push to stable (#1960)

* Output afl-clang-fast stuffs only if necessary (#1912) * afl-cc header * afl-cc common declarations - Add afl-cc-state.c - Strip includes, find_object, debug/be_quiet/have_*/callname setting from afl-cc.c - Use debugf_args in main - Modify execvp stuffs to fit new aflcc struct * afl-cc show usage * afl-cc mode selecting 1. compiler_mode by callname in argv[0] 2. compiler_mode by env "AFL_CC_COMPILER" 3. compiler_mode/instrument_mode by command line options "--afl-..." 4. instrument_mode/compiler_mode by various env vars including "AFL_LLVM_INSTRUMENT" 5. final checking steps 6. print "... - mode: %s-%s\n" 7. determine real argv[0] according to compiler_mode * afl-cc macro defs * afl-cc linking behaviors * afl-cc fsanitize behaviors * afl-cc misc * afl-cc body update * afl-cc all-in-one formated with custom-format.py * nits --------- Co-authored-by: vanhauser-thc <vh@thc.org> * changelog * update grammar mutator * lto llvm 12+ * docs(custom_mutators): fix missing ':' (#1953) * Fix broken LTO mode and response file support (#1948) * Strip `-Wl,-no-undefined` during compilation (#1952) Make the compiler wrapper stripping `-Wl,-no-undefined` in addition to `-Wl,--no-undefined`. Both versions of the flag are accepted by clang and, therefore, used by building systems in the wild (e.g., samba will not build without this fix). * Remove dead code in write_to_testcase (#1955) The custom_mutators_count check in if case is duplicate with if condition. The else case is custom_mutators_count == 0, neither custom_mutator_list iteration nor sent check needed. Signed-off-by: Xeonacid <h.dwwwwww@gmail.com> * update qemuafl * WIP: Add ability to generate drcov trace using QEMU backend (#1956) * Document new drcov QEMU plugin * Add link to lightkeeper for QEMU drcov file loading --------- Co-authored-by: Jean-Romain Garnier <jean-romain.garnier@airbus.com> * code format * changelog * sleep on uid != 0 afl-system-config * fix segv about skip_next, warn on unsupported cases of linking options (#1958) * todos * ensure afl-cc only allows available compiler modes * update grammar mutator * disable aslr on apple * fix for arm64 --------- Signed-off-by: Xeonacid <h.dwwwwww@gmail.com> Co-authored-by: Sonic <50692172+SonicStark@users.noreply.github.com> Co-authored-by: Xeonacid <h.dwwwwww@gmail.com> Co-authored-by: Nils Bars <nils.bars@rub.de> Co-authored-by: Jean-Romain Garnier <7504819+JRomainG@users.noreply.github.com> Co-authored-by: Jean-Romain Garnier <jean-romain.garnier@airbus.com>
2025-06-13 10:38:07 +00:00 · 2024-01-18 16:17:48 +01:00
parent 358cd1b062
commit 0c054f520e
13 changed files with 2750 additions and 2326 deletions
--- a/GNUmakefile.llvm
+++ b/GNUmakefile.llvm
@ -51,7 +51,7 @@ LLVM_TOO_OLD = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^[1-9]
 LLVM_NEW_API = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[0-9]' && echo 1 || echo 0 )
 LLVM_NEWER_API = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[6-9]' && echo 1 || echo 0 )
 LLVM_13_OK = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[3-9]' && echo 1 || echo 0 )
-LLVM_HAVE_LTO = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[1-9]' && echo 1 || echo 0 )
+LLVM_HAVE_LTO = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[2-9]' && echo 1 || echo 0 )
 LLVM_BINDIR = $(shell $(LLVM_CONFIG) --bindir 2>/dev/null)
 LLVM_LIBDIR = $(shell $(LLVM_CONFIG) --libdir 2>/dev/null)
 LLVM_STDCXX = gnu++11
@ -95,12 +95,12 @@ ifeq "$(LLVM_NEWER_API)" "1"
 endif
 ifeq "$(LLVM_HAVE_LTO)" "1"
-  $(info [+] llvm_mode detected llvm 11+, enabling afl-lto LTO implementation)
+  $(info [+] llvm_mode detected llvm 12+, enabling afl-lto LTO implementation)
  LLVM_LTO = 1
 endif
 ifeq "$(LLVM_LTO)" "0"
-  $(info [+] llvm_mode detected llvm < 11, afl-lto LTO will not be build.)
