Hello community,
here is the log from the commit of package afl for openSUSE:Factory checked in at 2016-03-31 13:03:13
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/afl (Old)
and /work/SRC/openSUSE:Factory/.afl.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "afl"
Changes:
--------
--- /work/SRC/openSUSE:Factory/afl/afl.changes 2016-03-01 10:20:59.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.afl.new/afl.changes 2016-03-31 13:03:14.000000000 +0200
@@ -1,0 +2,30 @@
+Mon Mar 28 19:11:03 UTC 2016 - mpluskal@suse.com
+
+- Update to 2.09b
+ * Made several documentation updates.
+ * Added some visual indicators to promote and simplify the use
+ of -Z.
+- Changes for 2.08b
+ * Added explicit support for -m32 and -m64 for llvm_mode.
+ Inspired by a request from Christian Holler.
+ * Added a new benchmarking option, as requested by Kostya
+ Serebryany.
+- Changes for 2.07b
+ * Added CPU affinity option (-Z) on Linux. With some caution,
+ this can offer a significant (10%+) performance bump and
+ reduce jitter. Proposed by Austin Seipp.
+ * Updated afl-gotcpu to use CPU affinity where supported.
+ * Fixed confusing CPU_TARGET error messages with QEMU build.
+ Spotted by Daniel Komaromy and others.
+- Changes for 2.06b
+ * Worked around LLVM persistent mode hiccups with -shared code.
+ Contributed by Christian Holler.
+ * Added __AFL_COMPILER as a convenient way to detect that
+ something is built under afl-gcc / afl-clang / afl-clang-fast
+ and enable custom optimizations in your code. Suggested by
+ Pedro Corte-Real.
+ * Upstreamed several minor changes developed by Franjo Ivancic to
+ allow AFL to be built as a library. This is fairly use-specific
+ and may have relatively little appeal to general audiences.
+
+-------------------------------------------------------------------
Old:
----
afl-2.05b.tgz
New:
----
afl-2.09b.tgz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ afl.spec ++++++
--- /var/tmp/diff_new_pack.SVZiNL/_old 2016-03-31 13:03:15.000000000 +0200
+++ /var/tmp/diff_new_pack.SVZiNL/_new 2016-03-31 13:03:15.000000000 +0200
@@ -17,7 +17,7 @@
Name: afl
-Version: 2.05b
+Version: 2.09b
Release: 0
Summary: American fuzzy lop is a security-oriented fuzzer
License: Apache-2.0
@@ -41,10 +41,10 @@
%build
export CFLAGS="$CFLAGS %{optflags}"
-make PREFIX=%{_prefix} LIBEXEC_DIR=%{_libexecdir} DOC_DIR=%{_docdir} %{?_smp_mflags}
+make %{?_smp_mflags} PREFIX=%{_prefix} LIBEXEC_DIR=%{_libexecdir} DOC_DIR=%{_docdir}
%install
-make PREFIX=%{_prefix} LIBEXEC_DIR=%{_libexecdir} DOC_DIR=%{_docdir} DESTDIR=%{buildroot} install %{?_smp_mflags}
+make %{?_smp_mflags} PREFIX=%{_prefix} LIBEXEC_DIR=%{_libexecdir} DOC_DIR=%{_docdir} DESTDIR=%{buildroot} install
%files
%defattr(-,root,root)
++++++ afl-2.05b.tgz -> afl-2.09b.tgz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.05b/Makefile new/afl-2.09b/Makefile
--- old/afl-2.05b/Makefile 2016-02-24 23:45:50.000000000 +0100
+++ new/afl-2.09b/Makefile 2016-03-26 23:08:53.000000000 +0100
@@ -14,7 +14,7 @@
#
PROGNAME = afl
-VERSION = 2.05b
+VERSION = 2.09b
PREFIX ?= /usr/local
BIN_PATH = $(PREFIX)/bin
@@ -103,6 +103,7 @@
endif
all_done: test_build
+ @if [ ! "`which clang 2>/dev/null`" = "" ]; then echo "[+] LLVM users: see llvm_mode/README.llvm for a faster alternative to afl-gcc."; fi
@echo "[+] All done! Be sure to review README - it's pretty short and useful."
