1*08b48e0bSAndroid Build Coastguard Worker /*
2*08b48e0bSAndroid Build Coastguard Worker american fuzzy lop++ - queue relates routines
3*08b48e0bSAndroid Build Coastguard Worker ---------------------------------------------
4*08b48e0bSAndroid Build Coastguard Worker
5*08b48e0bSAndroid Build Coastguard Worker Originally written by Michal Zalewski
6*08b48e0bSAndroid Build Coastguard Worker
7*08b48e0bSAndroid Build Coastguard Worker Now maintained by Marc Heuse <[email protected]>,
8*08b48e0bSAndroid Build Coastguard Worker Heiko Eißfeldt <[email protected]> and
9*08b48e0bSAndroid Build Coastguard Worker Andrea Fioraldi <[email protected]>
10*08b48e0bSAndroid Build Coastguard Worker
11*08b48e0bSAndroid Build Coastguard Worker Copyright 2016, 2017 Google Inc. All rights reserved.
12*08b48e0bSAndroid Build Coastguard Worker Copyright 2019-2024 AFLplusplus Project. All rights reserved.
13*08b48e0bSAndroid Build Coastguard Worker Licensed under the Apache License, Version 2.0 (the "License");
14*08b48e0bSAndroid Build Coastguard Worker you may not use this file except in compliance with the License.
15*08b48e0bSAndroid Build Coastguard Worker You may obtain a copy of the License at:
16*08b48e0bSAndroid Build Coastguard Worker
17*08b48e0bSAndroid Build Coastguard Worker https://www.apache.org/licenses/LICENSE-2.0
18*08b48e0bSAndroid Build Coastguard Worker
19*08b48e0bSAndroid Build Coastguard Worker This is the real deal: the program takes an instrumented binary and
20*08b48e0bSAndroid Build Coastguard Worker attempts a variety of basic fuzzing tricks, paying close attention to
21*08b48e0bSAndroid Build Coastguard Worker how they affect the execution path.
22*08b48e0bSAndroid Build Coastguard Worker
23*08b48e0bSAndroid Build Coastguard Worker */
24*08b48e0bSAndroid Build Coastguard Worker
25*08b48e0bSAndroid Build Coastguard Worker #include "afl-fuzz.h"
26*08b48e0bSAndroid Build Coastguard Worker #include <limits.h>
27*08b48e0bSAndroid Build Coastguard Worker #include <ctype.h>
28*08b48e0bSAndroid Build Coastguard Worker #include <math.h>
29*08b48e0bSAndroid Build Coastguard Worker
30*08b48e0bSAndroid Build Coastguard Worker #ifdef _STANDALONE_MODULE
minimize_bits(afl_state_t * afl,u8 * dst,u8 * src)31*08b48e0bSAndroid Build Coastguard Worker void minimize_bits(afl_state_t *afl, u8 *dst, u8 *src) {
32*08b48e0bSAndroid Build Coastguard Worker
33*08b48e0bSAndroid Build Coastguard Worker return;
34*08b48e0bSAndroid Build Coastguard Worker
35*08b48e0bSAndroid Build Coastguard Worker }
36*08b48e0bSAndroid Build Coastguard Worker
run_afl_custom_queue_new_entry(afl_state_t * afl,struct queue_entry * q,u8 * a,u8 * b)37*08b48e0bSAndroid Build Coastguard Worker void run_afl_custom_queue_new_entry(afl_state_t *afl, struct queue_entry *q,
38*08b48e0bSAndroid Build Coastguard Worker u8 *a, u8 *b) {
39*08b48e0bSAndroid Build Coastguard Worker
40*08b48e0bSAndroid Build Coastguard Worker return;
41*08b48e0bSAndroid Build Coastguard Worker
42*08b48e0bSAndroid Build Coastguard Worker }
43*08b48e0bSAndroid Build Coastguard Worker
44*08b48e0bSAndroid Build Coastguard Worker #endif
45*08b48e0bSAndroid Build Coastguard Worker
46*08b48e0bSAndroid Build Coastguard Worker /* select next queue entry based on alias algo - fast! */
47*08b48e0bSAndroid Build Coastguard Worker
select_next_queue_entry(afl_state_t * afl)48*08b48e0bSAndroid Build Coastguard Worker inline u32 select_next_queue_entry(afl_state_t *afl) {
49*08b48e0bSAndroid Build Coastguard Worker
50*08b48e0bSAndroid Build Coastguard Worker u32 s = rand_below(afl, afl->queued_items);
51*08b48e0bSAndroid Build Coastguard Worker double p = rand_next_percent(afl);
52*08b48e0bSAndroid Build Coastguard Worker
53*08b48e0bSAndroid Build Coastguard Worker /*
54*08b48e0bSAndroid Build Coastguard Worker fprintf(stderr, "select: p=%f s=%u ... p < prob[s]=%f ? s=%u : alias[%u]=%u"
55*08b48e0bSAndroid Build Coastguard Worker " ==> %u\n", p, s, afl->alias_probability[s], s, s, afl->alias_table[s], p <
56*08b48e0bSAndroid Build Coastguard Worker afl->alias_probability[s] ? s : afl->alias_table[s]);
57*08b48e0bSAndroid Build Coastguard Worker */
58*08b48e0bSAndroid Build Coastguard Worker
59*08b48e0bSAndroid Build Coastguard Worker return (p < afl->alias_probability[s] ? s : afl->alias_table[s]);
60*08b48e0bSAndroid Build Coastguard Worker
61*08b48e0bSAndroid Build Coastguard Worker }
62*08b48e0bSAndroid Build Coastguard Worker
compute_weight(afl_state_t * afl,struct queue_entry * q,double avg_exec_us,double avg_bitmap_size,double avg_top_size)63*08b48e0bSAndroid Build Coastguard Worker double compute_weight(afl_state_t *afl, struct queue_entry *q,
64*08b48e0bSAndroid Build Coastguard Worker double avg_exec_us, double avg_bitmap_size,
65*08b48e0bSAndroid Build Coastguard Worker double avg_top_size) {
66*08b48e0bSAndroid Build Coastguard Worker
67*08b48e0bSAndroid Build Coastguard Worker double weight = 1.0;
68*08b48e0bSAndroid Build Coastguard Worker
69*08b48e0bSAndroid Build Coastguard Worker if (likely(afl->schedule >= FAST && afl->schedule <= RARE)) {
70*08b48e0bSAndroid Build Coastguard Worker
71*08b48e0bSAndroid Build Coastguard Worker u32 hits = afl->n_fuzz[q->n_fuzz_entry];
72*08b48e0bSAndroid Build Coastguard Worker if (likely(hits)) { weight /= (log10(hits) + 1); }
73*08b48e0bSAndroid Build Coastguard Worker
74*08b48e0bSAndroid Build Coastguard Worker }
75*08b48e0bSAndroid Build Coastguard Worker
76*08b48e0bSAndroid Build Coastguard Worker if (likely(afl->schedule < RARE)) { weight *= (avg_exec_us / q->exec_us); }
77*08b48e0bSAndroid Build Coastguard Worker weight *= (log(q->bitmap_size) / avg_bitmap_size);
78*08b48e0bSAndroid Build Coastguard Worker weight *= (1 + (q->tc_ref / avg_top_size));
79*08b48e0bSAndroid Build Coastguard Worker
80*08b48e0bSAndroid Build Coastguard Worker if (unlikely(weight < 0.1)) { weight = 0.1; }
81*08b48e0bSAndroid Build Coastguard Worker if (unlikely(q->favored)) { weight *= 5; }
82*08b48e0bSAndroid Build Coastguard Worker if (unlikely(!q->was_fuzzed)) { weight *= 2; }
83*08b48e0bSAndroid Build Coastguard Worker if (unlikely(q->fs_redundant)) { weight *= 0.8; }
84*08b48e0bSAndroid Build Coastguard Worker
85*08b48e0bSAndroid Build Coastguard Worker return weight;
86*08b48e0bSAndroid Build Coastguard Worker
87*08b48e0bSAndroid Build Coastguard Worker }
88*08b48e0bSAndroid Build Coastguard Worker
89*08b48e0bSAndroid Build Coastguard Worker /* create the alias table that allows weighted random selection - expensive */
90*08b48e0bSAndroid Build Coastguard Worker
create_alias_table(afl_state_t * afl)91*08b48e0bSAndroid Build Coastguard Worker void create_alias_table(afl_state_t *afl) {
92*08b48e0bSAndroid Build Coastguard Worker
93*08b48e0bSAndroid Build Coastguard Worker u32 n = afl->queued_items, i = 0, nSmall = 0, nLarge = n - 1;
94*08b48e0bSAndroid Build Coastguard Worker double sum = 0;
95*08b48e0bSAndroid Build Coastguard Worker
96*08b48e0bSAndroid Build Coastguard Worker double *P = (double *)afl_realloc(AFL_BUF_PARAM(out), n * sizeof(double));
97*08b48e0bSAndroid Build Coastguard Worker u32 *Small = (int *)afl_realloc(AFL_BUF_PARAM(out_scratch), n * sizeof(u32));
98*08b48e0bSAndroid Build Coastguard Worker u32 *Large = (int *)afl_realloc(AFL_BUF_PARAM(in_scratch), n * sizeof(u32));
99*08b48e0bSAndroid Build Coastguard Worker
100*08b48e0bSAndroid Build Coastguard Worker afl->alias_table =
101*08b48e0bSAndroid Build Coastguard Worker (u32 *)afl_realloc((void **)&afl->alias_table, n * sizeof(u32));
102*08b48e0bSAndroid Build Coastguard Worker afl->alias_probability = (double *)afl_realloc(
103*08b48e0bSAndroid Build Coastguard Worker (void **)&afl->alias_probability, n * sizeof(double));
104*08b48e0bSAndroid Build Coastguard Worker
105*08b48e0bSAndroid Build Coastguard Worker if (!P || !Small || !Large || !afl->alias_table || !afl->alias_probability) {
106*08b48e0bSAndroid Build Coastguard Worker
107*08b48e0bSAndroid Build Coastguard Worker FATAL("could not acquire memory for alias table");
108*08b48e0bSAndroid Build Coastguard Worker
109*08b48e0bSAndroid Build Coastguard Worker }
110*08b48e0bSAndroid Build Coastguard Worker
111*08b48e0bSAndroid Build Coastguard Worker memset((void *)afl->alias_probability, 0, n * sizeof(double));
112*08b48e0bSAndroid Build Coastguard Worker memset((void *)afl->alias_table, 0, n * sizeof(u32));
113*08b48e0bSAndroid Build Coastguard Worker memset((void *)Small, 0, n * sizeof(u32));
114*08b48e0bSAndroid Build Coastguard Worker memset((void *)Large, 0, n * sizeof(u32));
115*08b48e0bSAndroid Build Coastguard Worker
116*08b48e0bSAndroid Build Coastguard Worker if (likely(afl->schedule < RARE)) {
117*08b48e0bSAndroid Build Coastguard Worker
118*08b48e0bSAndroid Build Coastguard Worker double avg_exec_us = 0.0;
119*08b48e0bSAndroid Build Coastguard Worker double avg_bitmap_size = 0.0;
120*08b48e0bSAndroid Build Coastguard Worker double avg_top_size = 0.0;
121*08b48e0bSAndroid Build Coastguard Worker u32 active = 0;
122*08b48e0bSAndroid Build Coastguard Worker
123*08b48e0bSAndroid Build Coastguard Worker for (i = 0; i < n; i++) {
124*08b48e0bSAndroid Build Coastguard Worker
125*08b48e0bSAndroid Build Coastguard Worker struct queue_entry *q = afl->queue_buf[i];
126*08b48e0bSAndroid Build Coastguard Worker
127*08b48e0bSAndroid Build Coastguard Worker // disabled entries might have timings and bitmap values
128*08b48e0bSAndroid Build Coastguard Worker if (likely(!q->disabled)) {
129*08b48e0bSAndroid Build Coastguard Worker
130*08b48e0bSAndroid Build Coastguard Worker avg_exec_us += q->exec_us;
131*08b48e0bSAndroid Build Coastguard Worker avg_bitmap_size += log(q->bitmap_size);
132*08b48e0bSAndroid Build Coastguard Worker avg_top_size += q->tc_ref;
133*08b48e0bSAndroid Build Coastguard Worker ++active;
134*08b48e0bSAndroid Build Coastguard Worker
135*08b48e0bSAndroid Build Coastguard Worker }
136*08b48e0bSAndroid Build Coastguard Worker
137*08b48e0bSAndroid Build Coastguard Worker }
138*08b48e0bSAndroid Build Coastguard Worker
139*08b48e0bSAndroid Build Coastguard Worker avg_exec_us /= active;
140*08b48e0bSAndroid Build Coastguard Worker avg_bitmap_size /= active;
141*08b48e0bSAndroid Build Coastguard Worker avg_top_size /= active;
142*08b48e0bSAndroid Build Coastguard Worker
143*08b48e0bSAndroid Build Coastguard Worker for (i = 0; i < n; i++) {
144*08b48e0bSAndroid Build Coastguard Worker
145*08b48e0bSAndroid Build Coastguard Worker struct queue_entry *q = afl->queue_buf[i];
146*08b48e0bSAndroid Build Coastguard Worker
147*08b48e0bSAndroid Build Coastguard Worker if (likely(!q->disabled)) {
148*08b48e0bSAndroid Build Coastguard Worker
149*08b48e0bSAndroid Build Coastguard Worker q->weight =
150*08b48e0bSAndroid Build Coastguard Worker compute_weight(afl, q, avg_exec_us, avg_bitmap_size, avg_top_size);
151*08b48e0bSAndroid Build Coastguard Worker q->perf_score = calculate_score(afl, q);
152*08b48e0bSAndroid Build Coastguard Worker sum += q->weight;
153*08b48e0bSAndroid Build Coastguard Worker
154*08b48e0bSAndroid Build Coastguard Worker }
155*08b48e0bSAndroid Build Coastguard Worker
156*08b48e0bSAndroid Build Coastguard Worker }
157*08b48e0bSAndroid Build Coastguard Worker
158*08b48e0bSAndroid Build Coastguard Worker if (unlikely(afl->schedule == MMOPT) && afl->queued_discovered) {
159*08b48e0bSAndroid Build Coastguard Worker
160*08b48e0bSAndroid Build Coastguard Worker u32 cnt = afl->queued_discovered >= 5 ? 5 : afl->queued_discovered;
161*08b48e0bSAndroid Build Coastguard Worker
162*08b48e0bSAndroid Build Coastguard Worker for (i = n - cnt; i < n; i++) {
163*08b48e0bSAndroid Build Coastguard Worker
164*08b48e0bSAndroid Build Coastguard Worker struct queue_entry *q = afl->queue_buf[i];
165*08b48e0bSAndroid Build Coastguard Worker
166*08b48e0bSAndroid Build Coastguard Worker if (likely(!q->disabled)) { q->weight *= 2.0; }
167*08b48e0bSAndroid Build Coastguard Worker
168*08b48e0bSAndroid Build Coastguard Worker }
169*08b48e0bSAndroid Build Coastguard Worker
170*08b48e0bSAndroid Build Coastguard Worker }
171*08b48e0bSAndroid Build Coastguard Worker
172*08b48e0bSAndroid Build Coastguard Worker for (i = 0; i < n; i++) {
173*08b48e0bSAndroid Build Coastguard Worker
174*08b48e0bSAndroid Build Coastguard Worker // weight is always 0 for disabled entries
175*08b48e0bSAndroid Build Coastguard Worker if (unlikely(afl->queue_buf[i]->disabled)) {
176*08b48e0bSAndroid Build Coastguard Worker
177*08b48e0bSAndroid Build Coastguard Worker P[i] = 0;
178*08b48e0bSAndroid Build Coastguard Worker
179*08b48e0bSAndroid Build Coastguard Worker } else {
180*08b48e0bSAndroid Build Coastguard Worker
181*08b48e0bSAndroid Build Coastguard Worker P[i] = (afl->queue_buf[i]->weight * n) / sum;
182*08b48e0bSAndroid Build Coastguard Worker
183*08b48e0bSAndroid Build Coastguard Worker }
184*08b48e0bSAndroid Build Coastguard Worker
185*08b48e0bSAndroid Build Coastguard Worker }
186*08b48e0bSAndroid Build Coastguard Worker
187*08b48e0bSAndroid Build Coastguard Worker } else {
188*08b48e0bSAndroid Build Coastguard Worker
189*08b48e0bSAndroid Build Coastguard Worker for (i = 0; i < n; i++) {
190*08b48e0bSAndroid Build Coastguard Worker
191*08b48e0bSAndroid Build Coastguard Worker struct queue_entry *q = afl->queue_buf[i];
192*08b48e0bSAndroid Build Coastguard Worker
193*08b48e0bSAndroid Build Coastguard Worker if (likely(!q->disabled)) {
194*08b48e0bSAndroid Build Coastguard Worker
195*08b48e0bSAndroid Build Coastguard Worker q->perf_score = calculate_score(afl, q);
196*08b48e0bSAndroid Build Coastguard Worker sum += q->perf_score;
197*08b48e0bSAndroid Build Coastguard Worker
198*08b48e0bSAndroid Build Coastguard Worker }
199*08b48e0bSAndroid Build Coastguard Worker
200*08b48e0bSAndroid Build Coastguard Worker }
201*08b48e0bSAndroid Build Coastguard Worker
202*08b48e0bSAndroid Build Coastguard Worker for (i = 0; i < n; i++) {
203*08b48e0bSAndroid Build Coastguard Worker
204*08b48e0bSAndroid Build Coastguard Worker // perf_score is always 0 for disabled entries
205*08b48e0bSAndroid Build Coastguard Worker if (unlikely(afl->queue_buf[i]->disabled)) {
206*08b48e0bSAndroid Build Coastguard Worker
207*08b48e0bSAndroid Build Coastguard Worker P[i] = 0;
208*08b48e0bSAndroid Build Coastguard Worker
209*08b48e0bSAndroid Build Coastguard Worker } else {
210*08b48e0bSAndroid Build Coastguard Worker
211*08b48e0bSAndroid Build Coastguard Worker P[i] = (afl->queue_buf[i]->perf_score * n) / sum;
212*08b48e0bSAndroid Build Coastguard Worker
213*08b48e0bSAndroid Build Coastguard Worker }
214*08b48e0bSAndroid Build Coastguard Worker
215*08b48e0bSAndroid Build Coastguard Worker }
216*08b48e0bSAndroid Build Coastguard Worker
217*08b48e0bSAndroid Build Coastguard Worker }
218*08b48e0bSAndroid Build Coastguard Worker
219*08b48e0bSAndroid Build Coastguard Worker // Done collecting weightings in P, now create the arrays.