+  $(info [+] llvm_mode detected llvm < 12, afl-lto LTO will not be build.)
 endif
 ifeq "$(LLVM_APPLE_XCODE)" "1"
--- a/8
+++ b/8
@ -38,6 +38,7 @@ fi
 echo
 PLATFORM=`uname -s`
 ARCH=`uname -m`
 # check that we're on Mac
 if [[ "$PLATFORM" = "Darwin" ]] ; then
@ -87,6 +88,13 @@ if [[ "$PLATFORM" = "Darwin" ]] ; then
 </plist>
 EOF
  if [[ "$ARCH" = "x86_64" ]]; then
    echo "Disabling ASLR system wide"
    nvram boot-args="no_aslr=1"
  else
    echo NOTICE: on ARM64 we do not know currently how to disable system wide ASLR, please report if you know how.
  fi
  echo
  echo "Reboot and enjoy your fuzzing"
  exit 0
--- a/1
+++ b/1
@ -25,6 +25,7 @@ echo "WARNING: this reduces the security of the system!"
 echo
 if [ '!' "$EUID" = 0 ] && [ '!' `id -u` = 0 ] ; then
 	echo "Warning: you need to be root to run this!"
 	sleep 1
 	# we do not exit as other mechanisms exist that allows to do this than
 	# being root. let the errors speak for themselves.
 fi
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@ -9,15 +9,23 @@
      explore is slightly better now.
    - fixed minor issues in the mutation engine, thanks to @futhewo for
      reporting!
  - afl-cc:
    - large rewrite by @SonicStark which fixes a few corner cases, thanks!
    - LTO mode now requires llvm 12+
  - instrumentation:
    - LLVM 18 support, thanks to @devnexen!
    - Injection (SQL, LDAP, XSS) feature now available, see
      `instrumentation/README.injections.md` how to activate/use/expand.
    - compcov/LAF-intel:
      - floating point splitting bug fix by @hexcoder
-      - due a bug in LLVM 17 integer splitting is disabled!
+      - due a bug in LLVM 17 integer splitting is disabled there!
      - when splitting floats was selected, integers were always split as well,
-        fixed to require AFL_LLVM_LAF_SPLIT_COMPARES as it should
+        fixed to require AFL_LLVM_LAF_SPLIT_COMPARES or _ALL as it should
  - qemu_mode:
    - plugins are now activated by default and a new module is included that
      produces drcov compatible traces for lighthouse/lightkeeper/...
      thanks to @JRomainG to submitting!
  - updated the custom grammar mutator
 ### Version ++4.09c (release)
--- a/docs/custom_mutators.md
+++ b/docs/custom_mutators.md
@ -73,7 +73,7 @@ def init(seed):
 def fuzz_count(buf):
    return cnt
-def splice_optout()
+def splice_optout():
    pass
 def fuzz(buf, add_buf, max_size):
--- a/include/envs.h
+++ b/include/envs.h
@ -16,255 +16,104 @@ static char *afl_environment_deprecated[] = {
 static char *afl_environment_variables[] = {
-    "AFL_ALIGNED_ALLOC",
