v2.62c

Fix hanging fork and child with -V -E

.custom-format.py

@@ -6,7 +6,7 @@
 # Written and maintaned by Andrea Fioraldi <andreafioraldi@gmail.com>
 #
 # Copyright 2015, 2016, 2017 Google Inc. All rights reserved.
-# Copyright 2019 AFLplusplus Project. All rights reserved.
+# Copyright 2019-2020 AFLplusplus Project. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -27,26 +27,31 @@ with open(".clang-format") as f:
 
 CLANG_FORMAT_BIN = os.getenv("CLANG_FORMAT_BIN")
 if CLANG_FORMAT_BIN is None:
-    p = subprocess.Popen(["clang-format", "--version"], stdout=subprocess.PIPE)
-    o, _ = p.communicate()
-    o = str(o, "utf-8")
-    o = o[len("clang-format version "):].strip()
-    o = o[:o.find(".")]
-    o = int(o)
-    if o < 7:
-        if subprocess.call(['which', 'clang-format-7'], stdout=subprocess.PIPE) == 0:
-            CLANG_FORMAT_BIN = 'clang-format-7'
-        elif subprocess.call(['which', 'clang-format-8'], stdout=subprocess.PIPE) == 0:
-            CLANG_FORMAT_BIN = 'clang-format-8'
-        elif subprocess.call(['which', 'clang-format-9'], stdout=subprocess.PIPE) == 0:
-            CLANG_FORMAT_BIN = 'clang-format-9'
-        elif subprocess.call(['which', 'clang-format-10'], stdout=subprocess.PIPE) == 0:
-            CLANG_FORMAT_BIN = 'clang-format-10'
-        else:
-            print ("clang-format 7 or above is needed. Aborted.")
-            exit(1)
+    o = 0
+    try:
+        p = subprocess.Popen(["clang-format-8", "--version"], stdout=subprocess.PIPE)
+        o, _ = p.communicate()
+        o = str(o, "utf-8")
+        o = o[len("clang-format version "):].strip()
+        o = o[:o.find(".")]
+        o = int(o)
+    except:
+        print ("clang-format-8 is needed. Aborted.")
+        exit(1)
+    #if o < 7:
+    #    if subprocess.call(['which', 'clang-format-7'], stdout=subprocess.PIPE) == 0:
+    #        CLANG_FORMAT_BIN = 'clang-format-7'
+    #    elif subprocess.call(['which', 'clang-format-8'], stdout=subprocess.PIPE) == 0:
+    #        CLANG_FORMAT_BIN = 'clang-format-8'
+    #    elif subprocess.call(['which', 'clang-format-9'], stdout=subprocess.PIPE) == 0:
+    #        CLANG_FORMAT_BIN = 'clang-format-9'
+    #    elif subprocess.call(['which', 'clang-format-10'], stdout=subprocess.PIPE) == 0:
+    #        CLANG_FORMAT_BIN = 'clang-format-10'
+    #    else:
+    #        print ("clang-format 7 or above is needed. Aborted.")
+    #        exit(1)
     else:
-        CLANG_FORMAT_BIN = 'clang-format'
+        CLANG_FORMAT_BIN = 'clang-format-8'
             
 COLUMN_LIMIT = 80
 for line in fmt.split("\n"):

.gitignore

@@ -23,6 +23,8 @@ afl-clang-fast.8
 afl-cmin.8
 afl-fuzz.8
 afl-gcc.8
+afl-gcc-fast.8
+afl-g++-fast.8
 afl-gotcpu.8
 afl-plot.8
 afl-showmap.8
@@ -32,6 +34,7 @@ afl-whatsup.8
 qemu_mode/libcompcov/compcovtest
 as
 qemu_mode/qemu-*
-unicorn_mode/unicorn
-unicorn_mode/unicorn-*
-unicorn_mode/*.tar.gz
+unicorn_mode/unicornafl/
+unicorn_mode/samples/*/\.test-*
+unicorn_mode/samples/*/output/
+core\.*

.travis.yml

@@ -1,11 +1,53 @@
 language: c
 
+sudo: required
+
+branches:
+  only:
+    - master
+
+matrix:
+  include:
+  - os: linux
+    dist: bionic
+    env: NAME="bionic-amd64" MODERN="yes" GCC="7"
+  - os: linux
+    dist: xenial
+    env: NAME="xenial-amd64" MODERN="no" GCC="5" EXTRA="libtool-bin clang-6.0"
+  - os: linux
+    dist: trusty
+    env: NAME="trusty-amd64" MODERN="no" GCC="4.8"
+#  - os: linux # until travis can fix this!
+#    dist: xenial
+#    arch: arm64
+#    env: NAME="xenial-arm64" MODERN="no" GCC="5" EXTRA="libtool-bin clang-6.0" AFL_NO_X86="1" CPU_TARGET="aarch64"
+#  - os: osx
+#    osx_image: xcode11.2
+#    env: NAME="osx" HOMEBREW_NO_ANALYTICS="1" LINK="http://releases.llvm.org/9.0.0/" NAME="clang+llvm-9.0.0-x86_64-darwin-apple"
+
+jobs:
+  allow_failures:
+    - os: osx
+
 env:
-  - AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 AFL_NO_UI=1
+  - AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 AFL_NO_UI=1 AFL_STOP_MANUALLY=1
+ # - AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 AFL_NO_UI=1 AFL_EXIT_WHEN_DONE=1
+ # TODO: test AFL_BENCH_UNTIL_CRASH once we have a target that crashes
+ # - AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 AFL_NO_UI=1 AFL_BENCH_JUST_ONE=1
+
+before_install:
+  # export LLVM_DIR=${TRAVIS_BUILD_DIR}/${LLVM_PACKAGE}
+  - echo Testing on $NAME
+  - if [ "$TRAVIS_OS_NAME" = "osx" ]; then wget "$LINK""$NAME".tar.xz ; export LLVM_CONFIG=`pwd`/"$NAME" ; tar xJf "$NAME".tar.xz ; fi
+  - if [ "$MODERN" = "yes" ]; then sudo apt update ; sudo apt upgrade ; sudo apt install -y libtool libtool-bin automake bison libglib2.0 build-essential clang gcc-"$GCC" gcc-"$GCC"-plugin-dev libc++-"$GCC"-dev findutils ; fi
+  - if [ "$MODERN" = "no" ]; then sudo apt update ; sudo apt install -y libtool $EXTRA libpixman-1-dev automake bison libglib2.0 build-essential gcc-"$GCC" gcc-"$GCC"-plugin-dev libc++-dev findutils ; fi
 
 script:
-  - make
-  - ./afl-gcc ./test-instr.c -o test-instr
-  - mkdir seeds; mkdir out
-  - echo "" > seeds/nil_seed
-  - timeout --preserve-status 5s ./afl-fuzz -i seeds -o out/ -- ./test-instr
+  - gcc -v
+  - clang -v
+  - sudo -E ./afl-system-config
+  - if [ "$TRAVIS_OS_NAME" = "osx" ]; then export LLVM_CONFIG=`pwd`/"$NAME" ; make source-only ASAN_BUILD=1 ; fi
+  - if [ "$TRAVIS_OS_NAME" = "linux" -a "$TRAVIS_CPU_ARCH" = "amd64" ]; then make distrib ASAN_BUILD=1 ; fi
+  - if [ "$TRAVIS_CPU_ARCH" = "arm64" ] ; then echo DEBUG ; find / -name llvm-config.h 2>/dev/null; apt-cache search clang | grep clang- ; apt-cache search llvm | grep llvm- ; dpkg -l | egrep 'clang|llvm'; echo DEBUG ; export LLVM_CONFIG=llvm-config-6.0 ; make ASAN_BUILD=1 ; cd qemu_mode && sh ./build_qemu_support.sh ; cd .. ; fi
+  - make tests
+  - travis_terminate 0

Android.bp

@@ -0,0 +1,141 @@
+cc_defaults {
+  name: "afl-defaults",
+
+  cflags: [
+    "-funroll-loops",
+    "-Wno-pointer-sign",
+    "-Wno-pointer-arith",
+    "-Wno-sign-compare",
+    "-Wno-unused-parameter",
+    "-Wno-unused-function",
+    "-Wno-format",
+    "-Wno-user-defined-warnings",
+    "-DUSE_TRACE_PC=1",
+    "-DBIN_PATH=\"out/host/linux-x86/bin\"",
+    "-DDOC_PATH=\"out/host/linux-x86/shared/doc/afl\"",
+    "-D__USE_GNU",
+  ],
+}
+
+cc_binary {
+  name: "afl-fuzz",
+  static_executable: true,
+  host_supported: true,
+
+  defaults: [
+    "afl-defaults",
+  ],
+
+  srcs: [
+    "afl-fuzz.c",
+  ],
+}
+
+cc_binary {
+  name: "afl-showmap",
+  static_executable: true,
+  host_supported: true,
+
+  defaults: [
+    "afl-defaults",
+  ],
+
+  srcs: [
+    "afl-showmap.c",
+  ],
+}
+
+cc_binary {
+  name: "afl-tmin",
+  static_executable: true,
+  host_supported: true,
+
+  defaults: [
+    "afl-defaults",
+  ],
+
+  srcs: [
+    "afl-tmin.c",
+  ],
+}
+
+cc_binary {
+  name: "afl-analyze",
+  static_executable: true,
+  host_supported: true,
+
+  defaults: [
+    "afl-defaults",
+  ],
+
+  srcs: [
+    "afl-analyze.c",
+  ],
+}
+
+cc_binary {
+  name: "afl-gotcpu",
+  static_executable: true,
+  host_supported: true,
+
+  defaults: [
+    "afl-defaults",
+  ],
+
+  srcs: [
+    "afl-gotcpu.c",
+  ],
+}
+
+cc_binary_host {
+  name: "afl-clang-fast",
+  static_executable: true,
+
+  defaults: [
+    "afl-defaults",
+  ],
+
+  cflags: [
+    "-D__ANDROID__",
+    "-DAFL_PATH=\"out/host/linux-x86/lib64\"",
+  ],
+
+  srcs: [
+    "llvm_mode/afl-clang-fast.c",
+  ],
+}
+
+cc_binary_host {
+  name: "afl-clang-fast++",
+  static_executable: true,
+
+  defaults: [
+    "afl-defaults",
+  ],
+
+  cflags: [
+    "-D__ANDROID__",
+    "-DAFL_PATH=\"out/host/linux-x86/lib64\"",
+  ],
+
+  srcs: [
+    "llvm_mode/afl-clang-fast.c",
+  ],
+}
+
+cc_library_static {
+  name: "afl-llvm-rt",
+  compile_multilib: "both",
+  vendor_available: true,
+  host_supported: true,
+  recovery_available: true,
+  sdk_version: "9",
+
+  defaults: [
+    "afl-defaults",
+  ],
+
+  srcs: [
+    "llvm_mode/afl-llvm-rt.o.c",
+  ],
+}

CONTRIBUTING.md

@@ -6,9 +6,14 @@ Each modified source file, before merging, must be formatted.
 make code-formatter
 ```
 
-This should be fine if you modified one of the file already present in the
+This should be fine if you modified one of the files already present in the
 project, otherwise run:
 