@if [ "`uname`" = "Darwin" ]; then printf "\nWARNING: Fuzzing on MacOS X is slow because of the unusually high overhead of\nfork() on this OS. Consider using Linux or *BSD. You can also use VirtualBox\n(virtualbox.org) to put AFL inside a Linux or *BSD VM.\n\n"; fi
@! tty <&1 >/dev/null || printf "\033[0;30mNOTE: If you can read this, your terminal probably uses white background.\nThis will make the UI hard to read. See docs/status_screen.txt for advice.\033[0m\n" 2>/dev/null
@@ -121,6 +122,8 @@
rm -f $${DESTDIR}$(BIN_PATH)/afl-as
if [ -f afl-qemu-trace ]; then install -m 755 afl-qemu-trace $${DESTDIR}$(BIN_PATH); fi
if [ -f afl-clang-fast -a -f afl-llvm-pass.so -a -f afl-llvm-rt.o ]; then set -e; install -m 755 afl-clang-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang-fast++; install -m 755 afl-llvm-pass.so afl-llvm-rt.o $${DESTDIR}$(HELPER_PATH); fi
+ if [ -f afl-llvm-rt-32.o ]; then set -e; install -m 755 afl-llvm-rt-32.o $${DESTDIR}$(HELPER_PATH); fi
+ if [ -f afl-llvm-rt-64.o ]; then set -e; install -m 755 afl-llvm-rt-64.o $${DESTDIR}$(HELPER_PATH); fi
set -e; for i in afl-g++ afl-clang afl-clang++; do ln -sf afl-gcc $${DESTDIR}$(BIN_PATH)/$$i; done
install -m 755 afl-as $${DESTDIR}$(HELPER_PATH)
ln -sf afl-as $${DESTDIR}$(HELPER_PATH)/as
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.05b/afl-fuzz.c new/afl-2.09b/afl-fuzz.c
--- old/afl-2.05b/afl-fuzz.c 2016-02-21 06:41:16.000000000 +0100
+++ new/afl-2.09b/afl-fuzz.c 2016-03-26 23:07:40.000000000 +0100
@@ -44,6 +44,7 @@
#include
#include
#include
+#include
#include
#include
@@ -59,11 +60,26 @@
# include
#endif /* __APPLE__ || __FreeBSD__ || __OpenBSD__ */
+/* For supporting -Z on systems that have sched_setaffinity. */
+
+#ifdef __linux__
+# define HAVE_AFFINITY 1
+#endif /* __linux__ */
+
+/* A toggle to export some variables when building as a library. Not very
+ useful for the general public. */
+
+#ifdef AFL_LIB
+# define EXP_ST
+#else
+# define EXP_ST static
+#endif /* ^AFL_LIB */
/* Lots of globals, but mostly for the status UI and other things where it
really makes no sense to haul them around as function parameters. */
-static u8 *in_dir, /* Input directory with test cases */
+
+EXP_ST u8 *in_dir, /* Input directory with test cases */
*out_file, /* File to fuzz, if any */
*out_dir, /* Working & output directory */
*sync_dir, /* Synchronization directory */
@@ -74,12 +90,12 @@
*target_path, /* Path to target binary */
*orig_cmdline; /* Original command line */
-static u32 exec_tmout = EXEC_TIMEOUT; /* Configurable exec timeout (ms) */
-static u64 mem_limit = MEM_LIMIT; /* Memory cap for child (MB) */
+EXP_ST u32 exec_tmout = EXEC_TIMEOUT; /* Configurable exec timeout (ms) */
+EXP_ST u64 mem_limit = MEM_LIMIT; /* Memory cap for child (MB) */
static u32 stats_update_freq = 1; /* Stats update frequency (execs) */
-static u8 skip_deterministic, /* Skip deterministic stages? */
+EXP_ST u8 skip_deterministic, /* Skip deterministic stages? */
force_deterministic, /* Force deterministic stages? */
use_splicing, /* Recombine input files? */
dumb_mode, /* Run in non-instrumented mode? */
@@ -112,9 +128,9 @@
child_pid = -1, /* PID of the fuzzed program */
out_dir_fd = -1; /* FD of the lock file */
-static u8* trace_bits; /* SHM with instrumentation bitmap */
+EXP_ST u8* trace_bits; /* SHM with instrumentation bitmap */
-static u8 virgin_bits[MAP_SIZE], /* Regions yet untouched by fuzzing */
+EXP_ST u8 virgin_bits[MAP_SIZE], /* Regions yet untouched by fuzzing */
virgin_hang[MAP_SIZE], /* Bits we haven't seen in hangs */
virgin_crash[MAP_SIZE]; /* Bits we haven't seen in crashes */
@@ -124,7 +140,7 @@
clear_screen = 1, /* Window resized? */
child_timed_out; /* Traced process timed out? */
-static u32 queued_paths, /* Total number of queued testcases */
+EXP_ST u32 queued_paths, /* Total number of queued testcases */
queued_variable, /* Testcases with variable behavior */
queued_at_start, /* Total number of initial inputs */