220*08b48e0bSAndroid Build Coastguard Worker
221*08b48e0bSAndroid Build Coastguard Worker for (s32 j = (s32)(n - 1); j >= 0; j--) {
222*08b48e0bSAndroid Build Coastguard Worker
223*08b48e0bSAndroid Build Coastguard Worker if (P[j] < 1) {
224*08b48e0bSAndroid Build Coastguard Worker
225*08b48e0bSAndroid Build Coastguard Worker Small[nSmall++] = (u32)j;
226*08b48e0bSAndroid Build Coastguard Worker
227*08b48e0bSAndroid Build Coastguard Worker } else {
228*08b48e0bSAndroid Build Coastguard Worker
229*08b48e0bSAndroid Build Coastguard Worker Large[nLarge--] = (u32)j;
230*08b48e0bSAndroid Build Coastguard Worker
231*08b48e0bSAndroid Build Coastguard Worker }
232*08b48e0bSAndroid Build Coastguard Worker
233*08b48e0bSAndroid Build Coastguard Worker }
234*08b48e0bSAndroid Build Coastguard Worker
235*08b48e0bSAndroid Build Coastguard Worker while (nSmall && nLarge != n - 1) {
236*08b48e0bSAndroid Build Coastguard Worker
237*08b48e0bSAndroid Build Coastguard Worker u32 small = Small[--nSmall];
238*08b48e0bSAndroid Build Coastguard Worker u32 large = Large[++nLarge];
239*08b48e0bSAndroid Build Coastguard Worker
240*08b48e0bSAndroid Build Coastguard Worker afl->alias_probability[small] = P[small];
241*08b48e0bSAndroid Build Coastguard Worker afl->alias_table[small] = large;
242*08b48e0bSAndroid Build Coastguard Worker
243*08b48e0bSAndroid Build Coastguard Worker P[large] = P[large] - (1 - P[small]);
244*08b48e0bSAndroid Build Coastguard Worker
245*08b48e0bSAndroid Build Coastguard Worker if (P[large] < 1) {
246*08b48e0bSAndroid Build Coastguard Worker
247*08b48e0bSAndroid Build Coastguard Worker Small[nSmall++] = large;
248*08b48e0bSAndroid Build Coastguard Worker
249*08b48e0bSAndroid Build Coastguard Worker } else {
250*08b48e0bSAndroid Build Coastguard Worker
251*08b48e0bSAndroid Build Coastguard Worker Large[nLarge--] = large;
252*08b48e0bSAndroid Build Coastguard Worker
253*08b48e0bSAndroid Build Coastguard Worker }
254*08b48e0bSAndroid Build Coastguard Worker
255*08b48e0bSAndroid Build Coastguard Worker }
256*08b48e0bSAndroid Build Coastguard Worker
257*08b48e0bSAndroid Build Coastguard Worker while (nSmall) {
258*08b48e0bSAndroid Build Coastguard Worker
259*08b48e0bSAndroid Build Coastguard Worker afl->alias_probability[Small[--nSmall]] = 1;
260*08b48e0bSAndroid Build Coastguard Worker
261*08b48e0bSAndroid Build Coastguard Worker }
262*08b48e0bSAndroid Build Coastguard Worker
263*08b48e0bSAndroid Build Coastguard Worker while (nLarge != n - 1) {
264*08b48e0bSAndroid Build Coastguard Worker
265*08b48e0bSAndroid Build Coastguard Worker afl->alias_probability[Large[++nLarge]] = 1;
266*08b48e0bSAndroid Build Coastguard Worker
267*08b48e0bSAndroid Build Coastguard Worker }
268*08b48e0bSAndroid Build Coastguard Worker
269*08b48e0bSAndroid Build Coastguard Worker afl->reinit_table = 0;
270*08b48e0bSAndroid Build Coastguard Worker
271*08b48e0bSAndroid Build Coastguard Worker /*
272*08b48e0bSAndroid Build Coastguard Worker #ifdef INTROSPECTION
273*08b48e0bSAndroid Build Coastguard Worker u8 fn[PATH_MAX];
274*08b48e0bSAndroid Build Coastguard Worker snprintf(fn, PATH_MAX, "%s/introspection_corpus.txt", afl->out_dir);
275*08b48e0bSAndroid Build Coastguard Worker FILE *f = fopen(fn, "a");
276*08b48e0bSAndroid Build Coastguard Worker if (f) {
277*08b48e0bSAndroid Build Coastguard Worker
278*08b48e0bSAndroid Build Coastguard Worker for (i = 0; i < n; i++) {
279*08b48e0bSAndroid Build Coastguard Worker
280*08b48e0bSAndroid Build Coastguard Worker struct queue_entry *q = afl->queue_buf[i];
281*08b48e0bSAndroid Build Coastguard Worker fprintf(
282*08b48e0bSAndroid Build Coastguard Worker f,
283*08b48e0bSAndroid Build Coastguard Worker "entry=%u name=%s favored=%s variable=%s disabled=%s len=%u "
284*08b48e0bSAndroid Build Coastguard Worker "exec_us=%u "
285*08b48e0bSAndroid Build Coastguard Worker "bitmap_size=%u bitsmap_size=%u tops=%u weight=%f perf_score=%f\n",
286*08b48e0bSAndroid Build Coastguard Worker i, q->fname, q->favored ? "true" : "false",
287*08b48e0bSAndroid Build Coastguard Worker q->var_behavior ? "true" : "false", q->disabled ? "true" : "false",
288*08b48e0bSAndroid Build Coastguard Worker q->len, (u32)q->exec_us, q->bitmap_size, q->bitsmap_size, q->tc_ref,
289*08b48e0bSAndroid Build Coastguard Worker q->weight, q->perf_score);
290*08b48e0bSAndroid Build Coastguard Worker
291*08b48e0bSAndroid Build Coastguard Worker }
292*08b48e0bSAndroid Build Coastguard Worker
293*08b48e0bSAndroid Build Coastguard Worker fprintf(f, "\n");
294*08b48e0bSAndroid Build Coastguard Worker fclose(f);
295*08b48e0bSAndroid Build Coastguard Worker
296*08b48e0bSAndroid Build Coastguard Worker }
297*08b48e0bSAndroid Build Coastguard Worker
298*08b48e0bSAndroid Build Coastguard Worker #endif
299*08b48e0bSAndroid Build Coastguard Worker */
300*08b48e0bSAndroid Build Coastguard Worker /*
301*08b48e0bSAndroid Build Coastguard Worker fprintf(stderr, " entry alias probability perf_score weight
302*08b48e0bSAndroid Build Coastguard Worker filename\n"); for (i = 0; i < n; ++i) fprintf(stderr, " %5u %5u %11u
303*08b48e0bSAndroid Build Coastguard Worker %0.9f %0.9f %s\n", i, afl->alias_table[i], afl->alias_probability[i],
304*08b48e0bSAndroid Build Coastguard Worker afl->queue_buf[i]->perf_score, afl->queue_buf[i]->weight,
305*08b48e0bSAndroid Build Coastguard Worker afl->queue_buf[i]->fname);
306*08b48e0bSAndroid Build Coastguard Worker */
307*08b48e0bSAndroid Build Coastguard Worker
308*08b48e0bSAndroid Build Coastguard Worker }
309*08b48e0bSAndroid Build Coastguard Worker
310*08b48e0bSAndroid Build Coastguard Worker /* Mark deterministic checks as done for a particular queue entry. We use the
311*08b48e0bSAndroid Build Coastguard Worker .state file to avoid repeating deterministic fuzzing when resuming aborted
312*08b48e0bSAndroid Build Coastguard Worker scans. */
313*08b48e0bSAndroid Build Coastguard Worker
mark_as_det_done(afl_state_t * afl,struct queue_entry * q)314*08b48e0bSAndroid Build Coastguard Worker void mark_as_det_done(afl_state_t *afl, struct queue_entry *q) {
315*08b48e0bSAndroid Build Coastguard Worker
316*08b48e0bSAndroid Build Coastguard Worker char fn[PATH_MAX];
317*08b48e0bSAndroid Build Coastguard Worker s32 fd;
318*08b48e0bSAndroid Build Coastguard Worker
319*08b48e0bSAndroid Build Coastguard Worker snprintf(fn, PATH_MAX, "%s/queue/.state/deterministic_done/%s", afl->out_dir,
320*08b48e0bSAndroid Build Coastguard Worker strrchr((char *)q->fname, '/') + 1);
321*08b48e0bSAndroid Build Coastguard Worker
322*08b48e0bSAndroid Build Coastguard Worker fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION);
323*08b48e0bSAndroid Build Coastguard Worker if (fd < 0) { PFATAL("Unable to create '%s'", fn); }
324*08b48e0bSAndroid Build Coastguard Worker close(fd);
325*08b48e0bSAndroid Build Coastguard Worker
326*08b48e0bSAndroid Build Coastguard Worker q->passed_det = 1;
327*08b48e0bSAndroid Build Coastguard Worker
328*08b48e0bSAndroid Build Coastguard Worker }
329*08b48e0bSAndroid Build Coastguard Worker
330*08b48e0bSAndroid Build Coastguard Worker /* Mark as variable. Create symlinks if possible to make it easier to examine
331*08b48e0bSAndroid Build Coastguard Worker the files. */
332*08b48e0bSAndroid Build Coastguard Worker
mark_as_variable(afl_state_t * afl,struct queue_entry * q)333*08b48e0bSAndroid Build Coastguard Worker void mark_as_variable(afl_state_t *afl, struct queue_entry *q) {
334*08b48e0bSAndroid Build Coastguard Worker
335*08b48e0bSAndroid Build Coastguard Worker char fn[PATH_MAX];
336*08b48e0bSAndroid Build Coastguard Worker char ldest[PATH_MAX];
337*08b48e0bSAndroid Build Coastguard Worker
338*08b48e0bSAndroid Build Coastguard Worker char *fn_name = strrchr((char *)q->fname, '/') + 1;
339*08b48e0bSAndroid Build Coastguard Worker
340*08b48e0bSAndroid Build Coastguard Worker sprintf(ldest, "../../%s", fn_name);
341*08b48e0bSAndroid Build Coastguard Worker sprintf(fn, "%s/queue/.state/variable_behavior/%s", afl->out_dir, fn_name);
342*08b48e0bSAndroid Build Coastguard Worker
343*08b48e0bSAndroid Build Coastguard Worker if (symlink(ldest, fn)) {
344*08b48e0bSAndroid Build Coastguard Worker
345*08b48e0bSAndroid Build Coastguard Worker s32 fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION);
346*08b48e0bSAndroid Build Coastguard Worker if (fd < 0) { PFATAL("Unable to create '%s'", fn); }
347*08b48e0bSAndroid Build Coastguard Worker close(fd);
348*08b48e0bSAndroid Build Coastguard Worker
349*08b48e0bSAndroid Build Coastguard Worker }
350*08b48e0bSAndroid Build Coastguard Worker
351*08b48e0bSAndroid Build Coastguard Worker q->var_behavior = 1;
352*08b48e0bSAndroid Build Coastguard Worker
353*08b48e0bSAndroid Build Coastguard Worker }
354*08b48e0bSAndroid Build Coastguard Worker
355*08b48e0bSAndroid Build Coastguard Worker /* Mark / unmark as redundant (edge-only). This is not used for restoring state,
356*08b48e0bSAndroid Build Coastguard Worker but may be useful for post-processing datasets. */
357*08b48e0bSAndroid Build Coastguard Worker
mark_as_redundant(afl_state_t * afl,struct queue_entry * q,u8 state)358*08b48e0bSAndroid Build Coastguard Worker void mark_as_redundant(afl_state_t *afl, struct queue_entry *q, u8 state) {
359*08b48e0bSAndroid Build Coastguard Worker
360*08b48e0bSAndroid Build Coastguard Worker if (likely(state == q->fs_redundant)) { return; }
361*08b48e0bSAndroid Build Coastguard Worker
362*08b48e0bSAndroid Build Coastguard Worker char fn[PATH_MAX];
363*08b48e0bSAndroid Build Coastguard Worker
364*08b48e0bSAndroid Build Coastguard Worker q->fs_redundant = state;
365*08b48e0bSAndroid Build Coastguard Worker
366*08b48e0bSAndroid Build Coastguard Worker sprintf(fn, "%s/queue/.state/redundant_edges/%s", afl->out_dir,
367*08b48e0bSAndroid Build Coastguard Worker strrchr((char *)q->fname, '/') + 1);
368*08b48e0bSAndroid Build Coastguard Worker
369*08b48e0bSAndroid Build Coastguard Worker if (state) {
370*08b48e0bSAndroid Build Coastguard Worker
371*08b48e0bSAndroid Build Coastguard Worker s32 fd;
372*08b48e0bSAndroid Build Coastguard Worker
373*08b48e0bSAndroid Build Coastguard Worker fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION);
374*08b48e0bSAndroid Build Coastguard Worker if (fd < 0) { PFATAL("Unable to create '%s'", fn); }
375*08b48e0bSAndroid Build Coastguard Worker close(fd);
376*08b48e0bSAndroid Build Coastguard Worker
377*08b48e0bSAndroid Build Coastguard Worker } else {
378*08b48e0bSAndroid Build Coastguard Worker
379*08b48e0bSAndroid Build Coastguard Worker if (unlink(fn)) { PFATAL("Unable to remove '%s'", fn); }
380*08b48e0bSAndroid Build Coastguard Worker
381*08b48e0bSAndroid Build Coastguard Worker }
382*08b48e0bSAndroid Build Coastguard Worker
383*08b48e0bSAndroid Build Coastguard Worker }
384*08b48e0bSAndroid Build Coastguard Worker
385*08b48e0bSAndroid Build Coastguard Worker /* check if pointer is ascii or UTF-8 */
