push to stable (#1960)

* Output afl-clang-fast stuffs only if necessary (#1912) * afl-cc header * afl-cc common declarations - Add afl-cc-state.c - Strip includes, find_object, debug/be_quiet/have_*/callname setting from afl-cc.c - Use debugf_args in main - Modify execvp stuffs to fit new aflcc struct * afl-cc show usage * afl-cc mode selecting 1. compiler_mode by callname in argv[0] 2. compiler_mode by env "AFL_CC_COMPILER" 3. compiler_mode/instrument_mode by command line options "--afl-..." 4. instrument_mode/compiler_mode by various env vars including "AFL_LLVM_INSTRUMENT" 5. final checking steps 6. print "... - mode: %s-%s\n" 7. determine real argv[0] according to compiler_mode * afl-cc macro defs * afl-cc linking behaviors * afl-cc fsanitize behaviors * afl-cc misc * afl-cc body update * afl-cc all-in-one formated with custom-format.py * nits --------- Co-authored-by: vanhauser-thc <vh@thc.org> * changelog * update grammar mutator * lto llvm 12+ * docs(custom_mutators): fix missing ':' (#1953) * Fix broken LTO mode and response file support (#1948) * Strip `-Wl,-no-undefined` during compilation (#1952) Make the compiler wrapper stripping `-Wl,-no-undefined` in addition to `-Wl,--no-undefined`. Both versions of the flag are accepted by clang and, therefore, used by building systems in the wild (e.g., samba will not build without this fix). * Remove dead code in write_to_testcase (#1955) The custom_mutators_count check in if case is duplicate with if condition. The else case is custom_mutators_count == 0, neither custom_mutator_list iteration nor sent check needed. Signed-off-by: Xeonacid <h.dwwwwww@gmail.com> * update qemuafl * WIP: Add ability to generate drcov trace using QEMU backend (#1956) * Document new drcov QEMU plugin * Add link to lightkeeper for QEMU drcov file loading --------- Co-authored-by: Jean-Romain Garnier <jean-romain.garnier@airbus.com> * code format * changelog * sleep on uid != 0 afl-system-config * fix segv about skip_next, warn on unsupported cases of linking options (#1958) * todos * ensure afl-cc only allows available compiler modes * update grammar mutator * disable aslr on apple * fix for arm64 --------- Signed-off-by: Xeonacid <h.dwwwwww@gmail.com> Co-authored-by: Sonic <50692172+SonicStark@users.noreply.github.com> Co-authored-by: Xeonacid <h.dwwwwww@gmail.com> Co-authored-by: Nils Bars <nils.bars@rub.de> Co-authored-by: Jean-Romain Garnier <7504819+JRomainG@users.noreply.github.com> Co-authored-by: Jean-Romain Garnier <jean-romain.garnier@airbus.com>
2025-06-10 17:21:33 +00:00 · 2024-01-18 16:17:48 +01:00 · 2024-01-18 16:17:48 +01:00 · 0c054f520e
commit 0c054f520e
parent 358cd1b062
13 changed files with 2750 additions and 2326 deletions
--- a/GNUmakefile.llvm
+++ b/GNUmakefile.llvm
@ -51,7 +51,7 @@ LLVM_TOO_OLD = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^[1-9]
 LLVM_NEW_API = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[0-9]' && echo 1 || echo 0 )
 LLVM_NEWER_API = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[6-9]' && echo 1 || echo 0 )
 LLVM_13_OK = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[3-9]' && echo 1 || echo 0 )
-LLVM_HAVE_LTO = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[1-9]' && echo 1 || echo 0 )
+LLVM_HAVE_LTO = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[2-9]' && echo 1 || echo 0 )
 LLVM_BINDIR = $(shell $(LLVM_CONFIG) --bindir 2>/dev/null)
 LLVM_LIBDIR = $(shell $(LLVM_CONFIG) --libdir 2>/dev/null)
 LLVM_STDCXX = gnu++11
@ -95,12 +95,12 @@ ifeq "$(LLVM_NEWER_API)" "1"
 endif

 ifeq "$(LLVM_HAVE_LTO)" "1"
-  $(info [+] llvm_mode detected llvm 11+, enabling afl-lto LTO implementation)
+  $(info [+] llvm_mode detected llvm 12+, enabling afl-lto LTO implementation)
  LLVM_LTO = 1
 endif

 ifeq "$(LLVM_LTO)" "0"
-  $(info [+] llvm_mode detected llvm < 11, afl-lto LTO will not be build.)
+  $(info [+] llvm_mode detected llvm < 12, afl-lto LTO will not be build.)
 endif

 ifeq "$(LLVM_APPLE_XCODE)" "1"
--- a/8
+++ b/8
@ -38,6 +38,7 @@ fi

 echo
 PLATFORM=`uname -s`
+ARCH=`uname -m`

 # check that we're on Mac
 if [[ "$PLATFORM" = "Darwin" ]] ; then
@ -87,6 +88,13 @@ if [[ "$PLATFORM" = "Darwin" ]] ; then
 </plist>
 EOF