 ```
 ./.custom-format.py -i file-that-you-have-created.c
 ```
+
+Regarding the coding style, please follow the AFL style.
+No camel case at all and use the AFL's macros when possible (e.g. WARNF, FATAL, ...).
+
+Remember that AFLplusplus has to build and run on many platforms, so generalize your Makefiles (or your patches to our pre-existing Makefiles) to be as much general as possible.

Changelog

@@ -1 +0,0 @@
-docs/ChangeLog

Changelog.md

@@ -0,0 +1 @@
+docs/Changelog.md

Dockerfile

@@ -0,0 +1,37 @@
+FROM ubuntu:eoan
+MAINTAINER David Carlier <devnexen@gmail.com>
+LABEL "about"="AFLplusplus docker image"
+RUN apt-get update && apt-get -y install \
+    --no-install-suggests --no-install-recommends \
+    automake \
+    bison \
+    build-essential \
+    clang \
+    clang-9 \
+    flex \
+    git \
+    python3.7 \
+    python3.7-dev \
+    gcc-9 \
+    gcc-9-plugin-dev \
+    gcc-9-multilib \
+    libc++-9-dev \
+    libtool \
+    libtool-bin \
+    libglib2.0-dev \
+    llvm-9-dev \
+    python-setuptools \
+    python2.7-dev \
+    wget \
+    ca-certificates \
+    libpixman-1-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+ARG CC=gcc-9
+ARG CXX=g++-9
+ARG LLVM_CONFIG=llvm-config-9
+
+RUN git clone https://github.com/vanhauser-thc/AFLplusplus
+
+RUN cd AFLplusplus && make clean && make distrib && \
+    make install && cd .. && rm -rf AFLplusplus

Makefile

@@ -1,8 +1,8 @@
 #
-# american fuzzy lop - makefile
+# american fuzzy lop++ - makefile
 # -----------------------------
 #
-# Written and maintained by Michal Zalewski <lcamtuf@google.com>
+# Originally written by Michal Zalewski
 # 
 # Copyright 2013, 2014, 2015, 2016, 2017 Google Inc. All rights reserved.
 # 
@@ -15,9 +15,9 @@
 
 # For Heiko:
 #TEST_MMAP=1
-
-PROGNAME    = afl
-VERSION     = $(shell grep '^\#define VERSION ' include/config.h | cut -d '"' -f2)
+# the hash character is treated differently in different make versions
+# so use a variable for '#'
+HASH=\#
 
 PREFIX     ?= /usr/local
 BIN_PATH    = $(PREFIX)/bin
@@ -26,20 +26,87 @@ DOC_PATH    = $(PREFIX)/share/doc/afl
 MISC_PATH   = $(PREFIX)/share/afl
 MAN_PATH    = $(PREFIX)/man/man8
 
+PROGNAME    = afl
+VERSION     = $(shell grep '^$(HASH)define VERSION ' ../config.h | cut -d '"' -f2)
+
 # PROGS intentionally omit afl-as, which gets installed elsewhere.
 
 PROGS       = afl-gcc afl-fuzz afl-showmap afl-tmin afl-gotcpu afl-analyze
-SH_PROGS    = afl-plot afl-cmin afl-whatsup afl-system-config
-MANPAGES=$(foreach p, $(PROGS) $(SH_PROGS), $(p).8)
+SH_PROGS    = afl-plot afl-cmin afl-cmin.bash afl-whatsup afl-system-config
+MANPAGES=$(foreach p, $(PROGS) $(SH_PROGS), $(p).8) afl-as.8
 
-CFLAGS     ?= -O3 -funroll-loops
-CFLAGS     += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -I include/ \
-	      -DAFL_PATH=\"$(HELPER_PATH)\" -DDOC_PATH=\"$(DOC_PATH)\" \
-	      -DBIN_PATH=\"$(BIN_PATH)\" -Wno-unused-function
+ifeq "$(shell echo 'int main() {return 0; }' | $(CC) -x c - -flto=full -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
+	CFLAGS_FLTO ?= -flto=full
+else
+ ifeq "$(shell echo 'int main() {return 0; }' | $(CC) -x c - -flto=thin -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
+	CFLAGS_FLTO ?= -flto=thin
+ else
+  ifeq "$(shell echo 'int main() {return 0; }' | $(CC) -x c - -flto -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
+	CFLAGS_FLTO ?= -flto
+  endif
+ endif
+endif
+
+ifeq "$(shell echo 'int main() {return 0; }' | $(CC) -x c - -march=native -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
+	CFLAGS_OPT = -march=native
+endif
+
+ifneq "$(shell uname -m)" "x86_64"
+ ifneq "$(shell uname -m)" "i386"
+  ifneq "$(shell uname -m)" "amd64"
+   ifneq "$(shell uname -m)" "i86pc"
+	AFL_NO_X86=1
+   endif
+  endif
+ endif
+endif
+
+CFLAGS     ?= -O3 -funroll-loops $(CFLAGS_OPT)
+override CFLAGS     += -Wall -g -Wno-pointer-sign -I include/ \
+              -DAFL_PATH=\"$(HELPER_PATH)\" -DBIN_PATH=\"$(BIN_PATH)\" \
+              -DDOC_PATH=\"$(DOC_PATH)\" -Wno-unused-function -fcommon
 
 AFL_FUZZ_FILES = $(wildcard src/afl-fuzz*.c)
 
-PYTHON_INCLUDE	?= /usr/include/python2.7
+ifneq "$(shell which python3m)" ""
+  ifneq "$(shell which python3m-config)" ""
+    PYTHON_INCLUDE  ?= $(shell python3m-config --includes)
+    PYTHON_VERSION  ?= $(strip $(shell python3m --version 2>&1))
+    # Starting with python3.8, we need to pass the `embed` flag. Earier versions didn't know this flag.
+    ifeq "$(shell python3m-config --embed --libs 2>/dev/null | grep -q lpython && echo 1 )" "1"
+      PYTHON_LIB      ?= $(shell python3m-config --libs --embed)
+    else
+      PYTHON_LIB      ?= $(shell python3m-config --ldflags)
+    endif
+  endif
+endif
+
+ifneq "$(shell which python3)" ""
+  ifneq "$(shell which python3-config)" ""
+    PYTHON_INCLUDE  ?= $(shell python3-config --includes)
+    PYTHON_VERSION  ?= $(strip $(shell python3 --version 2>&1))
+    # Starting with python3.8, we need to pass the `embed` flag. Earier versions didn't know this flag.
+    ifeq "$(shell python3-config --embed --libs 2>/dev/null | grep -q lpython && echo 1 )" "1"
+      PYTHON_LIB      ?= $(shell python3-config --libs --embed)
+    else
+      PYTHON_LIB      ?= $(shell python3-config --ldflags)
+    endif
+  endif
+endif
+
+ifneq "$(shell which python)" ""
+  ifneq "$(shell which python-config)" ""
+    PYTHON_INCLUDE  ?= $(shell python-config --includes)
+    PYTHON_LIB      ?= $(shell python-config --ldflags)
+    PYTHON_VERSION  ?= $(strip $(shell python --version 2>&1))
+  endif
+endif
+
+ifdef SOURCE_DATE_EPOCH
+    BUILD_DATE ?= $(shell date -u -d "@$(SOURCE_DATE_EPOCH)" "+%Y-%m-%d" 2>/dev/null || date -u -r "$(SOURCE_DATE_EPOCH)" "+%Y-%m-%d" 2>/dev/null || date -u "+%Y-%m-%d")
+else
+    BUILD_DATE ?= $(shell date "+%Y-%m-%d")
+endif
 
 ifneq "$(filter Linux GNU%,$(shell uname))" ""
   LDFLAGS  += -ldl
@@ -47,10 +114,12 @@ endif
 
 ifneq "$(findstring FreeBSD, $(shell uname))" ""
   CFLAGS += -pthread
+  LDFLAGS  += -lpthread
 endif
 
 ifneq "$(findstring NetBSD, $(shell uname))" ""
   CFLAGS += -pthread
+  LDFLAGS  += -lpthread
 endif
 
 ifeq "$(findstring clang, $(shell $(CC) --version 2>/dev/null))" ""
@@ -61,10 +130,9 @@ endif
 
 COMM_HDR    = include/alloc-inl.h include/config.h include/debug.h include/types.h
 
-
-ifeq "$(shell echo '\#include <Python.h>@int main() {return 0; }' | tr @ '\n' | $(CC) -x c - -o .test -I$(PYTHON_INCLUDE) -lpython2.7 2>/dev/null && echo 1 || echo 0 )" "1"
+ifeq "$(shell echo '$(HASH)include <Python.h>@int main() {return 0; }' | tr @ '\n' | $(CC) -x c - -o .test $(PYTHON_INCLUDE) $(LDFLAGS) $(PYTHON_LIB) 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
 	PYTHON_OK=1
-	PYFLAGS=-DUSE_PYTHON -I$(PYTHON_INCLUDE) -lpython2.7
+	PYFLAGS=-DUSE_PYTHON $(PYTHON_INCLUDE) $(LDFLAGS) $(PYTHON_LIB) -DPYTHON_VERSION="\"$(PYTHON_VERSION)\""
 else
 	PYTHON_OK=0
 	PYFLAGS=
@@ -80,7 +148,7 @@ ifdef STATIC
   LDFLAGS += -lm -lrt -lpthread -lz -lutil
 endif
 
-ifeq "$(shell echo '\#include <sys/ipc.h>@\#include <sys/shm.h>@int main() { int _id = shmget(IPC_PRIVATE, 65536, IPC_CREAT | IPC_EXCL | 0600); shmctl(_id, IPC_RMID, 0); return 0;}' | tr @ '\n' | $(CC) -x c - -o .test2 2>/dev/null && echo 1 || echo 0 )" "1"
+ifeq "$(shell echo '$(HASH)include <sys/ipc.h>@$(HASH)include <sys/shm.h>@int main() { int _id = shmget(IPC_PRIVATE, 65536, IPC_CREAT | IPC_EXCL | 0600); shmctl(_id, IPC_RMID, 0); return 0;}' | tr @ '\n' | $(CC) -x c - -o .test2 2>/dev/null && echo 1 || echo 0 ; rm -f .test2 )" "1"
 	SHMAT_OK=1
 else
 	SHMAT_OK=0
@@ -94,35 +162,58 @@ ifeq "$(TEST_MMAP)" "1"
 	LDFLAGS+=-Wno-deprecated-declarations -lrt
 endif
 
+ifdef ASAN_BUILD
+  CFLAGS+=-fsanitize=address
+	LDFLAGS+=-fsanitize=address
+endif
 
-all:	test_x86 test_shm test_python27 ready $(PROGS) afl-as test_build all_done
+all:	test_x86 test_shm test_python ready $(PROGS) afl-as test_build all_done
 
 man:    $(MANPAGES) 
 	-$(MAKE) -C llvm_mode
+	-$(MAKE) -C gcc_plugin
 
 tests:	source-only
 	@cd test ; ./test.sh
+	@rm -f test/errors
+
+performance-tests:	performance-test
+test-performance:	performance-test
+
+performance-test:	source-only
+	@cd test ; ./test-performance.sh
+
 
 help:
 	@echo "HELP --- the following make targets exist:"
 	@echo "=========================================="
 	@echo "all: just the main afl++ binaries"
-	@echo "binary-only: everything for binary-only fuzzing: qemu_mode, unicorn_mode, libdislocator, libtokencap"
-	@echo "source-only: everything for source code fuzzing: llvm_mode, libdislocator, libtokencap"
+	@echo "binary-only: everything for binary-only fuzzing: qemu_mode, unicorn_mode, libdislocator, libtokencap, radamsa"
+	@echo "source-only: everything for source code fuzzing: llvm_mode, gcc_plugin, libdislocator, libtokencap, radamsa"
 	@echo "distrib: everything (for both binary-only and source code fuzzing)"
 	@echo "man: creates simple man pages from the help option of the programs"
 	@echo "install: installs everything you have compiled with the build option above"
-	@echo "clean: cleans everything. for qemu_mode and unicorn_mode it means it deletes all downloads as well"
+	@echo "clean: cleans everything. for qemu_mode it means it deletes all downloads as well"
+	@echo "code-format: format the code, do this before you commit and send a PR please!"
 	@echo "tests: this runs the test framework. It is more catered for the developers, but if you run into problems this helps pinpointing the problem"
 	@echo "document: creates afl-fuzz-document which will only do one run and save all manipulated inputs into out/queue/mutations"
 	@echo "help: shows these build options :-)"
 	@echo "=========================================="
 	@echo "Recommended: \"distrib\" or \"source-only\", then \"install\""
-
+	@echo
+	@echo Known build environment options:
+	@echo "=========================================="
+	@echo STATIC - compile AFL++ static
+	@echo ASAN_BUILD - compiles with memory sanitizer for debug purposes
+	@echo AFL_NO_X86 - if compiling on non-intel/amd platforms
+	@echo "=========================================="
+	@echo e.g.: make ASAN_BUILD=1
 
 ifndef AFL_NO_X86
 
 test_x86:
+	@echo "[*] Checking for the default compiler cc..."
+	@which $(CC) >/dev/null || ( echo; echo "Oops, looks like there is no compiler '"$(CC)"' in your path."; echo; echo "Don't panic! You can restart with '"$(_)" CC=<yourCcompiler>'."; echo; exit 1 )
 	@echo "[*] Checking for the ability to compile x86 code..."
 	@echo 'main() { __asm__("xorb %al, %al"); }' | $(CC) -w -x c - -o .test1 || ( echo; echo "Oops, looks like your compiler can't generate x86 code."; echo; echo "Don't panic! You can use the LLVM or QEMU mode, but see docs/INSTALL first."; echo "(To ignore this error, set AFL_NO_X86=1 and try again.)"; echo; exit 1 )
 	@rm -f .test1
@@ -151,14 +242,14 @@ endif
 
 ifeq "$(PYTHON_OK)" "1"
 
-test_python27:
+test_python:
 	@rm -f .test 2> /dev/null
-	@echo "[+] Python 2.7 support seems to be working."
+	@echo "[+] $(PYTHON_VERSION) support seems to be working."
 
 else
 
-test_python27:
-	@echo "[-] You seem to need to install the package python2.7-dev, but it is optional so we continue"
+test_python:
+	@echo "[-] You seem to need to install the package python3-dev or python2-dev (and perhaps python[23]-apt), but it is optional so we continue"
 
 endif
 
@@ -174,26 +265,32 @@ afl-as: src/afl-as.c include/afl-as.h $(COMM_HDR) | test_x86
 	$(CC) $(CFLAGS) src/$@.c -o $@ $(LDFLAGS)
 	ln -sf afl-as as
 
-src/afl-common.o : src/afl-common.c include/common.h
-	$(CC) $(CFLAGS) -c src/afl-common.c -o src/afl-common.o
+src/afl-common.o : $(COMM_HDR) src/afl-common.c include/common.h
+	$(CC) $(CFLAGS) $(CFLAGS_FLTO) -c src/afl-common.c -o src/afl-common.o
 
-src/afl-forkserver.o : src/afl-forkserver.c include/forkserver.h
-	$(CC) $(CFLAGS) -c src/afl-forkserver.c -o src/afl-forkserver.o
+src/afl-forkserver.o : $(COMM_HDR) src/afl-forkserver.c include/forkserver.h
+	$(CC) $(CFLAGS) $(CFLAGS_FLTO) -c src/afl-forkserver.c -o src/afl-forkserver.o
 
-src/afl-sharedmem.o : src/afl-sharedmem.c include/sharedmem.h
-	$(CC) $(CFLAGS) -c src/afl-sharedmem.c -o src/afl-sharedmem.o
+src/afl-sharedmem.o : $(COMM_HDR) src/afl-sharedmem.c include/sharedmem.h
+	$(CC) $(CFLAGS) $(CFLAGS_FLTO) -c src/afl-sharedmem.c -o src/afl-sharedmem.o
 
-afl-fuzz: include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o $(COMM_HDR) | test_x86
-	$(CC) $(CFLAGS) $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o -o $@ $(PYFLAGS) $(LDFLAGS)
+radamsa: src/third_party/libradamsa/libradamsa.so
+	cp src/third_party/libradamsa/libradamsa.so .
+
+src/third_party/libradamsa/libradamsa.so: src/third_party/libradamsa/libradamsa.c src/third_party/libradamsa/radamsa.h
+	$(MAKE) -C src/third_party/libradamsa/ CFLAGS="$(CFLAGS)"
+
+afl-fuzz: $(COMM_HDR) include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o | test_x86
+	$(CC) $(CFLAGS) $(CFLAGS_FLTO) $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o -o $@ $(PYFLAGS) $(LDFLAGS)
 
 afl-showmap: src/afl-showmap.c src/afl-common.o src/afl-sharedmem.o $(COMM_HDR) | test_x86
-	$(CC) $(CFLAGS) src/$@.c src/afl-common.o src/afl-sharedmem.o -o $@ $(LDFLAGS)
+	$(CC) $(CFLAGS) $(CFLAGS_FLTO) src/$@.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o -o $@ $(LDFLAGS)
 
 afl-tmin: src/afl-tmin.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o $(COMM_HDR) | test_x86
-	$(CC) $(CFLAGS) src/$@.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o -o $@ $(LDFLAGS)
+	$(CC) $(CFLAGS) $(CFLAGS_FLTO) src/$@.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o -o $@ $(LDFLAGS)
 
 afl-analyze: src/afl-analyze.c src/afl-common.o src/afl-sharedmem.o $(COMM_HDR) | test_x86
-	$(CC) $(CFLAGS) src/$@.c src/afl-common.o src/afl-sharedmem.o -o $@ $(LDFLAGS)
+	$(CC) $(CFLAGS) $(CFLAGS_FLTO) src/$@.c src/afl-common.o src/afl-sharedmem.o -o $@ $(LDFLAGS)
 
 afl-gotcpu: src/afl-gotcpu.c $(COMM_HDR) | test_x86
 	$(CC) $(CFLAGS) src/$@.c -o $@ $(LDFLAGS)
@@ -212,11 +309,17 @@ code-format:
 	./.custom-format.py -i llvm_mode/*.c
 	./.custom-format.py -i llvm_mode/*.h
 	./.custom-format.py -i llvm_mode/*.cc
+	./.custom-format.py -i gcc_plugin/*.c
+	#./.custom-format.py -i gcc_plugin/*.h
+	./.custom-format.py -i gcc_plugin/*.cc
+	./.custom-format.py -i examples/*/*.c
+	./.custom-format.py -i examples/*/*.h
 	./.custom-format.py -i qemu_mode/patches/*.h
 	./.custom-format.py -i qemu_mode/libcompcov/*.c
 	./.custom-format.py -i qemu_mode/libcompcov/*.cc
 	./.custom-format.py -i qemu_mode/libcompcov/*.h
-	./.custom-format.py -i unicorn_mode/patches/*.h
+	./.custom-format.py -i qbdi_mode/*.c
+	./.custom-format.py -i qbdi_mode/*.cpp
 	./.custom-format.py -i *.h
 	./.custom-format.py -i *.c
 
@@ -225,7 +328,7 @@ ifndef AFL_NO_X86
 
 test_build: afl-gcc afl-as afl-showmap
 	@echo "[*] Testing the CC wrapper and instrumentation output..."
-	unset AFL_USE_ASAN AFL_USE_MSAN AFL_CC; AFL_QUIET=1 AFL_INST_RATIO=100 AFL_PATH=. ./$(TEST_CC) $(CFLAGS) test-instr.c -o test-instr $(LDFLAGS)
+	@unset AFL_USE_ASAN AFL_USE_MSAN AFL_CC; AFL_DEBUG=1 AFL_INST_RATIO=100 AFL_PATH=. ./$(TEST_CC) $(CFLAGS) test-instr.c -o test-instr $(LDFLAGS) 2>&1 | grep 'afl-as' >/dev/null || (echo "Oops, afl-as did not get called from "$(TEST_CC)". This is normally achieved by "$(CC)" honoring the -B option."; exit 1 )
 	./afl-showmap -m none -q -o .test-instr0 ./test-instr < /dev/null
 	echo 1 | ./afl-showmap -m none -q -o .test-instr1 ./test-instr
 	@rm -f test-instr
@@ -241,42 +344,53 @@ endif
 
 
 all_done: test_build
-	@if [ ! "`which clang 2>/dev/null`" = "" ]; then echo "[+] LLVM users: see llvm_mode/README.llvm for a faster alternative to afl-gcc."; fi
+	@if [ ! "`which clang 2>/dev/null`" = "" ]; then echo "[+] LLVM users: see llvm_mode/README.md for a faster alternative to afl-gcc."; fi
 	@echo "[+] All done! Be sure to review the README.md - it's pretty short and useful."
 	@if [ "`uname`" = "Darwin" ]; then printf "\nWARNING: Fuzzing on MacOS X is slow because of the unusually high overhead of\nfork() on this OS. Consider using Linux or *BSD. You can also use VirtualBox\n(virtualbox.org) to put AFL inside a Linux or *BSD VM.\n\n"; fi
-	@! tty <&1 >/dev/null || printf "\033[0;30mNOTE: If you can read this, your terminal probably uses white background.\nThis will make the UI hard to read. See docs/status_screen.txt for advice.\033[0m\n" 2>/dev/null
+	@! tty <&1 >/dev/null || printf "\033[0;30mNOTE: If you can read this, your terminal probably uses white background.\nThis will make the UI hard to read. See docs/status_screen.md for advice.\033[0m\n" 2>/dev/null
 
 .NOTPARALLEL: clean
 
 clean:
-	rm -f $(PROGS) afl-as as afl-g++ afl-clang afl-clang++ *.o src/*.o *~ a.out core core.[1-9][0-9]* *.stackdump .test .test1 .test2 test-instr .test-instr0 .test-instr1 qemu_mode/qemu-3.1.1.tar.xz afl-qemu-trace afl-gcc-fast afl-gcc-pass.so afl-gcc-rt.o afl-g++-fast *.so unicorn_mode/24f55a7973278f20f0de21b904851d99d4716263.tar.gz *.8
-	rm -rf out_dir qemu_mode/qemu-3.1.1 unicorn_mode/unicorn *.dSYM */*.dSYM
+	rm -f $(PROGS) libradamsa.so afl-fuzz-document afl-as as afl-g++ afl-clang afl-clang++ *.o src/*.o *~ a.out core core.[1-9][0-9]* *.stackdump .test .test1 .test2 test-instr .test-instr0 .test-instr1 qemu_mode/qemu-3.1.1.tar.xz afl-qemu-trace afl-gcc-fast afl-gcc-pass.so afl-gcc-rt.o afl-g++-fast *.so *.8
+	rm -rf out_dir qemu_mode/qemu-3.1.1 *.dSYM */*.dSYM
 	-$(MAKE) -C llvm_mode clean
+	-$(MAKE) -C gcc_plugin clean
 	$(MAKE) -C libdislocator clean
 	$(MAKE) -C libtokencap clean
+	$(MAKE) -C examples/socket_fuzzing clean
+	$(MAKE) -C examples/argv_fuzzing clean
 	$(MAKE) -C qemu_mode/unsigaction clean
 	$(MAKE) -C qemu_mode/libcompcov clean
+	$(MAKE) -C src/third_party/libradamsa/ clean
+	-rm -rf unicorn_mode/unicornafl
 
-distrib: all
+distrib: all radamsa
 	-$(MAKE) -C llvm_mode
+	-$(MAKE) -C gcc_plugin
 	$(MAKE) -C libdislocator
 	$(MAKE) -C libtokencap
+	$(MAKE) -C examples/socket_fuzzing
+	$(MAKE) -C examples/argv_fuzzing
 	cd qemu_mode && sh ./build_qemu_support.sh
 	cd unicorn_mode && sh ./build_unicorn_support.sh
 
-binary-only: all
+binary-only: all radamsa
 	$(MAKE) -C libdislocator
 	$(MAKE) -C libtokencap
+	$(MAKE) -C examples/socket_fuzzing
+	$(MAKE) -C examples/argv_fuzzing
 	cd qemu_mode && sh ./build_qemu_support.sh
 	cd unicorn_mode && sh ./build_unicorn_support.sh
 
-source-only: all
+source-only: all radamsa
 	-$(MAKE) -C llvm_mode
+	-$(MAKE) -C gcc_plugin
 	$(MAKE) -C libdislocator
 	$(MAKE) -C libtokencap
 
 %.8:	%
-	@echo .TH $* 8 `date -I` "afl++" > $@
+	@echo .TH $* 8 $(BUILD_DATE) "afl++" > $@
 	@echo .SH NAME >> $@
 	@echo .B $* >> $@
 	@echo >> $@
@@ -288,19 +402,19 @@ source-only: all
 	@./$* -h 2>&1 | tail -n +4 >> $@
 	@echo >> $@
 	@echo .SH AUTHOR >> $@
-	@echo "afl++ was written by Michal \"lcamtuf\" Zalewski and is maintained by Marc \"van Hauser\" Heuse <mh@mh-sec.de>, Heiko \"hexc0der\" Eissfeldt <heiko.eissfeldt@hexco.de> and Andrea Fioraldi <andreafioraldi@gmail.com>" >> $@
+	@echo "afl++ was written by Michal \"lcamtuf\" Zalewski and is maintained by Marc \"van Hauser\" Heuse <mh@mh-sec.de>, Heiko \"hexcoder-\" Eissfeldt <heiko.eissfeldt@hexco.de> and Andrea Fioraldi <andreafioraldi@gmail.com>" >> $@
 	@echo  The homepage of afl++ is: https://github.com/vanhauser-thc/AFLplusplus >> $@
 	@echo >> $@
 	@echo .SH LICENSE >> $@
 	@echo Apache License Version 2.0, January 2004 >> $@
 
 install: all $(MANPAGES)
-	mkdir -p -m 755 $${DESTDIR}$(BIN_PATH) $${DESTDIR}$(HELPER_PATH) $${DESTDIR}$(DOC_PATH) $${DESTDIR}$(MISC_PATH)
+	install -d -m 755 $${DESTDIR}$(BIN_PATH) $${DESTDIR}$(HELPER_PATH) $${DESTDIR}$(DOC_PATH) $${DESTDIR}$(MISC_PATH)
 	rm -f $${DESTDIR}$(BIN_PATH)/afl-plot.sh
 	install -m 755 $(PROGS) $(SH_PROGS) $${DESTDIR}$(BIN_PATH)
 	rm -f $${DESTDIR}$(BIN_PATH)/afl-as
 	if [ -f afl-qemu-trace ]; then install -m 755 afl-qemu-trace $${DESTDIR}$(BIN_PATH); fi
-	#if [ -f afl-gcc-fast ]; then set e; install -m 755 afl-gcc-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-gcc-fast $${DESTDIR}$(BIN_PATH)/afl-g++-fast; install -m 755 afl-gcc-pass.so afl-gcc-rt.o $${DESTDIR}$(HELPER_PATH); fi
+	if [ -f afl-gcc-fast ]; then set e; install -m 755 afl-gcc-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-gcc-fast $${DESTDIR}$(BIN_PATH)/afl-g++-fast; install -m 755 afl-gcc-pass.so afl-gcc-rt.o $${DESTDIR}$(HELPER_PATH); fi
 ifndef AFL_TRACE_PC
 	if [ -f afl-clang-fast -a -f libLLVMInsTrim.so -a -f afl-llvm-rt.o ]; then set -e; install -m 755 afl-clang-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang-fast++; install -m 755 libLLVMInsTrim.so afl-llvm-pass.so afl-llvm-rt.o $${DESTDIR}$(HELPER_PATH); fi
 else
@@ -314,30 +428,20 @@ endif
 	if [ -f libdislocator.so ]; then set -e; install -m 755 libdislocator.so $${DESTDIR}$(HELPER_PATH); fi
 	if [ -f libtokencap.so ]; then set -e; install -m 755 libtokencap.so $${DESTDIR}$(HELPER_PATH); fi
 	if [ -f libcompcov.so ]; then set -e; install -m 755 libcompcov.so $${DESTDIR}$(HELPER_PATH); fi
+	if [ -f libradamsa.so ]; then set -e; install -m 755 libradamsa.so $${DESTDIR}$(HELPER_PATH); fi
+	if [ -f afl-fuzz-document ]; then set -e; install -m 755 afl-fuzz-document $${DESTDIR}$(BIN_PATH); fi
+	$(MAKE) -C examples/socket_fuzzing install
+	$(MAKE) -C examples/argv_fuzzing install
 
 	set -e; ln -sf afl-gcc $${DESTDIR}$(BIN_PATH)/afl-g++
 	set -e; if [ -f afl-clang-fast ] ; then ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang ; ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang++ ; else ln -sf afl-gcc $${DESTDIR}$(BIN_PATH)/afl-clang ; ln -sf afl-gcc $${DESTDIR}$(BIN_PATH)/afl-clang++; fi
 
 	mkdir -m 0755 -p ${DESTDIR}$(MAN_PATH)
-	install -m0644 -D *.8 ${DESTDIR}$(MAN_PATH)
+	install -m0644 *.8 ${DESTDIR}$(MAN_PATH)
 
 	install -m 755 afl-as $${DESTDIR}$(HELPER_PATH)
 	ln -sf afl-as $${DESTDIR}$(HELPER_PATH)/as
-	install -m 644 docs/README.md docs/ChangeLog docs/*.txt $${DESTDIR}$(DOC_PATH)
+	install -m 644 docs/*.md $${DESTDIR}$(DOC_PATH)
 	cp -r testcases/ $${DESTDIR}$(MISC_PATH)
 	cp -r dictionaries/ $${DESTDIR}$(MISC_PATH)
 
-#publish: clean
-#	test "`basename $$PWD`" = "afl" || exit 1
-#	test -f ~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz; if [ "$$?" = "0" ]; then echo; echo "Change program version in config.h, mmkay?"; echo; exit 1; fi
-#	cd ..; rm -rf $(PROGNAME)-$(VERSION); cp -pr $(PROGNAME) $(PROGNAME)-$(VERSION); \
-#	  tar -cvz -f ~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz $(PROGNAME)-$(VERSION)
-#	chmod 644 ~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz
-#	( cd ~/www/afl/releases/; ln -s -f $(PROGNAME)-$(VERSION).tgz $(PROGNAME)-latest.tgz )
-#	cat docs/README.md >~/www/afl/README.txt
-#	cat docs/status_screen.txt >~/www/afl/status_screen.txt
-#	cat docs/historical_notes.txt >~/www/afl/historical_notes.txt
-#	cat docs/technical_details.txt >~/www/afl/technical_details.txt
-#	cat docs/ChangeLog >~/www/afl/ChangeLog.txt
-#	cat docs/QuickStartGuide.txt >~/www/afl/QuickStartGuide.txt
-#	echo -n "$(VERSION)" >~/www/afl/version.txt

PATCHES

@@ -1 +0,0 @@
-docs/PATCHES

QuickStartGuide.md

@@ -0,0 +1 @@
+docs/QuickStartGuide.md

QuickStartGuide.txt

@@ -1 +0,0 @@
-docs/QuickStartGuide.txt

README.md

@@ -1,19 +1,24 @@
 # american fuzzy lop plus plus (afl++)
 
-  Release Version: 2.57c 
+  <img align="right" src="https://raw.githubusercontent.com/andreafioraldi/AFLplusplus-website/master/static/logo_256x256.png" alt="AFL++ Logo">
 
-  Github Version: 2.57d
+  ![Travis State](https://api.travis-ci.com/vanhauser-thc/AFLplusplus.svg?branch=master)
+
+  Release Version: 2.62c
+
+  Github Version: 2.62d
 
   includes all necessary/interesting changes from Google's afl 2.56b
 
-
   Originally developed by Michal "lcamtuf" Zalewski.
 
   Repository: [https://github.com/vanhauser-thc/AFLplusplus](https://github.com/vanhauser-thc/AFLplusplus)
 
-  afl++ is maintained by Marc "van Hauser" Heuse <mh@mh-sec.de>,
-  Heiko "hexcoder-" Eißfeldt <heiko.eissfeldt@hexco.de> and
-  Andrea Fioraldi <andreafioraldi@gmail.com>.
+  afl++ is maintained by:
+    * Marc "van Hauser" Heuse <mh@mh-sec.de>,
+    * Heiko "hexcoder-" Eißfeldt <heiko.eissfeldt@hexco.de>,
+    * Andrea Fioraldi <andreafioraldi@gmail.com> and
+    * Dominik Maier <mail@dmnk.co>.
 
   Note that although afl now has a Google afl repository [https://github.com/Google/afl](https://github.com/Google/afl),
   it is unlikely to receive any noteable enhancements: [https://twitter.com/Dor3s/status/1154737061787660288](https://twitter.com/Dor3s/status/1154737061787660288)
@@ -25,10 +30,10 @@
   get any feature improvements since November 2017.
 
   Among other changes afl++ has a more performant llvm_mode, supports
-  llvm up to version 9, QEMU 3.1, more speed and crashfixes for QEMU,
+  llvm up to version 11, QEMU 3.1, more speed and crashfixes for QEMU,
   better *BSD and Android support and much, much more.
 
-  Additionally the following patches have been integrated:
+  Additionally the following features and patches have been integrated:
 
   * AFLfast's power schedules by Marcel Böhme: [https://github.com/mboehme/aflfast](https://github.com/mboehme/aflfast)
 
@@ -50,20 +55,32 @@
   
   * Win32 PE binary-only fuzzing with QEMU and Wine
 
+  * Radamsa mutator (enable with `-R` to add or `-RR` to run it exclusivly).
+
+  * qbdi_mode: fuzz android native libraries via QBDI framework
+
+  * The new CmpLog instrumentation for LLVM and QEMU inspired by [Redqueen](https://www.syssec.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2018/12/17/NDSS19-Redqueen.pdf)
+
   A more thorough list is available in the PATCHES file.
 
-  | Feature/Instrumentation | LLVM | GCC | QEMU | Unicorn |
-  | ----------------------- |:----:|:---:|:----:| -------:|
-  | laf-intel / CompCov     |  x   |     |  x   |    x    |
-  | NeverZero               |  x(1)|  x  |  x   |    x    |
-  | Persistent mode         |  x   |     |  x   |         |
-  | Whitelist               |  x   |     |      |         |
-  | InsTrim                 |  x   |     |      |         |
+  | Feature/Instrumentation | afl-gcc | llvm_mode | gcc_plugin | qemu_mode        | unicorn_mode |
+  | ----------------------- |:-------:|:---------:|:----------:|:----------------:|:------------:|
+  | NeverZero               |    x    |     x(1)  |      (2)   |         x        |       x      |
+  | Persistent mode         |         |     x     |     x      | x86[_64]/arm[64] |       x      |
+  | laf-intel / CompCov     |         |     x     |            | x86[_64]/arm[64] | x86[_64]/arm |
+  | CmpLog                  |         |     x     |            | x86[_64]/arm[64] |              |
+  | Whitelist               |         |     x     |     x      |        (x)(3)    |              |
+  | InsTrim                 |         |     x     |            |                  |              |
+
+  neverZero:
 
   (1) only in LLVM >= 9.0 due to a bug in llvm in previous versions
 
+  (2) gcc creates non-performant code, hence it is disabled in gcc_plugin
 
-  So all in all this is the best-of AFL that is currently out there :-)
+  (3) partially via AFL_CODE_START/AFL_CODE_END
+
+  So all in all this is the best-of afl that is currently out there :-)
 
   For new versions and additional information, check out:
   [https://github.com/vanhauser-thc/AFLplusplus](https://github.com/vanhauser-thc/AFLplusplus)
@@ -71,16 +88,30 @@
   To compare notes with other users or get notified about major new features,
   send a mail to <afl-users+subscribe@googlegroups.com>.
 
-  See [docs/QuickStartGuide.txt](docs/QuickStartGuide.txt) if you don't have time to
+  See [docs/QuickStartGuide.md](docs/QuickStartGuide.md) if you don't have time to
   read this file.
 
 
+## Google Summer of Code 2020 (and any other students and enthusiast developers)
+
+We are happy to be part of [Google Summer of Code 2020](https://summerofcode.withgoogle.com/organizations/5100744400699392/)! :-)
+
+We have several ideas we would like to see in AFL++ to make it even better.
+However we already work on so many things that we do not have the time for
+all the big ideas.
+
+This can be your way to support and contribute to AFL++ - extend it to
+something cool
+
+We have an idea list in [docs/ideas.md](docs/ideas.md)
+
 ## 0) Building and installing afl++
 
 afl++ has many build options.
 The easiest is to build and install everything:
 
 ```shell
+$ sudo apt install build-essential libtool-bin python3 automake bison libglib2.0-dev libpixman-1-dev clang
 $ make distrib
 $ sudo make install
 ```
@@ -95,14 +126,15 @@ $ make source-only
 ```
 is what you should choose.
 
