Feature request: separate hangs from crashes

[dkasak]

It would be nice if there was a third parameter, analogous to --crash-dir and --all-tests-dir, for specifying a directory where hangs would be stored. Currently hangs end up mixed with crashes, necessitating another filtering step.

[MarkusTeufelberger]

This was/is not possible to do in a clean way because afl-showmap only returns either 0 (for success), 2 (for a crash) or 1 (otherwise). There might be a way to return 3 (crash + timeout?!), I have yet to see that one though. (https://github.com/mcarpenter/afl/blob/master/afl-showmap.c#L760)

I will try splitting by return codes, but this could still include instances where afl-showmap crashes or doesn't work for other reasons ("afl-showmap foo" returns 1, not -1 or something else), so filtering might still be necessary.

[dkasak]

I think putting return codes 2 and 3 into crashes and 1 into hangs (or some other directory name) might already be an improvement on the current situation. Then whatever ends up in hangs is a hang or a problematic test case on which afl-showmap failed for some reason and crashes contains only true crashes. This is a much better situation since, as it is now, most of the things that end up in ¢rashes end up being hangs instead in my use case.