+  if [[ "$ARCH" = "x86_64" ]]; then
+    echo "Disabling ASLR system wide"
+    nvram boot-args="no_aslr=1"
+  else
+    echo NOTICE: on ARM64 we do not know currently how to disable system wide ASLR, please report if you know how.
+  fi
+
  echo
  echo "Reboot and enjoy your fuzzing"
  exit 0
--- a/1
+++ b/1
@ -25,6 +25,7 @@ echo "WARNING: this reduces the security of the system!"
 echo
 if [ '!' "$EUID" = 0 ] && [ '!' `id -u` = 0 ] ; then
 	echo "Warning: you need to be root to run this!"
+	sleep 1
 	# we do not exit as other mechanisms exist that allows to do this than
 	# being root. let the errors speak for themselves.
 fi
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@ -9,15 +9,23 @@
      explore is slightly better now.
    - fixed minor issues in the mutation engine, thanks to @futhewo for
      reporting!
+  - afl-cc:
+    - large rewrite by @SonicStark which fixes a few corner cases, thanks!
+    - LTO mode now requires llvm 12+
  - instrumentation:
    - LLVM 18 support, thanks to @devnexen!
    - Injection (SQL, LDAP, XSS) feature now available, see
      `instrumentation/README.injections.md` how to activate/use/expand.
    - compcov/LAF-intel:
      - floating point splitting bug fix by @hexcoder
-      - due a bug in LLVM 17 integer splitting is disabled!
+      - due a bug in LLVM 17 integer splitting is disabled there!
      - when splitting floats was selected, integers were always split as well,
-        fixed to require AFL_LLVM_LAF_SPLIT_COMPARES as it should
+        fixed to require AFL_LLVM_LAF_SPLIT_COMPARES or _ALL as it should
+  - qemu_mode:
+    - plugins are now activated by default and a new module is included that
+      produces drcov compatible traces for lighthouse/lightkeeper/...
+      thanks to @JRomainG to submitting!
+  - updated the custom grammar mutator


 ### Version ++4.09c (release)
--- a/docs/custom_mutators.md
+++ b/docs/custom_mutators.md
@ -73,7 +73,7 @@ def init(seed):
 def fuzz_count(buf):
    return cnt

-def splice_optout()
+def splice_optout():
    pass

 def fuzz(buf, add_buf, max_size):
--- a/include/envs.h
+++ b/include/envs.h
@ -16,255 +16,104 @@ static char *afl_environment_deprecated[] = {

