Question: what is the meaning of depth of a queue_entry ?

[stuartly]

Dear all:

I am reading the source code of AFL, and I am confused about the "depth" of a testcase(or queue_entry )

The definition of cur_depth is as follow:

EXP_ST u32 queued_paths,              /* Total number of queued testcases */
           queued_variable,           /* Testcases with variable behavior */
           queued_at_start,           /* Total number of initial inputs   */
           queued_discovered,         /* Items discovered during this run */
           queued_imported,           /* Items imported via -S            */
           queued_favored,            /* Paths deemed favorable           */
           queued_with_cov,           /* Paths with new coverage bytes    */
           pending_not_fuzzed,        /* Queued but not done yet          */
           pending_favored,           /* Pending favored paths            */
           cur_skipped_paths,         /* Abandoned inputs in cur cycle    */
           cur_depth,                 /* Current path depth               */
           max_depth,                 /* Max path depth                   */

And the q->depth is initialized in function "add_to_queue()".

static void add_to_queue(u8* fname, u32 len, u8 passed_det) {
  struct queue_entry* q = ck_alloc(sizeof(struct queue_entry));
  q->fname        = fname;
  q->len          = len;
  q->depth        = cur_depth + 1;
 ......
}

cur_depth is assigned in function "fuzz_one()":

cur_depth = queue_cur->depth;

My question is:  what's the meaning of depth of a queue_entry ?

     Do it mean the blocks length from the main entry ? or the depth in the queue ?

 

[Andrew Santosa]

It is the mutation distance from the initial seed corpus. One in the corpus has depth 1,
an input mutated from the input in the corpus has depth 2 and so on.

Best,
Andrew

--
You received this message because you are subscribed to the Google Groups "afl-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to afl-users+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[stuartly]

I see, thanks you very much.

I find the answer in the status_screen.txt (https://github.com/mcarpenter/afl/blob/master/docs/status_screen.txt)

8) Path geometry
	| levels : 5 |
	| pending : 1570 |
	| pend fav : 583 |
	| own finds : 0 |
	| imported : 0 |
	| stability : 100.00% |
	+---------------------+
	The first field in this section tracks the path depth reached through the
	guided fuzzing process. In essence: the initial test cases supplied by the
	user are considered "level 1". The test cases that can be derived from that
	through traditional fuzzing are considered "level 2"; the ones derived by
	using these as inputs to subsequent fuzzing rounds are "level 3"; and so forth.
	The maximum depth is therefore a rough proxy for how much value you're getting
	out of the instrumentation-guided approach taken by afl-fuzz.

Thank you very much! 

 

在 2018年4月23日星期一 UTC-4下午10:37:00，Andrew Santosa写道：