386*08b48e0bSAndroid Build Coastguard Worker
check_if_text_buf(u8 * buf,u32 len)387*08b48e0bSAndroid Build Coastguard Worker u8 check_if_text_buf(u8 *buf, u32 len) {
388*08b48e0bSAndroid Build Coastguard Worker
389*08b48e0bSAndroid Build Coastguard Worker u32 offset = 0, ascii = 0, utf8 = 0;
390*08b48e0bSAndroid Build Coastguard Worker
391*08b48e0bSAndroid Build Coastguard Worker while (offset < len) {
392*08b48e0bSAndroid Build Coastguard Worker
393*08b48e0bSAndroid Build Coastguard Worker // ASCII: <= 0x7F to allow ASCII control characters
394*08b48e0bSAndroid Build Coastguard Worker if ((buf[offset + 0] == 0x09 || buf[offset + 0] == 0x0A ||
395*08b48e0bSAndroid Build Coastguard Worker buf[offset + 0] == 0x0D ||
396*08b48e0bSAndroid Build Coastguard Worker (0x20 <= buf[offset + 0] && buf[offset + 0] <= 0x7E))) {
397*08b48e0bSAndroid Build Coastguard Worker
398*08b48e0bSAndroid Build Coastguard Worker offset++;
399*08b48e0bSAndroid Build Coastguard Worker utf8++;
400*08b48e0bSAndroid Build Coastguard Worker ascii++;
401*08b48e0bSAndroid Build Coastguard Worker continue;
402*08b48e0bSAndroid Build Coastguard Worker
403*08b48e0bSAndroid Build Coastguard Worker }
404*08b48e0bSAndroid Build Coastguard Worker
405*08b48e0bSAndroid Build Coastguard Worker if (isascii((int)buf[offset]) || isprint((int)buf[offset])) {
406*08b48e0bSAndroid Build Coastguard Worker
407*08b48e0bSAndroid Build Coastguard Worker ascii++;
408*08b48e0bSAndroid Build Coastguard Worker // we continue though as it can also be a valid utf8
409*08b48e0bSAndroid Build Coastguard Worker
410*08b48e0bSAndroid Build Coastguard Worker }
411*08b48e0bSAndroid Build Coastguard Worker
412*08b48e0bSAndroid Build Coastguard Worker // non-overlong 2-byte
413*08b48e0bSAndroid Build Coastguard Worker if (len - offset > 1 &&
414*08b48e0bSAndroid Build Coastguard Worker ((0xC2 <= buf[offset + 0] && buf[offset + 0] <= 0xDF) &&
415*08b48e0bSAndroid Build Coastguard Worker (0x80 <= buf[offset + 1] && buf[offset + 1] <= 0xBF))) {
416*08b48e0bSAndroid Build Coastguard Worker
417*08b48e0bSAndroid Build Coastguard Worker offset += 2;
418*08b48e0bSAndroid Build Coastguard Worker utf8++;
419*08b48e0bSAndroid Build Coastguard Worker continue;
420*08b48e0bSAndroid Build Coastguard Worker
421*08b48e0bSAndroid Build Coastguard Worker }
422*08b48e0bSAndroid Build Coastguard Worker
423*08b48e0bSAndroid Build Coastguard Worker // excluding overlongs
424*08b48e0bSAndroid Build Coastguard Worker if ((len - offset > 2) &&
425*08b48e0bSAndroid Build Coastguard Worker ((buf[offset + 0] == 0xE0 &&
426*08b48e0bSAndroid Build Coastguard Worker (0xA0 <= buf[offset + 1] && buf[offset + 1] <= 0xBF) &&
427*08b48e0bSAndroid Build Coastguard Worker (0x80 <= buf[offset + 2] &&
428*08b48e0bSAndroid Build Coastguard Worker buf[offset + 2] <= 0xBF)) || // straight 3-byte
429*08b48e0bSAndroid Build Coastguard Worker (((0xE1 <= buf[offset + 0] && buf[offset + 0] <= 0xEC) ||
430*08b48e0bSAndroid Build Coastguard Worker buf[offset + 0] == 0xEE || buf[offset + 0] == 0xEF) &&
431*08b48e0bSAndroid Build Coastguard Worker (0x80 <= buf[offset + 1] && buf[offset + 1] <= 0xBF) &&
432*08b48e0bSAndroid Build Coastguard Worker (0x80 <= buf[offset + 2] &&
433*08b48e0bSAndroid Build Coastguard Worker buf[offset + 2] <= 0xBF)) || // excluding surrogates
434*08b48e0bSAndroid Build Coastguard Worker (buf[offset + 0] == 0xED &&
435*08b48e0bSAndroid Build Coastguard Worker (0x80 <= buf[offset + 1] && buf[offset + 1] <= 0x9F) &&
436*08b48e0bSAndroid Build Coastguard Worker (0x80 <= buf[offset + 2] && buf[offset + 2] <= 0xBF)))) {
437*08b48e0bSAndroid Build Coastguard Worker
438*08b48e0bSAndroid Build Coastguard Worker offset += 3;
439*08b48e0bSAndroid Build Coastguard Worker utf8++;
440*08b48e0bSAndroid Build Coastguard Worker continue;
441*08b48e0bSAndroid Build Coastguard Worker
442*08b48e0bSAndroid Build Coastguard Worker }
443*08b48e0bSAndroid Build Coastguard Worker
444*08b48e0bSAndroid Build Coastguard Worker // planes 1-3
445*08b48e0bSAndroid Build Coastguard Worker if ((len - offset > 3) &&
446*08b48e0bSAndroid Build Coastguard Worker ((buf[offset + 0] == 0xF0 &&
447*08b48e0bSAndroid Build Coastguard Worker (0x90 <= buf[offset + 1] && buf[offset + 1] <= 0xBF) &&
448*08b48e0bSAndroid Build Coastguard Worker (0x80 <= buf[offset + 2] && buf[offset + 2] <= 0xBF) &&
449*08b48e0bSAndroid Build Coastguard Worker (0x80 <= buf[offset + 3] &&
450*08b48e0bSAndroid Build Coastguard Worker buf[offset + 3] <= 0xBF)) || // planes 4-15
451*08b48e0bSAndroid Build Coastguard Worker ((0xF1 <= buf[offset + 0] && buf[offset + 0] <= 0xF3) &&
452*08b48e0bSAndroid Build Coastguard Worker (0x80 <= buf[offset + 1] && buf[offset + 1] <= 0xBF) &&
453*08b48e0bSAndroid Build Coastguard Worker (0x80 <= buf[offset + 2] && buf[offset + 2] <= 0xBF) &&
454*08b48e0bSAndroid Build Coastguard Worker (0x80 <= buf[offset + 3] && buf[offset + 3] <= 0xBF)) || // plane 16
455*08b48e0bSAndroid Build Coastguard Worker (buf[offset + 0] == 0xF4 &&
456*08b48e0bSAndroid Build Coastguard Worker (0x80 <= buf[offset + 1] && buf[offset + 1] <= 0x8F) &&
457*08b48e0bSAndroid Build Coastguard Worker (0x80 <= buf[offset + 2] && buf[offset + 2] <= 0xBF) &&
458*08b48e0bSAndroid Build Coastguard Worker (0x80 <= buf[offset + 3] && buf[offset + 3] <= 0xBF)))) {
459*08b48e0bSAndroid Build Coastguard Worker
460*08b48e0bSAndroid Build Coastguard Worker offset += 4;
461*08b48e0bSAndroid Build Coastguard Worker utf8++;
462*08b48e0bSAndroid Build Coastguard Worker continue;
463*08b48e0bSAndroid Build Coastguard Worker
464*08b48e0bSAndroid Build Coastguard Worker }
465*08b48e0bSAndroid Build Coastguard Worker
466*08b48e0bSAndroid Build Coastguard Worker offset++;
467*08b48e0bSAndroid Build Coastguard Worker
468*08b48e0bSAndroid Build Coastguard Worker }
469*08b48e0bSAndroid Build Coastguard Worker
470*08b48e0bSAndroid Build Coastguard Worker return (utf8 > ascii ? utf8 : ascii);
471*08b48e0bSAndroid Build Coastguard Worker
472*08b48e0bSAndroid Build Coastguard Worker }
473*08b48e0bSAndroid Build Coastguard Worker
474*08b48e0bSAndroid Build Coastguard Worker /* check if queue entry is ascii or UTF-8 */
475*08b48e0bSAndroid Build Coastguard Worker
check_if_text(afl_state_t * afl,struct queue_entry * q)476*08b48e0bSAndroid Build Coastguard Worker static u8 check_if_text(afl_state_t *afl, struct queue_entry *q) {
477*08b48e0bSAndroid Build Coastguard Worker
478*08b48e0bSAndroid Build Coastguard Worker if (q->len < AFL_TXT_MIN_LEN || q->len < AFL_TXT_MAX_LEN) return 0;
479*08b48e0bSAndroid Build Coastguard Worker
480*08b48e0bSAndroid Build Coastguard Worker u8 *buf;
481*08b48e0bSAndroid Build Coastguard Worker int fd;
482*08b48e0bSAndroid Build Coastguard Worker u32 len = q->len, offset = 0, ascii = 0, utf8 = 0;
483*08b48e0bSAndroid Build Coastguard Worker ssize_t comp;
484*08b48e0bSAndroid Build Coastguard Worker
485*08b48e0bSAndroid Build Coastguard Worker if (len >= MAX_FILE) len = MAX_FILE - 1;
486*08b48e0bSAndroid Build Coastguard Worker if ((fd = open((char *)q->fname, O_RDONLY)) < 0) return 0;
487*08b48e0bSAndroid Build Coastguard Worker buf = (u8 *)afl_realloc(AFL_BUF_PARAM(in_scratch), len + 1);
488*08b48e0bSAndroid Build Coastguard Worker comp = read(fd, buf, len);
489*08b48e0bSAndroid Build Coastguard Worker close(fd);
490*08b48e0bSAndroid Build Coastguard Worker if (comp != (ssize_t)len) return 0;
491*08b48e0bSAndroid Build Coastguard Worker buf[len] = 0;
492*08b48e0bSAndroid Build Coastguard Worker
493*08b48e0bSAndroid Build Coastguard Worker while (offset < len) {
494*08b48e0bSAndroid Build Coastguard Worker
495*08b48e0bSAndroid Build Coastguard Worker // ASCII: <= 0x7F to allow ASCII control characters
496*08b48e0bSAndroid Build Coastguard Worker if ((buf[offset + 0] == 0x09 || buf[offset + 0] == 0x0A ||
497*08b48e0bSAndroid Build Coastguard Worker buf[offset + 0] == 0x0D ||
498*08b48e0bSAndroid Build Coastguard Worker (0x20 <= buf[offset + 0] && buf[offset + 0] <= 0x7E))) {
499*08b48e0bSAndroid Build Coastguard Worker
500*08b48e0bSAndroid Build Coastguard Worker offset++;
501*08b48e0bSAndroid Build Coastguard Worker utf8++;
502*08b48e0bSAndroid Build Coastguard Worker ascii++;
503*08b48e0bSAndroid Build Coastguard Worker continue;
504*08b48e0bSAndroid Build Coastguard Worker
505*08b48e0bSAndroid Build Coastguard Worker }
506*08b48e0bSAndroid Build Coastguard Worker
507*08b48e0bSAndroid Build Coastguard Worker if (isascii((int)buf[offset]) || isprint((int)buf[offset])) {
508*08b48e0bSAndroid Build Coastguard Worker
509*08b48e0bSAndroid Build Coastguard Worker ascii++;
510*08b48e0bSAndroid Build Coastguard Worker // we continue though as it can also be a valid utf8
511*08b48e0bSAndroid Build Coastguard Worker
512*08b48e0bSAndroid Build Coastguard Worker }
513*08b48e0bSAndroid Build Coastguard Worker
514*08b48e0bSAndroid Build Coastguard Worker // non-overlong 2-byte
515*08b48e0bSAndroid Build Coastguard Worker if (len - offset > 1 &&
516*08b48e0bSAndroid Build Coastguard Worker ((0xC2 <= buf[offset + 0] && buf[offset + 0] <= 0xDF) &&
517*08b48e0bSAndroid Build Coastguard Worker (0x80 <= buf[offset + 1] && buf[offset + 1] <= 0xBF))) {
518*08b48e0bSAndroid Build Coastguard Worker
519*08b48e0bSAndroid Build Coastguard Worker offset += 2;
520*08b48e0bSAndroid Build Coastguard Worker utf8++;
521*08b48e0bSAndroid Build Coastguard Worker comp--;
522*08b48e0bSAndroid Build Coastguard Worker continue;
523*08b48e0bSAndroid Build Coastguard Worker
524*08b48e0bSAndroid Build Coastguard Worker }
525*08b48e0bSAndroid Build Coastguard Worker
526*08b48e0bSAndroid Build Coastguard Worker // excluding overlongs
527*08b48e0bSAndroid Build Coastguard Worker if ((len - offset > 2) &&
528*08b48e0bSAndroid Build Coastguard Worker ((buf[offset + 0] == 0xE0 &&
529*08b48e0bSAndroid Build Coastguard Worker (0xA0 <= buf[offset + 1] && buf[offset + 1] <= 0xBF) &&
530*08b48e0bSAndroid Build Coastguard Worker (0x80 <= buf[offset + 2] &&
531*08b48e0bSAndroid Build Coastguard Worker buf[offset + 2] <= 0xBF)) || // straight 3-byte
532*08b48e0bSAndroid Build Coastguard Worker (((0xE1 <= buf[offset + 0] && buf[offset + 0] <= 0xEC) ||
533*08b48e0bSAndroid Build Coastguard Worker buf[offset + 0] == 0xEE || buf[offset + 0] == 0xEF) &&
534*08b48e0bSAndroid Build Coastguard Worker (0x80 <= buf[offset + 1] && buf[offset + 1] <= 0xBF) &&
535*08b48e0bSAndroid Build Coastguard Worker (0x80 <= buf[offset + 2] &&
536*08b48e0bSAndroid Build Coastguard Worker buf[offset + 2] <= 0xBF)) || // excluding surrogates
537*08b48e0bSAndroid Build Coastguard Worker (buf[offset + 0] == 0xED &&
538*08b48e0bSAndroid Build Coastguard Worker (0x80 <= buf[offset + 1] && buf[offset + 1] <= 0x9F) &&
539*08b48e0bSAndroid Build Coastguard Worker (0x80 <= buf[offset + 2] && buf[offset + 2] <= 0xBF)))) {
540*08b48e0bSAndroid Build Coastguard Worker
541*08b48e0bSAndroid Build Coastguard Worker offset += 3;
