| OLD | NEW |
|---|
| 1 /* | 1 /* |
| 2 american fuzzy lop - fuzzer code | 2 american fuzzy lop - fuzzer code |
| 3 -------------------------------- | 3 -------------------------------- |
| 4 | 4 |
| 5 Written and maintained by Michal Zalewski <lcamtuf@google.com> | 5 Written and maintained by Michal Zalewski <lcamtuf@google.com> |
| 6 | 6 |
| 7 Forkserver design by Jann Horn <jannhorn@googlemail.com> | 7 Forkserver design by Jann Horn <jannhorn@googlemail.com> |
| 8 | 8 |
| 9 Copyright 2013, 2014, 2015, 2016 Google Inc. All rights reserved. | 9 Copyright 2013, 2014, 2015, 2016 Google Inc. All rights reserved. |
| 10 | 10 |
| (...skipping 3888 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 3899 | 3899 |
| 3900 if (cur_ms - last_plot_ms > PLOT_UPDATE_SEC * 1000) { | 3900 if (cur_ms - last_plot_ms > PLOT_UPDATE_SEC * 1000) { |
| 3901 | 3901 |
| 3902 last_plot_ms = cur_ms; | 3902 last_plot_ms = cur_ms; |
| 3903 maybe_update_plot_file(t_byte_ratio, avg_exec); | 3903 maybe_update_plot_file(t_byte_ratio, avg_exec); |
| 3904 | 3904 |
| 3905 } | 3905 } |
| 3906 | 3906 |
| 3907 /* Honor AFL_EXIT_WHEN_DONE and AFL_BENCH_UNTIL_CRASH. */ | 3907 /* Honor AFL_EXIT_WHEN_DONE and AFL_BENCH_UNTIL_CRASH. */ |
| 3908 | 3908 |
| 3909 if (!dumb_mode && cycles_wo_finds > 20 && !pending_not_fuzzed && | 3909 if (!dumb_mode && cycles_wo_finds > 50 && !pending_not_fuzzed && |
| 3910 getenv("AFL_EXIT_WHEN_DONE")) stop_soon = 2; | 3910 getenv("AFL_EXIT_WHEN_DONE")) stop_soon = 2; |
| 3911 | 3911 |
| 3912 if (total_crashes && getenv("AFL_BENCH_UNTIL_CRASH")) stop_soon = 2; | 3912 if (total_crashes && getenv("AFL_BENCH_UNTIL_CRASH")) stop_soon = 2; |
| 3913 | 3913 |
| 3914 /* If we're not on TTY, bail out. */ | 3914 /* If we're not on TTY, bail out. */ |
| 3915 | 3915 |
| 3916 if (not_on_tty) return; | 3916 if (not_on_tty) return; |
| 3917 | 3917 |
| 3918 /* Compute some mildly useful bitmap stats. */ | 3918 /* Compute some mildly useful bitmap stats. */ |
| 3919 | 3919 |
| (...skipping 53 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 3973 if (dumb_mode) { | 3973 if (dumb_mode) { |
| 3974 | 3974 |
| 3975 strcpy(tmp, cRST); | 3975 strcpy(tmp, cRST); |
| 3976 | 3976 |
| 3977 } else { | 3977 } else { |
| 3978 | 3978 |
| 3979 /* First queue cycle: don't stop now! */ | 3979 /* First queue cycle: don't stop now! */ |
| 3980 if (queue_cycle == 1) strcpy(tmp, cMGN); else | 3980 if (queue_cycle == 1) strcpy(tmp, cMGN); else |
| 3981 | 3981 |
| 3982 /* Subsequent cycles, but we're still making finds. */ | 3982 /* Subsequent cycles, but we're still making finds. */ |
| 3983 if (cycles_wo_finds < 3) strcpy(tmp, cYEL); else | 3983 if (cycles_wo_finds < 5) strcpy(tmp, cYEL); else |
| 3984 | 3984 |
| 3985 /* No finds for a long time and no test cases to try. */ | 3985 /* No finds for a long time and no test cases to try. */ |
| 3986 if (cycles_wo_finds > 20 && !pending_not_fuzzed) strcpy(tmp, cLGN); | 3986 if (cycles_wo_finds > 50 && !pending_not_fuzzed) strcpy(tmp, cLGN); |
| 3987 | 3987 |
| 3988 /* Default: cautiously OK to stop? */ | 3988 /* Default: cautiously OK to stop? */ |
| 3989 else strcpy(tmp, cLBL); | 3989 else strcpy(tmp, cLBL); |
| 3990 | 3990 |
| 3991 } | 3991 } |