queued_discovered, /* Items discovered during this run */
@@ -140,7 +156,7 @@
current_entry, /* Current queue entry ID */
havoc_div = 1; /* Cycle count divisor for havoc */
-static u64 total_crashes, /* Total number of crashes */
+EXP_ST u64 total_crashes, /* Total number of crashes */
unique_crashes, /* Crashes with unique signatures */
total_hangs, /* Total number of hangs */
unique_hangs, /* Hangs with unique signatures */
@@ -186,6 +202,15 @@
static u32 cpu_core_count; /* CPU core count */
+#ifdef HAVE_AFFINITY
+
+static u8 use_affinity; /* Using -Z */
+
+static u32 cpu_aff_main, /* Affinity for main process */
+ cpu_aff_child; /* Affinity for fuzzed child */
+
+#endif /* HAVE_AFFINITY */
+
static FILE* plot_file; /* Gnuplot output file */
struct queue_entry {
@@ -315,6 +340,25 @@
}
+#ifdef HAVE_AFFINITY
+
+/* Set CPU affinity (on systems that support it). */
+
+static void set_cpu_affinity(u32 cpu_id) {
+
+ cpu_set_t c;
+
+ CPU_ZERO(&c);
+ CPU_SET(cpu_id, &c);
+
+ if (sched_setaffinity(0, sizeof(c), &c))
+ PFATAL("sched_setaffinity failed");
+
+}
+
+#endif /* HAVE_AFFINITY */
+
+
/* Generate a random number (from 0 to limit - 1). This may
have slight bias. */
@@ -659,7 +703,7 @@
/* Destroy the entire queue. */
-static void destroy_queue(void) {
+EXP_ST void destroy_queue(void) {
struct queue_entry *q = queue, *n;
@@ -680,7 +724,7 @@
-B option, to focus a separate fuzzing session on a particular
interesting input without rediscovering all the others. */
-static void write_bitmap(void) {
+EXP_ST void write_bitmap(void) {
u8* fname;
s32 fd;
@@ -703,7 +747,7 @@
/* Read bitmap from file. This is for the -B option again. */
-static void read_bitmap(u8* fname) {
+EXP_ST void read_bitmap(u8* fname) {
s32 fd = open(fname, O_RDONLY);
@@ -1200,7 +1244,7 @@
/* Configure shared memory and virgin_bits. This is called at startup. */
-static void setup_shm(void) {
+EXP_ST void setup_shm(void) {
u8* shm_str;
@@ -1834,7 +1878,7 @@
cloning a stopped child. So, we just execute once, and then send commands
through a pipe. The other part of this logic is in afl-as.h. */
-static void init_forkserver(char** argv) {
+EXP_ST void init_forkserver(char** argv) {
static struct itimerval it;
int st_pipe[2], ctl_pipe[2];
@@ -1853,6 +1897,10 @@
struct rlimit r;
+#ifdef HAVE_AFFINITY
+ if (use_affinity) set_cpu_affinity(cpu_aff_child);
+#endif /* HAVE_AFFINITY */
+
/* Umpf. On OpenBSD, the default fd limit for root users is set to
soft 128. Let's try to fix that... */
@@ -2151,6 +2199,10 @@
struct rlimit r;
+#ifdef HAVE_AFFINITY
+ if (use_affinity) set_cpu_affinity(cpu_aff_child);
+#endif /* HAVE_AFFINITY */
+
if (mem_limit) {
r.rlim_max = r.rlim_cur = ((rlim_t)mem_limit) << 20;
@@ -3730,11 +3782,13 @@
}
- /* Honor AFL_EXIT_WHEN_DONE. */
+ /* Honor AFL_EXIT_WHEN_DONE and AFL_BENCH_UNTIL_CRASH. */
if (!dumb_mode && cycles_wo_finds > 20 && !pending_not_fuzzed &&
getenv("AFL_EXIT_WHEN_DONE")) stop_soon = 2;
+ if (total_crashes && getenv("AFL_BENCH_UNTIL_CRASH")) stop_soon = 2;
+
/* If we're not on TTY, bail out. */
if (not_on_tty) return;
@@ -4076,8 +4130,26 @@
if (!no_cpu_meter_red && cur_utilization >= 150) cpu_color = cLRD;
+#ifdef HAVE_AFFINITY
+
+ if (use_affinity) {
+
+ SAYF(SP10 cGRA "[cpu@%02u:%s%3u%%" cGRA "]\r" cRST,
+ MIN(cpu_aff_child, 99), cpu_color,
+ MIN(cur_utilization, 999));
+
+ } else {
+
+ SAYF(SP10 cGRA " [cpu:%s%3u%%" cGRA "]\r" cRST,
+ cpu_color, MIN(cur_utilization, 999));
+
+ }
+#else
+
SAYF(SP10 cGRA " [cpu:%s%3u%%" cGRA "]\r" cRST,
- cpu_color, cur_utilization < 999 ? cur_utilization : 999);
+ cpu_color, MIN(cur_utilization, 999));
+
+#endif /* ^HAVE_AFFINITY */
} else SAYF("\r");
@@ -4331,7 +4403,7 @@
error conditions, returning 1 if it's time to bail out. This is
a helper function for fuzz_one(). */
-static u8 common_fuzz_stuff(char** argv, u8* out_buf, u32 len) {
+EXP_ST u8 common_fuzz_stuff(char** argv, u8* out_buf, u32 len) {
u8 fault;
@@ -6504,7 +6576,7 @@
isn't a shell script - a common and painful mistake. We also check for