542*08b48e0bSAndroid Build Coastguard Worker utf8++;
543*08b48e0bSAndroid Build Coastguard Worker comp -= 2;
544*08b48e0bSAndroid Build Coastguard Worker continue;
545*08b48e0bSAndroid Build Coastguard Worker
546*08b48e0bSAndroid Build Coastguard Worker }
547*08b48e0bSAndroid Build Coastguard Worker
548*08b48e0bSAndroid Build Coastguard Worker // planes 1-3
549*08b48e0bSAndroid Build Coastguard Worker if ((len - offset > 3) &&
550*08b48e0bSAndroid Build Coastguard Worker ((buf[offset + 0] == 0xF0 &&
551*08b48e0bSAndroid Build Coastguard Worker (0x90 <= buf[offset + 1] && buf[offset + 1] <= 0xBF) &&
552*08b48e0bSAndroid Build Coastguard Worker (0x80 <= buf[offset + 2] && buf[offset + 2] <= 0xBF) &&
553*08b48e0bSAndroid Build Coastguard Worker (0x80 <= buf[offset + 3] &&
554*08b48e0bSAndroid Build Coastguard Worker buf[offset + 3] <= 0xBF)) || // planes 4-15
555*08b48e0bSAndroid Build Coastguard Worker ((0xF1 <= buf[offset + 0] && buf[offset + 0] <= 0xF3) &&
556*08b48e0bSAndroid Build Coastguard Worker (0x80 <= buf[offset + 1] && buf[offset + 1] <= 0xBF) &&
557*08b48e0bSAndroid Build Coastguard Worker (0x80 <= buf[offset + 2] && buf[offset + 2] <= 0xBF) &&
558*08b48e0bSAndroid Build Coastguard Worker (0x80 <= buf[offset + 3] && buf[offset + 3] <= 0xBF)) || // plane 16
559*08b48e0bSAndroid Build Coastguard Worker (buf[offset + 0] == 0xF4 &&
560*08b48e0bSAndroid Build Coastguard Worker (0x80 <= buf[offset + 1] && buf[offset + 1] <= 0x8F) &&
561*08b48e0bSAndroid Build Coastguard Worker (0x80 <= buf[offset + 2] && buf[offset + 2] <= 0xBF) &&
562*08b48e0bSAndroid Build Coastguard Worker (0x80 <= buf[offset + 3] && buf[offset + 3] <= 0xBF)))) {
563*08b48e0bSAndroid Build Coastguard Worker
564*08b48e0bSAndroid Build Coastguard Worker offset += 4;
565*08b48e0bSAndroid Build Coastguard Worker utf8++;
566*08b48e0bSAndroid Build Coastguard Worker comp -= 3;
567*08b48e0bSAndroid Build Coastguard Worker continue;
568*08b48e0bSAndroid Build Coastguard Worker
569*08b48e0bSAndroid Build Coastguard Worker }
570*08b48e0bSAndroid Build Coastguard Worker
571*08b48e0bSAndroid Build Coastguard Worker offset++;
572*08b48e0bSAndroid Build Coastguard Worker
573*08b48e0bSAndroid Build Coastguard Worker }
574*08b48e0bSAndroid Build Coastguard Worker
575*08b48e0bSAndroid Build Coastguard Worker u32 percent_utf8 = (utf8 * 100) / comp;
576*08b48e0bSAndroid Build Coastguard Worker u32 percent_ascii = (ascii * 100) / len;
577*08b48e0bSAndroid Build Coastguard Worker
578*08b48e0bSAndroid Build Coastguard Worker if (percent_utf8 >= percent_ascii && percent_utf8 >= AFL_TXT_MIN_PERCENT)
579*08b48e0bSAndroid Build Coastguard Worker return 2;
580*08b48e0bSAndroid Build Coastguard Worker if (percent_ascii >= AFL_TXT_MIN_PERCENT) return 1;
581*08b48e0bSAndroid Build Coastguard Worker return 0;
582*08b48e0bSAndroid Build Coastguard Worker
583*08b48e0bSAndroid Build Coastguard Worker }
584*08b48e0bSAndroid Build Coastguard Worker
585*08b48e0bSAndroid Build Coastguard Worker /* Append new test case to the queue. */
586*08b48e0bSAndroid Build Coastguard Worker
add_to_queue(afl_state_t * afl,u8 * fname,u32 len,u8 passed_det)587*08b48e0bSAndroid Build Coastguard Worker void add_to_queue(afl_state_t *afl, u8 *fname, u32 len, u8 passed_det) {
588*08b48e0bSAndroid Build Coastguard Worker
589*08b48e0bSAndroid Build Coastguard Worker struct queue_entry *q =
590*08b48e0bSAndroid Build Coastguard Worker (struct queue_entry *)ck_alloc(sizeof(struct queue_entry));
591*08b48e0bSAndroid Build Coastguard Worker
592*08b48e0bSAndroid Build Coastguard Worker q->fname = fname;
593*08b48e0bSAndroid Build Coastguard Worker q->len = len;
594*08b48e0bSAndroid Build Coastguard Worker q->depth = afl->cur_depth + 1;
595*08b48e0bSAndroid Build Coastguard Worker q->passed_det = passed_det;
596*08b48e0bSAndroid Build Coastguard Worker q->trace_mini = NULL;
597*08b48e0bSAndroid Build Coastguard Worker q->testcase_buf = NULL;
598*08b48e0bSAndroid Build Coastguard Worker q->mother = afl->queue_cur;
599*08b48e0bSAndroid Build Coastguard Worker
600*08b48e0bSAndroid Build Coastguard Worker #ifdef INTROSPECTION
601*08b48e0bSAndroid Build Coastguard Worker q->bitsmap_size = afl->bitsmap_size;
602*08b48e0bSAndroid Build Coastguard Worker #endif
603*08b48e0bSAndroid Build Coastguard Worker
604*08b48e0bSAndroid Build Coastguard Worker if (q->depth > afl->max_depth) { afl->max_depth = q->depth; }
605*08b48e0bSAndroid Build Coastguard Worker
606*08b48e0bSAndroid Build Coastguard Worker if (afl->queue_top) {
607*08b48e0bSAndroid Build Coastguard Worker
608*08b48e0bSAndroid Build Coastguard Worker afl->queue_top = q;
609*08b48e0bSAndroid Build Coastguard Worker
610*08b48e0bSAndroid Build Coastguard Worker } else {
611*08b48e0bSAndroid Build Coastguard Worker
612*08b48e0bSAndroid Build Coastguard Worker afl->queue = afl->queue_top = q;
613*08b48e0bSAndroid Build Coastguard Worker
614*08b48e0bSAndroid Build Coastguard Worker }
615*08b48e0bSAndroid Build Coastguard Worker
616*08b48e0bSAndroid Build Coastguard Worker if (likely(q->len > 4)) { ++afl->ready_for_splicing_count; }
617*08b48e0bSAndroid Build Coastguard Worker
618*08b48e0bSAndroid Build Coastguard Worker ++afl->queued_items;
619*08b48e0bSAndroid Build Coastguard Worker ++afl->active_items;
620*08b48e0bSAndroid Build Coastguard Worker ++afl->pending_not_fuzzed;
621*08b48e0bSAndroid Build Coastguard Worker
622*08b48e0bSAndroid Build Coastguard Worker afl->cycles_wo_finds = 0;
623*08b48e0bSAndroid Build Coastguard Worker
624*08b48e0bSAndroid Build Coastguard Worker struct queue_entry **queue_buf = (struct queue_entry **)afl_realloc(
625*08b48e0bSAndroid Build Coastguard Worker AFL_BUF_PARAM(queue), afl->queued_items * sizeof(struct queue_entry *));
626*08b48e0bSAndroid Build Coastguard Worker if (unlikely(!queue_buf)) { PFATAL("alloc"); }
627*08b48e0bSAndroid Build Coastguard Worker queue_buf[afl->queued_items - 1] = q;
628*08b48e0bSAndroid Build Coastguard Worker q->id = afl->queued_items - 1;
629*08b48e0bSAndroid Build Coastguard Worker
630*08b48e0bSAndroid Build Coastguard Worker u64 cur_time = get_cur_time();
631*08b48e0bSAndroid Build Coastguard Worker
632*08b48e0bSAndroid Build Coastguard Worker if (likely(afl->start_time) &&
633*08b48e0bSAndroid Build Coastguard Worker unlikely(afl->longest_find_time < cur_time - afl->last_find_time)) {
634*08b48e0bSAndroid Build Coastguard Worker
635*08b48e0bSAndroid Build Coastguard Worker if (unlikely(!afl->last_find_time)) {
636*08b48e0bSAndroid Build Coastguard Worker
637*08b48e0bSAndroid Build Coastguard Worker afl->longest_find_time = cur_time - afl->start_time;
638*08b48e0bSAndroid Build Coastguard Worker
639*08b48e0bSAndroid Build Coastguard Worker } else {
640*08b48e0bSAndroid Build Coastguard Worker
641*08b48e0bSAndroid Build Coastguard Worker afl->longest_find_time = cur_time - afl->last_find_time;
642*08b48e0bSAndroid Build Coastguard Worker
643*08b48e0bSAndroid Build Coastguard Worker }
644*08b48e0bSAndroid Build Coastguard Worker
645*08b48e0bSAndroid Build Coastguard Worker }
646*08b48e0bSAndroid Build Coastguard Worker
647*08b48e0bSAndroid Build Coastguard Worker afl->last_find_time = cur_time;
648*08b48e0bSAndroid Build Coastguard Worker
649*08b48e0bSAndroid Build Coastguard Worker if (afl->custom_mutators_count) {
650*08b48e0bSAndroid Build Coastguard Worker
651*08b48e0bSAndroid Build Coastguard Worker /* At the initialization stage, queue_cur is NULL */
652*08b48e0bSAndroid Build Coastguard Worker if (afl->queue_cur && !afl->syncing_party) {
653*08b48e0bSAndroid Build Coastguard Worker
654*08b48e0bSAndroid Build Coastguard Worker run_afl_custom_queue_new_entry(afl, q, fname, afl->queue_cur->fname);
655*08b48e0bSAndroid Build Coastguard Worker
656*08b48e0bSAndroid Build Coastguard Worker }
657*08b48e0bSAndroid Build Coastguard Worker
658*08b48e0bSAndroid Build Coastguard Worker }
659*08b48e0bSAndroid Build Coastguard Worker
660*08b48e0bSAndroid Build Coastguard Worker /* only redqueen currently uses is_ascii */
661*08b48e0bSAndroid Build Coastguard Worker if (unlikely(afl->shm.cmplog_mode && !q->is_ascii)) {
662*08b48e0bSAndroid Build Coastguard Worker
663*08b48e0bSAndroid Build Coastguard Worker q->is_ascii = check_if_text(afl, q);
664*08b48e0bSAndroid Build Coastguard Worker
665*08b48e0bSAndroid Build Coastguard Worker }
666*08b48e0bSAndroid Build Coastguard Worker
667*08b48e0bSAndroid Build Coastguard Worker q->skipdet_e = (struct skipdet_entry *)ck_alloc(sizeof(struct skipdet_entry));
668*08b48e0bSAndroid Build Coastguard Worker
669*08b48e0bSAndroid Build Coastguard Worker }
670*08b48e0bSAndroid Build Coastguard Worker
671*08b48e0bSAndroid Build Coastguard Worker /* Destroy the entire queue. */
672*08b48e0bSAndroid Build Coastguard Worker
destroy_queue(afl_state_t * afl)673*08b48e0bSAndroid Build Coastguard Worker void destroy_queue(afl_state_t *afl) {
674*08b48e0bSAndroid Build Coastguard Worker
675*08b48e0bSAndroid Build Coastguard Worker u32 i;
676*08b48e0bSAndroid Build Coastguard Worker
677*08b48e0bSAndroid Build Coastguard Worker for (i = 0; i < afl->queued_items; i++) {
678*08b48e0bSAndroid Build Coastguard Worker
679*08b48e0bSAndroid Build Coastguard Worker struct queue_entry *q;
680*08b48e0bSAndroid Build Coastguard Worker
681*08b48e0bSAndroid Build Coastguard Worker q = afl->queue_buf[i];
682*08b48e0bSAndroid Build Coastguard Worker ck_free(q->fname);
683*08b48e0bSAndroid Build Coastguard Worker ck_free(q->trace_mini);
684*08b48e0bSAndroid Build Coastguard Worker if (q->skipdet_e) {
685*08b48e0bSAndroid Build Coastguard Worker
686*08b48e0bSAndroid Build Coastguard Worker if (q->skipdet_e->done_inf_map) ck_free(q->skipdet_e->done_inf_map);
687*08b48e0bSAndroid Build Coastguard Worker if (q->skipdet_e->skip_eff_map) ck_free(q->skipdet_e->skip_eff_map);
688*08b48e0bSAndroid Build Coastguard Worker
689*08b48e0bSAndroid Build Coastguard Worker ck_free(q->skipdet_e);
690*08b48e0bSAndroid Build Coastguard Worker
691*08b48e0bSAndroid Build Coastguard Worker }
692*08b48e0bSAndroid Build Coastguard Worker
693*08b48e0bSAndroid Build Coastguard Worker ck_free(q);
694*08b48e0bSAndroid Build Coastguard Worker
695*08b48e0bSAndroid Build Coastguard Worker }
696*08b48e0bSAndroid Build Coastguard Worker
697*08b48e0bSAndroid Build Coastguard Worker }
698*08b48e0bSAndroid Build Coastguard Worker
699*08b48e0bSAndroid Build Coastguard Worker /* When we bump into a new path, we call this to see if the path appears
700*08b48e0bSAndroid Build Coastguard Worker more "favorable" than any of the existing ones. The purpose of the
701*08b48e0bSAndroid Build Coastguard Worker "favorables" is to have a minimal set of paths that trigger all the bits
702*08b48e0bSAndroid Build Coastguard Worker seen in the bitmap so far, and focus on fuzzing them at the expense of
703*08b48e0bSAndroid Build Coastguard Worker the rest.
