add feature list

README.md

@@ -28,6 +28,8 @@ terms of the Apache-2.0 License. See the [LICENSE](LICENSE) for details.
 
 Here is some information to get you started:
 
+* To get you started with tutorials, go to
+  [docs/tutorials.md](docs/tutorials.md).
 * For releases, see the
   [Releases tab](https://github.com/AFLplusplus/AFLplusplus/releases) and
   [branches](#branches). The best branches to use are however `stable` or
@@ -41,8 +43,6 @@ Here is some information to get you started:
   `afl-clang-fast` with `AFL_LLVM_CMPLOG=1`. You can find the `aflplusplus`
   default configuration on Google's
   [fuzzbench](https://github.com/google/fuzzbench/tree/master/fuzzers/aflplusplus).
-* To get you started with tutorials, go to
-  [docs/tutorials.md](docs/tutorials.md).
 
 ## Building and installing AFL++
 
@@ -58,7 +58,8 @@ This image is automatically generated when a push to the stable repo happens
 (see [branches](#branches)). You will find your target source code in `/src` in
 the container.
 
-To build AFL++ yourself, continue at [docs/INSTALL.md](docs/INSTALL.md).
+To build AFL++ yourself - which we recommend - continue at
+[docs/INSTALL.md](docs/INSTALL.md).
 
 ## Quick start: Fuzzing with AFL++
 
@@ -128,12 +129,12 @@ Questions? Concerns? Bug reports?
 * Take a look at our [FAQ](docs/FAQ.md). If you find an interesting or important
   question missing, submit it via
   [https://github.com/AFLplusplus/AFLplusplus/discussions](https://github.com/AFLplusplus/AFLplusplus/discussions).
-* There is a mailing list for the AFL/AFL++ project
+* Best: join the [Awesome Fuzzing](https://discord.gg/gCraWct) Discord server.
+* There is a (not really used)  mailing list for the AFL/AFL++ project
   ([browse archive](https://groups.google.com/group/afl-users)). To compare
   notes with other users or to get notified about major new features, send an
   email to <afl-users+subscribe@googlegroups.com>, but note that this is not
   managed by us.
-* Best: join the [Awesome Fuzzing](https://discord.gg/gCraWct) Discord server.
 
 ## Branches
 

docs/features.md

@@ -5,19 +5,55 @@ QEMU 5.1 with laf-intel and redqueen, FRIDA mode, unicorn mode, gcc plugin, full
 *BSD, Mac OS, Solaris and Android support and much, much, much more.
 
