allow -L -1 to enable mopt in parallel to classic mutation

Author: vanhauser-thc

docs/Changelog.md

@@ -17,6 +17,8 @@ sending a mail to <[email protected]>.
   - afl-fuzz:
     - variable map size support added (only LTO mode can use this)
     - snapshot feature usage now visible in UI
+    - Now setting "-L -1" will enable MOpt in parallel to normal mutation.
+      Additionally this allows to run dictionaries, radamsa and cmplog.
   - compare-transform/AFL_LLVM_LAF_TRANSFORM_COMPARES now transforms also
     static global and local variable comparisons (cannot find all though)
   - extended forkserver: map_size and more information is communicated to

docs/README.MOpt.md

@@ -36,6 +36,9 @@ enter the pacemaker fuzzing mode.
 Setting 0 will enter the pacemaker fuzzing mode at first, which is
 recommended in a short time-scale evaluation. 
 
+Setting -1 will enable both pacemaker mode and normal aflmutation fuzzing in
+parallel.
+
 Other important parameters can be found in afl-fuzz.c, for instance, 
 
 'swarm_num': the number of the PSO swarms used in the fuzzing process.

include/afl-fuzz.h

@@ -354,14 +354,14 @@ typedef struct afl_state {
   /* MOpt:
     Lots of globals, but mostly for the status UI and other things where it
     really makes no sense to haul them around as function parameters. */
-  u64 limit_time_puppet, orig_hit_cnt_puppet, last_limit_time_start,
-      tmp_pilot_time, total_pacemaker_time, total_puppet_find, temp_puppet_find,
-      most_time_key, most_time, most_execs_key, most_execs, old_hit_count,
-      force_ui_update;
+  u64 orig_hit_cnt_puppet, last_limit_time_start, tmp_pilot_time,
+      total_pacemaker_time, total_puppet_find, temp_puppet_find, most_time_key,
+      most_time, most_execs_key, most_execs, old_hit_count, force_ui_update;
 
   MOpt_globals_t mopt_globals_core, mopt_globals_pilot;
 
-  s32 SPLICE_CYCLES_puppet, limit_time_sig, key_puppet, key_module;
+  s32 limit_time_puppet, SPLICE_CYCLES_puppet, limit_time_sig, key_puppet,
+      key_module;
 
   double w_init, w_end, w_now;
 

src/afl-forkserver.c

@@ -365,9 +365,9 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
       kill(fsrv->fsrv_pid, SIGKILL);
 
     } else {
-    
+
       rlen = 4;
-    
+
     }
 
   } else {
@@ -631,9 +631,9 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
 
 static void afl_fsrv_kill(afl_forkserver_t *fsrv) {
 
-    if (fsrv->child_pid > 0) kill(fsrv->child_pid, SIGKILL);
-    if (fsrv->fsrv_pid > 0) kill(fsrv->fsrv_pid, SIGKILL);
-    if (waitpid(fsrv->fsrv_pid, NULL, 0) <= 0) { WARNF("error waitpid\n"); }
+  if (fsrv->child_pid > 0) kill(fsrv->child_pid, SIGKILL);
+  if (fsrv->fsrv_pid > 0) kill(fsrv->fsrv_pid, SIGKILL);
+  if (waitpid(fsrv->fsrv_pid, NULL, 0) <= 0) { WARNF("error waitpid\n"); }
 
 }
 

src/afl-fuzz-one.c

@@ -4377,7 +4377,7 @@ void pso_updating(afl_state_t *afl) {
 
 u8 fuzz_one(afl_state_t *afl) {
 
-  int key_val_lv = 0;
+  int key_val_lv_1 = 0, key_val_lv_2 = 0;
 
 #ifdef _AFL_DOCUMENT_MUTATIONS
 
@@ -4397,22 +4397,22 @@ u8 fuzz_one(afl_state_t *afl) {
 
 #endif
 
-  if (afl->limit_time_sig == 0) {
+  // if limit_time_sig == -1 then both are run after each other
 
-    key_val_lv = fuzz_one_original(afl);
+  if (afl->limit_time_sig <= 0) { key_val_lv_1 = fuzz_one_original(afl); }
 
-  } else {
+  if (afl->limit_time_sig != 0) {
 
     if (afl->key_module == 0)
-      key_val_lv = pilot_fuzzing(afl);
+      key_val_lv_2 = pilot_fuzzing(afl);
     else if (afl->key_module == 1)
-      key_val_lv = core_fuzzing(afl);
+      key_val_lv_2 = core_fuzzing(afl);
     else if (afl->key_module == 2)
       pso_updating(afl);
 
   }
 
-  return key_val_lv;
+  return (key_val_lv_1 | key_val_lv_2);
 