 static char *afl_environment_variables[] = {

-    "AFL_ALIGNED_ALLOC",
-    "AFL_ALLOW_TMP",
-    "AFL_ANALYZE_HEX",
-    "AFL_AS",
-    "AFL_AUTORESUME",
-    "AFL_AS_FORCE_INSTRUMENT",
-    "AFL_BENCH_JUST_ONE",
-    "AFL_BENCH_UNTIL_CRASH",
-    "AFL_CAL_FAST",
-    "AFL_CC",
-    "AFL_CC_COMPILER",
-    "AFL_CMIN_ALLOW_ANY",
-    "AFL_CMIN_CRASHES_ONLY",
-    "AFL_CMPLOG_ONLY_NEW",
-    "AFL_CODE_END",
-    "AFL_CODE_START",
-    "AFL_COMPCOV_BINNAME",
-    "AFL_COMPCOV_LEVEL",
-    "AFL_CRASH_EXITCODE",
-    "AFL_CRASHING_SEEDS_AS_NEW_CRASH",
-    "AFL_CUSTOM_MUTATOR_LIBRARY",
-    "AFL_CUSTOM_MUTATOR_ONLY",
-    "AFL_CUSTOM_INFO_PROGRAM",
-    "AFL_CUSTOM_INFO_PROGRAM_ARGV",
-    "AFL_CUSTOM_INFO_PROGRAM_INPUT",
-    "AFL_CUSTOM_INFO_OUT",
-    "AFL_CXX",
-    "AFL_CYCLE_SCHEDULES",
-    "AFL_DEBUG",
-    "AFL_DEBUG_CHILD",
-    "AFL_DEBUG_GDB",
-    "AFL_DEBUG_UNICORN",
-    "AFL_DISABLE_TRIM",
-    "AFL_DISABLE_LLVM_INSTRUMENTATION",
-    "AFL_DONT_OPTIMIZE",
-    "AFL_DRIVER_STDERR_DUPLICATE_FILENAME",
-    "AFL_DUMB_FORKSRV",
-    "AFL_EARLY_FORKSERVER",
-    "AFL_ENTRYPOINT",
-    "AFL_EXIT_WHEN_DONE",
-    "AFL_EXIT_ON_TIME",
-    "AFL_EXIT_ON_SEED_ISSUES",
-    "AFL_FAST_CAL",
-    "AFL_FINAL_SYNC",
-    "AFL_FORCE_UI",
-    "AFL_FRIDA_DEBUG_MAPS",
-    "AFL_FRIDA_DRIVER_NO_HOOK",
-    "AFL_FRIDA_EXCLUDE_RANGES",
-    "AFL_FRIDA_INST_CACHE_SIZE",
-    "AFL_FRIDA_INST_COVERAGE_ABSOLUTE",
-    "AFL_FRIDA_INST_COVERAGE_FILE",
-    "AFL_FRIDA_INST_DEBUG_FILE",
-    "AFL_FRIDA_INST_INSN",
-    "AFL_FRIDA_INST_JIT",
-    "AFL_FRIDA_INST_NO_CACHE",
-    "AFL_FRIDA_INST_NO_DYNAMIC_LOAD",
-    "AFL_FRIDA_INST_NO_OPTIMIZE",
-    "AFL_FRIDA_INST_NO_PREFETCH",
-    "AFL_FRIDA_INST_NO_PREFETCH_BACKPATCH",
+    "AFL_ALIGNED_ALLOC", "AFL_ALLOW_TMP", "AFL_ANALYZE_HEX", "AFL_AS",
+    "AFL_AUTORESUME", "AFL_AS_FORCE_INSTRUMENT", "AFL_BENCH_JUST_ONE",
+    "AFL_BENCH_UNTIL_CRASH", "AFL_CAL_FAST", "AFL_CC", "AFL_CC_COMPILER",
+    "AFL_CMIN_ALLOW_ANY", "AFL_CMIN_CRASHES_ONLY", "AFL_CMPLOG_ONLY_NEW",
+    "AFL_CODE_END", "AFL_CODE_START", "AFL_COMPCOV_BINNAME",
+    "AFL_COMPCOV_LEVEL", "AFL_CRASH_EXITCODE",
+    "AFL_CRASHING_SEEDS_AS_NEW_CRASH", "AFL_CUSTOM_MUTATOR_LIBRARY",
+    "AFL_CUSTOM_MUTATOR_ONLY", "AFL_CUSTOM_INFO_PROGRAM",
+    "AFL_CUSTOM_INFO_PROGRAM_ARGV", "AFL_CUSTOM_INFO_PROGRAM_INPUT",
+    "AFL_CUSTOM_INFO_OUT", "AFL_CXX", "AFL_CYCLE_SCHEDULES", "AFL_DEBUG",
+    "AFL_DEBUG_CHILD", "AFL_DEBUG_GDB", "AFL_DEBUG_UNICORN", "AFL_DISABLE_TRIM",
+    "AFL_DISABLE_LLVM_INSTRUMENTATION", "AFL_DONT_OPTIMIZE",
+    "AFL_DRIVER_STDERR_DUPLICATE_FILENAME", "AFL_DUMB_FORKSRV",