 | Feature/Instrumentation       | afl-gcc | llvm      | gcc_plugin | FRIDA mode(9)    | QEMU mode(10)    |unicorn_mode(10)  |nyx_mode(12)|coresight_mode(11)|
-| -------------------------|:-------:|:---------:|:----------:|:----------------:|:----------------:|:----------------:|:----------:|:----------------:|
-| Threadsafe counters      |         |     x(3)  |            |                  |                  |                  |     x      |                  |
-| NeverZero                | x86[_64]|     x(1)  |     x      |         x        |         x        |         x        |            |                  |
-| Persistent Mode          |         |     x     |     x      | x86[_64]/arm64   | x86[_64]/arm[64] |         x        |            |                  |
-| LAF-Intel / CompCov      |         |     x     |            |                  | x86[_64]/arm[64] | x86[_64]/arm[64] | x86[_64]   |                  |
-| CmpLog                   |         |     x     |            | x86[_64]/arm64   | x86[_64]/arm[64] |                  |            |                  |
-| Selective Instrumentation|         |     x     |     x      |         x        |         x        |                  |            |                  |
-| Non-Colliding Coverage   |         |     x(4)  |            |                  |        (x)(5)    |                  |            |                  |
-| Ngram prev_loc Coverage  |         |     x(6)  |            |                  |                  |                  |            |                  |
-| Context Coverage         |         |     x(6)  |            |                  |                  |                  |            |                  |
-| Auto Dictionary          |         |     x(7)  |            |                  |                  |                  |            |                  |
-| Snapshot Support         |         |    (x)(8) |    (x)(8)  |                  |        (x)(5)    |                  |     x      |                  |
-| Shared Memory Test cases |         |     x     |     x      | x86[_64]/arm64   |         x        |         x        |     x      |                  |
+| ------------------------------|:-------:|:---------:|:----------:|:----------------:|:----------------:|:----------------:|:----------:|:----------------:|
+| Threadsafe counters [A]       |         |     x(3)  |            |                  |                  |                  |     x      |                  |
+| NeverZero           [B]       | x86[_64]|     x(1)  |     x      |         x        |         x        |         x        |            |                  |
+| Persistent Mode     [C]       |         |     x     |     x      | x86[_64]/arm64   | x86[_64]/arm[64] |         x        |            |                  |
+| LAF-Intel / CompCov [D]       |         |     x     |            |                  | x86[_64]/arm[64] | x86[_64]/arm[64] | x86[_64]   |                  |
+| CmpLog              [E]       |         |     x     |            | x86[_64]/arm64   | x86[_64]/arm[64] |                  |            |                  |
+| Selective Instrumentation [F] |         |     x     |     x      |         x        |         x        |                  |            |                  |
+| Non-Colliding Coverage    [G] |         |     x(4)  |            |                  |        (x)(5)    |                  |            |                  |
+| Ngram prev_loc Coverage   [H] |         |     x(6)  |            |                  |                  |                  |            |                  |
+| Context Coverage    [I]       |         |     x(6)  |            |                  |                  |                  |            |                  |
+| Auto Dictionary     [J]       |         |     x(7)  |            |                  |                  |                  |            |                  |
+| Snapshot Support    (K)       |         |    (x)(8) |    (x)(8)  |                  |        (x)(5)    |                  |     x      |                  |
+| Shared Memory Test cases  [L] |         |     x     |     x      | x86[_64]/arm64   |         x        |         x        |     x      |                  |
+
+A. Default is not thread-safe coverage counter updates for better performance,
+   see [instrumentation/README.llvm.md](../instrumentation/README.llvm.md)
+B. On wrapping coverage counters (255 + 1) skip the 0 value and jump to 1
+   instead. This has shown to give better coverage data and is the default;
+   see [instrumentation/README.llvm.md](../instrumentation/README.llvm.md)
+C. Instead of forking, reiterate the fuzz target function in a loop (like
+   `LLVMFuzzerTestOneInput`. Great speed increase but only work with target
+   functions that does not keep state, leak memory or exit;
+   see [instrumentation/README.persistent_mode.md](../instrumentation/README.persistent_mode.md)
+D. Split any non-8-bit comparison to 8 bit comparison;
+   see [instrumentation/README.laf-intel.md](../instrumentation/README.laf-intel.md)
+E. CmpLog is our enhanced [Redqueen](https://www.ndss-symposium.org/ndss-paper/redqueen-fuzzing-with-input-to-state-correspondence/)
+   implementation, see see [instrumentation/README.cmplog.md](../instrumentation/README.cmplog.md)
+F. Similar and compatible to clang 13+ sancov sanitize-coverage-allow/deny but
+   for all llvm versions and all our compile modes, only instrument what should
+   be instrumented, for more speed, directed fuzzing and less instability;
+   see [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md)
+G. Vanilla AFL uses coverage where edges could collide to the same coverage
+   bytes the larger the target is. Our default instrumentation in LTO and
+   afl-clang-fast (PCGUARD) uses non-colliding coverage that also makes it
+   faster. Vanilla AFL style is available with `AFL_LLVM_INSTRUMENT=AFL`;
+   see [instrumentation/README.llvm.md](../instrumentation/README.llvm.md)
+H.+I. Alternative coverage based on previous edges (NGRAM) or depending on the
+   caller (CTX), based on 
+   [https://www.usenix.org/system/files/raid2019-wang-jinghan.pdf](https://www.usenix.org/system/files/raid2019-wang-jinghan.pdf);
+   see [instrumentation/README.llvm.md](../instrumentation/README.llvm.md)
+J. An LTO feature that creates a fuzzing dictionary based on comparisons found
+   during compilation/instrumentation. Automatic feature :)
+   See [instrumentation/README.lto.md](../instrumentation/README.lto.md)
+K. The snapshot feature requires a kernel module that was a lot of work to get
+   right and maintained so it is no longer supported. We have
+   [nyx_mode](../nyx_mode/README.md) instead.
+L. Faster fuzzing and less kernel syscall overhead by in-memory fuzz testcase
+   delivery, see
+   [instrumentation/README.persistent_mode.md](../instrumentation/README.persistent_mode.md)
 
 1. default for LLVM >= 9.0, environment variable for older version due an
    efficiency bug in previous llvm versions

instrumentation/README.cmplog.md

@@ -42,4 +42,4 @@ For example:
 afl-fuzz -i input -o output -c ./program.cmplog -m none -- ./program.afl @@
 ```
 
-Be sure to use `-m none` because CmpLog can map a lot of pages.
+Be careful with the usage of `-m` because CmpLog can map a lot of pages.