 #undef BUF_PARAMS
 

src/afl-fuzz-run.c

@@ -49,7 +49,7 @@ u8 run_target(afl_state_t *afl, afl_forkserver_t *fsrv, u32 timeout) {
   memset(fsrv->trace_bits, 0, fsrv->map_size);
 
   MEM_BARRIER();
-  
+
   /* we have the fork server (or faux server) up and running, so simply
       tell it to have at it, and then read back PID. */
 

src/afl-fuzz.c

@@ -109,12 +109,12 @@ static void usage(afl_state_t *afl, u8 *argv0, int more_help) {
       "Mutator settings:\n"
       "  -R[R]         - add Radamsa as mutator, add another -R to exclusivly "
       "run it\n"
-      "  -L minutes    - use MOpt(imize) mode and set the limit time for "
+      "  -L minutes    - use MOpt(imize) mode and set the time limit for "
       "entering the\n"
-      "                  pacemaker mode (minutes of no new paths, 0 = "
-      "immediately).\n"
-      "                  a recommended value is 10-60. see "
-      "docs/README.MOpt.md\n"
+      "                  pacemaker mode (minutes of no new paths). 0 = "
+      "immediately,\n"
+      "                  -1 = immediately and together with normal mutation).\n"
+      "                  See docs/README.MOpt.md\n"
       "  -c program    - enable CmpLog by specifying a binary compiled for "
       "it.\n"
       "                  if using QEMU, just use -c 0.\n\n"
@@ -553,20 +553,33 @@ int main(int argc, char **argv_orig, char **envp) {
       case 'L': {                                              /* MOpt mode */
 
         if (afl->limit_time_sig) FATAL("Multiple -L options not supported");
-        afl->limit_time_sig = 1;
         afl->havoc_max_mult = HAVOC_MAX_MULT_MOPT;
 
-        if (sscanf(optarg, "%llu", &afl->limit_time_puppet) < 1 ||
-            optarg[0] == '-')
+        if (sscanf(optarg, "%d", &afl->limit_time_puppet) < 1)
           FATAL("Bad syntax used for -L");
 
+        if (afl->limit_time_puppet == -1) {
+
+          afl->limit_time_sig = -1;
+          afl->limit_time_puppet = 0;
+
+        } else if (afl->limit_time_puppet < 0) {
+
+          FATAL("-L value must be between 0 and 2000000 or -1");
+
+        } else {
+
+          afl->limit_time_sig = 1;
+
+        }
+
         u64 limit_time_puppet2 = afl->limit_time_puppet * 60 * 1000;
 
         if (limit_time_puppet2 < afl->limit_time_puppet)
           FATAL("limit_time overflow");
         afl->limit_time_puppet = limit_time_puppet2;
 
-        SAYF("limit_time_puppet %llu\n", afl->limit_time_puppet);
+        SAYF("limit_time_puppet %d\n", afl->limit_time_puppet);
         afl->swarm_now = 0;
 
         if (afl->limit_time_puppet == 0) afl->key_puppet = 1;
@@ -701,11 +714,14 @@ int main(int argc, char **argv_orig, char **envp) {
 
   if (afl->use_radamsa) {
 
-    if (afl->limit_time_sig)
+    if (afl->limit_time_sig > 0)
       FATAL(
-          "MOpt and Radamsa are mutually exclusive. We accept pull requests "
-          "that integrates MOpt with the optional mutators "
-          "(custom/radamsa/redquenn/...).");
+          "MOpt and Radamsa are mutually exclusive unless you specify -L -1. "
+          "We accept pull requests that integrates MOpt with the optional "
+          "mutators (custom/radamsa/redqueen/...).");
+
+    if (afl->limit_time_sig && afl->use_radamsa > 1)
+      FATAL("Radamsa in radamsa-only mode can not run together with -L");
 
     OKF("Using Radamsa add-on");
 
@@ -984,11 +1000,11 @@ int main(int argc, char **argv_orig, char **envp) {
 
   if (afl->cmplog_binary) {
 
-    if (afl->limit_time_sig)
+    if (afl->limit_time_sig > 0)
       FATAL(
-          "MOpt and CmpLog are mutually exclusive. We accept pull requests "
-          "that integrates MOpt with the optional mutators "
-          "(custom/radamsa/redquenn/...).");
+          "MOpt and CmpLog are mutually exclusive unless you specify -L -1. We "
+          "accept pull requests that integrates MOpt with the optional "
+          "mutators (custom/radamsa/redqueen/...).");
 
     if (afl->unicorn_mode)
       FATAL("CmpLog and Unicorn mode are not compatible at the moment, sorry");