From 65b14554f7010fd14d3fe6a12b47feddfa789221 Mon Sep 17 00:00:00 2001 From: dongloong <1909842837@qq.com> Date: Mon, 21 Oct 2024 16:25:06 +0800 Subject: [PATCH] =?UTF-8?q?=E5=88=98=E6=98=8A=E5=86=AC?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- afl-fuzz.c | 1064 +++++++++++++++++++++++----------------------------- 1 file changed, 459 insertions(+), 605 deletions(-) diff --git a/afl-fuzz.c b/afl-fuzz.c index 46a216c..7fd40d8 100644 --- a/afl-fuzz.c +++ b/afl-fuzz.c @@ -67,6 +67,7 @@ #include #include +/*检查编译环境是否定义了__APPLE__、__FreeBSD__或__OpenBSD__宏,这些宏分别代表苹果的macOS系统、FreeBSD操作系统和OpenBSD操作系统*/ #if defined(__APPLE__) || defined(__FreeBSD__) || defined (__OpenBSD__) # include #endif /* __APPLE__ || __FreeBSD__ || __OpenBSD__ */ @@ -74,6 +75,7 @@ /* For systems that have sched_setaffinity; right now just Linux, but one can hope... */ +/*检查是否定义了__linux__宏,这个宏通常在编译Linux系统下的代码时被编译器定义*/ #ifdef __linux__ # define HAVE_AFFINITY 1 #endif /* __linux__ */ @@ -81,6 +83,8 @@ /* A toggle to export some variables when building as a library. Not very useful for the general public. */ +/*如果代码中定义了AFL_LIB宏,那么EXP_ST宏被定义为一个空的宏,可以作为布尔标志使用。 + 如果代码中没有定义AFL_LIB宏,那么EXP_ST宏被定义为static,用于限制作用域。*/ #ifdef AFL_LIB # define EXP_ST #else @@ -91,211 +95,211 @@ really makes no sense to haul them around as function parameters. */ -EXP_ST u8 *in_dir, /* Input directory with test cases */ - *out_file, /* File to fuzz, if any */ - *out_dir, /* Working & output directory */ - *sync_dir, /* Synchronization directory */ - *sync_id, /* Fuzzer ID */ - *use_banner, /* Display banner */ - *in_bitmap, /* Input bitmap */ - *doc_path, /* Path to documentation dir */ - *target_path, /* Path to target binary */ - *orig_cmdline; /* Original command line */ - -EXP_ST u32 exec_tmout = EXEC_TIMEOUT; /* Configurable exec timeout (ms) */ -static u32 hang_tmout = EXEC_TIMEOUT; /* Timeout used for hang det (ms) */ - -EXP_ST u64 mem_limit = MEM_LIMIT; /* Memory cap for child (MB) */ - -EXP_ST u32 cpu_to_bind = 0; /* id of free CPU core to bind */ - -static u32 stats_update_freq = 1; /* Stats update frequency (execs) */ - -EXP_ST u8 skip_deterministic, /* Skip deterministic stages? */ - force_deterministic, /* Force deterministic stages? */ - use_splicing, /* Recombine input files? */ - dumb_mode, /* Run in non-instrumented mode? */ - score_changed, /* Scoring for favorites changed? */ - kill_signal, /* Signal that killed the child */ - resuming_fuzz, /* Resuming an older fuzzing job? */ - timeout_given, /* Specific timeout given? */ - cpu_to_bind_given, /* Specified cpu_to_bind given? */ - not_on_tty, /* stdout is not a tty */ - term_too_small, /* terminal dimensions too small */ - uses_asan, /* Target uses ASAN? */ - no_forkserver, /* Disable forkserver? */ - crash_mode, /* Crash mode! Yeah! */ - in_place_resume, /* Attempt in-place resume? */ - auto_changed, /* Auto-generated tokens changed? */ - no_cpu_meter_red, /* Feng shui on the status screen */ - no_arith, /* Skip most arithmetic ops */ - shuffle_queue, /* Shuffle input queue? */ - bitmap_changed = 1, /* Time to update bitmap? */ - qemu_mode, /* Running in QEMU mode? */ - skip_requested, /* Skip request, via SIGUSR1 */ - run_over10m, /* Run time over 10 minutes? */ - persistent_mode, /* Running in persistent mode? */ - deferred_mode, /* Deferred forkserver mode? */ - fast_cal; /* Try to calibrate faster? */ - -static s32 out_fd, /* Persistent fd for out_file */ - dev_urandom_fd = -1, /* Persistent fd for /dev/urandom */ - dev_null_fd = -1, /* Persistent fd for /dev/null */ - fsrv_ctl_fd, /* Fork server control pipe (write) */ - fsrv_st_fd; /* Fork server status pipe (read) */ - -static s32 forksrv_pid, /* PID of the fork server */ - child_pid = -1, /* PID of the fuzzed program */ - out_dir_fd = -1; /* FD of the lock file */ - -EXP_ST u8* trace_bits; /* SHM with instrumentation bitmap */ - -EXP_ST u8 virgin_bits[MAP_SIZE], /* Regions yet untouched by fuzzing */ - virgin_tmout[MAP_SIZE], /* Bits we haven't seen in tmouts */ - virgin_crash[MAP_SIZE]; /* Bits we haven't seen in crashes */ - -static u8 var_bytes[MAP_SIZE]; /* Bytes that appear to be variable */ - -static s32 shm_id; /* ID of the SHM region */ - -static volatile u8 stop_soon, /* Ctrl-C pressed? */ - clear_screen = 1, /* Window resized? */ - child_timed_out; /* Traced process timed out? */ - -EXP_ST u32 queued_paths, /* Total number of queued testcases */ - queued_variable, /* Testcases with variable behavior */ - queued_at_start, /* Total number of initial inputs */ - queued_discovered, /* Items discovered during this run */ - queued_imported, /* Items imported via -S */ - queued_favored, /* Paths deemed favorable */ - queued_with_cov, /* Paths with new coverage bytes */ - pending_not_fuzzed, /* Queued but not done yet */ - pending_favored, /* Pending favored paths */ - cur_skipped_paths, /* Abandoned inputs in cur cycle */ - cur_depth, /* Current path depth */ - max_depth, /* Max path depth */ - useless_at_start, /* Number of useless starting paths */ - var_byte_count, /* Bitmap bytes with var behavior */ - current_entry, /* Current queue entry ID */ - havoc_div = 1; /* Cycle count divisor for havoc */ - -EXP_ST u64 total_crashes, /* Total number of crashes */ - unique_crashes, /* Crashes with unique signatures */ - total_tmouts, /* Total number of timeouts */ - unique_tmouts, /* Timeouts with unique signatures */ - unique_hangs, /* Hangs with unique signatures */ - total_execs, /* Total execve() calls */ - slowest_exec_ms, /* Slowest testcase non hang in ms */ - start_time, /* Unix start time (ms) */ - last_path_time, /* Time for most recent path (ms) */ - last_crash_time, /* Time for most recent crash (ms) */ - last_hang_time, /* Time for most recent hang (ms) */ - last_crash_execs, /* Exec counter at last crash */ - queue_cycle, /* Queue round counter */ - cycles_wo_finds, /* Cycles without any new paths */ - trim_execs, /* Execs done to trim input files */ - bytes_trim_in, /* Bytes coming into the trimmer */ - bytes_trim_out, /* Bytes coming outa the trimmer */ - blocks_eff_total, /* Blocks subject to effector maps */ - blocks_eff_select; /* Blocks selected as fuzzable */ - -static u32 subseq_tmouts; /* Number of timeouts in a row */ - -static u8 *stage_name = "init", /* Name of the current fuzz stage */ - *stage_short, /* Short stage name */ - *syncing_party; /* Currently syncing with... */ - -static s32 stage_cur, stage_max; /* Stage progression */ -static s32 splicing_with = -1; /* Splicing with which test case? */ - -static u32 master_id, master_max; /* Master instance job splitting */ - -static u32 syncing_case; /* Syncing with case #... */ - -static s32 stage_cur_byte, /* Byte offset of current stage op */ - stage_cur_val; /* Value used for stage op */ - -static u8 stage_val_type; /* Value type (STAGE_VAL_*) */ - -static u64 stage_finds[32], /* Patterns found per fuzz stage */ - stage_cycles[32]; /* Execs per fuzz stage */ - -static u32 rand_cnt; /* Random number counter */ - -static u64 total_cal_us, /* Total calibration time (us) */ - total_cal_cycles; /* Total calibration cycles */ - -static u64 total_bitmap_size, /* Total bit count for all bitmaps */ - total_bitmap_entries; /* Number of bitmaps counted */ - -static s32 cpu_core_count; /* CPU core count */ +EXP_ST u8 *in_dir, /* 包含测试用例的输入目录 */ + *out_file, /* 要模糊测试的文件(如果有的话) */ + *out_dir, /* 工作和输出目录 */ + *sync_dir, /* 同步目录 */ + *sync_id, /* 模糊测试器标识符 */ + *use_banner, /* 显示横幅 */ + *in_bitmap, /* 输入位图 */ + *doc_path, /* 文档目录的路径 */ + *target_path, /* 目标二进制文件路径 */ + *orig_cmdline; /* 原始命令行 */ + +EXP_ST u32 exec_tmout = EXEC_TIMEOUT; /* 可配置的执行超时 (ms) */ +static u32 hang_tmout = EXEC_TIMEOUT; /* 用于挂起的超时时间 (ms) */ + +EXP_ST u64 mem_limit = MEM_LIMIT; /* 子进程的内存限制 (MB) */ + +EXP_ST u32 cpu_to_bind = 0; /* 待绑定的空闲CPU核id */ + +static u32 stats_update_freq = 1; /* 统计更新频率 (执行次数)*/ + +EXP_ST u8 skip_deterministic, /* 跳过确定性阶段? */ + force_deterministic, /* 强制执行确定性阶段? */ + use_splicing, /* 重组输入文件? */ + dumb_mode, /* 在非插桩模式下运行? */ + score_changed, /* 收藏项的评分改变了? */ + kill_signal, /* 导致子进程退出的信号 */ + resuming_fuzz, /* 恢复旧的模糊测试工作? */ + timeout_given, /* 给出了特定的超时时间? */ + cpu_to_bind_given, /* 指定了cpu_to_bind? */ + not_on_tty, /* 标准输出不是tty */ + term_too_small, /* 终端尺寸太小 */ + uses_asan, /* 目标使用ASAN? */ + no_forkserver, /* 禁用forkserver? */ + crash_mode, /* 崩溃模式!耶! */ + in_place_resume, /* 尝试就地恢复? */ + auto_changed, /* 自动生成的令牌改变了? */ + no_cpu_meter_red, /* 状态屏幕上的风水 */ + no_arith, /* 跳过大多数算术操作 */ + shuffle_queue, /* 打乱输入队列? */ + bitmap_changed = 1, /* 更新位图的时间? */ + qemu_mode, /* 在QEMU模式下运行? */ + skip_requested, /* 通过SIGUSR1跳过请求 */ + run_over10m, /* 运行时间超过10分钟? */ + persistent_mode, /* 在持久模式下运行? */ + deferred_mode, /* 延迟forkserver模式? */ + fast_cal; /* 尝试更快地校准? */ + +static s32 out_fd, /* 用于out_file的持久文件描述符 */ + dev_urandom_fd = -1, /* 用于/dev/urandom的持久文件描述符 */ + dev_null_fd = -1, /* 用于/dev/null的持久文件描述符 */ + fsrv_ctl_fd, /* fork服务器控制管道(写入) */ + fsrv_st_fd; /* fork服务器状态管道(读取) */ + +static s32 forksrv_pid, /* fork服务器的进程ID */ + child_pid = -1, /* 被模糊测试的程序的进程ID */ + out_dir_fd = -1; /* 锁定文件的文件描述符 */ + +EXP_ST u8* trace_bits; /* 与插桩位图共享的共享内存 */ + +EXP_ST u8 virgin_bits[MAP_SIZE], /* 尚未被模糊测试触及的区域 */ + virgin_tmout[MAP_SIZE], /* 我们在超时中尚未见过的位 */ + virgin_crash[MAP_SIZE]; /* 我们在崩溃中尚未见过的位 */ + +static u8 var_bytes[MAP_SIZE]; /* 看起来是可变的字节 */ + +static s32 shm_id; /* 共享内存区域的ID */ + +static volatile u8 stop_soon, /* Ctrl-C 被按下了吗? */ + clear_screen = 1, /* 窗口被调整大小了吗? */ + child_timed_out; /* 被追踪的进程超时了吗? */ + +EXP_ST u32 queued_paths, /* 排队的测试用例总数 */ + queued_variable, /* 具有可变行为的测试用例 */ + queued_at_start, /* 初始输入的总数 */ + queued_discovered, /* 在此运行期间发现的项目 */ + queued_imported, /* 通过-S导入的项目 */ + queued_favored, /* 被认为有利的路径 */ + queued_with_cov, /* 有新的覆盖字节的路径 */ + pending_not_fuzzed, /* 已排队但尚未完成 */ + pending_favored, /* 等待中的优先路径 */ + cur_skipped_paths, /* 当前周期中放弃的输入 */ + cur_depth, /* 当前路径深度 */ + max_depth, /* 最大路径深度 */ + useless_at_start, /* 无用的起始路径数量 */ + var_byte_count, /* 具有可变行为的位图字节 */ + current_entry, /* 当前队列条目ID */ + havoc_div = 1; /* 对havoc的循环计数除数 */ + +EXP_ST u64 total_crashes, /* 崩溃总数 */ + unique_crashes, /* 具有唯一签名的崩溃 */ + total_tmouts, /* 超时总数 */ + unique_tmouts, /* 具有唯一签名的超时 */ + unique_hangs, /* 具有唯一签名的挂起 */ + total_execs, /* 总的execve()调用次数 */ + slowest_exec_ms, /* 最慢的测试用例非挂起时间(ms) */ + start_time, /* Unix开始时间(ms) */ + last_path_time, /* 最近路径的时间(ms) */ + last_crash_time, /* 最近崩溃的时间(ms) */ + last_hang_time, /* 最近挂起的时间(ms) */ + last_crash_execs, /* 上次崩溃时的执行计数器 */ + queue_cycle, /* 队列循环计数器 */ + cycles_wo_finds, /* 没有发现新路径的周期数 */ + trim_execs, /* 用于修剪输入文件的执行次数 */ + bytes_trim_in, /* 进入修剪器的字节 */ + bytes_trim_out, /* 从修剪器出来的字节 */ + blocks_eff_total, /* 受效应器映射影响的块 */ + blocks_eff_select; /* 被选为可模糊化的块 */ + +static u32 subseq_tmouts; /* 连续超时的次数 */ + +static u8 *stage_name = "init", /* 当前模糊测试阶段的名称 */ + *stage_short, /* 简短的阶段名称 */ + *syncing_party; /* 当前正在同步的... */ + +static s32 stage_cur, stage_max; /* 阶段进度 */ +static s32 splicing_with = -1; /* 与哪个测试用例混合? */ + +static u32 master_id, master_max; /* 主实例工作分割 */ + +static u32 syncing_case; /* 与案例#...