| 3992 | 3992 |
| 3993 SAYF(bV bSTOP " run time : " cRST "%-34s " bSTG bV bSTOP | 3993 SAYF(bV bSTOP " run time : " cRST "%-34s " bSTG bV bSTOP |
| 3994 " cycles done : %s%-5s " bSTG bV "\n", | 3994 " cycles done : %s%-5s " bSTG bV "\n", |
| 3995 DTD(cur_ms, start_time), tmp, DI(queue_cycle - 1)); | 3995 DTD(cur_ms, start_time), tmp, DI(queue_cycle - 1)); |
| 3996 | 3996 |
| (...skipping 877 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 4874 function is a tad too long... returns 0 if fuzzed successfully, 1 if | 4874 function is a tad too long... returns 0 if fuzzed successfully, 1 if |
| 4875 skipped or bailed out. */ | 4875 skipped or bailed out. */ |
| 4876 | 4876 |
| 4877 static u8 fuzz_one(char** argv) { | 4877 static u8 fuzz_one(char** argv) { |
| 4878 | 4878 |
| 4879 s32 len, fd, temp_len, i, j; | 4879 s32 len, fd, temp_len, i, j; |
| 4880 u8 *in_buf, *out_buf, *orig_in, *ex_tmp, *eff_map = 0; | 4880 u8 *in_buf, *out_buf, *orig_in, *ex_tmp, *eff_map = 0; |
| 4881 u64 havoc_queued, orig_hit_cnt, new_hit_cnt; | 4881 u64 havoc_queued, orig_hit_cnt, new_hit_cnt; |
| 4882 u32 splice_cycle = 0, perf_score = 100, orig_perf, prev_cksum, eff_cnt = 1; | 4882 u32 splice_cycle = 0, perf_score = 100, orig_perf, prev_cksum, eff_cnt = 1; |
| 4883 | 4883 |
| 4884 u8 ret_val = 1; | 4884 u8 ret_val = 1, doing_det = 0; |
| 4885 | 4885 |
| 4886 u8 a_collect[MAX_AUTO_EXTRA]; | 4886 u8 a_collect[MAX_AUTO_EXTRA]; |
| 4887 u32 a_len = 0; | 4887 u32 a_len = 0; |
| 4888 | 4888 |
| 4889 #ifdef IGNORE_FINDS | 4889 #ifdef IGNORE_FINDS |
| 4890 | 4890 |
| 4891 /* In IGNORE_FINDS mode, skip any entries that weren't in the | 4891 /* In IGNORE_FINDS mode, skip any entries that weren't in the |
| 4892 initial data set. */ | 4892 initial data set. */ |
| 4893 | 4893 |
| 4894 if (queue_cur->depth > 1) return 1; | 4894 if (queue_cur->depth > 1) return 1; |
| (...skipping 118 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 5013 | 5013 |
| 5014 if (skip_deterministic || queue_cur->was_fuzzed || queue_cur->passed_det) | 5014 if (skip_deterministic || queue_cur->was_fuzzed || queue_cur->passed_det) |
| 5015 goto havoc_stage; | 5015 goto havoc_stage; |
| 5016 | 5016 |
| 5017 /* Skip deterministic fuzzing if exec path checksum puts this out of scope | 5017 /* Skip deterministic fuzzing if exec path checksum puts this out of scope |
| 5018 for this master instance. */ | 5018 for this master instance. */ |
| 5019 | 5019 |
| 5020 if (master_max && (queue_cur->exec_cksum % master_max) != master_id - 1) | 5020 if (master_max && (queue_cur->exec_cksum % master_max) != master_id - 1) |
| 5021 goto havoc_stage; | 5021 goto havoc_stage; |
| 5022 | 5022 |
| 5023 doing_det = 1; |
| 5024 |
| 5023 /********************************************* | 5025 /********************************************* |
| 5024 * SIMPLE BITFLIP (+dictionary construction) * | 5026 * SIMPLE BITFLIP (+dictionary construction) * |
| 5025 *********************************************/ | 5027 *********************************************/ |
| 5026 | 5028 |
| 5027 #define FLIP_BIT(_ar, _b) do { \ | 5029 #define FLIP_BIT(_ar, _b) do { \ |
| 5028 u8* _arf = (u8*)(_ar); \ | 5030 u8* _arf = (u8*)(_ar); \ |