a valid ELF header and for evidence of AFL instrumentation. */
-static void check_binary(u8* fname) {
+EXP_ST void check_binary(u8* fname) {
u8* env_path = 0;
struct stat st;
@@ -6761,6 +6833,9 @@
" -T text - text banner to show on the screen\n"
" -M / -S id - distributed mode (see parallel_fuzzing.txt)\n"
+#ifdef HAVE_AFFINITY
+ " -Z core_id - set CPU affinity (see perf_tips.txt)\n"
+#endif /* HAVE_AFFINITY */
" -C - crash exploration mode (the peruvian rabbit thing)\n\n"
"For additional tips, please consult %s/README.\n\n",
@@ -6774,7 +6849,7 @@
/* Prepare output directories and fds. */
-static void setup_dirs_fds(void) {
+EXP_ST void setup_dirs_fds(void) {
u8* tmp;
s32 fd;
@@ -6894,7 +6969,7 @@
/* Setup the output file for fuzzed data, if not using -f. */
-static void setup_stdio_file(void) {
+EXP_ST void setup_stdio_file(void) {
u8* fn = alloc_printf("%s/.cur_input", out_dir);
@@ -7104,6 +7179,16 @@
} else WARNF("Unable to figure out the number of CPU cores.");
+#ifdef HAVE_AFFINITY
+
+ if (use_affinity)
+ OKF("Using specified CPU affinity: main = %u, child = %u",
+ cpu_aff_main, cpu_aff_child);
+ else if (cpu_core_count > 1)
+ OKF(cBRI "Try setting CPU affinity (-Z) for a performance boost!" cRST);
+
+#endif /* HAVE_AFFINITY */
+
}
@@ -7189,7 +7274,7 @@
/* Detect @@ in args. */
-static void detect_file_args(char** argv) {
+EXP_ST void detect_file_args(char** argv) {
u32 i = 0;
u8* cwd = getcwd(NULL, 0);
@@ -7238,7 +7323,7 @@
Solaris doesn't resume interrupted reads(), sets SA_RESETHAND when you call
siginterrupt(), and does other stupid things. */
-static void setup_signal_handlers(void) {
+EXP_ST void setup_signal_handlers(void) {
struct sigaction sa;
@@ -7376,6 +7461,8 @@
}
+#ifndef AFL_LIB
+
/* Main entry point */
int main(int argc, char** argv) {
@@ -7393,7 +7480,7 @@
doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH;
- while ((opt = getopt(argc, argv, "+i:o:f:m:t:T:dnCB:S:M:x:Q")) > 0)
+ while ((opt = getopt(argc, argv, "+i:o:f:m:t:T:dnCB:S:M:x:QZ:")) > 0)
switch (opt) {
@@ -7489,6 +7576,35 @@
break;
+#ifdef HAVE_AFFINITY
+
+ case 'Z': {
+
+ s32 i;
+
+ if (use_affinity) FATAL("Multiple -Z options not supported");
+ use_affinity = 1;
+
+ cpu_core_count = sysconf(_SC_NPROCESSORS_ONLN);
+
+ i = sscanf(optarg, "%u,%u", &cpu_aff_main, &cpu_aff_child);
+
+ if (i < 1 || cpu_aff_main >= cpu_core_count)
+ FATAL("Bogus primary core ID passed to -Z (expected 0-%u)",
+ cpu_core_count - 1);
+
+ if (i == 1) cpu_aff_child = cpu_aff_main;
+
+ if (cpu_aff_child >= cpu_core_count)
+ FATAL("Bogus secondary core ID passed to -Z (expected 0-%u)",
+ cpu_core_count - 1);
+
+ break;
+
+ }
+
+#endif /* HAVE_AFFINITY */
+
case 'd':
if (skip_deterministic) FATAL("Multiple -d options not supported");
@@ -7554,6 +7670,10 @@
setup_signal_handlers();
check_asan_opts();
+#ifdef HAVE_AFFINITY
+ if (use_affinity) set_cpu_affinity(cpu_aff_main);
+#endif /* HAVE_AFFINITY */
+
if (sync_id) fix_up_sync();
if (!strcmp(in_dir, out_dir))
@@ -7727,3 +7847,5 @@
exit(0);
}
+
+#endif /* !AFL_LIB */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.05b/afl-gcc.c new/afl-2.09b/afl-gcc.c
--- old/afl-2.05b/afl-gcc.c 2016-02-10 16:49:13.000000000 +0100
+++ new/afl-2.09b/afl-gcc.c 2016-03-05 01:08:50.000000000 +0100
@@ -116,7 +116,7 @@
u8 m32_set = 0;
#endif
- cc_params = ck_alloc((argc + 16) * sizeof(u8*));
+ cc_params = ck_alloc((argc + 64) * sizeof(u8*));
name = strrchr(argv[0], '/');
if (!name) name = argv[0]; else name++;
@@ -262,6 +262,7 @@
cc_params[cc_par_cnt++] = "-O3";
cc_params[cc_par_cnt++] = "-funroll-loops";
+ cc_params[cc_par_cnt++] = "-D__AFL_COMPILER=1";
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.05b/afl-gotcpu.c new/afl-2.09b/afl-gotcpu.c
--- old/afl-2.05b/afl-gotcpu.c 2016-02-10 16:46:49.000000000 +0100
+++ new/afl-2.09b/afl-gotcpu.c 2016-03-08 08:09:26.000000000 +0100
@@ -4,7 +4,7 @@
Written and maintained by Michal Zalewski
- Copyright 2015 Google Inc. All rights reserved.