704*08b48e0bSAndroid Build Coastguard Worker
705*08b48e0bSAndroid Build Coastguard Worker The first step of the process is to maintain a list of afl->top_rated[]
706*08b48e0bSAndroid Build Coastguard Worker entries for every byte in the bitmap. We win that slot if there is no
707*08b48e0bSAndroid Build Coastguard Worker previous contender, or if the contender has a more favorable speed x size
708*08b48e0bSAndroid Build Coastguard Worker factor. */
709*08b48e0bSAndroid Build Coastguard Worker
update_bitmap_score(afl_state_t * afl,struct queue_entry * q)710*08b48e0bSAndroid Build Coastguard Worker void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) {
711*08b48e0bSAndroid Build Coastguard Worker
712*08b48e0bSAndroid Build Coastguard Worker u32 i;
713*08b48e0bSAndroid Build Coastguard Worker u64 fav_factor;
714*08b48e0bSAndroid Build Coastguard Worker u64 fuzz_p2;
715*08b48e0bSAndroid Build Coastguard Worker
716*08b48e0bSAndroid Build Coastguard Worker if (likely(afl->schedule >= FAST && afl->schedule < RARE)) {
717*08b48e0bSAndroid Build Coastguard Worker
718*08b48e0bSAndroid Build Coastguard Worker fuzz_p2 = 0; // Skip the fuzz_p2 comparison
719*08b48e0bSAndroid Build Coastguard Worker
720*08b48e0bSAndroid Build Coastguard Worker } else if (unlikely(afl->schedule == RARE)) {
721*08b48e0bSAndroid Build Coastguard Worker
722*08b48e0bSAndroid Build Coastguard Worker fuzz_p2 = next_pow2(afl->n_fuzz[q->n_fuzz_entry]);
723*08b48e0bSAndroid Build Coastguard Worker
724*08b48e0bSAndroid Build Coastguard Worker } else {
725*08b48e0bSAndroid Build Coastguard Worker
726*08b48e0bSAndroid Build Coastguard Worker fuzz_p2 = q->fuzz_level;
727*08b48e0bSAndroid Build Coastguard Worker
728*08b48e0bSAndroid Build Coastguard Worker }
729*08b48e0bSAndroid Build Coastguard Worker
730*08b48e0bSAndroid Build Coastguard Worker if (unlikely(afl->schedule >= RARE) || unlikely(afl->fixed_seed)) {
731*08b48e0bSAndroid Build Coastguard Worker
732*08b48e0bSAndroid Build Coastguard Worker fav_factor = q->len << 2;
733*08b48e0bSAndroid Build Coastguard Worker
734*08b48e0bSAndroid Build Coastguard Worker } else {
735*08b48e0bSAndroid Build Coastguard Worker
736*08b48e0bSAndroid Build Coastguard Worker fav_factor = q->exec_us * q->len;
737*08b48e0bSAndroid Build Coastguard Worker
738*08b48e0bSAndroid Build Coastguard Worker }
739*08b48e0bSAndroid Build Coastguard Worker
740*08b48e0bSAndroid Build Coastguard Worker /* For every byte set in afl->fsrv.trace_bits[], see if there is a previous
741*08b48e0bSAndroid Build Coastguard Worker winner, and how it compares to us. */
742*08b48e0bSAndroid Build Coastguard Worker for (i = 0; i < afl->fsrv.map_size; ++i) {
743*08b48e0bSAndroid Build Coastguard Worker
744*08b48e0bSAndroid Build Coastguard Worker if (afl->fsrv.trace_bits[i]) {
745*08b48e0bSAndroid Build Coastguard Worker
746*08b48e0bSAndroid Build Coastguard Worker if (afl->top_rated[i]) {
747*08b48e0bSAndroid Build Coastguard Worker
748*08b48e0bSAndroid Build Coastguard Worker /* Faster-executing or smaller test cases are favored. */
749*08b48e0bSAndroid Build Coastguard Worker u64 top_rated_fav_factor;
750*08b48e0bSAndroid Build Coastguard Worker u64 top_rated_fuzz_p2;
751*08b48e0bSAndroid Build Coastguard Worker
752*08b48e0bSAndroid Build Coastguard Worker if (likely(afl->schedule >= FAST && afl->schedule < RARE)) {
753*08b48e0bSAndroid Build Coastguard Worker
754*08b48e0bSAndroid Build Coastguard Worker top_rated_fuzz_p2 = 0; // Skip the fuzz_p2 comparison
755*08b48e0bSAndroid Build Coastguard Worker
756*08b48e0bSAndroid Build Coastguard Worker } else if (unlikely(afl->schedule == RARE)) {
757*08b48e0bSAndroid Build Coastguard Worker
758*08b48e0bSAndroid Build Coastguard Worker top_rated_fuzz_p2 =
759*08b48e0bSAndroid Build Coastguard Worker next_pow2(afl->n_fuzz[afl->top_rated[i]->n_fuzz_entry]);
760*08b48e0bSAndroid Build Coastguard Worker
761*08b48e0bSAndroid Build Coastguard Worker } else {
762*08b48e0bSAndroid Build Coastguard Worker
763*08b48e0bSAndroid Build Coastguard Worker top_rated_fuzz_p2 = afl->top_rated[i]->fuzz_level;
764*08b48e0bSAndroid Build Coastguard Worker
765*08b48e0bSAndroid Build Coastguard Worker }
766*08b48e0bSAndroid Build Coastguard Worker
767*08b48e0bSAndroid Build Coastguard Worker if (unlikely(afl->schedule >= RARE) || unlikely(afl->fixed_seed)) {
768*08b48e0bSAndroid Build Coastguard Worker
769*08b48e0bSAndroid Build Coastguard Worker top_rated_fav_factor = afl->top_rated[i]->len << 2;
770*08b48e0bSAndroid Build Coastguard Worker
771*08b48e0bSAndroid Build Coastguard Worker } else {
772*08b48e0bSAndroid Build Coastguard Worker
773*08b48e0bSAndroid Build Coastguard Worker top_rated_fav_factor =
774*08b48e0bSAndroid Build Coastguard Worker afl->top_rated[i]->exec_us * afl->top_rated[i]->len;
775*08b48e0bSAndroid Build Coastguard Worker
776*08b48e0bSAndroid Build Coastguard Worker }
777*08b48e0bSAndroid Build Coastguard Worker
778*08b48e0bSAndroid Build Coastguard Worker if (likely(fuzz_p2 > top_rated_fuzz_p2)) { continue; }
779*08b48e0bSAndroid Build Coastguard Worker
780*08b48e0bSAndroid Build Coastguard Worker if (likely(fav_factor > top_rated_fav_factor)) { continue; }
781*08b48e0bSAndroid Build Coastguard Worker
782*08b48e0bSAndroid Build Coastguard Worker /* Looks like we're going to win. Decrease ref count for the
783*08b48e0bSAndroid Build Coastguard Worker previous winner, discard its afl->fsrv.trace_bits[] if necessary. */
784*08b48e0bSAndroid Build Coastguard Worker
785*08b48e0bSAndroid Build Coastguard Worker if (!--afl->top_rated[i]->tc_ref) {
786*08b48e0bSAndroid Build Coastguard Worker
787*08b48e0bSAndroid Build Coastguard Worker ck_free(afl->top_rated[i]->trace_mini);
788*08b48e0bSAndroid Build Coastguard Worker afl->top_rated[i]->trace_mini = 0;
789*08b48e0bSAndroid Build Coastguard Worker
790*08b48e0bSAndroid Build Coastguard Worker }
791*08b48e0bSAndroid Build Coastguard Worker
792*08b48e0bSAndroid Build Coastguard Worker }
793*08b48e0bSAndroid Build Coastguard Worker
794*08b48e0bSAndroid Build Coastguard Worker /* Insert ourselves as the new winner. */
795*08b48e0bSAndroid Build Coastguard Worker
796*08b48e0bSAndroid Build Coastguard Worker afl->top_rated[i] = q;
797*08b48e0bSAndroid Build Coastguard Worker ++q->tc_ref;
798*08b48e0bSAndroid Build Coastguard Worker
799*08b48e0bSAndroid Build Coastguard Worker if (!q->trace_mini) {
800*08b48e0bSAndroid Build Coastguard Worker
801*08b48e0bSAndroid Build Coastguard Worker u32 len = (afl->fsrv.map_size >> 3);
802*08b48e0bSAndroid Build Coastguard Worker q->trace_mini = (u8 *)ck_alloc(len);
803*08b48e0bSAndroid Build Coastguard Worker minimize_bits(afl, q->trace_mini, afl->fsrv.trace_bits);
804*08b48e0bSAndroid Build Coastguard Worker
805*08b48e0bSAndroid Build Coastguard Worker }
806*08b48e0bSAndroid Build Coastguard Worker
807*08b48e0bSAndroid Build Coastguard Worker afl->score_changed = 1;
808*08b48e0bSAndroid Build Coastguard Worker
809*08b48e0bSAndroid Build Coastguard Worker }
810*08b48e0bSAndroid Build Coastguard Worker
811*08b48e0bSAndroid Build Coastguard Worker }
812*08b48e0bSAndroid Build Coastguard Worker
813*08b48e0bSAndroid Build Coastguard Worker }
814*08b48e0bSAndroid Build Coastguard Worker
815*08b48e0bSAndroid Build Coastguard Worker /* The second part of the mechanism discussed above is a routine that
816*08b48e0bSAndroid Build Coastguard Worker goes over afl->top_rated[] entries, and then sequentially grabs winners for
817*08b48e0bSAndroid Build Coastguard Worker previously-unseen bytes (temp_v) and marks them as favored, at least
818*08b48e0bSAndroid Build Coastguard Worker until the next run. The favored entries are given more air time during
819*08b48e0bSAndroid Build Coastguard Worker all fuzzing steps. */
820*08b48e0bSAndroid Build Coastguard Worker
cull_queue(afl_state_t * afl)821*08b48e0bSAndroid Build Coastguard Worker void cull_queue(afl_state_t *afl) {
822*08b48e0bSAndroid Build Coastguard Worker
823*08b48e0bSAndroid Build Coastguard Worker if (likely(!afl->score_changed || afl->non_instrumented_mode)) { return; }
824*08b48e0bSAndroid Build Coastguard Worker
825*08b48e0bSAndroid Build Coastguard Worker u32 len = (afl->fsrv.map_size >> 3);
826*08b48e0bSAndroid Build Coastguard Worker u32 i;
827*08b48e0bSAndroid Build Coastguard Worker u8 *temp_v = afl->map_tmp_buf;
828*08b48e0bSAndroid Build Coastguard Worker
829*08b48e0bSAndroid Build Coastguard Worker afl->score_changed = 0;
830*08b48e0bSAndroid Build Coastguard Worker
831*08b48e0bSAndroid Build Coastguard Worker memset(temp_v, 255, len);
832*08b48e0bSAndroid Build Coastguard Worker
833*08b48e0bSAndroid Build Coastguard Worker afl->queued_favored = 0;
834*08b48e0bSAndroid Build Coastguard Worker afl->pending_favored = 0;
835*08b48e0bSAndroid Build Coastguard Worker
836*08b48e0bSAndroid Build Coastguard Worker for (i = 0; i < afl->queued_items; i++) {
837*08b48e0bSAndroid Build Coastguard Worker
838*08b48e0bSAndroid Build Coastguard Worker afl->queue_buf[i]->favored = 0;
839*08b48e0bSAndroid Build Coastguard Worker
840*08b48e0bSAndroid Build Coastguard Worker }
841*08b48e0bSAndroid Build Coastguard Worker
842*08b48e0bSAndroid Build Coastguard Worker /* Let's see if anything in the bitmap isn't captured in temp_v.
843*08b48e0bSAndroid Build Coastguard Worker If yes, and if it has a afl->top_rated[] contender, let's use it. */
844*08b48e0bSAndroid Build Coastguard Worker
845*08b48e0bSAndroid Build Coastguard Worker afl->smallest_favored = -1;
846*08b48e0bSAndroid Build Coastguard Worker
847*08b48e0bSAndroid Build Coastguard Worker for (i = 0; i < afl->fsrv.map_size; ++i) {
848*08b48e0bSAndroid Build Coastguard Worker
849*08b48e0bSAndroid Build Coastguard Worker if (afl->top_rated[i] && (temp_v[i >> 3] & (1 << (i & 7)))) {
850*08b48e0bSAndroid Build Coastguard Worker
851*08b48e0bSAndroid Build Coastguard Worker u32 j = len;
852*08b48e0bSAndroid Build Coastguard Worker
853*08b48e0bSAndroid Build Coastguard Worker /* Remove all bits belonging to the current entry from temp_v. */
854*08b48e0bSAndroid Build Coastguard Worker
855*08b48e0bSAndroid Build Coastguard Worker while (j--) {
856*08b48e0bSAndroid Build Coastguard Worker
857*08b48e0bSAndroid Build Coastguard Worker if (afl->top_rated[i]->trace_mini[j]) {
858*08b48e0bSAndroid Build Coastguard Worker
859*08b48e0bSAndroid Build Coastguard Worker temp_v[j] &= ~afl->top_rated[i]->trace_mini[j];
860*08b48e0bSAndroid Build Coastguard Worker
861*08b48e0bSAndroid Build Coastguard Worker }
862*08b48e0bSAndroid Build Coastguard Worker
863*08b48e0bSAndroid Build Coastguard Worker }
864*08b48e0bSAndroid Build Coastguard Worker
865*08b48e0bSAndroid Build Coastguard Worker if (!afl->top_rated[i]->favored) {
866*08b48e0bSAndroid Build Coastguard Worker
867*08b48e0bSAndroid Build Coastguard Worker afl->top_rated[i]->favored = 1;
868*08b48e0bSAndroid Build Coastguard Worker ++afl->queued_favored;
869*08b48e0bSAndroid Build Coastguard Worker
870*08b48e0bSAndroid Build Coastguard Worker if (!afl->top_rated[i]->was_fuzzed) {
871*08b48e0bSAndroid Build Coastguard Worker
872*08b48e0bSAndroid Build Coastguard Worker ++afl->pending_favored;
873*08b48e0bSAndroid Build Coastguard Worker if (unlikely(afl->smallest_favored < 0)) {
874*08b48e0bSAndroid Build Coastguard Worker
875*08b48e0bSAndroid Build Coastguard Worker afl->smallest_favored = (s64)afl->top_rated[i]->id;
876*08b48e0bSAndroid Build Coastguard Worker
877*08b48e0bSAndroid Build Coastguard Worker }
878*08b48e0bSAndroid Build Coastguard Worker
879*08b48e0bSAndroid Build Coastguard Worker }
880*08b48e0bSAndroid Build Coastguard Worker
881*08b48e0bSAndroid Build Coastguard Worker }
882*08b48e0bSAndroid Build Coastguard Worker
883*08b48e0bSAndroid Build Coastguard Worker }
884*08b48e0bSAndroid Build Coastguard Worker
885*08b48e0bSAndroid Build Coastguard Worker }
886*08b48e0bSAndroid Build Coastguard Worker
887*08b48e0bSAndroid Build Coastguard Worker for (i = 0; i < afl->queued_items; i++) {
888*08b48e0bSAndroid Build Coastguard Worker
889*08b48e0bSAndroid Build Coastguard Worker if (likely(!afl->queue_buf[i]->disabled)) {
890*08b48e0bSAndroid Build Coastguard Worker
891*08b48e0bSAndroid Build Coastguard Worker mark_as_redundant(afl, afl->queue_buf[i], !afl->queue_buf[i]->favored);
892*08b48e0bSAndroid Build Coastguard Worker
893*08b48e0bSAndroid Build Coastguard Worker }
894*08b48e0bSAndroid Build Coastguard Worker
895*08b48e0bSAndroid Build Coastguard Worker }
896*08b48e0bSAndroid Build Coastguard Worker
897*08b48e0bSAndroid Build Coastguard Worker afl->reinit_table = 1;
898*08b48e0bSAndroid Build Coastguard Worker
899*08b48e0bSAndroid Build Coastguard Worker }
900*08b48e0bSAndroid Build Coastguard Worker
901*08b48e0bSAndroid Build Coastguard Worker /* Calculate case desirability score to adjust the length of havoc fuzzing.
902*08b48e0bSAndroid Build Coastguard Worker A helper function for fuzz_one(). Maybe some of these constants should
903*08b48e0bSAndroid Build Coastguard Worker go into config.h. */
904*08b48e0bSAndroid Build Coastguard Worker
calculate_score(afl_state_t * afl,struct queue_entry * q)905*08b48e0bSAndroid Build Coastguard Worker u32 calculate_score(afl_state_t *afl, struct queue_entry *q) {
906*08b48e0bSAndroid Build Coastguard Worker
907*08b48e0bSAndroid Build Coastguard Worker u32 cal_cycles = afl->total_cal_cycles;
908*08b48e0bSAndroid Build Coastguard Worker u32 bitmap_entries = afl->total_bitmap_entries;
909*08b48e0bSAndroid Build Coastguard Worker
910*08b48e0bSAndroid Build Coastguard Worker if (unlikely(!cal_cycles)) { cal_cycles = 1; }
911*08b48e0bSAndroid Build Coastguard Worker if (unlikely(!bitmap_entries)) { bitmap_entries = 1; }
912*08b48e0bSAndroid Build Coastguard Worker
913*08b48e0bSAndroid Build Coastguard Worker u32 avg_exec_us = afl->total_cal_us / cal_cycles;
914*08b48e0bSAndroid Build Coastguard Worker u32 avg_bitmap_size = afl->total_bitmap_size / bitmap_entries;
915*08b48e0bSAndroid Build Coastguard Worker u32 perf_score = 100;
916*08b48e0bSAndroid Build Coastguard Worker
917*08b48e0bSAndroid Build Coastguard Worker /* Adjust score based on execution speed of this path, compared to the
918*08b48e0bSAndroid Build Coastguard Worker global average. Multiplier ranges from 0.1x to 3x. Fast inputs are
919*08b48e0bSAndroid Build Coastguard Worker less expensive to fuzz, so we're giving them more air time. */
920*08b48e0bSAndroid Build Coastguard Worker
921*08b48e0bSAndroid Build Coastguard Worker // TODO BUG FIXME: is this really a good idea?