+    "AFL_ALIGNED_ALLOC", "AFL_ALLOW_TMP", "AFL_ANALYZE_HEX", "AFL_AS",
-    "AFL_ALLOW_TMP",
+    "AFL_AUTORESUME", "AFL_AS_FORCE_INSTRUMENT", "AFL_BENCH_JUST_ONE",
-    "AFL_ANALYZE_HEX",
+    "AFL_BENCH_UNTIL_CRASH", "AFL_CAL_FAST", "AFL_CC", "AFL_CC_COMPILER",
-    "AFL_AS",
+    "AFL_CMIN_ALLOW_ANY", "AFL_CMIN_CRASHES_ONLY", "AFL_CMPLOG_ONLY_NEW",
-    "AFL_AUTORESUME",
+    "AFL_CODE_END", "AFL_CODE_START", "AFL_COMPCOV_BINNAME",
-    "AFL_AS_FORCE_INSTRUMENT",
+    "AFL_COMPCOV_LEVEL", "AFL_CRASH_EXITCODE",
-    "AFL_BENCH_JUST_ONE",
+    "AFL_CRASHING_SEEDS_AS_NEW_CRASH", "AFL_CUSTOM_MUTATOR_LIBRARY",
-    "AFL_BENCH_UNTIL_CRASH",
+    "AFL_CUSTOM_MUTATOR_ONLY", "AFL_CUSTOM_INFO_PROGRAM",
-    "AFL_CAL_FAST",
+    "AFL_CUSTOM_INFO_PROGRAM_ARGV", "AFL_CUSTOM_INFO_PROGRAM_INPUT",
-    "AFL_CC",
+    "AFL_CUSTOM_INFO_OUT", "AFL_CXX", "AFL_CYCLE_SCHEDULES", "AFL_DEBUG",
-    "AFL_CC_COMPILER",
+    "AFL_DEBUG_CHILD", "AFL_DEBUG_GDB", "AFL_DEBUG_UNICORN", "AFL_DISABLE_TRIM",
-    "AFL_CMIN_ALLOW_ANY",
+    "AFL_DISABLE_LLVM_INSTRUMENTATION", "AFL_DONT_OPTIMIZE",
-    "AFL_CMIN_CRASHES_ONLY",
+    "AFL_DRIVER_STDERR_DUPLICATE_FILENAME", "AFL_DUMB_FORKSRV",
-    "AFL_CMPLOG_ONLY_NEW",
+    "AFL_EARLY_FORKSERVER", "AFL_ENTRYPOINT", "AFL_EXIT_WHEN_DONE",
-    "AFL_CODE_END",
+    "AFL_EXIT_ON_TIME", "AFL_EXIT_ON_SEED_ISSUES", "AFL_FAST_CAL",
-    "AFL_CODE_START",
+    "AFL_FINAL_SYNC", "AFL_FORCE_UI", "AFL_FRIDA_DEBUG_MAPS",
-    "AFL_COMPCOV_BINNAME",
+    "AFL_FRIDA_DRIVER_NO_HOOK", "AFL_FRIDA_EXCLUDE_RANGES",
-    "AFL_COMPCOV_LEVEL",
+    "AFL_FRIDA_INST_CACHE_SIZE", "AFL_FRIDA_INST_COVERAGE_ABSOLUTE",
-    "AFL_CRASH_EXITCODE",
+    "AFL_FRIDA_INST_COVERAGE_FILE", "AFL_FRIDA_INST_DEBUG_FILE",
-    "AFL_CRASHING_SEEDS_AS_NEW_CRASH",
+    "AFL_FRIDA_INST_INSN", "AFL_FRIDA_INST_JIT", "AFL_FRIDA_INST_NO_CACHE",
-    "AFL_CUSTOM_MUTATOR_LIBRARY",
+    "AFL_FRIDA_INST_NO_DYNAMIC_LOAD", "AFL_FRIDA_INST_NO_OPTIMIZE",
-    "AFL_CUSTOM_MUTATOR_ONLY",
+    "AFL_FRIDA_INST_NO_PREFETCH", "AFL_FRIDA_INST_NO_PREFETCH_BACKPATCH",
    "AFL_CUSTOM_INFO_PROGRAM",
    "AFL_CUSTOM_INFO_PROGRAM_ARGV",
    "AFL_CUSTOM_INFO_PROGRAM_INPUT",
    "AFL_CUSTOM_INFO_OUT",
    "AFL_CXX",
    "AFL_CYCLE_SCHEDULES",
    "AFL_DEBUG",
    "AFL_DEBUG_CHILD",
    "AFL_DEBUG_GDB",
    "AFL_DEBUG_UNICORN",
    "AFL_DISABLE_TRIM",
    "AFL_DISABLE_LLVM_INSTRUMENTATION",
    "AFL_DONT_OPTIMIZE",
    "AFL_DRIVER_STDERR_DUPLICATE_FILENAME",
    "AFL_DUMB_FORKSRV",
    "AFL_EARLY_FORKSERVER",
    "AFL_ENTRYPOINT",
    "AFL_EXIT_WHEN_DONE",
    "AFL_EXIT_ON_TIME",
    "AFL_EXIT_ON_SEED_ISSUES",
    "AFL_FAST_CAL",
    "AFL_FINAL_SYNC",
