added more env var docs, fsrv fixes for cmin, tmin

docs/Changelog.md

@@ -14,6 +14,10 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
     - Fix for auto dictionary entries found during fuzzing to not throw out
       a -x dictionary
     - added total execs done to plot file
+    - AFL_MAX_DET_EXTRAS env variable added to control the amount of deterministic
+      dict entries without recompiling.
+    - AFL_FORKSRV_INIT_TMOUT env variable added to control the time to wait for
+      the forkserver to come up without the need to increase the overall timeout.
   - llvm_mode:
     - Ported SanCov to LTO, and made it the default for LTO. better
       instrumentation locations

docs/env_variables.md

@@ -278,6 +278,14 @@ checks or alter some of the more exotic semantics of the tool:
     don't want AFL to spend too much time classifying that stuff and just
     rapidly put all timeouts in that bin.
 
+  - Setting AFL_FORKSRV_INIT_TMOUT allows yout to specify a different timeout
+    to wait for the forkserver to spin up. The default is the `-t` value times
+    `FORK_WAIT_MULT` from `config.h` (usually 10), so for a `-t 100`, the
+    default would wait `1000` milis. Setting a different time here is useful
+    if the target has a very slow startup time, for example when doing
+    full-system fuzzing or emulation, but you don't want the actual runs
+    to wait too long for timeouts.
+
   - AFL_NO_ARITH causes AFL to skip most of the deterministic arithmetics.
     This can be useful to speed up the fuzzing of text-based file formats.
 
@@ -361,6 +369,13 @@ checks or alter some of the more exotic semantics of the tool:
     for an existing out folder, even if a different `-i` was provided.
     Without this setting, afl-fuzz will refuse execution for a long-fuzzed out dir.
 
+  - Setting AFL_MAX_DET_EXRAS will change the threshold at what number of elements
+    in the `-x` dictionary and LTO autodict (combined) the probabilistic mode will
+    kick off. In probabilistic mode, not all dictionary entires will be used all
+    of the times for fuzzing mutations to not make fuzzing slower by it.
+    The default count is `200` element. So for the 200 + 1st element, there is a
+    1 in 201 chance, that one of the dictionary entry will not be used directly.
+
   - Setting AFL_NO_FORKSRV disables the forkserver optimization, reverting to
     fork + execve() call for every tested input. This is useful mostly when
     working with unruly libraries that create threads or do other crazy

src/afl-showmap.c

@@ -1036,6 +1036,16 @@ int main(int argc, char **argv_orig, char **envp) {
 
     }
 
+    if (getenv("AFL_FORKSRV_INIT_TMOUT")) {
+
+      s32 forksrv_init_tmout = atoi(getenv("AFL_FORKSRV_INIT_TMOUT"));
+      if (forksrv_init_tmout < 1) {
+        FATAL("Bad value specified for AFL_FORKSRV_INIT_TMOUT");
+      }
+      fsrv->init_tmout = (u32) forksrv_init_tmout;
+
+    }
+
     afl_fsrv_start(fsrv, use_argv, &stop_soon,
                    get_afl_env("AFL_DEBUG_CHILD_OUTPUT") ? 1 : 0);
     map_size = fsrv->map_size;

src/afl-tmin.c

@@ -1103,6 +1103,16 @@ int main(int argc, char **argv_orig, char **envp) {
   }
 
   SAYF("\n");
+  
+  if (getenv("AFL_FORKSRV_INIT_TMOUT")) {
+
+    s32 forksrv_init_tmout = atoi(getenv("AFL_FORKSRV_INIT_TMOUT"));
+    if (forksrv_init_tmout < 1) {
+      FATAL("Bad value specified for AFL_FORKSRV_INIT_TMOUT");
+    }
+    fsrv->init_tmout = (u32) forksrv_init_tmout;
+
+  }
 
   shm_fuzz = ck_alloc(sizeof(sharedmem_t));