922*08b48e0bSAndroid Build Coastguard Worker // This sounds like looking for lost keys under a street light just because
923*08b48e0bSAndroid Build Coastguard Worker // the light is better there.
924*08b48e0bSAndroid Build Coastguard Worker // Longer execution time means longer work on the input, the deeper in
925*08b48e0bSAndroid Build Coastguard Worker // coverage, the better the fuzzing, right? -mh
926*08b48e0bSAndroid Build Coastguard Worker
927*08b48e0bSAndroid Build Coastguard Worker if (likely(afl->schedule < RARE) && likely(!afl->fixed_seed)) {
928*08b48e0bSAndroid Build Coastguard Worker
929*08b48e0bSAndroid Build Coastguard Worker if (q->exec_us * 0.1 > avg_exec_us) {
930*08b48e0bSAndroid Build Coastguard Worker
931*08b48e0bSAndroid Build Coastguard Worker perf_score = 10;
932*08b48e0bSAndroid Build Coastguard Worker
933*08b48e0bSAndroid Build Coastguard Worker } else if (q->exec_us * 0.25 > avg_exec_us) {
934*08b48e0bSAndroid Build Coastguard Worker
935*08b48e0bSAndroid Build Coastguard Worker perf_score = 25;
936*08b48e0bSAndroid Build Coastguard Worker
937*08b48e0bSAndroid Build Coastguard Worker } else if (q->exec_us * 0.5 > avg_exec_us) {
938*08b48e0bSAndroid Build Coastguard Worker
939*08b48e0bSAndroid Build Coastguard Worker perf_score = 50;
940*08b48e0bSAndroid Build Coastguard Worker
941*08b48e0bSAndroid Build Coastguard Worker } else if (q->exec_us * 0.75 > avg_exec_us) {
942*08b48e0bSAndroid Build Coastguard Worker
943*08b48e0bSAndroid Build Coastguard Worker perf_score = 75;
944*08b48e0bSAndroid Build Coastguard Worker
945*08b48e0bSAndroid Build Coastguard Worker } else if (q->exec_us * 4 < avg_exec_us) {
946*08b48e0bSAndroid Build Coastguard Worker
947*08b48e0bSAndroid Build Coastguard Worker perf_score = 300;
948*08b48e0bSAndroid Build Coastguard Worker
949*08b48e0bSAndroid Build Coastguard Worker } else if (q->exec_us * 3 < avg_exec_us) {
950*08b48e0bSAndroid Build Coastguard Worker
951*08b48e0bSAndroid Build Coastguard Worker perf_score = 200;
952*08b48e0bSAndroid Build Coastguard Worker
953*08b48e0bSAndroid Build Coastguard Worker } else if (q->exec_us * 2 < avg_exec_us) {
954*08b48e0bSAndroid Build Coastguard Worker
955*08b48e0bSAndroid Build Coastguard Worker perf_score = 150;
956*08b48e0bSAndroid Build Coastguard Worker
957*08b48e0bSAndroid Build Coastguard Worker }
958*08b48e0bSAndroid Build Coastguard Worker
959*08b48e0bSAndroid Build Coastguard Worker }
960*08b48e0bSAndroid Build Coastguard Worker
961*08b48e0bSAndroid Build Coastguard Worker /* Adjust score based on bitmap size. The working theory is that better
962*08b48e0bSAndroid Build Coastguard Worker coverage translates to better targets. Multiplier from 0.25x to 3x. */
963*08b48e0bSAndroid Build Coastguard Worker
964*08b48e0bSAndroid Build Coastguard Worker if (q->bitmap_size * 0.3 > avg_bitmap_size) {
965*08b48e0bSAndroid Build Coastguard Worker
966*08b48e0bSAndroid Build Coastguard Worker perf_score *= 3;
967*08b48e0bSAndroid Build Coastguard Worker
968*08b48e0bSAndroid Build Coastguard Worker } else if (q->bitmap_size * 0.5 > avg_bitmap_size) {
969*08b48e0bSAndroid Build Coastguard Worker
970*08b48e0bSAndroid Build Coastguard Worker perf_score *= 2;
971*08b48e0bSAndroid Build Coastguard Worker
972*08b48e0bSAndroid Build Coastguard Worker } else if (q->bitmap_size * 0.75 > avg_bitmap_size) {
973*08b48e0bSAndroid Build Coastguard Worker
974*08b48e0bSAndroid Build Coastguard Worker perf_score *= 1.5;
975*08b48e0bSAndroid Build Coastguard Worker
976*08b48e0bSAndroid Build Coastguard Worker } else if (q->bitmap_size * 3 < avg_bitmap_size) {
977*08b48e0bSAndroid Build Coastguard Worker
978*08b48e0bSAndroid Build Coastguard Worker perf_score *= 0.25;
979*08b48e0bSAndroid Build Coastguard Worker
980*08b48e0bSAndroid Build Coastguard Worker } else if (q->bitmap_size * 2 < avg_bitmap_size) {
981*08b48e0bSAndroid Build Coastguard Worker
982*08b48e0bSAndroid Build Coastguard Worker perf_score *= 0.5;
983*08b48e0bSAndroid Build Coastguard Worker
984*08b48e0bSAndroid Build Coastguard Worker } else if (q->bitmap_size * 1.5 < avg_bitmap_size) {
985*08b48e0bSAndroid Build Coastguard Worker
986*08b48e0bSAndroid Build Coastguard Worker perf_score *= 0.75;
987*08b48e0bSAndroid Build Coastguard Worker
988*08b48e0bSAndroid Build Coastguard Worker }
989*08b48e0bSAndroid Build Coastguard Worker
990*08b48e0bSAndroid Build Coastguard Worker /* Adjust score based on handicap. Handicap is proportional to how late
991*08b48e0bSAndroid Build Coastguard Worker in the game we learned about this path. Latecomers are allowed to run
992*08b48e0bSAndroid Build Coastguard Worker for a bit longer until they catch up with the rest. */
993*08b48e0bSAndroid Build Coastguard Worker
994*08b48e0bSAndroid Build Coastguard Worker if (q->handicap >= 4) {
995*08b48e0bSAndroid Build Coastguard Worker
996*08b48e0bSAndroid Build Coastguard Worker perf_score *= 4;
997*08b48e0bSAndroid Build Coastguard Worker q->handicap -= 4;
998*08b48e0bSAndroid Build Coastguard Worker
999*08b48e0bSAndroid Build Coastguard Worker } else if (q->handicap) {
1000*08b48e0bSAndroid Build Coastguard Worker
1001*08b48e0bSAndroid Build Coastguard Worker perf_score *= 2;
1002*08b48e0bSAndroid Build Coastguard Worker --q->handicap;
1003*08b48e0bSAndroid Build Coastguard Worker
1004*08b48e0bSAndroid Build Coastguard Worker }
1005*08b48e0bSAndroid Build Coastguard Worker
1006*08b48e0bSAndroid Build Coastguard Worker /* Final adjustment based on input depth, under the assumption that fuzzing
1007*08b48e0bSAndroid Build Coastguard Worker deeper test cases is more likely to reveal stuff that can't be
1008*08b48e0bSAndroid Build Coastguard Worker discovered with traditional fuzzers. */
1009*08b48e0bSAndroid Build Coastguard Worker
1010*08b48e0bSAndroid Build Coastguard Worker switch (q->depth) {
1011*08b48e0bSAndroid Build Coastguard Worker
1012*08b48e0bSAndroid Build Coastguard Worker case 0 ... 3:
1013*08b48e0bSAndroid Build Coastguard Worker break;
1014*08b48e0bSAndroid Build Coastguard Worker case 4 ... 7:
1015*08b48e0bSAndroid Build Coastguard Worker perf_score *= 2;
1016*08b48e0bSAndroid Build Coastguard Worker break;
1017*08b48e0bSAndroid Build Coastguard Worker case 8 ... 13:
1018*08b48e0bSAndroid Build Coastguard Worker perf_score *= 3;
1019*08b48e0bSAndroid Build Coastguard Worker break;
1020*08b48e0bSAndroid Build Coastguard Worker case 14 ... 25:
1021*08b48e0bSAndroid Build Coastguard Worker perf_score *= 4;
1022*08b48e0bSAndroid Build Coastguard Worker break;
1023*08b48e0bSAndroid Build Coastguard Worker default:
1024*08b48e0bSAndroid Build Coastguard Worker perf_score *= 5;
1025*08b48e0bSAndroid Build Coastguard Worker
1026*08b48e0bSAndroid Build Coastguard Worker }
1027*08b48e0bSAndroid Build Coastguard Worker
1028*08b48e0bSAndroid Build Coastguard Worker u32 n_items;
1029*08b48e0bSAndroid Build Coastguard Worker double factor = 1.0;
1030*08b48e0bSAndroid Build Coastguard Worker long double fuzz_mu;
1031*08b48e0bSAndroid Build Coastguard Worker
1032*08b48e0bSAndroid Build Coastguard Worker switch (afl->schedule) {
1033*08b48e0bSAndroid Build Coastguard Worker
1034*08b48e0bSAndroid Build Coastguard Worker case EXPLORE:
1035*08b48e0bSAndroid Build Coastguard Worker break;
1036*08b48e0bSAndroid Build Coastguard Worker
1037*08b48e0bSAndroid Build Coastguard Worker case SEEK:
1038*08b48e0bSAndroid Build Coastguard Worker break;
1039*08b48e0bSAndroid Build Coastguard Worker
1040*08b48e0bSAndroid Build Coastguard Worker case EXPLOIT:
1041*08b48e0bSAndroid Build Coastguard Worker factor = MAX_FACTOR;
1042*08b48e0bSAndroid Build Coastguard Worker break;
1043*08b48e0bSAndroid Build Coastguard Worker
1044*08b48e0bSAndroid Build Coastguard Worker case COE:
1045*08b48e0bSAndroid Build Coastguard Worker fuzz_mu = 0.0;
1046*08b48e0bSAndroid Build Coastguard Worker n_items = 0;
1047*08b48e0bSAndroid Build Coastguard Worker
1048*08b48e0bSAndroid Build Coastguard Worker // Don't modify perf_score for unfuzzed seeds
1049*08b48e0bSAndroid Build Coastguard Worker if (!q->fuzz_level) break;
1050*08b48e0bSAndroid Build Coastguard Worker
1051*08b48e0bSAndroid Build Coastguard Worker u32 i;
1052*08b48e0bSAndroid Build Coastguard Worker for (i = 0; i < afl->queued_items; i++) {
1053*08b48e0bSAndroid Build Coastguard Worker
1054*08b48e0bSAndroid Build Coastguard Worker if (likely(!afl->queue_buf[i]->disabled)) {
1055*08b48e0bSAndroid Build Coastguard Worker
1056*08b48e0bSAndroid Build Coastguard Worker fuzz_mu += log2(afl->n_fuzz[afl->queue_buf[i]->n_fuzz_entry]);
1057*08b48e0bSAndroid Build Coastguard Worker n_items++;
1058*08b48e0bSAndroid Build Coastguard Worker
1059*08b48e0bSAndroid Build Coastguard Worker }
1060*08b48e0bSAndroid Build Coastguard Worker
1061*08b48e0bSAndroid Build Coastguard Worker }
1062*08b48e0bSAndroid Build Coastguard Worker
1063*08b48e0bSAndroid Build Coastguard Worker if (unlikely(!n_items)) { FATAL("Queue state corrupt"); }
1064*08b48e0bSAndroid Build Coastguard Worker
1065*08b48e0bSAndroid Build Coastguard Worker fuzz_mu = fuzz_mu / n_items;
1066*08b48e0bSAndroid Build Coastguard Worker
1067*08b48e0bSAndroid Build Coastguard Worker if (log2(afl->n_fuzz[q->n_fuzz_entry]) > fuzz_mu) {
1068*08b48e0bSAndroid Build Coastguard Worker
1069*08b48e0bSAndroid Build Coastguard Worker /* Never skip favourites */
1070*08b48e0bSAndroid Build Coastguard Worker if (!q->favored) factor = 0;
1071*08b48e0bSAndroid Build Coastguard Worker
1072*08b48e0bSAndroid Build Coastguard Worker break;
1073*08b48e0bSAndroid Build Coastguard Worker
1074*08b48e0bSAndroid Build Coastguard Worker }
1075*08b48e0bSAndroid Build Coastguard Worker
1076*08b48e0bSAndroid Build Coastguard Worker // Fall through
1077*08b48e0bSAndroid Build Coastguard Worker case FAST:
1078*08b48e0bSAndroid Build Coastguard Worker
1079*08b48e0bSAndroid Build Coastguard Worker // Don't modify unfuzzed seeds
1080*08b48e0bSAndroid Build Coastguard Worker if (!q->fuzz_level) break;
1081*08b48e0bSAndroid Build Coastguard Worker
1082*08b48e0bSAndroid Build Coastguard Worker switch ((u32)log2(afl->n_fuzz[q->n_fuzz_entry])) {
1083*08b48e0bSAndroid Build Coastguard Worker
1084*08b48e0bSAndroid Build Coastguard Worker case 0 ... 1:
1085*08b48e0bSAndroid Build Coastguard Worker factor = 4;
1086*08b48e0bSAndroid Build Coastguard Worker break;
1087*08b48e0bSAndroid Build Coastguard Worker
1088*08b48e0bSAndroid Build Coastguard Worker case 2 ... 3:
1089*08b48e0bSAndroid Build Coastguard Worker factor = 3;
1090*08b48e0bSAndroid Build Coastguard Worker break;
1091*08b48e0bSAndroid Build Coastguard Worker
1092*08b48e0bSAndroid Build Coastguard Worker case 4:
1093*08b48e0bSAndroid Build Coastguard Worker factor = 2;
1094*08b48e0bSAndroid Build Coastguard Worker break;
1095*08b48e0bSAndroid Build Coastguard Worker
1096*08b48e0bSAndroid Build Coastguard Worker case 5:
1097*08b48e0bSAndroid Build Coastguard Worker break;
1098*08b48e0bSAndroid Build Coastguard Worker
1099*08b48e0bSAndroid Build Coastguard Worker case 6:
1100*08b48e0bSAndroid Build Coastguard Worker if (!q->favored) factor = 0.8;
1101*08b48e0bSAndroid Build Coastguard Worker break;
1102*08b48e0bSAndroid Build Coastguard Worker
1103*08b48e0bSAndroid Build Coastguard Worker case 7:
1104*08b48e0bSAndroid Build Coastguard Worker if (!q->favored) factor = 0.6;
1105*08b48e0bSAndroid Build Coastguard Worker break;
1106*08b48e0bSAndroid Build Coastguard Worker
1107*08b48e0bSAndroid Build Coastguard Worker default:
1108*08b48e0bSAndroid Build Coastguard Worker if (!q->favored) factor = 0.4;
1109*08b48e0bSAndroid Build Coastguard Worker break;
1110*08b48e0bSAndroid Build Coastguard Worker
1111*08b48e0bSAndroid Build Coastguard Worker }
1112*08b48e0bSAndroid Build Coastguard Worker
1113*08b48e0bSAndroid Build Coastguard Worker if (q->favored) factor *= 1.15;
1114*08b48e0bSAndroid Build Coastguard Worker
1115*08b48e0bSAndroid Build Coastguard Worker break;
1116*08b48e0bSAndroid Build Coastguard Worker
1117*08b48e0bSAndroid Build Coastguard Worker case LIN:
1118*08b48e0bSAndroid Build Coastguard Worker // Don't modify perf_score for unfuzzed seeds
1119*08b48e0bSAndroid Build Coastguard Worker if (!q->fuzz_level) break;
1120*08b48e0bSAndroid Build Coastguard Worker
1121*08b48e0bSAndroid Build Coastguard Worker factor = q->fuzz_level / (afl->n_fuzz[q->n_fuzz_entry] + 1);
1122*08b48e0bSAndroid Build Coastguard Worker break;
1123*08b48e0bSAndroid Build Coastguard Worker
1124*08b48e0bSAndroid Build Coastguard Worker case QUAD:
1125*08b48e0bSAndroid Build Coastguard Worker // Don't modify perf_score for unfuzzed seeds
1126*08b48e0bSAndroid Build Coastguard Worker if (!q->fuzz_level) break;
1127*08b48e0bSAndroid Build Coastguard Worker
1128*08b48e0bSAndroid Build Coastguard Worker factor =
1129*08b48e0bSAndroid Build Coastguard Worker q->fuzz_level * q->fuzz_level / (afl->n_fuzz[q->n_fuzz_entry] + 1);
1130*08b48e0bSAndroid Build Coastguard Worker break;
1131*08b48e0bSAndroid Build Coastguard Worker
1132*08b48e0bSAndroid Build Coastguard Worker case MMOPT:
1133*08b48e0bSAndroid Build Coastguard Worker /* -- this was a more complex setup, which is good, but competed with
1134*08b48e0bSAndroid Build Coastguard Worker -- rare. the simpler algo however is good when rare is not.