    "AFL_FORCE_UI",
    "AFL_FRIDA_DEBUG_MAPS",
    "AFL_FRIDA_DRIVER_NO_HOOK",
    "AFL_FRIDA_EXCLUDE_RANGES",
    "AFL_FRIDA_INST_CACHE_SIZE",
    "AFL_FRIDA_INST_COVERAGE_ABSOLUTE",
    "AFL_FRIDA_INST_COVERAGE_FILE",
    "AFL_FRIDA_INST_DEBUG_FILE",
    "AFL_FRIDA_INST_INSN",
    "AFL_FRIDA_INST_JIT",
    "AFL_FRIDA_INST_NO_CACHE",
    "AFL_FRIDA_INST_NO_DYNAMIC_LOAD",
    "AFL_FRIDA_INST_NO_OPTIMIZE",
    "AFL_FRIDA_INST_NO_PREFETCH",
    "AFL_FRIDA_INST_NO_PREFETCH_BACKPATCH",
    "AFL_FRIDA_INST_NO_SUPPRESS"
    "AFL_FRIDA_INST_RANGES",
-    "AFL_FRIDA_INST_REGS_FILE",
+    "AFL_FRIDA_INST_REGS_FILE", "AFL_FRIDA_INST_SEED", "AFL_FRIDA_INST_TRACE",
-    "AFL_FRIDA_INST_SEED",
+    "AFL_FRIDA_INST_TRACE_UNIQUE", "AFL_FRIDA_INST_UNSTABLE_COVERAGE_FILE",
-    "AFL_FRIDA_INST_TRACE",
+    "AFL_FRIDA_JS_SCRIPT", "AFL_FRIDA_OUTPUT_STDOUT", "AFL_FRIDA_OUTPUT_STDERR",
-    "AFL_FRIDA_INST_TRACE_UNIQUE",
+    "AFL_FRIDA_PERSISTENT_ADDR", "AFL_FRIDA_PERSISTENT_CNT",
-    "AFL_FRIDA_INST_UNSTABLE_COVERAGE_FILE",
+    "AFL_FRIDA_PERSISTENT_DEBUG", "AFL_FRIDA_PERSISTENT_HOOK",
-    "AFL_FRIDA_JS_SCRIPT",
+    "AFL_FRIDA_PERSISTENT_RET", "AFL_FRIDA_STALKER_ADJACENT_BLOCKS",
-    "AFL_FRIDA_OUTPUT_STDOUT",
+    "AFL_FRIDA_STALKER_IC_ENTRIES", "AFL_FRIDA_STALKER_NO_BACKPATCH",
-    "AFL_FRIDA_OUTPUT_STDERR",
+    "AFL_FRIDA_STATS_FILE", "AFL_FRIDA_STATS_INTERVAL", "AFL_FRIDA_TRACEABLE",
    "AFL_FRIDA_PERSISTENT_ADDR",
    "AFL_FRIDA_PERSISTENT_CNT",
    "AFL_FRIDA_PERSISTENT_DEBUG",
    "AFL_FRIDA_PERSISTENT_HOOK",
    "AFL_FRIDA_PERSISTENT_RET",
    "AFL_FRIDA_STALKER_ADJACENT_BLOCKS",
    "AFL_FRIDA_STALKER_IC_ENTRIES",
    "AFL_FRIDA_STALKER_NO_BACKPATCH",
    "AFL_FRIDA_STATS_FILE",
    "AFL_FRIDA_STATS_INTERVAL",
    "AFL_FRIDA_TRACEABLE",
    "AFL_FRIDA_VERBOSE",
    "AFL_FUZZER_ARGS",  // oss-fuzz
-    "AFL_FUZZER_STATS_UPDATE_INTERVAL",
+    "AFL_FUZZER_STATS_UPDATE_INTERVAL", "AFL_GDB", "AFL_GCC_ALLOWLIST",
-    "AFL_GDB",
+    "AFL_GCC_DENYLIST", "AFL_GCC_BLOCKLIST", "AFL_GCC_INSTRUMENT_FILE",
-    "AFL_GCC_ALLOWLIST",
+    "AFL_GCC_OUT_OF_LINE", "AFL_GCC_SKIP_NEVERZERO", "AFL_GCJ",
-    "AFL_GCC_DENYLIST",
+    "AFL_HANG_TMOUT", "AFL_FORKSRV_INIT_TMOUT", "AFL_HARDEN",
-    "AFL_GCC_BLOCKLIST",
+    "AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES", "AFL_IGNORE_PROBLEMS",
-    "AFL_GCC_INSTRUMENT_FILE",
+    "AFL_IGNORE_PROBLEMS_COVERAGE", "AFL_IGNORE_SEED_PROBLEMS",
-    "AFL_GCC_OUT_OF_LINE",
+    "AFL_IGNORE_TIMEOUTS", "AFL_IGNORE_UNKNOWN_ENVS", "AFL_IMPORT_FIRST",
-    "AFL_GCC_SKIP_NEVERZERO",
+    "AFL_INPUT_LEN_MIN", "AFL_INPUT_LEN_MAX", "AFL_INST_LIBS", "AFL_INST_RATIO",