+    "AFL_EARLY_FORKSERVER", "AFL_ENTRYPOINT", "AFL_EXIT_WHEN_DONE",
+    "AFL_EXIT_ON_TIME", "AFL_EXIT_ON_SEED_ISSUES", "AFL_FAST_CAL",
+    "AFL_FINAL_SYNC", "AFL_FORCE_UI", "AFL_FRIDA_DEBUG_MAPS",
+    "AFL_FRIDA_DRIVER_NO_HOOK", "AFL_FRIDA_EXCLUDE_RANGES",
+    "AFL_FRIDA_INST_CACHE_SIZE", "AFL_FRIDA_INST_COVERAGE_ABSOLUTE",
+    "AFL_FRIDA_INST_COVERAGE_FILE", "AFL_FRIDA_INST_DEBUG_FILE",
+    "AFL_FRIDA_INST_INSN", "AFL_FRIDA_INST_JIT", "AFL_FRIDA_INST_NO_CACHE",
+    "AFL_FRIDA_INST_NO_DYNAMIC_LOAD", "AFL_FRIDA_INST_NO_OPTIMIZE",
+    "AFL_FRIDA_INST_NO_PREFETCH", "AFL_FRIDA_INST_NO_PREFETCH_BACKPATCH",
    "AFL_FRIDA_INST_NO_SUPPRESS"
    "AFL_FRIDA_INST_RANGES",
-    "AFL_FRIDA_INST_REGS_FILE",
-    "AFL_FRIDA_INST_SEED",
-    "AFL_FRIDA_INST_TRACE",
-    "AFL_FRIDA_INST_TRACE_UNIQUE",
-    "AFL_FRIDA_INST_UNSTABLE_COVERAGE_FILE",
-    "AFL_FRIDA_JS_SCRIPT",
-    "AFL_FRIDA_OUTPUT_STDOUT",
-    "AFL_FRIDA_OUTPUT_STDERR",
-    "AFL_FRIDA_PERSISTENT_ADDR",
-    "AFL_FRIDA_PERSISTENT_CNT",
-    "AFL_FRIDA_PERSISTENT_DEBUG",
-    "AFL_FRIDA_PERSISTENT_HOOK",
-    "AFL_FRIDA_PERSISTENT_RET",
-    "AFL_FRIDA_STALKER_ADJACENT_BLOCKS",
-    "AFL_FRIDA_STALKER_IC_ENTRIES",
-    "AFL_FRIDA_STALKER_NO_BACKPATCH",
-    "AFL_FRIDA_STATS_FILE",
-    "AFL_FRIDA_STATS_INTERVAL",
-    "AFL_FRIDA_TRACEABLE",
+    "AFL_FRIDA_INST_REGS_FILE", "AFL_FRIDA_INST_SEED", "AFL_FRIDA_INST_TRACE",
+    "AFL_FRIDA_INST_TRACE_UNIQUE", "AFL_FRIDA_INST_UNSTABLE_COVERAGE_FILE",
+    "AFL_FRIDA_JS_SCRIPT", "AFL_FRIDA_OUTPUT_STDOUT", "AFL_FRIDA_OUTPUT_STDERR",
+    "AFL_FRIDA_PERSISTENT_ADDR", "AFL_FRIDA_PERSISTENT_CNT",
+    "AFL_FRIDA_PERSISTENT_DEBUG", "AFL_FRIDA_PERSISTENT_HOOK",
+    "AFL_FRIDA_PERSISTENT_RET", "AFL_FRIDA_STALKER_ADJACENT_BLOCKS",
+    "AFL_FRIDA_STALKER_IC_ENTRIES", "AFL_FRIDA_STALKER_NO_BACKPATCH",
+    "AFL_FRIDA_STATS_FILE", "AFL_FRIDA_STATS_INTERVAL", "AFL_FRIDA_TRACEABLE",
    "AFL_FRIDA_VERBOSE",
    "AFL_FUZZER_ARGS",  // oss-fuzz
-    "AFL_FUZZER_STATS_UPDATE_INTERVAL",
-    "AFL_GDB",
-    "AFL_GCC_ALLOWLIST",
-    "AFL_GCC_DENYLIST",
-    "AFL_GCC_BLOCKLIST",
-    "AFL_GCC_INSTRUMENT_FILE",
-    "AFL_GCC_OUT_OF_LINE",
-    "AFL_GCC_SKIP_NEVERZERO",
-    "AFL_GCJ",
-    "AFL_HANG_TMOUT",
-    "AFL_FORKSRV_INIT_TMOUT",
-    "AFL_HARDEN",
-    "AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES",
-    "AFL_IGNORE_PROBLEMS",
-    "AFL_IGNORE_PROBLEMS_COVERAGE",
-    "AFL_IGNORE_SEED_PROBLEMS",
-    "AFL_IGNORE_TIMEOUTS",
-    "AFL_IGNORE_UNKNOWN_ENVS",
-    "AFL_IMPORT_FIRST",
-    "AFL_INPUT_LEN_MIN",