1135*08b48e0bSAndroid Build Coastguard Worker // the newer the entry, the higher the pref_score
1136*08b48e0bSAndroid Build Coastguard Worker perf_score *= (1 + (double)((double)q->depth /
1137*08b48e0bSAndroid Build Coastguard Worker (double)afl->queued_items));
1138*08b48e0bSAndroid Build Coastguard Worker // with special focus on the last 8 entries
1139*08b48e0bSAndroid Build Coastguard Worker if (afl->max_depth - q->depth < 8) perf_score *= (1 + ((8 -
1140*08b48e0bSAndroid Build Coastguard Worker (afl->max_depth - q->depth)) / 5));
1141*08b48e0bSAndroid Build Coastguard Worker */
1142*08b48e0bSAndroid Build Coastguard Worker // put focus on the last 5 entries
1143*08b48e0bSAndroid Build Coastguard Worker if (afl->max_depth - q->depth < 5) { perf_score *= 2; }
1144*08b48e0bSAndroid Build Coastguard Worker
1145*08b48e0bSAndroid Build Coastguard Worker break;
1146*08b48e0bSAndroid Build Coastguard Worker
1147*08b48e0bSAndroid Build Coastguard Worker case RARE:
1148*08b48e0bSAndroid Build Coastguard Worker
1149*08b48e0bSAndroid Build Coastguard Worker // increase the score for every bitmap byte for which this entry
1150*08b48e0bSAndroid Build Coastguard Worker // is the top contender
1151*08b48e0bSAndroid Build Coastguard Worker perf_score += (q->tc_ref * 10);
1152*08b48e0bSAndroid Build Coastguard Worker // the more often fuzz result paths are equal to this queue entry,
1153*08b48e0bSAndroid Build Coastguard Worker // reduce its value
1154*08b48e0bSAndroid Build Coastguard Worker perf_score *= (1 - (double)((double)afl->n_fuzz[q->n_fuzz_entry] /
1155*08b48e0bSAndroid Build Coastguard Worker (double)afl->fsrv.total_execs));
1156*08b48e0bSAndroid Build Coastguard Worker
1157*08b48e0bSAndroid Build Coastguard Worker break;
1158*08b48e0bSAndroid Build Coastguard Worker
1159*08b48e0bSAndroid Build Coastguard Worker default:
1160*08b48e0bSAndroid Build Coastguard Worker PFATAL("Unknown Power Schedule");
1161*08b48e0bSAndroid Build Coastguard Worker
1162*08b48e0bSAndroid Build Coastguard Worker }
1163*08b48e0bSAndroid Build Coastguard Worker
1164*08b48e0bSAndroid Build Coastguard Worker if (unlikely(afl->schedule >= EXPLOIT && afl->schedule <= QUAD)) {
1165*08b48e0bSAndroid Build Coastguard Worker
1166*08b48e0bSAndroid Build Coastguard Worker if (factor > MAX_FACTOR) { factor = MAX_FACTOR; }
1167*08b48e0bSAndroid Build Coastguard Worker perf_score *= factor / POWER_BETA;
1168*08b48e0bSAndroid Build Coastguard Worker
1169*08b48e0bSAndroid Build Coastguard Worker }
1170*08b48e0bSAndroid Build Coastguard Worker
1171*08b48e0bSAndroid Build Coastguard Worker // MOpt mode
1172*08b48e0bSAndroid Build Coastguard Worker if (afl->limit_time_sig != 0 && afl->max_depth - q->depth < 3) {
1173*08b48e0bSAndroid Build Coastguard Worker
1174*08b48e0bSAndroid Build Coastguard Worker perf_score *= 2;
1175*08b48e0bSAndroid Build Coastguard Worker
1176*08b48e0bSAndroid Build Coastguard Worker } else if (afl->schedule != COE && perf_score < 1) {
1177*08b48e0bSAndroid Build Coastguard Worker
1178*08b48e0bSAndroid Build Coastguard Worker // Add a lower bound to AFLFast's energy assignment strategies
1179*08b48e0bSAndroid Build Coastguard Worker perf_score = 1;
1180*08b48e0bSAndroid Build Coastguard Worker
1181*08b48e0bSAndroid Build Coastguard Worker }
1182*08b48e0bSAndroid Build Coastguard Worker
1183*08b48e0bSAndroid Build Coastguard Worker /* Make sure that we don't go over limit. */
1184*08b48e0bSAndroid Build Coastguard Worker
1185*08b48e0bSAndroid Build Coastguard Worker if (perf_score > afl->havoc_max_mult * 100) {
1186*08b48e0bSAndroid Build Coastguard Worker
1187*08b48e0bSAndroid Build Coastguard Worker perf_score = afl->havoc_max_mult * 100;
1188*08b48e0bSAndroid Build Coastguard Worker
1189*08b48e0bSAndroid Build Coastguard Worker }
1190*08b48e0bSAndroid Build Coastguard Worker
1191*08b48e0bSAndroid Build Coastguard Worker return perf_score;
1192*08b48e0bSAndroid Build Coastguard Worker
1193*08b48e0bSAndroid Build Coastguard Worker }
1194*08b48e0bSAndroid Build Coastguard Worker
1195*08b48e0bSAndroid Build Coastguard Worker /* after a custom trim we need to reload the testcase from disk */
1196*08b48e0bSAndroid Build Coastguard Worker
queue_testcase_retake(afl_state_t * afl,struct queue_entry * q,u32 old_len)1197*08b48e0bSAndroid Build Coastguard Worker inline void queue_testcase_retake(afl_state_t *afl, struct queue_entry *q,
1198*08b48e0bSAndroid Build Coastguard Worker u32 old_len) {
1199*08b48e0bSAndroid Build Coastguard Worker
1200*08b48e0bSAndroid Build Coastguard Worker if (likely(q->testcase_buf)) {
1201*08b48e0bSAndroid Build Coastguard Worker
1202*08b48e0bSAndroid Build Coastguard Worker u32 len = q->len;
1203*08b48e0bSAndroid Build Coastguard Worker
1204*08b48e0bSAndroid Build Coastguard Worker if (len != old_len) {
1205*08b48e0bSAndroid Build Coastguard Worker
1206*08b48e0bSAndroid Build Coastguard Worker afl->q_testcase_cache_size = afl->q_testcase_cache_size + len - old_len;
1207*08b48e0bSAndroid Build Coastguard Worker q->testcase_buf = (u8 *)realloc(q->testcase_buf, len);
1208*08b48e0bSAndroid Build Coastguard Worker
1209*08b48e0bSAndroid Build Coastguard Worker if (unlikely(!q->testcase_buf)) {
1210*08b48e0bSAndroid Build Coastguard Worker
1211*08b48e0bSAndroid Build Coastguard Worker PFATAL("Unable to malloc '%s' with len %u", (char *)q->fname, len);
1212*08b48e0bSAndroid Build Coastguard Worker
1213*08b48e0bSAndroid Build Coastguard Worker }
1214*08b48e0bSAndroid Build Coastguard Worker
1215*08b48e0bSAndroid Build Coastguard Worker }
1216*08b48e0bSAndroid Build Coastguard Worker
1217*08b48e0bSAndroid Build Coastguard Worker int fd = open((char *)q->fname, O_RDONLY);
1218*08b48e0bSAndroid Build Coastguard Worker
1219*08b48e0bSAndroid Build Coastguard Worker if (unlikely(fd < 0)) { PFATAL("Unable to open '%s'", (char *)q->fname); }
1220*08b48e0bSAndroid Build Coastguard Worker
1221*08b48e0bSAndroid Build Coastguard Worker ck_read(fd, q->testcase_buf, len, q->fname);
1222*08b48e0bSAndroid Build Coastguard Worker close(fd);
1223*08b48e0bSAndroid Build Coastguard Worker
1224*08b48e0bSAndroid Build Coastguard Worker }
1225*08b48e0bSAndroid Build Coastguard Worker
1226*08b48e0bSAndroid Build Coastguard Worker }
1227*08b48e0bSAndroid Build Coastguard Worker
1228*08b48e0bSAndroid Build Coastguard Worker /* after a normal trim we need to replace the testcase with the new data */
1229*08b48e0bSAndroid Build Coastguard Worker
queue_testcase_retake_mem(afl_state_t * afl,struct queue_entry * q,u8 * in,u32 len,u32 old_len)1230*08b48e0bSAndroid Build Coastguard Worker inline void queue_testcase_retake_mem(afl_state_t *afl, struct queue_entry *q,
1231*08b48e0bSAndroid Build Coastguard Worker u8 *in, u32 len, u32 old_len) {
1232*08b48e0bSAndroid Build Coastguard Worker
1233*08b48e0bSAndroid Build Coastguard Worker if (likely(q->testcase_buf)) {
1234*08b48e0bSAndroid Build Coastguard Worker
1235*08b48e0bSAndroid Build Coastguard Worker u32 is_same = in == q->testcase_buf;
1236*08b48e0bSAndroid Build Coastguard Worker
1237*08b48e0bSAndroid Build Coastguard Worker if (likely(len != old_len)) {
1238*08b48e0bSAndroid Build Coastguard Worker
1239*08b48e0bSAndroid Build Coastguard Worker u8 *ptr = (u8 *)realloc(q->testcase_buf, len);
1240*08b48e0bSAndroid Build Coastguard Worker
1241*08b48e0bSAndroid Build Coastguard Worker if (likely(ptr)) {
1242*08b48e0bSAndroid Build Coastguard Worker
1243*08b48e0bSAndroid Build Coastguard Worker q->testcase_buf = ptr;
1244*08b48e0bSAndroid Build Coastguard Worker afl->q_testcase_cache_size = afl->q_testcase_cache_size + len - old_len;
1245*08b48e0bSAndroid Build Coastguard Worker
1246*08b48e0bSAndroid Build Coastguard Worker }
1247*08b48e0bSAndroid Build Coastguard Worker
1248*08b48e0bSAndroid Build Coastguard Worker }
1249*08b48e0bSAndroid Build Coastguard Worker
1250*08b48e0bSAndroid Build Coastguard Worker if (unlikely(!is_same)) { memcpy(q->testcase_buf, in, len); }
1251*08b48e0bSAndroid Build Coastguard Worker
1252*08b48e0bSAndroid Build Coastguard Worker }
1253*08b48e0bSAndroid Build Coastguard Worker
1254*08b48e0bSAndroid Build Coastguard Worker }
1255*08b48e0bSAndroid Build Coastguard Worker
1256*08b48e0bSAndroid Build Coastguard Worker /* Returns the testcase buf from the file behind this queue entry.
1257*08b48e0bSAndroid Build Coastguard Worker Increases the refcount. */
1258*08b48e0bSAndroid Build Coastguard Worker
queue_testcase_get(afl_state_t * afl,struct queue_entry * q)1259*08b48e0bSAndroid Build Coastguard Worker inline u8 *queue_testcase_get(afl_state_t *afl, struct queue_entry *q) {
1260*08b48e0bSAndroid Build Coastguard Worker
1261*08b48e0bSAndroid Build Coastguard Worker u32 len = q->len;
1262*08b48e0bSAndroid Build Coastguard Worker
1263*08b48e0bSAndroid Build Coastguard Worker /* first handle if no testcase cache is configured */
1264*08b48e0bSAndroid Build Coastguard Worker
1265*08b48e0bSAndroid Build Coastguard Worker if (unlikely(!afl->q_testcase_max_cache_size)) {
1266*08b48e0bSAndroid Build Coastguard Worker
1267*08b48e0bSAndroid Build Coastguard Worker u8 *buf;
1268*08b48e0bSAndroid Build Coastguard Worker
1269*08b48e0bSAndroid Build Coastguard Worker if (unlikely(q == afl->queue_cur)) {
1270*08b48e0bSAndroid Build Coastguard Worker
1271*08b48e0bSAndroid Build Coastguard Worker buf = (u8 *)afl_realloc((void **)&afl->testcase_buf, len);
1272*08b48e0bSAndroid Build Coastguard Worker
1273*08b48e0bSAndroid Build Coastguard Worker } else {
1274*08b48e0bSAndroid Build Coastguard Worker
1275*08b48e0bSAndroid Build Coastguard Worker buf = (u8 *)afl_realloc((void **)&afl->splicecase_buf, len);
1276*08b48e0bSAndroid Build Coastguard Worker
1277*08b48e0bSAndroid Build Coastguard Worker }
1278*08b48e0bSAndroid Build Coastguard Worker
1279*08b48e0bSAndroid Build Coastguard Worker if (unlikely(!buf)) {
1280*08b48e0bSAndroid Build Coastguard Worker
1281*08b48e0bSAndroid Build Coastguard Worker PFATAL("Unable to malloc '%s' with len %u", (char *)q->fname, len);
1282*08b48e0bSAndroid Build Coastguard Worker
1283*08b48e0bSAndroid Build Coastguard Worker }
1284*08b48e0bSAndroid Build Coastguard Worker
1285*08b48e0bSAndroid Build Coastguard Worker int fd = open((char *)q->fname, O_RDONLY);
1286*08b48e0bSAndroid Build Coastguard Worker
1287*08b48e0bSAndroid Build Coastguard Worker if (unlikely(fd < 0)) { PFATAL("Unable to open '%s'", (char *)q->fname); }
1288*08b48e0bSAndroid Build Coastguard Worker
1289*08b48e0bSAndroid Build Coastguard Worker ck_read(fd, buf, len, q->fname);
1290*08b48e0bSAndroid Build Coastguard Worker close(fd);
1291*08b48e0bSAndroid Build Coastguard Worker return buf;
1292*08b48e0bSAndroid Build Coastguard Worker
1293*08b48e0bSAndroid Build Coastguard Worker }
1294*08b48e0bSAndroid Build Coastguard Worker
1295*08b48e0bSAndroid Build Coastguard Worker /* now handle the testcase cache */
1296*08b48e0bSAndroid Build Coastguard Worker
1297*08b48e0bSAndroid Build Coastguard Worker if (unlikely(!q->testcase_buf)) {
1298*08b48e0bSAndroid Build Coastguard Worker
1299*08b48e0bSAndroid Build Coastguard Worker /* Buf not cached, let's load it */
1300*08b48e0bSAndroid Build Coastguard Worker u32 tid = afl->q_testcase_max_cache_count;
1301*08b48e0bSAndroid Build Coastguard Worker static u32 do_once = 0; // because even threaded we would want this. WIP
1302*08b48e0bSAndroid Build Coastguard Worker
1303*08b48e0bSAndroid Build Coastguard Worker while (unlikely(
1304*08b48e0bSAndroid Build Coastguard Worker afl->q_testcase_cache_size + len >= afl->q_testcase_max_cache_size ||
1305*08b48e0bSAndroid Build Coastguard Worker afl->q_testcase_cache_count >= afl->q_testcase_max_cache_entries - 1)) {
1306*08b48e0bSAndroid Build Coastguard Worker
1307*08b48e0bSAndroid Build Coastguard Worker /* We want a max number of entries to the cache that we learn.
