Skip to content
This repository has been archived by the owner on Mar 22, 2024. It is now read-only.

provide option for deterministic dictionary mutation in non-deterministic mode (-d or -S) #91

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 13 additions & 2 deletions afl-fuzz.c
Original file line number Diff line number Diff line change
Expand Up @@ -133,6 +133,7 @@ EXP_ST u8 skip_deterministic, /* Skip deterministic stages? */
run_over10m, /* Run time over 10 minutes? */
persistent_mode, /* Running in persistent mode? */
deferred_mode, /* Deferred forkserver mode? */
use_dictionary, /* Use dictionary? */
fast_cal; /* Try to calibrate faster? */

static s32 out_fd, /* Persistent fd for out_file */
Expand Down Expand Up @@ -5117,7 +5118,7 @@ static u8 fuzz_one(char** argv) {
this entry ourselves (was_fuzzed), or if it has gone through deterministic
testing in earlier, resumed runs (passed_det). */

if (skip_deterministic || queue_cur->was_fuzzed || queue_cur->passed_det)
if ((skip_deterministic && !use_dictionary) || queue_cur->was_fuzzed || queue_cur->passed_det)
goto havoc_stage;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

would it be simpler to leave this condition, and goto dict_stage here, and at

dict_stage:
  if (!use_dictionary) goto havoc_stage;

?


/* Skip deterministic fuzzing if exec path checksum puts this out of scope
Expand All @@ -5128,6 +5129,10 @@ static u8 fuzz_one(char** argv) {

doing_det = 1;

/* We skip deterministic steps but still perform the dictionary part */
if (skip_deterministic && use_dictionary)
goto dict_stage;

/*********************************************
* SIMPLE BITFLIP (+dictionary construction) *
*********************************************/
Expand Down Expand Up @@ -5915,6 +5920,10 @@ static u8 fuzz_one(char** argv) {
* DICTIONARY STUFF *
********************/

dict_stage:

new_hit_cnt = queued_paths + unique_crashes;

if (!extras_cnt) goto skip_user_extras;

/* Overwrite with user-supplied extras. */
Expand Down Expand Up @@ -5949,7 +5958,8 @@ static u8 fuzz_one(char** argv) {
if ((extras_cnt > MAX_DET_EXTRAS && UR(extras_cnt) >= MAX_DET_EXTRAS) ||
extras[j].len > len - i ||
!memcmp(extras[j].data, out_buf + i, extras[j].len) ||
!memchr(eff_map + EFF_APOS(i), 1, EFF_SPAN_ALEN(i, extras[j].len))) {
/* WARNING: eff_map is not allocated if skip_deterministic and use_dictionary are set */
(eff_map && !memchr(eff_map + EFF_APOS(i), 1, EFF_SPAN_ALEN(i, extras[j].len)))) {

stage_max--;
continue;
Expand Down Expand Up @@ -7822,6 +7832,7 @@ int main(int argc, char** argv) {

if (extras_dir) FATAL("Multiple -x options not supported");
extras_dir = optarg;
use_dictionary = 1;
break;

case 't': { /* timeout */
Expand Down