-    "AFL_GCJ",
+    "AFL_KEEP_TIMEOUTS", "AFL_KILL_SIGNAL", "AFL_FORK_SERVER_KILL_SIGNAL",
-    "AFL_HANG_TMOUT",
+    "AFL_KEEP_TRACES", "AFL_KEEP_ASSEMBLY", "AFL_LD_HARD_FAIL",
-    "AFL_FORKSRV_INIT_TMOUT",
+    "AFL_LD_LIMIT_MB", "AFL_LD_NO_CALLOC_OVER", "AFL_LD_PASSTHROUGH",
-    "AFL_HARDEN",
+    "AFL_REAL_LD", "AFL_LD_PRELOAD", "AFL_LD_VERBOSE", "AFL_LLVM_ALLOWLIST",
-    "AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES",
+    "AFL_LLVM_DENYLIST", "AFL_LLVM_BLOCKLIST", "AFL_CMPLOG", "AFL_LLVM_CMPLOG",
-    "AFL_IGNORE_PROBLEMS",
+    "AFL_GCC_CMPLOG", "AFL_LLVM_INSTRIM", "AFL_LLVM_CALLER", "AFL_LLVM_CTX",
-    "AFL_IGNORE_PROBLEMS_COVERAGE",
+    "AFL_LLVM_CTX_K", "AFL_LLVM_DICT2FILE", "AFL_LLVM_DICT2FILE_NO_MAIN",
-    "AFL_IGNORE_SEED_PROBLEMS",
+    "AFL_LLVM_DOCUMENT_IDS", "AFL_LLVM_INSTRIM_LOOPHEAD", "AFL_LLVM_INSTRUMENT",
-    "AFL_IGNORE_TIMEOUTS",
+    "AFL_LLVM_LTO_AUTODICTIONARY", "AFL_LLVM_AUTODICTIONARY",
    "AFL_IGNORE_UNKNOWN_ENVS",
    "AFL_IMPORT_FIRST",
    "AFL_INPUT_LEN_MIN",
    "AFL_INPUT_LEN_MAX",
    "AFL_INST_LIBS",
    "AFL_INST_RATIO",
    "AFL_KEEP_TIMEOUTS",
    "AFL_KILL_SIGNAL",
    "AFL_FORK_SERVER_KILL_SIGNAL",
    "AFL_KEEP_TRACES",
    "AFL_KEEP_ASSEMBLY",
    "AFL_LD_HARD_FAIL",
    "AFL_LD_LIMIT_MB",
    "AFL_LD_NO_CALLOC_OVER",
    "AFL_LD_PASSTHROUGH",
    "AFL_REAL_LD",
    "AFL_LD_PRELOAD",
    "AFL_LD_VERBOSE",
    "AFL_LLVM_ALLOWLIST",
    "AFL_LLVM_DENYLIST",
    "AFL_LLVM_BLOCKLIST",
    "AFL_CMPLOG",
    "AFL_LLVM_CMPLOG",
    "AFL_GCC_CMPLOG",
    "AFL_LLVM_INSTRIM",
    "AFL_LLVM_CALLER",
    "AFL_LLVM_CTX",
    "AFL_LLVM_CTX_K",
    "AFL_LLVM_DICT2FILE",
    "AFL_LLVM_DICT2FILE_NO_MAIN",
    "AFL_LLVM_DOCUMENT_IDS",
    "AFL_LLVM_INSTRIM_LOOPHEAD",
    "AFL_LLVM_INSTRUMENT",
    "AFL_LLVM_LTO_AUTODICTIONARY",
    "AFL_LLVM_AUTODICTIONARY",
    "AFL_LLVM_SKIPSINGLEBLOCK",
    // Marker: ADD_TO_INJECTIONS
-    "AFL_LLVM_INJECTIONS_ALL",
+    "AFL_LLVM_INJECTIONS_ALL", "AFL_LLVM_INJECTIONS_SQL",
-    "AFL_LLVM_INJECTIONS_SQL",
+    "AFL_LLVM_INJECTIONS_LDAP", "AFL_LLVM_INJECTIONS_XSS",
-    "AFL_LLVM_INJECTIONS_LDAP",
+    "AFL_LLVM_INSTRIM_SKIPSINGLEBLOCK", "AFL_LLVM_LAF_SPLIT_COMPARES",
-    "AFL_LLVM_INJECTIONS_XSS",
+    "AFL_LLVM_LAF_SPLIT_COMPARES_BITW", "AFL_LLVM_LAF_SPLIT_FLOATS",
-    "AFL_LLVM_INSTRIM_SKIPSINGLEBLOCK",
+    "AFL_LLVM_LAF_SPLIT_SWITCHES", "AFL_LLVM_LAF_ALL",
-    "AFL_LLVM_LAF_SPLIT_COMPARES",
+    "AFL_LLVM_LAF_TRANSFORM_COMPARES", "AFL_LLVM_MAP_ADDR",
-    "AFL_LLVM_LAF_SPLIT_COMPARES_BITW",
+    "AFL_LLVM_MAP_DYNAMIC", "AFL_LLVM_NGRAM_SIZE", "AFL_NGRAM_SIZE",