-These build options exist:
+These build targets exist:
 
 * all: just the main afl++ binaries
-* binary-only: everything for binary-only fuzzing: qemu_mode, unicorn_mode, libdislocator, libtokencap
-* source-only: everything for source code fuzzing: llvm_mode, libdislocator, libtokencap
+* binary-only: everything for binary-only fuzzing: qemu_mode, unicorn_mode, libdislocator, libtokencap, radamsa
+* source-only: everything for source code fuzzing: llvm_mode, libdislocator, libtokencap, radamsa
 * distrib: everything (for both binary-only and source code fuzzing)
 * install: installs everything you have compiled with the build options above
 * clean: cleans everything. for qemu_mode and unicorn_mode it means it deletes all downloads as well
+* code-format: format the code, do this before you commit and send a PR please!
 * tests: runs test cases to ensure that all features are still working as they should
 * help: shows these build options
 
@@ -113,6 +145,24 @@ afl++ binaries by passing the STATIC=1 argument to make:
 $ make all STATIC=1
 ```
 
+These build options exist:
+
+* STATIC - compile AFL++ static
+* ASAN_BUILD - compiles with memory sanitizer for debug purposes
+* AFL_NO_X86 - if compiling on non-intel/amd platforms
+
+e.g.: make ASAN_BUILD=1
+
+
+Note that afl++ is faster and better the newer the compilers used are.
+Hence gcc-9 and especially llvm-9 should be the compilers of choice.
+If your distribution does not have them, you can use the Dockerfile:
+
+```shell
+$ cd AFLplusplus
+$ sudo docker build -t aflplusplus .
+```
+
 
 ## 1) Challenges of guided fuzzing
 
@@ -185,7 +235,7 @@ superior to blind fuzzing or coverage-only tools.
 PLEASE NOTE: llvm_mode compilation with afl-clang-fast/afl-clang-fast++
 instead of afl-gcc/afl-g++ is much faster and has a few cool features.
 See llvm_mode/ - however few code does not compile with llvm.
-We support llvm versions 3.8.0 to 9.
+We support llvm versions 3.8.0 to 11.
 
 When source code is available, instrumentation can be injected by a companion
 tool that works as a drop-in replacement for gcc or clang in any standard build
@@ -208,7 +258,7 @@ For C++ programs, you'd would also want to set `CXX=/path/to/afl/afl-g++`.
 The clang wrappers (afl-clang and afl-clang++) can be used in the same way;
 clang users may also opt to leverage a higher-performance instrumentation mode,
 as described in [llvm_mode/README.md](llvm_mode/README.md).
-Clang/LLVM has a much better performance and works with LLVM version 3.8.0 to 9.
+Clang/LLVM has a much better performance and works with LLVM version 3.8.0 to 11.
 
 Using the LAF Intel performance enhancements are also recommended, see 
 [llvm_mode/README.laf-intel.md](llvm_mode/README.laf-intel.md)
@@ -232,7 +282,7 @@ automatically enable code hardening options that make it easier to detect
 simple memory bugs. Libdislocator, a helper library included with AFL (see
 [libdislocator/README.md](libdislocator/README.md)) can help uncover heap corruption issues, too.
 
-PS. ASAN users are advised to review [docs/notes_for_asan.txt](docs/notes_for_asan.txt)
+PS. ASAN users are advised to review [docs/notes_for_asan.md](docs/notes_for_asan.md)
 file for important caveats.
 
 
@@ -252,18 +302,30 @@ $ ./build_qemu_support.sh
 
 For additional instructions and caveats, see [qemu_mode/README.md](qemu_mode/README.md).
 
+If possible you should use the persistent mode, see [README.persistent.md](README.persistent.md).
+
 The mode is approximately 2-5x slower than compile-time instrumentation, is
-less conductive to parallelization, and may have some other quirks.
+less conducive to parallelization, and may have some other quirks.
 
 If [afl-dyninst](https://github.com/vanhauser-thc/afl-dyninst) works for
 your binary, then you can use afl-fuzz normally and it will have twice
 the speed compared to qemu_mode.
 
 A more comprehensive description of these and other options can be found in
-[docs/binaryonly_fuzzing.txt](docs/binaryonly_fuzzing.txt)
+[docs/binaryonly_fuzzing.md](docs/binaryonly_fuzzing.md)
 
 
-## 5) Power schedules
+## 5) Good examples and writeups
+
+Here are some good writeups to show how to effectibly use AFL++:
+
+ * [https://aflplus.plus/docs/tutorials/libxml2_tutorial/](https://aflplus.plus/docs/tutorials/libxml2_tutorial/)
+ * [https://bananamafia.dev/post/gb-fuzz/](https://bananamafia.dev/post/gb-fuzz/)
+ * [https://securitylab.github.com/research/fuzzing-challenges-solutions-1](https://securitylab.github.com/research/fuzzing-challenges-solutions-1)
+
+If you find other good ones, please send them to us :-)
+
+## 6) Power schedules
 
 The power schedules were copied from Marcel Böhme's excellent AFLfast
 implementation and expand on the ability to discover new paths and
@@ -290,14 +352,15 @@ made the default mode).
 
 More details can be found in the paper published at the 23rd ACM Conference on
 Computer and Communications Security [CCS'16](https://www.sigsac.org/ccs/CCS2016/accepted-papers/)
-## 6) Choosing initial test cases
+
+## 7) Choosing initial test cases
 
 To operate correctly, the fuzzer requires one or more starting file that
 contains a good example of the input data normally expected by the targeted
 application. There are two basic rules:
 
   - Keep the files small. Under 1 kB is ideal, although not strictly necessary.
-    For a discussion of why size matters, see [perf_tips.txt](docs/perf_tips.txt).
+    For a discussion of why size matters, see [perf_tips.md](docs/perf_tips.md).
 
   - Use multiple test cases only if they are functionally different from
     each other. There is no point in using fifty different vacation photos
@@ -311,7 +374,7 @@ the afl-cmin utility to identify a subset of functionally distinct files that
 exercise different code paths in the target binary.
 
 
-## 7) Fuzzing binaries
+## 8) Fuzzing binaries
 
 The fuzzing process itself is carried out by the afl-fuzz utility. This program
 requires a read-only directory with initial test cases, a separate place to
@@ -341,17 +404,16 @@ You can use -t and -m to override the default timeout and memory limit for the
 executed process; rare examples of targets that may need these settings touched
 include compilers and video decoders.
 
-Tips for optimizing fuzzing performance are discussed in [perf_tips.txt](docs/perf_tips.txt).
+Tips for optimizing fuzzing performance are discussed in [perf_tips.md](docs/perf_tips.md).
 
 Note that afl-fuzz starts by performing an array of deterministic fuzzing
 steps, which can take several days, but tend to produce neat test cases. If you
 want quick & dirty results right away - akin to zzuf and other traditional
 fuzzers - add the -d option to the command line.
 
+## 9) Interpreting output
 
-## 8) Interpreting output
-
-See the [docs/status_screen.txt](docs/status_screen.txt) file for information on
+See the [docs/status_screen.md](docs/status_screen.md) file for information on
 how to interpret the displayed stats and monitor the health of the process. Be
 sure to consult this file especially if any UI elements are highlighted in red.
 
@@ -409,20 +471,18 @@ If you have gnuplot installed, you can also generate some pretty graphs for any
 active fuzzing task using afl-plot. For an example of how this looks like,
 see [http://lcamtuf.coredump.cx/afl/plot/](http://lcamtuf.coredump.cx/afl/plot/).
 
-
-## 9) Parallelized fuzzing
+## 10) Parallelized fuzzing
 
 Every instance of afl-fuzz takes up roughly one core. This means that on
 multi-core systems, parallelization is necessary to fully utilize the hardware.
 For tips on how to fuzz a common target on multiple cores or multiple networked
-machines, please refer to [docs/parallel_fuzzing.txt](docs/parallel_fuzzing.txt).
+machines, please refer to [docs/parallel_fuzzing.md](docs/parallel_fuzzing.md).
 
 The parallel fuzzing mode also offers a simple way for interfacing AFL to other
 fuzzers, to symbolic or concolic execution engines, and so forth; again, see the
-last section of [docs/parallel_fuzzing.txt](docs/parallel_fuzzing.txt) for tips.
+last section of [docs/parallel_fuzzing.md](docs/parallel_fuzzing.md) for tips.
 
-
-## 10) Fuzzer dictionaries
+## 12) Fuzzer dictionaries
 
 By default, afl-fuzz mutation engine is optimized for compact data formats -
 say, images, multimedia, compressed data, regular expression syntax, or shell
@@ -455,10 +515,9 @@ parsers and grammars, but isn't nearly as good as the -x mode.
 
 If a dictionary is really hard to come by, another option is to let AFL run
 for a while, and then use the token capture library that comes as a companion
-utility with AFL. For that, see [libtokencap/README.md](libtokencap/README.md).
+utility with AFL. For that, see [libtokencap/README.md](libtokencap/README.tokencap.md).
 
-
-## 11) Crash triage
+## 13) Crash triage
 
 The coverage-based grouping of crashes usually produces a small data set that
 can be quickly triaged manually or with a very simple GDB or Valgrind script.
@@ -503,10 +562,10 @@ file, attempts to sequentially flip bytes, and observes the behavior of the
 tested program. It then color-codes the input based on which sections appear to
 be critical, and which are not; while not bulletproof, it can often offer quick
 insights into complex file formats. More info about its operation can be found
-near the end of [docs/technical_details.txt](docs/technical_details.txt).
+near the end of [docs/technical_details.md](docs/technical_details.md).
 
 
-## 12) Going beyond crashes
+## 14) Going beyond crashes
 
 Fuzzing is a wonderful and underutilized technique for discovering non-crashing
 design and implementation errors, too. Quite a few interesting bugs have been
@@ -529,8 +588,7 @@ if you are the maintainer of a particular package, you can make this code
 conditional with `#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` (a flag also
 shared with libfuzzer) or `#ifdef __AFL_COMPILER` (this one is just for AFL).
 
-
-## 13) Common-sense risks
+## 15) Common-sense risks
 
 Please keep in mind that, similarly to many other computationally-intensive
 tasks, fuzzing may put strain on your hardware and on the OS. In particular:
@@ -559,8 +617,7 @@ tasks, fuzzing may put strain on your hardware and on the OS. In particular:
     $ iostat -d 3 -x -k [...optional disk ID...]
 ```
 
-
-## 14) Known limitations & areas for improvement
+## 16) Known limitations & areas for improvement
 
 Here are some of the most important caveats for AFL:
 
@@ -575,12 +632,12 @@ Here are some of the most important caveats for AFL:
     wholly wrap the actual data format to be tested.
 
     To work around this, you can comment out the relevant checks (see
-    experimental/libpng_no_checksum/ for inspiration); if this is not possible,
+    examples/libpng_no_checksum/ for inspiration); if this is not possible,
     you can also write a postprocessor, as explained in
-    experimental/post_library/ (with AFL_POST_LIBRARY)
+    examples/post_library/ (with AFL_POST_LIBRARY)
 
   - There are some unfortunate trade-offs with ASAN and 64-bit binaries. This
-    isn't due to any specific fault of afl-fuzz; see [docs/notes_for_asan.txt](docs/notes_for_asan.txt)
+    isn't due to any specific fault of afl-fuzz; see [docs/notes_for_asan.md](docs/notes_for_asan.md)
     for tips.
 
   - There is no direct support for fuzzing network services, background
@@ -600,8 +657,7 @@ Here are some of the most important caveats for AFL:
 
 Beyond this, see INSTALL for platform-specific tips.
 