+ Copyright 2015, 2016 Google Inc. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -26,10 +26,12 @@
*/
#define AFL_MAIN
+#define _GNU_SOURCE
#include
#include
#include
+#include
#include
#include
@@ -39,6 +41,10 @@
#include "types.h"
#include "debug.h"
+#ifdef __linux__
+# define HAVE_AFFINITY 1
+#endif /* __linux__ */
+
/* Get unix time in microseconds. */
@@ -68,21 +74,14 @@
}
-/* Do the benchmark thing. */
+/* Measure preemption rate. */
-int main(int argc, char** argv) {
+static u32 measure_preemption(u32 target_ms) {
static volatile u32 v1, v2;
- s32 loop_repeats = 0, util_perc;
u64 st_t, en_t, st_c, en_c, real_delta, slice_delta;
-
- SAYF(cCYA "afl-gotcpu " cBRI VERSION cRST " by \n");
-
- /* Run a busy loop for CTEST_TARGET_MS. */
-
- ACTF("Measuring preemption rate (this will take %0.02f sec)...",
- ((double)CTEST_TARGET_MS) / 1000);
+ s32 loop_repeats = 0;
st_t = get_cur_time_us();
st_c = get_cpu_usage_us();
@@ -96,7 +95,7 @@
en_t = get_cur_time_us();
- if (en_t - st_t < CTEST_TARGET_MS * 1000) {
+ if (en_t - st_t < target_ms * 1000) {
loop_repeats++;
goto repeat_loop;
}
@@ -109,10 +108,104 @@
real_delta = (en_t - st_t) / 1000;
slice_delta = (en_c - st_c) / 1000;
- OKF("Busy loop hit %u times, real = %llu ms, slice = %llu ms.",
- loop_repeats, real_delta, slice_delta);
+ return real_delta * 100 / slice_delta;
+
+}
+
+
+/* Do the benchmark thing. */
+
+int main(int argc, char** argv) {
+
+#ifdef HAVE_AFFINITY
+
+ u32 cpu_cnt = sysconf(_SC_NPROCESSORS_ONLN),
+ idle_cpus = 0, maybe_cpus = 0, i;
+
+ SAYF(cCYA "afl-gotcpu " cBRI VERSION cRST " by \n");
+
+ ACTF("Measuring per-core preemption rate (this will take %0.02f sec)...",
+ ((double)CTEST_CORE_TRG_MS) * cpu_cnt / 1000);
+
+ for (i = 0; i < cpu_cnt; i++) {
+
+ cpu_set_t c;
+ u32 util_perc;
+
+ CPU_ZERO(&c);
+ CPU_SET(i, &c);
+
+ if (sched_setaffinity(0, sizeof(c), &c))
+ PFATAL("sched_setaffinity failed");
+
+ util_perc = measure_preemption(CTEST_CORE_TRG_MS);
+
+ if (util_perc < 105) {
+
+ SAYF(" Core #%u: " cLGN "AVAILABLE\n" cRST, i);
+ maybe_cpus++;
+ idle_cpus++;
+
+ } else if (util_perc < 130) {
+
+ SAYF(" Core #%u: " cYEL "CAUTION " cRST "(%u%%)\n", i, util_perc);
+ maybe_cpus++;
+
+ } else {
- util_perc = real_delta * 100 / slice_delta;
+ SAYF(" Core #%u: " cLRD "OVERBOOKED " cRST "(%u%%)\n" cRST, i,
+ util_perc);
+
+ }
+
+ }
+
+ SAYF(cGRA "\n>>> ");
+
+ if (idle_cpus) {
+
+ if (maybe_cpus == idle_cpus) {
+
+ SAYF(cLGN "PASS: " cRST "You can run more processes on %u core%s.",
+ idle_cpus, idle_cpus > 1 ? "s" : "");
+
+ } else {
+
+ SAYF(cLGN "PASS: " cRST "You can run more processes on %u to %u core%s.",
+ idle_cpus, maybe_cpus, maybe_cpus > 1 ? "s" : "");
+
+ }
+
+ SAYF(cGRA " <<<" cRST "\n\n");
+ return 0;
+
+ }
+
+ if (maybe_cpus) {
+
+ SAYF(cYEL "CAUTION: " cRST "You may still have %u core%s available.",
+ maybe_cpus, maybe_cpus > 1 ? "s" : "");
+ SAYF(cGRA " <<<" cRST "\n\n");
+ return 1;
+
+ }
+
+ SAYF(cLRD "FAIL: " cRST "All cores are overbooked.");
+ SAYF(cGRA " <<<" cRST "\n\n");
+ return 2;
+
+#else
+
+ u32 util_perc;
+
+ SAYF(cCYA "afl-gotcpu " cBRI VERSION cRST " by \n");
+
+ /* Run a busy loop for CTEST_TARGET_MS. */
+
+ ACTF("Measuring gross preemption rate (this will take %0.02f sec)...",
+ ((double)CTEST_TARGET_MS) / 1000);
+
+ util_perc = measure_preemption(CTEST_TARGET_MS);
/* Deliver the final verdict. */
@@ -137,4 +230,6 @@
return (util_perc > 105) + (util_perc > 130);
+#endif /* ^HAVE_AFFINITY */
+
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.05b/config.h new/afl-2.09b/config.h
--- old/afl-2.05b/config.h 2016-02-20 23:24:03.000000000 +0100
+++ new/afl-2.09b/config.h 2016-03-08 05:30:34.000000000 +0100
@@ -321,6 +321,7 @@
/* Constants for afl-gotcpu to control busy loop timing: */
#define CTEST_TARGET_MS 5000
+#define CTEST_CORE_TRG_MS 1000
#define CTEST_BUSY_CYCLES (10 * 1000 * 1000)
/* Uncomment this to use inferior block-coverage-based instrumentation. Note
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.05b/docs/ChangeLog new/afl-2.09b/docs/ChangeLog
--- old/afl-2.05b/docs/ChangeLog 2016-02-24 23:07:22.000000000 +0100
+++ new/afl-2.09b/docs/ChangeLog 2016-03-26 23:08:34.000000000 +0100
@@ -13,10 +13,55 @@
sending a mail to .