-    "AFL_LLVM_LAF_SPLIT_FLOATS",
+    "AFL_LLVM_NO_RPATH", "AFL_LLVM_NOT_ZERO", "AFL_LLVM_INSTRUMENT_FILE",
-    "AFL_LLVM_LAF_SPLIT_SWITCHES",
+    "AFL_LLVM_THREADSAFE_INST", "AFL_LLVM_SKIP_NEVERZERO", "AFL_NO_AFFINITY",
-    "AFL_LLVM_LAF_ALL",
+    "AFL_TRY_AFFINITY", "AFL_LLVM_LTO_DONTWRITEID",
    "AFL_LLVM_LAF_TRANSFORM_COMPARES",
    "AFL_LLVM_MAP_ADDR",
    "AFL_LLVM_MAP_DYNAMIC",
    "AFL_LLVM_NGRAM_SIZE",
    "AFL_NGRAM_SIZE",
    "AFL_LLVM_NO_RPATH",
    "AFL_LLVM_NOT_ZERO",
    "AFL_LLVM_INSTRUMENT_FILE",
    "AFL_LLVM_THREADSAFE_INST",
    "AFL_LLVM_SKIP_NEVERZERO",
    "AFL_NO_AFFINITY",
    "AFL_TRY_AFFINITY",
    "AFL_LLVM_LTO_DONTWRITEID",
    "AFL_LLVM_LTO_SKIPINIT"
    "AFL_LLVM_LTO_STARTID",
-    "AFL_FUZZER_LOOPCOUNT",
+    "AFL_FUZZER_LOOPCOUNT", "AFL_NO_ARITH", "AFL_NO_AUTODICT", "AFL_NO_BUILTIN",
    "AFL_NO_ARITH",
    "AFL_NO_AUTODICT",
    "AFL_NO_BUILTIN",
 #if defined USE_COLOR && !defined ALWAYS_COLORED
-    "AFL_NO_COLOR",
+    "AFL_NO_COLOR", "AFL_NO_COLOUR",
    "AFL_NO_COLOUR",
 #endif
    "AFL_NO_CPU_RED",
    "AFL_NO_CFG_FUZZING",  // afl.rs rust crate option
-    "AFL_NO_CRASH_README",
+    "AFL_NO_CRASH_README", "AFL_NO_FORKSRV", "AFL_NO_UI", "AFL_NO_PYTHON",
-    "AFL_NO_FORKSRV",
+    "AFL_NO_STARTUP_CALIBRATION", "AFL_NO_WARN_INSTABILITY",
-    "AFL_NO_UI",
+    "AFL_UNTRACER_FILE", "AFL_LLVM_USE_TRACE_PC", "AFL_MAP_SIZE", "AFL_MAPSIZE",
    "AFL_NO_PYTHON",
    "AFL_NO_STARTUP_CALIBRATION",
    "AFL_NO_WARN_INSTABILITY",
    "AFL_UNTRACER_FILE",
    "AFL_LLVM_USE_TRACE_PC",
    "AFL_MAP_SIZE",
    "AFL_MAPSIZE",
    "AFL_MAX_DET_EXTRAS",
    "AFL_NO_X86",  // not really an env but we dont want to warn on it
-    "AFL_NOOPT",
+    "AFL_NOOPT", "AFL_NYX_AUX_SIZE", "AFL_NYX_DISABLE_SNAPSHOT_MODE",
-    "AFL_NYX_AUX_SIZE",
+    "AFL_NYX_LOG", "AFL_NYX_REUSE_SNAPSHOT", "AFL_PASSTHROUGH", "AFL_PATH",
-    "AFL_NYX_DISABLE_SNAPSHOT_MODE",
+    "AFL_PERFORMANCE_FILE", "AFL_PERSISTENT_RECORD",
-    "AFL_NYX_LOG",
+    "AFL_POST_PROCESS_KEEP_ORIGINAL", "AFL_PRELOAD", "AFL_TARGET_ENV",
-    "AFL_NYX_REUSE_SNAPSHOT",
+    "AFL_PYTHON_MODULE", "AFL_QEMU_CUSTOM_BIN", "AFL_QEMU_COMPCOV",
-    "AFL_PASSTHROUGH",
+    "AFL_QEMU_COMPCOV_DEBUG", "AFL_QEMU_DEBUG_MAPS", "AFL_QEMU_DISABLE_CACHE",
-    "AFL_PATH",
+    "AFL_QEMU_DRIVER_NO_HOOK", "AFL_QEMU_FORCE_DFL", "AFL_QEMU_PERSISTENT_ADDR",
-    "AFL_PERFORMANCE_FILE",
+    "AFL_QEMU_PERSISTENT_CNT", "AFL_QEMU_PERSISTENT_GPR",
-    "AFL_PERSISTENT_RECORD",
+    "AFL_QEMU_PERSISTENT_HOOK", "AFL_QEMU_PERSISTENT_MEM",
-    "AFL_POST_PROCESS_KEEP_ORIGINAL",