-
-## 15) Special thanks
+## 17) Special thanks
 
 Many of the improvements to the original afl and afl++ wouldn't be possible
 without feedback, bug reports, or patches from:
@@ -649,12 +705,13 @@ without feedback, bug reports, or patches from:
   Nathan Voss                           Dominik Maier
   Andrea Biondo                         Vincent Le Garrec
   Khaled Yakdan                         Kuang-che Wu
+  Josephine Calliotte                   Konrad Welc
 ```
 
 Thank you!
+(For people sending pull requests - please add yourself to this list :-)
 
-
-## 16) Contact
+## 18) Contact
 
 Questions? Concerns? Bug reports? The contributors can be reached via
 [https://github.com/vanhauser-thc/AFLplusplus](https://github.com/vanhauser-thc/AFLplusplus)

TODO

@@ -1,60 +0,0 @@
-
-Roadmap 2.60:
-=============
-
-afl-fuzz:
- - radamsa mutator
- - test the libmutator actually works and does not run infinite (need an example though)
-
-gcc_plugin:
- - needs to be rewritten
- - whitelist support
- - skip over uninteresting blocks
- - laf-intel
- - neverZero
-
-qemu_mode:
- - update to 4.x (probably this will be skipped :( )
- - instrim for QEMU mode via static analysis (with r2pipe? or angr?)
-   Idea: The static analyzer outputs a map in which each edge that must be
-   skipped is marked with 1. QEMU loads it at startup in the parent process.
-
-custom_mutators:
- - rip what Superion is doing into custom mutators for js, php, etc.
-
-enhance test/test.sh script for checking if compcov features are working
-correctly (especially float splitting)
-
-
-The far away future:
-====================
-
-Problem: Average targets (tiff, jpeg, unrar) go through 1500 edges.
-         At afl's default map that means ~16 collisions and ~3 wrappings.
-  Solution #1: increase map size.
-    every +1 decreases fuzzing speed by ~10% and halfs the collisions
-    birthday paradox predicts collisions at this # of edges:
-     mapsize => collisions
-	2^16 = 302
-	2^17 = 427
-	2^18 = 603
-	2^19 = 853
-	2^20 = 1207
-	2^21 = 1706
-	2^22 = 2412
-	2^23 = 3411
-	2^24 = 4823
-    Increasing the map is an easy solution but also not a good one.
-  Solution #2: use dynamic map size and collision free basic block IDs
-    This only works in llvm_mode and llvm >= 9 though
-    A potential good future solution. Heiko/hexcoder follows this up
-  Solution #3: write instruction pointers to a big shared map
-    512kb/1MB shared map and the instrumented code writes the instruction
-    pointer into the map. Map must be big enough but could be command line
-    controlled.
-    Good: complete coverage information, nothing is lost. choice of analysis
-          impacts speed, but this can be decided by user options
-    Neutral: a little bit slower but no loss of coverage
-    Bad: completely changes how afl uses the map and the scheduling.
-    Overall another very good solution, Marc Heuse/vanHauser follows this up
-    

TODO.md

@@ -0,0 +1,92 @@
+# TODO list for AFL++
+
+## Roadmap 2.61
+
+Makefile:
+ - -march=native -Ofast -flto=full (especially for afl-fuzz)
+
+llvm_mode:
+ - using lto + opt to instrument at link time, and using a sat solver to
+   select basic block IDs that do not result in collisions
+   (Solution for "The far away future", see bottom of file)
+
+qemu_mode:
+ - ensure redqueen implementation works fine
+ - ensure no issues in persistent mode
+
+
+## Further down the road
+
+afl-fuzz:
+ - sync_fuzzers(): only masters sync from all, slaves only sync from master
+   (@andrea: be careful, often people run all slaves)
+ - ascii_only mode
+
+gcc_plugin:
+ - laf-intel
+ - better instrumentation
+
+qemu_mode:
+ - update to 4.x (probably this will be skipped :( )
+ - instrim for QEMU mode via static analysis (with r2pipe? or angr?)
+   Idea: The static analyzer outputs a map in which each edge that must be
+   skipped is marked with 1. QEMU loads it at startup in the parent process.
+ - rename qemu specific envs to AFL_QEMU (AFL_ENTRYPOINT, AFL_CODE_START/END, AFL_COMPCOV_LEVEL?)
+ - add AFL_QEMU_EXITPOINT (maybe multiple?)
+ - add/implement AFL_QEMU_INST_LIBLIST and AFL_QEMU_NOINST_PROGRAM
+ - add/implement AFL_QEMU_INST_REGIONS as a list of _START/_END addresses
+
+custom_mutators:
+ - rip what Superion is doing into custom mutators for js, php, etc.
+ - uniform python and custom mutators API
+
+
+## The far away future:
+
+Problem: Average targets (tiff, jpeg, unrar) go through 1500 edges.
+         At afl's default map that means ~16 collisions and ~3 wrappings.
+
+ - Solution #1: increase map size.
+
+    => speed loss is bad. last resort solution
+
+    every +1 decreases fuzzing speed by ~10% and halfs the collisions
+    birthday paradox predicts collisions at this # of edges:
+    
+    | mapsize | collisions |
+    | :-----: | :--------: |
+    | 2^16    | 302        |
+    | 2^17    | 427        |
+    | 2^18    | 603        |
+    | 2^19    | 853        |
+    | 2^20    | 1207       |
+    | 2^21    | 1706       |
+    | 2^22    | 2412       |
+    | 2^23    | 3411       |
+    | 2^24    | 4823       |
+
+    Increasing the map is an easy solution but also not a good one.
+
+ - Solution #2: use dynamic map size and collision free basic block IDs
+
+    => This works and is the selected solution
+
+    This only works in llvm_mode and llvm >= 9 though
+    A potential good future solution. Heiko/hexcoder follows this up
+
+ - Solution #3: write instruction pointers to a big shared map
+
+    => Tested and it is a dead end
+
+    512kb/1MB shared map and the instrumented code writes the instruction
+    pointer into the map. Map must be big enough but could be command line
+    controlled.
+    
+    Good: complete coverage information, nothing is lost. choice of analysis
+          impacts speed, but this can be decided by user options
+    
+    Neutral: a little bit slower but no loss of coverage
+    
+    Bad: completely changes how afl uses the map and the scheduling.
+    Overall another very good solution, Marc Heuse/vanHauser follows this up
+    

afl-cmin

@@ -1,470 +1,497 @@
-#!/usr/bin/env bash
+#!/usr/bin/env sh
+THISPATH=`dirname ${0}`
+export PATH="${THISPATH}:$PATH"
+awk -f - -- ${@+"$@"} <<'EOF'
+#!/usr/bin/awk -f
+
+# awk script to minimize a test corpus of input files
 #
-# american fuzzy lop - corpus minimization tool
-# ---------------------------------------------
+# based on afl-cmin bash script written by Michal Zalewski
+# rewritten by Heiko Eißfeldt (hexcoder-)
+# tested with:
+#   gnu awk (x86 Linux)
+#   bsd awk (x86 *BSD)
+#   mawk (arm32 raspbian)
 #
-# Written and maintained by Michal Zalewski <lcamtuf@google.com>
-#
-# Copyright 2014, 2015 Google Inc. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at:
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# This tool tries to find the smallest subset of files in the input directory
-# that still trigger the full range of instrumentation data points seen in
-# the starting corpus. This has two uses:
-#
-#   - Screening large corpora of input files before using them as a seed for
-#     afl-fuzz. The tool will remove functionally redundant files and likely
-#     leave you with a much smaller set.
-#
-#     (In this case, you probably also want to consider running afl-tmin on
-#     the individual files later on to reduce their size.)
-#
-#   - Minimizing the corpus generated organically by afl-fuzz, perhaps when
-#     planning to feed it to more resource-intensive tools. The tool achieves
-#     this by removing all entries that used to trigger unique behaviors in the
-#     past, but have been made obsolete by later finds.
-#
-# Note that the tool doesn't modify the files themselves. For that, you want
-# afl-tmin.
-#
-# This script must use bash because other shells may have hardcoded limits on
-# array sizes.
+# uses getopt.awk package from Arnold Robbins
 #
+# external tools used by this script:
+# test
+# grep
+# rm
+# mkdir
+# ln
+# cp
+# pwd
+# which
+# cd
+# find
+# stat
+# sort
+# cut
+# and afl-showmap from this project :-)
 
-echo "corpus minimization tool for afl-fuzz by <lcamtuf@google.com>"
-echo
+# getopt.awk --- Do C library getopt(3) function in awk
 
-#########
-# SETUP #
-#########
+# External variables:
+#    Optind -- index in ARGV of first nonoption argument
+#    Optarg -- string value of argument to current option
+#    Opterr -- if nonzero, print our own diagnostic
+#    Optopt -- current option letter
 
-# Process command-line options...
+# Returns:
+#    -1     at end of options
+#    "?"    for unrecognized option
+#    <c>    a character representing the current option
 
-MEM_LIMIT=100
-TIMEOUT=none
+# Private Data:
+#    _opti  -- index in multiflag option, e.g., -abc
 
-unset IN_DIR OUT_DIR STDIN_FILE EXTRA_PAR MEM_LIMIT_GIVEN \
-  AFL_CMIN_CRASHES_ONLY AFL_CMIN_ALLOW_ANY QEMU_MODE UNICORN_MODE
+function getopt(argc, argv, options,    thisopt, i)
+{
+    if (length(options) == 0)    # no options given
+        return -1
 
-while getopts "+i:o:f:m:t:eQUCh" opt; do
+    if (argv[Optind] == "--") {  # all done
+        Optind++
+        _opti = 0
+        return -1
+    } else if (argv[Optind] !~ /^-[^:\t ]/) {
+        _opti = 0
+        return -1
+    }
+    if (_opti == 0)
+        _opti = 2
+    thisopt = substr(argv[Optind], _opti, 1)
+    Optopt = thisopt
+    i = index(options, thisopt)
+    if (i == 0) {
+        if (Opterr)
+            printf("%c -- invalid option\n", thisopt) > "/dev/stderr"
+        if (_opti >= length(argv[Optind])) {
+            Optind++
+            _opti = 0
+        } else
+            _opti++
+        return "?"
+    }
+    if (substr(options, i + 1, 1) == ":") {
+        # get option argument
+        if (length(substr(argv[Optind], _opti + 1)) > 0)
+            Optarg = substr(argv[Optind], _opti + 1)
+        else
+            Optarg = argv[++Optind]
+        _opti = 0
+    } else
+        Optarg = ""
+    if (_opti == 0 || _opti >= length(argv[Optind])) {
+        Optind++
+        _opti = 0
+    } else
+        _opti++
+    return thisopt
+}
 
-  case "$opt" in 
+function usage() {
+   print \
+"afl-cmin [ options ] -- /path/to/target_app [ ... ]\n" \
+"\n" \
+"Required parameters:\n" \
+"  -i dir        - input directory with starting corpus\n" \
+"  -o dir        - output directory for minimized files\n" \
+"\n" \
+"Execution control settings:\n" \
+"  -f file       - location read by the fuzzed program (stdin)\n" \
+"  -m megs       - memory limit for child process ("mem_limit" MB)\n" \
+"  -t msec       - run time limit for child process (none)\n" \
+"  -Q            - use binary-only instrumentation (QEMU mode)\n" \
+"  -U            - use unicorn-based instrumentation (unicorn mode)\n" \
+"\n" \
+"Minimization settings:\n" \
+"  -C            - keep crashing inputs, reject everything else\n" \
+"  -e            - solve for edge coverage only, ignore hit counts\n" \
+"\n" \
+"For additional tips, please consult docs/README.md\n" \
+"\n" \
+"Environment variables used:\n" \
+"AFL_KEEP_TRACES: leave the temporary <out_dir>/.traces directory\n" \
+"AFL_PATH: path for the afl-showmap binary\n" \
+"AFL_SKIP_BIN_CHECK: skip check for target binary\n" \
+"AFL_ALLOW_TMP: allow unsafe use of input/output directories under {/var}/tmp\n"
+   exit 1
+}
 
-    "h")
-	;;
+function exists_and_is_executable(binarypath) {
+  return 0 == system("test -f "binarypath" -a -x "binarypath)
+}
 
-    "i")
-         IN_DIR="$OPTARG"
-         ;;
+BEGIN {
+  print "corpus minimization tool for afl++ (awk version)\n"
 
-    "o")
-         OUT_DIR="$OPTARG"
-         ;;
-    "f")
-         STDIN_FILE="$OPTARG"
-         ;;
-    "m")
-         MEM_LIMIT="$OPTARG"
-         MEM_LIMIT_GIVEN=1
-         ;;
-    "t")
-         TIMEOUT="$OPTARG"
-         ;;
-    "e")
-         EXTRA_PAR="$EXTRA_PAR -e"
-         ;;
-    "C")
-         export AFL_CMIN_CRASHES_ONLY=1
-         ;;
-    "Q")
-         EXTRA_PAR="$EXTRA_PAR -Q"
-         test "$MEM_LIMIT_GIVEN" = "" && MEM_LIMIT=250
-         QEMU_MODE=1
-         ;;
-    "U")
-         EXTRA_PAR="$EXTRA_PAR -U"
-         test "$MEM_LIMIT_GIVEN" = "" && MEM_LIMIT=250
-         UNICORN_MODE=1
-         ;;    
-    "?")
-         exit 1
-         ;;
+  # defaults
+  extra_par = ""
+  # process options
+  Opterr = 1    # default is to diagnose
+  Optind = 1    # skip ARGV[0]
+  while ((_go_c = getopt(ARGC, ARGV, "hi:o:f:m:t:eCQU?")) != -1) {
+    if (_go_c == "i") {
+      if (!Optarg) usage()
+      if (in_dir) { print "Option "_go_c" is only allowed once" > "/dev/stderr"}
+      in_dir = Optarg
+      continue
+    } else 
+    if (_go_c == "o") {
+      if (!Optarg) usage()
+      if (out_dir) { print "Option "_go_c" is only allowed once" > "/dev/stderr"}
+      out_dir = Optarg
+      continue
+    } else 
+    if (_go_c == "f") {
+      if (!Optarg) usage()
+      if (stdin_file) { print "Option "_go_c" is only allowed once" > "/dev/stderr"}
+      stdin_file = Optarg
+      continue
+    } else 
+    if (_go_c == "m") {
+      if (!Optarg) usage()
+      if (mem_limit) { print "Option "_go_c" is only allowed once" > "/dev/stderr"}
+      mem_limit = Optarg
+      mem_limit_given = 1
+      continue
+    } else 
+    if (_go_c == "t") {
+      if (!Optarg) usage()
+      if (timeout) { print "Option "_go_c" is only allowed once" > "/dev/stderr"}
+      timeout = Optarg
+      continue
+    } else 
+    if (_go_c == "C") {
+      ENVIRON["AFL_CMIN_CRASHES_ONLY"] = 1
+      continue
+    } else 
+    if (_go_c == "e") {
+      extra_par = extra_par " -e"
+      continue
+    } else 
+    if (_go_c == "Q") {
+      if (qemu_mode) { print "Option "_go_c" is only allowed once" > "/dev/stderr"}
+      extra_par = extra_par " -Q"
+      if ( !mem_limit_given ) mem_limit = "250"
+      qemu_mode = 1
+      continue
+    } else 
+    if (_go_c == "U") {
+      if (unicorn_mode) { print "Option "_go_c" is only allowed once" > "/dev/stderr"}
+      extra_par = extra_par " -U"
+      if ( !mem_limit_given ) mem_limit = "250"
+      unicorn_mode = 1
+      continue
+    } else 
+    if (_go_c == "?") {
+      exit 1
+    } else 
+      usage()
+  } # while options
 
-   esac
+  if (!mem_limit) mem_limit = 200
+  if (!timeout) timeout = "none"
 
-done
+  # get program args
+  i = 0
+  prog_args_string = ""
+  for (; Optind < ARGC; Optind++) {
+    prog_args[i++] = ARGV[Optind]
+    if (i > 1)
+      prog_args_string = prog_args_string" "ARGV[Optind]
+  }
 
-shift $((OPTIND-1))
+  # sanity checks
+  if (!prog_args[0] || !in_dir || !out_dir) usage()
 
-TARGET_BIN="$1"
+  target_bin = prog_args[0] 
 
-if [ "$TARGET_BIN" = "" -o "$IN_DIR" = "" -o "$OUT_DIR" = "" ]; then
+  # Do a sanity check to discourage the use of /tmp, since we can't really
+  # handle this safely from an awk script.
 
-  cat 1>&2 <<_EOF_
-Usage: $0 [ options ] -- /path/to/target_app [ ... ]
+  if (!ENVIRON["AFL_ALLOW_TMP"]) {
+    dirlist[0] = in_dir
+    dirlist[1] = target_bin
+    dirlist[2] = out_dir
+    dirlist[3] = stdin_file
+    "pwd" | getline dirlist[4] # current directory
+    for (dirind in dirlist) {
+      dir = dirlist[dirind]
 
-Required parameters:
+      if (dir ~ /^(\/var)?\/tmp/) {
+        print "[-] Error: do not use this script in /tmp or /var/tmp." > "/dev/stderr"
+        exit 1
+      }
+    }
+    delete dirlist
+  }
 
-  -i dir        - input directory with the starting corpus
-  -o dir        - output directory for minimized files
+  # If @@ is specified, but there's no -f, let's come up with a temporary input
+  # file name.
 
-Execution control settings:
+  trace_dir = out_dir "/.traces"
 
-  -f file       - location read by the fuzzed program (stdin)
-  -m megs       - memory limit for child process ($MEM_LIMIT MB)
-  -t msec       - run time limit for child process (none)
-  -Q            - use binary-only instrumentation (QEMU mode)
-  -U            - use unicorn-based instrumentation (Unicorn mode)
+  if (!stdin_file) {
+    found_atat = 0
+    for (prog_args_ind in prog_args) {
+      if ("@@" == prog_args[prog_args_ind]) {
+        found_atat = 1
+        break
+      }
+    }
+    if (found_atat) {
+      stdin_file = trace_dir "/.cur_input"
+    }
+  }
+
+  # Check for obvious errors.
+
+  if (mem_limit && mem_limit != "none" && mem_limit < 5) {
+    print "[-] Error: dangerously low memory limit." > "/dev/stderr"
+    exit 1
+  }
+
+  if (timeout && timeout != "none" && timeout < 10) {
+    print "[-] Error: dangerously low timeout." > "/dev/stderr"
+    exit 1
+  }
+
+  if (target_bin && !exists_and_is_executable(target_bin)) {
+
+    "which "target_bin" 2>/dev/null" | getline tnew
+    if (!tnew || !exists_and_is_executable(tnew)) {
+      print "[-] Error: binary '"target_bin"' not found or not executable." > "/dev/stderr"
+      exit 1
+    }
+    target_bin = tnew
+  }
+
+  if (!ENVIRON["AFL_SKIP_BIN_CHECK"] && !qemu_mode && !unicorn_mode) {
+    if (0 != system( "grep -q __AFL_SHM_ID "target_bin )) {
+      print "[-] Error: binary '"target_bin"' doesn't appear to be instrumented." > "/dev/stderr"
+      exit 1
+    }
+  }
+
+  if (0 != system( "test -d "in_dir )) {
+    print "[-] Error: directory '"in_dir"' not found." > "/dev/stderr"
+    exit 1
+  }
+
+  if (0 == system( "test -d "in_dir"/queue" )) {
+    in_dir = in_dir "/queue"
+  }
+
+  system("rm -rf "trace_dir" 2>/dev/null");
+  system("rm "out_dir"/id[:_]* 2>/dev/null")
+
+  "ls "out_dir"/* 2>/dev/null | wc -l" | getline noofentries
+  if (0 == system( "test -d "out_dir" -a "noofentries" -gt 0" )) {
+    print "[-] Error: directory '"out_dir"' exists and is not empty - delete it first." > "/dev/stderr"
+    exit 1
+  }
+
+  # Check for the more efficient way to copy files...
+  if (0 != system("mkdir -p -m 0700 "trace_dir)) {
+    print "[-] Error: Cannot create directory "trace_dir > "/dev/stderr"
+    exit 1
+  }
+
+  if (stdin_file) {
+    # truncate input file
+    printf "" > stdin_file
+    close( stdin_file )
+  }
+
+  if (!ENVIRON["AFL_PATH"]) {
+    if (0 == system("test -f afl-cmin")) {
+      showmap = "./afl-showmap"
+    } else {
+      "which afl-showmap 2>/dev/null" | getline showmap
+    }
+  } else {
+    showmap = ENVIRON["AFL_PATH"] "/afl-showmap"
+  }
+
+  if (!showmap || 0 != system("test -x "showmap )) {
+    print "[-] Error: can't find 'afl-showmap' - please set AFL_PATH." > "/dev/stderr"
+    exit 1
+  }
+
+  # get list of input filenames sorted by size
+  i = 0
+  # yuck, gnu stat is option incompatible to bsd stat
+  # we use a heuristic to differentiate between
+  # GNU stat and other stats
+  "stat --version 2>/dev/null" | getline statversion
+  if (statversion ~ /GNU coreutils/) {
+    stat_format = "-c '%s %n'" # GNU
+  } else {
+    stat_format = "-f '%z %N'" # *BSD, MacOS
+  }
+  cmdline = "cd "in_dir" && find . \\( ! -name . -a -type d -prune \\) -o -type f -exec stat "stat_format" \\{\\} \\; | sort -k1n -k2r"
+  cmdline = "ls "in_dir" | (cd "in_dir" && xargs stat "stat_format") | sort -k1n -k2r"
+  while (cmdline | getline) {
+    sub(/^[0-9]+ (\.\/)?/,"",$0)
+    infilesSmallToBig[i++] = $0
+  }
+  in_count = i
+
+  first_file = infilesSmallToBig[0]
   
-Minimization settings:
+  # Make sure that we're not dealing with a directory.
 
-  -C            - keep crashing inputs, reject everything else
-  -e            - solve for edge coverage only, ignore hit counts
-
-For additional tips, please consult docs/README.
-
-_EOF_
-  exit 1
-fi
-
-# Do a sanity check to discourage the use of /tmp, since we can't really
-# handle this safely from a shell script.
-
-if [ "$AFL_ALLOW_TMP" = "" ]; then
-
-  echo "$IN_DIR" | grep -qE '^(/var)?/tmp/'
-  T1="$?"
-
-  echo "$TARGET_BIN" | grep -qE '^(/var)?/tmp/'
-  T2="$?"
-
-  echo "$OUT_DIR" | grep -qE '^(/var)?/tmp/'
-  T3="$?"
-
-  echo "$STDIN_FILE" | grep -qE '^(/var)?/tmp/'
-  T4="$?"
-
-  echo "$PWD" | grep -qE '^(/var)?/tmp/'
-  T5="$?"
-
-  if [ "$T1" = "0" -o "$T2" = "0" -o "$T3" = "0" -o "$T4" = "0" -o "$T5" = "0" ]; then
-    echo "[-] Error: do not use this script in /tmp or /var/tmp." 1>&2
+  if (0 == system("test -d "in_dir"/"first_file)) {
+    print "[-] Error: The input directory contains subdirectories - please fix." > "/dev/stderr"
     exit 1
-  fi
+  }
 
-fi
+  if (0 == system("ln "in_dir"/"first_file" "trace_dir"/.link_test")) {
+    cp_tool = "ln"
+  } else {
+    cp_tool = "cp"
+  }
 
-# If @@ is specified, but there's no -f, let's come up with a temporary input
-# file name.
+  # Make sure that we can actually get anything out of afl-showmap before we
+  # waste too much time.
 
-TRACE_DIR="$OUT_DIR/.traces"
+  print "[*] Testing the target binary..."
 
-if [ "$STDIN_FILE" = "" ]; then
+  if (!stdin_file) {
+    system( "AFL_CMIN_ALLOW_ANY=1 \""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"/.run_test\" -Z "extra_par" -- \""target_bin"\" "prog_args_string" <\""in_dir"/"first_file"\"")
+  } else {
+    system("cp "in_dir"/"first_file" "stdin_file)
+    system( "AFL_CMIN_ALLOW_ANY=1 \""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"/.run_test\" -Z "extra_par" -A \""stdin_file"\" -- \""target_bin"\" "prog_args_string" </dev/null")
+  }
 
-  if echo "$*" | grep -qF '@@'; then
-    STDIN_FILE="$TRACE_DIR/.cur_input"
-  fi
+  first_count = 0
 
-fi
+  runtest = trace_dir"/.run_test"
+  while ((getline < runtest) > 0) {
+    ++first_count
+  }
 
-# Check for obvious errors.
-
-if [ ! "$MEM_LIMIT" = "none" ]; then
-
-  if [ "$MEM_LIMIT" -lt "5" ]; then
-    echo "[-] Error: dangerously low memory limit." 1>&2
+  if (first_count) {
+    print "[+] OK, "first_count" tuples recorded."
+  } else {
+    print "[-] Error: no instrumentation output detected (perhaps crash or timeout)." > "/dev/stderr"
+    if (!ENVIRON["AFL_KEEP_TRACES"]) {
+      system("rm -rf "trace_dir" 2>/dev/null")
+    }
     exit 1
-  fi
-
-fi
-
-if [ ! "$TIMEOUT" = "none" ]; then
-
-  if [ "$TIMEOUT" -lt "10" ]; then
-    echo "[-] Error: dangerously low timeout." 1>&2
-    exit 1
-  fi
-
-fi
-
-if [ ! -f "$TARGET_BIN" -o ! -x "$TARGET_BIN" ]; then
-
-  TNEW="`which "$TARGET_BIN" 2>/dev/null`"
-
-  if [ ! -f "$TNEW" -o ! -x "$TNEW" ]; then
-    echo "[-] Error: binary '$TARGET_BIN' not found or not executable." 1>&2
-    exit 1
-  fi
-
-  TARGET_BIN="$TNEW"
-
-fi
-
-if [ "$AFL_SKIP_BIN_CHECK" = "" -a "$QEMU_MODE" = "" -a "$UNICORN_MODE" = "" ]; then
-
-  if ! grep -qF "__AFL_SHM_ID" "$TARGET_BIN"; then
-    echo "[-] Error: binary '$TARGET_BIN' doesn't appear to be instrumented." 1>&2
-    exit 1
-  fi
-
-fi
-
-if [ ! -d "$IN_DIR" ]; then
-  echo "[-] Error: directory '$IN_DIR' not found." 1>&2
-  exit 1
-fi
-
-test -d "$IN_DIR/queue" && IN_DIR="$IN_DIR/queue"
-
-find "$OUT_DIR" -name 'id[:_]*' -maxdepth 1 -exec rm -- {} \; 2>/dev/null
-rm -rf "$TRACE_DIR" 2>/dev/null
-
-rmdir "$OUT_DIR" 2>/dev/null
-
-if [ -d "$OUT_DIR" ]; then
-  echo "[-] Error: directory '$OUT_DIR' exists and is not empty - delete it first." 1>&2
-  exit 1
-fi
-
-mkdir -m 700 -p "$TRACE_DIR" || exit 1
-
-if [ ! "$STDIN_FILE" = "" ]; then
-  rm -f "$STDIN_FILE" || exit 1
-  touch "$STDIN_FILE" || exit 1
-fi
-
-if [ "$AFL_PATH" = "" ]; then
-  SHOWMAP="${0%/afl-cmin}/afl-showmap"
-else
-  SHOWMAP="$AFL_PATH/afl-showmap"
-fi
-
-if [ ! -x "$SHOWMAP" ]; then
-  echo "[-] Error: can't find 'afl-showmap' - please set AFL_PATH." 1>&2
-  rm -rf "$TRACE_DIR"
-  exit 1
-fi
-
-IN_COUNT=$((`ls -- "$IN_DIR" 2>/dev/null | wc -l`))
-
-if [ "$IN_COUNT" = "0" ]; then
-  echo "[+] Hmm, no inputs in the target directory. Nothing to be done."
-  rm -rf "$TRACE_DIR"
-  exit 1
-fi
-
-FIRST_FILE=`ls "$IN_DIR" | head -1`
-
-# Make sure that we're not dealing with a directory.
-
-if [ -d "$IN_DIR/$FIRST_FILE" ]; then
-  echo "[-] Error: The target directory contains subdirectories - please fix." 1>&2
-  rm -rf "$TRACE_DIR"
-  exit 1
-fi
-
-# Check for the more efficient way to copy files...
-
-if ln "$IN_DIR/$FIRST_FILE" "$TRACE_DIR/.link_test" 2>/dev/null; then
-  CP_TOOL=ln
-else
-  CP_TOOL=cp
-fi
-
-# Make sure that we can actually get anything out of afl-showmap before we
-# waste too much time.
-
-echo "[*] Testing the target binary..."
-
-if [ "$STDIN_FILE" = "" ]; then
-
-  AFL_CMIN_ALLOW_ANY=1 "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/.run_test" -Z $EXTRA_PAR -- "$@" <"$IN_DIR/$FIRST_FILE"
-
-else
-
-  cp "$IN_DIR/$FIRST_FILE" "$STDIN_FILE"
-  AFL_CMIN_ALLOW_ANY=1 "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/.run_test" -Z $EXTRA_PAR -A "$STDIN_FILE" -- "$@" </dev/null
-
-fi
-
-FIRST_COUNT=$((`grep -c . "$TRACE_DIR/.run_test"`))
-
-if [ "$FIRST_COUNT" -gt "0" ]; then
-
-  echo "[+] OK, $FIRST_COUNT tuples recorded."
-
-else
-
-  echo "[-] Error: no instrumentation output detected (perhaps crash or timeout)." 1>&2
-  test "$AFL_KEEP_TRACES" = "" && rm -rf "$TRACE_DIR"
-  exit 1
-
-fi
-
-# Let's roll!
-
-#############################
-# STEP 1: COLLECTING TRACES #
-#############################
-
-echo "[*] Obtaining traces for input files in '$IN_DIR'..."
-
-(
-
-  CUR=0
-
-  if [ "$STDIN_FILE" = "" ]; then
-
-    while read -r fn; do
-
-      CUR=$((CUR+1))
-      printf "\\r    Processing file $CUR/$IN_COUNT... "
-
-      "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/$fn" -Z $EXTRA_PAR -- "$@" <"$IN_DIR/$fn"
-
-    done < <(ls "$IN_DIR")
-
-  else
-
-    while read -r fn; do
-
-      CUR=$((CUR+1))
-      printf "\\r    Processing file $CUR/$IN_COUNT... "
-
-      cp "$IN_DIR/$fn" "$STDIN_FILE"
-
-      "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/$fn" -Z $EXTRA_PAR -A "$STDIN_FILE" -- "$@" </dev/null
-
-    done < <(ls "$IN_DIR")
-
-
-  fi
-
-)
-
-echo
-
-##########################
-# STEP 2: SORTING TUPLES #
-##########################
-
-# With this out of the way, we sort all tuples by popularity across all
-# datasets. The reasoning here is that we won't be able to avoid the files
