determinstic fuzzing is now disabled by default

README.md

@@ -43,9 +43,13 @@ behaviours:
     worth it.
   * When instrumenting targets, afl-cc will not supersede optimizations. This
     allows to fuzz targets as same as they are built for debug or release.
-  * afl-fuzz' `-i` option now descends into subdirectories.
+  * afl-fuzz':
+    * `-i` option now descends into subdirectories.
+    * -m none is now default, set memory limits (in MB) with e.g. -m 250
+    * deterministic fuzzing is now disabled by default (unless using -M) and
+      can be enabled with -D
   * afl-fuzz will skip over empty dictionaries and too-large test cases instead
-    of failing.
+    of failing, and use them as a source for splicing mutations
 
 ## Contents
 

docs/Changelog.md

@@ -15,6 +15,8 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
   - afl-llvm/gcc-rt.o merged into afl-compiler-rt.o
   - afl-fuzz
     - memory limits are now disabled by default, set them with -m if required
+    - deterministic fuzzing is now disabled by default and can be enabled with
+      -D. It is still enabled by default for -M.
     - statsd support by Edznux, thanks a lot!
     - Marcel Boehme submitted a patch that improves all AFFast schedules :)
     - reading testcases from -i now descends into subdirectories

docs/life_pro_tips.md

@@ -85,6 +85,3 @@ You can find a simple solution in examples/argv_fuzzing.
 Remove the checksum-checking code or use a postprocessor!
 See examples/custom_mutators/ for more.
 
-## Dealing with a very slow target or hoping for instant results? 
-
-Specify `-d` when calling afl-fuzz!

docs/status_screen.md

@@ -86,10 +86,7 @@ Every fuzzing session should be allowed to complete at least one cycle; and
 ideally, should run much longer than that.
 
 As noted earlier, the first pass can take a day or longer, so sit back and
-relax. If you want to get broader but more shallow coverage right away, try
-the `-d` option - it gives you a more familiar experience by skipping the
-deterministic fuzzing steps. It is, however, inferior to the standard mode in
-a couple of subtle ways.
+relax. 
 
 To help make the call on when to hit `Ctrl-C`, the cycle counter is color-coded.
 It is shown in magenta during the first pass, progresses to yellow if new finds
@@ -118,9 +115,6 @@ inputs it decided to ditch because they were persistently timing out.
 The "*" suffix sometimes shown in the first line means that the currently
 processed path is not "favored" (a property discussed later on).
 
-If you feel that the fuzzer is progressing too slowly, see the note about the
-`-d` option in this doc.
-
 ### Map coverage
 
 ```

src/afl-fuzz-state.c

@@ -101,6 +101,8 @@ void afl_state_init(afl_state_t *afl, uint32_t map_size) {
   afl->hang_tmout = EXEC_TIMEOUT;
   afl->stats_update_freq = 1;
   afl->stats_avg_exec = -1;
+  afl->skip_deterministic = 1;
+  afl->use_splicing = 1;
 
 #ifdef HAVE_AFFINITY
   afl->cpu_aff = -1;                    /* Selected CPU core                */

src/afl-fuzz.c

@@ -103,6 +103,7 @@ static void usage(u8 *argv0, int more_help) {
       "mode)\n\n"
 
       "Mutator settings:\n"
+      "  -D            - enable deterministic fuzzing (once per queue entry)\n"
       "  -L minutes    - use MOpt(imize) mode and set the time limit for "
       "entering the\n"
       "                  pacemaker mode (minutes of no new paths). 0 = "
@@ -116,7 +117,6 @@ static void usage(u8 *argv0, int more_help) {
       "Fuzzing behavior settings:\n"
       "  -N            - do not unlink the fuzzing input file (for devices "
       "etc.)\n"
-      "  -d            - quick & dirty mode (skips deterministic steps)\n"
       "  -n            - fuzz without instrumentation (non-instrumented mode)\n"
       "  -x dict_file  - fuzzer dictionary (see README.md, specify up to 4 "
       "times)\n\n"
@@ -136,6 +136,7 @@ static void usage(u8 *argv0, int more_help) {
       "  -F path       - sync to a foreign fuzzer queue directory (requires "
       "-M, can\n"
       "                  be specified up to %u times)\n"
+      "  -d            - skip deterministic fuzzing in -M mode\n"
       "  -T text       - text banner to show on the screen\n"
       "  -I command    - execute this command/script when a new crash is "
       "found\n"
@@ -403,6 +404,7 @@ int main(int argc, char **argv_orig, char **envp) {
 
         if (afl->sync_id) { FATAL("Multiple -S or -M options not supported"); }
         afl->sync_id = ck_strdup(optarg);
+        afl->skip_deterministic = 0;
 
         if ((c = strchr(afl->sync_id, ':'))) {
 
@@ -431,8 +433,6 @@ int main(int argc, char **argv_orig, char **envp) {
         if (afl->sync_id) { FATAL("Multiple -S or -M options not supported"); }
         afl->sync_id = ck_strdup(optarg);
         afl->is_secondary_node = 1;
-        afl->skip_deterministic = 1;
-        afl->use_splicing = 1;
         break;
 
       case 'F':                                         /* foreign sync dir */
@@ -557,7 +557,6 @@ int main(int argc, char **argv_orig, char **envp) {
       case 'd':                                       /* skip deterministic */
 
         afl->skip_deterministic = 1;
-        afl->use_splicing = 1;
         break;
 
       case 'B':                                              /* load bitmap */