同步 */ + +static s32 stage_cur_byte, /* 当前阶段操作的字节偏移量 */ + stage_cur_val; /* 用于阶段操作的值 */ + +static u8 stage_val_type; /* 值类型(STAGE_VAL_*) */ + +static u64 stage_finds[32], /* 每个模糊测试阶段发现的模式 */ + stage_cycles[32]; /* 每个模糊测试阶段的执行次数 */ + +static u32 rand_cnt; /* 随机数计数器 */ + +static u64 total_cal_us, /* 总校准时间(微秒) */ + total_cal_cycles; /* 总校准周期 */ + +static u64 total_bitmap_size, /* 所有位图的总位数 */ + total_bitmap_entries; /* 计算的位图数量 */ + +static s32 cpu_core_count; /* CPU核心数 */ #ifdef HAVE_AFFINITY -static s32 cpu_aff = -1; /* Selected CPU core */ +static s32 cpu_aff = -1; /* 选择的CPU核心 */ #endif /* HAVE_AFFINITY */ -static FILE* plot_file; /* Gnuplot output file */ +static FILE* plot_file; /* Gnuplot输出文件 */ struct queue_entry { + + u8* fname; /* 测试用例的文件名 */ + u32 len; /* 输入长度 */ - u8* fname; /* File name for the test case */ - u32 len; /* Input length */ - - u8 cal_failed, /* Calibration failed? */ - trim_done, /* Trimmed? */ - was_fuzzed, /* Had any fuzzing done yet? */ - passed_det, /* Deterministic stages passed? */ - has_new_cov, /* Triggers new coverage? */ - var_behavior, /* Variable behavior? */ - favored, /* Currently favored? */ - fs_redundant; /* Marked as redundant in the fs? */ + u8 cal_failed, /* 校准失败? */ + trim_done, /* 修剪完成? */ + was_fuzzed, /* 之前进行过模糊测试吗? */ + passed_det, /* 通过了确定性阶段吗? */ + has_new_cov, /* 触发了新的代码覆盖吗? */ + var_behavior, /* 表现出可变行为吗? */ + favored, /* 当前是否被优先考虑? */ + fs_redundant; /* 在文件系统中被标记为冗余了吗? */ - u32 bitmap_size, /* Number of bits set in bitmap */ - exec_cksum; /* Checksum of the execution trace */ + u32 bitmap_size, /* 位图中设置的位数 */ + exec_cksum; /* 执行轨迹的校验和 */ - u64 exec_us, /* Execution time (us) */ - handicap, /* Number of queue cycles behind */ - depth; /* Path depth */ + u64 exec_us, /* 执行时间(微秒) */ + handicap, /* 在队列中的落后周期数 */ + depth; /* 路径深度 */ - u8* trace_mini; /* Trace bytes, if kept */ - u32 tc_ref; /* Trace bytes ref count */ + u8* trace_mini; /* 如果保留,执行轨迹的字节 */ + u32 tc_ref; /* 执行轨迹字节的引用计数 */ - struct queue_entry *next, /* Next element, if any */ - *next_100; /* 100 elements ahead */ + struct queue_entry *next, /* 下一个元素,如果有的话 */ + *next_100; /* 100个元素之后的元素 */ }; -static struct queue_entry *queue, /* Fuzzing queue (linked list) */ - *queue_cur, /* Current offset within the queue */ - *queue_top, /* Top of the list */ - *q_prev100; /* Previous 100 marker */ +static struct queue_entry *queue, /* 模糊测试队列(链表) */ + *queue_cur, /* 队列中的当前偏移量 */ + *queue_top, /* 列表的顶部 */ + *q_prev100; /* 上一个100个标记 */ static struct queue_entry* - top_rated[MAP_SIZE]; /* Top entries for bitmap bytes */ + top_rated[MAP_SIZE]; /* 位图字节的顶级条目 */ struct extra_data { - u8* data; /* Dictionary token data */ - u32 len; /* Dictionary token length */ - u32 hit_cnt; /* Use count in the corpus */ + u8* data; /* 词典令牌数据 */ + u32 len; /* 词典令牌长度 */ + u32 hit_cnt; /* 在语料库中的使用次数 */ }; -static struct extra_data* extras; /* Extra tokens to fuzz with */ -static u32 extras_cnt; /* Total number of tokens read */ +static struct extra_data* extras; /* 用于模糊测试的额外令牌 */ +static u32 extras_cnt; /* 读取的令牌总数 */ -static struct extra_data* a_extras; /* Automatically selected extras */ -static u32 a_extras_cnt; /* Total number of tokens available */ +static struct extra_data* a_extras; /* 自动选择的额外令牌 */ +static u32 a_extras_cnt; /* 可用的令牌总数 */ static u8* (*post_handler)(u8* buf, u32* len); -/* Interesting values, as per config.h */ +/* 根据config.h中的设置interesting的值 */ static s8 interesting_8[] = { INTERESTING_8 }; static s16 interesting_16[] = { INTERESTING_8, INTERESTING_16 }; static s32 interesting_32[] = { INTERESTING_8, INTERESTING_16, INTERESTING_32 }; -/* Fuzzing stages */ +/* 模糊测试阶段 */ enum { /* 00 */ STAGE_FLIP1, @@ -317,7 +321,7 @@ enum { /* 16 */ STAGE_SPLICE }; -/* Stage value types */ +/*阶段值类型 */ enum { /* 00 */ STAGE_VAL_NONE, @@ -325,7 +329,7 @@ enum { /* 02 */ STAGE_VAL_BE }; -/* Execution status fault codes */ +/* 执行状态故障代码 */ enum { /* 00 */ FAULT_NONE, @@ -337,7 +341,7 @@ enum { }; -/* Get unix time in milliseconds */ +/* 获取毫秒级的Unix时间戳 */ static u64 get_cur_time(void) { @@ -351,7 +355,7 @@ static u64 get_cur_time(void) { } -/* Get unix time in microseconds */ +/* 获取微秒级的Unix时间戳 */ static u64 get_cur_time_us(void) { @@ -365,8 +369,7 @@ static u64 get_cur_time_us(void) { } -/* Generate a random number (from 0 to limit - 1). This may - have slight bias. */ +/* 生成一个随机数(从0到限值减1)。这可能存在轻微的偏差。 */ static inline u32 UR(u32 limit) { @@ -386,7 +389,7 @@ static inline u32 UR(u32 limit) { } -/* Shuffle an array of pointers. Might be slightly biased. */ +/* 洗牌一个指针数组。可能会有轻微的偏差。 */ static void shuffle_ptrs(void** ptrs, u32 cnt) { @@ -406,8 +409,7 @@ static void shuffle_ptrs(void** ptrs, u32 cnt) { #ifdef HAVE_AFFINITY -/* Build a list of processes bound to specific cores. Returns -1 if nothing - can be found. Assumes an upper bound of 4k CPUs. */ +/* 构建绑定到特定核心的进程列表。如果找不到任何东西,返回-1。假设cpu上限为4k。 */ static void bind_to_free_cpu(void) { @@ -438,15 +440,13 @@ static void bind_to_free_cpu(void) { ACTF("Checking CPU core loadout..."); - /* Introduce some jitter, in case multiple AFL tasks are doing the same - thing at the same time... */ + /* 引入一些抖动,以防多个AFL任务在同一时间做同一件事情... */ usleep(R(1000) * 250); - /* Scan all /proc//status entries, checking for Cpus_allowed_list. - Flag all processes bound to a specific CPU using cpu_used[]. This will - fail for some exotic binding setups, but is likely good enough in almost - all real-world use cases. */ + /* 扫描所有 /proc//status 条目,检查 Cpus_allowed_list。 + 使用 cpu_used[] 标记所有绑定到特定 CPU 的进程。 + 这在某些特殊的绑定设置中可能会失败,但在几乎所有现实世界的用例中都足够好。 */ while ((de = readdir(d))) { @@ -468,7 +468,7 @@ static void bind_to_free_cpu(void) { u32 hval; - /* Processes without VmSize are probably kernel tasks. */ + /* 没有VmSize的进程可能是内核任务。 */ if (!strncmp(tmp, "VmSize:\t", 8)) has_vmsize = 1; @@ -535,8 +535,7 @@ static void bind_to_free_cpu(void) { #ifndef IGNORE_FINDS -/* Helper function to compare buffers; returns first and last differing offset. We - use this to find reasonable locations for splicing two files. */ +/* 辅助函数用于比较缓冲区;返回第一个和最后一个不同的偏移量。我们用这个来找到合理的地点来拼接两个文件。 */ static void locate_diffs(u8* ptr1, u8* ptr2, u32 len, s32* first, s32* last) { @@ -565,9 +564,8 @@ static void locate_diffs(u8* ptr1, u8* ptr2, u32 len, s32* first, s32* last) { #endif /* !IGNORE_FINDS */ -/* Describe integer. Uses 12 cyclic static buffers for return values. The value - returned should be five characters or less for all the integers we reasonably - expect to see. */ +/*描述整数。使用12个循环的静态缓冲区来存储返回值。 +对于我们合理预期会看到的所有的整数,返回的值应该是五个字符或更少。 */ static u8* DI(u64 val) { @@ -623,8 +621,7 @@ static u8* DI(u64 val) { } -/* Describe float. Similar to the above, except with a single - static buffer. */ +/* 描述浮点数。与上面的类似,只是使用单个静态缓冲区。 */ static u8* DF(double val) { @@ -645,7 +642,7 @@ static u8* DF(double val) { } -/* Describe integer as memory size. */ +/* 将整数描述为内存大小。*/ static u8* DMS(u64 val) { @@ -696,7 +693,7 @@ static u8* DMS(u64 val) { } -/* Describe time delta. Returns one static buffer, 34 chars of less. */ +/* 描述时间增量。返回一个静态缓冲区,长度不超过34个字符。 */ static u8* DTD(u64 cur_ms, u64 event_ms) { @@ -719,9 +716,7 @@ static u8* DTD(u64 cur_ms, u64 event_ms) { } -/* Mark deterministic checks as done for a particular queue entry. We use the - .state file to avoid repeating deterministic fuzzing when resuming aborted - scans. */ +/* 标记特定队列条目的确定性检查为已完成。我们使用.state文件来避免在恢复中断的扫描时重复进行确定性模糊测试。 */ static void mark_as_det_done(struct queue_entry* q) { @@ -741,8 +736,7 @@ static void mark_as_det_done(struct queue_entry* q) { } -/* Mark as variable. Create symlinks if possible to make it easier to examine - the files. */ +/* 标记为变量。如果可能的话,创建符号链接以便于检查文件。 */ static void mark_as_variable(struct queue_entry* q) { @@ -767,8 +761,7 @@ static void mark_as_variable(struct queue_entry* q) { } -/* Mark / unmark as redundant (edge-only). This is not used for restoring state, - but may be useful for post-processing datasets. */ +/* 标记/取消标记为冗余(仅边)。这并不用于恢复状态,但可能对后处理数据集有用。 */ static void mark_as_redundant(struct queue_entry* q, u8 state) { @@ -799,7 +792,7 @@ static void mark_as_redundant(struct queue_entry* q, u8 state) { } -/* Append new test case to the queue. */ +/* 向队列追加新的测试用例。 */ static void add_to_queue(u8* fname, u32 len, u8 passed_det) { @@ -824,7 +817,7 @@ static void add_to_queue(u8* fname, u32 len, u8 passed_det) { cycles_wo_finds = 0; - /* Set next_100 pointer for every 100th element (index 0, 100, etc) to allow faster iteration. */ + /* 为每100个元素(索引0,100等)设置next_100指针,以允许更快的迭代。 */ if ((queued_paths - 1) % 100 == 0 && queued_paths > 1) { q_prev100->next_100 = q; @@ -837,7 +830,7 @@ static void add_to_queue(u8* fname, u32 len, u8 passed_det) { } -/* Destroy the entire queue. */ +/* 销毁整个队列。 */ EXP_ST void destroy_queue(void) { @@ -856,9 +849,8 @@ EXP_ST void destroy_queue(void) { } -/* Write bitmap to file. The bitmap is useful mostly for the secret - -B option, to focus a separate fuzzing session on a particular - interesting input without rediscovering all the others. */ +/* 将位图写入文件。位图主要用于秘密的 -B 选项,以便在不重新发现所有 + 其他内容的情况下,将单独的模糊测试会话集中在某个特定的有趣输入上。*/ EXP_ST void write_bitmap(void) { @@ -881,7 +873,7 @@ EXP_ST void write_bitmap(void) { } -/* Read bitmap from file. This is for the -B option again. */ +/* 从文件中读取位图。这是-B选项。 */ EXP_ST void read_bitmap(u8* fname) { @@ -896,13 +888,11 @@ EXP_ST void read_bitmap(u8* fname) { } -/* Check if the current execution path brings anything new to the table. - Update virgin bits to reflect the finds. Returns 1 if the only change is - the hit-count for a particular tuple; 2 if there are new tuples seen. - Updates the map, so subsequent calls will always return 0. +/* 检查当前的执行路径是否带来了新的内容。 +更新virgin bits以反映发现的内容。如果唯一的变化是某个特定元组的命中次数,则返回1;如果看到了新的元组,则返回2。 +更新映射,因此后续调用总是返回0。 - This function is called after every exec() on a fairly large buffer, so - it needs to be fast. We do this in 32-bit and 64-bit flavors. */ +这个函数在每次对相当大的缓冲区执行exec()之后被调用,所以它需要快速。我们在32位和64位版本中都这样做。 */ static inline u8 has_new_bits(u8* virgin_map) { @@ -926,9 +916,7 @@ static inline u8 has_new_bits(u8* virgin_map) { while (i--) { - /* Optimize for (*current & *virgin) == 0 - i.e., no bits in current bitmap - that have not been already cleared from the virgin map - since this will - almost always be the case. */ + /* 针对(*current & *virgin)== 0进行优化——即,当前位图中没有未从virgin map中清除的位——因为这种情况几乎总是会出现。 */ if (unlikely(*current) && unlikely(*current & *virgin)) { @@ -937,8 +925,7 @@ static inline u8 has_new_bits(u8* virgin_map) { u8* cur = (u8*)current; u8* vir = (u8*)virgin; - /* Looks like we have not found any new bytes yet; see if any non-zero - bytes in current[] are pristine in virgin[]. */ + /* 看起来我们还没有找到任何新的字节;检查current[]中的任何非零字节是否在virgin[]中是未被触碰的。*/ #ifdef WORD_SIZE_64 @@ -974,8 +961,7 @@ static inline u8 has_new_bits(u8* virgin_map) { } -/* Count the number of bits set in the provided bitmap. Used for the status - screen several times every second, does not have to be fast. */ +/* 计算提供的位图中设置的位数。它每秒多次用于状态屏幕,不需要太快。 */ static u32 count_bits(u8* mem) { @@ -987,8 +973,7 @@ static u32 count_bits(u8* mem) { u32 v = *(ptr++); - /* This gets called on the inverse, virgin bitmap; optimize for sparse - data. */ + /* 这个函数被调用在相反的,virgin bitmap上;针对稀疏数据进行优化。 */ if (v == 0xffffffff) { ret += 32; @@ -1008,9 +993,7 @@ static u32 count_bits(u8* mem) { #define FF(_b) (0xff << ((_b) << 3)) -/* Count the number of bytes set in the bitmap. Called fairly sporadically, - mostly to update the status screen or calibrate and examine confirmed - new paths. */ +/* 计算位图中设置的字节数。调用相对不频繁,主要用于更新状态屏幕或校准和检查确认的新路径。 */ static u32 count_bytes(u8* mem) { @@ -1035,8 +1018,7 @@ static u32 count_bytes(u8* mem) { } -/* Count the number of non-255 bytes set in the bitmap. Used strictly for the - status screen, several calls per second or so. */ +/* 计算位图中非255字节的数量。仅用于状态屏幕,每秒大约有几调用。*/ static u32 count_non_255_bytes(u8* mem) { @@ -1048,8 +1030,7 @@ static u32 count_non_255_bytes(u8* mem) { u32 v = *(ptr++); - /* This is called on the virgin bitmap, so optimize for the most likely - case. */ + /* 这个函数是在virgin bitmap上调用的,因此要针对最可能的情况进行优化。 */ if (v == 0xffffffff) continue; if ((v & FF(0)) != FF(0)) ret++; @@ -1064,10 +1045,8 @@ static u32 count_non_255_bytes(u8* mem) { } -/* Destructively simplify trace by eliminating hit count information - and replacing it with 0x80 or 0x01 depending on whether the tuple - is hit or not. Called on every new crash or timeout, should be - reasonably fast. */ +/* 通过消除命中次数信息,并根据元组是否被命中,用0x80或0x01替换, +来破坏性地简化跟踪信息。在每次新的崩溃或超时时被调用,应该足够快。 */ static const u8 simplify_lookup[256] = { @@ -1084,7 +1063,7 @@ static void simplify_trace(u64* mem) { while (i--) { - /* Optimize for sparse bitmaps. */ + /* 优化稀疏位图 */ if (unlikely(*mem)) { @@ -1115,7 +1094,7 @@ static void simplify_trace(u32* mem) { while (i--) { - /* Optimize for sparse bitmaps. */ + /* 优化稀疏位图 */ if (unlikely(*mem)) { @@ -1136,9 +1115,7 @@ static void simplify_trace(u32* mem) { #endif /* ^WORD_SIZE_64 */ -/* Destructively classify execution counts in a trace. This is used as a - preprocessing step for any newly acquired traces. Called on every exec, - must be fast. */ +/* 破坏性地对跟踪中的执行计数进行分类。这用作任何新获得的跟踪的预处理步骤。每次执行时都会被调用,必须快速。 */ static const u8 count_class_lookup8[256] = { @@ -1178,7 +1155,7 @@ static inline void classify_counts(u64* mem) { while (i--) { - /* Optimize for sparse bitmaps. */ + /* 优化稀疏位图 */ if (unlikely(*mem)) { @@ -1205,7 +1182,7 @@ static inline void classify_counts(u32* mem) { while (i--) { - /* Optimize for sparse bitmaps. */ + /* 优化稀疏位图 */ if (unlikely(*mem)) { @@ -1225,7 +1202,7 @@ static inline void classify_counts(u32* mem) { #endif /* ^WORD_SIZE_64 */ -/* Get rid of shared memory (atexit handler). */ +/* 摆脱共享内存(atexit处理程序) */ static void remove_shm(void) { @@ -1234,9 +1211,7 @@ static void remove_shm(void) { } -/* Compact trace bytes into a smaller bitmap. We effectively just drop the - count information here. This is called only sporadically, for some - new paths. */ +/* 将跟踪字节压缩到更小的位图中。我们实际上在这里只是丢弃了计数信息。这个函数只在一些新路径上偶尔被调用。 */ static void minimize_bits(u8* dst, u8* src) { @@ -1252,23 +1227,21 @@ static void minimize_bits(u8* dst, u8* src) { } -/* When we bump into a new path, we call this to see if the path appears - more "favorable" than any of the existing ones. The purpose of the - "favorables" is to have a minimal set of paths that trigger all the bits - seen in the bitmap so far, and focus on fuzzing them at the expense of - the rest. +/* 当我们遇到一个新的路径时,我们会调用这个函数来查看这个路径是否看起来比现有的任何路径都更“favorable”。 +“favorable”的目的是拥有一个最小的路径集合,这些路径触发了迄今为止在位图中看到的所有位, +并专注于对这些路径进行模糊测试,而牺牲其他路径。 + +这个过程的第一步是为位图中的每个字节维护一个top_rated[]条目列表。如果之前没有竞争者, +或者竞争者具有更有利的速度x大小因子,我们就赢得了那个位置。 - The first step of the process is to maintain a list of top_rated[] entries - for every byte in the bitmap. We win that slot if there is no previous - contender, or if the contender has a more favorable speed x size factor. */ +对于trace_bits[]中设置的每个字节,看看是否有之前的获胜者,以及它与我们的比较情况。 */ static void update_bitmap_score(struct queue_entry* q) { u32 i; u64 fav_factor = q->exec_us * q->len; - /* For every byte set in trace_bits[], see if there is a previous winner, - and how it compares to us. */ + /* 对于trace_bits[]中设置的每个字节,看看是否有之前的获胜者,以及它与我们的比较情况。 */ for (i = 0; i < MAP_SIZE; i++) @@ -1276,12 +1249,11 @@ static void update_bitmap_score(struct queue_entry* q) { if (top_rated[i]) { - /* Faster-executing or smaller test cases are favored. */ + /* 执行速度更快或更小的测试用例是受青睐的。*/ if (fav_factor > top_rated[i]->exec_us * top_rated[i]->len) continue; - /* Looks like we're going to win. Decrease ref count for the - previous winner, discard its trace_bits[] if necessary. */ + /* 看来我们要赢了。为之前的获胜者减少引用计数,如果需要的话,丢弃它的trace_bits[]。 */ if (!--top_rated[i]->tc_ref) { ck_free(top_rated[i]->trace_mini); @@ -1290,7 +1262,7 @@ static void update_bitmap_score(struct queue_entry* q) { } - /* Insert ourselves as the new winner. */ + /* 将自己插入为新的获胜者。 */ top_rated[i] = q; q->tc_ref++; @@ -1307,11 +1279,9 @@ static void update_bitmap_score(struct queue_entry* q) { } -/* The second part of the mechanism discussed above is a routine that - goes over top_rated[] entries, and then sequentially grabs winners for - previously-unseen bytes (temp_v) and marks them as favored, at least - until the next run. The favored entries are given more air time during - all fuzzing steps. */ +/* +上述机制的第二部分是一个例程,它遍历top_rated[]条目,然后依次获取之前未见过的字节(temp_v)的获胜者, +并将它们标记为受青睐的,至少直到下一次运行。在所有的模糊测试步骤中,受青睐的条目会被给予更多的测试时间。*/ static void cull_queue(void) { @@ -1335,15 +1305,14 @@ static void cull_queue(void) { q = q->next; } - /* Let's see if anything in the bitmap isn't captured in temp_v. - If yes, and if it has a top_rated[] contender, let's use it. */ + /* 让我们看看位图中是否有未在temp_v中捕获的内容。如果有,并且它在top_rated[]中有竞争者,那么我们就使用它。 */ for (i = 0; i < MAP_SIZE; i++) if (top_rated[i] && (temp_v[i >> 3] & (1 << (i & 7)))) { u32 j = MAP_SIZE >> 3; - /* Remove all bits belonging to the current entry from temp_v. */ + /* 从temp_v中删除属于当前条目的所有位。 */ while (j--) if (top_rated[i]->trace_mini[j]) @@ -1366,7 +1335,7 @@ static void cull_queue(void) { } -/* Configure shared memory and virgin_bits. This is called at startup. */ +/* 配置共享内存和virgin_bits。这在启动时被调用。 */ EXP_ST void setup_shm(void) { @@ -1385,10 +1354,8 @@ EXP_ST void setup_shm(void) { shm_str = alloc_printf("%d", shm_id); - /* If somebody is asking us to fuzz instrumented binaries in dumb mode, - we don't want them to detect instrumentation, since we won't be sending - fork server commands. This should be replaced with better auto-detection - later on, perhaps? */ + /* 如果有人要求我们在dump模式下对插桩的二进制文件进行模糊测试,我们不希望他们检测到插桩, + 因为我们不会发送fork服务器命令。这应该在以后被更好的自动检测所取代,对吗? */ if (!dumb_mode) setenv(SHM_ENV_VAR, shm_str, 1); @@ -1401,7 +1368,7 @@ EXP_ST void setup_shm(void) { } -/* Load postprocessor, if available. */ +/* 加载后处理器(如果可用) */ static void setup_post(void) { @@ -1419,7 +1386,7 @@ static void setup_post(void) { post_handler = dlsym(dh, "afl_postprocess"); if (!post_handler) FATAL("Symbol 'afl_postprocess' not found."); - /* Do a quick test. It's better to segfault now than later =) */ + /* 做一个快速测试。现在分段故障比以后好=) */ post_handler("hello", &tlen); @@ -1428,8 +1395,7 @@ static void setup_post(void) { } -/* Read all testcases from the input directory, then queue them for testing. - Called at startup. */ +/* 从输入目录读取所有测试用例,然后将它们排队进行测试。在启动时调用。*/ static void read_testcases(void) { @@ -1438,16 +1404,14 @@ static void read_testcases(void) { u32 i; u8* fn; - /* Auto-detect non-in-place resumption attempts. */ + /* 自动检测非原位恢复尝试。 */ fn = alloc_printf("%s/queue", in_dir); if (!access(fn, F_OK)) in_dir = fn; else ck_free(fn); ACTF("Scanning '%s'...", in_dir); - /* We use scandir() + alphasort() rather than readdir() because otherwise, - the ordering of test cases would vary somewhat randomly and would be - difficult to control. */ + /* 我们使用 scandir() + alphasort() 而不是 readdir(),因为如果不这样,测试用例的排序会有些随机,并且难以控制。 */ nl_cnt = scandir(in_dir, &nl, NULL, alphasort); @@ -1486,7 +1450,7 @@ static void read_testcases(void) { if (lstat(fn, &st) || access(fn, R_OK)) PFATAL("Unable to access '%s'", fn); - /* This also takes care of . and .. */ + /* 这也照顾.和. . */ if (!S_ISREG(st.st_mode) || !st.st_size || strstr(fn, "/README.testcases")) { @@ -1500,10 +1464,8 @@ static void read_testcases(void) { FATAL("Test case '%s' is too big (%s, limit is %s)", fn, DMS(st.st_size), DMS(MAX_FILE)); - /* Check for metadata that indicates that deterministic fuzzing - is complete for this entry. We don't want to repeat deterministic - fuzzing when resuming aborted scans, because it would be pointless - and probably very time-consuming. */ + /* 检查元数据,以确定是否已经完成了这项条目的确定性模糊测试。 + 我们不想在恢复中断的扫描时重复进行确定性模糊测试,因为这样做毫无意义,而且可能非常耗时。 */ if (!access(dfn, F_OK)) passed_det = 1; ck_free(dfn); @@ -1532,7 +1494,7 @@ static void read_testcases(void) { } -/* Helper function for load_extras. */ +/* load_extras的辅助函数 */ static int compare_extras_len(const void* p1, const void* p2) { struct extra_data *e1 = (struct extra_data*)p1, @@ -1549,7 +1511,7 @@ static int compare_extras_use_d(const void* p1, const void* p2) { } -/* Read extras from a file, sort by size. */ +/* 从文件中读取额外内容,按大小排序。 */ static void load_extras_file(u8* fname, u32* min_len, u32* max_len, u32 dict_level) { @@ -1570,7 +1532,7 @@ static void load_extras_file(u8* fname, u32* min_len, u32* max_len, cur_line++; - /* Trim on left and right. */ + /* 修剪左右 */ while (isspace(*lptr)) lptr++; @@ -1579,11 +1541,11 @@ static void load_extras_file(u8* fname, u32* min_len, u32* max_len, rptr++; *rptr = 0; - /* Skip empty lines and comments. */ + /* 跳过空行和注释 */ if (!*lptr || *lptr == '#') continue; - /* All other lines must end with '"', which we can consume. */ + /* 所有其他行必须以‘ " ’结尾,我们可以使用它。 */ rptr--; @@ -1592,11 +1554,11 @@ static void load_extras_file(u8* fname, u32* min_len, u32* max_len, *rptr = 0; - /* Skip alphanumerics and dashes (label). */ + /* 跳过字母数字和破折号(标签) */ while (isalnum(*lptr) || *lptr == '_') lptr++; - /* If @number follows, parse that. */ + /* 如果后面跟着@number,解析它 */ if (*lptr == '@') { @@ -1606,11 +1568,11 @@ static void load_extras_file(u8* fname, u32* min_len, u32* max_len, } - /* Skip whitespace and = signs. */ + /* 跳过空格和=号 */ while (isspace(*lptr) || *lptr == '=') lptr++; - /* Consume opening '"'. */ + /* 消费开放‘ " ’ 。 */ if (*lptr != '"') FATAL("Malformed name=\"keyword\" pair in line %u.", cur_line); @@ -1619,8 +1581,7 @@ static void load_extras_file(u8* fname, u32* min_len, u32* max_len, if (!*lptr) FATAL("Empty keyword in line %u.", cur_line); - /* Okay, let's allocate memory and copy data between "...", handling - \xNN escaping, \\, and \". */ + /* 好的,我们来分配内存并在 "..." 之间复制数据,同时处理 \xNN 转义、\ 和 "*/ extras = ck_realloc_block(extras, (extras_cnt + 1) * sizeof(struct extra_data)); @@ -1686,7 +1647,7 @@ static void load_extras_file(u8* fname, u32* min_len, u32* max_len, } -/* Read extras from the extras directory and sort them by size. */ +/* 从extras目录中读取extras,并按大小排序。 */ static void load_extras(u8* dir) { @@ -1695,7 +1656,7 @@ static void load_extras(u8* dir) { u32 min_len = MAX_DICT_FILE, max_len = 0, dict_level = 0; u8* x; - /* If the name ends with @, extract level and continue. */ + /* 如果名称以@结尾,则提取level并继续 */ if ((x = strchr(dir, '@'))) { @@ -1730,7 +1691,7 @@ static void load_extras(u8* dir) { if (lstat(fn, &st) || access(fn, R_OK)) PFATAL("Unable to access '%s'", fn); - /* This also takes care of . and .. */ + /* 这也照顾.和. . */ if (!S_ISREG(st.st_mode) || !st.st_size) { ck_free(fn); @@ -1788,7 +1749,7 @@ check_and_sort: -/* Helper function for maybe_add_auto() */ +/* maybe_add_auto()的辅助函数 */ static inline u8 memcmp_nocase(u8* m1, u8* m2, u32 len) { @@ -1798,24 +1759,24 @@ static inline u8 memcmp_nocase(u8* m1, u8* m2, u32 len) { } -/* Maybe add automatic extra. */ +/* 也许可以加上自动附加功能 */ static void maybe_add_auto(u8* mem, u32 len) { u32 i; - /* Allow users to specify that they don't want auto dictionaries. */ + /* 允许用户指定他们不需要自动字典 */ if (!MAX_AUTO_EXTRAS || !USE_AUTO_EXTRAS) return; - /* Skip runs of identical bytes. */ + /* 跳过相同字节的运行 */ for (i = 1; i < len; i++) if (mem[0] ^ mem[i]) break; if (i == len) return; - /* Reject builtin interesting values. */ + /* 拒绝内置有趣的值 */ if (len == 2) { @@ -1837,9 +1798,7 @@ static void maybe_add_auto(u8* mem, u32 len) { } - /* Reject anything that matches existing extras. Do a case-insensitive - match. We optimize by exploiting the fact that extras[] are sorted - by size. */ + /* 拒绝任何与现有额外内容匹配的条目。进行不区分大小写的匹配。我们通过利用extras[]按大小排序的事实来优化这个过程。 */ for (i = 0; i < extras_cnt; i++) if (extras[i].len >= len) break; @@ -1847,8 +1806,7 @@ static void maybe_add_auto(u8* mem, u32 len) { for (; i < extras_cnt && extras[i].len == len; i++) if (!memcmp_nocase(extras[i].data, mem, len)) return; - /* Last but not least, check a_extras[] for matches. There are no - guarantees of a particular sort order. */ + /* 最后但同样重要的是,检查 a_extras[] 中是否有匹配项。没有保证特定的排序顺序。 */ auto_changed = 1; @@ -1863,9 +1821,8 @@ static void maybe_add_auto(u8* mem, u32 len) { } - /* At this point, looks like we're dealing with a new entry. So, let's - append it if we have room. Otherwise, let's randomly evict some other - entry from the bottom half of the list. */ + /* 在这一点上,看起来我们正在处理一个新的条目。所以,如果有空间的话, + 让我们把它追加上去。否则,让我们从列表的下半部分随机驱逐其他某个条目。 */ if (a_extras_cnt < MAX_AUTO_EXTRAS) { @@ -1891,12 +1848,12 @@ static void maybe_add_auto(u8* mem, u32 len) { sort_a_extras: - /* First, sort all auto extras by use count, descending order. */ + /* 首先,按使用次数降序对所有自动附加项进行排序 */ qsort(a_extras, a_extras_cnt, sizeof(struct extra_data), compare_extras_use_d); - /* Then, sort the top USE_AUTO_EXTRAS entries by size. */ + /* 然后,按大小对最上面的USE_AUTO_EXTRAS条目进行排序 */ qsort(a_extras, MIN(USE_AUTO_EXTRAS, a_extras_cnt), sizeof(struct extra_data), compare_extras_len); @@ -1904,7 +1861,7 @@ sort_a_extras: } -/* Save automatically generated extras. */ +/* 保存自动生成的附加内容 */ static void save_auto(void) { @@ -1932,7 +1889,7 @@ static void save_auto(void) { } -/* Load automatically generated extras. */ +/* 加载自动生成的附加内容 */ static void load_auto(void) { @@ -1954,8 +1911,7 @@ static void load_auto(void) { } - /* We read one byte more to cheaply detect tokens that are too - long (and skip them). */ + /* 我们多读了一个字节,以低成本检测过长的标记(并跳过它们) */ len = read(fd, tmp, MAX_AUTO_EXTRA + 1); @@ -1975,7 +1931,7 @@ static void load_auto(void) { } -/* Destroy extras. */ +/* 销毁额外的数据 */ static void destroy_extras(void) { @@ -1994,13 +1950,12 @@ static void destroy_extras(void) { } -/* Spin up fork server (instrumented mode only). The idea is explained here: +/* 启动fork服务器(仅在插桩模式下)。这个想法在这里有解释: - http://lcamtuf.blogspot.com/2014/10/fuzzing-binaries-without-execve.html +http://lcamtuf.blogspot.com/2014/10/fuzzing-binaries-without-execve.html - In essence, the instrumentation allows us to skip execve(), and just keep - cloning a stopped child. So, we just execute once, and then send commands - through a pipe. The other part of this logic is in afl-as.h. */ +本质上,插桩允许我们跳过execve(),只需持续克隆一个已停止的子进程。 +因此,我们只需要执行一次,然后通过管道发送命令。这部分逻辑的另一部分在afl-as.h中。 */ EXP_ST void init_forkserver(char** argv) { @@ -2021,13 +1976,12 @@ EXP_ST void init_forkserver(char** argv) { struct rlimit r; - /* Umpf. On OpenBSD, the default fd limit for root users is set to - soft 128. Let's try to fix that... */ + /* 在OpenBSD上,默认的文件描述符(fd)限制对于root用户设置为软限制128。让我们尝试修复这个问题... */ if (!getrlimit(RLIMIT_NOFILE, &r) && r.rlim_cur < FORKSRV_FD + 2) { r.rlim_cur = FORKSRV_FD + 2; - setrlimit(RLIMIT_NOFILE, &r); /* Ignore errors */ + setrlimit(RLIMIT_NOFILE, &r); /* 忽略错误 */ } @@ -2037,13 +1991,12 @@ EXP_ST void init_forkserver(char** argv) { #ifdef RLIMIT_AS - setrlimit(RLIMIT_AS, &r); /* Ignore errors */ + setrlimit(RLIMIT_AS, &r); /* 忽略错误 */ #else - /* This takes care of OpenBSD, which doesn't have RLIMIT_AS, but - according to reliable sources, RLIMIT_DATA covers anonymous - maps - so we should be getting good protection against OOM bugs. */ + /* 这考虑到了OpenBSD,它没有RLIMIT_AS,但根据可靠来源, + RLIMIT_DATA涵盖了匿名映射——因此我们应该能够很好地防止内存溢出(OOM)错误。 */ setrlimit(RLIMIT_DATA, &r); /* Ignore errors */ @@ -2052,15 +2005,13 @@ EXP_ST void init_forkserver(char** argv) { } - /* Dumping cores is slow and can lead to anomalies if SIGKILL is delivered - before the dump is complete. */ + /* 转储核心(core dumping)是缓慢的,如果在转储完成之前发送了SIGKILL信号,可能会导致异常。 */ r.rlim_max = r.rlim_cur = 0; setrlimit(RLIMIT_CORE, &r); /* Ignore errors */ - /* Isolate the process and configure standard descriptors. If out_file is - specified, stdin is /dev/null; otherwise, out_fd is cloned instead. */ + /* 隔离进程并配置标准描述符。如果指定了out_file,那么stdin就是/dev/null;否则,会克隆out_fd。*/ setsid(); @@ -2078,7 +2029,7 @@ EXP_ST void init_forkserver(char** argv) { } - /* Set up control and status pipes, close the unneeded original fds. */ + /* 建立控制和状态管道,关闭不需要的原始文件。 */ if (dup2(ctl_pipe[0], FORKSRV_FD) < 0) PFATAL("dup2() failed"); if (dup2(st_pipe[1], FORKSRV_FD + 1) < 0) PFATAL("dup2() failed"); @@ -2093,20 +2044,19 @@ EXP_ST void init_forkserver(char** argv) { close(dev_urandom_fd); close(fileno(plot_file)); - /* This should improve performance a bit, since it stops the linker from - doing extra work post-fork(). */ + /* 这应该会稍微提高性能,因为它阻止了链接器在fork()之后进行额外的工作。 */ if (!getenv("LD_BIND_LAZY")) setenv("LD_BIND_NOW", "1", 0); - /* Set sane defaults for ASAN if nothing else specified. */ + /* 如果没有其他指定,则为ASAN设置相同的默认值。 */ setenv("ASAN_OPTIONS", "abort_on_error=1:" "detect_leaks=0:" "symbolize=0:" "allocator_may_return_null=1", 0); - /* MSAN is tricky, because it doesn't support abort_on_error=1 at this - point. So, we do this in a very hacky way. */ + /* MSAN(MemorySanitizer)有点棘手,因为目前它不支持abort_on_error=1这个选项。 + 因此,我们用一种非常hacky(即临时、不正规)的方式来实现这一点。 */ setenv("MSAN_OPTIONS", "exit_code=" STRINGIFY(MSAN_ERROR) ":" "symbolize=0:" @@ -2116,15 +2066,14 @@ EXP_ST void init_forkserver(char** argv) { execv(target_path, argv); - /* Use a distinctive bitmap signature to tell the parent about execv() - falling through. */ + /* 使用一个独特的位图签名来告诉父进程execv()调用已经成功执行。*/ *(u32*)trace_bits = EXEC_FAIL_SIG; exit(0); } - /* Close the unneeded endpoints. */ + /* 关闭不需要的端点 */ close(ctl_pipe[0]); close(st_pipe[1]); @@ -2132,7 +2081,7 @@ EXP_ST void init_forkserver(char** argv) { fsrv_ctl_fd = ctl_pipe[1]; fsrv_st_fd = st_pipe[0]; - /* Wait for the fork server to come up, but don't wait too long. */ + /* 等待分叉服务器启动,但不要等待太久 */ it.it_value.tv_sec = ((exec_tmout * FORK_WAIT_MULT) / 1000); it.it_value.tv_usec = ((exec_tmout * FORK_WAIT_MULT) % 1000) * 1000; @@ -2146,8 +2095,7 @@ EXP_ST void init_forkserver(char** argv) { setitimer(ITIMER_REAL, &it, NULL); - /* If we have a four-byte "hello" message from the server, we're all set. - Otherwise, try to figure out what went wrong. */ + /* 如果我们从服务器收到了一个四字节的'hello'消息,那么一切就绪。否则,尝试弄清楚出了什么问题。 */ if (rlen == 4) { OKF("All right - fork server is up."); @@ -2284,8 +2232,7 @@ EXP_ST void init_forkserver(char** argv) { } -/* Execute target application, monitoring for timeouts. Return status - information. The called program will update trace_bits[]. */ +/* 执行目标应用程序,监控超时情况。