed, 32 insertions(+), 10 deletions(-) (limited to 'src/afl-fuzz.c') diff --git a/Makefile b/Makefile index 018efe29..9913c603 100644 --- a/Makefile +++ b/Makefile @@ -151,6 +151,18 @@ ifdef STATIC LDFLAGS += -lm -lpthread -lz -lutil endif +ifdef ASAN_BUILD + $(info Compiling ASAN version of binaries) + CFLAGS+=-fsanitize=address + LDFLAGS+=-fsanitize=address +endif + +ifdef PROFILING + $(info Compiling profiling version of binaries) + CFLAGS+=-pg + LDFLAGS+=-pg +endif + ifeq "$(shell echo '$(HASH)include @$(HASH)include @int main() { int _id = shmget(IPC_PRIVATE, 65536, IPC_CREAT | IPC_EXCL | 0600); shmctl(_id, IPC_RMID, 0); return 0;}' | tr @ '\n' | $(CC) -x c - -o .test2 2>/dev/null && echo 1 || echo 0 ; rm -f .test2 )" "1" SHMAT_OK=1 else 
@@ -165,11 +177,6 @@ ifeq "$(TEST_MMAP)" "1" LDFLAGS+=-Wno-deprecated-declarations endif -ifdef ASAN_BUILD - CFLAGS+=-fsanitize=address - LDFLAGS+=-fsanitize=address -endif - all: test_x86 test_shm test_python ready $(PROGS) afl-as test_build all_done man: $(MANPAGES) @@ -208,6 +215,7 @@ help: @echo "==========================================" @echo STATIC - compile AFL++ static @echo ASAN_BUILD - compiles with memory sanitizer for debug purposes + @echo PROFILING - compile afl-fuzz with profiling information @echo AFL_NO_X86 - if compiling on non-intel/amd platforms @echo "==========================================" @echo e.g.: make ASAN_BUILD=1 diff --git a/README.md b/README.md index 1476b440..8982d76a 100644 --- a/README.md +++ b/README.md @@ -174,6 +174,7 @@ These build options exist: * STATIC - compile AFL++ static * ASAN_BUILD - compiles with memory sanitizer for debug purposes +* PROFILING - compile with profiling information (gprof) * AFL_NO_X86 - if compiling on non-intel/amd platforms * LLVM_CONFIG - if your distro doesn't use the standard name for llvm-config (e.g. Debian) diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 1d83f335..ef68ba5d 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -118,6 +118,9 @@ extern s16 interesting_16[INTERESTING_8_LEN + INTERESTING_16_LEN]; extern s32 interesting_32[INTERESTING_8_LEN + INTERESTING_16_LEN + INTERESTING_32_LEN]; +extern u32 bmcnt, initcnt, one1cnt, one2cnt, runcnt; + + struct queue_entry { u8 *fname; /* File name for the test case */ diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index 86474adc..06078fc2 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c 
@@ -578,6 +578,7 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { /* Try to calibrate inline; this also calls update_bitmap_score() when successful. */ + bmcnt++; res = calibrate_case(afl, afl->queue_top, mem, afl->queue_cycle - 1, 0); if (res == FAULT_ERROR) FATAL("Unable to execute target application"); diff --git a/src/afl-fuzz-globals.c b/src/afl-fuzz-globals.c index 88633a1b..108952e4 100644 --- a/src/afl-fuzz-globals.c +++ b/src/afl-fuzz-globals.c @@ -38,6 +38,8 @@ u8 *doc_path = NULL; /* gath to documentation dir */ /* Initialize MOpt "globals" for this afl state */ +u32 bmcnt, initcnt, one1cnt, one2cnt, runcnt; + static void init_mopt_globals(afl_state_t *afl) { MOpt_globals_t *core = &afl->mopt_globals_core; diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index c3f3fac0..456415f9 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -473,6 +473,7 @@ void perform_dry_run(afl_state_t *afl) { close(fd); + initcnt++; res = calibrate_case(afl, q, use_mem, 0, 1); ck_free(use_mem); diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index c1458dbb..5211d565 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -442,6 +442,7 @@ u8 fuzz_one_original(afl_state_t *afl) { if (afl->queue_cur->cal_failed < CAL_CHANCES) { + one1cnt++; res = calibrate_case(afl, afl->queue_cur, in_buf, afl->queue_cycle - 1, 0); @@ -2460,6 +2461,7 @@ u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { if (afl->queue_cur->cal_failed < CAL_CHANCES) { + one2cnt++; res = calibrate_case(afl, afl->queue_cur, in_buf, afl->queue_cycle - 1, 0); diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index c8153857..6fbb7539 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c 
@@ -303,6 +303,8 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, trying to calibrate already-added finds. This helps avoid trouble due to intermittent latency. */ + runcnt++; + if (!from_queue || afl->resuming_fuzz) use_tmout = MAX(afl->fsrv.exec_tmout + CAL_TMOUT_ADD, afl->fsrv.exec_tmout * CAL_TMOUT_PERC / 100); diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 15caa65f..9692c1cb 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1196,6 +1196,8 @@ stop_fuzzing: OKF("We're done here. Have a nice day!\n"); +printf("%u %u %u %u %u\n", bmcnt, initcnt, one1cnt, one2cnt, runcnt); + exit(0); } diff --git a/test/test.sh b/test/test.sh index 5246a3ec..19231e50 100755 --- a/test/test.sh +++ b/test/test.sh @@ -653,7 +653,7 @@ test -e ../libradamsa.so && { $ECHO "$BLUE[*] Testing: qemu_mode" test -e ../afl-qemu-trace && { - gcc -pie -fPIE -o test-instr ../test-instr.c + gcc -no-pie -fPIE -o test-instr ../test-instr.c gcc -o test-compcov test-compcov.c test -e test-instr -a -e test-compcov && { { @@ -678,8 +678,8 @@ test -e ../afl-qemu-trace && { $ECHO "$GREY[*] running afl-fuzz for qemu_mode AFL_ENTRYPOINT, this will take approx 6 seconds" { { - export AFL_ENTRYPOINT=`expr 0x4$(nm test-instr | grep "T main" | awk '{print $1}' | sed 's/^.......//')` - $ECHO AFL_ENTRYPOINT=$AFL_ENTRYPOINT - $(m test-instr | grep "T main") - $(file ./test-instr) + export AFL_ENTRYPOINT=`expr 0x4$(nm test-instr | grep "T main" | awk '{print $1}' )` + #$ECHO AFL_ENTRYPOINT=$AFL_ENTRYPOINT - $(nm test-instr | grep "T main") - $(file ./test-instr) ../afl-fuzz -m ${MEM_LIMIT} -V2 -Q -i in -o out -- ./test-instr unset AFL_ENTRYPOINT } >>errors 2>&1 
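Review bot: `printf("%u %u %u %u %u\n", bmcnt, initcnt, one1cnt, one2cnt, runcnt);` at the `stop_fuzzing:` label of afl-fuzz.c is debugging instrumentation committed to the shipped binary: it bypasses the OKF/SAYF output helpers, is unindented, and the five counters it prints are bare mutable globals exported to every translation unit through afl-fuzz.h. If the counters are meant to stay, put the declarations, the `bmcnt++`-style increments in the other files and this print behind one `#ifdef` (e.g. `#ifdef AFL_DEBUG_CALIBRATION`, constructed name) and document what each counter counts in the header; otherwise drop them before merge, as the following commit on this page (5cf34268) in fact does. main() begins outside this hunk.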
@@ -727,9 +727,9 @@ test -e ../afl-qemu-trace && { test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc" -o "$SYS" = "aarch64" -o ! "${SYS%%arm*}" && { $ECHO "$GREY[*] running afl-fuzz for persistent qemu_mode, this will take approx 10 seconds" { - export AFL_QEMU_PERSISTENT_ADDR=`expr 0x4$(nm test-instr | grep "T main" | awk '{print $1}' | sed 's/^.......//')` + export AFL_QEMU_PERSISTENT_ADDR=`expr 0x4$(nm test-instr | grep "T main" | awk '{print $1}' )` export AFL_QEMU_PERSISTENT_GPR=1 - $ECHO "Info: AFL_QEMU_PERSISTENT_ADDR=$AFL_QEMU_PERSISTENT_ADDR <= $(nm test-instr | grep "T main" | awk '{print $1}')" + #$ECHO "Info: AFL_QEMU_PERSISTENT_ADDR=$AFL_QEMU_PERSISTENT_ADDR <= $(nm test-instr | grep "T main" | awk '{print $1}')" file test-instr ../afl-fuzz -m ${MEM_LIMIT} -V10 -Q -i in -o out -- ./test-instr unset AFL_QEMU_PERSISTENT_ADDR -- cgit 1.4.1 From 5cf342683414616d4cecc55155226cf77cb2e20f Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sat, 21 Mar 2020 22:17:57 +0100 Subject: remove debug code --- include/afl-fuzz.h | 3 --- src/afl-fuzz-bitmap.c | 1 - src/afl-fuzz-globals.c | 2 -- src/afl-fuzz-init.c | 1 - src/afl-fuzz-one.c | 2 -- src/afl-fuzz-run.c | 2 -- src/afl-fuzz.c | 2 -- 7 files changed, 13 deletions(-) (limited to 'src/afl-fuzz.c') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 643d58bd..fce03d04 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -118,9 +118,6 @@ extern s16 interesting_16[INTERESTING_8_LEN + INTERESTING_16_LEN]; extern s32 interesting_32[INTERESTING_8_LEN + INTERESTING_16_LEN + INTERESTING_32_LEN]; -extern u32 bmcnt, initcnt, one1cnt, one2cnt, runcnt; - - struct queue_entry { u8 *fname; /* File name for the test case */ diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index 6375cb57..d4318725 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c 
@@ -578,7 +578,6 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { /* Try to calibrate inline; this also calls update_bitmap_score() when successful. */ - bmcnt++; res = calibrate_case(afl, afl->queue_top, mem, afl->queue_cycle - 1, 0); if (res == FAULT_ERROR) FATAL("Unable to execute target application"); diff --git a/src/afl-fuzz-globals.c b/src/afl-fuzz-globals.c index 108952e4..88633a1b 100644 --- a/src/afl-fuzz-globals.c +++ b/src/afl-fuzz-globals.c @@ -38,8 +38,6 @@ u8 *doc_path = NULL; /* gath to documentation dir */ /* Initialize MOpt "globals" for this afl state */ -u32 bmcnt, initcnt, one1cnt, one2cnt, runcnt; - static void init_mopt_globals(afl_state_t *afl) { MOpt_globals_t *core = &afl->mopt_globals_core; diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 918801d0..6bdc4853 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -473,7 +473,6 @@ void perform_dry_run(afl_state_t *afl) { close(fd); - initcnt++; res = calibrate_case(afl, q, use_mem, 0, 1); ck_free(use_mem); diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 5211d565..c1458dbb 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -442,7 +442,6 @@ u8 fuzz_one_original(afl_state_t *afl) { if (afl->queue_cur->cal_failed < CAL_CHANCES) { - one1cnt++; res = calibrate_case(afl, afl->queue_cur, in_buf, afl->queue_cycle - 1, 0); @@ -2461,7 +2460,6 @@ u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { if (afl->queue_cur->cal_failed < CAL_CHANCES) { - one2cnt++; res = calibrate_case(afl, afl->queue_cur, in_buf, afl->queue_cycle - 1, 0); diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 3f0a5962..8c075bdb 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -438,8 +438,6 @@ abort_calibration: if (!first_run) show_stats(afl); - runcnt++; - return fault; } diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 9692c1cb..15caa65f 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c 
@@ -1196,8 +1196,6 @@ stop_fuzzing: OKF("We're done here. Have a nice day!\n"); -printf("%u %u %u %u %u\n", bmcnt, initcnt, one1cnt, one2cnt, runcnt); - exit(0); } -- cgit 1.4.1 From 5a0cc43ee142842d845a0281fa8f5d0d0721a8ba Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sun, 22 Mar 2020 09:26:46 +0100 Subject: all afl msgs to stdout and only read AFL_BENCH_JUST_ONE once --- docs/Changelog.md | 2 ++ include/debug.h | 4 ++++ src/afl-fuzz.c | 4 ++-- 3 files changed, 8 insertions(+), 2 deletions(-) (limited to 'src/afl-fuzz.c') diff --git a/docs/Changelog.md b/docs/Changelog.md index ece2c4b5..8e63c388 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -20,6 +20,8 @@ sending a mail to . multiple fuzzing threads in the future or even become a library - afl basic tools now report on the environment variables picked up - more tools get environment variable usage info in the help output + - force all output to stdout (some OK/SAY/WARN messages were sent to + stdout, some to stderr) - afl-fuzz: - python mutator modules and custom mutator modules now use the same interface and hence the API changed diff --git a/include/debug.h b/include/debug.h index b3865c19..6ced60b1 100644 --- a/include/debug.h +++ b/include/debug.h @@ -32,6 +32,10 @@ * Terminal colors * *******************/ +#ifndev MESSAGES_TO_STDOUT +#define MESSAGES_TO_STDOUT +#endif + #ifdef USE_COLOR #define cBLK "\x1b[0;30m" diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 15caa65f..cc22fd5c 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -230,8 +230,7 @@ int main(int argc, char **argv_orig, char **envp) { u64 prev_queued = 0; u32 sync_interval_cnt = 0, seek_to, show_help = 0; u8 * extras_dir = 0; - u8 mem_limit_given = 0; - u8 exit_1 = !!get_afl_env("AFL_BENCH_JUST_ONE"); + u8 mem_limit_given = 0, exit_1 = 0; char **use_argv; struct timeval tv; 
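Review bot: `#ifndev MESSAGES_TO_STDOUT` in the debug.h hunk is a typo for `#ifndef MESSAGES_TO_STDOUT`. Outside a skipped group GCC and Clang reject an unknown directive with `invalid preprocessing directive #ifndev`, so every translation unit that includes debug.h stops compiling, and the `#endif` three lines later then closes nothing. The fix is the one-character change `#ifndef MESSAGES_TO_STDOUT`; since the define is now unconditional, a one-line comment above it stating why (`/* force OK/SAY/WARN output to stdout so it can be captured and redirected uniformly */`) would also help the next reader, as the Changelog entry in the same commit is the only place the intent is recorded.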
@@ -246,6 +245,7 @@ int main(int argc, char **argv_orig, char **envp) { afl_fsrv_init(&afl->fsrv); read_afl_environment(afl, envp); + exit_1 = !!afl->afl_env.afl_bench_just_one; SAYF(cCYA "afl-fuzz" VERSION cRST " based on afl by Michal Zalewski and a big online community\n"); -- cgit 1.4.1 From 5b646818670c7f8a7a22503883a37c758d7acd64 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sun, 22 Mar 2020 18:27:04 +0100 Subject: a little bit more performance --- src/afl-fuzz.c | 8 ++++---- test/checkcommit.sh | 6 ++++-- 2 files changed, 8 insertions(+), 6 deletions(-) (limited to 'src/afl-fuzz.c') diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index cc22fd5c..550bd255 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1051,9 +1051,9 @@ int main(int argc, char **argv_orig, char **envp) { } - show_stats(afl); + //show_stats(afl); - if (afl->not_on_tty) { + if (unlikely(afl->not_on_tty)) { ACTF("Entering queue cycle %llu.", afl->queue_cycle); fflush(stdout); @@ -1124,7 +1124,7 @@ int main(int argc, char **argv_orig, char **envp) { } - if (afl->queue_cur) show_stats(afl); + //if (afl->queue_cur) show_stats(afl); /* * ATTENTION - the following 10 lines were copied from a PR to Google's afl @@ -1149,12 +1149,12 @@ int main(int argc, char **argv_orig, char **envp) { } write_bitmap(afl); - write_stats_file(afl, 0, 0, 0); maybe_update_plot_file(afl, 0, 0); save_auto(afl); stop_fuzzing: + write_stats_file(afl, 0, 0, 0); afl->force_ui_update = 1; // ensure the screen is reprinted show_stats(afl); // print the screen one last time diff --git a/test/checkcommit.sh b/test/checkcommit.sh index e36a31a2..27d08d36 100755 --- a/test/checkcommit.sh +++ b/test/checkcommit.sh 
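Review bot: The two `show_stats(afl)` calls at 1051 and 1124 in afl-fuzz.c are commented out rather than removed, and `write_stats_file(afl, 0, 0, 0)` is moved from the end of the main loop to the `stop_fuzzing:` label, so nothing in this loop refreshes fuzzer_stats any more; unless show_stats() still writes the file on its own timer (not visible here), fuzzer_stats will be stale for the whole run and never written at all if afl-fuzz is killed instead of exiting through `stop_fuzzing`. Commented-out code should be deleted outright, and the performance rationale belongs in a comment at the point of the remaining call, e.g. `/* stats UI and fuzzer_stats are refreshed from show_stats() on its own interval, not per test case */` once that is confirmed. The enclosing main() begins and ends outside these hunks.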
@@ -8,6 +8,7 @@ test -z "$1" -o -n "$4" && { echo "Switches to the defined commit ID, compiles with profiling and runs" echo "afl-fuzz on a defind target and input directory, saving timing," echo "fuzzer_stats and profiling output to \".out\"" + echo "Honors CFLAGS and LDFLAGS" echo echo "Defaults:" echo " indir: \"$INDIR\"" @@ -21,8 +22,9 @@ test -n "$3" && CMDLINE=$3 git checkout "$C" || { echo "CHECKOUT FAIL $C" > $C.out ; exit 1 ; } export AFL_BENCH_JUST_ONE=1 -export CFLAGS="-O3 -funroll-loops -pg" -export LDFLAGS=-pg +test -z "$CFLAGS" && CFLAGS="-O3 -funroll-loops" +export CFLAGS="$CFLAGS -pg" +export LDFLAGS="$LDFLAGS -pg" make >/dev/null 2>&1 || echo ERROR: BUILD FAILURE test -x ./afl-fuzz || { echo "BUILD FAIL $C" > $C.out ; make clean ; exit 1 ; } -- cgit 1.4.1 From d39e9ea11c75012023a32bef813de837f4aa7325 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sun, 22 Mar 2020 19:06:39 +0100 Subject: little performance enhancements --- include/common.h | 5 ++- src/afl-fuzz-bitmap.c | 34 ++++++++++--------- src/afl-fuzz-one.c | 94 ++++++++++++++++++++++++++++++--------------------- src/afl-fuzz-stats.c | 14 ++++---- src/afl-fuzz.c | 4 +-- 5 files changed, 84 insertions(+), 67 deletions(-) (limited to 'src/afl-fuzz.c') diff --git a/include/common.h b/include/common.h index 11ae1e66..1bfafc8b 100644 --- a/include/common.h +++ b/include/common.h @@ -78,7 +78,7 @@ static u64 get_cur_time_us(void) { Will return buf for convenience. */ static u8 *stringify_int(u8 *buf, size_t len, u64 val) { - +\ #define CHK_FORMAT(_divisor, _limit_mult, _fmt, _cast) \ do { \ \ @@ -204,8 +204,7 @@ static u8 *stringify_mem_size(u8 *buf, size_t len, u64 val) { /* Describe time delta as string. Returns a pointer to buf for convenience. */ -static u8 *stringify_time_diff(u8 *buf, size_t len, u64 cur_ms, - u64 event_ms) { +static u8 *stringify_time_diff(u8 *buf, size_t len, u64 cur_ms, u64 event_ms) { u64 delta; s32 t_d, t_h, t_m, t_s; 
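Review bot: The first common.h hunk replaces the blank line after `static u8 *stringify_int(u8 *buf, size_t len, u64 val) {` with a line holding only `\`, which looks like an accidental edit rather than part of the performance change. A lone backslash-newline is a line splice (translation phase 2), so the following `#define CHK_FORMAT(_divisor, _limit_mult, _fmt, _cast) \` line is glued onto it; it still compiles only because the spliced line continues to begin with whitespace and `#`, and any text added to that `\` line later would silently corrupt the macro definition. Restore the blank line. stringify_int continues outside the hunk.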
diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index d4318725..0d5b542d 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -138,7 +138,8 @@ u8 has_new_bits(afl_state_t *afl, u8 *virgin_map) { } - if (ret && virgin_map == afl->virgin_bits) afl->bitmap_changed = 1; + if (unlikely(ret) && unlikely(virgin_map == afl->virgin_bits)) + afl->bitmap_changed = 1; return ret; @@ -419,7 +420,7 @@ u8 *describe_op(afl_state_t *afl, u8 hnb) { u8 *ret = afl->describe_op_buf_256; - if (afl->syncing_party) { + if (unlikely(afl->syncing_party)) { sprintf(ret, "sync:%s,src:%06u", afl->syncing_party, afl->syncing_case); @@ -472,11 +473,11 @@ static void write_crash_readme(afl_state_t *afl) { /* Do not die on errors here - that would be impolite. */ - if (fd < 0) return; + if (unlikely(fd < 0)) return; f = fdopen(fd, "w"); - if (!f) { + if (unlikely(!f)) { close(fd); return; @@ -517,7 +518,7 @@ static void write_crash_readme(afl_state_t *afl) { u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { - if (len == 0) return 0; + if (unlikely(len == 0)) return 0; u8 *fn = ""; u8 hnb; @@ -541,14 +542,14 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { } - if (fault == afl->crash_mode) { + if (unlikely(fault == afl->crash_mode)) { /* Keep only if there are new bits in the map, add to queue for future fuzzing, etc. */ if (!(hnb = has_new_bits(afl, afl->virgin_bits))) { - if (afl->crash_mode) ++afl->total_crashes; + if (unlikely(afl->crash_mode)) ++afl->total_crashes; return 0; } 
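Review bot: `if (unlikely(fault == afl->crash_mode))` in save_if_interesting marks what is, in the default configuration, the hot path as unlikely: assuming `crash_mode` is FAULT_NONE unless crash exploration mode is selected, as in upstream AFL, and most executions return FAULT_NONE, the hint is inverted and, where the compiler honours it, pessimises the common case. The same question applies to `unlikely(virgin_map == afl->virgin_bits)` in has_new_bits earlier in this file section, where `virgin_bits` is presumably the usual argument. Either drop the annotation on these two conditions or, if profiling showed otherwise, record the measured branch frequency in a comment next to the hint so the next reader does not "fix" it back.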
@@ -580,10 +581,11 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { res = calibrate_case(afl, afl->queue_top, mem, afl->queue_cycle - 1, 0); - if (res == FAULT_ERROR) FATAL("Unable to execute target application"); + if (unlikely(res == FAULT_ERROR)) + FATAL("Unable to execute target application"); fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600); - if (fd < 0) PFATAL("Unable to create '%s'", fn); + if (unlikely(fd < 0)) PFATAL("Unable to create '%s'", fn); ck_write(fd, mem, len, fn); close(fd); @@ -604,7 +606,7 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { if (afl->unique_hangs >= KEEP_UNIQUE_HANG) return keeping; - if (!afl->dumb_mode) { + if (likely(!afl->dumb_mode)) { #ifdef WORD_SIZE_64 simplify_trace((u64 *)afl->fsrv.trace_bits); @@ -667,7 +669,7 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { if (afl->unique_crashes >= KEEP_UNIQUE_CRASH) return keeping; - if (!afl->dumb_mode) { + if (likely(!afl->dumb_mode)) { #ifdef WORD_SIZE_64 simplify_trace((u64 *)afl->fsrv.trace_bits); @@ -679,7 +681,7 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { } - if (!afl->unique_crashes) write_crash_readme(afl); + if (unlikely(!afl->unique_crashes)) write_crash_readme(afl); #ifndef SIMPLE_FILES @@ -695,10 +697,10 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { #endif /* ^!SIMPLE_FILES */ ++afl->unique_crashes; - if (afl->infoexec) { // if the user wants to be informed on new crashes - - // do + if (unlikely(afl->infoexec)) { + + // if the user wants to be informed on new crashes - do that #if !TARGET_OS_IPHONE - // that if (system(afl->infoexec) == -1) hnb += 0; // we dont care if system errors, but we dont want a // compiler warning either 
@@ -723,7 +725,7 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { test case, too. */ fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600); - if (fd < 0) PFATAL("Unable to create '%s'", fn); + if (unlikely(fd < 0)) PFATAL("Unable to create '%s'", fn); ck_write(fd, mem, len, fn); close(fd); diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 1a0c78a8..4dea5e45 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -67,7 +67,7 @@ static u32 choose_block_len(afl_state_t *afl, u32 limit) { u32 min_value, max_value; u32 rlim = MIN(afl->queue_cycle, 3); - if (!afl->run_over10m) rlim = 1; + if (unlikely(!afl->run_over10m)) rlim = 1; switch (rand_below(afl, rlim)) { @@ -356,7 +356,7 @@ u8 fuzz_one_original(afl_state_t *afl) { #else - if (afl->mutator && afl->mutator->afl_custom_queue_get) { + if (unlikely(afl->mutator) && unlikely(afl->mutator->afl_custom_queue_get)) { /* The custom mutator will decide to skip this test case or not. */ @@ -365,7 +365,7 @@ u8 fuzz_one_original(afl_state_t *afl) { } - if (afl->pending_favored) { + if (likely(afl->pending_favored)) { /* If we have any favored, non-fuzzed new arrivals in the queue, possibly skip to them at the expense of already-fuzzed or non-favored @@ -399,7 +399,7 @@ u8 fuzz_one_original(afl_state_t *afl) { #endif /* ^IGNORE_FINDS */ - if (afl->not_on_tty) { + if (unlikely(afl->not_on_tty)) { ACTF("Fuzzing test case #%u (%u total, %llu uniq crashes found)...", afl->current_entry, afl->queued_paths, afl->unique_crashes); 
@@ -411,13 +411,13 @@ u8 fuzz_one_original(afl_state_t *afl) { fd = open(afl->queue_cur->fname, O_RDONLY); - if (fd < 0) PFATAL("Unable to open '%s'", afl->queue_cur->fname); + if (unlikely(fd < 0)) PFATAL("Unable to open '%s'", afl->queue_cur->fname); len = afl->queue_cur->len; orig_in = in_buf = mmap(0, len, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0); - if (orig_in == MAP_FAILED) + if (unlikely(orig_in == MAP_FAILED)) PFATAL("Unable to mmap '%s' with len %d", afl->queue_cur->fname, len); close(fd); @@ -436,7 +436,7 @@ u8 fuzz_one_original(afl_state_t *afl) { * CALIBRATION (only if failed earlier on) * *******************************************/ - if (afl->queue_cur->cal_failed) { + if (unlikely(afl->queue_cur->cal_failed)) { u8 res = FAULT_TMOUT; @@ -445,11 +445,12 @@ u8 fuzz_one_original(afl_state_t *afl) { res = calibrate_case(afl, afl->queue_cur, in_buf, afl->queue_cycle - 1, 0); - if (res == FAULT_ERROR) FATAL("Unable to execute target application"); + if (unlikely(res == FAULT_ERROR)) + FATAL("Unable to execute target application"); } - if (afl->stop_soon || res != afl->crash_mode) { + if (unlikely(afl->stop_soon) || res != afl->crash_mode) { ++afl->cur_skipped_paths; goto abandon_entry; @@ -466,9 +467,10 @@ u8 fuzz_one_original(afl_state_t *afl) { u8 res = trim_case(afl, afl->queue_cur, in_buf); - if (res == FAULT_ERROR) FATAL("Unable to execute target application"); + if (unlikely(res == FAULT_ERROR)) + FATAL("Unable to execute target application"); - if (afl->stop_soon) { + if (unlikely(afl->stop_soon)) { ++afl->cur_skipped_paths; goto abandon_entry; @@ -491,9 +493,9 @@ u8 fuzz_one_original(afl_state_t *afl) { orig_perf = perf_score = calculate_score(afl, afl->queue_cur); - if (perf_score == 0) goto abandon_entry; + if (unlikely(perf_score == 0)) goto abandon_entry; - if (afl->use_radamsa > 1) goto radamsa_stage; + if (unlikely(afl->use_radamsa > 1)) goto radamsa_stage; if (afl->shm.cmplog_mode) { 
@@ -1549,8 +1551,8 @@ custom_mutator_stage: * CUSTOM MUTATORS * *******************/ - if (!afl->mutator) goto havoc_stage; - if (!afl->mutator->afl_custom_fuzz) goto havoc_stage; + if (likely(!afl->mutator)) goto havoc_stage; + if (likely(!afl->mutator->afl_custom_fuzz)) goto havoc_stage; afl->stage_name = "custom mutator"; afl->stage_short = "custom"; @@ -1603,7 +1605,7 @@ custom_mutator_stage: /* Read the additional testcase into a new buffer. */ fd = open(target->fname, O_RDONLY); - if (fd < 0) PFATAL("Unable to open '%s'", target->fname); + if (unlikely(fd < 0)) PFATAL("Unable to open '%s'", target->fname); new_buf = ck_alloc_nozero(target->len); ck_read(fd, new_buf, target->len, target->fname); close(fd); @@ -1649,7 +1651,7 @@ custom_mutator_stage: afl->stage_finds[STAGE_CUSTOM_MUTATOR] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_CUSTOM_MUTATOR] += afl->stage_max; - if (afl->custom_only) { + if (likely(afl->custom_only)) { /* Skip other stages */ ret_val = 0; @@ -1680,7 +1682,7 @@ havoc_stage: perf_score = orig_perf; snprintf(afl->stage_name_buf, STAGE_BUF_SIZE, "splice %u", splice_cycle); - if (afl->stage_name != afl->stage_name_buf) + if (unlikely(afl->stage_name != afl->stage_name_buf)) afl->stage_name = afl->stage_name_buf; afl->stage_short = "splice"; afl->stage_max = SPLICE_HAVOC * perf_score / afl->havoc_div / 100; @@ -1727,7 +1729,8 @@ havoc_stage: } - switch (rand_below(afl, 15 + ((afl->extras_cnt + afl->a_extras_cnt) ? 2 : 0))) { + switch (rand_below( + afl, 15 + ((afl->extras_cnt + afl->a_extras_cnt) ? 2 : 0))) { case 0: @@ -1757,8 +1760,8 @@ havoc_stage: } else { - *(u16 *)(out_buf + rand_below(afl, temp_len - 1)) = - SWAP16(interesting_16[rand_below(afl, sizeof(interesting_16) >> 1)]); + *(u16 *)(out_buf + rand_below(afl, temp_len - 1)) = SWAP16( + interesting_16[rand_below(afl, sizeof(interesting_16) >> 1)]); } 
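Review bot: `if (likely(afl->custom_only))` at 1651 marks the custom-only path as the expected one, while the same function's new `if (likely(!afl->mutator)) goto havoc_stage;` a few lines earlier declares having a custom mutator at all to be the rare case; if custom_only is only meaningful when a mutator is loaded, the two hints cannot both describe the typical run. Hints placed by guesswork rather than measurement are easy to get backwards, so either leave `custom_only` unannotated or add the reasoning beside it, e.g. `/* users who load a custom mutator usually run custom-only */`. fuzz_one_original begins and ends outside this hunk.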
@@ -1777,8 +1780,8 @@ havoc_stage: } else { - *(u32 *)(out_buf + rand_below(afl, temp_len - 3)) = - SWAP32(interesting_32[rand_below(afl, sizeof(interesting_32) >> 2)]); + *(u32 *)(out_buf + rand_below(afl, temp_len - 3)) = SWAP32( + interesting_32[rand_below(afl, sizeof(interesting_32) >> 2)]); } @@ -1964,7 +1967,8 @@ havoc_stage: memcpy(new_buf + clone_to, out_buf + clone_from, clone_len); else memset(new_buf + clone_to, - rand_below(afl, 2) ? rand_below(afl, 256) : out_buf[rand_below(afl, temp_len)], + rand_below(afl, 2) ? rand_below(afl, 256) + : out_buf[rand_below(afl, temp_len)], clone_len); /* Tail */ @@ -2001,7 +2005,8 @@ havoc_stage: } else memset(out_buf + copy_to, - rand_below(afl, 2) ? rand_below(afl, 256) : out_buf[rand_below(afl, temp_len)], + rand_below(afl, 2) ? rand_below(afl, 256) + : out_buf[rand_below(afl, temp_len)], copy_len); break; @@ -2215,7 +2220,7 @@ retry_splicing: fd = open(target->fname, O_RDONLY); - if (fd < 0) PFATAL("Unable to open '%s'", target->fname); + if (unlikely(fd < 0)) PFATAL("Unable to open '%s'", target->fname); new_buf = ck_alloc_nozero(target->len); @@ -2264,7 +2269,7 @@ retry_splicing: radamsa_stage: - if (!afl->use_radamsa || !afl->radamsa_mutate_ptr) goto abandon_entry; + if (likely(!afl->use_radamsa || !afl->radamsa_mutate_ptr)) goto abandon_entry; afl->stage_name = "radamsa"; afl->stage_short = "radamsa"; @@ -3596,7 +3601,8 @@ pacemaker_fuzzing: afl->orig_hit_cnt_puppet = afl->queued_paths + afl->unique_crashes; afl->last_limit_time_start = get_cur_time(); afl->SPLICE_CYCLES_puppet = - (rand_below(afl, SPLICE_CYCLES_puppet_up - SPLICE_CYCLES_puppet_low + 1) + + (rand_below( + afl, SPLICE_CYCLES_puppet_up - SPLICE_CYCLES_puppet_low + 1) + SPLICE_CYCLES_puppet_low); } 
@@ -3701,8 +3707,10 @@ pacemaker_fuzzing: break; case 6: - out_buf[rand_below(afl, temp_len)] -= 1 + rand_below(afl, ARITH_MAX); - out_buf[rand_below(afl, temp_len)] += 1 + rand_below(afl, ARITH_MAX); + out_buf[rand_below(afl, temp_len)] -= + 1 + rand_below(afl, ARITH_MAX); + out_buf[rand_below(afl, temp_len)] += + 1 + rand_below(afl, ARITH_MAX); MOpt_globals.cycles_v2[STAGE_ARITH8] += 1; break; @@ -3791,12 +3799,14 @@ pacemaker_fuzzing: if (rand_below(afl, 2)) { *(u16 *)(out_buf + rand_below(afl, temp_len - 1)) = - interesting_16[rand_below(afl, sizeof(interesting_16) >> 1)]; + interesting_16[rand_below(afl, + sizeof(interesting_16) >> 1)]; } else { - *(u16 *)(out_buf + rand_below(afl, temp_len - 1)) = SWAP16( - interesting_16[rand_below(afl, sizeof(interesting_16) >> 1)]); + *(u16 *)(out_buf + rand_below(afl, temp_len - 1)) = + SWAP16(interesting_16[rand_below( + afl, sizeof(interesting_16) >> 1)]); } @@ -3811,12 +3821,14 @@ pacemaker_fuzzing: if (rand_below(afl, 2)) { *(u32 *)(out_buf + rand_below(afl, temp_len - 3)) = - interesting_32[rand_below(afl, sizeof(interesting_32) >> 2)]; + interesting_32[rand_below(afl, + sizeof(interesting_32) >> 2)]; } else { - *(u32 *)(out_buf + rand_below(afl, temp_len - 3)) = SWAP32( - interesting_32[rand_below(afl, sizeof(interesting_32) >> 2)]); + *(u32 *)(out_buf + rand_below(afl, temp_len - 3)) = + SWAP32(interesting_32[rand_below( + afl, sizeof(interesting_32) >> 2)]); } @@ -3895,7 +3907,9 @@ pacemaker_fuzzing: memcpy(new_buf + clone_to, out_buf + clone_from, clone_len); else memset(new_buf + clone_to, - rand_below(afl, 2) ? rand_below(afl, 256) : out_buf[rand_below(afl, temp_len)], + rand_below(afl, 2) + ? rand_below(afl, 256) + : out_buf[rand_below(afl, temp_len)], clone_len); /* Tail */ 
@@ -3933,7 +3947,8 @@ pacemaker_fuzzing: } else memset(out_buf + copy_to, - rand_below(afl, 2) ? rand_below(afl, 256) : out_buf[rand_below(afl, temp_len)], + rand_below(afl, 2) ? rand_below(afl, 256) + : out_buf[rand_below(afl, temp_len)], copy_len); MOpt_globals.cycles_v2[STAGE_OverWrite75] += 1; break; @@ -4122,7 +4137,8 @@ pacemaker_fuzzing: if (splice_cycle >= afl->SPLICE_CYCLES_puppet) afl->SPLICE_CYCLES_puppet = - (rand_below(afl, SPLICE_CYCLES_puppet_up - SPLICE_CYCLES_puppet_low + 1) + + (rand_below( + afl, SPLICE_CYCLES_puppet_up - SPLICE_CYCLES_puppet_low + 1) + SPLICE_CYCLES_puppet_low); afl->splicing_with = -1; diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 5b5c93bf..ab2b83c6 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -361,9 +361,9 @@ void show_stats(afl_state_t *afl) { /* Lord, forgive me this. */ - SAYF(SET_G1 bSTG bLT bH bSTOP cCYA + SAYF(SET_G1 bSTG bLT bH bSTOP cCYA " process timing " bSTG bH30 bH5 bH bHB bH bSTOP cCYA - " overall results " bSTG bH2 bH2 bRT "\n"); + " overall results " bSTG bH2 bH2 bRT "\n"); if (afl->dumb_mode) { @@ -446,9 +446,9 @@ void show_stats(afl_state_t *afl) { " uniq hangs : " cRST "%-6s" bSTG bV "\n", time_tmp, tmp); - SAYF(bVR bH bSTOP cCYA + SAYF(bVR bH bSTOP cCYA " cycle progress " bSTG bH10 bH5 bH2 bH2 bHB bH bSTOP cCYA - " map coverage " bSTG bH bHT bH20 bH2 bVL "\n"); + " map coverage " bSTG bH bHT bH20 bH2 bVL "\n"); /* This gets funny because we want to print several variable-length variables together, but then cram them into a fixed-width field - so we need to 
@@ -477,9 +477,9 @@ void show_stats(afl_state_t *afl) { SAYF(bSTOP " count coverage : " cRST "%-21s" bSTG bV "\n", tmp); - SAYF(bVR bH bSTOP cCYA + SAYF(bVR bH bSTOP cCYA " stage progress " bSTG bH10 bH5 bH2 bH2 bX bH bSTOP cCYA - " findings in depth " bSTG bH10 bH5 bH2 bH2 bVL "\n"); + " findings in depth " bSTG bH10 bH5 bH2 bH2 bVL "\n"); sprintf(tmp, "%s (%0.02f%%)", stringify_int(IB(0), afl->queued_favored), ((double)afl->queued_favored) * 100 / afl->queued_paths); @@ -556,7 +556,7 @@ void show_stats(afl_state_t *afl) { /* Aaaalmost there... hold on! */ - SAYF(bVR bH cCYA bSTOP + SAYF(bVR bH cCYA bSTOP " fuzzing strategy yields " bSTG bH10 bHT bH10 bH5 bHB bH bSTOP cCYA " path geometry " bSTG bH5 bH2 bVL "\n"); diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 550bd255..ba56ff67 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1051,7 +1051,7 @@ int main(int argc, char **argv_orig, char **envp) { } - //show_stats(afl); + // show_stats(afl); if (unlikely(afl->not_on_tty)) { @@ -1124,7 +1124,7 @@ int main(int argc, char **argv_orig, char **envp) { } - //if (afl->queue_cur) show_stats(afl); + // if (afl->queue_cur) show_stats(afl); /* * ATTENTION - the following 10 lines were copied from a PR to Google's afl -- cgit 1.4.1