Roll AFL 2.31b:2.38b and switch coverage to use trace-pc-guard.

third_party/afl/src/afl-fuzz.c

 /*
    american fuzzy lop - fuzzer code
    --------------------------------
 
    Written and maintained by Michal Zalewski <lcamtuf@google.com>
 
    Forkserver design by Jann Horn <jannhorn@googlemail.com>
 
    Copyright 2013, 2014, 2015, 2016 Google Inc. All rights reserved.
 
@@ skipping 3888 matching lines @@
 
   if (cur_ms - last_plot_ms > PLOT_UPDATE_SEC * 1000) {
 
     last_plot_ms = cur_ms;
     maybe_update_plot_file(t_byte_ratio, avg_exec);
  
   }
 
   /* Honor AFL_EXIT_WHEN_DONE and AFL_BENCH_UNTIL_CRASH. */
 
-  if (!dumb_mode && cycles_wo_finds > 50 && !pending_not_fuzzed &&
+  if (!dumb_mode && cycles_wo_finds > 100 && !pending_not_fuzzed &&
       getenv("AFL_EXIT_WHEN_DONE")) stop_soon = 2;
 
   if (total_crashes && getenv("AFL_BENCH_UNTIL_CRASH")) stop_soon = 2;
 
   /* If we're not on TTY, bail out. */
 
   if (not_on_tty) return;
 
   /* Compute some mildly useful bitmap stats. */
 
@@ skipping 53 matching lines @@
   if (dumb_mode) {
 
     strcpy(tmp, cRST);
 
   } else {
 
     /* First queue cycle: don't stop now! */
     if (queue_cycle == 1) strcpy(tmp, cMGN); else
 
     /* Subsequent cycles, but we're still making finds. */
-    if (cycles_wo_finds < 5) strcpy(tmp, cYEL); else
+    if (cycles_wo_finds < 25) strcpy(tmp, cYEL); else
 
     /* No finds for a long time and no test cases to try. */
-    if (cycles_wo_finds > 50 && !pending_not_fuzzed) strcpy(tmp, cLGN);
+    if (cycles_wo_finds > 100 && !pending_not_fuzzed) strcpy(tmp, cLGN);
 
     /* Default: cautiously OK to stop? */
     else strcpy(tmp, cLBL);
 
   }
 
   SAYF(bV bSTOP "        run time : " cRST "%-34s " bSTG bV bSTOP
        "  cycles done : %s%-5s  " bSTG bV "\n",
        DTD(cur_ms, start_time), tmp, DI(queue_cycle - 1));
 
@@ skipping 665 matching lines @@
   }
 
   /* Final adjustment based on input depth, under the assumption that fuzzing
      deeper test cases is more likely to reveal stuff that can't be
      discovered with traditional fuzzers. */
 
   switch (q->depth) {
 
     case 0 ... 3:   break;
     case 4 ... 7:   perf_score *= 2; break;
-    case 8 ... 13:  perf_score *= 4; break;
-    case 14 ... 25: perf_score *= 6; break;
-    default:        perf_score *= 8;
+    case 8 ... 13:  perf_score *= 3; break;
+    case 14 ... 25: perf_score *= 4; break;
+    default:        perf_score *= 5;
 
   }
 
   /* Make sure that we don't go over limit. */
 
   if (perf_score > HAVOC_MAX_MULT * 100) perf_score = HAVOC_MAX_MULT * 100;
 
   return perf_score;
 
 }
@@ skipping 232 matching lines @@
     } else {
 
       if (UR(100) < SKIP_NFAV_OLD_PROB) return 1;
 
     }
 
   }
 
 #endif /* ^IGNORE_FINDS */
 
-  if (not_on_tty)
-    ACTF("Fuzzing test case #%u (%u total)...", current_entry, queued_paths);
+  if (not_on_tty) {
+    ACTF("Fuzzing test case #%u (%u total, %llu uniq crashes found)...",
+         current_entry, queued_paths, unique_crashes);
+    fflush(stdout);
+  }
 
