Hi,
I can't fully understand your algorithm for the selection of favored testcases.
In cull_queue I read:
```c
if (dsf_enabled) {
  for (i = 0; i < dsf_len_actual; i++) {
    if (top_rated[i]) {
      /* if top rated for any i, will be favored */
      u8 was_favored_already = top_rated[i]->favored;
      top_rated[i]->favored = 1;
      /* increments counts only if not also favored for another i */
      if (!was_favored_already) {
        queued_favored++;
        if (!top_rated[i]->was_fuzzed) pending_favored++;
      }
    }
  }
} else {
  // old AFL cull_queue
}
```
This takes into account only dsf, why not combine both dsf and edge coverage?
> This takes into account only dsf, why not combine both dsf and edge coverage?
That's certainly a reasonable alternative. Usually, in applications such as PerfFuzz, SlowFuzz, etc. the assumption is that the seed inputs already have some reasonable coverage and/or there is a parallel fuzzing session for coverage using master-slave mode; the favoring mechanism therefore focuses only on the domain-specific testing objective. However, I can certainly imagine cases where one would want to simultaneously maximize edge coverage and some other metric (the CMP domain comes to mind).
In FuzzFactory, you can always encode edge coverage itself in the DSF map itself as an additional domain, which gives you the desired result (and turn off AFL's default edge coverage instrumentation to avoid performance overheads). I haven't tried changing the favoring mechanism to always consider edge coverage---that would require maintaining two different data structures for top_rated, where one tracks the coverage and the other tracks the DSF map. Possibly worth a try.
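The alternative mentioned in the reply above (two separate `top_rated` structures, one for edge coverage and one for the DSF map), as an added example that is not FuzzFactory or AFL code. The names `cull_combined`, `top_cov`, `top_dsf`, `favor`, `cull_stats` and `edges` are hypothetical, the maps are shrunk to a few slots, and the sample queue is constructed.

```c
/* Simplified model for illustration; not FuzzFactory or AFL source. */
#include <stdio.h>

#define MAP_SIZE 8 /* edge map size, tiny for the example */
#define DSF_LEN 4  /* DSF map size, tiny for the example */

struct queue_entry {
  unsigned char favored, was_fuzzed;
  unsigned char edges[MAP_SIZE]; /* edges hit; stands in for trace_mini */
};
struct cull_stats { int queued_favored, pending_favored; };

/* Mark an entry favored, counting it only the first time. */
static void favor(struct queue_entry *q, struct cull_stats *s) {
  if (q->favored) return;
  q->favored = 1;
  s->queued_favored++;
  if (!q->was_fuzzed) s->pending_favored++;
}

struct cull_stats cull_combined(struct queue_entry *queue, int n,
                                struct queue_entry *top_cov[MAP_SIZE],
                                struct queue_entry *top_dsf[DSF_LEN]) {
  struct cull_stats s = {0, 0};
  unsigned char covered[MAP_SIZE] = {0};
  int i, j;
  for (i = 0; i < n; i++) queue[i].favored = 0;
  /* Pass 1: greedy cover over edges, as AFL's cull_queue does. */
  for (i = 0; i < MAP_SIZE; i++) {
    if (!top_cov[i] || covered[i]) continue;
    for (j = 0; j < MAP_SIZE; j++)
      if (top_cov[i]->edges[j]) covered[j] = 1;
    favor(top_cov[i], &s);
  }
  /* Pass 2: every DSF winner is favored, as in the quoted branch. */
  for (i = 0; i < DSF_LEN; i++)
    if (top_dsf[i]) favor(top_dsf[i], &s);
  return s;
}

int main(void) {
  /* Constructed queue: q[1]'s only edge is already covered by q[0]. */
  struct queue_entry q[3] = {{0, 1, {1, 1, 1}}, {0, 0, {0, 1}}, {0, 0, {0, 0, 0, 1}}};
  struct queue_entry *cov[MAP_SIZE] = {&q[0], &q[1], &q[0], &q[2]};
  struct queue_entry *dsf[DSF_LEN] = {&q[1], 0, &q[2]};
  struct cull_stats s = cull_combined(q, 3, cov, dsf);
  printf("favored=%d pending=%d\n", s.queued_favored, s.pending_favored);
  return 0;
}
```

In the constructed queue, the second entry is skipped by the edge pass because its edge is already covered, and becomes favored only through the DSF pass; the shared `favor` helper keeps the counters from double-counting an entry that wins in both maps.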