Not sure if you should upgrade? The lowest currently recommended version
-is 2.03b. If you're stuck on an earlier release, it's strongly advisable
+is 2.07b. If you're stuck on an earlier release, it's strongly advisable
to get on with the times.
--------------
+Version 2.09b:
+--------------
+
+ - Made several documentation updates.
+
+ - Added some visual indicators to promote and simplify the use of -Z.
+
+--------------
+Version 2.08b:
+--------------
+
+ - Added explicit support for -m32 and -m64 for llvm_mode. Inspired by
+ a request from Christian Holler.
+
+ - Added a new benchmarking option, as requested by Kostya Serebryany.
+
+--------------
+Version 2.07b:
+--------------
+
+ - Added CPU affinity option (-Z) on Linux. With some caution, this can
+ offer a significant (10%+) performance bump and reduce jitter.
+ Proposed by Austin Seipp.
+
+ - Updated afl-gotcpu to use CPU affinity where supported.
+
+ - Fixed confusing CPU_TARGET error messages with QEMU build. Spotted by
+ Daniel Komaromy and others.
+
+--------------
+Version 2.06b:
+--------------
+
+ - Worked around LLVM persistent mode hiccups with -shared code.
+ Contributed by Christian Holler.
+
+ - Added __AFL_COMPILER as a convenient way to detect that something is
+ built under afl-gcc / afl-clang / afl-clang-fast and enable custom
+ optimizations in your code. Suggested by Pedro Corte-Real.
+
+ - Upstreamed several minor changes developed by Franjo Ivancic to
+ allow AFL to be built as a library. This is fairly use-specific and
+ may have relatively little appeal to general audiences.
+
+--------------
Version 2.05b:
--------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.05b/docs/README new/afl-2.09b/docs/README
--- old/afl-2.05b/docs/README 2016-02-21 01:04:50.000000000 +0100
+++ new/afl-2.09b/docs/README 2016-03-15 16:21:42.000000000 +0100
@@ -256,6 +256,10 @@
For tips on how to fuzz a common target on multiple cores or multiple networked
machines, please refer to parallel_fuzzing.txt.
+The parallel fuzzing mode also offers a simple way for interfacing AFL to other
+fuzzers, to symbolic or concolic execution engines, and so forth; again, see the
+last section of parallel_fuzzing.txt for tips.
+
9) Fuzzer dictionaries
----------------------
@@ -433,7 +437,8 @@
Jacek Wielemborek Leo Barnes
Jeremy Barnes Jeff Trull
Guillaume Endignoux ilovezfs
- Daniel Godas-Lopez
+ Daniel Godas-Lopez Franjo Ivancic
+ Austin Seipp Daniel Komaromy
Thank you!
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.05b/docs/env_variables.txt new/afl-2.09b/docs/env_variables.txt
--- old/afl-2.05b/docs/env_variables.txt 2016-02-21 06:42:37.000000000 +0100
+++ new/afl-2.09b/docs/env_variables.txt 2016-03-11 03:30:04.000000000 +0100
@@ -146,7 +146,8 @@
Others need not apply.
- Benchmarking only: AFL_BENCH_JUST_ONE causes the fuzzer to exit after
- processing the first queue entry.
+ processing the first queue entry; and AFL_BENCH_UNTIL_CRASH causes it to
+ exit when first crash is found.
4) Settings for afl-qemu-trace
------------------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.05b/docs/perf_tips.txt new/afl-2.09b/docs/perf_tips.txt
--- old/afl-2.05b/docs/perf_tips.txt 2015-09-01 09:55:22.000000000 +0200
+++ new/afl-2.09b/docs/perf_tips.txt 2016-03-08 07:03:11.000000000 +0100
@@ -144,7 +144,29 @@
presented with pathological inputs. Low -m values can make them give up sooner
and not waste CPU time.
-8) Check OS configuration
+8) Set CPU core affinity for AFL
+--------------------------------
+
+Making sure that the fuzzer always runs on the same (idle) CPU core can offer
+a significant speed bump and reduce scheduler jitter. The benefits can be even
+more striking on true multiprocessor systems.
+
+On Linux, you can assign the fuzzer to a specific core by first running
+afl-gotcpu to see which cores are idle, and then specifying the ID of a
+preferred core via -Z, like so:
+
+ $ ./afl-fuzz -Z core_id [...other parameters...]
+
+Note that this parameter needs to be used with care; accidentally forcing
+multiple fuzzers to share the same core may result in performance that is
+worse than what you would get without -Z.
+
+(It is also possible to specify two comma-delimited values for -Z, in which
+case, the fuzzer will run on one designated core, and the target binary will
+be banished to another. This can sometimes offer minor benefits, but isn't
+recommended for general use.)
+
+9) Check OS configuration
-------------------------
There are several OS-level factors that may affect fuzzing speed:
@@ -178,8 +200,8 @@
SCHED_RR - can usually speed things up, too, but needs to be done with
care.