   /* Map the test case into memory. */
 
   fd = open(queue_cur->fname, O_RDONLY);
 
   if (fd < 0) PFATAL("Unable to open '%s'", queue_cur->fname);
 
   len = queue_cur->len;
 
   orig_in = in_buf = mmap(0, len, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
@@ skipping 1976 matching lines @@
 
 }
 
 
 /* Check if we're on TTY. */
 
 static void check_if_tty(void) {
 
   struct winsize ws;
 
+  if (getenv("AFL_NO_UI")) {
+    OKF("Disabling the UI because AFL_NO_UI is set.");
+    not_on_tty = 1;
+    return;
+  }
+
   if (ioctl(1, TIOCGWINSZ, &ws)) {
 
     if (errno == ENOTTY) {
       OKF("Looks like we're not running on a tty, so I'll be a bit less verbose.");
       not_on_tty = 1;
     }
 
     return;
   }
 
@@ skipping 366 matching lines @@
     cur_runnable = (u32)get_runnable_processes();
 
 #if defined(__APPLE__) || defined(__FreeBSD__) || defined (__OpenBSD__)
 
     /* Add ourselves, since the 1-minute average doesn't include that yet. */
 
     cur_runnable++;
 
 #endif /* __APPLE__ || __FreeBSD__ || __OpenBSD__ */
 
-    OKF("You have %u CPU cores and %u runnable tasks (utilization: %0.0f%%).",
-        cpu_core_count, cur_runnable, cur_runnable * 100.0 / cpu_core_count);
+    OKF("You have %u CPU core%s and %u runnable tasks (utilization: %0.0f%%).",
+        cpu_core_count, cpu_core_count > 1 ? "s" : "",
+        cur_runnable, cur_runnable * 100.0 / cpu_core_count);
 
     if (cpu_core_count > 1) {
 
       if (cur_runnable > cpu_core_count * 1.5) {
 
         WARNF("System under apparent load, performance may be spotty.");
 
       } else if (cur_runnable + 1 <= cpu_core_count) {
 
         OKF("Try parallel jobs - see %s/parallel_fuzzing.txt.", doc_path);
@@ skipping 322 matching lines @@
 
         if (out_dir) FATAL("Multiple -o options not supported");
         out_dir = optarg;
         break;
 
       case 'M': { /* master sync ID */
 
           u8* c;
 
           if (sync_id) FATAL("Multiple -S or -M options not supported");
-          sync_id = optarg;
+          sync_id = ck_strdup(optarg);
 
           if ((c = strchr(sync_id, ':'))) {
 
             *c = 0;
 
             if (sscanf(c + 1, "%u/%u", &master_id, &master_max) != 2 ||
                 !master_id || !master_max || master_id > master_max ||
                 master_max > 1000000) FATAL("Bogus master ID passed to -M");
 
           }
 
           force_deterministic = 1;
 
         }
 
         break;
 
       case 'S': 
 
         if (sync_id) FATAL("Multiple -S or -M options not supported");
-        sync_id = optarg;
+        sync_id = ck_strdup(optarg);
         break;
 
       case 'f': /* target file */
 
         if (out_file) FATAL("Multiple -f options not supported");
         out_file = optarg;
         break;
 
       case 'x': /* dictionary */
 
@@ skipping 288 matching lines @@
     SAYF("\n" cYEL "[!] " cRST
            "Stopped during the first cycle, results may be incomplete.\n"
            "    (For info on resuming, see %s/README.)\n", doc_path);
 
   }
 
   fclose(plot_file);
   destroy_queue();
   destroy_extras();
   ck_free(target_path);
+  ck_free(sync_id);
 
   alloc_report();
 
   OKF("We're done here. Have a nice day!\n");
 
   exit(0);
 
 }
 
 #endif /* !AFL_LIB */