-    "AFL_INPUT_LEN_MAX",
-    "AFL_INST_LIBS",
-    "AFL_INST_RATIO",
-    "AFL_KEEP_TIMEOUTS",
-    "AFL_KILL_SIGNAL",
-    "AFL_FORK_SERVER_KILL_SIGNAL",
-    "AFL_KEEP_TRACES",
-    "AFL_KEEP_ASSEMBLY",
-    "AFL_LD_HARD_FAIL",
-    "AFL_LD_LIMIT_MB",
-    "AFL_LD_NO_CALLOC_OVER",
-    "AFL_LD_PASSTHROUGH",
-    "AFL_REAL_LD",
-    "AFL_LD_PRELOAD",
-    "AFL_LD_VERBOSE",
-    "AFL_LLVM_ALLOWLIST",
-    "AFL_LLVM_DENYLIST",
-    "AFL_LLVM_BLOCKLIST",
-    "AFL_CMPLOG",
-    "AFL_LLVM_CMPLOG",
-    "AFL_GCC_CMPLOG",
-    "AFL_LLVM_INSTRIM",
-    "AFL_LLVM_CALLER",
-    "AFL_LLVM_CTX",
-    "AFL_LLVM_CTX_K",
-    "AFL_LLVM_DICT2FILE",
-    "AFL_LLVM_DICT2FILE_NO_MAIN",
-    "AFL_LLVM_DOCUMENT_IDS",
-    "AFL_LLVM_INSTRIM_LOOPHEAD",
-    "AFL_LLVM_INSTRUMENT",
-    "AFL_LLVM_LTO_AUTODICTIONARY",
-    "AFL_LLVM_AUTODICTIONARY",
+    "AFL_FUZZER_STATS_UPDATE_INTERVAL", "AFL_GDB", "AFL_GCC_ALLOWLIST",
+    "AFL_GCC_DENYLIST", "AFL_GCC_BLOCKLIST", "AFL_GCC_INSTRUMENT_FILE",
+    "AFL_GCC_OUT_OF_LINE", "AFL_GCC_SKIP_NEVERZERO", "AFL_GCJ",
+    "AFL_HANG_TMOUT", "AFL_FORKSRV_INIT_TMOUT", "AFL_HARDEN",
+    "AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES", "AFL_IGNORE_PROBLEMS",
+    "AFL_IGNORE_PROBLEMS_COVERAGE", "AFL_IGNORE_SEED_PROBLEMS",
+    "AFL_IGNORE_TIMEOUTS", "AFL_IGNORE_UNKNOWN_ENVS", "AFL_IMPORT_FIRST",
+    "AFL_INPUT_LEN_MIN", "AFL_INPUT_LEN_MAX", "AFL_INST_LIBS", "AFL_INST_RATIO",
+    "AFL_KEEP_TIMEOUTS", "AFL_KILL_SIGNAL", "AFL_FORK_SERVER_KILL_SIGNAL",
+    "AFL_KEEP_TRACES", "AFL_KEEP_ASSEMBLY", "AFL_LD_HARD_FAIL",
+    "AFL_LD_LIMIT_MB", "AFL_LD_NO_CALLOC_OVER", "AFL_LD_PASSTHROUGH",
+    "AFL_REAL_LD", "AFL_LD_PRELOAD", "AFL_LD_VERBOSE", "AFL_LLVM_ALLOWLIST",
+    "AFL_LLVM_DENYLIST", "AFL_LLVM_BLOCKLIST", "AFL_CMPLOG", "AFL_LLVM_CMPLOG",
+    "AFL_GCC_CMPLOG", "AFL_LLVM_INSTRIM", "AFL_LLVM_CALLER", "AFL_LLVM_CTX",
+    "AFL_LLVM_CTX_K", "AFL_LLVM_DICT2FILE", "AFL_LLVM_DICT2FILE_NO_MAIN",
+    "AFL_LLVM_DOCUMENT_IDS", "AFL_LLVM_INSTRIM_LOOPHEAD", "AFL_LLVM_INSTRUMENT",
+    "AFL_LLVM_LTO_AUTODICTIONARY", "AFL_LLVM_AUTODICTIONARY",
    "AFL_LLVM_SKIPSINGLEBLOCK",
    // Marker: ADD_TO_INJECTIONS
-    "AFL_LLVM_INJECTIONS_ALL",
-    "AFL_LLVM_INJECTIONS_SQL",
-    "AFL_LLVM_INJECTIONS_LDAP",
-    "AFL_LLVM_INJECTIONS_XSS",
-    "AFL_LLVM_INSTRIM_SKIPSINGLEBLOCK",
-    "AFL_LLVM_LAF_SPLIT_COMPARES",
-    "AFL_LLVM_LAF_SPLIT_COMPARES_BITW",
-    "AFL_LLVM_LAF_SPLIT_FLOATS",
-    "AFL_LLVM_LAF_SPLIT_SWITCHES",
-    "AFL_LLVM_LAF_ALL",
-    "AFL_LLVM_LAF_TRANSFORM_COMPARES",
-    "AFL_LLVM_MAP_ADDR",
-    "AFL_LLVM_MAP_DYNAMIC",