-9) If all other options fail, use -d
-------------------------------------
+10) If all other options fail, use -d
+-------------------------------------
For programs that are genuinely slow, in cases where you really can't escape
using huge input files, or when you simply want to get quick and dirty results
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.05b/docs/sister_projects.txt new/afl-2.09b/docs/sister_projects.txt
--- old/afl-2.05b/docs/sister_projects.txt 2016-02-22 09:43:30.000000000 +0100
+++ new/afl-2.09b/docs/sister_projects.txt 2016-03-20 14:28:52.000000000 +0100
@@ -32,6 +32,14 @@
https://github.com/kmcallister/afl.rs
+OCaml support (KC Sivaramakrishnan)
+-----------------------------------
+
+ Adds AFL-compatible instrumentation to OCaml programs.
+
+ https://github.com/ocamllabs/opam-repo-dev/pull/23
+ http://canopy.mirage.io/Posts/Fuzzing
+
AFL for GCJ Java and other GCC frontends (-)
--------------------------------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.05b/llvm_mode/Makefile new/afl-2.09b/llvm_mode/Makefile
--- old/afl-2.05b/llvm_mode/Makefile 2016-02-21 02:49:14.000000000 +0100
+++ new/afl-2.09b/llvm_mode/Makefile 2016-03-12 23:29:27.000000000 +0100
@@ -55,9 +55,9 @@
endif
ifndef AFL_TRACE_PC
- PROGS = ../afl-clang-fast ../afl-llvm-pass.so ../afl-llvm-rt.o
+ PROGS = ../afl-clang-fast ../afl-llvm-pass.so ../afl-llvm-rt.o ../afl-llvm-rt-32.o ../afl-llvm-rt-64.o
else
- PROGS = ../afl-clang-fast ../afl-llvm-rt.o
+ PROGS = ../afl-clang-fast ../afl-llvm-rt.o ../afl-llvm-rt-32.o ../afl-llvm-rt-64.o
endif
all: test_deps $(PROGS) test_build all_done
@@ -85,6 +85,14 @@
../afl-llvm-rt.o: afl-llvm-rt.o.c | test_deps
$(CC) $(CFLAGS) -fPIC -c $< -o $@
+../afl-llvm-rt-32.o: afl-llvm-rt.o.c | test_deps
+ @printf "[*] Building 32-bit variant of the runtime (-m32)... "
+ @$(CC) $(CFLAGS) -m32 -fPIC -c $< -o $@ 2>/dev/null; if [ "$$?" = "0" ]; then echo "success!"; else echo "failed (that's fine)"; fi
+
+../afl-llvm-rt-64.o: afl-llvm-rt.o.c | test_deps
+ @printf "[*] Building 64-bit variant of the runtime (-m64)... "
+ @$(CC) $(CFLAGS) -m64 -fPIC -c $< -o $@ 2>/dev/null; if [ "$$?" = "0" ]; then echo "success!"; else echo "failed (that's fine)"; fi
+
test_build: $(PROGS)
@echo "[*] Testing the CC wrapper and instrumentation output..."
unset AFL_USE_ASAN AFL_USE_MSAN; AFL_QUIET=1 AFL_INST_RATIO=100 AFL_PATH=. AFL_CC=$(CC) ../afl-clang-fast $(CFLAGS) ../test-instr.c -o test-instr $(LDFLAGS)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.05b/llvm_mode/README.llvm new/afl-2.09b/llvm_mode/README.llvm
--- old/afl-2.05b/llvm_mode/README.llvm 2016-02-21 03:30:35.000000000 +0100
+++ new/afl-2.09b/llvm_mode/README.llvm 2016-03-26 22:41:47.000000000 +0100
@@ -148,7 +148,9 @@
The numerical value specified within the loop controls the maximum number
of iterations before AFL will restart the process from scratch. This minimizes
-the impact of memory leaks and similar glitches; 1000 is a good starting point.
+the impact of memory leaks and similar glitches; 1000 is a good starting point,
+and going much higher increases the likelihood of hiccups without giving you
+any real performance benefits.
A more detailed template is shown in ../experimental/persistent_demo/.