| 5029 u32 _bf = (_b); \ | 5031 u32 _bf = (_b); \ |
| 5030 _arf[(_bf) >> 3] ^= (128 >> ((_bf) & 7)); \ | 5032 _arf[(_bf) >> 3] ^= (128 >> ((_bf) & 7)); \ |
| 5031 } while (0) | 5033 } while (0) |
| 5032 | 5034 |
| (...skipping 86 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 5119 | 5121 |
| 5120 } | 5122 } |
| 5121 | 5123 |
| 5122 } | 5124 } |
| 5123 | 5125 |
| 5124 new_hit_cnt = queued_paths + unique_crashes; | 5126 new_hit_cnt = queued_paths + unique_crashes; |
| 5125 | 5127 |
| 5126 stage_finds[STAGE_FLIP1] += new_hit_cnt - orig_hit_cnt; | 5128 stage_finds[STAGE_FLIP1] += new_hit_cnt - orig_hit_cnt; |
| 5127 stage_cycles[STAGE_FLIP1] += stage_max; | 5129 stage_cycles[STAGE_FLIP1] += stage_max; |
| 5128 | 5130 |
| 5129 if (queue_cur->passed_det) goto havoc_stage; | |
| 5130 | |
| 5131 /* Two walking bits. */ | 5131 /* Two walking bits. */ |
| 5132 | 5132 |
| 5133 stage_name = "bitflip 2/1"; | 5133 stage_name = "bitflip 2/1"; |
| 5134 stage_short = "flip2"; | 5134 stage_short = "flip2"; |
| 5135 stage_max = (len << 3) - 1; | 5135 stage_max = (len << 3) - 1; |
| 5136 | 5136 |
| 5137 orig_hit_cnt = new_hit_cnt; | 5137 orig_hit_cnt = new_hit_cnt; |
| 5138 | 5138 |
| 5139 for (stage_cur = 0; stage_cur < stage_max; stage_cur++) { | 5139 for (stage_cur = 0; stage_cur < stage_max; stage_cur++) { |
| 5140 | 5140 |
| (...skipping 842 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 5983 | 5983 |
| 5984 stage_cur_byte = -1; | 5984 stage_cur_byte = -1; |
| 5985 | 5985 |
| 5986 /* The havoc stage mutation code is also invoked when splicing files; if the | 5986 /* The havoc stage mutation code is also invoked when splicing files; if the |
| 5987 splice_cycle variable is set, generate different descriptions and such. */ | 5987 splice_cycle variable is set, generate different descriptions and such. */ |
| 5988 | 5988 |
| 5989 if (!splice_cycle) { | 5989 if (!splice_cycle) { |
| 5990 | 5990 |
| 5991 stage_name = "havoc"; | 5991 stage_name = "havoc"; |
| 5992 stage_short = "havoc"; | 5992 stage_short = "havoc"; |
| 5993 stage_max = HAVOC_CYCLES * perf_score / havoc_div / 100; | 5993 stage_max = (doing_det ? HAVOC_CYCLES_INIT : HAVOC_CYCLES) * |
| 5994 perf_score / havoc_div / 100; |
| 5994 | 5995 |
| 5995 } else { | 5996 } else { |
| 5996 | 5997 |
| 5997 static u8 tmp[32]; | 5998 static u8 tmp[32]; |
| 5998 | 5999 |
| 5999 perf_score = orig_perf; | 6000 perf_score = orig_perf; |
| 6000 | 6001 |
| 6001 sprintf(tmp, "splice %u", splice_cycle); | 6002 sprintf(tmp, "splice %u", splice_cycle); |
| 6002 stage_name = tmp; | 6003 stage_name = tmp; |
| 6003 stage_short = "splice"; | 6004 stage_short = "splice"; |
| (...skipping 1980 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 7984 | 7985 |
| 7985 alloc_report(); | 7986 alloc_report(); |
| 7986 | 7987 |
| 7987 OKF("We're done here. Have a nice day!\n"); | 7988 OKF("We're done here. Have a nice day!\n"); |
| 7988 | 7989 |
| 7989 exit(0); | 7990 exit(0); |
| 7990 | 7991 |
| 7991 } | 7992 } |
| 7992 | 7993 |
| 7993 #endif /* !AFL_LIB */ | 7994 #endif /* !AFL_LIB */ |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2252273004:
Roll AFL 2.30b..2.31b (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master