-    "AFL_LLVM_NGRAM_SIZE",
-    "AFL_NGRAM_SIZE",
-    "AFL_LLVM_NO_RPATH",
-    "AFL_LLVM_NOT_ZERO",
-    "AFL_LLVM_INSTRUMENT_FILE",
-    "AFL_LLVM_THREADSAFE_INST",
-    "AFL_LLVM_SKIP_NEVERZERO",
-    "AFL_NO_AFFINITY",
-    "AFL_TRY_AFFINITY",
-    "AFL_LLVM_LTO_DONTWRITEID",
+    "AFL_LLVM_INJECTIONS_ALL", "AFL_LLVM_INJECTIONS_SQL",
+    "AFL_LLVM_INJECTIONS_LDAP", "AFL_LLVM_INJECTIONS_XSS",
+    "AFL_LLVM_INSTRIM_SKIPSINGLEBLOCK", "AFL_LLVM_LAF_SPLIT_COMPARES",
+    "AFL_LLVM_LAF_SPLIT_COMPARES_BITW", "AFL_LLVM_LAF_SPLIT_FLOATS",
+    "AFL_LLVM_LAF_SPLIT_SWITCHES", "AFL_LLVM_LAF_ALL",
+    "AFL_LLVM_LAF_TRANSFORM_COMPARES", "AFL_LLVM_MAP_ADDR",
+    "AFL_LLVM_MAP_DYNAMIC", "AFL_LLVM_NGRAM_SIZE", "AFL_NGRAM_SIZE",
+    "AFL_LLVM_NO_RPATH", "AFL_LLVM_NOT_ZERO", "AFL_LLVM_INSTRUMENT_FILE",
+    "AFL_LLVM_THREADSAFE_INST", "AFL_LLVM_SKIP_NEVERZERO", "AFL_NO_AFFINITY",
+    "AFL_TRY_AFFINITY", "AFL_LLVM_LTO_DONTWRITEID",
    "AFL_LLVM_LTO_SKIPINIT"
    "AFL_LLVM_LTO_STARTID",
-    "AFL_FUZZER_LOOPCOUNT",
-    "AFL_NO_ARITH",
-    "AFL_NO_AUTODICT",
-    "AFL_NO_BUILTIN",
+    "AFL_FUZZER_LOOPCOUNT", "AFL_NO_ARITH", "AFL_NO_AUTODICT", "AFL_NO_BUILTIN",
 #if defined USE_COLOR && !defined ALWAYS_COLORED
-    "AFL_NO_COLOR",
-    "AFL_NO_COLOUR",
+    "AFL_NO_COLOR", "AFL_NO_COLOUR",
 #endif
    "AFL_NO_CPU_RED",
    "AFL_NO_CFG_FUZZING",  // afl.rs rust crate option
-    "AFL_NO_CRASH_README",
-    "AFL_NO_FORKSRV",
-    "AFL_NO_UI",
-    "AFL_NO_PYTHON",
-    "AFL_NO_STARTUP_CALIBRATION",
-    "AFL_NO_WARN_INSTABILITY",
-    "AFL_UNTRACER_FILE",
-    "AFL_LLVM_USE_TRACE_PC",
-    "AFL_MAP_SIZE",
-    "AFL_MAPSIZE",
+    "AFL_NO_CRASH_README", "AFL_NO_FORKSRV", "AFL_NO_UI", "AFL_NO_PYTHON",
+    "AFL_NO_STARTUP_CALIBRATION", "AFL_NO_WARN_INSTABILITY",
+    "AFL_UNTRACER_FILE", "AFL_LLVM_USE_TRACE_PC", "AFL_MAP_SIZE", "AFL_MAPSIZE",
    "AFL_MAX_DET_EXTRAS",
    "AFL_NO_X86",  // not really an env but we dont want to warn on it
-    "AFL_NOOPT",
-    "AFL_NYX_AUX_SIZE",
-    "AFL_NYX_DISABLE_SNAPSHOT_MODE",
-    "AFL_NYX_LOG",
-    "AFL_NYX_REUSE_SNAPSHOT",
-    "AFL_PASSTHROUGH",
-    "AFL_PATH",
-    "AFL_PERFORMANCE_FILE",
-    "AFL_PERSISTENT_RECORD",
-    "AFL_POST_PROCESS_KEEP_ORIGINAL",
-    "AFL_PRELOAD",
-    "AFL_TARGET_ENV",
-    "AFL_PYTHON_MODULE",
-    "AFL_QEMU_CUSTOM_BIN",
-    "AFL_QEMU_COMPCOV",
-    "AFL_QEMU_COMPCOV_DEBUG",
-    "AFL_QEMU_DEBUG_MAPS",
-    "AFL_QEMU_DISABLE_CACHE",
-    "AFL_QEMU_DRIVER_NO_HOOK",
-    "AFL_QEMU_FORCE_DFL",
-    "AFL_QEMU_PERSISTENT_ADDR",
-    "AFL_QEMU_PERSISTENT_CNT",
-    "AFL_QEMU_PERSISTENT_GPR",
