commit 6cc8d607fb24e060591ece4b42d83fc06de68fc6
author vanhauser-thc <vh@thc.org> Thu Apr 13 11:44:39 2023 +0200
committer vanhauser-thc <vh@thc.org> Thu Apr 13 11:44:39 2023 +0200
tree 247daa2e572544c999305c59f5fd25eca7a3944f
parent 824385f52ce3133ecd033e587aa1a3b324adf76c

remove -z option, use -p mmopt instead

GNUmakefile

diff --git a/GNUmakefile b/GNUmakefile
index 208e965..85f164f 100644
--- a/GNUmakefile
+++ b/GNUmakefile
@@ -546,7 +546,7 @@
 test_build: afl-cc afl-gcc afl-as afl-showmap
 	@echo "[*] Testing the CC wrapper afl-cc and its instrumentation output..."
 	@unset AFL_MAP_SIZE AFL_USE_UBSAN AFL_USE_CFISAN AFL_USE_LSAN AFL_USE_ASAN AFL_USE_MSAN; ASAN_OPTIONS=detect_leaks=0 AFL_INST_RATIO=100 AFL_PATH=. ./afl-cc test-instr.c $(LDFLAGS) -o test-instr 2>&1 || (echo "Oops, afl-cc failed"; exit 1 )
-	- ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -o .test-instr0 ./test-instr < /dev/null
+	-ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -q -m none -o .test-instr0 ./test-instr < /dev/null
 	-echo 1 | ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr1 ./test-instr
 	@rm -f test-instr
 	@cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation of afl-cc does not seem to be behaving correctly!"; echo; echo "Please post to https://github.com/AFLplusplus/AFLplusplus/issues to troubleshoot the issue."; echo; exit 1; fi

docs/Changelog.md

diff --git a/docs/Changelog.md b/docs/Changelog.md
index 736deb3..501300b 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -12,7 +12,7 @@
     - fixed a crash in pizza (1st april easter egg) mode. Sorry for
       everyone who was affected!
     - allow pizza mode to be disabled when AFL_PIZZA_MODE is set to -1
-    - add -z switch to prefer new coverage findings in seed selection
+    - option `-p mmopt` now also selects new queue items more often
     - print name of custom mutator in UI
   - afl-cc:
     - add CFI sanitizer variant to gcc targets

include/afl-fuzz.h

diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index 7ff3315..5fd393d 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -501,8 +501,7 @@
       custom_splice_optout,             /* Custom mutator no splice buffer  */
       is_main_node,                     /* if this is the main node         */
       is_secondary_node,                /* if this is a secondary instance  */
-      pizza_is_served,                  /* pizza mode                       */
-      prefer_new;                       /* prefer new queue entries         */
+      pizza_is_served;                  /* pizza mode                       */
 
   u32 stats_update_freq;                /* Stats update frequency (execs)   */
 

instrumentation/SanitizerCoverageLTO.so.cc

diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc
index 5603c45..e41f19b 100644
--- a/instrumentation/SanitizerCoverageLTO.so.cc
+++ b/instrumentation/SanitizerCoverageLTO.so.cc
@@ -18,7 +18,7 @@
 #include "llvm/ADT/ArrayRef.h"
 #include "llvm/ADT/SmallVector.h"
 #if LLVM_VERSION_MAJOR < 17
-#include "llvm/ADT/Triple.h"
+  #include "llvm/ADT/Triple.h"
 #endif
 #include "llvm/Analysis/EHPersonalities.h"
 #include "llvm/Analysis/PostDominators.h"

instrumentation/SanitizerCoveragePCGUARD.so.cc

diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc
index 5f23698..85b1ddd 100644
--- a/instrumentation/SanitizerCoveragePCGUARD.so.cc
+++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc
@@ -14,7 +14,7 @@
 #include "llvm/ADT/ArrayRef.h"
 #include "llvm/ADT/SmallVector.h"
 #if LLVM_VERSION_MAJOR < 17
-#include "llvm/ADT/Triple.h"
+  #include "llvm/ADT/Triple.h"
 #endif
 #include "llvm/Analysis/EHPersonalities.h"
 #include "llvm/Analysis/PostDominators.h"

src/afl-fuzz-queue.c

diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c
index 6fc3c74..8ad7cd9 100644
--- a/src/afl-fuzz-queue.c
+++ b/src/afl-fuzz-queue.c
@@ -149,21 +149,15 @@
 
     }
 
-    if (unlikely(afl->prefer_new) && afl->queued_discovered) {
+    if (unlikely(afl->schedule == MMOPT) && afl->queued_discovered) {
 
-      double avg_weight = sum / active;
+      u32 cnt = afl->queued_discovered >= 5 ? 5 : afl->queued_discovered;
 
-      for (i = n - afl->queued_discovered; i < n; i++) {
+      for (i = n - cnt; i < n; i++) {
 
         struct queue_entry *q = afl->queue_buf[i];
 
-        if (likely(!q->disabled) && q->weight > avg_weight) {
-
-          double prev_weight = q->weight;
-          q->weight *= (2.0 * (i / n));
-          sum += (q->weight - prev_weight);
-
-        }
+        if (likely(!q->disabled)) { q->weight *= 2.0; }
 
       }
 

src/afl-fuzz.c

diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index a0c322d..5ba54d0 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -132,7 +132,6 @@
       "                  fast(default), explore, exploit, seek, rare, mmopt, "
       "coe, lin\n"
       "                  quad -- see docs/FAQ.md for more information\n"
-      "  -z            - prefer new coverage findings when fuzzing\n"
       "  -f file       - location read by the fuzzed program (default: stdin "
       "or @@)\n"
       "  -t msec       - timeout for each run (auto-scaled, default %u ms). "
@@ -556,7 +555,7 @@
   while (
       (opt = getopt(
            argc, argv,
-           "+Ab:B:c:CdDe:E:hi:I:f:F:g:G:l:L:m:M:nNOo:p:RQs:S:t:T:UV:WXx:YzZ")) >
+           "+Ab:B:c:CdDe:E:hi:I:f:F:g:G:l:L:m:M:nNOo:p:RQs:S:t:T:UV:WXx:YZ")) >
       0) {
 
     switch (opt) {
@@ -569,10 +568,6 @@
         afl->max_length = atoi(optarg);
         break;
 
-      case 'z':
-        afl->prefer_new = 1;
-        break;
-
       case 'Z':
         afl->old_seed_selection = 1;
         break;