1.71b

legend-issue · Apr 20, 2015 · 15a0385 · 15a0385
1 parent 67822ca
commit 15a0385
Show file tree

Hide file tree

Showing 8 changed files with 46 additions and 19 deletions.
diff --git a/Makefile b/Makefile
@@ -14,7 +14,7 @@
 #
 
 PROGNAME    = afl
-VERSION     = 1.70b
+VERSION     = 1.71b
 
 PREFIX     ?= /usr/local
 BIN_PATH    = $(PREFIX)/bin

diff --git a/afl-fuzz.c b/afl-fuzz.c
@@ -3013,6 +3013,9 @@ static void write_stats_file(double bitmap_cvg, double eps) {
              "bitmap_cvg     : %0.02f%%\n"
              "unique_crashes : %llu\n"
              "unique_hangs   : %llu\n"
+             "last_path      : %llu\n"
+             "last_crash     : %llu\n"
+             "last_hang      : %llu\n"
              "exec_timeout   : %u\n"
              "afl_banner     : %s\n"
              "afl_version    : " VERSION "\n"
@@ -3022,7 +3025,9 @@ static void write_stats_file(double bitmap_cvg, double eps) {
              queued_paths, queued_discovered, queued_imported, max_depth,
              current_entry, pending_favored, pending_not_fuzzed,
              queued_variable, bitmap_cvg, unique_crashes, unique_hangs,
-             exec_tmout, use_banner, orig_cmdline); /* ignore errors */
+             last_path_time / 1000, last_crash_time / 1000,
+             last_hang_time / 1000, exec_tmout, use_banner, orig_cmdline);
+             /* ignore errors */
 
   fclose(f);
 
@@ -6844,9 +6849,9 @@ static char** get_qemu_argv(u8* own_loc, char** argv, int argc) {
 
   } else ck_free(own_copy);
 
-  if (!access(AFL_PATH "/afl-qemu-trace", X_OK)) {
+  if (!access(BIN_PATH "/afl-qemu-trace", X_OK)) {
 
-    target_path = new_argv[0] = ck_strdup(AFL_PATH "/afl-qemu-trace");
+    target_path = new_argv[0] = ck_strdup(BIN_PATH "/afl-qemu-trace");
     return new_argv;
 
   }

diff --git a/afl-showmap.c b/afl-showmap.c
@@ -521,7 +521,6 @@ static char** get_qemu_argv(u8* own_loc, char** argv, int argc) {
 
   tmp = getenv("AFL_PATH");
 
-
   if (tmp) {
 
     cp = alloc_printf("%s/afl-qemu-trace", tmp);
@@ -553,9 +552,9 @@ static char** get_qemu_argv(u8* own_loc, char** argv, int argc) {
 
   } else ck_free(own_copy);
 
-  if (!access(AFL_PATH "/afl-qemu-trace", X_OK)) {
+  if (!access(BIN_PATH "/afl-qemu-trace", X_OK)) {
 
-    target_path = new_argv[0] = AFL_PATH "/afl-qemu-trace";
+    target_path = new_argv[0] = BIN_PATH "/afl-qemu-trace";
     return new_argv;
 
   }

diff --git a/afl-tmin.c b/afl-tmin.c
@@ -877,9 +877,9 @@ static char** get_qemu_argv(u8* own_loc, char** argv, int argc) {
 
   } else ck_free(own_copy);
 
-  if (!access(AFL_PATH "/afl-qemu-trace", X_OK)) {
+  if (!access(BIN_PATH "/afl-qemu-trace", X_OK)) {
 
-    target_path = new_argv[0] = AFL_PATH "/afl-qemu-trace";
+    target_path = new_argv[0] = BIN_PATH "/afl-qemu-trace";
     return new_argv;
 
   }

diff --git a/docs/ChangeLog b/docs/ChangeLog
@@ -16,6 +16,18 @@ Not sure if you should upgrade? The lowest currently recommended version
 is 1.48b. If you're stuck on an earlier release, it's strongly advisable
 to get on with the times.
 
