improve docs, enable laf compare if float is set

README.md

@@ -436,6 +436,9 @@ more useful.
 If you just use one CPU for fuzzing, then you are fuzzing just for fun and not
 seriously :-)
 
+Pro tip: load the [afl++ snapshot module](https://github.com/AFLplusplus/AFL-Snapshot-LKM) before start afl-fuzz as this improves
+performance by a x2 speed increase!
+
 #### a) running afl-fuzz
 
 Before to do even a test run of afl-fuzz execute `sudo afl-system-config` (on
@@ -562,6 +565,15 @@ then you can expect that your fuzzing won't be fruitful anymore.
 However often this just means that you should switch out secondaries for
 others, e.g. custom mutator modules, sync to very different fuzzers, etc.
 
+#### f) improve the speed!
+
+ * Use [persistent mode](llvm_mode/README.persistent_mode.md) (x2-x20 speed increase)
+ * Use the [afl++ snapshot module](https://github.com/AFLplusplus/AFL-Snapshot-LKM) (x2 speed increase)
+ * If you do not use shmem persistent mode, use `AFL_TMPDIR` to point the input file on a tempfs location, see [docs/env_variables.md](docs/env_variables.md)
+ * Improve kernel performance: modify `/etc/default/grub`, set `GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=off l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs nopcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off"`; then `update-grub` and `reboot` (warning: makes the system more insecure)
+ * Running on an `ext2` filesystem with `noatime` mount option will be a bit faster than on any other journaling filesystem
+ * Use your cores! [3.b) Using multiple cores/threads](#b-using-multiple-coresthreads)
+
 ### The End
 
 Check out the [docs/FAQ](docs/FAQ.md) if it maybe answers your question (that

docs/Changelog.md

@@ -23,6 +23,8 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
      - LTO: autodictionary mode is a default
      - LTO: instrim instrumentation disabled, only classic support used
             as it is always better
+     - setting AFL_LLVM_LAF_SPLIT_FLOATS now activates
+       AFL_LLVM_LAF_SPLIT_COMPARES
   - added honggfuzz mangle as a custom mutator in custom_mutators/honggfuzz
   - added afl-frida gum solution to examples/afl_frida (mostly imported
     from https://github.com/meme/hotwax/)

docs/FAQ.md

@@ -2,13 +2,24 @@
 
 ## Contents
 
-  1. [What is an edge?](#what-is-an-edge)
-  2. [Why is my stability below 100%?](#why-is-my-stability-below-100)
-  3. [How can I improve the stability value](#how-can-i-improve-the-stability-value)
+  1. [How to improve the fuzzing speed?](#how-to-improve-the-fuzzing-speed)
+  2. [What is an edge?](#what-is-an-edge)
+  3. [Why is my stability below 100%?](#why-is-my-stability-below-100)
+  4. [How can I improve the stability value](#how-can-i-improve-the-stability-value)
 
 If you find an interesting or important question missing, submit it via
 [https://github.com/AFLplusplus/AFLplusplus/issues](https://github.com/AFLplusplus/AFLplusplus/issues)
 
+## How to improve the fuzzing speed
+
+  1. use [llvm_mode](docs/llvm_mode/README.md): afl-clang-lto (llvm >= 11) or afl-clang-fast (llvm >= 9 recommended)
+  2. Use [persistent mode](llvm_mode/README.persistent_mode.md) (x2-x20 speed increase)
+  3. Use the [afl++ snapshot module](https://github.com/AFLplusplus/AFL-Snapshot-LKM) (x2 speed increase)
+  4. If you do not use shmem persistent mode, use `AFL_TMPDIR` to point the input file on a tempfs location, see [docs/env_variables.md](docs/env_variables.md)
+  5. Improve kernel performance: modify `/etc/default/grub`, set `GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=off l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs nopcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off"`; then `update-grub` and `reboot` (warning: makes the system more insecure)
+  6. Running on an `ext2` filesystem with `noatime` mount option will be a bit faster than on any other journaling filesystem
+  7. Use your cores! [README.md:3.b) Using multiple cores/threads](../README.md#b-using-multiple-coresthreads)
+
 ## What is an "edge"
 
 A program contains `functions`, `functions` contain the compiled machine code.

docs/binaryonly_fuzzing.md

@@ -8,12 +8,17 @@
 
   The following is a description of how these binaries can be fuzzed with afl++
 
+
 ## TL;DR:
 
   qemu_mode in persistent mode is the fastest - if the stability is
   high enough. Otherwise try retrowrite, afl-dyninst and if these
   fail too then standard qemu_mode with AFL_ENTRYPOINT to where you need it.
 
+  If your a target is library use examples/afl_frida/.
+
+  If your target is non-linux then use unicorn_mode/
+
 
 ## QEMU
 
@@ -57,6 +62,20 @@
   As it is included in afl++ this needs no URL.
 
 
+## AFL FRIDA
+
+   If you want to fuzz a binary-only shared library then you can fuzz it with
+   frida-gum via examples/afl_frida/, you will have to write a harness to
+   call the target function in the library, use afl-frida.c as a template.
+
+
+## AFL UNTRACER
+
+   If you want to fuzz a binary-only shared library then you can fuzz it with
+   examples/afl_untracer/, use afl-untracer.c as a template.
+   It is slower than AFL FRIDA (see above).
+
+
 ## DYNINST
 
   Dyninst is a binary instrumentation framework similar to Pintool and

llvm_mode/README.laf-intel.md

@@ -35,8 +35,8 @@ bit_width may be 64, 32 or 16.
 A new experimental feature is splitting floating point comparisons into a
 series of sign, exponent and mantissa comparisons followed by splitting each
 of them into 8 bit comparisons when necessary.
-It is activated with the `AFL_LLVM_LAF_SPLIT_FLOATS` setting, available only
-when `AFL_LLVM_LAF_SPLIT_COMPARES` is set.
+It is activated with the `AFL_LLVM_LAF_SPLIT_FLOATS` setting.
+Note that setting this automatically activates `AFL_LLVM_LAF_SPLIT_COMPARES`
 
 You can also set `AFL_LLVM_LAF_ALL` and have all of the above enabled :-)
 

llvm_mode/afl-clang-fast.c

@@ -268,7 +268,8 @@ static void edit_params(u32 argc, char **argv, char **envp) {
 
   }
 
-  if (getenv("LAF_SPLIT_COMPARES") || getenv("AFL_LLVM_LAF_SPLIT_COMPARES")) {
+  if (getenv("LAF_SPLIT_COMPARES") || getenv("AFL_LLVM_LAF_SPLIT_COMPARES") ||
+      getenv("AFL_LLVM_LAF_SPLIT_FLOATS")) {
 
     cc_params[cc_par_cnt++] = "-Xclang";
     cc_params[cc_par_cnt++] = "-load";