+    "AFL_QEMU_PERSISTENT_RET", "AFL_QEMU_PERSISTENT_RETADDR_OFFSET",
-    "AFL_PRELOAD",
+    "AFL_QEMU_PERSISTENT_EXITS", "AFL_QEMU_INST_RANGES",
-    "AFL_TARGET_ENV",
+    "AFL_QEMU_EXCLUDE_RANGES", "AFL_QEMU_SNAPSHOT", "AFL_QEMU_TRACK_UNSTABLE",
-    "AFL_PYTHON_MODULE",
+    "AFL_QUIET", "AFL_RANDOM_ALLOC_CANARY", "AFL_REAL_PATH",
-    "AFL_QEMU_CUSTOM_BIN",
+    "AFL_SHUFFLE_QUEUE", "AFL_SKIP_BIN_CHECK", "AFL_SKIP_CPUFREQ",
-    "AFL_QEMU_COMPCOV",
+    "AFL_SKIP_CRASHES", "AFL_SKIP_OSSFUZZ", "AFL_STATSD", "AFL_STATSD_HOST",
-    "AFL_QEMU_COMPCOV_DEBUG",
+    "AFL_STATSD_PORT", "AFL_STATSD_TAGS_FLAVOR", "AFL_SYNC_TIME",
-    "AFL_QEMU_DEBUG_MAPS",
+    "AFL_TESTCACHE_SIZE", "AFL_TESTCACHE_ENTRIES", "AFL_TMIN_EXACT",
-    "AFL_QEMU_DISABLE_CACHE",
+    "AFL_TMPDIR", "AFL_TOKEN_FILE", "AFL_TRACE_PC", "AFL_USE_ASAN",
-    "AFL_QEMU_DRIVER_NO_HOOK",
+    "AFL_USE_MSAN", "AFL_USE_TRACE_PC", "AFL_USE_UBSAN", "AFL_USE_TSAN",
-    "AFL_QEMU_FORCE_DFL",
+    "AFL_USE_CFISAN", "AFL_USE_LSAN", "AFL_WINE_PATH", "AFL_NO_SNAPSHOT",
-    "AFL_QEMU_PERSISTENT_ADDR",
+    "AFL_EXPAND_HAVOC_NOW", "AFL_USE_FASAN", "AFL_USE_QASAN",
-    "AFL_QEMU_PERSISTENT_CNT",
+    "AFL_PRINT_FILENAMES", "AFL_PIZZA_MODE", NULL
    "AFL_QEMU_PERSISTENT_GPR",
    "AFL_QEMU_PERSISTENT_HOOK",
    "AFL_QEMU_PERSISTENT_MEM",
    "AFL_QEMU_PERSISTENT_RET",
    "AFL_QEMU_PERSISTENT_RETADDR_OFFSET",
    "AFL_QEMU_PERSISTENT_EXITS",
    "AFL_QEMU_INST_RANGES",
    "AFL_QEMU_EXCLUDE_RANGES",
    "AFL_QEMU_SNAPSHOT",
    "AFL_QEMU_TRACK_UNSTABLE",
    "AFL_QUIET",
    "AFL_RANDOM_ALLOC_CANARY",
    "AFL_REAL_PATH",
    "AFL_SHUFFLE_QUEUE",
    "AFL_SKIP_BIN_CHECK",
    "AFL_SKIP_CPUFREQ",
    "AFL_SKIP_CRASHES",
    "AFL_SKIP_OSSFUZZ",
    "AFL_STATSD",
    "AFL_STATSD_HOST",
    "AFL_STATSD_PORT",
    "AFL_STATSD_TAGS_FLAVOR",
    "AFL_SYNC_TIME",
    "AFL_TESTCACHE_SIZE",
    "AFL_TESTCACHE_ENTRIES",
    "AFL_TMIN_EXACT",
    "AFL_TMPDIR",
    "AFL_TOKEN_FILE",
    "AFL_TRACE_PC",
    "AFL_USE_ASAN",
    "AFL_USE_MSAN",
    "AFL_USE_TRACE_PC",
    "AFL_USE_UBSAN",
    "AFL_USE_TSAN",
    "AFL_USE_CFISAN",
    "AFL_USE_LSAN",
    "AFL_WINE_PATH",
    "AFL_NO_SNAPSHOT",
    "AFL_EXPAND_HAVOC_NOW",
    "AFL_USE_FASAN",
    "AFL_USE_QASAN",
    "AFL_PRINT_FILENAMES",
    "AFL_PIZZA_MODE",
    NULL
 };
--- a/qemu_mode/QEMUAFL_VERSION
+++ b/qemu_mode/QEMUAFL_VERSION
@ -1 +1 @@
-a1321713c7
+e63c9af193
--- a/qemu_mode/README.md
+++ b/qemu_mode/README.md
@ -193,12 +193,39 @@ Comparative measurements of execution speed or instrumentation coverage will be
 fairly meaningless if the optimization levels or instrumentation scopes don't
 match.