返回状态信息。被调用的程序将更新trace_bits[] */ static u8 run_target(char** argv, u32 timeout) { @@ -2298,17 +2245,13 @@ static u8 run_target(char** argv, u32 timeout) { child_timed_out = 0; - /* After this memset, trace_bits[] are effectively volatile, so we - must prevent any earlier operations from venturing into that - territory. */ + /* 在这次memset之后,trace_bits[]实际上变成了易失性的,因此我们必须阻止任何早期操作进入该领域。 */ memset(trace_bits, 0, MAP_SIZE); MEM_BARRIER(); - /* If we're running in "dumb" mode, we can't rely on the fork server - logic compiled into the target program, so we will just keep calling - execve(). There is a bit of code duplication between here and - init_forkserver(), but c'est la vie. */ + /* 如果我们在‘dump’模式下运行,我们不能依赖于目标程序中编译的fork服务器逻辑,所以我们将不断调用execve()。 + 这里的代码和init_forkserver()之间有一些重复,但这就是生活。 */ if (dumb_mode == 1 || no_forkserver) { @@ -2326,11 +2269,11 @@ static u8 run_target(char** argv, u32 timeout) { #ifdef RLIMIT_AS - setrlimit(RLIMIT_AS, &r); /* Ignore errors */ + setrlimit(RLIMIT_AS, &r); /* 忽略错误 */ #else - setrlimit(RLIMIT_DATA, &r); /* Ignore errors */ + setrlimit(RLIMIT_DATA, &r); /* 忽略错误 */ #endif /* ^RLIMIT_AS */ @@ -2338,10 +2281,9 @@ static u8 run_target(char** argv, u32 timeout) { r.rlim_max = r.rlim_cur = 0; - setrlimit(RLIMIT_CORE, &r); /* Ignore errors */ + setrlimit(RLIMIT_CORE, &r); /* 忽略错误 */ - /* Isolate the process and configure standard descriptors. If out_file is - specified, stdin is /dev/null; otherwise, out_fd is cloned instead. */ + /* 隔离进程并配置标准描述符。如果指定了out_file,那么stdin就是/dev/null;否则,将克隆out_fd。 */ setsid(); @@ -2359,14 +2301,14 @@ static u8 run_target(char** argv, u32 timeout) { } - /* On Linux, would be faster to use O_CLOEXEC. Maybe TODO. */ + /* 在Linux上,使用O_CLOEXEC会更快。也许TODO */ close(dev_null_fd); close(out_dir_fd); close(dev_urandom_fd); close(fileno(plot_file)); - /* Set sane defaults for ASAN if nothing else specified. */ + /* 如果没有其他指定,则为ASAN设置相同的默认值 */ setenv("ASAN_OPTIONS", "abort_on_error=1:" "detect_leaks=0:" @@ -2379,8 +2321,7 @@ static u8 run_target(char** argv, u32 timeout) { execv(target_path, argv); - /* Use a distinctive bitmap value to tell the parent about execv() - falling through. */ + /* 使用一个独特的位图值来告知父进程execv()调用已经顺利执行 */ *(u32*)trace_bits = EXEC_FAIL_SIG; exit(0); @@ -2391,8 +2332,7 @@ static u8 run_target(char** argv, u32 timeout) { s32 res; - /* In non-dumb mode, we have the fork server up and running, so simply - tell it to have at it, and then read back PID. */ + /* 在non-dump模式下,我们的fork服务器正在运行,所以只需告诉它开始执行,然后读取返回的PID。 */ if ((res = write(fsrv_ctl_fd, &prev_timed_out, 4)) != 4) { @@ -2412,14 +2352,14 @@ static u8 run_target(char** argv, u32 timeout) { } - /* Configure timeout, as requested by user, then wait for child to terminate. */ + /* 根据用户的要求配置超时,然后等待子进程终止 */ it.it_value.tv_sec = (timeout / 1000); it.it_value.tv_usec = (timeout % 1000) * 1000; setitimer(ITIMER_REAL, &it, NULL); - /* The SIGALRM handler simply kills the child_pid and sets child_timed_out. */ + /* SIGALRM处理程序只是终止child_pid并设置child_timed_out */ if (dumb_mode == 1 || no_forkserver) { @@ -2451,9 +2391,8 @@ static u8 run_target(char** argv, u32 timeout) { total_execs++; - /* Any subsequent operations on trace_bits must not be moved by the - compiler below this point. Past this location, trace_bits[] behave - very normally and do not have to be treated as volatile. */ + /* 编译器不能将对trace_bits的任何后续操作移动到这一点以下。 + 在这个位置之后,trace_bits[]表现得非常正常,不需要被当作易失性的处理。 */ MEM_BARRIER(); @@ -2467,7 +2406,7 @@ static u8 run_target(char** argv, u32 timeout) { prev_timed_out = child_timed_out; - /* Report outcome to caller. */ + /* 向调用者报告结果 */ if (WIFSIGNALED(status) && !stop_soon) { @@ -2479,8 +2418,7 @@ static u8 run_target(char** argv, u32 timeout) { } - /* A somewhat nasty hack for MSAN, which doesn't support abort_on_error and - must use a special exit code. */ + /* 这是针对MSAN的一个有点恶劣的hack,因为MSAN不支持abort_on_error,必须使用一个特殊的退出代码。 */ if (uses_asan && WEXITSTATUS(status) == MSAN_ERROR) { kill_signal = 0; @@ -2490,8 +2428,7 @@ static u8 run_target(char** argv, u32 timeout) { if ((dumb_mode == 1 || no_forkserver) && tb4 == EXEC_FAIL_SIG) return FAULT_ERROR; - /* It makes sense to account for the slowest units only if the testcase was run - under the user defined timeout. */ + /* 只有在测试用例在用户定义的超时下运行时,才有必要只考虑最慢的单元 */ if (!(timeout > exec_tmout) && (slowest_exec_ms < exec_ms)) { slowest_exec_ms = exec_ms; } @@ -2501,9 +2438,7 @@ static u8 run_target(char** argv, u32 timeout) { } -/* Write modified data to file for testing. If out_file is set, the old file - is unlinked and a new one is created. Otherwise, out_fd is rewound and - truncated. */ +/* 将修改后的数据写入文件以进行测试。如果设置了out_file,旧文件将被解除链接,并创建一个新的文件。否则,out_fd将被回卷并截断。 */ static void write_to_testcase(void* mem, u32 len) { @@ -2531,7 +2466,7 @@ static void write_to_testcase(void* mem, u32 len) { } -/* The same, but with an adjustable gap. Used for trimming. */ +/* 相同的,但有一个可调节的间隙。用于修剪。 */ static void write_with_gap(void* mem, u32 len, u32 skip_at, u32 skip_len) { @@ -2564,9 +2499,8 @@ static void write_with_gap(void* mem, u32 len, u32 skip_at, u32 skip_len) { static void show_stats(void); -/* Calibrate a new test case. This is done when processing the input directory - to warn about flaky or otherwise problematic test cases early on; and when - new paths are discovered to detect variable behavior and so on. */ +/* 校准一个新的测试用例。这在处理输入目录时完成,目的是为了提早警告 +关于不稳定或其他有问题的测试用例;以及在发现新路径时,用于检测可变行为等。 */ static u8 calibrate_case(char** argv, struct queue_entry* q, u8* use_mem, u32 handicap, u8 from_queue) { @@ -2582,9 +2516,8 @@ static u8 calibrate_case(char** argv, struct queue_entry* q, u8* use_mem, u32 use_tmout = exec_tmout; u8* old_sn = stage_name; - /* Be a bit more generous about timeouts when resuming sessions, or when - trying to calibrate already-added finds. This helps avoid trouble due - to intermittent latency. */ + /* 在恢复会话或尝试校准已经添加的发现时,对超时更加宽容一些。 + 这有助于避免由于间歇性延迟引起的问题。 */ if (!from_queue || resuming_fuzz) use_tmout = MAX(exec_tmout + CAL_TMOUT_ADD, @@ -2595,8 +2528,7 @@ static u8 calibrate_case(char** argv, struct queue_entry* q, u8* use_mem, stage_name = "calibration"; stage_max = fast_cal ? 3 : CAL_CYCLES; - /* Make sure the forkserver is up before we do anything, and let's not - count its spin-up time toward binary calibration. */ + /* 在我们做任何事情之前,确保fork服务器已经启动,并且我们不将其启动时间计入二进制校准。 */ if (dumb_mode != 1 && !no_forkserver && !forksrv_pid) init_forkserver(argv); @@ -2621,8 +2553,7 @@ static u8 calibrate_case(char** argv, struct queue_entry* q, u8* use_mem, fault = run_target(argv, use_tmout); - /* stop_soon is set by the handler for Ctrl+C. When it's pressed, - we want to bail out quickly. */ + /* 如果按下Ctrl+C,stop_soon会被设置,我们希望快速退出。 */ if (stop_soon || fault != crash_mode) goto abort_calibration; @@ -2671,8 +2602,8 @@ static u8 calibrate_case(char** argv, struct queue_entry* q, u8* use_mem, total_cal_us += stop_us - start_us; total_cal_cycles += stage_max; - /* OK, let's collect some stats about the performance of this test case. - This is used for fuzzing air time calculations in calculate_score(). */ + /* 好的,我们来收集一些关于这个测试用例性能的统计数据。 + 这将用于在calculate_score()中计算模糊测试的时间。 */ q->exec_us = (stop_us - start_us) / stage_max; q->bitmap_size = count_bytes(trace_bits); @@ -2684,9 +2615,8 @@ static u8 calibrate_case(char** argv, struct queue_entry* q, u8* use_mem, update_bitmap_score(q); - /* If this case didn't result in new output from the instrumentation, tell - parent. This is a non-critical problem, but something to warn the user - about. */ + /* 如果这个案例没有产生新的来自插桩的输出,告诉父进程。 + 这是一个非关键性问题,但值得警告用户。 */ if (!dumb_mode && first_run && !fault && !new_bits) fault = FAULT_NOBITS; @@ -2697,7 +2627,7 @@ abort_calibration: queued_with_cov++; } - /* Mark variable paths. */ + /* 标记可变路径。 */ if (var_detected) { @@ -2721,7 +2651,7 @@ abort_calibration: } -/* Examine map coverage. Called once, for first test case. */ +/* 检查地图覆盖率。为第一个测试用例调用一次。 */ static void check_map_coverage(void) { @@ -2737,8 +2667,7 @@ static void check_map_coverage(void) { } -/* Perform dry run of all test cases to confirm that the app is working as - expected. This is done only for the initial inputs, and only once. */ +/* 对所有测试用例执行一次不实际执行的预运行,以确认应用程序按预期工作。这只针对初始输入进行,并且只执行一次。 */ static void perform_dry_run(char** argv) { @@ -2789,9 +2718,7 @@ static void perform_dry_run(char** argv) { if (timeout_given) { - /* The -t nn+ syntax in the command line sets timeout_given to '2' and - instructs afl-fuzz to tolerate but skip queue entries that time - out. */ + /* 命令行中的 -t nn+ 语法将 timeout_given 设置为 '2',并且指示 afl-fuzz 容忍但跳过超时的队列条目。 */ if (timeout_given > 1) { WARNF("Test case results in a timeout (skipping)"); @@ -2942,7 +2869,7 @@ static void perform_dry_run(char** argv) { } -/* Helper function: link() if possible, copy otherwise. */ +/* 辅助函数:link(),如果可能,复制 */ static void link_or_copy(u8* old_path, u8* new_path) { @@ -2974,8 +2901,7 @@ static void link_or_copy(u8* old_path, u8* new_path) { static void nuke_resume_dir(void); -/* Create hard links for input test cases in the output directory, choosing - good names and pivoting accordingly. */ +/* 在输出目录中为输入测试用例创建硬链接,选择合适的名字并相应地进行调整。 */ static void pivot_inputs(void) { @@ -2991,9 +2917,7 @@ static void pivot_inputs(void) { if (!rsl) rsl = q->fname; else rsl++; - /* If the original file name conforms to the syntax and the recorded - ID matches the one we'd assign, just use the original file name. - This is valuable for resuming fuzzing runs. */ + /* 如果原始文件名符合语法,并且记录的ID与我们要分配的ID匹配,就直接使用原始文件名。这对于恢复模糊测试运行非常有价值。 */ #ifndef SIMPLE_FILES # define CASE_PREFIX "id:" @@ -3010,8 +2934,7 @@ static void pivot_inputs(void) { resuming_fuzz = 1; nfn = alloc_printf("%s/queue/%s", out_dir, rsl); - /* Since we're at it, let's also try to find parent and figure out the - appropriate depth for this entry. */ + /* 既然我们已经在做了,让我们也尝试找到父项,并确定这个条目的适当深度。 */ src_str = strchr(rsl + 3, ':'); @@ -3027,8 +2950,7 @@ static void pivot_inputs(void) { } else { - /* No dice - invent a new name, capturing the original one as a - substring. */ + /* 没有成功 - 创建一个新名字,并将原始名字作为子字符串包含在内。 */ #ifndef SIMPLE_FILES @@ -3045,13 +2967,13 @@ static void pivot_inputs(void) { } - /* Pivot to the new queue entry. */ + /* 转向新的队列条目。 */ link_or_copy(q->fname, nfn); ck_free(q->fname); q->fname = nfn; - /* Make sure that the passed_det value carries over, too. */ + /* 确保passd_det值也被传递。 */ if (q->passed_det) mark_as_det_done(q); @@ -3067,8 +2989,7 @@ static void pivot_inputs(void) { #ifndef SIMPLE_FILES -/* Construct a file name for a new test case, capturing the operation - that led to its discovery. Uses a static buffer. */ +/* 为新测试用例构造一个包含导致其被发现的操作的文件名。使用一个静态缓冲区。 */ static u8* describe_op(u8 hnb) { @@ -3109,7 +3030,7 @@ static u8* describe_op(u8 hnb) { #endif /* !SIMPLE_FILES */ -/* Write a message accompanying the crash directory :-) */ +/* 为崩溃目录写一个伴随消息:-) */ static void write_crash_readme(void) { @@ -3120,7 +3041,7 @@ static void write_crash_readme(void) { fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600); ck_free(fn); - /* Do not die on errors here - that would be impolite. */ + /* 不要死于错误——那是不礼貌的 */ if (fd < 0) return; @@ -3156,9 +3077,8 @@ static void write_crash_readme(void) { } -/* Check if the result of an execve() during routine fuzzing is interesting, - save or queue the input test case for further analysis if so. Returns 1 if - entry is saved, 0 otherwise. */ +/* 检查在常规模糊测试期间的execve()结果是否有趣,如果有趣,则保存 +或将输入测试用例排队以进行进一步分析。如果条目被保存,则返回1,否则返回0。 */ static u8 save_if_interesting(char** argv, void* mem, u32 len, u8 fault) { @@ -3169,8 +3089,7 @@ static u8 save_if_interesting(char** argv, void* mem, u32 len, u8 fault) { if (fault == crash_mode) { - /* Keep only if there are new bits in the map, add to queue for - future fuzzing, etc. */ + /* 仅当映射中有新的位时才保留,将其添加到队列中以供将来的模糊测试等。 */ if (!(hnb = has_new_bits(virgin_bits))) { if (crash_mode) total_crashes++; @@ -3197,8 +3116,7 @@ static u8 save_if_interesting(char** argv, void* mem, u32 len, u8 fault) { queue_top->exec_cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST); - /* Try to calibrate inline; this also calls update_bitmap_score() when - successful. */ + /* 尝试进行内联校准;成功时也会调用update_bitmap_score()。 */ res = calibrate_case(argv, queue_top, mem, queue_cycle - 1, 0); @@ -3218,10 +3136,8 @@ static u8 save_if_interesting(char** argv, void* mem, u32 len, u8 fault) { case FAULT_TMOUT: - /* Timeouts are not very interesting, but we're still obliged to keep - a handful of samples. We use the presence of new bits in the - hang-specific bitmap as a signal of uniqueness. In "dumb" mode, we - just keep everything. */ + /* 超时并不是很有趣的情况,但我们仍然需要保留一些样本。我们使用在特定挂起的 + 位图中出现的新位作为独特性的信号。在“哑”模式下,我们只是保留所有内容。 */ total_tmouts++; @@ -3241,9 +3157,7 @@ static u8 save_if_interesting(char** argv, void* mem, u32 len, u8 fault) { unique_tmouts++; - /* Before saving, we make sure that it's a genuine hang by re-running - the target with a more generous timeout (unless the default timeout - is already generous). */ + /* 在保存之前,我们通过使用更宽裕的超时时间重新运行目标程序来确保这是一个真正的挂起(除非默认的超时时间已经足够宽裕)。*/ if (exec_tmout < hang_tmout) { @@ -3251,9 +3165,7 @@ static u8 save_if_interesting(char** argv, void* mem, u32 len, u8 fault) { write_to_testcase(mem, len); new_fault = run_target(argv, hang_tmout); - /* A corner case that one user reported bumping into: increasing the - timeout actually uncovers a crash. Make sure we don't discard it if - so. */ + /* 一个用户报告的特殊情况:增加超时时间实际上揭示了一个崩溃。确保如果出现这种情况,我们不会丢弃它。 */ if (!stop_soon && new_fault == FAULT_CRASH) goto keep_as_crash; @@ -3283,9 +3195,7 @@ static u8 save_if_interesting(char** argv, void* mem, u32 len, u8 fault) { keep_as_crash: - /* This is handled in a manner roughly similar to timeouts, - except for slightly different limits and no need to re-run test - cases. */ + /* 这与处理超时的方式大致相似,只是限制略有不同,并且不需要重新运行测试用例。 */ total_crashes++; @@ -3330,8 +3240,7 @@ keep_as_crash: } - /* If we're here, we apparently want to save the crash or hang - test case, too. */ + /* 如果我们在这里,显然我们也想要保存崩溃或挂起的测试用例。 */ fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600); if (fd < 0) PFATAL("Unable to create '%s'", fn); @@ -3345,12 +3254,11 @@ keep_as_crash: } -/* When resuming, try to find the queue position to start from. This makes sense - only when resuming, and when we can find the original fuzzer_stats. */ +/* 在恢复时,尝试找到开始的队列位置。这只在恢复时有意义,并且当我们能找到原始的fuzzer_stats时。 */ static u32 find_start_position(void) { - static u8 tmp[4096]; /* Ought to be enough for anybody. */ + static u8 tmp[4096]; /* 对任何人来说都足够了 */ u8 *fn, *off; s32 fd, i; @@ -3379,13 +3287,11 @@ static u32 find_start_position(void) { } -/* The same, but for timeouts. The idea is that when resuming sessions without - -t given, we don't want to keep auto-scaling the timeout over and over - again to prevent it from growing due to random flukes. */ +/* 同样,但针对超时情况。想法是在没有给定-t参数的情况下恢复会话时,我们不想一遍又一遍地自动调整超时时间,以防止它因为随机的异常而不断增长。 */ static void find_timeout(void) { - static u8 tmp[4096]; /* Ought to be enough for anybody. */ + static u8 tmp[4096]; /* 对任何人来说都足够了 */ u8 *fn, *off; s32 fd, i; @@ -3416,7 +3322,7 @@ static void find_timeout(void) { } -/* Update stats file for unattended monitoring. */ +/* 更新无人值守监控的统计文件 */ static void write_stats_file(double bitmap_cvg, double stability, double eps) { @@ -3437,8 +3343,7 @@ static void write_stats_file(double bitmap_cvg, double stability, double eps) { if (!f) PFATAL("fdopen() failed"); - /* Keep last values in case we're called from another context - where exec/sec stats and such are not readily available. */ + /* 保留最后的值,以防我们被调用到另一个上下文中,那里每秒执行次数的统计数据等并不立即可用。 */ if (!bitmap_cvg && !stability && !eps) { bitmap_cvg = last_bcvg; @@ -3461,7 +3366,7 @@ static void write_stats_file(double bitmap_cvg, double stability, double eps) { "paths_found : %u\n" "paths_imported : %u\n" "max_depth : %u\n" - "cur_path : %u\n" /* Must match find_start_position() */ + "cur_path : %u\n" /* 必须匹配find_start_position() */ "pending_favs : %u\n" "pending_total : %u\n" "variable_paths : %u\n" @@ -3473,7 +3378,7 @@ static void write_stats_file(double bitmap_cvg, double stability, double eps) { "last_crash : %llu\n" "last_hang : %llu\n" "execs_since_crash : %llu\n" - "exec_timeout : %u\n" /* Must match find_timeout() */ + "exec_timeout : %u\n" /* 必须匹配find_timeout() */ "afl_banner : %s\n" "afl_version : " VERSION "\n" "target_mode : %s%s%s%s%s%s%s\n" @@ -3495,9 +3400,7 @@ static void write_stats_file(double bitmap_cvg, double stability, double eps) { orig_cmdline, slowest_exec_ms); /* ignore errors */ - /* Get rss value from the children - We must have killed the forkserver process and called waitpid - before calling getrusage */ + /* 从子进程中获取rss值。在调用getrusage之前,我们必须已经杀死了fork服务器进程并调用了waitpid。 */ if (getrusage(RUSAGE_CHILDREN, &usage)) { WARNF("getrusage failed"); } else if (usage.ru_maxrss == 0) { @@ -3515,7 +3418,7 @@ static void write_stats_file(double bitmap_cvg, double stability, double eps) { } -/* Update the plot file if there is a reason to. */ +/* 如果有必要,请更新情节文件。 */ static void maybe_update_plot_file(double bitmap_cvg, double eps) { @@ -3536,7 +3439,7 @@ static void maybe_update_plot_file(double bitmap_cvg, double eps) { prev_uh = unique_hangs; prev_md = max_depth; - /* Fields in the file: + /* 文件中的字段包括:: unix_time, cycles_done, cur_path, paths_total, paths_not_fuzzed, favored_not_fuzzed, unique_crashes, unique_hangs, max_depth, @@ -3554,8 +3457,7 @@ static void maybe_update_plot_file(double bitmap_cvg, double eps) { -/* A helper function for maybe_delete_out_dir(), deleting all prefixed - files in a directory. */ +/* maybe_delete_out_dir()的辅助函数,用于删除目录中所有具有特定前缀的文件 */ static u8 delete_files(u8* path, u8* prefix) { @@ -3586,7 +3488,7 @@ static u8 delete_files(u8* path, u8* prefix) { } -/* Get the number of runnable processes, with some simple smoothing. */ +/* 通过一些简单的平滑,获得可运行进程的数量。 */ static double get_runnable_processes(void) { @@ -3594,17 +3496,13 @@ static double get_runnable_processes(void) { #if defined(__APPLE__) || defined(__FreeBSD__) || defined (__OpenBSD__) - /* I don't see any portable sysctl or so that would quickly give us the - number of runnable processes; the 1-minute load average can be a - semi-decent approximation, though. */ + /*我没有看到任何可移植的sysctl命令或其他工具可以快速给出可运行进程的数量;不过,1分钟负载平均值可以作为一个半像样的近似值。 */ if (getloadavg(&res, 1) != 1) return 0; #else - /* On Linux, /proc/stat is probably the best way; load averages are - computed in funny ways and sometimes don't reflect extremely short-lived - processes well. */ + /* 在Linux上,/proc/stat可能是最佳方式;负载平均值的计算方式有些奇特,有时不能很好地反映非常短暂的进程。 */ FILE* f = fopen("/proc/stat", "r"); u8 tmp[1024]; @@ -3639,7 +3537,7 @@ static double get_runnable_processes(void) { } -/* Delete the temporary directory used for in-place session resume. */ +/* 删除用于就地恢复会话的临时目录。*/ static void nuke_resume_dir(void) { @@ -3678,17 +3576,14 @@ dir_cleanup_failed: } -/* Delete fuzzer output directory if we recognize it as ours, if the fuzzer - is not currently running, and if the last run time isn't too great. */ +/* 如果识别输出目录为我们的,并且fuzzer当前没有在运行,以及上次运行时间不是很长,就删除fuzzer的输出目录。 */ static void maybe_delete_out_dir(void) { FILE* f; u8 *fn = alloc_printf("%s/fuzzer_stats", out_dir); - /* See if the output directory is locked. If yes, bail out. If not, - create a lock that will persist for the lifetime of the process - (this requires leaving the descriptor open).*/ + /* 检查输出目录是否被锁定。如果是,就退出。如果不是,创建一个在进程生命周期内持续存在的锁(这需要保持描述符打开)。*/ out_dir_fd = open(out_dir, O_RDONLY); if (out_dir_fd < 0) PFATAL("Unable to open '%s'", out_dir); @@ -3721,7 +3616,7 @@ static void maybe_delete_out_dir(void) { fclose(f); - /* Let's see how much work is at stake. */ + /* 让我们看看有多少工作要做 */ if (!in_place_resume && last_update - start_time > OUTPUT_GRACE * 60) { @@ -3743,11 +3638,9 @@ static void maybe_delete_out_dir(void) { ck_free(fn); - /* The idea for in-place resume is pretty simple: we temporarily move the old - queue/ to a new location that gets deleted once import to the new queue/ - is finished. If _resume/ already exists, the current queue/ may be - incomplete due to an earlier abort, so we want to use the old _resume/ - dir instead, and we let rename() fail silently. */ + /* 就地恢复的想法非常简单:我们暂时将旧的queue/移动到一个新位置, + 一旦导入到新queue/完成,这个新位置就会被删除。如果_resume/已经存在, + 当前的queue/可能因为之前的中断而不完整,所以我们想使用旧的_resume/目录,我们让rename()默默失败。 */ if (in_place_resume) { @@ -3769,8 +3662,7 @@ static void maybe_delete_out_dir(void) { ACTF("Deleting old session data..."); - /* Okay, let's get the ball rolling! First, we need to get rid of the entries - in /.synced/.../id:*, if any are present. */ + /* 好的,让我们开始吧!首先,如果存在,我们需要清除/.synced/.../id:*中的条目。 */ if (!in_place_resume) { @@ -3780,7 +3672,7 @@ static void maybe_delete_out_dir(void) { } - /* Next, we need to clean up /queue/.state/ subdirectories: */ + /* 接下来,我们需要清理 /queue/.state/ 子目录: */ fn = alloc_printf("%s/queue/.state/deterministic_done", out_dir); if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; @@ -3798,8 +3690,7 @@ static void maybe_delete_out_dir(void) { if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; ck_free(fn); - /* Then, get rid of the .state subdirectory itself (should be empty by now) - and everything matching /queue/id:*. */ + /* 然后,删除 .state 子目录本身(现在应该已经为空),以及所有匹配 /queue/id:* 的内容。 */ fn = alloc_printf("%s/queue/.state", out_dir); if (rmdir(fn) && errno != ENOENT) goto dir_cleanup_failed; @@ -3809,7 +3700,7 @@ static void maybe_delete_out_dir(void) { if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; ck_free(fn); - /* All right, let's do /crashes/id:* and /hangs/id:*. */ + /* 好的,让我们处理 /crashes/id:* 和 /hangs/id:* */ if (!in_place_resume) { @@ -3821,8 +3712,7 @@ static void maybe_delete_out_dir(void) { fn = alloc_printf("%s/crashes", out_dir); - /* Make backup of the crashes directory if it's not empty and if we're - doing in-place resume. */ + /* 如果在进行就地恢复,并且crashes目录不为空,则备份该目录。 */ if (in_place_resume && rmdir(fn)) { @@ -3853,7 +3743,7 @@ static void maybe_delete_out_dir(void) { fn = alloc_printf("%s/hangs", out_dir); - /* Backup hangs, too. */ + /* 备份也挂起了 */ if (in_place_resume && rmdir(fn)) { @@ -3882,7 +3772,7 @@ static void maybe_delete_out_dir(void) { if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; ck_free(fn); - /* And now, for some finishing touches. */ + /* 现在,做一些收尾工作 */ fn = alloc_printf("%s/.cur_input", out_dir); if (unlink(fn) && errno != ENOENT) goto dir_cleanup_failed; @@ -3904,7 +3794,7 @@ static void maybe_delete_out_dir(void) { OKF("Output dir cleanup successful."); - /* Wow... is that all? If yes, celebrate! */ + /* 哇……就这些吗?如果是,那就庆祝吧! */ return; @@ -3927,8 +3817,7 @@ dir_cleanup_failed: static void check_term_size(void); -/* A spiffy retro stats screen! This is called every stats_update_freq - execve() calls, plus in several other circumstances. */ +/* 一个时髦的复古统计屏幕!这在每stats_update_freq次execve()调用时被调用,以及在其他几种情况下。 */ static void show_stats(void) { @@ -3944,15 +3833,15 @@ static void show_stats(void) { cur_ms = get_cur_time(); - /* If not enough time has passed since last UI update, bail out. */ + /* 如果上次UI更新后没有经过足够的时间,就退出。 */ if (cur_ms - last_ms < 1000 / UI_TARGET_HZ) return; - /* Check if we're past the 10 minute mark. */ + /* 检查我们是否过了10分钟。 */ if (cur_ms - start_time > 10 * 60 * 1000) run_over10m = 1; - /* Calculate smoothed exec speed stats. */ + /* 计算平滑执行速度统计。 */ if (!last_execs) { @@ -3963,8 +3852,7 @@ static void show_stats(void) { double cur_avg = ((double)(total_execs - last_execs)) * 1000 / (cur_ms - last_ms); - /* If there is a dramatic (5x+) jump in speed, reset the indicator - more quickly. */ + /* 如果速度有显著(超过5倍)的提升,那么更快速地重置指示器。 */ if (cur_avg * 5 < avg_exec || cur_avg / 5 > avg_exec) avg_exec = cur_avg; @@ -3977,12 +3865,12 @@ static void show_stats(void) { last_ms = cur_ms; last_execs = total_execs; - /* Tell the callers when to contact us (as measured in execs). */ + /* 告诉来电者何时与我们联系(以高管为衡量标准) */ stats_update_freq = avg_exec / (UI_TARGET_HZ * 10); if (!stats_update_freq) stats_update_freq = 1; - /* Do some bitmap stats. */ + /* 做一些位图统计 */ t_bytes = count_non_255_bytes(virgin_bits); t_byte_ratio = ((double)t_bytes * 100) / MAP_SIZE; @@ -3992,7 +3880,7 @@ static void show_stats(void) { else stab_ratio = 100; - /* Roughly every minute, update fuzzer stats and save auto tokens. */ + /* 大约每分钟更新fuzzer统计数据并保存自动标记。 */ if (cur_ms - last_stats_ms > STATS_UPDATE_SEC * 1000) { @@ -4003,7 +3891,7 @@ static void show_stats(void) { } - /* Every now and then, write plot data. */ + /* 每隔一段时间,写一些情节数据。 */ if (cur_ms - last_plot_ms > PLOT_UPDATE_SEC * 1000) { @@ -4012,22 +3900,22 @@ static void show_stats(void) { } - /* Honor AFL_EXIT_WHEN_DONE and AFL_BENCH_UNTIL_CRASH. */ + /* 尊重AFL_EXIT_WHEN_DONE和AFL_BENCH_UNTIL_CRASH。 */ if (!dumb_mode && cycles_wo_finds > 100 && !pending_not_fuzzed && getenv("AFL_EXIT_WHEN_DONE")) stop_soon = 2; if (total_crashes && getenv("AFL_BENCH_UNTIL_CRASH")) stop_soon = 2; - /* If we're not on TTY, bail out. */ + /* 如果我们不在TTY(终端)上,就退出。 */ if (not_on_tty) return; - /* Compute some mildly useful bitmap stats. */ + /* 计算一些稍微有用的位图统计。 */ t_bits = (MAP_SIZE << 3) - count_bits(virgin_bits); - /* Now, for the visuals... */ + /* 现在,对于视觉效果… */ if (clear_screen) { @@ -4049,7 +3937,7 @@ static void show_stats(void) { } - /* Let's start by drawing a centered banner. */ + /* 让我们从绘制居中横幅开始。*/ banner_len = (crash_mode ? 24 : 22) + strlen(VERSION) + strlen(use_banner); banner_pad = (80 - banner_len) / 2; @@ -4061,7 +3949,7 @@ static void show_stats(void) { SAYF("\n%s\n\n", tmp); - /* "Handy" shortcuts for drawing boxes... */ + /* "Handy" 快捷键绘制框… */ #define bSTG bSTART cGRA #define bH2 bH bH @@ -4086,17 +3974,17 @@ static void show_stats(void) { u64 min_wo_finds = (cur_ms - last_path_time) / 1000 / 60; - /* First queue cycle: don't stop now! */ + /* 第一个排队周期:现在不要停下来! */ if (queue_cycle == 1 || min_wo_finds < 15) strcpy(tmp, cMGN); else - /* Subsequent cycles, but we're still making finds. */ + /* 在后续的测试周期中,但我们仍在发现新问题。 */ if (cycles_wo_finds < 25 || min_wo_finds < 30) strcpy(tmp, cYEL); else - /* No finds for a long time and no test cases to try. */ + /* 很长一段时间没有发现,也没有测试用例可以尝试。 */ if (cycles_wo_finds > 100 && !pending_not_fuzzed && min_wo_finds > 120) strcpy(tmp, cLGN); - /* Default: cautiously OK to stop? */ + /* 默认情况:谨慎地询问是否可以停止? */ else strcpy(tmp, cLBL); } @@ -4105,8 +3993,7 @@ static void show_stats(void) { " cycles done : %s%-5s " bSTG bV "\n", DTD(cur_ms, start_time), tmp, DI(queue_cycle - 1)); - /* We want to warn people about not seeing new paths after a full cycle, - except when resuming fuzzing or running in non-instrumented mode. */ + /* 我们想要警告人们,在完成一个完整周期后没有看到新路径的情况,除非是在恢复模糊测试或在非插桩模式下运行。 */ if (!dumb_mode && (last_path_time || resuming_fuzz || queue_cycle == 1 || in_bitmap || crash_mode)) { @@ -4131,8 +4018,7 @@ static void show_stats(void) { SAYF(bSTG bV bSTOP " total paths : " cRST "%-5s " bSTG bV "\n", DI(queued_paths)); - /* Highlight crashes in red if found, denote going over the KEEP_UNIQUE_CRASH - limit with a '+' appended to the count. */ + /* 如果在发现崩溃时用红色高亮显示,并在超过KEEP_UNIQUE_CRASH限制时,在计数后追加一个'+'符号来表示。*/ sprintf(tmp, "%s%s", DI(unique_crashes), (unique_crashes >= KEEP_UNIQUE_CRASH) ? "+" : ""); @@ -4152,9 +4038,8 @@ static void show_stats(void) { SAYF(bVR bH bSTOP cCYA " cycle progress " bSTG bH20 bHB bH bSTOP cCYA " map coverage " bSTG bH bHT bH20 bH2 bH bVL "\n"); - /* This gets funny because we want to print several variable-length variables - together, but then cram them into a fixed-width field - so we need to - put them in a temporary buffer first. */ + /* 这有点有趣,因为我们想要一起打印几个可变长度的变量,但随后又想将它们 + 塞进一个固定宽度的字段——所以我们需要先将它们放入一个临时缓冲区。*/ sprintf(tmp, "%s%s (%0.02f%%)", DI(current_entry), queue_cur->favored ? "" : "*", @@ -4184,7 +4069,7 @@ static void show_stats(void) { sprintf(tmp, "%s (%0.02f%%)", DI(queued_favored), ((double)queued_favored) * 100 / queued_paths); - /* Yeah... it's still going on... halp? */ + /* 是的……它还在继续……帮忙? */ SAYF(bV bSTOP " now trying : " cRST "%-21s " bSTG bV bSTOP " favored paths : " cRST "%-22s " bSTG bV "\n", stage_name, tmp); @@ -4224,7 +4109,7 @@ static void show_stats(void) { } - /* Show a warning about slow execution. */ + /* 显示关于缓慢执行的警告。 */ if (avg_exec < 100) { @@ -4245,7 +4130,7 @@ static void show_stats(void) { SAYF (bSTG bV bSTOP " total tmouts : " cRST "%-22s " bSTG bV "\n", tmp); - /* Aaaalmost there... hold on! */ + /* Aaaalmost那里……坚持住! */ SAYF(bVR bH cCYA bSTOP " fuzzing strategy yields " bSTG bH10 bH bHT bH10 bH5 bHB bH bSTOP cCYA " path geometry " bSTG bH5 bH2 bH bVL "\n"); @@ -4350,7 +4235,7 @@ static void show_stats(void) { SAYF(bV bSTOP " trim : " cRST "%-37s " bSTG bVR bH20 bH2 bH2 bRB "\n" bLB bH30 bH20 bH2 bH bRB bSTOP cRST RESET_G1, tmp); - /* Provide some CPU utilization stats. */ + /* 提供一些CPU利用率统计信息。 */ if (cpu_core_count) { @@ -4359,12 +4244,12 @@ static void show_stats(void) { u8* cpu_color = cCYA; - /* If we could still run one or more processes, use green. */ + /* 如果我们仍然可以运行一个或多个进程,则使用绿色。 */ if (cpu_core_count > 1 && cur_runnable + 1 <= cpu_core_count) cpu_color = cLGN; - /* If we're clearly oversubscribed, use red. */ + /* 如果我们明显超额认购,就用红色。 */ if (!no_cpu_meter_red && cur_utilization >= 150) cpu_color = cLRD; @@ -4399,9 +4284,8 @@ static void show_stats(void) { } -/* Display quick statistics at the end of processing the input directory, - plus a bunch of warnings. Some calibration stuff also ended up here, - along with several hardcoded constants. Maybe clean up eventually. */ +/* 在处理完输入目录后显示快速统计信息,以及一堆警告。一些校准内容也 +最终放在这里,连同几个硬编码的常数。也许最终会清理一下。 */ static void show_init_stats(void) { @@ -4433,7 +4317,7 @@ static void show_init_stats(void) { WARNF(cLRD "The target binary is pretty slow! See %s/perf_tips.txt.", doc_path); - /* Let's keep things moving with slow binaries. */ + /* 让我们继续使用慢二进制代码。 */ if (avg_us > 50000) havoc_div = 10; /* 0-19 execs/sec */ else if (avg_us > 20000) havoc_div = 5; /* 20-49 execs/sec */ @@ -4469,12 +4353,9 @@ static void show_init_stats(void) { if (!timeout_given) { - /* Figure out the appropriate timeout. The basic idea is: 5x average or - 1x max, rounded up to EXEC_TM_ROUND ms and capped at 1 second. + /* 确定合适的超时时间。基本思路是:5倍的平均值或者1倍的最大值,四舍五入到EXEC_TM_ROUND毫秒,并限制在1秒内。 - If the program is slow, the multiplier is lowered to 2x or 3x, because - random scheduler jitter is less likely to have any impact, and because - our patience is wearing thin =) */ +如果程序运行缓慢,乘数会降低到2倍或3倍,因为随机调度抖动不太可能有任何影响,而且我们的耐心正在逐渐减少=) */ if (avg_us > 50000) exec_tmout = avg_us * 2 / 1000; else if (avg_us > 10000) exec_tmout = avg_us * 3 / 1000; @@ -4496,8 +4377,7 @@ static void show_init_stats(void) { } - /* In dumb mode, re-running every timing out test case with a generous time - limit is very expensive, so let's select a more conservative default. */ + /* 在dump模式下,用宽裕的时间限制重新运行每个超时的测试用例代价很高,因此我们选择一个更保守的默认值。 */ if (dumb_mode && !getenv("AFL_HANG_TMOUT")) hang_tmout = MIN(EXEC_TIMEOUT, exec_tmout * 2 + 100); @@ -4507,7 +4387,7 @@ static void show_init_stats(void) { } -/* Find first power of two greater or equal to val (assuming val under +/* 求大于等于val的2的第一次幂(假设val小于 2^31). */ static u32 next_p2(u32 val) { @@ -4519,9 +4399,8 @@ static u32 next_p2(u32 val) { } -/* Trim all new test cases to save cycles when doing deterministic checks. The - trimmer uses power-of-two increments somewhere between 1/16 and 1/1024 of - file size, to keep the stage short and sweet. */ +/* 在进行确定性检查时,修剪所有新的测试用例以节省周期。修剪器使用二的幂次方增加 +量,范围在文件大小的1/16到1/1024之间,以保持这个阶段简短而高效。 */ static u8 trim_case(char** argv, struct queue_entry* q, u8* in_buf) { @@ -4533,23 +4412,20 @@ static u8 trim_case(char** argv, struct queue_entry* q, u8* in_buf) { u32 remove_len; u32 len_p2; - /* Although the trimmer will be less useful when variable behavior is - detected, it will still work to some extent, so we don't check for - this. */ + /* 尽管在检测到可变行为时,修剪器的效用会降低,但它仍然会有一定程度的作用,因此我们不对此进行检查。 */ if (q->len < 5) return 0; stage_name = tmp; bytes_trim_in += q->len; - /* Select initial chunk len, starting with large steps. */ + /* 选择初始块len,从较大的步骤开始。*/ len_p2 = next_p2(q->len); remove_len = MAX(len_p2 / TRIM_START_STEPS, TRIM_MIN_BYTES); - /* Continue until the number of steps gets too high or the stepover - gets too small. */ + /* 继续进行,直到步骤数变得过高或步长变得过小。 */ while (remove_len >= MAX(len_p2 / TRIM_END_STEPS, TRIM_MIN_BYTES)) { @@ -4572,14 +4448,12 @@ static u8 trim_case(char** argv, struct queue_entry* q, u8* in_buf) { if (stop_soon || fault == FAULT_ERROR) goto abort_trimming; - /* Note that we don't keep track of crashes or hangs here; maybe TODO? */ + /* 请注意,我们在这里不跟踪崩溃或挂起;也许做? */ cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST); - /* If the deletion had no impact on the trace, make it permanent. This - isn't perfect for variable-path inputs, but we're just making a - best-effort pass, so it's not a big deal if we end up with false - negatives every now and then. */ + /* 如果删除对跟踪没有影响,使其成为永久性的。这对于变量路径输入来说并不 + 完美,但我们只是在尽力而为,所以如果我们偶尔出现假阴性,也不是什么大问题。 */ if (cksum == q->exec_cksum) { @@ -4591,8 +4465,7 @@ static u8 trim_case(char** argv, struct queue_entry* q, u8* in_buf) { memmove(in_buf + remove_pos, in_buf + remove_pos + trim_avail, move_tail); - /* Let's save a clean trace, which will be needed by - update_bitmap_score once we're done with the trimming stuff. */ + /* 让我们保存一个干净的跟踪信息,在我们完成修剪工作后,update_bitmap_score函数将会需要它。*/ if (!needs_write) { @@ -4603,7 +4476,7 @@ static u8 trim_case(char** argv, struct queue_entry* q, u8* in_buf) { } else remove_pos += remove_len; - /* Since this can be slow, update the screen every now and then. */ + /* 因为这可能很慢,所以要时不时地更新屏幕。 */ if (!(trim_exec++ % stats_update_freq)) show_stats(); stage_cur++; @@ -4614,8 +4487,7 @@ static u8 trim_case(char** argv, struct queue_entry* q, u8* in_buf) { } - /* If we have made changes to in_buf, we also need to update the on-disk - version of the test case. */ + /* 如果我们对in_buf做了更改,我们还需要更新磁盘上的测试用例版本。 */ if (needs_write) { @@ -4643,9 +4515,8 @@ abort_trimming: } -/* Write a modified test case, run program, process results. Handle - error conditions, returning 1 if it's time to bail out. This is - a helper function for fuzz_one(). */ +/* 写入一个修改后的测试用例,运行程序,处理结果。处理错误条件,如果到 +了该退出的时候则返回1。这是fuzz_one()的辅助函数。 */ EXP_ST u8 common_fuzz_stuff(char** argv, u8* out_buf, u32 len) { @@ -4673,8 +4544,7 @@ EXP_ST u8 common_fuzz_stuff(char** argv, u8* out_buf, u32 len) { } else subseq_tmouts = 0; - /* Users can hit us with SIGUSR1 to request the current input - to be abandoned. */ + /* 用户可以通过发送SIGUSR1信号来请求放弃当前的输入。 */ if (skip_requested) { @@ -4684,7 +4554,7 @@ EXP_ST u8 common_fuzz_stuff(char** argv, u8* out_buf, u32 len) { } - /* This handles FAULT_ERROR for us: */ + /* 这将为我们处理FAULT_ERROR: */ queued_discovered += save_if_interesting(argv, out_buf, len, fault); @@ -4696,8 +4566,7 @@ EXP_ST u8 common_fuzz_stuff(char** argv, u8* out_buf, u32 len) { } -/* Helper to choose random block len for block operations in fuzz_one(). - Doesn't return zero, provided that max_len is > 0. */ +/* 在fuzz_one()中用于选择块操作的随机块长度的辅助函数。只要最大长度max_len大于0,就不会返回零。 */ static u32 choose_block_len(u32 limit) { @@ -4739,9 +4608,7 @@ static u32 choose_block_len(u32 limit) { } -/* Calculate case desirability score to adjust the length of havoc fuzzing. - A helper function for fuzz_one(). Maybe some of these constants should - go into config.h. */ +/* 计算案例的期望分数,以调整havoc模糊测试的长度。这是fuzz_one()的辅助函数。也许这些常数中的一些应该放入config.h中。*/ static u32 calculate_score(struct queue_entry* q) { @@ -4749,9 +4616,7 @@ static u32 calculate_score(struct queue_entry* q) { u32 avg_bitmap_size = total_bitmap_size / total_bitmap_entries; u32 perf_score = 100; - /* Adjust score based on execution speed of this path, compared to the - global average. Multiplier ranges from 0.1x to 3x. Fast inputs are - less expensive to fuzz, so we're giving them more air time. */ + /* 根据此路径的执行速度与全局平均速度的比较,调整分数。乘数范围从0.1x到3x。快速输入的模糊测试成本较低,因此我们给予它们更多的测试时间。 */ if (q->exec_us * 0.1 > avg_exec_us) perf_score = 10; else if (q->exec_us * 0.25 > avg_exec_us) perf_score = 25; @@ -4761,8 +4626,7 @@ static u32 calculate_score(struct queue_entry* q) { else if (q->exec_us * 3 < avg_exec_us) perf_score = 200; else if (q->exec_us * 2 < avg_exec_us) perf_score = 150; - /* Adjust score based on bitmap size. The working theory is that better - coverage translates to better targets. Multiplier from 0.25x to 3x. */ + /* 根据位图大小调整分数。工作理论是更好的覆盖率转化为更好的目标。乘数从0.25x到3x。 */ if (q->bitmap_size * 0.3 > avg_bitmap_size) perf_score *= 3; else if (q->bitmap_size * 0.5 > avg_bitmap_size) perf_score *= 2; @@ -4771,9 +4635,7 @@ static u32 calculate_score(struct queue_entry* q) { else if (q->bitmap_size * 2 < avg_bitmap_size) perf_score *= 0.5; else if (q->bitmap_size * 1.5 < avg_bitmap_size) perf_score *= 0.75; - /* Adjust score based on handicap. Handicap is proportional to how late - in the game we learned about this path. Latecomers are allowed to run - for a bit longer until they catch up with the rest. */ + /* 根据handicap(障碍)调整分数。Handicap与我们在游戏中了解这条路径的时间成比例。后来者被允许运行更长时间,直到它们赶上其他路径。 */ if (q->handicap >= 4) { @@ -4787,9 +4649,7 @@ static u32 calculate_score(struct queue_entry* q) { } - /* Final adjustment based on input depth, under the assumption that fuzzing - deeper test cases is more likely to reveal stuff that can't be - discovered with traditional fuzzers. */ + /* 基于输入深度的最终调整,假设模糊测试更深层的测试用例更有可能揭示传统模糊测试工具无法发现的问题。 */ switch (q->depth) { @@ -4801,7 +4661,7 @@ static u32 calculate_score(struct queue_entry* q) { } - /* Make sure that we don't go over limit. */ + /* 确保我们不超过极限 */ if (perf_score > HAVOC_MAX_MULT * 100) perf_score = HAVOC_MAX_MULT * 100; @@ -4810,12 +4670,10 @@ static u32 calculate_score(struct queue_entry* q) { } -/* Helper function to see if a particular change (xor_val = old ^ new) could - be a product of deterministic bit flips with the lengths and stepovers - attempted by afl-fuzz. This is used to avoid dupes in some of the - deterministic fuzzing operations that follow bit flips. We also - return 1 if xor_val is zero, which implies that the old and attempted new - values are identical and the exec would be a waste of time. */ +/* 辅助函数,用于检查特定的变化(xor_val = old ^ new)是否可能是由afl-fuzz尝试的长度 +和步长确定性位翻转产生的结果。这用于避免在一些跟随位翻转的确定性模糊测试操作中的重复 +项。如果xor_val为零,我们也返回1,这意味着旧值和尝试的新值是相同的,执行将是一种时间 +浪费。*/ static u8 could_be_bitflip(u32 xor_val) { @@ -4823,16 +4681,15 @@ static u8 could_be_bitflip(u32 xor_val) { if (!xor_val) return 1; - /* Shift left until first bit set. */ + /* 左移直到第一个位设置 */ while (!(xor_val & 1)) { sh++; xor_val >>= 1; } - /* 1-, 2-, and 4-bit patterns are OK anywhere. */ + /* 1-、2-和4-bit模式在任何地方都是可以的。 */ if (xor_val == 1 || xor_val == 3 || xor_val == 15) return 1; - /* 8-, 16-, and 32-bit patterns are OK only if shift factor is - divisible by 8, since that's the stepover for these ops. */ + /* 8-,、16-、和 32-bit模式只有当位移因子能被8整除时,模式才有效,因为这是这些操作的步长。 */ if (sh & 7) return 0; @@ -4844,8 +4701,7 @@ static u8 could_be_bitflip(u32 xor_val) { } -/* Helper function to see if a particular value is reachable through - arithmetic operations. Used for similar purposes. */ +/* 辅助函数,用于检查是否可以通过算术操作达到某个特定值。用于类似的目的。 */ static u8 could_be_arith(u32 old_val, u32 new_val, u8 blen) { @@ -4853,7 +4709,7 @@ static u8 could_be_arith(u32 old_val, u32 new_val, u8 blen) { if (old_val == new_val) return 1; - /* See if one-byte adjustments to any byte could produce this result. */ + /* 看看对任何字节进行一个字节的调整是否会产生此结果。 */ for (i = 0; i < blen; i++) { @@ -4864,7 +4720,7 @@ static u8 could_be_arith(u32 old_val, u32 new_val, u8 blen) { } - /* If only one byte differs and the values are within range, return 1. */ + /* 如果只有一个字节不同并且值在范围内,则返回1。*/ if (diffs == 1) { @@ -4875,7 +4731,7 @@ static u8 could_be_arith(u32 old_val, u32 new_val, u8 blen) { if (blen == 1) return 0; - /* See if two-byte adjustments to any byte would produce this result. */ + /* 看看对任何字节进行两个字节的调整是否会产生此结果。 */ diffs = 0; @@ -4888,7 +4744,7 @@ static u8 could_be_arith(u32 old_val, u32 new_val, u8 blen) { } - /* If only one word differs and the values are within range, return 1. */ + /* 如果只有一个字不同且值在范围内,则返回1。 */ if (diffs == 1) { @@ -4902,7 +4758,7 @@ static u8 could_be_arith(u32 old_val, u32 new_val, u8 blen) { } - /* Finally, let's do the same thing for dwords. */ + /* 最后,让我们对dwords做同样的事情。 */ if (blen == 4) { @@ -4922,11 +4778,9 @@ static u8 could_be_arith(u32 old_val, u32 new_val, u8 blen) { } -/* Last but not least, a similar helper to see if insertion of an - interesting integer is redundant given the insertions done for - shorter blen. The last param (check_le) is set if the caller - already executed LE insertion for current blen and wants to see - if BE variant passed in new_val is unique. */ +/* 最后但同样重要的是,一个类似的辅助函数,用于检查在给定较短blen的插入操作后, +插入一个有趣的整数是否是多余的。最后一个参数(check_le)如果设置,意味着调用者 +已经为当前blen执行了LE(小端)插入,并希望查看传入的新值中的BE(大端)变体是否是唯一的。 */ static u8 could_be_interest(u32 old_val, u32 new_val, u8 blen, u8 check_le) {