-    "AFL_QEMU_PERSISTENT_HOOK",
-    "AFL_QEMU_PERSISTENT_MEM",
-    "AFL_QEMU_PERSISTENT_RET",
-    "AFL_QEMU_PERSISTENT_RETADDR_OFFSET",
-    "AFL_QEMU_PERSISTENT_EXITS",
-    "AFL_QEMU_INST_RANGES",
-    "AFL_QEMU_EXCLUDE_RANGES",
-    "AFL_QEMU_SNAPSHOT",
-    "AFL_QEMU_TRACK_UNSTABLE",
-    "AFL_QUIET",
-    "AFL_RANDOM_ALLOC_CANARY",
-    "AFL_REAL_PATH",
-    "AFL_SHUFFLE_QUEUE",
-    "AFL_SKIP_BIN_CHECK",
-    "AFL_SKIP_CPUFREQ",
-    "AFL_SKIP_CRASHES",
-    "AFL_SKIP_OSSFUZZ",
-    "AFL_STATSD",
-    "AFL_STATSD_HOST",
-    "AFL_STATSD_PORT",
-    "AFL_STATSD_TAGS_FLAVOR",
-    "AFL_SYNC_TIME",
-    "AFL_TESTCACHE_SIZE",
-    "AFL_TESTCACHE_ENTRIES",
-    "AFL_TMIN_EXACT",
-    "AFL_TMPDIR",
-    "AFL_TOKEN_FILE",
-    "AFL_TRACE_PC",
-    "AFL_USE_ASAN",
-    "AFL_USE_MSAN",
-    "AFL_USE_TRACE_PC",
-    "AFL_USE_UBSAN",
-    "AFL_USE_TSAN",
-    "AFL_USE_CFISAN",
-    "AFL_USE_LSAN",
-    "AFL_WINE_PATH",
-    "AFL_NO_SNAPSHOT",
-    "AFL_EXPAND_HAVOC_NOW",
-    "AFL_USE_FASAN",
-    "AFL_USE_QASAN",
-    "AFL_PRINT_FILENAMES",
-    "AFL_PIZZA_MODE",
-    NULL
+    "AFL_NOOPT", "AFL_NYX_AUX_SIZE", "AFL_NYX_DISABLE_SNAPSHOT_MODE",
+    "AFL_NYX_LOG", "AFL_NYX_REUSE_SNAPSHOT", "AFL_PASSTHROUGH", "AFL_PATH",
+    "AFL_PERFORMANCE_FILE", "AFL_PERSISTENT_RECORD",
+    "AFL_POST_PROCESS_KEEP_ORIGINAL", "AFL_PRELOAD", "AFL_TARGET_ENV",
+    "AFL_PYTHON_MODULE", "AFL_QEMU_CUSTOM_BIN", "AFL_QEMU_COMPCOV",
+    "AFL_QEMU_COMPCOV_DEBUG", "AFL_QEMU_DEBUG_MAPS", "AFL_QEMU_DISABLE_CACHE",
+    "AFL_QEMU_DRIVER_NO_HOOK", "AFL_QEMU_FORCE_DFL", "AFL_QEMU_PERSISTENT_ADDR",
+    "AFL_QEMU_PERSISTENT_CNT", "AFL_QEMU_PERSISTENT_GPR",
+    "AFL_QEMU_PERSISTENT_HOOK", "AFL_QEMU_PERSISTENT_MEM",
+    "AFL_QEMU_PERSISTENT_RET", "AFL_QEMU_PERSISTENT_RETADDR_OFFSET",
+    "AFL_QEMU_PERSISTENT_EXITS", "AFL_QEMU_INST_RANGES",
+    "AFL_QEMU_EXCLUDE_RANGES", "AFL_QEMU_SNAPSHOT", "AFL_QEMU_TRACK_UNSTABLE",
+    "AFL_QUIET", "AFL_RANDOM_ALLOC_CANARY", "AFL_REAL_PATH",
+    "AFL_SHUFFLE_QUEUE", "AFL_SKIP_BIN_CHECK", "AFL_SKIP_CPUFREQ",
+    "AFL_SKIP_CRASHES", "AFL_SKIP_OSSFUZZ", "AFL_STATSD", "AFL_STATSD_HOST",
+    "AFL_STATSD_PORT", "AFL_STATSD_TAGS_FLAVOR", "AFL_SYNC_TIME",
+    "AFL_TESTCACHE_SIZE", "AFL_TESTCACHE_ENTRIES", "AFL_TMIN_EXACT",
+    "AFL_TMPDIR", "AFL_TOKEN_FILE", "AFL_TRACE_PC", "AFL_USE_ASAN",
+    "AFL_USE_MSAN", "AFL_USE_TRACE_PC", "AFL_USE_UBSAN", "AFL_USE_TSAN",
+    "AFL_USE_CFISAN", "AFL_USE_LSAN", "AFL_WINE_PATH", "AFL_NO_SNAPSHOT",
+    "AFL_EXPAND_HAVOC_NOW", "AFL_USE_FASAN", "AFL_USE_QASAN",
+    "AFL_PRINT_FILENAMES", "AFL_PIZZA_MODE", NULL