-# that trigger unique tuples anyway, so we will want to start with them and
-# see what's left.
-
-echo "[*] Sorting trace sets (this may take a while)..."
-
-ls "$IN_DIR" | sed "s#^#$TRACE_DIR/#" | tr '\n' '\0' | xargs -0 -n 1 cat | \
-  sort | uniq -c | sort -k 1,1 -n >"$TRACE_DIR/.all_uniq"
-
-TUPLE_COUNT=$((`grep -c . "$TRACE_DIR/.all_uniq"`))
-
-echo "[+] Found $TUPLE_COUNT unique tuples across $IN_COUNT files."
-
-#####################################
-# STEP 3: SELECTING CANDIDATE FILES #
-#####################################
-
-# The next step is to find the best candidate for each tuple. The "best"
-# part is understood simply as the smallest input that includes a particular
-# tuple in its trace. Empirical evidence suggests that this produces smaller
-# datasets than more involved algorithms that could be still pulled off in
-# a shell script.
-
-echo "[*] Finding best candidates for each tuple..."
-
-CUR=0
-
-while read -r fn; do
-
-  CUR=$((CUR+1))
-  printf "\\r    Processing file $CUR/$IN_COUNT... "
-
-  sed "s#\$# $fn#" "$TRACE_DIR/$fn" >>"$TRACE_DIR/.candidate_list"
-
-done < <(ls -rS "$IN_DIR")
-
-echo
-
-##############################
-# STEP 4: LOADING CANDIDATES #
-##############################
-
-# At this point, we have a file of tuple-file pairs, sorted by file size
-# in ascending order (as a consequence of ls -rS). By doing sort keyed
-# only by tuple (-k 1,1) and configured to output only the first line for
-# every key (-s -u), we end up with the smallest file for each tuple.
-
-echo "[*] Sorting candidate list (be patient)..."
-
-sort -k1,1 -s -u "$TRACE_DIR/.candidate_list" | \
-  sed 's/^/BEST_FILE[/;s/ /]="/;s/$/"/' >"$TRACE_DIR/.candidate_script"
-
-if [ ! -s "$TRACE_DIR/.candidate_script" ]; then
-  echo "[-] Error: no traces obtained from test cases, check syntax!" 1>&2
-  test "$AFL_KEEP_TRACES" = "" && rm -rf "$TRACE_DIR"
-  exit 1
-fi
-
-# The sed command converted the sorted list to a shell script that populates
-# BEST_FILE[tuple]="fname". Let's load that!
-
-. "$TRACE_DIR/.candidate_script"
-
-##########################
-# STEP 5: WRITING OUTPUT #
-##########################
-
-# The final trick is to grab the top pick for each tuple, unless said tuple is
-# already set due to the inclusion of an earlier candidate; and then put all
-# tuples associated with the newly-added file to the "already have" list. The
-# loop works from least popular tuples and toward the most common ones.
-
-echo "[*] Processing candidates and writing output files..."
-
-CUR=0
-
-touch "$TRACE_DIR/.already_have"
-
-while read -r cnt tuple; do
-
-  CUR=$((CUR+1))
-  printf "\\r    Processing tuple $CUR/$TUPLE_COUNT... "
-
-  # If we already have this tuple, skip it.
-
-  grep -q "^$tuple\$" "$TRACE_DIR/.already_have" && continue
-
-  FN=${BEST_FILE[tuple]}
-
-  $CP_TOOL "$IN_DIR/$FN" "$OUT_DIR/$FN"
-
-  if [ "$((CUR % 5))" = "0" ]; then
-    sort -u "$TRACE_DIR/$FN" "$TRACE_DIR/.already_have" >"$TRACE_DIR/.tmp"
-    mv -f "$TRACE_DIR/.tmp" "$TRACE_DIR/.already_have"
-  else
-    cat "$TRACE_DIR/$FN" >>"$TRACE_DIR/.already_have"
-  fi
-
-done <"$TRACE_DIR/.all_uniq"
-
-echo
-
-OUT_COUNT=`ls -- "$OUT_DIR" | wc -l`
-
-if [ "$OUT_COUNT" = "1" ]; then
-  echo "[!] WARNING: All test cases had the same traces, check syntax!"
-fi
-
-echo "[+] Narrowed down to $OUT_COUNT files, saved in '$OUT_DIR'."
-echo
-
-test "$AFL_KEEP_TRACES" = "" && rm -rf "$TRACE_DIR"
-
-exit 0
+  }
+
+  # Let's roll!
+
+  #############################
+  # STEP 1: Collecting traces #
+  #############################
+
+  print "[*] Obtaining traces for "in_count" input files in '"in_dir"'."
+
+  cur = 0;
+  if (!stdin_file) {
+    print "    Processing "in_count" files (forkserver mode)..."
+    system( "AFL_CMIN_ALLOW_ANY=1 \""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -- \""target_bin"\" "prog_args_string)
+  } else {
+    print "    Processing "in_count" files (forkserver mode)..."
+    system( "AFL_CMIN_ALLOW_ANY=1 \""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -- \""target_bin"\" "prog_args_string" </dev/null")
+  }
+
+  #######################################################
+  # STEP 2: register smallest input file for each tuple #
+  # STEP 3: copy that file (at most once)               #
+  #######################################################
+
+  print "[*] Processing traces for input files in '"in_dir"'."
+
+  cur = 0
+  out_count = 0
+  tuple_count = 0
+
+  # from rare to frequent new tuples
+  # get the best (smallest) file for it
+  # and copy it
+  while (cur < in_count) {
+    fn = infilesSmallToBig[cur]
+    ++cur
+    printf "\r    Processing file "cur"/"in_count
+    # create path for the trace file from afl-showmap
+    tracefile_path = trace_dir"/"fn
+    # gather all keys, and count them
+    while ((getline line < tracefile_path) > 0) {
+        key = line
+        if (!(key in key_count)) {
+          ++tuple_count
+        }
+        ++key_count[key]
+        if (! (key in best_file)) {
+            # this is the best file for this key
+            best_file[key] = fn
+#printf "BEST_FILE[%d]=\"%s\"\n",key,fn | "sort -t'[' -k2 > "trace_dir"/.candidate_script"
+        }
+#printf "%d %s\n",key,fn > trace_dir"/.candidate_list"
+    }
+    close(tracefile_path)
+  }
+  print ""
+
+  # sort keys
+  sortedKeys = trace_dir"/.all_uniq"
+  sortKeysCmd = "sort -k1n > "sortedKeys
+  for (key in key_count) {
+     printf "%7d %s\n",key_count[key],key | sortKeysCmd
+  }
+  close(sortKeysCmd)
+
+  # iterate over keys from rare to frequent and
+  # copy best file
+  while ((getline < sortedKeys) > 0) {
+
+    # split
+    nrFields = split($0, field, / +/)
+#print nrFields" Felder: '"field[0]"',  '"field[1]"',  '"field[2]"',  '"field[3]"'"
+    key = field[nrFields]
+
+    ++tcnt;
+    printf "\r    Processing tuple "tcnt"/"tuple_count" with count "key_count[key]"..."
+    if (key in keyAlreadyKnown) {
+      continue
+    }
+
+    fn = best_file[key]
+    # gather all tuples from the best file for this key
+    tracedfn = trace_dir"/"fn
+    while ((getline < tracedfn) > 0) {
+      keyAlreadyKnown[$0] = ""
+    }
+    close(tracedfn)
+
+    # copy file unless already done
+    if (! (fn in file_already_copied)) {
+      system(cp_tool" "in_dir"/"fn" "out_dir"/"fn)
+      file_already_copied[fn] = ""
+      ++out_count
+      #printf "tuple nr %d (%d cnt=%d) -> %s\n",tcnt,key,key_count[key],fn > trace_dir"/.log"
+    }
+  }
+  close(sortedKeys)
+  print ""
+  print "[+] Found "tuple_count" unique tuples across "in_count" files."
+
+  if (out_count == 1) {
+    print "[!] WARNING: All test cases had the same traces, check syntax!"
+  }
+  print "[+] Narrowed down to "out_count" files, saved in '"out_dir"'."
+
+  if (!ENVIRON["AFL_KEEP_TRACES"]) {
+    system("rm -rf "trace_dir" 2>/dev/null")
+  }
+
+  exit 0
+}
+EOF

afl-cmin.bash

@@ -0,0 +1,476 @@
+#!/usr/bin/env bash
+#
+# american fuzzy lop++ - corpus minimization tool
+# ---------------------------------------------
+#
+# Originally written by Michal Zalewski
+#
+# Copyright 2014, 2015 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# This tool tries to find the smallest subset of files in the input directory
+# that still trigger the full range of instrumentation data points seen in
+# the starting corpus. This has two uses:
+#
+#   - Screening large corpora of input files before using them as a seed for
+#     afl-fuzz. The tool will remove functionally redundant files and likely
+#     leave you with a much smaller set.
+#
+#     (In this case, you probably also want to consider running afl-tmin on
+#     the individual files later on to reduce their size.)
+#
+#   - Minimizing the corpus generated organically by afl-fuzz, perhaps when
+#     planning to feed it to more resource-intensive tools. The tool achieves
+#     this by removing all entries that used to trigger unique behaviors in the
+#     past, but have been made obsolete by later finds.
+#
+# Note that the tool doesn't modify the files themselves. For that, you want
+# afl-tmin.
+#
+# This script must use bash because other shells may have hardcoded limits on
+# array sizes.
+#
+
+echo "corpus minimization tool for afl-fuzz by Michal Zalewski"
+echo
+
+#########
+# SETUP #
+#########
+
+# Process command-line options...
+
+MEM_LIMIT=200
+TIMEOUT=none
+
+unset IN_DIR OUT_DIR STDIN_FILE EXTRA_PAR MEM_LIMIT_GIVEN \
+  AFL_CMIN_CRASHES_ONLY AFL_CMIN_ALLOW_ANY QEMU_MODE UNICORN_MODE
+
+while getopts "+i:o:f:m:t:eQUCh" opt; do
+
+  case "$opt" in 
+
+    "h")
+	;;
+
+    "i")
+         IN_DIR="$OPTARG"
+         ;;
+
+    "o")
+         OUT_DIR="$OPTARG"
+         ;;
+    "f")
+         STDIN_FILE="$OPTARG"
+         ;;
+    "m")
+         MEM_LIMIT="$OPTARG"
+         MEM_LIMIT_GIVEN=1
+         ;;
+    "t")
+         TIMEOUT="$OPTARG"
+         ;;
+    "e")
+         EXTRA_PAR="$EXTRA_PAR -e"
+         ;;
+    "C")
+         export AFL_CMIN_CRASHES_ONLY=1
+         ;;
+    "Q")
+         EXTRA_PAR="$EXTRA_PAR -Q"
+         test "$MEM_LIMIT_GIVEN" = "" && MEM_LIMIT=250
+         QEMU_MODE=1
+         ;;
+    "U")
+         EXTRA_PAR="$EXTRA_PAR -U"
+         test "$MEM_LIMIT_GIVEN" = "" && MEM_LIMIT=250
+         UNICORN_MODE=1
+         ;;    
+    "?")
+         exit 1
+         ;;
+
+   esac
+
+done
+
+shift $((OPTIND-1))
+
+TARGET_BIN="$1"
+
+if [ "$TARGET_BIN" = "" -o "$IN_DIR" = "" -o "$OUT_DIR" = "" ]; then
+
+  cat 1>&2 <<_EOF_
+Usage: $0 [ options ] -- /path/to/target_app [ ... ]
+
+Required parameters:
+
+  -i dir        - input directory with the starting corpus
+  -o dir        - output directory for minimized files
+
+Execution control settings:
+
+  -f file       - location read by the fuzzed program (stdin)
+  -m megs       - memory limit for child process ($MEM_LIMIT MB)
+  -t msec       - run time limit for child process (none)
+  -Q            - use binary-only instrumentation (QEMU mode)
+  -U            - use unicorn-based instrumentation (Unicorn mode)
+  
+Minimization settings:
+
+  -C            - keep crashing inputs, reject everything else
+  -e            - solve for edge coverage only, ignore hit counts
+
+For additional tips, please consult docs/README.md.
+
+Environment variables used:
+AFL_KEEP_TRACES: leave the temporary <out_dir>\.traces directory
+AFL_PATH: path for the afl-showmap binary
+AFL_SKIP_BIN_CHECK: skip check for target binary
+AFL_ALLOW_TMP: allow unsafe use of input/output directories under {/var}/tmp
+_EOF_
+  exit 1
+fi
+
+# Do a sanity check to discourage the use of /tmp, since we can't really
+# handle this safely from a shell script.
+
+if [ "$AFL_ALLOW_TMP" = "" ]; then
+
+  echo "$IN_DIR" | grep -qE '^(/var)?/tmp/'
+  T1="$?"
+
+  echo "$TARGET_BIN" | grep -qE '^(/var)?/tmp/'
+  T2="$?"
+
+  echo "$OUT_DIR" | grep -qE '^(/var)?/tmp/'
+  T3="$?"
+
+  echo "$STDIN_FILE" | grep -qE '^(/var)?/tmp/'
+  T4="$?"
+
+  echo "$PWD" | grep -qE '^(/var)?/tmp/'
+  T5="$?"
+
+  if [ "$T1" = "0" -o "$T2" = "0" -o "$T3" = "0" -o "$T4" = "0" -o "$T5" = "0" ]; then
+    echo "[-] Error: do not use this script in /tmp or /var/tmp." 1>&2
+    exit 1
+  fi
+
+fi
+
+# If @@ is specified, but there's no -f, let's come up with a temporary input
+# file name.
+
+TRACE_DIR="$OUT_DIR/.traces"
+
+if [ "$STDIN_FILE" = "" ]; then
+
+  if echo "$*" | grep -qF '@@'; then
+    STDIN_FILE="$TRACE_DIR/.cur_input"
+  fi
+
+fi
+
+# Check for obvious errors.
+
+if [ ! "$MEM_LIMIT" = "none" ]; then
+
+  if [ "$MEM_LIMIT" -lt "5" ]; then
+    echo "[-] Error: dangerously low memory limit." 1>&2
+    exit 1
+  fi
+
+fi
+
+if [ ! "$TIMEOUT" = "none" ]; then
+
+  if [ "$TIMEOUT" -lt "10" ]; then
+    echo "[-] Error: dangerously low timeout." 1>&2
+    exit 1
+  fi
+
+fi
+
+if [ ! -f "$TARGET_BIN" -o ! -x "$TARGET_BIN" ]; then
+
+  TNEW="`which "$TARGET_BIN" 2>/dev/null`"
+
+  if [ ! -f "$TNEW" -o ! -x "$TNEW" ]; then
+    echo "[-] Error: binary '$TARGET_BIN' not found or not executable." 1>&2
+    exit 1
+  fi
+
+  TARGET_BIN="$TNEW"
+
+fi
+
+if [ "$AFL_SKIP_BIN_CHECK" = "" -a "$QEMU_MODE" = "" -a "$UNICORN_MODE" = "" ]; then
+
+  if ! grep -qF "__AFL_SHM_ID" "$TARGET_BIN"; then
+    echo "[-] Error: binary '$TARGET_BIN' doesn't appear to be instrumented." 1>&2
+    exit 1
+  fi
+
+fi
+
+if [ ! -d "$IN_DIR" ]; then
+  echo "[-] Error: directory '$IN_DIR' not found." 1>&2
+  exit 1
+fi
+
+test -d "$IN_DIR/queue" && IN_DIR="$IN_DIR/queue"
+
+find "$OUT_DIR" -name 'id[:_]*' -maxdepth 1 -exec rm -- {} \; 2>/dev/null
+rm -rf "$TRACE_DIR" 2>/dev/null
+
+rmdir "$OUT_DIR" 2>/dev/null
+
+if [ -d "$OUT_DIR" ]; then
+  echo "[-] Error: directory '$OUT_DIR' exists and is not empty - delete it first." 1>&2
+  exit 1
+fi
+
+mkdir -m 700 -p "$TRACE_DIR" || exit 1
+
+if [ ! "$STDIN_FILE" = "" ]; then
+  rm -f "$STDIN_FILE" || exit 1
+  touch "$STDIN_FILE" || exit 1
+fi
+
+if [ "$AFL_PATH" = "" ]; then
+  SHOWMAP="${0%/afl-cmin}/afl-showmap"
+else
+  SHOWMAP="$AFL_PATH/afl-showmap"
+fi
+
+if [ ! -x "$SHOWMAP" ]; then
+  echo "[-] Error: can't find 'afl-showmap' - please set AFL_PATH." 1>&2
+  rm -rf "$TRACE_DIR"
+  exit 1
+fi
+
+IN_COUNT=$((`ls -- "$IN_DIR" 2>/dev/null | wc -l`))
+
+if [ "$IN_COUNT" = "0" ]; then
+  echo "[+] Hmm, no inputs in the target directory. Nothing to be done."
+  rm -rf "$TRACE_DIR"
+  exit 1
+fi
+
+FIRST_FILE=`ls "$IN_DIR" | head -1`
+
+# Make sure that we're not dealing with a directory.
+
+if [ -d "$IN_DIR/$FIRST_FILE" ]; then
+  echo "[-] Error: The target directory contains subdirectories - please fix." 1>&2
+  rm -rf "$TRACE_DIR"
+  exit 1
+fi
+
+# Check for the more efficient way to copy files...
+
+if ln "$IN_DIR/$FIRST_FILE" "$TRACE_DIR/.link_test" 2>/dev/null; then
+  CP_TOOL=ln
+else
+  CP_TOOL=cp
+fi
+
+# Make sure that we can actually get anything out of afl-showmap before we
+# waste too much time.
+
+echo "[*] Testing the target binary..."
+
+if [ "$STDIN_FILE" = "" ]; then
+
+  AFL_CMIN_ALLOW_ANY=1 "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/.run_test" -Z $EXTRA_PAR -- "$@" <"$IN_DIR/$FIRST_FILE"
+
+else
+
+  cp "$IN_DIR/$FIRST_FILE" "$STDIN_FILE"
+  AFL_CMIN_ALLOW_ANY=1 "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/.run_test" -Z $EXTRA_PAR -A "$STDIN_FILE" -- "$@" </dev/null
+
+fi
+
+FIRST_COUNT=$((`grep -c . "$TRACE_DIR/.run_test"`))
+
+if [ "$FIRST_COUNT" -gt "0" ]; then
+
+  echo "[+] OK, $FIRST_COUNT tuples recorded."
+
+else
+
+  echo "[-] Error: no instrumentation output detected (perhaps crash or timeout)." 1>&2
+  test "$AFL_KEEP_TRACES" = "" && rm -rf "$TRACE_DIR"
+  exit 1
+
+fi
+
+# Let's roll!
+
+#############################
+# STEP 1: COLLECTING TRACES #
+#############################
+
+echo "[*] Obtaining traces for input files in '$IN_DIR'..."
+
+(
+
+  CUR=0
+
+  if [ "$STDIN_FILE" = "" ]; then
+
+    ls "$IN_DIR" | while read -r fn; do
+
+      CUR=$((CUR+1))
+      printf "\\r    Processing file $CUR/$IN_COUNT... "
+
+      "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/$fn" -Z $EXTRA_PAR -- "$@" <"$IN_DIR/$fn"
+
+    done
+
+  else
+
+    ls "$IN_DIR" | while read -r fn; do
+
+      CUR=$((CUR+1))
+      printf "\\r    Processing file $CUR/$IN_COUNT... "
+
+      cp "$IN_DIR/$fn" "$STDIN_FILE"
+
+      "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/$fn" -Z $EXTRA_PAR -A "$STDIN_FILE" -- "$@" </dev/null
+
+    done
+
+
+  fi
+
+)
+
+echo
+
+##########################
+# STEP 2: SORTING TUPLES #
+##########################
+
+# With this out of the way, we sort all tuples by popularity across all
+# datasets. The reasoning here is that we won't be able to avoid the files
+# that trigger unique tuples anyway, so we will want to start with them and
+# see what's left.
+
+echo "[*] Sorting trace sets (this may take a while)..."
+
+ls "$IN_DIR" | sed "s#^#$TRACE_DIR/#" | tr '\n' '\0' | xargs -0 -n 1 cat | \
+  sort | uniq -c | sort -k 1,1 -n >"$TRACE_DIR/.all_uniq"
+
+TUPLE_COUNT=$((`grep -c . "$TRACE_DIR/.all_uniq"`))
+
+echo "[+] Found $TUPLE_COUNT unique tuples across $IN_COUNT files."
+
+#####################################
+# STEP 3: SELECTING CANDIDATE FILES #
+#####################################
+
+# The next step is to find the best candidate for each tuple. The "best"
+# part is understood simply as the smallest input that includes a particular
+# tuple in its trace. Empirical evidence suggests that this produces smaller
+# datasets than more involved algorithms that could be still pulled off in
+# a shell script.
+
+echo "[*] Finding best candidates for each tuple..."
+
+CUR=0
+
+ls -rS "$IN_DIR" | while read -r fn; do
+
+  CUR=$((CUR+1))
+  printf "\\r    Processing file $CUR/$IN_COUNT... "
+
+  sed "s#\$# $fn#" "$TRACE_DIR/$fn" >>"$TRACE_DIR/.candidate_list"
+
+done
+
+echo
+
+##############################
+# STEP 4: LOADING CANDIDATES #
+##############################
+
+# At this point, we have a file of tuple-file pairs, sorted by file size
+# in ascending order (as a consequence of ls -rS). By doing sort keyed
+# only by tuple (-k 1,1) and configured to output only the first line for
+# every key (-s -u), we end up with the smallest file for each tuple.
+
+echo "[*] Sorting candidate list (be patient)..."
+
+sort -k1,1 -s -u "$TRACE_DIR/.candidate_list" | \
+  sed 's/^/BEST_FILE[/;s/ /]="/;s/$/"/' >"$TRACE_DIR/.candidate_script"
+
+if [ ! -s "$TRACE_DIR/.candidate_script" ]; then
+  echo "[-] Error: no traces obtained from test cases, check syntax!" 1>&2
+  test "$AFL_KEEP_TRACES" = "" && rm -rf "$TRACE_DIR"
+  exit 1
+fi
+
+# The sed command converted the sorted list to a shell script that populates
+# BEST_FILE[tuple]="fname". Let's load that!
+
+. "$TRACE_DIR/.candidate_script"
+
+##########################
+# STEP 5: WRITING OUTPUT #
+##########################
+
+# The final trick is to grab the top pick for each tuple, unless said tuple is
+# already set due to the inclusion of an earlier candidate; and then put all
+# tuples associated with the newly-added file to the "already have" list. The
+# loop works from least popular tuples and toward the most common ones.
+
+echo "[*] Processing candidates and writing output files..."
+
+CUR=0
+
+touch "$TRACE_DIR/.already_have"
+
+while read -r cnt tuple; do
+
+  CUR=$((CUR+1))
+  printf "\\r    Processing tuple $CUR/$TUPLE_COUNT with count $cnt... "
+
+  # If we already have this tuple, skip it.
+
+  grep -q "^$tuple\$" "$TRACE_DIR/.already_have" && continue
+
+  FN=${BEST_FILE[tuple]}
+
+#  echo "tuple nr $CUR ($tuple cnt=$cnt) -> $FN" >> "$TRACE_DIR/.log"
+  $CP_TOOL "$IN_DIR/$FN" "$OUT_DIR/$FN"
+
+  if [ "$((CUR % 5))" = "0" ]; then
+    sort -u "$TRACE_DIR/$FN" "$TRACE_DIR/.already_have" >"$TRACE_DIR/.tmp"
+    mv -f "$TRACE_DIR/.tmp" "$TRACE_DIR/.already_have"
+  else
+    cat "$TRACE_DIR/$FN" >>"$TRACE_DIR/.already_have"
+  fi
+
+done <"$TRACE_DIR/.all_uniq"
+
+echo
+
+OUT_COUNT=`ls -- "$OUT_DIR" | wc -l`
+
+if [ "$OUT_COUNT" = "1" ]; then
+  echo "[!] WARNING: All test cases had the same traces, check syntax!"
+fi
+
+echo "[+] Narrowed down to $OUT_COUNT files, saved in '$OUT_DIR'."
+echo
+
+test "$AFL_KEEP_TRACES" = "" && rm -rf "$TRACE_DIR"
+
+exit 0

afl-plot

@@ -1,9 +1,9 @@
 #!/bin/sh
 #
-# american fuzzy lop - Advanced Persistent Graphing
+# american fuzzy lop++ - Advanced Persistent Graphing
 # -------------------------------------------------
 #
-# Written and maintained by Michal Zalewski <lcamtuf@google.com>
+# Originally written by Michal Zalewski
 # Based on a design & prototype by Michael Rash.
 #
 # Copyright 2014, 2015 Google Inc. All rights reserved.
@@ -15,7 +15,7 @@
 #   http://www.apache.org/licenses/LICENSE-2.0
 #
 
-echo "progress plotting utility for afl-fuzz by <lcamtuf@google.com>"
+echo "progress plotting utility for afl-fuzz by Michal Zalewski"
 echo
 
 if [ ! "$#" = "2" ]; then
@@ -32,6 +32,8 @@ an empty directory where this tool can write the resulting plots to.
 The program will put index.html and three PNG images in the output directory;
 you should be able to view it with any web browser of your choice.
 
+Environment variables used:
+AFL_ALLOW_TMP: allow /var/tmp or /tmp for input and output directories
 _EOF_
 
   exit 1

afl-system-config

@@ -1,6 +1,6 @@
 #!/bin/sh
 test "$1" = "-h" && {
-  echo afl-system-config by Marc Heuse
+  echo 'afl-system-config by Marc Heuse <mh@mh-sec.de>'
   echo
   echo $0
   echo
@@ -12,55 +12,72 @@ test "$1" = "-h" && {
   exit 1
 }
 
+DONE=
 PLATFORM=`uname -s`
-echo This reconfigures the system to have a better fuzzing performance
+echo This reconfigures the system to have a better fuzzing performance.
 if [ '!' "$EUID" = 0 ] && [ '!' `id -u` = 0 ] ; then
-	echo Error you need to be root to run this
-	exit 1
+	echo "Warning: you need to be root to run this!"
+	# we do not exit as other mechanisms exist that allows to do this than
+	# being root. let the errors speak for themselves.
 fi
 if [ "$PLATFORM" = "Linux" ] ; then
-sysctl -w kernel.core_pattern=core
-sysctl -w kernel.randomize_va_space=0
-sysctl -w kernel.sched_child_runs_first=1
-sysctl -w kernel.sched_autogroup_enabled=1
-sysctl -w kernel.sched_migration_cost_ns=50000000
-sysctl -w kernel.sched_latency_ns=250000000
-echo never > /sys/kernel/mm/transparent_hugepage/enabled
-test -e /sys/devices/system/cpu/cpufreq/scaling_governor && echo performance | tee /sys/devices/system/cpu/cpufreq/scaling_governor
-test -e /sys/devices/system/cpu/cpufreq/policy0/scaling_governor && echo performance | tee /sys/devices/system/cpu/cpufreq/policy*/scaling_governor
-test -e /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor && echo performance | tee /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor
-test -e /sys/devices/system/cpu/intel_pstate/no_turbo && echo 0 > /sys/devices/system/cpu/intel_pstate/no_turbo
-test -e /sys/devices/system/cpu/cpufreq/boost && echo 1 > /sys/devices/system/cpu/cpufreq/boost
-echo
-echo It is recommended to boot the kernel with lots of security off - if you are running a machine that is in a secured network - so set this:
-echo '/etc/default/grub:GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=off l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs nopcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off"'
+{
+  sysctl -w kernel.core_pattern=core
+  sysctl -w kernel.randomize_va_space=0
+  sysctl -w kernel.sched_child_runs_first=1
+  sysctl -w kernel.sched_autogroup_enabled=1
+  sysctl -w kernel.sched_migration_cost_ns=50000000
+  sysctl -w kernel.sched_latency_ns=250000000
+  echo never > /sys/kernel/mm/transparent_hugepage/enabled
+  test -e /sys/devices/system/cpu/cpufreq/scaling_governor && echo performance | tee /sys/devices/system/cpu/cpufreq/scaling_governor
+  test -e /sys/devices/system/cpu/cpufreq/policy0/scaling_governor && echo performance | tee /sys/devices/system/cpu/cpufreq/policy*/scaling_governor
+  test -e /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor && echo performance | tee /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor
+  test -e /sys/devices/system/cpu/intel_pstate/no_turbo && echo 0 > /sys/devices/system/cpu/intel_pstate/no_turbo
+  test -e /sys/devices/system/cpu/cpufreq/boost && echo 1 > /sys/devices/system/cpu/cpufreq/boost
+} > /dev/null
+  echo Settings applied.
+  dmesg | egrep -q 'nospectre_v2|spectre_v2=off' || {
+    echo It is recommended to boot the kernel with lots of security off - if you are running a machine that is in a secured network - so set this:
+    echo '  /etc/default/grub:GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=off l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs nopcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off"'
+  }
+  DONE=1
 fi
 if [ "$PLATFORM" = "FreeBSD" ] ; then
-sysctl kern.elf32.aslr.enable=0
-sysctl kern.elf64.aslr.enable=0
-echo
-echo It is recommended to boot the kernel with lots of security off - if you are running a machine that is in a secured network - so set this:
-echo 'sysctl hw.ibrs_disable=1'
-echo
-echo 'Setting kern.pmap.pg_ps_enabled=0 into /boot/loader.conf might be helpful too.'
+{
+  sysctl kern.elf32.aslr.enable=0
+  sysctl kern.elf64.aslr.enable=0
+} > /dev/null
+  echo Settings applied.
+  echo It is recommended to boot the kernel with lots of security off - if you are running a machine that is in a secured network - so set this:
+  echo '  sysctl hw.ibrs_disable=1'
+  echo 'Setting kern.pmap.pg_ps_enabled=0 into /boot/loader.conf might be helpful too.'
+  DONE=1
 fi
 if [ "$PLATFORM" = "OpenBSD" ] ; then
-echo
-echo 'System security features cannot be disabled on OpenBSD.'
+  echo
+  echo 'System security features cannot be disabled on OpenBSD.'
+  DONE=1
 fi
 if [ "$PLATFORM" = "NetBSD" ] ; then
-echo
-echo It is recommended to enable unprivileged users to set cpu affinity
-echo to be able to use afl-gotcpu meaningfully.
-/sbin/sysctl -w security.models.extensions.user_set_cpu_affinity=1
+{
+  #echo It is recommended to enable unprivileged users to set cpu affinity
+  #echo to be able to use afl-gotcpu meaningfully.
+  /sbin/sysctl -w security.models.extensions.user_set_cpu_affinity=1
+} > /dev/null
+  echo Settings applied.
+  DONE=1
 fi
 if [ "$PLATFORM" = "Darwin" ] ; then
   if [ $(launchctl list 2>/dev/null | grep -q '\.ReportCrash$') ] ; then
-echo We unload the default crash reporter here
-SL=/System/Library; PL=com.apple.ReportCrash
-launchctl unload -w ${SL}/LaunchAgents/${PL}.plist
-sudo launchctl unload -w ${SL}/LaunchDaemons/${PL}.Root.plist
+    echo We unload the default crash reporter here
+    SL=/System/Library; PL=com.apple.ReportCrash
+    launchctl unload -w ${SL}/LaunchAgents/${PL}.plist
+    sudo launchctl unload -w ${SL}/LaunchDaemons/${PL}.Root.plist
+    echo Settings applied.
+  else
+    echo Nothing to do.
   fi
+  DONE=1
 fi
-echo
-echo Also use AFL_TMPDIR to use a tmpfs for the input file
+test -z "$DONE" && echo Error: Unknown platform: $PLATFORM