Similarly to the previous mode, the feature works only with afl-clang-fast;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.05b/llvm_mode/afl-clang-fast.c new/afl-2.09b/llvm_mode/afl-clang-fast.c
--- old/afl-2.05b/llvm_mode/afl-clang-fast.c 2016-02-21 21:19:23.000000000 +0100
+++ new/afl-2.09b/llvm_mode/afl-clang-fast.c 2016-03-12 23:38:56.000000000 +0100
@@ -96,7 +96,7 @@
static void edit_params(u32 argc, char** argv) {
- u8 fortify_set = 0, asan_set = 0, x_set = 0, maybe_linking = 1;
+ u8 fortify_set = 0, asan_set = 0, x_set = 0, maybe_linking = 1, bit_mode = 0;
u8 *name;
cc_params = ck_alloc((argc + 64) * sizeof(u8*));
@@ -133,9 +133,8 @@
while (--argc) {
u8* cur = *(++argv);
-#if defined(__x86_64__)
- if (!strcmp(cur, "-m32")) FATAL("-m32 is not supported");
-#endif
+ if (!strcmp(cur, "-m32")) bit_mode = 32;
+ if (!strcmp(cur, "-m64")) bit_mode = 64;
if (!strcmp(cur, "-x")) x_set = 1;
@@ -147,6 +146,8 @@
if (strstr(cur, "FORTIFY_SOURCE")) fortify_set = 1;
+ if (!strcmp(cur, "-shared")) maybe_linking = 0;
+
cc_params[cc_par_cnt++] = cur;
}
@@ -196,6 +197,7 @@
}
cc_params[cc_par_cnt++] = "-D__AFL_HAVE_MANUAL_CONTROL=1";
+ cc_params[cc_par_cnt++] = "-D__AFL_COMPILER=1";
/* When the user tries to use persistent or deferred forkserver modes by
appending a single line to the program, we want to reliably inject a
@@ -221,8 +223,10 @@
"({ static volatile char *_B __attribute__((used)); "
" _B = (char*)\"" PERSIST_SIG "\"; "
#ifdef __APPLE__
+ "__attribute__((visibility(\"default\"))) "
"int _L(unsigned int) __asm__(\"___afl_persistent_loop\"); "
#else
+ "__attribute__((visibility(\"default\"))) "
"int _L(unsigned int) __asm__(\"__afl_persistent_loop\"); "
#endif /* ^__APPLE__ */
"_L(_A); })";
@@ -231,8 +235,10 @@
"do { static volatile char *_A __attribute__((used)); "
" _A = (char*)\"" DEFER_SIG "\"; "
#ifdef __APPLE__
+ "__attribute__((visibility(\"default\"))) "
"void _I(void) __asm__(\"___afl_manual_init\"); "
#else
+ "__attribute__((visibility(\"default\"))) "
"void _I(void) __asm__(\"__afl_manual_init\"); "
#endif /* ^__APPLE__ */
"_I(); } while (0)";
@@ -244,7 +250,29 @@
cc_params[cc_par_cnt++] = "none";
}
- cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-rt.o", obj_path);
+ switch (bit_mode) {
+
+ case 0:
+ cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-rt.o", obj_path);
+ break;
+
+ case 32:
+ cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-rt-32.o", obj_path);
+
+ if (access(cc_params[cc_par_cnt - 1], R_OK))
+ FATAL("-m32 is not supported by your compiler");
+
+ break;
+
+ case 64:
+ cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-rt-64.o", obj_path);
+
+ if (access(cc_params[cc_par_cnt - 1], R_OK))
+ FATAL("-m64 is not supported by your compiler");
+
+ break;
+
+ }
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.05b/qemu_mode/build_qemu_support.sh new/afl-2.09b/qemu_mode/build_qemu_support.sh
--- old/afl-2.05b/qemu_mode/build_qemu_support.sh 2015-04-30 05:34:59.000000000 +0200
+++ new/afl-2.09b/qemu_mode/build_qemu_support.sh 2016-03-08 08:10:20.000000000 +0100
@@ -6,7 +6,7 @@
# Written by Andrew Griffiths and
# Michal Zalewski
#
-# Copyright 2015 Google Inc. All rights reserved.
+# Copyright 2015, 2016 Google Inc. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -124,6 +124,8 @@
echo "[+] Patching done."
+ORIG_CPU_TARGET="$CPU_TARGET"
+
test "$CPU_TARGET" = "" && CPU_TARGET="`uname -m`"
test "$CPU_TARGET" = "i686" && CPU_TARGET="i386"
@@ -152,35 +154,43 @@
echo "[+] Successfully created '../afl-qemu-trace'."
-echo "[*] Testing the build..."
+if [ "$ORIG_CPU_TARGET" = "" ]; then
-cd ..
+ echo "[*] Testing the build..."
-make >/dev/null || exit 1
+ cd ..
-gcc test-instr.c -o test-instr || exit 1
+ make >/dev/null || exit 1
-unset AFL_INST_RATIO
+ gcc test-instr.c -o test-instr || exit 1
-echo 0 | ./afl-showmap -m none -Q -q -o .test-instr0 ./test-instr || exit 1
-echo 1 | ./afl-showmap -m none -Q -q -o .test-instr1 ./test-instr || exit 1
+ unset AFL_INST_RATIO
-rm -f test-instr
+ echo 0 | ./afl-showmap -m none -Q -q -o .test-instr0 ./test-instr || exit 1
+ echo 1 | ./afl-showmap -m none -Q -q -o .test-instr1 ./test-instr || exit 1
-cmp -s .test-instr0 .test-instr1
-DR="$?"
+ rm -f test-instr
-rm -f .test-instr0 .test-instr1
+ cmp -s .test-instr0 .test-instr1
+ DR="$?"
-if [ "$DR" = "0" ]; then
+ rm -f .test-instr0 .test-instr1
- echo "[-] Error: afl-qemu-trace instrumentation doesn't seem to work!"
- exit 1
+ if [ "$DR" = "0" ]; then
-fi
+ echo "[-] Error: afl-qemu-trace instrumentation doesn't seem to work!"
+ exit 1
-echo "[+] Instrumentation tests passed. "
+ fi
-echo "[+] All set, you can now use the -Q mode in afl-fuzz!"
+ echo "[+] Instrumentation tests passed. "
+ echo "[+] All set, you can now use the -Q mode in afl-fuzz!"
+
+else
+
+ echo "[!] Note: can't test instrumentation when CPU_TARGET set."
+ echo "[+] All set, you can now (hopefully) use the -Q mode in afl-fuzz!"
+
+fi
exit 0