1308*08b48e0bSAndroid Build Coastguard Worker Very simple: once the cache is filled by size - that is the max. */
1309*08b48e0bSAndroid Build Coastguard Worker
1310*08b48e0bSAndroid Build Coastguard Worker if (unlikely(afl->q_testcase_cache_size + len >=
1311*08b48e0bSAndroid Build Coastguard Worker afl->q_testcase_max_cache_size &&
1312*08b48e0bSAndroid Build Coastguard Worker (afl->q_testcase_cache_count <
1313*08b48e0bSAndroid Build Coastguard Worker afl->q_testcase_max_cache_entries &&
1314*08b48e0bSAndroid Build Coastguard Worker afl->q_testcase_max_cache_count <
1315*08b48e0bSAndroid Build Coastguard Worker afl->q_testcase_max_cache_entries) &&
1316*08b48e0bSAndroid Build Coastguard Worker !do_once)) {
1317*08b48e0bSAndroid Build Coastguard Worker
1318*08b48e0bSAndroid Build Coastguard Worker if (afl->q_testcase_max_cache_count > afl->q_testcase_cache_count) {
1319*08b48e0bSAndroid Build Coastguard Worker
1320*08b48e0bSAndroid Build Coastguard Worker afl->q_testcase_max_cache_entries =
1321*08b48e0bSAndroid Build Coastguard Worker afl->q_testcase_max_cache_count + 1;
1322*08b48e0bSAndroid Build Coastguard Worker
1323*08b48e0bSAndroid Build Coastguard Worker } else {
1324*08b48e0bSAndroid Build Coastguard Worker
1325*08b48e0bSAndroid Build Coastguard Worker afl->q_testcase_max_cache_entries = afl->q_testcase_cache_count + 1;
1326*08b48e0bSAndroid Build Coastguard Worker
1327*08b48e0bSAndroid Build Coastguard Worker }
1328*08b48e0bSAndroid Build Coastguard Worker
1329*08b48e0bSAndroid Build Coastguard Worker do_once = 1;
1330*08b48e0bSAndroid Build Coastguard Worker // release unneeded memory
1331*08b48e0bSAndroid Build Coastguard Worker afl->q_testcase_cache = (struct queue_entry **)ck_realloc(
1332*08b48e0bSAndroid Build Coastguard Worker afl->q_testcase_cache,
1333*08b48e0bSAndroid Build Coastguard Worker (afl->q_testcase_max_cache_entries + 1) * sizeof(size_t));
1334*08b48e0bSAndroid Build Coastguard Worker
1335*08b48e0bSAndroid Build Coastguard Worker }
1336*08b48e0bSAndroid Build Coastguard Worker
1337*08b48e0bSAndroid Build Coastguard Worker /* Cache full. We neet to evict one or more to map one.
1338*08b48e0bSAndroid Build Coastguard Worker Get a random one which is not in use */
1339*08b48e0bSAndroid Build Coastguard Worker
1340*08b48e0bSAndroid Build Coastguard Worker do {
1341*08b48e0bSAndroid Build Coastguard Worker
1342*08b48e0bSAndroid Build Coastguard Worker // if the cache (MB) is not enough for the queue then this gets
1343*08b48e0bSAndroid Build Coastguard Worker // undesirable because q_testcase_max_cache_count grows sometimes
1344*08b48e0bSAndroid Build Coastguard Worker // although the number of items in the cache will not change hence
1345*08b48e0bSAndroid Build Coastguard Worker // more and more loops
1346*08b48e0bSAndroid Build Coastguard Worker tid = rand_below(afl, afl->q_testcase_max_cache_count);
1347*08b48e0bSAndroid Build Coastguard Worker
1348*08b48e0bSAndroid Build Coastguard Worker } while (afl->q_testcase_cache[tid] == NULL ||
1349*08b48e0bSAndroid Build Coastguard Worker
1350*08b48e0bSAndroid Build Coastguard Worker afl->q_testcase_cache[tid] == afl->queue_cur);
1351*08b48e0bSAndroid Build Coastguard Worker
1352*08b48e0bSAndroid Build Coastguard Worker struct queue_entry *old_cached = afl->q_testcase_cache[tid];
1353*08b48e0bSAndroid Build Coastguard Worker free(old_cached->testcase_buf);
1354*08b48e0bSAndroid Build Coastguard Worker old_cached->testcase_buf = NULL;
1355*08b48e0bSAndroid Build Coastguard Worker afl->q_testcase_cache_size -= old_cached->len;
1356*08b48e0bSAndroid Build Coastguard Worker afl->q_testcase_cache[tid] = NULL;
1357*08b48e0bSAndroid Build Coastguard Worker --afl->q_testcase_cache_count;
1358*08b48e0bSAndroid Build Coastguard Worker ++afl->q_testcase_evictions;
1359*08b48e0bSAndroid Build Coastguard Worker if (tid < afl->q_testcase_smallest_free)
1360*08b48e0bSAndroid Build Coastguard Worker afl->q_testcase_smallest_free = tid;
1361*08b48e0bSAndroid Build Coastguard Worker
1362*08b48e0bSAndroid Build Coastguard Worker }
1363*08b48e0bSAndroid Build Coastguard Worker
1364*08b48e0bSAndroid Build Coastguard Worker if (unlikely(tid >= afl->q_testcase_max_cache_entries)) {
1365*08b48e0bSAndroid Build Coastguard Worker
1366*08b48e0bSAndroid Build Coastguard Worker // uh we were full, so now we have to search from start
1367*08b48e0bSAndroid Build Coastguard Worker tid = afl->q_testcase_smallest_free;
1368*08b48e0bSAndroid Build Coastguard Worker
1369*08b48e0bSAndroid Build Coastguard Worker }
1370*08b48e0bSAndroid Build Coastguard Worker
1371*08b48e0bSAndroid Build Coastguard Worker // we need this while loop in case there were ever previous evictions but
1372*08b48e0bSAndroid Build Coastguard Worker // not in this call.
1373*08b48e0bSAndroid Build Coastguard Worker while (unlikely(afl->q_testcase_cache[tid] != NULL))
1374*08b48e0bSAndroid Build Coastguard Worker ++tid;
1375*08b48e0bSAndroid Build Coastguard Worker
1376*08b48e0bSAndroid Build Coastguard Worker /* Map the test case into memory. */
1377*08b48e0bSAndroid Build Coastguard Worker
1378*08b48e0bSAndroid Build Coastguard Worker int fd = open((char *)q->fname, O_RDONLY);
1379*08b48e0bSAndroid Build Coastguard Worker
1380*08b48e0bSAndroid Build Coastguard Worker if (unlikely(fd < 0)) { PFATAL("Unable to open '%s'", (char *)q->fname); }
1381*08b48e0bSAndroid Build Coastguard Worker
1382*08b48e0bSAndroid Build Coastguard Worker q->testcase_buf = (u8 *)malloc(len);
1383*08b48e0bSAndroid Build Coastguard Worker
1384*08b48e0bSAndroid Build Coastguard Worker if (unlikely(!q->testcase_buf)) {
1385*08b48e0bSAndroid Build Coastguard Worker
1386*08b48e0bSAndroid Build Coastguard Worker PFATAL("Unable to malloc '%s' with len %u", (char *)q->fname, len);
1387*08b48e0bSAndroid Build Coastguard Worker
1388*08b48e0bSAndroid Build Coastguard Worker }
1389*08b48e0bSAndroid Build Coastguard Worker
1390*08b48e0bSAndroid Build Coastguard Worker ck_read(fd, q->testcase_buf, len, q->fname);
1391*08b48e0bSAndroid Build Coastguard Worker close(fd);
1392*08b48e0bSAndroid Build Coastguard Worker
1393*08b48e0bSAndroid Build Coastguard Worker /* Register testcase as cached */
1394*08b48e0bSAndroid Build Coastguard Worker afl->q_testcase_cache[tid] = q;
1395*08b48e0bSAndroid Build Coastguard Worker afl->q_testcase_cache_size += len;
1396*08b48e0bSAndroid Build Coastguard Worker ++afl->q_testcase_cache_count;
1397*08b48e0bSAndroid Build Coastguard Worker if (likely(tid >= afl->q_testcase_max_cache_count)) {
1398*08b48e0bSAndroid Build Coastguard Worker
1399*08b48e0bSAndroid Build Coastguard Worker afl->q_testcase_max_cache_count = tid + 1;
1400*08b48e0bSAndroid Build Coastguard Worker
1401*08b48e0bSAndroid Build Coastguard Worker } else if (unlikely(tid == afl->q_testcase_smallest_free)) {
1402*08b48e0bSAndroid Build Coastguard Worker
1403*08b48e0bSAndroid Build Coastguard Worker afl->q_testcase_smallest_free = tid + 1;
1404*08b48e0bSAndroid Build Coastguard Worker
1405*08b48e0bSAndroid Build Coastguard Worker }
1406*08b48e0bSAndroid Build Coastguard Worker
1407*08b48e0bSAndroid Build Coastguard Worker }
1408*08b48e0bSAndroid Build Coastguard Worker
1409*08b48e0bSAndroid Build Coastguard Worker return q->testcase_buf;
1410*08b48e0bSAndroid Build Coastguard Worker
1411*08b48e0bSAndroid Build Coastguard Worker }
1412*08b48e0bSAndroid Build Coastguard Worker
1413*08b48e0bSAndroid Build Coastguard Worker /* Adds the new queue entry to the cache. */
1414*08b48e0bSAndroid Build Coastguard Worker
queue_testcase_store_mem(afl_state_t * afl,struct queue_entry * q,u8 * mem)1415*08b48e0bSAndroid Build Coastguard Worker inline void queue_testcase_store_mem(afl_state_t *afl, struct queue_entry *q,
1416*08b48e0bSAndroid Build Coastguard Worker u8 *mem) {
1417*08b48e0bSAndroid Build Coastguard Worker
1418*08b48e0bSAndroid Build Coastguard Worker u32 len = q->len;
1419*08b48e0bSAndroid Build Coastguard Worker
1420*08b48e0bSAndroid Build Coastguard Worker if (unlikely(afl->q_testcase_cache_size + len >=
1421*08b48e0bSAndroid Build Coastguard Worker afl->q_testcase_max_cache_size ||
1422*08b48e0bSAndroid Build Coastguard Worker afl->q_testcase_cache_count >=
1423*08b48e0bSAndroid Build Coastguard Worker afl->q_testcase_max_cache_entries - 1)) {
1424*08b48e0bSAndroid Build Coastguard Worker
1425*08b48e0bSAndroid Build Coastguard Worker // no space? will be loaded regularly later.
1426*08b48e0bSAndroid Build Coastguard Worker return;
1427*08b48e0bSAndroid Build Coastguard Worker
1428*08b48e0bSAndroid Build Coastguard Worker }
1429*08b48e0bSAndroid Build Coastguard Worker
1430*08b48e0bSAndroid Build Coastguard Worker u32 tid;
1431*08b48e0bSAndroid Build Coastguard Worker
1432*08b48e0bSAndroid Build Coastguard Worker if (unlikely(afl->q_testcase_max_cache_count >=
1433*08b48e0bSAndroid Build Coastguard Worker afl->q_testcase_max_cache_entries)) {
1434*08b48e0bSAndroid Build Coastguard Worker
1435*08b48e0bSAndroid Build Coastguard Worker // uh we were full, so now we have to search from start
1436*08b48e0bSAndroid Build Coastguard Worker tid = afl->q_testcase_smallest_free;
1437*08b48e0bSAndroid Build Coastguard Worker
1438*08b48e0bSAndroid Build Coastguard Worker } else {
1439*08b48e0bSAndroid Build Coastguard Worker
1440*08b48e0bSAndroid Build Coastguard Worker tid = afl->q_testcase_max_cache_count;
1441*08b48e0bSAndroid Build Coastguard Worker
1442*08b48e0bSAndroid Build Coastguard Worker }
1443*08b48e0bSAndroid Build Coastguard Worker
1444*08b48e0bSAndroid Build Coastguard Worker while (unlikely(afl->q_testcase_cache[tid] != NULL))
1445*08b48e0bSAndroid Build Coastguard Worker ++tid;
1446*08b48e0bSAndroid Build Coastguard Worker
1447*08b48e0bSAndroid Build Coastguard Worker /* Map the test case into memory. */
1448*08b48e0bSAndroid Build Coastguard Worker
1449*08b48e0bSAndroid Build Coastguard Worker q->testcase_buf = (u8 *)malloc(len);
1450*08b48e0bSAndroid Build Coastguard Worker
1451*08b48e0bSAndroid Build Coastguard Worker if (unlikely(!q->testcase_buf)) {
1452*08b48e0bSAndroid Build Coastguard Worker
1453*08b48e0bSAndroid Build Coastguard Worker PFATAL("Unable to malloc '%s' with len %u", (char *)q->fname, len);
1454*08b48e0bSAndroid Build Coastguard Worker
1455*08b48e0bSAndroid Build Coastguard Worker }
1456*08b48e0bSAndroid Build Coastguard Worker
1457*08b48e0bSAndroid Build Coastguard Worker memcpy(q->testcase_buf, mem, len);
1458*08b48e0bSAndroid Build Coastguard Worker
1459*08b48e0bSAndroid Build Coastguard Worker /* Register testcase as cached */
1460*08b48e0bSAndroid Build Coastguard Worker afl->q_testcase_cache[tid] = q;
1461*08b48e0bSAndroid Build Coastguard Worker afl->q_testcase_cache_size += len;
1462*08b48e0bSAndroid Build Coastguard Worker ++afl->q_testcase_cache_count;
1463*08b48e0bSAndroid Build Coastguard Worker
1464*08b48e0bSAndroid Build Coastguard Worker if (likely(tid >= afl->q_testcase_max_cache_count)) {
1465*08b48e0bSAndroid Build Coastguard Worker
1466*08b48e0bSAndroid Build Coastguard Worker afl->q_testcase_max_cache_count = tid + 1;
1467*08b48e0bSAndroid Build Coastguard Worker
1468*08b48e0bSAndroid Build Coastguard Worker } else if (unlikely(tid == afl->q_testcase_smallest_free)) {
1469*08b48e0bSAndroid Build Coastguard Worker
1470*08b48e0bSAndroid Build Coastguard Worker afl->q_testcase_smallest_free = tid + 1;
1471*08b48e0bSAndroid Build Coastguard Worker
1472*08b48e0bSAndroid Build Coastguard Worker }
1473*08b48e0bSAndroid Build Coastguard Worker
1474*08b48e0bSAndroid Build Coastguard Worker }
1475*08b48e0bSAndroid Build Coastguard Worker
1476