+test -z "$AFL_TMPDIR" && echo Also use AFL_TMPDIR and point it to a tmpfs for the input file caching

afl-whatsup

@@ -1,11 +1,12 @@
 #!/bin/sh
 #
-# american fuzzy lop - status check tool
-# --------------------------------------
+# american fuzzy lop++ - status check tool
+# ----------------------------------------
 #
-# Written and maintained by Michal Zalewski <lcamtuf@google.com>
+# Originally written by Michal Zalewski
 #
 # Copyright 2015 Google Inc. All rights reserved.
+# Copyright 2019-2020 AFLplusplus Project. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -17,12 +18,13 @@
 # instances of afl-fuzz.
 #
 
-echo "status check tool for afl-fuzz by <lcamtuf@google.com>"
+echo "$0 status check tool for afl-fuzz by Michal Zalewski"
 echo
 test "$1" = "-h" && {
-  echo $0
+  echo $0 [-s] output_directory
   echo
-  echo afl-whatsup has no command line options
+  echo Options:
+  echo   -s  -  skip details and output summary results only
   echo
   exit 1
 }
@@ -44,7 +46,7 @@ if [ "$DIR" = "" ]; then
   echo "Usage: $0 [ -s ] afl_sync_dir" 1>&2
   echo 1>&2
   echo "The -s option causes the tool to skip all the per-fuzzer trivia and show" 1>&2
-  echo "just the summary results. See docs/parallel_fuzzing.txt for additional tips." 1>&2
+  echo "just the summary results. See docs/parallel_fuzzing.md for additional tips." 1>&2
   echo 1>&2
   exit 1
 
@@ -61,7 +63,7 @@ fi
 
 CUR_TIME=`date +%s`
 
-TMP=`mktemp -t .afl-whatsup-XXXXXXXX` || TMP=`mktemp -p /data/local/tmp .afl-whatsup-XXXXXXXX` || exit 1
+TMP=`mktemp -t .afl-whatsup-XXXXXXXX` || TMP=`mktemp -p /data/local/tmp .afl-whatsup-XXXXXXXX` || TMP=`mktemp -p /data/local/tmp .afl-whatsup-XXXXXXXX` || exit 1
 
 ALIVE_CNT=0
 DEAD_CNT=0

afl-wine-trace

@@ -4,9 +4,10 @@ import os
 import sys
 import pefile
 import shutil
+import subprocess
 
 if len(sys.argv) < 2:
-    print("[afl-wine-trace] usage: wine-cov binary [args...]\n")
+    print("[afl-wine-trace] usage: ./afl-wine-trace binary [args...]\n")
     exit(1)
 
 if os.getenv("AFL_PATH"):
@@ -42,14 +43,20 @@ else:
     elif pe.FILE_HEADER.Machine == pefile.MACHINE_TYPE["IMAGE_FILE_MACHINE_I386"]:
         qemu_path += "i386"
     else:
-        print ("[wine-cov] unsuppoted architecture\n")
+        print ("[afl-wine-trace] unsuppoted architecture\n")
         exit(1)
     qemu_path = shutil.which(qemu_path)
 
-if os.getenv("WINECOV_WINE_PATH"):
-    wine_path = os.getenv("WINECOV_WINE_PATH")
+wine_path = None
+if os.getenv("AFL_WINE_PATH"):
+    wine_path = os.getenv("AFL_WINE_PATH")
 else:
-    wine_path = "/usr/lib/wine/wine"
+    if not wine_path and shutil.which("wine"):
+        wine_path = shutil.which("wine")
+    if not wine_path and os.path.exists("/usr/bin/wine"):
+        wine_path = "/usr/bin/wine"
+    if not wine_path and os.path.exists("/usr/lib/wine/wine"):
+        wine_path = "/usr/lib/wine/wine"
     if pe.FILE_HEADER.Machine == pefile.MACHINE_TYPE["IMAGE_FILE_MACHINE_AMD64"] or pe.FILE_HEADER.Machine == pefile.MACHINE_TYPE["IMAGE_FILE_MACHINE_IA64"]:
         wine_path += "64"
     elif pe.FILE_HEADER.Machine == pefile.MACHINE_TYPE["IMAGE_FILE_MACHINE_I386"]:
@@ -58,4 +65,11 @@ else:
         print ("[afl-wine-trace] unsopported architecture\n")
         exit(1)
 
-os.execve(qemu_path, [qemu_path, wine_path] + sys.argv[1:], os.environ)
+argv = sys.argv[1:]
+for i in range(len(argv)):
+    if ".cur_input" in argv[i]:
+        argv[i] = subprocess.run([os.path.join(os.path.dirname(wine_path), "winepath"), "--windows", argv[i]], universal_newlines=True, stdout=subprocess.PIPE).stdout
+        break
+
+print("[afl-wine-trace] exec:", " ".join([qemu_path, wine_path] + argv))
+os.execve(qemu_path, [qemu_path, wine_path] + argv, os.environ)

custom_mutators/README

@@ -1,2 +0,0 @@
-This is a simple example for the AFL_CUSTOM_MUTATOR_LIBRARY feature.
-For more information see docs/custom_mutator.txt

dictionaries/gif.dict

@@ -2,7 +2,7 @@
 # AFL dictionary for GIF images
 # -----------------------------
 #
-# Created by Michal Zalewski <lcamtuf@google.com>
+# Created by Michal Zalewski
 #
 
 header_87a="87a"

dictionaries/html_tags.dict

@@ -5,7 +5,7 @@
 # A basic collection of HTML tags likely to matter to HTML parsers. Does *not*
 # include any attributes or attribute values.
 #
-# Created by Michal Zalewski <lcamtuf@google.com>
+# Created by Michal Zalewski
 #
 
 tag_a="<a>"

dictionaries/jpeg.dict

@@ -2,7 +2,7 @@
 # AFL dictionary for JPEG images
 # ------------------------------
 #
-# Created by Michal Zalewski <lcamtuf@google.com>
+# Created by Michal Zalewski
 #
 
 header_jfif="JFIF\x00"

dictionaries/js.dict

@@ -4,7 +4,7 @@
 #
 # Contains basic reserved keywords and syntax building blocks.
 #
-# Created by Michal Zalewski <lcamtuf@google.com>
+# Created by Michal Zalewski
 #
 
 keyword_arguments="arguments"

dictionaries/png.dict

@@ -5,7 +5,7 @@
 # Just the basic, standard-originating sections; does not include vendor
 # extensions.
 #
-# Created by Michal Zalewski <lcamtuf@google.com>
+# Created by Michal Zalewski
 #
 
 header_png="\x89PNG\x0d\x0a\x1a\x0a"

dictionaries/regexp.dict

@@ -0,0 +1,603 @@
+#
+# AFL dictionary for regex
+# --------------------------
+#
+# Contains various regular expressions.
+#
+# Created by Yang Guo <yangguo@chromium.org>
+#
+# Contributed by Dhiraj Mishra <dhiraj@inputzero.io>
+#
+"?"
+"abc"
+"()"
+"[]"
+"abc|def"
+"abc|def|ghi"
+"^xxx$"
+"ab\\b\\d\\bcd"
+"\\w|\\d"
+"a*?"
+"abc+"
+"abc+?"
+"xyz?"
+"xyz??"
+"xyz{0,1}"
+"xyz{0,1}?"
+"xyz{93}"
+"xyz{1,32}"
+"xyz{1,32}?"
+"xyz{1,}"
+"xyz{1,}?"
+"a\\fb\\nc\\rd\\te\\vf"
+"a\\nb\\bc"
+"(?:foo)"
+"(?: foo )"
+"foo|(bar|baz)|quux"
+"foo(?=bar)baz"
+"foo(?!bar)baz"
+"foo(?<=bar)baz"
+"foo(?<!bar)baz"
+"()"
+"(?=)"
+"[]"
+"[x]"
+"[xyz]"
+"[a-zA-Z0-9]"
+"[-123]"
+"[^123]"
+"]"
+"}"
+"[a-b-c]"
+"[x\\dz]"
+"[\\d-z]"
+"[\\d-\\d]"
+"[z-\\d]"
+"\\cj\\cJ\\ci\\cI\\ck\\cK"
+"\\c!"
+"\\c_"
+"\\c~"
+"[\\c!]"
+"[\\c_]"
+"[\\c~]"
+"[\\ca]"
+"[\\cz]"
+"[\\cA]"
+"[\\cZ]"
+"[\\c1]"
+"\\[\\]\\{\\}\\(\\)\\%\\^\\#\\ "
+"[\\[\\]\\{\\}\\(\\)\\%\\^\\#\\ ]"
+"\\8"
+"\\9"
+"\\11"
+"\\11a"
+"\\011"
+"\\118"
+"\\111"
+"\\1111"
+"(x)(x)(x)\\1"
+"(x)(x)(x)\\2"
+"(x)(x)(x)\\3"
+"(x)(x)(x)\\4"
+"(x)(x)(x)\\1*"
+"(x)(x)(x)\\3*"
+"(x)(x)(x)\\4*"
+"(x)(x)(x)(x)(x)(x)(x)(x)(x)(x)\\10"
+"(x)(x)(x)(x)(x)(x)(x)(x)(x)(x)\\11"
+"(a)\\1"
+"(a\\1)"
+"(\\1a)"
+"(\\2)(\\1)"
+"(?=a){0,10}a"
+"(?=a){1,10}a"
+"(?=a){9,10}a"
+"(?!a)?a"
+"\\1(a)"
+"(?!(a))\\1"
+"(?!\\1(a\\1)\\1)\\1"
+"\\1\\2(a(?:\\1(b\\1\\2))\\2)\\1"
+"[\\0]"
+"[\\11]"
+"[\\11a]"
+"[\\011]"
+"[\\00011]"
+"[\\118]"
+"[\\111]"
+"[\\1111]"
+"\\x60"
+"\\x3z"
+"\\c"
+"\\u0034"
+"\\u003z"
+"foo[z]*"
+"\\u{12345}"
+"\\u{12345}\\u{23456}"
+"\\u{12345}{3}"
+"\\u{12345}*"
+"\\ud808\\udf45*"
+"[\\ud808\\udf45-\\ud809\\udccc]"
+"a"
+"a|b"
+"a\\n"
+"a$"
+"a\\b!"
+"a\\Bb"
+"a*?"
+"a?"
+"a??"
+"a{0,1}?"
+"a{1,2}?"
+"a+?"
+"(a)"
+"(a)\\1"
+"(\\1a)"
+"\\1(a)"
+"a\\s"
+"a\\S"
+"a\\D"
+"a\\w"
+"a\\W"
+"a."
+"a\\q"
+"a[a]"
+"a[^a]"
+"a[a-z]"
+"a(?:b)"
+"a(?=b)"
+"a(?!b)"
+"\\x60"
+"\\u0060"
+"\\cA"
+"\\q"
+"\\1112"
+"(a)\\1"
+"(?!a)?a\\1"
+"(?:(?=a))a\\1"
+"a{}"
+"a{,}"
+"a{"
+"a{z}"
+"a{12z}"
+"a{12,"
+"a{12,3b"
+"{}"
+"{,}"
+"{"
+"{z}"
+"{1z}"
+"{12,"
+"{12,3b"
+"a"
+"abc"
+"a[bc]d"
+"a|bc"
+"ab|c"
+"a||bc"
+"(?:ab)"
+"(?:ab|cde)"
+"(?:ab)|cde"
+"(ab)"
+"(ab|cde)"
+"(ab)\\1"
+"(ab|cde)\\1"
+"(?:ab)?"
+"(?:ab)+"
+"a?"
+"a+"
+"a??"
+"a*?"
+"a+?"
+"(?:a?)?"
+"(?:a+)?"
+"(?:a?)+"
+"(?:a*)+"
+"(?:a+)+"
+"(?:a?)*"
+"(?:a*)*"
+"(?:a+)*"
+"a{0}"
+"(?:a+){0,0}"
+"a*b"
+"a+b"
+"a*b|c"
+"a+b|c"
+"(?:a{5,1000000}){3,1000000}"
+"(?:ab){4,7}"
+"a\\bc"
+"a\\sc"
+"a\\Sc"
+"a(?=b)c"
+"a(?=bbb|bb)c"
+"a(?!bbb|bb)c"
+"\xe2\x81\xa3"
+"[\xe2\x81\xa3]"
+"\xed\xb0\x80"
+"\xed\xa0\x80"
+"(\xed\xb0\x80)\x01"
+"((\xed\xa0\x80))\x02"
+"\xf0\x9f\x92\xa9"
+"\x01"
+"\x0f"
+"[-\xf0\x9f\x92\xa9]+"
+"[\xf0\x9f\x92\xa9-\xf4\x8f\xbf\xbf]"
+"(?<=)"
+"(?<=a)"
+"(?<!)"
+"(?<!a)"
+"(?<a>)"
+"(?<a>.)"
+"(?<a>.)\\k<a>"
+"\\p{Script=Greek}"
+"\\P{sc=Greek}"
+"\\p{Script_Extensions=Greek}"
+"\\P{scx=Greek}"
+"\\p{General_Category=Decimal_Number}"
+"\\P{gc=Decimal_Number}"
+"\\p{gc=Nd}"
+"\\P{Decimal_Number}"
+"\\p{Nd}"
+"\\P{Any}"
+"\\p{Changes_When_NFKC_Casefolded}"
+"L~"
+"P{scx=Greek}??"
+"Q~"
+"R??"
+"R!??oo(E=?ar)baz-"
+"Sc?Sc{?{?"
+"U~"
+"V~"
+"W~"
+"Xdtc"
+"X~"
+"X?"
+"[-123],}"
+"[-????]+,}"
+"[00011],}"
+"[011],}"
+"[0],}"
+"[1111],}"
+"[111],}"
+"[118],}"
+"[11],}"
+"[11a],}"
+"[[]{}()%^# ],}"
+"[]"
+"[],}"
+"[]{}()%^# ,}"
+"[^123],}"
+"[a-b-c],}"
+"[a-zA-Z0-9],}"
+"[b"
+"[bfoo(?!bar)baz"
+"[c!],}"
+"[c1],}"
+"[cA],}"
+"[cZ],}"
+"[c_],}"
+"[ca],}"
+"[cz],}"
+"[c~],}"
+"[c~]w"
+"[d-d],}"
+"[d-z],}"
+"[u???[11<([c?]?:u??<a>)dccc]"
+"[ud808udf45-ud809udccc],}"
+"[x"
+"[x],}"
+"[xdz],}"
+"[xyz],}"
+"[x?"
+"[x?n4n4"
+"[x??19?"
+"[z-d],}"
+"[~?"
+"[?????"
+"[?"
+"[???],}"
+"[????-????],}"
+"[????"
+"]"
+"],}"
+"]QrC[w~]Qr"
+"]}"
+"]~"
+"^?000???????????????????????????x60?"
+"^12(a(?:1(b12))2)1dyb?9"
+"^xi!q"
+"^xxx$,}"
+"abc"
+"abc60,0}?{?"
+"aic"
+"b~"
+"c"
+"c!,}"
+"c,}"
+"cA,}"
+"c_,}"
+"cjcJcicIckcK,}"
+"c~"
+"c~,}"
+"d"
+"d?"
+"d??"
+"d(?:ab[]?9}"
+"dpN?(?<a>.)?"
+"duu{123a?"
+"d{1,9"
+"d~"
+"e"
+"e~"
+"e?}"
+"f~"
+"g~"
+"h~"
+"i~"
+"j~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xx?~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxb~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxc~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxd~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxe~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxf~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxg~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxh~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxi~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxj~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxk~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxl~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxm~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxn~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxo~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxp~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxq~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxr~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxs~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxt~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxu~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxv~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxw~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxx~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxy~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxz~"
+"k?@a??=bbC?:!k?x!k0}??@??@a(P=b@??s@xx?~"
+"k?@a??=bbC?:!k?x!k0}??@??@a(P=b@??s@xxn~"
+"k?@a??=bbC?:!k?x!k0}??@??@a(P=b@??s@xxo~"
+"k?@a??=bbC?:!k?x!k0}??@??@a(P=b@??s@xxp~"
+"k?@a??=bbC?:!k?x!k0}??@??@a(P=b@??s@xxq~"
+"k?@a??=bbC?:!k?x!k0}??@??@a(P=b@??s@xxr~"
+"k?@a??=bbC?:!k?x!k0}??@??@a(P=b@??s@xxs~"
+"k?@a??=bbC?:!k?x!k0}??@??@a(P=b@??s@xxt~"
+"k?@a??=bbC?:!k?x!k0}??@??@a(P=b@??s@xxu~"
+"k?@a??=bbC?:!k?x!k0}??@??@a(P=b@??s@xxv~"
+"k?@a??=bbC?:!k?x!k0}??@??@a(P=b@??s@xxw~"
+"k?@a??=bbC?:!k?x!k0}??@??@a(P=b@??s@xxx~"
+"k?@a??=bbC?:!k?x!k0}??@??@a(P=b@??s@xxy~"
+"k?@a??=bbC?:!k?x!k0}??@??@a(P=b@??s@xxz~"
+"k?@a(?=bbb.~"
+"k?@a(?=bbbb~"
+"k?@a(?=bbbc~"
+"k?@a(?=bbbd~"
+"k?@a(?=bbbe~"
+"k?@a(?=bbbf~"
+"k?@a(?=bbbg~"
+"k?@a(?=bbbh~"
+"k?@a(?=bbbi~"
+"k?@a(?=bbbj~"
+"k?@a(?=bbbk~"
+"k?@a(?=bbbl~"
+"k?@a(?=bbbm~"
+"k?@a(?=bbbn~"
+"k?@a(?=bbbo~"
+"k?@a(?=bbbp~"
+"k?@a(?=bbbq~"
+"k?@a(?=bbbr~"
+"k?@a(?=bbbs~"
+"k?@a(?=bbbt~"
+"k?@a(?=bbbu~"
+"k?@a(?=bbbv~"
+"k?@a(?=bbbw~"
+"k?@a(?=bbbx~"
+"k?@a(?=bbby~"
+"k?@a(?=bbbz~"
+"k?@a(?=by?bC?:!k??????????????b~"
+"k?@a(?=by?bC?:!k??????????????c~"
+"k?@a(?=by?bC?:!k??????????????d~"
+"k?@a(?=by?bC?:!k??????????????e~"
+"k?@a(?=by?bC?:!k??????????????f~"
+"k?@a(?=by?bC?:!k??????????????g~"
+"k?@a(?=by?bC?:!k??????????????h~"
+"k?@a(?=by?bC?:!k??????????????i~"
+"k?@a(?=by?bC?:!k??????????????j~"
+"k?@a(?=by?bC?:!k??????????????k~"
+"k?@a(?=by?bC?:!k??????????????l~"
+"k?@a(?=by?bC?:!k??????????????m~"
+"k?@a(?=by?bC?:!k??????????????n~"
+"k?@a(?=by?bC?:!k??????????????o~"
+"k?@a(?=by?bC?:!k??????????????p~"
+"k?@a(?=by?bC?:!k??????????????q~"
+"k?@a(?=by?bC?:!k??????????????r~"
+"k?@a(?=by?bC?:!k??????????????s~"
+"k?@a(?=by?bC?:!k??????????????t~"
+"k?@a(?=by?bC?:!k??????????????u~"
+"k?@a(?=by?bC?:!k??????????????v~"
+"k?@a(?=by?bC?:!k??????????????w~"
+"k?@a(?=by?bC?:!k??????????????x~"
+"k?@a(?=by?bC?:!k??????????????y~"
+"k?@a(?=by?bC?:!k??????????????z~"
+"k?@a(?=by?bC?:!k???????????????~"
+"k?@a(?~"
+"k?@a(b~"
+"k?@a(c~"
+"k?@a(d~"
+"k?@a(e~"
+"k?@a(f~"
+"k?@a(g~"
+"k?@a(h~"
+"k?@a(i~"
+"k?@a(j~"
+"k?@a(k~"
+"k?@a(l~"
+"k?@a(m~"
+"k?@a(n~"
+"k?@a(o~"
+"k?@a(p~"
+"k?@a(q~"
+"k?@a(r~"
+"k?@a(s~"
+"k?@a(t~"
+"k?@a(u~"
+"k?@a(v~"
+"k?@a(w~"
+"k?@a(x~"
+"k?@a(y~"
+"k?@a(z~"
+"k0X@ab~"
+"k0X@ac~"
+"k0X@ad~"
+"k0X@ae~"
+"k0X@af~"
+"k0X@ag~"
+"k0X@ah~"
+"k0X@ai~"
+"k0X@aj~"
+"k0X@ak~"
+"k0X@al~"
+"k0X@am~"
+"k0X@an~"
+"k0X@ao~"
+"k0X@ap~"
+"k0X@aq~"
+"k0X@ar~"
+"k0X@as~"
+"k0X@at~"
+"k0X@au~"
+"k0X@av~"
+"k0X@aw~"
+"k0X@ax~"
+"k0X@ay~"
+"k0X@az~"
+"k0X@a?~"
+"k~"
+"l~"
+"m~"
+"n~"
+"o~"
+"p~"
+"q,}"
+"q~"
+"r~"
+"r?[c~]"
+"s~"
+"t~"
+"u0034,}"
+"u003z,}"
+"u0060,}"
+"ud808udf45*,}"
+"u~"
+"v~"
+"w"
+"w~"
+"x3z,}"
+"x60,}"
+"xyz?9"
+"x~"
+"y~"
+"z~"
+"{"
+"{??"
+"{ ,,?"
+"{-"
+"{0,d?????!"
+"{12345}pu{234:P}?"
+"{1?5"
+"{@"
+"{M,??"
+"{M,P{scx=Greek}???sn"
+"{M,??"
+"{M,??"
+"{M,?M,??"
+"{O"
+"{r~"
+"{s~"
+"{t~"
+"{u~"
+"{v~"
+"{w~"
+"{x~"
+"{y~"
+"{z~"
+"{}"
+"{}~"
+"{??@"
+"{?~"
+"},}"
+"}}"
+"}}}}}?}!}}}}}}}}}}}}}}}}}?},}"
+"}~"
+"}?w~???"
+"~~"
+"?!~"
+"?$"
+"?*?9?nnRnnn?"
+"?.~"
+"?123222222??"
+"?:??"
+"?R"
+"?b~"
+"?c~"
+"?d~"
+"?d???"
+"?e~"
+"?f~"
+"?g~"
+"?h~"
+"?i~"
+"?j~"
+"?k~"
+"?l~"
+"?m~"
+"?n~"
+"?o~"
+"?p~"
+"?q~"
+"?r~"
+"?s~"
+"?t~"
+"?u~"
+"?v~"
+"?v~?v"
+"?w~"
+"?x~"
+"?y~"
+"?z~"
+"?}"
+"??~"
+"?????????dadi(?!bbb"
+"??~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxq~>>>>>>>>>>>>>>>>>>"
+"?f??123222222??"
+"?fP{gc=Decimal_Number}"
+"?f2jq?oo@ooooh??"
+"?[???],}f?"
+"?[???],}nbbc2jocom"
+"?[]"
+"?[],}?"
+"?[],}f?"
+"?[]f?"
+"?[]{}()%^#"
+"?[^123],}f?"
+"?[^123]nbbc2jocom"
+"?[a-b-c],}f?"
+"?[a-b-c]nbbc2jocom"
+"?[a-zA-Z0-9],}f?"
+"?[a-zA-Z0-9],}jocom"
+"?[a-zA-Z0-9]c2jocom"
+"?[bfoo(?!bar)bazcom"
+"?[bfoo(?!bar)bazf?"
+"(?:a?)??"
+"a?)"xyz{93}"
+"{93}"
+"a{12za?)?"
+"[\x8f]"
+"[\xf0\x9f\x92\xa9-\xf4\x8f\xbf\x92\xa9-\xf4\x8f\xbf\xbf]"
+"[\x92\xa9-\xf4\x8f\xbf\xbf]"

dictionaries/sql.dict

@@ -11,7 +11,7 @@
 # standpoint, because they are usually not allowed in non-privileged
 # contexts).
 #
-# Created by Michal Zalewski <lcamtuf@google.com>
+# Created by Michal Zalewski
 #
 
 function_abs=" abs(1)"

dictionaries/tiff.dict

@@ -5,7 +5,7 @@
 # Just the basic, standard-originating sections; does not include vendor
 # extensions.
 #
-# Created by Michal Zalewski <lcamtuf@google.com>
+# Created by Michal Zalewski
 #
 
 header_ii="II*\x00"

dictionaries/webp.dict

@@ -2,7 +2,7 @@
 # AFL dictionary for WebP images
 # ------------------------------
 #
-# Created by Michal Zalewski <lcamtuf@google.com>
+# Created by Michal Zalewski
 #
 
 header_RIFF="RIFF"

dictionaries/xml.dict

@@ -4,7 +4,7 @@
 #
 # Several basic syntax elements and attributes, modeled on libxml2.
 #
-# Created by Michal Zalewski <lcamtuf@google.com>
+# Created by Michal Zalewski
 #
 
 attr_encoding=" encoding=\"1\""

docs/INSTALL.md

@@ -1,28 +1,30 @@
-=========================
-Installation instructions
-=========================
+# Installation instructions
 
   This document provides basic installation instructions and discusses known
-  issues for a variety of platforms. See README for the general instruction
+  issues for a variety of platforms. See README.md for the general instruction
   manual.
 
-1) Linux on x86
+## 1) Linux on x86
 ---------------
 
 This platform is expected to work well. Compile the program with:
 
-$ make
+```bash
+make
+```
 
 You can start using the fuzzer without installation, but it is also possible to
 install it with:
 
-# make install
+```bash
+make install
+```
 
 There are no special dependencies to speak of; you will need GNU make and a
 working compiler (gcc or clang). Some of the optional scripts bundled with the
 program may depend on bash, gdb, and similar basic tools.
 
-If you are using clang, please review llvm_mode/README.llvm; the LLVM
+If you are using clang, please review llvm_mode/README.md; the LLVM
 integration mode can offer substantial performance gains compared to the
 traditional approach.
 
@@ -30,27 +32,30 @@ You may have to change several settings to get optimal results (most notably,
 disable crash reporting utilities and switch to a different CPU governor), but
 afl-fuzz will guide you through that if necessary.
 
-2) OpenBSD, FreeBSD, NetBSD on x86
-----------------------------------
+## OpenBSD, FreeBSD, NetBSD on x86
 
 Similarly to Linux, these platforms are expected to work well and are
 regularly tested. Compile everything with GNU make:
 
-$ gmake
+```bash
+gmake
+```
 
 Note that BSD make will *not* work; if you do not have gmake on your system,
 please install it first. As on Linux, you can use the fuzzer itself without
 installation, or install it with:
 
-# gmake install
+```
+gmake install
+```
 
 Keep in mind that if you are using csh as your shell, the syntax of some of the
-shell commands given in the README and other docs will be different.
+shell commands given in the README.md and other docs will be different.
 
-The llvm_mode requires a dynamically linked, fully-operational installation of
+The `llvm_mode` requires a dynamically linked, fully-operational installation of
 clang. At least on FreeBSD, the clang binaries are static and do not include
 some of the essential tools, so if you want to make it work, you may need to
-follow the instructions in llvm_mode/README.llvm.
+follow the instructions in llvm_mode/README.md.
 
 Beyond that, everything should work as advertised.
 
@@ -58,8 +63,7 @@ The QEMU mode is currently supported only on Linux. I think it's just a QEMU
 problem, I couldn't get a vanilla copy of user-mode emulation support working
 correctly on BSD at all.
 
-3) MacOS X on x86
------------------
+## 3. MacOS X on x86
 
 MacOS X should work, but there are some gotchas due to the idiosyncrasies of
 the platform. On top of this, I have limited release testing capabilities
@@ -69,8 +73,8 @@ To build AFL, install Xcode and follow the general instructions for Linux.
 
 The Xcode 'gcc' tool is just a wrapper for clang, so be sure to use afl-clang
 to compile any instrumented binaries; afl-gcc will fail unless you have GCC
-installed from another source (in which case, please specify AFL_CC and
-AFL_CXX to point to the "real" GCC binaries).
+installed from another source (in which case, please specify `AFL_CC` and
+`AFL_CXX` to point to the "real" GCC binaries).
 
 Only 64-bit compilation will work on the platform; porting the 32-bit
 instrumentation would require a fair amount of work due to the way OS X
@@ -80,47 +84,45 @@ The crash reporting daemon that comes by default with MacOS X will cause
 problems with fuzzing. You need to turn it off by following the instructions
 provided here: http://goo.gl/CCcd5u
 
-The fork() semantics on OS X are a bit unusual compared to other unix systems
+The `fork()` semantics on OS X are a bit unusual compared to other unix systems
 and definitely don't look POSIX-compliant. This means two things:
 
   - Fuzzing will be probably slower than on Linux. In fact, some folks report
     considerable performance gains by running the jobs inside a Linux VM on
     MacOS X.
-
   - Some non-portable, platform-specific code may be incompatible with the
-    AFL forkserver. If you run into any problems, set AFL_NO_FORKSRV=1 in the
+    AFL forkserver. If you run into any problems, set `AFL_NO_FORKSRV=1` in the
     environment before starting afl-fuzz.
 
 User emulation mode of QEMU does not appear to be supported on MacOS X, so
-black-box instrumentation mode (-Q) will not work.
+black-box instrumentation mode (`-Q`) will not work.
 
 The llvm_mode requires a fully-operational installation of clang. The one that
 comes with Xcode is missing some of the essential headers and helper tools.
-See llvm_mode/README.llvm for advice on how to build the compiler from scratch.
+See llvm_mode/README.md for advice on how to build the compiler from scratch.
 
-4) Linux or *BSD on non-x86 systems
------------------------------------
+## 4. Linux or *BSD on non-x86 systems
 
 Standard build will fail on non-x86 systems, but you should be able to
 leverage two other options:
 
-  - The LLVM mode (see llvm_mode/README.llvm), which does not rely on
+  - The LLVM mode (see llvm_mode/README.md), which does not rely on
     x86-specific assembly shims. It's fast and robust, but requires a
     complete installation of clang.
-
-  - The QEMU mode (see qemu_mode/README.qemu), which can be also used for
+  - The QEMU mode (see qemu_mode/README.md), which can be also used for
     fuzzing cross-platform binaries. It's slower and more fragile, but
     can be used even when you don't have the source for the tested app.
 
 If you're not sure what you need, you need the LLVM mode. To get it, try:
 
-$ AFL_NO_X86=1 gmake && gmake -C llvm_mode
+```bash
+AFL_NO_X86=1 gmake && gmake -C llvm_mode
+```
 
 ...and compile your target program with afl-clang-fast or afl-clang-fast++
 instead of the traditional afl-gcc or afl-clang wrappers.
 
-5) Solaris on x86
------------------
+## 5. Solaris on x86
 
 The fuzzer reportedly works on Solaris, but I have not tested this first-hand,
 and the user base is fairly small, so I don't have a lot of feedback.
@@ -128,36 +130,39 @@ and the user base is fairly small, so I don't have a lot of feedback.
 To get the ball rolling, you will need to use GNU make and GCC or clang. I'm
 being told that the stock version of GCC that comes with the platform does not
 work properly due to its reliance on a hardcoded location for 'as' (completely
-ignoring the -B parameter or $PATH).
+ignoring the `-B` parameter or `$PATH`).
 
 To fix this, you may want to build stock GCC from the source, like so:
 
-$ ./configure --prefix=$HOME/gcc --with-gnu-as --with-gnu-ld \
+```sh
+./configure --prefix=$HOME/gcc --with-gnu-as --with-gnu-ld \
   --with-gmp-include=/usr/include/gmp --with-mpfr-include=/usr/include/mpfr
-$ make
-$ sudo make install
+make
+sudo make install
+```
 
-Do *not* specify --with-as=/usr/gnu/bin/as - this will produce a GCC binary that
-ignores the -B flag and you will be back to square one.
+Do *not* specify `--with-as=/usr/gnu/bin/as` - this will produce a GCC binary that
+ignores the `-B` flag and you will be back to square one.
 
 Note that Solaris reportedly comes with crash reporting enabled, which causes
 problems with crashes being misinterpreted as hangs, similarly to the gotchas
 for Linux and MacOS X. AFL does not auto-detect crash reporting on this
 particular platform, but you may need to run the following command:
 
-$ coreadm -d global -d global-setid -d process -d proc-setid \
+```sh
+coreadm -d global -d global-setid -d process -d proc-setid \
   -d kzone -d log
+```
 
 User emulation mode of QEMU is not available on Solaris, so black-box
-instrumentation mode (-Q) will not work.
+instrumentation mode (`-Q`) will not work.
 
-6) Everything else
-------------------
+## 6. Everything else
 
 You're on your own. On POSIX-compliant systems, you may be able to compile and
 run the fuzzer; and the LLVM mode may offer a way to instrument non-x86 code.
 
-The fuzzer will not run on Windows. It will also not work under Cygwin. It
+The fuzzer will run on Windows in WSL only. It will not work under Cygwin on in the normal Windows world. It
 could be ported to the latter platform fairly easily, but it's a pretty bad
 idea, because Cygwin is extremely slow. It makes much more sense to use
 VirtualBox or so to run a hardware-accelerated Linux VM; it will run around
@@ -171,13 +176,15 @@ It's possible that all you need is this workaround:
   https://github.com/pelya/android-shmem
 
 Joshua J. Drake notes that the Android linker adds a shim that automatically
-intercepts SIGSEGV and related signals. To fix this issue and be able to see
+intercepts `SIGSEGV` and related signals. To fix this issue and be able to see
 crashes, you need to put this at the beginning of the fuzzed program:
 
+```sh
   signal(SIGILL, SIG_DFL);
   signal(SIGABRT, SIG_DFL);
   signal(SIGBUS, SIG_DFL);
   signal(SIGFPE, SIG_DFL);
   signal(SIGSEGV, SIG_DFL);
+```
 
-You may need to #include <signal.h> first.
+You may need to `#include <signal.h>` first.

docs/PATCHES.md

@@ -1,9 +1,11 @@
+# Applied Patches
+
 The following patches from https://github.com/vanhauser-thc/afl-patches
 have been installed or not installed:
 
 
-INSTALLED
-=========
+## INSTALLED
+```
 afl-llvm-fix.diff			by kcwu(at)csie(dot)org
 afl-sort-all_uniq-fix.diff		by legarrec(dot)vincent(at)gmail(dot)com
 laf-intel.diff				by heiko(dot)eissfeldt(at)hexco(dot)de
@@ -16,6 +18,7 @@ afl-qemu-ppc64.diff			by william(dot)barsse(at)airbus(dot)com
 afl-qemu-optimize-entrypoint.diff	by mh(at)mh-sec(dot)de
 afl-qemu-speed.diff			by abiondo on github
 afl-qemu-optimize-map.diff		by mh(at)mh-sec(dot)de
+```
 
 + Custom mutator (native library) (by kyakdan)
 + unicorn_mode (modernized and updated by domenukk)
@@ -28,10 +31,12 @@ afl-qemu-optimize-map.diff		by mh(at)mh-sec(dot)de
 + forkserver patch for afl-tmin (github.com/nccgroup/TriforceAFL)
 
 
-NOT INSTALLED
-=============
+## NOT INSTALLED
+
+```
 afl-fuzz-context_sensitive.diff	- changes too much of the behaviour
 afl-tmpfs.diff - same as afl-fuzz-tmpdir.diff but more complex