 };

--- a/qemu_mode/QEMUAFL_VERSION
+++ b/qemu_mode/QEMUAFL_VERSION
@ -1 +1 @@
-a1321713c7
+e63c9af193
--- a/qemu_mode/README.md
+++ b/qemu_mode/README.md
@ -193,12 +193,39 @@ Comparative measurements of execution speed or instrumentation coverage will be
 fairly meaningless if the optimization levels or instrumentation scopes don't
 match.

-## 12) Other features
+## 12) Coverage information
+
+Coverage information about a run of a target binary can be obtained using a
+dedicated QEMU user mode plugin enabled at runtime: the `drcov.c` plugin
+collects coverage information from the target binary and writes it in the Drcov
+format. This file can then be loaded using tools such as
+[lighthouse](https://github.com/gaasedelen/lighthouse),
+[lightkeeper](https://github.com/WorksButNotTested/lightkeeper) or
+[Cartographer](https://github.com/nccgroup/Cartographer).
+
+To compile the QEMU TCG plugins, run the following command from the `qemuafl`
+directory:
+
+```
+make plugins
+```
+
+Plugins can be loaded using either the `QEMU_PLUGIN` environment variable or
+using the `-plugin` option. For example:
+
+```
+afl-qemu-trace -plugin qemuafl/build/contrib/plugins/libdrcov.so,arg=filename=/tmp/target.drcov.trace <target> <args>
+```
+
+This would execute the target binary with the provided arguments and, once done,
+would write coverage information at `/tmp/target.drcov.trace`.
+
+## 13) Other features

 With `AFL_QEMU_FORCE_DFL`, you force QEMU to ignore the registered signal
 handlers of the target.

-## 13) Gotchas, feedback, bugs
+## 14) Gotchas, feedback, bugs

 If you need to fix up checksums or do other cleanups on mutated test cases, see
 `afl_custom_post_process` in custom_mutators/examples/example.c for a viable
@ -217,7 +244,7 @@ program may be utilizing. In particular, it does not appear to have full support
 for AVX2/FMA3. Using binaries for older CPUs or recompiling them with
 `-march=core2`, can help.

-## 14) Alternatives: static rewriting
+## 15) Alternatives: static rewriting

 Statically rewriting binaries just once, instead of attempting to translate them
 at run time, can be a faster alternative. That said, static rewriting is fraught
--- a/qemu_mode/build_qemu_support.sh
+++ b/qemu_mode/build_qemu_support.sh
@ -132,7 +132,10 @@ echo "Building for CPU target $CPU_TARGET"

 # --enable-pie seems to give a couple of exec's a second performance
 # improvement, much to my surprise. Not sure how universal this is..
+# --enable-plugins allows loading TCG plugins at runtime, for example to obtain
+# coverage information, and does not seem to negatively impact performance
 QEMU_CONF_FLAGS=" \
+  --enable-plugins \
  --audio-drv-list= \
  --disable-blobs \
  --disable-bochs \
@ -162,7 +165,6 @@ QEMU_CONF_FLAGS=" \
  --disable-numa \
  --disable-opengl \
  --disable-parallels \
-  --disable-plugins \
  --disable-qcow1 \
  --disable-qed \
  --disable-rbd \
--- a/qemu_mode/qemuafl
+++ b/qemu_mode/qemuafl
@ -1 +1 @@
-Subproject commit b0abbe2e74ed74ff6ff25b5ea3110d27ba978001
+Subproject commit e63c9af1937c13163cd1bc8bc276101441cbe70a
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@ -169,20 +169,16 @@ write_to_testcase(afl_state_t *afl, void **mem, u32 len, u32 fix) {

    }

-    if (unlikely(afl->custom_mutators_count)) {
+    LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, {

-      LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, {
+      if (el->afl_custom_fuzz_send) {

-        if (el->afl_custom_fuzz_send) {
+        el->afl_custom_fuzz_send(el->data, *mem, new_size);
+        sent = 1;

-          el->afl_custom_fuzz_send(el->data, *mem, new_size);
-          sent = 1;
+      }

-        }
-
-      });
-
-    }
+    });

    if (likely(!sent)) {

@ -203,7 +199,7 @@ write_to_testcase(afl_state_t *afl, void **mem, u32 len, u32 fix) {

    }

-  } else {
+  } else {                                   /* !afl->custom_mutators_count */

    if (unlikely(len < afl->min_length && !fix)) {

@ -215,27 +211,8 @@ write_to_testcase(afl_state_t *afl, void **mem, u32 len, u32 fix) {

    }

-    if (unlikely(afl->custom_mutators_count)) {
-
-      LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, {
-
-        if (el->afl_custom_fuzz_send) {
-
-          el->afl_custom_fuzz_send(el->data, *mem, len);
-          sent = 1;
-
-        }
-
-      });
-
-    }
-
-    if (likely(!sent)) {
-
-      /* boring uncustom. */
-      afl_fsrv_write_to_testcase(&afl->fsrv, *mem, len);
-
-    }
+    /* boring uncustom. */
+    afl_fsrv_write_to_testcase(&afl->fsrv, *mem, len);

  }

--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@ -1812,6 +1812,10 @@ int main(int argc, char **argv_orig, char **envp) {
  check_cpu_governor(afl);
  #endif

+  #ifdef __APPLE__
+  setenv("DYLD_NO_PIE", "1", 0);
+  #endif
+
  if (getenv("LD_PRELOAD")) {

    WARNF(