Merge pull request AFLplusplus#379 from arnow117/master

vanhauser-thc · web-flow · commit cee4b4593bd8 · 2020-05-27T11:27:11.000+02:00
Fix MOpt implementation flaws
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
@@ -4250,14 +4250,29 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
           u64 temp_temp_puppet =
               afl->queued_paths + afl->unique_crashes - temp_total_found;
           afl->total_puppet_find = afl->total_puppet_find + temp_temp_puppet;
-          for (i = 0; i < operator_num; ++i) {
 
-            if (MOpt_globals.cycles_v2[i] > MOpt_globals.cycles_v3[i]) {
+          if (MOpt_globals.is_pilot_mode){
 
-              MOpt_globals.finds_v2[i] += temp_temp_puppet;
+            for (i = 0; i < operator_num; ++i) {
+
+              if (MOpt_globals.cycles_v2[i] > MOpt_globals.cycles_v3[i]) {
+
+                MOpt_globals.finds_v2[i] += temp_temp_puppet;
+
+              }
 
             }
 
+          } else {
+
+          	for (i = 0; i < operator_num; i++) {
+
+							if (afl->core_operator_cycles_puppet_v2[i] > afl->core_operator_cycles_puppet_v3[i])
+
+								afl->core_operator_finds_puppet_v2[i] += temp_temp_puppet;
+
+				    }
+
           }
 
         }                                                             /* if */
@@ -4437,7 +4452,6 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
 
         afl->total_pacemaker_time += *MOpt_globals.pTime;
         *MOpt_globals.pTime = 0;
-        afl->temp_puppet_find = afl->total_puppet_find;
         new_hit_cnt = afl->queued_paths + afl->unique_crashes;
 
         if (MOpt_globals.is_pilot_mode) {
@@ -4448,6 +4462,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
 
         }
 
+        afl->temp_puppet_find = afl->total_puppet_find;
         u64 temp_stage_finds_puppet = 0;
         for (i = 0; i < operator_num; ++i) {
 
@@ -4530,6 +4545,15 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
 
         } else {
 
+					for (i = 0; i < operator_num; i++)
+					{
+
+						afl->core_operator_finds_puppet[i] = afl->core_operator_finds_puppet_v2[i];
+						afl->core_operator_cycles_puppet[i] = afl->core_operator_cycles_puppet_v2[i];
+						temp_stage_finds_puppet += afl->core_operator_finds_puppet[i];
+            
+					}
+
           afl->key_module = 2;
 
           afl->old_hit_count = new_hit_cnt;