+--------------
+Version 1.71b:
+--------------
+
+  - Fixed a bug with installed copies of AFL trying to use QEMU mode. Spotted
+    by G.M. Lime.
+
+  - Added last path / crash / hang times to fuzzer_stats, suggested by
+    Richard Hipp.
+
+  - Fixed a typo, thanks to Jakub Wilk.
+
 --------------
 Version 1.70b:
 --------------

diff --git a/docs/README b/docs/README
@@ -370,10 +370,9 @@ Here are some of the most important caveats for AFL:
 
   - AFL detects faults by checking for the first spawned process dying due to
     a signal (SIGSEGV, SIGABRT, etc). Programs that install custom handlers for
-    these signals may need to have the relevant code commented out.
-
-    In the same vein, faults in child processed spawned by the fuzzed target
-    may evade detection unless explicitly checked for.
+    these signals may need to have the relevant code commented out. In the same
+    vein, faults in child processed spawned by the fuzzed target may evade
+    detection unless you manually add some code to catch that.
 
   - As with any other brute-force tool, the fuzzer offers limited coverage if
     encryption, checksums, cryptographic signatures, or compression are used to
@@ -388,7 +387,7 @@ Here are some of the most important caveats for AFL:
     isn't due to any specific fault of afl-fuzz; see notes_for_asan.txt for
     tips.
 
-  - There is no direct support for; fuzzing network services, background
+  - There is no direct support for fuzzing network services, background
     daemons, or interactive apps that require UI interaction to work. You may
     need to make simple code changes to make them behave in a more traditional
     way.

diff --git a/docs/env_variables.txt b/docs/env_variables.txt
@@ -116,6 +116,8 @@ checks or alter some of the more exotic semantics of the tool:
     be initialized manually (see llvm_mode/README.llvm). This setting has no
     effect for programs not compiled with afl-clang-fast.
 
+  - In QEMU mode (-Q), AFL_PATH will be searched for afl-qemu-trace.
+
 3) Settings for afl-qemu-trace
 ------------------------------
 
@@ -152,13 +154,21 @@ will have a more striking effect. For this tool, 0 is not a valid choice.
 
 The corpus minimization script offers very little customization:
 
-  - Setting AFL_PATH offers a way to specify the location of afl-showmap.
+  - Setting AFL_PATH offers a way to specify the location of afl-showmap
+    and afl-qemu-trace (the latter only in -Q mode).
 
   - AFL_KEEP_TRACES makes the tool keep traces and other metadata used for
     minimization and normally deleted at exit. The files can be found in the
     <out_dir>/.traces/*.
 
-6) Third-party variables set by afl-fuzz & other tools
+6) Settings for afl-tmin
+------------------------
+
+Virtually nothing to play with:
+
+  - In QEMU mode (-Q), AFL_PATH will be searched for afl-qemu-trace.
+
+7) Third-party variables set by afl-fuzz & other tools
 ------------------------------------------------------
 
 Several variables are not directly interpreted by afl-fuzz, but are set to

diff --git a/docs/technical_details.txt b/docs/technical_details.txt
@@ -116,7 +116,7 @@ already-seen execution counts for each tuple.
 
 Changes within the range of a single bucket are ignored; transition from one
 bucket to another is flagged as an interesting change in program control flow,
-and are routed to the evolutionary process outlined in the section below.
+and is routed to the evolutionary process outlined in the section below.
 
 The hit count behavior provides a way to distinguish between potentially
 interesting control flow changes, such as a block of code being executed
@@ -182,7 +182,7 @@ input queue with afl-fuzz:
 The first entry for blind fuzzing ("S") corresponds to executing just a single
 round of testing; the second set of figures ("L") shows the fuzzer running in a
 loop for a number of execution cycles comparable with that of the instrumented
-runs, which required more time to fully process the queue.
+runs, which required more time to fully process the growing queue.
 
 Roughly similar results have been obtained in a separate experiment where the
 fuzzer was modified to compile out all the random fuzzing stages and leave just
@@ -412,7 +412,9 @@ simply stops at the first instrumented function to await commands from
 afl-fuzz.
 
 With fast targets, the fork server can offer considerable performance gains,
-usually between 1.5x and 2x.
+usually between 1.5x and 2x. It is also possible to use the fork server in
+manual mode, skipping over larger, user-selected chunks of initialization
+code. With some targets, this can produce 10x+ performance gain.
 
 11) Parallelization
 -------------------