 afl-cmin-reduce-dataset.diff - unsure of the impact
 afl-llvm-fix2.diff - not needed with the other patches
+```
 

docs/QuickStartGuide.md

@@ -1,11 +1,9 @@
-=====================
-AFL quick start guide
-=====================
+# AFL quick start guide
 
-You should read docs/README.md - it's pretty short. If you really can't, here's
+You should read [README.md](README.md) - it's pretty short. If you really can't, here's
 how to hit the ground running:
 
-1) Compile AFL with 'make'. If build fails, see docs/INSTALL for tips.
+1) Compile AFL with 'make'. If build fails, see [INSTALL.md](INSTALL.md) for tips.
 
 2) Find or write a reasonably fast and simple program that takes data from
    a file or stdin, processes it in a test-worthy way, then exits cleanly.
@@ -17,7 +15,7 @@ how to hit the ground running:
 
    The program must crash properly when a fault is encountered. Watch out for
    custom SIGSEGV or SIGABRT handlers and background processes. For tips on
-   detecting non-crashing flaws, see section 11 in docs/README.md .
+   detecting non-crashing flaws, see section 11 in [README.md](README.md) .
 
 3) Compile the program / library to be fuzzed using afl-gcc. A common way to
    do this would be:
@@ -29,7 +27,7 @@ how to hit the ground running:
 
 4) Get a small but valid input file that makes sense to the program. When
    fuzzing verbose syntax (SQL, HTTP, etc), create a dictionary as described in
-   dictionaries/README.dictionaries, too.
+   dictionaries/README.md, too.
 
 5) If the program reads from stdin, run 'afl-fuzz' like so:
 
@@ -40,15 +38,17 @@ how to hit the ground running:
    command line; AFL will put an auto-generated file name in there for you.
 
 6) Investigate anything shown in red in the fuzzer UI by promptly consulting
-   docs/status_screen.txt.
+   [status_screen.md](status_screen.md).
 
 7) compile and use llvm_mode (afl-clang-fast/afl-clang-fast++) as it is way
    faster and has a few cool features
 
+8) There is a basic docker build with 'docker build -t aflplusplus .'
+
 That's it. Sit back, relax, and - time permitting - try to skim through the
 following files:
 
-  - docs/README.md            - A general introduction to AFL,
-  - docs/perf_tips.txt        - Simple tips on how to fuzz more quickly,
-  - docs/status_screen.txt    - An explanation of the tidbits shown in the UI,
-  - docs/parallel_fuzzing.txt - Advice on running AFL on multiple cores.
+  - README.md                 - A general introduction to AFL,
+  - docs/perf_tips.md         - Simple tips on how to fuzz more quickly,
+  - docs/status_screen.md     - An explanation of the tidbits shown in the UI,
+  - docs/parallel_fuzzing.md  - Advice on running AFL on multiple cores.

docs/README.md

@@ -1 +0,0 @@
-../README.md

docs/README.md

@@ -0,0 +1,682 @@
+# american fuzzy lop plus plus (afl++)
+
+  ![Travis State](https://api.travis-ci.com/vanhauser-thc/AFLplusplus.svg?branch=master)
+
+  Release Version: 2.60c 
+
+  Github Version: 2.60d
+
+  includes all necessary/interesting changes from Google's afl 2.56b
+
+
+  Originally developed by Michal "lcamtuf" Zalewski.
+
+  Repository: [https://github.com/vanhauser-thc/AFLplusplus](https://github.com/vanhauser-thc/AFLplusplus)
+
+  afl++ is maintained by Marc "van Hauser" Heuse <mh@mh-sec.de>,
+  Heiko "hexcoder-" Eißfeldt <heiko.eissfeldt@hexco.de>, Andrea Fioraldi <andreafioraldi@gmail.com> and Dominik Maier <mail@dmnk.co>.
+
+  Note that although afl now has a Google afl repository [https://github.com/Google/afl](https://github.com/Google/afl),
+  it is unlikely to receive any noteable enhancements: [https://twitter.com/Dor3s/status/1154737061787660288](https://twitter.com/Dor3s/status/1154737061787660288)
+
+
+## The enhancements compared to the original stock afl
+
+  Many improvements were made over the official afl release - which did not
+  get any feature improvements since November 2017.
+
+  Among other changes afl++ has a more performant llvm_mode, supports
+  llvm up to version 11, QEMU 3.1, more speed and crashfixes for QEMU,
+  better *BSD and Android support and much, much more.
+
+  Additionally the following features and patches have been integrated:
+
+  * AFLfast's power schedules by Marcel Böhme: [https://github.com/mboehme/aflfast](https://github.com/mboehme/aflfast)
+
+  * The new excellent MOpt mutator: [https://github.com/puppet-meteor/MOpt-AFL](https://github.com/puppet-meteor/MOpt-AFL)
+
+  * InsTrim, a very effective CFG llvm_mode instrumentation implementation for large targets: [https://github.com/csienslab/instrim](https://github.com/csienslab/instrim)
+
+  * C. Holler's afl-fuzz Python mutator module and llvm_mode whitelist support: [https://github.com/choller/afl](https://github.com/choller/afl)
+
+  * Custom mutator by a library (instead of Python) by kyakdan
+
+  * unicorn_mode which allows fuzzing of binaries from completely different platforms (integration provided by domenukk)
+
+  * laf-intel or CompCov support for llvm_mode, qemu_mode and unicorn_mode
+
+  * NeverZero patch for afl-gcc, llvm_mode, qemu_mode and unicorn_mode which prevents a wrapping map value to zero, increases coverage
+  
+  * Persistent mode and deferred forkserver for qemu_mode
+  
+  * Win32 PE binary-only fuzzing with QEMU and Wine
+
+  * Radamsa mutator (enable with `-R` to add or `-RR` to run it exclusivly).
+
+  * qbdi_mode: fuzz android native libraries via QBDI framework
+
+
+  A more thorough list is available in the PATCHES file.
+
+  | Feature/Instrumentation | afl-gcc | llvm_mode | gcc_plugin | qemu_mode | unicorn_mode |
+  | ----------------------- |:-------:|:---------:|:----------:|:---------:|:------------:|
+  | laf-intel / CompCov     |         |     x     |            |  x86/arm  |   x86/arm    |
+  | NeverZero               |    x    |     x(1)  |      (2)   |     x     |      x       |
+  | Persistent mode         |         |     x     |     x      |    x86    |      x       |
+  | Whitelist               |         |     x     |     x      |           |              |
+  | InsTrim                 |         |     x     |            |           |              |
+
+  neverZero:
+
+  (1) only in LLVM >= 9.0 due to a bug in llvm in previous versions
+
+  (2) gcc creates non-performant code, hence it is disabled in gcc_plugin
+
+  So all in all this is the best-of afl that is currently out there :-)
+
+  For new versions and additional information, check out:
+  [https://github.com/vanhauser-thc/AFLplusplus](https://github.com/vanhauser-thc/AFLplusplus)
+
+  To compare notes with other users or get notified about major new features,
+  send a mail to <afl-users+subscribe@googlegroups.com>.
+
+  See [docs/QuickStartGuide.md](docs/QuickStartGuide.md) if you don't have time to
+  read this file.
+
+
+## 0) Building and installing afl++
+
+afl++ has many build options.
+The easiest is to build and install everything:
+
+```shell
+$ make distrib
+$ sudo make install
+```
+
+Note that "make distrib" also builds llvm_mode, qemu_mode, unicorn_mode and
+more. If you just want plain afl then do "make all", however compiling and
+using at least llvm_mode is highly recommended for much better results -
+hence in this case 
+
+```shell
+$ make source-only
+```
+is what you should choose.
+
+These build options exist:
+
+* all: just the main afl++ binaries
+* binary-only: everything for binary-only fuzzing: qemu_mode, unicorn_mode, libdislocator, libtokencap, radamsa
+* source-only: everything for source code fuzzing: llvm_mode, libdislocator, libtokencap, radamsa
+* distrib: everything (for both binary-only and source code fuzzing)
+* install: installs everything you have compiled with the build options above
+* clean: cleans everything. for qemu_mode and unicorn_mode it means it deletes all downloads as well
+* code-format: format the code, do this before you commit and send a PR please!
+* tests: runs test cases to ensure that all features are still working as they should
+* help: shows these build options
+
+[Unless you are on Mac OS X](https://developer.apple.com/library/archive/qa/qa1118/_index.html) you can also build statically linked versions of the 
+afl++ binaries by passing the STATIC=1 argument to make:
+
+```shell
+$ make all STATIC=1
+```
+
+Note that afl++ is faster and better the newer the compilers used are.
+Hence gcc-9 and especially llvm-9 should be the compilers of choice.
+If your distribution does not have them, you can use the Dockerfile:
+
+```shell
+$ docker build -t aflplusplus
+```
+
+
+## 1) Challenges of guided fuzzing
+
+Fuzzing is one of the most powerful and proven strategies for identifying
+security issues in real-world software; it is responsible for the vast
+majority of remote code execution and privilege escalation bugs found to date
+in security-critical software.
+
+Unfortunately, fuzzing is also relatively shallow; blind, random mutations
+make it very unlikely to reach certain code paths in the tested code, leaving
+some vulnerabilities firmly outside the reach of this technique.
+
+There have been numerous attempts to solve this problem. One of the early
+approaches - pioneered by Tavis Ormandy - is corpus distillation. The method
+relies on coverage signals to select a subset of interesting seeds from a
+massive, high-quality corpus of candidate files, and then fuzz them by
+traditional means. The approach works exceptionally well, but requires such
+a corpus to be readily available. In addition, block coverage measurements
+provide only a very simplistic understanding of program state, and are less
+useful for guiding the fuzzing effort in the long haul.
+
+Other, more sophisticated research has focused on techniques such as program
+flow analysis ("concolic execution"), symbolic execution, or static analysis.
+All these methods are extremely promising in experimental settings, but tend
+to suffer from reliability and performance problems in practical uses - and
+currently do not offer a viable alternative to "dumb" fuzzing techniques.
+
+
+## 2) The afl-fuzz approach
+
+American Fuzzy Lop is a brute-force fuzzer coupled with an exceedingly simple
+but rock-solid instrumentation-guided genetic algorithm. It uses a modified
+form of edge coverage to effortlessly pick up subtle, local-scale changes to
+program control flow.
+
+Simplifying a bit, the overall algorithm can be summed up as:
+
+  1) Load user-supplied initial test cases into the queue,
+
+  2) Take next input file from the queue,
+
+  3) Attempt to trim the test case to the smallest size that doesn't alter
+     the measured behavior of the program,
+
+  4) Repeatedly mutate the file using a balanced and well-researched variety
+     of traditional fuzzing strategies,
+
+  5) If any of the generated mutations resulted in a new state transition
+     recorded by the instrumentation, add mutated output as a new entry in the
+     queue.
+
+  6) Go to 2.
+
+The discovered test cases are also periodically culled to eliminate ones that
+have been obsoleted by newer, higher-coverage finds; and undergo several other
+instrumentation-driven effort minimization steps.
+
+As a side result of the fuzzing process, the tool creates a small,
+self-contained corpus of interesting test cases. These are extremely useful
+for seeding other, labor- or resource-intensive testing regimes - for example,
+for stress-testing browsers, office applications, graphics suites, or
+closed-source tools.
+
+The fuzzer is thoroughly tested to deliver out-of-the-box performance far
+superior to blind fuzzing or coverage-only tools.
+
+
+## 3) Instrumenting programs for use with AFL
+
+PLEASE NOTE: llvm_mode compilation with afl-clang-fast/afl-clang-fast++
+instead of afl-gcc/afl-g++ is much faster and has a few cool features.
+See llvm_mode/ - however few code does not compile with llvm.
+We support llvm versions 3.8.0 to 11.
+
+When source code is available, instrumentation can be injected by a companion
+tool that works as a drop-in replacement for gcc or clang in any standard build
+process for third-party code.
+
+The instrumentation has a fairly modest performance impact; in conjunction with
+other optimizations implemented by afl-fuzz, most programs can be fuzzed as fast
+or even faster than possible with traditional tools.
+
+The correct way to recompile the target program may vary depending on the
+specifics of the build process, but a nearly-universal approach would be:
+
+```shell
+$ CC=/path/to/afl/afl-gcc ./configure
+$ make clean all
+```
+
+For C++ programs, you'd would also want to set `CXX=/path/to/afl/afl-g++`.
+
+The clang wrappers (afl-clang and afl-clang++) can be used in the same way;
+clang users may also opt to leverage a higher-performance instrumentation mode,
+as described in [llvm_mode/README.md](llvm_mode/README.md).
+Clang/LLVM has a much better performance and works with LLVM version 3.8.0 to 11.
+
+Using the LAF Intel performance enhancements are also recommended, see 
+[llvm_mode/README.laf-intel.md](llvm_mode/README.laf-intel.md)
+
+Using partial instrumentation is also recommended, see
+[llvm_mode/README.whitelist.md](llvm_mode/README.whitelist.md)
+
+When testing libraries, you need to find or write a simple program that reads
+data from stdin or from a file and passes it to the tested library. In such a
+case, it is essential to link this executable against a static version of the
+instrumented library, or to make sure that the correct .so file is loaded at
+runtime (usually by setting `LD_LIBRARY_PATH`). The simplest option is a static
+build, usually possible via:
+
+```shell
+$ CC=/path/to/afl/afl-gcc ./configure --disable-shared
+```
+
+Setting `AFL_HARDEN=1` when calling 'make' will cause the CC wrapper to
+automatically enable code hardening options that make it easier to detect
+simple memory bugs. Libdislocator, a helper library included with AFL (see
+[libdislocator/README.md](libdislocator/README.md)) can help uncover heap corruption issues, too.
+
+PS. ASAN users are advised to review [docs/notes_for_asan.md](docs/notes_for_asan.md)
+file for important caveats.
+
+
+## 4) Instrumenting binary-only apps
+
+When source code is *NOT* available, the fuzzer offers experimental support for
+fast, on-the-fly instrumentation of black-box binaries. This is accomplished
+with a version of QEMU running in the lesser-known "user space emulation" mode.
+
+QEMU is a project separate from AFL, but you can conveniently build the
+feature by doing:
+
+```shell
+$ cd qemu_mode
+$ ./build_qemu_support.sh
+```
+
+For additional instructions and caveats, see [qemu_mode/README.md](qemu_mode/README.md).
+
+The mode is approximately 2-5x slower than compile-time instrumentation, is
+less conducive to parallelization, and may have some other quirks.
+
+If [afl-dyninst](https://github.com/vanhauser-thc/afl-dyninst) works for
+your binary, then you can use afl-fuzz normally and it will have twice
+the speed compared to qemu_mode.
+
+A more comprehensive description of these and other options can be found in
+[docs/binaryonly_fuzzing.md](docs/binaryonly_fuzzing.md)
+
+
+## 5) Power schedules
+
+The power schedules were copied from Marcel Böhme's excellent AFLfast
+implementation and expand on the ability to discover new paths and
+therefore may increase the code coverage.
+
+The available schedules are:
+ 
+ - explore (default)
+ - fast
+ - coe
+ - quad
+ - lin
+ - exploit
+
+In parallel mode (-M/-S, several instances with shared queue), we suggest to
+run the master using the exploit schedule (-p exploit) and the slaves with a
+combination of cut-off-exponential (-p coe), exponential (-p fast; default),
+and explore (-p explore) schedules.
+
+In single mode, using -p fast is usually more beneficial than the default
+explore mode.
+(We don't want to change the default behaviour of afl, so "fast" has not been
+made the default mode).
+
+More details can be found in the paper published at the 23rd ACM Conference on
+Computer and Communications Security [CCS'16](https://www.sigsac.org/ccs/CCS2016/accepted-papers/)
+## 6) Choosing initial test cases
+
+To operate correctly, the fuzzer requires one or more starting file that
+contains a good example of the input data normally expected by the targeted
+application. There are two basic rules:
+
+  - Keep the files small. Under 1 kB is ideal, although not strictly necessary.
+    For a discussion of why size matters, see [perf_tips.md](docs/perf_tips.md).
+
+  - Use multiple test cases only if they are functionally different from
+    each other. There is no point in using fifty different vacation photos
+    to fuzz an image library.
+
+You can find many good examples of starting files in the testcases/ subdirectory
+that comes with this tool.
+
+PS. If a large corpus of data is available for screening, you may want to use
+the afl-cmin utility to identify a subset of functionally distinct files that
+exercise different code paths in the target binary.
+
+
+## 7) Fuzzing binaries
+
+The fuzzing process itself is carried out by the afl-fuzz utility. This program
+requires a read-only directory with initial test cases, a separate place to
+store its findings, plus a path to the binary to test.
+
+For target binaries that accept input directly from stdin, the usual syntax is:
+
+```shell
+$ ./afl-fuzz -i testcase_dir -o findings_dir /path/to/program [...params...]
+```
+
+For programs that take input from a file, use '@@' to mark the location in
+the target's command line where the input file name should be placed. The
+fuzzer will substitute this for you:
+
+```shell
+$ ./afl-fuzz -i testcase_dir -o findings_dir /path/to/program @@
+```
+
+You can also use the -f option to have the mutated data written to a specific
+file. This is useful if the program expects a particular file extension or so.
+
+Non-instrumented binaries can be fuzzed in the QEMU mode (add -Q in the command
+line) or in a traditional, blind-fuzzer mode (specify -n).
+
+You can use -t and -m to override the default timeout and memory limit for the
+executed process; rare examples of targets that may need these settings touched
+include compilers and video decoders.
+
+Tips for optimizing fuzzing performance are discussed in [perf_tips.md](docs/perf_tips.md).
+
+Note that afl-fuzz starts by performing an array of deterministic fuzzing
+steps, which can take several days, but tend to produce neat test cases. If you
+want quick & dirty results right away - akin to zzuf and other traditional
+fuzzers - add the -d option to the command line.
+
+
+## 8) Interpreting output
+
+See the [docs/status_screen.md](docs/status_screen.md) file for information on
+how to interpret the displayed stats and monitor the health of the process. Be
+sure to consult this file especially if any UI elements are highlighted in red.
+
+The fuzzing process will continue until you press Ctrl-C. At minimum, you want
+to allow the fuzzer to complete one queue cycle, which may take anywhere from a
+couple of hours to a week or so.
+
+There are three subdirectories created within the output directory and updated
+in real time:
+
+  - queue/   - test cases for every distinctive execution path, plus all the
+               starting files given by the user. This is the synthesized corpus
+               mentioned in section 2.
+
+               Before using this corpus for any other purposes, you can shrink
+               it to a smaller size using the afl-cmin tool. The tool will find
+               a smaller subset of files offering equivalent edge coverage.
+
+  - crashes/ - unique test cases that cause the tested program to receive a
+               fatal signal (e.g., SIGSEGV, SIGILL, SIGABRT). The entries are 
+               grouped by the received signal.
+
+  - hangs/   - unique test cases that cause the tested program to time out. The
+               default time limit before something is classified as a hang is
+               the larger of 1 second and the value of the -t parameter.
+               The value can be fine-tuned by setting AFL_HANG_TMOUT, but this
+               is rarely necessary.
+
+Crashes and hangs are considered "unique" if the associated execution paths
+involve any state transitions not seen in previously-recorded faults. If a
+single bug can be reached in multiple ways, there will be some count inflation
+early in the process, but this should quickly taper off.
+
+The file names for crashes and hangs are correlated with parent, non-faulting
+queue entries. This should help with debugging.
+
+When you can't reproduce a crash found by afl-fuzz, the most likely cause is
+that you are not setting the same memory limit as used by the tool. Try:
+
+```shell
+$ LIMIT_MB=50
+$ ( ulimit -Sv $[LIMIT_MB << 10]; /path/to/tested_binary ... )
+```
+
+Change LIMIT_MB to match the -m parameter passed to afl-fuzz. On OpenBSD,
+also change -Sv to -Sd.
+
+Any existing output directory can be also used to resume aborted jobs; try:
+
+```shell
+$ ./afl-fuzz -i- -o existing_output_dir [...etc...]
+```
+
+If you have gnuplot installed, you can also generate some pretty graphs for any
+active fuzzing task using afl-plot. For an example of how this looks like,
+see [http://lcamtuf.coredump.cx/afl/plot/](http://lcamtuf.coredump.cx/afl/plot/).
+
+
+## 9) Parallelized fuzzing
+
+Every instance of afl-fuzz takes up roughly one core. This means that on
+multi-core systems, parallelization is necessary to fully utilize the hardware.
+For tips on how to fuzz a common target on multiple cores or multiple networked
+machines, please refer to [docs/parallel_fuzzing.md](docs/parallel_fuzzing.md).
+
+The parallel fuzzing mode also offers a simple way for interfacing AFL to other
+fuzzers, to symbolic or concolic execution engines, and so forth; again, see the
+last section of [docs/parallel_fuzzing.md](docs/parallel_fuzzing.md) for tips.
+
+
+## 10) Fuzzer dictionaries
+
+By default, afl-fuzz mutation engine is optimized for compact data formats -
+say, images, multimedia, compressed data, regular expression syntax, or shell
+scripts. It is somewhat less suited for languages with particularly verbose and
+redundant verbiage - notably including HTML, SQL, or JavaScript.
+
+To avoid the hassle of building syntax-aware tools, afl-fuzz provides a way to
+seed the fuzzing process with an optional dictionary of language keywords,
+magic headers, or other special tokens associated with the targeted data type
+-- and use that to reconstruct the underlying grammar on the go:
+
+  [http://lcamtuf.blogspot.com/2015/01/afl-fuzz-making-up-grammar-with.html](http://lcamtuf.blogspot.com/2015/01/afl-fuzz-making-up-grammar-with.html)
+
+To use this feature, you first need to create a dictionary in one of the two
+formats discussed in [dictionaries/README.md](dictionaries/README.md);
+and then point the fuzzer to it via the -x option in the command line.
+
+(Several common dictionaries are already provided in that subdirectory, too.)
+
+There is no way to provide more structured descriptions of the underlying
+syntax, but the fuzzer will likely figure out some of this based on the
+instrumentation feedback alone. This actually works in practice, say:
+
+  [http://lcamtuf.blogspot.com/2015/04/finding-bugs-in-sqlite-easy-way.html](http://lcamtuf.blogspot.com/2015/04/finding-bugs-in-sqlite-easy-way.html)
+
+PS. Even when no explicit dictionary is given, afl-fuzz will try to extract
+existing syntax tokens in the input corpus by watching the instrumentation
+very closely during deterministic byte flips. This works for some types of
+parsers and grammars, but isn't nearly as good as the -x mode.
+
+If a dictionary is really hard to come by, another option is to let AFL run
+for a while, and then use the token capture library that comes as a companion
+utility with AFL. For that, see [libtokencap/README.md](libtokencap/README.tokencap.md).
+
+
+## 11) Crash triage
+
+The coverage-based grouping of crashes usually produces a small data set that
+can be quickly triaged manually or with a very simple GDB or Valgrind script.
+Every crash is also traceable to its parent non-crashing test case in the
+queue, making it easier to diagnose faults.
+
+Having said that, it's important to acknowledge that some fuzzing crashes can be
+difficult to quickly evaluate for exploitability without a lot of debugging and
+code analysis work. To assist with this task, afl-fuzz supports a very unique
+"crash exploration" mode enabled with the -C flag.
+
+In this mode, the fuzzer takes one or more crashing test cases as the input,
+and uses its feedback-driven fuzzing strategies to very quickly enumerate all
+code paths that can be reached in the program while keeping it in the
+crashing state.
+
+Mutations that do not result in a crash are rejected; so are any changes that
+do not affect the execution path.
+
+The output is a small corpus of files that can be very rapidly examined to see
+what degree of control the attacker has over the faulting address, or whether
+it is possible to get past an initial out-of-bounds read - and see what lies
+beneath.
+
+Oh, one more thing: for test case minimization, give afl-tmin a try. The tool
+can be operated in a very simple way:
+
+```shell
+$ ./afl-tmin -i test_case -o minimized_result -- /path/to/program [...]
+```
+
+The tool works with crashing and non-crashing test cases alike. In the crash
+mode, it will happily accept instrumented and non-instrumented binaries. In the
+non-crashing mode, the minimizer relies on standard AFL instrumentation to make
+the file simpler without altering the execution path.
+
+The minimizer accepts the -m, -t, -f and @@ syntax in a manner compatible with
+afl-fuzz.
+
+Another recent addition to AFL is the afl-analyze tool. It takes an input
+file, attempts to sequentially flip bytes, and observes the behavior of the