-## 12) Other features
+## 12) Coverage information
 Coverage information about a run of a target binary can be obtained using a
 dedicated QEMU user mode plugin enabled at runtime: the `drcov.c` plugin
 collects coverage information from the target binary and writes it in the Drcov
 format. This file can then be loaded using tools such as
 [lighthouse](https://github.com/gaasedelen/lighthouse),
 [lightkeeper](https://github.com/WorksButNotTested/lightkeeper) or
 [Cartographer](https://github.com/nccgroup/Cartographer).
 To compile the QEMU TCG plugins, run the following command from the `qemuafl`
 directory:
 ```
 make plugins
 ```
 Plugins can be loaded using either the `QEMU_PLUGIN` environment variable or
 using the `-plugin` option. For example:
 ```
 afl-qemu-trace -plugin qemuafl/build/contrib/plugins/libdrcov.so,arg=filename=/tmp/target.drcov.trace <target> <args>
 ```
 This would execute the target binary with the provided arguments and, once done,
 would write coverage information at `/tmp/target.drcov.trace`.
 ## 13) Other features
 With `AFL_QEMU_FORCE_DFL`, you force QEMU to ignore the registered signal
 handlers of the target.
-## 13) Gotchas, feedback, bugs
+## 14) Gotchas, feedback, bugs
 If you need to fix up checksums or do other cleanups on mutated test cases, see
 `afl_custom_post_process` in custom_mutators/examples/example.c for a viable
@ -217,7 +244,7 @@ program may be utilizing. In particular, it does not appear to have full support
 for AVX2/FMA3. Using binaries for older CPUs or recompiling them with
 `-march=core2`, can help.
-## 14) Alternatives: static rewriting
+## 15) Alternatives: static rewriting
 Statically rewriting binaries just once, instead of attempting to translate them
 at run time, can be a faster alternative. That said, static rewriting is fraught
--- a/qemu_mode/build_qemu_support.sh
+++ b/qemu_mode/build_qemu_support.sh
@ -132,7 +132,10 @@ echo "Building for CPU target $CPU_TARGET"
 # --enable-pie seems to give a couple of exec's a second performance
 # improvement, much to my surprise. Not sure how universal this is..
 # --enable-plugins allows loading TCG plugins at runtime, for example to obtain
 # coverage information, and does not seem to negatively impact performance
 QEMU_CONF_FLAGS=" \
  --enable-plugins \
  --audio-drv-list= \
  --disable-blobs \
  --disable-bochs \
@ -162,7 +165,6 @@ QEMU_CONF_FLAGS=" \
  --disable-numa \
  --disable-opengl \
  --disable-parallels \
  --disable-plugins \
  --disable-qcow1 \
  --disable-qed \
  --disable-rbd \
--- a/qemu_mode/qemuafl
+++ b/qemu_mode/qemuafl
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@ -169,20 +169,16 @@ write_to_testcase(afl_state_t *afl, void **mem, u32 len, u32 fix) {
    }
-    if (unlikely(afl->custom_mutators_count)) {
+    LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, {
-      LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, {
+      if (el->afl_custom_fuzz_send) {
-        if (el->afl_custom_fuzz_send) {
+        el->afl_custom_fuzz_send(el->data, *mem, new_size);
        sent = 1;
-          el->afl_custom_fuzz_send(el->data, *mem, new_size);
+      }
          sent = 1;
-        }
+    });
      });
    }
    if (likely(!sent)) {
@ -203,7 +199,7 @@ write_to_testcase(afl_state_t *afl, void **mem, u32 len, u32 fix) {
    }
-  } else {
+  } else {                                   /* !afl->custom_mutators_count */
    if (unlikely(len < afl->min_length && !fix)) {
@ -215,27 +211,8 @@ write_to_testcase(afl_state_t *afl, void **mem, u32 len, u32 fix) {
    }
-    if (unlikely(afl->custom_mutators_count)) {
+    /* boring uncustom. */
-
+    afl_fsrv_write_to_testcase(&afl->fsrv, *mem, len);
      LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, {
        if (el->afl_custom_fuzz_send) {
          el->afl_custom_fuzz_send(el->data, *mem, len);
          sent = 1;
        }
      });
    }
    if (likely(!sent)) {
      /* boring uncustom. */
      afl_fsrv_write_to_testcase(&afl->fsrv, *mem, len);
    }
  }
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@ -1812,6 +1812,10 @@ int main(int argc, char **argv_orig, char **envp) {
  check_cpu_governor(afl);
  #endif
  #ifdef __APPLE__
  setenv("DYLD_NO_PIE", "1", 0);
  #endif
  if (getenv("LD_PRELOAD")) {
    WARNF(