+tested program. It then color-codes the input based on which sections appear to
+be critical, and which are not; while not bulletproof, it can often offer quick
+insights into complex file formats. More info about its operation can be found
+near the end of [docs/technical_details.md](docs/technical_details.md).
+
+
+## 12) Going beyond crashes
+
+Fuzzing is a wonderful and underutilized technique for discovering non-crashing
+design and implementation errors, too. Quite a few interesting bugs have been
+found by modifying the target programs to call abort() when, say:
+
+  - Two bignum libraries produce different outputs when given the same
+    fuzzer-generated input,
+
+  - An image library produces different outputs when asked to decode the same
+    input image several times in a row,
+
+  - A serialization / deserialization library fails to produce stable outputs
+    when iteratively serializing and deserializing fuzzer-supplied data,
+
+  - A compression library produces an output inconsistent with the input file
+    when asked to compress and then decompress a particular blob.
+
+Implementing these or similar sanity checks usually takes very little time;
+if you are the maintainer of a particular package, you can make this code
+conditional with `#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` (a flag also
+shared with libfuzzer) or `#ifdef __AFL_COMPILER` (this one is just for AFL).
+
+
+## 13) Common-sense risks
+
+Please keep in mind that, similarly to many other computationally-intensive
+tasks, fuzzing may put strain on your hardware and on the OS. In particular:
+
+  - Your CPU will run hot and will need adequate cooling. In most cases, if
+    cooling is insufficient or stops working properly, CPU speeds will be
+    automatically throttled. That said, especially when fuzzing on less
+    suitable hardware (laptops, smartphones, etc), it's not entirely impossible
+    for something to blow up.
+
+  - Targeted programs may end up erratically grabbing gigabytes of memory or
+    filling up disk space with junk files. AFL tries to enforce basic memory
+    limits, but can't prevent each and every possible mishap. The bottom line
+    is that you shouldn't be fuzzing on systems where the prospect of data loss
+    is not an acceptable risk.
+
+  - Fuzzing involves billions of reads and writes to the filesystem. On modern
+    systems, this will be usually heavily cached, resulting in fairly modest
+    "physical" I/O - but there are many factors that may alter this equation.
+    It is your responsibility to monitor for potential trouble; with very heavy
+    I/O, the lifespan of many HDDs and SSDs may be reduced.
+
+    A good way to monitor disk I/O on Linux is the 'iostat' command:
+
+```shell
+    $ iostat -d 3 -x -k [...optional disk ID...]
+```
+
+
+## 14) Known limitations & areas for improvement
+
+Here are some of the most important caveats for AFL:
+
+  - AFL detects faults by checking for the first spawned process dying due to
+    a signal (SIGSEGV, SIGABRT, etc). Programs that install custom handlers for
+    these signals may need to have the relevant code commented out. In the same
+    vein, faults in child processed spawned by the fuzzed target may evade
+    detection unless you manually add some code to catch that.
+
+  - As with any other brute-force tool, the fuzzer offers limited coverage if
+    encryption, checksums, cryptographic signatures, or compression are used to
+    wholly wrap the actual data format to be tested.
+
+    To work around this, you can comment out the relevant checks (see
+    examples/libpng_no_checksum/ for inspiration); if this is not possible,
+    you can also write a postprocessor, as explained in
+    examples/post_library/ (with AFL_POST_LIBRARY)
+
+  - There are some unfortunate trade-offs with ASAN and 64-bit binaries. This
+    isn't due to any specific fault of afl-fuzz; see [docs/notes_for_asan.md](docs/notes_for_asan.md)
+    for tips.
+
+  - There is no direct support for fuzzing network services, background
+    daemons, or interactive apps that require UI interaction to work. You may
+    need to make simple code changes to make them behave in a more traditional
+    way. Preeny may offer a relatively simple option, too - see:
+    [https://github.com/zardus/preeny](https://github.com/zardus/preeny)
+
+    Some useful tips for modifying network-based services can be also found at:
+    [https://www.fastly.com/blog/how-to-fuzz-server-american-fuzzy-lop](https://www.fastly.com/blog/how-to-fuzz-server-american-fuzzy-lop)
+
+  - AFL doesn't output human-readable coverage data. If you want to monitor
+    coverage, use afl-cov from Michael Rash: [https://github.com/mrash/afl-cov](https://github.com/mrash/afl-cov)
+
+  - Occasionally, sentient machines rise against their creators. If this
+    happens to you, please consult [http://lcamtuf.coredump.cx/prep/](http://lcamtuf.coredump.cx/prep/).
+
+Beyond this, see INSTALL for platform-specific tips.
+
+
+## 15) Special thanks
+
+Many of the improvements to the original afl and afl++ wouldn't be possible
+without feedback, bug reports, or patches from:
+
+```
+  Jann Horn                             Hanno Boeck
+  Felix Groebert                        Jakub Wilk
+  Richard W. M. Jones                   Alexander Cherepanov
+  Tom Ritter                            Hovik Manucharyan
+  Sebastian Roschke                     Eberhard Mattes
+  Padraig Brady                         Ben Laurie
+  @dronesec                             Luca Barbato
+  Tobias Ospelt                         Thomas Jarosch
+  Martin Carpenter                      Mudge Zatko
+  Joe Zbiciak                           Ryan Govostes
+  Michael Rash                          William Robinet
+  Jonathan Gray                         Filipe Cabecinhas
+  Nico Weber                            Jodie Cunningham
+  Andrew Griffiths                      Parker Thompson
+  Jonathan Neuschaefer                  Tyler Nighswander
+  Ben Nagy                              Samir Aguiar
+  Aidan Thornton                        Aleksandar Nikolich
+  Sam Hakim                             Laszlo Szekeres
+  David A. Wheeler                      Turo Lamminen
+  Andreas Stieger                       Richard Godbee
+  Louis Dassy                           teor2345
+  Alex Moneger                          Dmitry Vyukov
+  Keegan McAllister                     Kostya Serebryany
+  Richo Healey                          Martijn Bogaard
+  rc0r                                  Jonathan Foote
+  Christian Holler                      Dominique Pelle
+  Jacek Wielemborek                     Leo Barnes
+  Jeremy Barnes                         Jeff Trull
+  Guillaume Endignoux                   ilovezfs
+  Daniel Godas-Lopez                    Franjo Ivancic
+  Austin Seipp                          Daniel Komaromy
+  Daniel Binderman                      Jonathan Metzman
+  Vegard Nossum                         Jan Kneschke
+  Kurt Roeckx                           Marcel Boehme
+  Van-Thuan Pham                        Abhik Roychoudhury
+  Joshua J. Drake                       Toby Hutton
+  Rene Freingruber                      Sergey Davidoff
+  Sami Liedes                           Craig Young
+  Andrzej Jackowski                     Daniel Hodson
+  Nathan Voss                           Dominik Maier
+  Andrea Biondo                         Vincent Le Garrec
+  Khaled Yakdan                         Kuang-che Wu
+```
+
+Thank you!
+
+
+## 16) Contact
+
+Questions? Concerns? Bug reports? The contributors can be reached via
+[https://github.com/vanhauser-thc/AFLplusplus](https://github.com/vanhauser-thc/AFLplusplus)
+
+There is also a mailing list for the afl project; to join, send a mail to
+<afl-users+subscribe@googlegroups.com>. Or, if you prefer to browse
+archives first, try: [https://groups.google.com/group/afl-users](https://groups.google.com/group/afl-users)

docs/README.radamsa.md

@@ -0,0 +1,9 @@
+# libradamsa
+
+Pretranslated radamsa library. This code belongs to the radamsa author.
+
+> Original repository: https://gitlab.com/akihe/radamsa
+
+> Source commit: 7b2cc2d0
+
+> The code here is adapted for AFL++ with minor changes respect the original version

docs/binaryonly_fuzzing.md

@@ -0,0 +1,194 @@
+# Fuzzing binary-only programs with afl++
+
+  afl++, libfuzzer and others are great if you have the source code, and
+  it allows for very fast and coverage guided fuzzing.
+
+  However, if there is only the binary program and no source code available,
+  then standard `afl-fuzz -n` (dumb mode) is not effective.
+
+  The following is a description of how these binaries can be fuzzed with afl++
+
+## TL;DR:
+
+  qemu_mode in persistent mode is the fastest - if the stability is
+  high enough. Otherwise try retrowrite, afl-dyninst and if these
+  fail too then standard qemu_mode with AFL_ENTRYPOINT to where you need it.
+
+
+## QEMU
+
+  Qemu is the "native" solution to the program.
+  It is available in the ./qemu_mode/ directory and once compiled it can
+  be accessed by the afl-fuzz -Q command line option.
+  It is the easiest to use alternative and even works for cross-platform binaries.
+
+  The speed decrease is at about 50%.
+  However various options exist to increase the speed:
+   - using AFL_ENTRYPOINT to move the forkserver to a later basic block in
+     the binary (+5-10% speed)
+   - using persistent mode [qemu_mode/README.persistent.md](../qemu_mode/README.persistent.md)
+     this will result in 150-300% overall speed - so 3-8x the original
+     qemu_mode speed!
+   - using AFL_CODE_START/AFL_CODE_END to only instrument specific parts
+
+  Note that there is also honggfuzz: [https://github.com/google/honggfuzz](https://github.com/google/honggfuzz)
+  which now has a qemu_mode, but its performance is just 1.5% ...
+
+  As it is included in afl++ this needs no URL.
+
+
+## WINE+QEMU
+
+  Wine mode can run Win32 PE binaries with the QEMU instrumentation.
+  It needs Wine, python3 and the pefile python package installed.
+
+  As it is included in afl++ this needs no URL.
+
+
+## UNICORN
+
+  Unicorn is a fork of QEMU. The instrumentation is, therefore, very similar.
+  In contrast to QEMU, Unicorn does not offer a full system or even userland
+  emulation. Runtime environment and/or loaders have to be written from scratch,
+  if needed. On top, block chaining has been removed. This means the speed boost
+  introduced in  the patched QEMU Mode of afl++ cannot simply be ported over to
+  Unicorn. For further information, check out [unicorn_mode/README.md](../unicorn_mode/README.md).
+
+  As it is included in afl++ this needs no URL.
+
+
+## DYNINST
+
+  Dyninst is a binary instrumentation framework similar to Pintool and
+  Dynamorio (see far below). However whereas Pintool and Dynamorio work at
+  runtime, dyninst instruments the target at load time, and then let it run -
+  or save the  binary with the changes.
+  This is great for some things, e.g. fuzzing, and not so effective for others,
+  e.g. malware analysis.
+
+  So what we can do with dyninst is taking every basic block, and put afl's
+  instrumention code in there - and then save the binary.
+  Afterwards we can just fuzz the newly saved target binary with afl-fuzz.
+  Sounds great? It is. The issue though - it is a non-trivial problem to
+  insert instructions, which change addresses in the process space, so that
+  everything is still working afterwards. Hence more often than not binaries
+  crash when they are run.
+
+  The speed decrease is about 15-35%, depending on the optimization options
+  used with afl-dyninst.
+
+  So if Dyninst works, it is the best option available. Otherwise it just
+  doesn't work well.
+
+  [https://github.com/vanhauser-thc/afl-dyninst](https://github.com/vanhauser-thc/afl-dyninst)
+
+
+## RETROWRITE
+
+  If you have an x86/x86_64 binary that still has it's symbols, is compiled
+  with position independant code (PIC/PIE) and does not use most of the C++
+  features then the retrowrite solution might be for you.
+  It decompiles to ASM files which can then be instrumented with afl-gcc.
+
+  It is at about 80-85% performance.
+
+  [https://github.com/HexHive/retrowrite](https://github.com/HexHive/retrowrite)
+
+
+## MCSEMA
+
+  Theoretically you can also decompile to llvm IR with mcsema, and then
+  use llvm_mode to instrument the binary.
+  Good luck with that.
+
+  [https://github.com/lifting-bits/mcsema](https://github.com/lifting-bits/mcsema)
+
+
+## INTEL-PT
+
+  If you have a newer Intel CPU, you can make use of Intels processor trace.
+  The big issue with Intel's PT is the small buffer size and the complex
+  encoding of the debug information collected through PT.
+  This makes the decoding very CPU intensive and hence slow.
+  As a result, the overall speed decrease is about 70-90% (depending on
+  the implementation and other factors).
+
+  There are two afl intel-pt implementations:
+
+  1. [https://github.com/junxzm1990/afl-pt](https://github.com/junxzm1990/afl-pt)
+     => this needs Ubuntu 14.04.05 without any updates and the 4.4 kernel.
+
+  2. [https://github.com/hunter-ht-2018/ptfuzzer](https://github.com/hunter-ht-2018/ptfuzzer)
+     => this needs a 4.14 or 4.15 kernel. the "nopti" kernel boot option must
+        be used. This one is faster than the other.
+
+  Note that there is also honggfuzz: https://github.com/google/honggfuzz
+  But its IPT performance is just 6%!
+
+
+## CORESIGHT
+
+  Coresight is ARM's answer to Intel's PT.
+  There is no implementation so far which handle coresight and getting
+  it working on an ARM Linux is very difficult due to custom kernel building
+  on embedded systems is difficult. And finding one that has coresight in
+  the ARM chip is difficult too.
+  My guess is that it is slower than Qemu, but faster than Intel PT.
+
+  If anyone finds any coresight implementation for afl please ping me: vh@thc.org
+
+
+## FRIDA
+
+  Frida is a dynamic instrumentation engine like Pintool, Dyninst and Dynamorio.
+  What is special is that it is written Python, and scripted with Javascript.
+  It is mostly used to reverse binaries on mobile phones however can be used
+  everywhere.
+
+  There is a WIP fuzzer available at [https://github.com/andreafioraldi/frida-fuzzer](https://github.com/andreafioraldi/frida-fuzzer)
+
+  There is also an early implementation in an AFL++ test branch:
+  [https://github.com/vanhauser-thc/AFLplusplus/tree/frida](https://github.com/vanhauser-thc/AFLplusplus/tree/frida)
+
+
+## PIN & DYNAMORIO
+
+  Pintool and Dynamorio are dynamic instrumentation engines, and they can be
+  used for getting basic block information at runtime.
+  Pintool is only available for Intel x32/x64 on Linux, Mac OS and Windows
+  whereas Dynamorio is additionally available for ARM and AARCH64.
+  Dynamorio is also 10x faster than Pintool.
+
+  The big issue with Dynamorio (and therefore Pintool too) is speed.
+  Dynamorio has a speed decrease of 98-99%
+  Pintool has a speed decrease of 99.5%
+
+  Hence Dynamorio is the option to go for if everything fails, and Pintool
+  only if Dynamorio fails too.
+
+  Dynamorio solutions:
+  * [https://github.com/vanhauser-thc/afl-dynamorio](https://github.com/vanhauser-thc/afl-dynamorio)
+  * [https://github.com/mxmssh/drAFL](https://github.com/mxmssh/drAFL)
+  * [https://github.com/googleprojectzero/winafl/](https://github.com/googleprojectzero/winafl/) <= very good but windows only
+
+  Pintool solutions:
+  * [https://github.com/vanhauser-thc/afl-pin](https://github.com/vanhauser-thc/afl-pin)
+  * [https://github.com/mothran/aflpin](https://github.com/mothran/aflpin)
+  * [https://github.com/spinpx/afl_pin_mode](https://github.com/spinpx/afl_pin_mode) <= only old Pintool version supported
+
+
+## Non-AFL solutions
+
+  There are many binary-only fuzzing frameworks.
+  Some are great for CTFs but don't work with large binaries, others are very
+  slow but have good path discovery, some are very hard to set-up ...
+
+  * QSYM: [https://github.com/sslab-gatech/qsym](https://github.com/sslab-gatech/qsym)
+  * Manticore: [https://github.com/trailofbits/manticore](https://github.com/trailofbits/manticore)
+  * S2E: [https://github.com/S2E](https://github.com/S2E)
+  *  ... please send me any missing that are good
+
+
+## Closing words
+
+  That's it! News, corrections, updates? Send an email to vh@thc.org

docs/binaryonly_fuzzing.txt

@@ -1,144 +0,0 @@
-
-Fuzzing binary-only programs with afl++
-=======================================
-
-afl++, libfuzzer and others are great if you have the source code, and
-it allows for very fast and coverage guided fuzzing.
-
-However, if there is only the binary program and not source code available,
-then standard afl++ (dumb mode) is not effective.
-
-The following is a description of how these can be fuzzed with afl++
-
-!!!!!
-TL;DR: try DYNINST with afl-dyninst. If it produces too many crashes then
-      use afl -Q qemu_mode, or better: use both in parallel.
-!!!!!
-
-
-QEMU
-----
-Qemu is the "native" solution to the program.
-It is available in the ./qemu_mode/ directory and once compiled it can
-be accessed by the afl-fuzz -Q command line option.
-The speed decrease is at about 50%
-It is the easiest to use alternative and even works for cross-platform binaries.
-
-As it is included in afl++ this needs no URL.
-
-WINE+QEMU
----------
-Wine mode can run Win32 PE with the QEMU instrumentation.
-It needs Wine, python3 and the pefile python package installed.
-
-UNICORN
--------
-Unicorn is a fork of QEMU. The instrumentation is, therefore, very similar.
-In contrast to QEMU, Unicorn does not offer a full system or even userland emulation.
-Runtime environment and/or loaders have to be written from scratch, if needed.
-On top, block chaining has been removed. This means the speed boost introduced in 
-to the patched QEMU Mode of afl++ cannot simply be ported over to Unicorn.
-For further information, check out ./unicorn_mode.txt.
-
-
-DYNINST
--------
-Dyninst is a binary instrumentation framework similar to Pintool and Dynamorio
-(see far below). However whereas Pintool and Dynamorio work at runtime, dyninst
-instruments the target at load time, and then let it run.
-This is great for some things, e.g. fuzzing, and not so effective for others,
-e.g. malware analysis.
-
-So what we can do with dyninst is taking every basic block, and put afl's
-instrumention code in there - and then save the binary.
-Afterwards we can just fuzz the newly saved target binary with afl-fuzz.
-Sounds great? It is. The issue though - it is a non-trivial problem to
-insert instructions, which change addresses in the process space, so
-everything is still working afterwards. Hence more often than not binaries
-crash when they are run (because of instrumentation).
-
-The speed decrease is about 15-35%, depending on the optimization options
-used with afl-dyninst.
-
-So if dyninst works, it is the best option available. Otherwise it just doesn't
-work well.
-
-https://github.com/vanhauser-thc/afl-dyninst
-
-
-INTEL-PT
---------
-If you have a newer Intel CPU, you can make use of Intels processor trace.
-The big issue with Intel's PT is the small buffer size and the complex
-encoding of the debug information collected through PT.
-This makes the decoding very CPU intensive and hence slow.
-As a result, the overall speed decrease is about 70-90% (depending on
-the implementation and other factors).
-
-There are two afl intel-pt implementations:
-
-1. https://github.com/junxzm1990/afl-pt
- => this needs Ubuntu 14.04.05 without any updates and the 4.4 kernel.
-
-2. https://github.com/hunter-ht-2018/ptfuzzer
- => this needs a 4.14 or 4.15 kernel. the "nopti" kernel boot option must
-    be used. This one is faster than the other.
-
-
-CORESIGHT
----------
-
-Coresight is ARM's answer to Intel's PT.
-There is no implementation so far which handle coresight and getting
-it working on an ARM Linux is very difficult due to custom kernel building
-on embedded systems is difficult. And finding one that has coresight in
-the ARM chip is difficult too.
-My guess is that it is slower than Qemu, but faster than Intel PT.
-If anyone finds any coresight implementation for afl please ping me:
-vh@thc.org
-
-
-PIN & DYNAMORIO
----------------
-
-Pintool and Dynamorio are dynamic instrumentation engines, and they can be
-used for getting basic block information at runtime.
-Pintool is only available for Intel x32/x64 on Linux, Mac OS and Windows
-whereas Dynamorio is additionally available for ARM and AARCH64.
-Dynamorio is also 10x faster than Pintool.
-
-The big issue with Dynamorio (and therefore Pintool too) is speed.
-Dynamorio has a speed decrease of 98-99%
-Pintool has a speed decrease of 99.5%
-
-Hence Dynamorio is the option to go for if everything fails, and Pintool
-only if Dynamorio fails too.
-
-Dynamorio solutions:
-  https://github.com/vanhauser-thc/afl-dynamorio
-  https://github.com/mxmssh/drAFL
-  https://github.com/googleprojectzero/winafl/ <= very good but windows only
-
-Pintool solutions:
-  https://github.com/vanhauser-thc/afl-pin
-  https://github.com/mothran/aflpin
-  https://github.com/spinpx/afl_pin_mode  <= only old Pintool version supported
-
-
-Non-AFL solutions
------------------
-
-There are many binary-only fuzzing frameworks. Some are great for CTFs but don't
-work with large binaries, others are very slow but have good path discovery,
-some are very hard to set-up ...
-
-QSYM: https://github.com/sslab-gatech/qsym
-Manticore: https://github.com/trailofbits/manticore
-S2E: https://github.com/S2E
-<please send me any missing that are good>
-
-
-
-That's it!
-News, corrections, updates?
-Email vh@thc.org

docs/custom_mutator.md

@@ -1,13 +1,10 @@
-==================================================
-Adding custom mutators to AFL using
-==================================================
+# Adding custom mutators to AFL
+
 This file describes how you can implement custom mutations to be used in AFL.
 
 Implemented by Khaled Yakdan from Code Intelligence <yakdan@code-intelligence.de>
 
-
-1) Description
---------------
+## 1) Description
 
 Custom mutator libraries can be passed to afl-fuzz to perform custom mutations
 on test cases beyond those available in AFL - for example, to enable structure-aware
@@ -34,6 +31,6 @@ is then transforms the data into the format expected by the API before executing
 afl_pre_save_handler is optional and does not have to be implemented if its functionality
 is not needed.
 
-2) Example
-----------
-A simple example is provided in ../custom_mutators/
+## 2) Example
+
+A simple example is provided in ../examples/custom_mutators/

docs/env_variables.md

@@ -1,18 +1,20 @@
-=======================
-Environmental variables
-=======================
+# Environmental variables
 
-  This document discusses the environment variables used by American Fuzzy Lop
+  This document discusses the environment variables used by American Fuzzy Lop++
   to expose various exotic functions that may be (rarely) useful for power
-  users or for some types of custom fuzzing setups. See README for the general
+  users or for some types of custom fuzzing setups. See README.md for the general
   instruction manual.
 
-1) Settings for afl-gcc, afl-clang, and afl-as - and gcc_plugin afl-gcc-fast
-----------------------------------------------------------------------------
+## 1) Settings for afl-gcc, afl-clang, and afl-as - and gcc_plugin afl-gcc-fast
 
 Because they can't directly accept command-line options, the compile-time
 tools make fairly broad use of environmental variables:
 
+  - Most afl tools do not print any ouput if stout/stderr are redirected.
+    If you want to have the output into a file then set the AFL_DEBUG
+    environment variable.
+    This is sadly necessary for various build processes which fail otherwise.
+
   - Setting AFL_HARDEN automatically adds code hardening options when invoking
     the downstream compiler. This currently includes -D_FORTIFY_SOURCE=2 and
     -fstack-protector-all. The setting is useful for catching non-crashing
@@ -25,19 +27,18 @@ tools make fairly broad use of environmental variables:
 
   - Setting AFL_USE_ASAN automatically enables ASAN, provided that your
     compiler supports that. Note that fuzzing with ASAN is mildly challenging
-    - see notes_for_asan.txt.
+    - see [notes_for_asan.md](notes_for_asan.md).
 
     (You can also enable MSAN via AFL_USE_MSAN; ASAN and MSAN come with the
-    same gotchas; the modes are mutually exclusive. UBSAN and other exotic
-    sanitizers are not officially supported yet, but are easy to get to work
-    by hand.)
+    same gotchas; the modes are mutually exclusive. UBSAN can be enabled
+    similarly by setting the environment variable AFL_USE_UBSAN=1)
 
   - Setting AFL_CC, AFL_CXX, and AFL_AS lets you use alternate downstream
     compilation tools, rather than the default 'clang', 'gcc', or 'as' binaries
     in your $PATH.
 
   - AFL_PATH can be used to point afl-gcc to an alternate location of afl-as.
-    One possible use of this is experimental/clang_asm_normalize/, which lets
+    One possible use of this is examples/clang_asm_normalize/, which lets
     you instrument hand-written assembly when compiling clang code by plugging
     a normalizer into the chain. (There is no equivalent feature for GCC.)
 
@@ -65,17 +66,20 @@ tools make fairly broad use of environmental variables:
     mkdir assembly_here
     TMPDIR=$PWD/assembly_here AFL_KEEP_ASSEMBLY=1 make clean all
 
+  - If you are a weird person that wants to compile and instrument asm
+    text files then use the AFL_AS_FORCE_INSTRUMENT variable:
+      AFL_AS_FORCE_INSTRUMENT=1 afl-gcc foo.s -o foo
+
   - Setting AFL_QUIET will prevent afl-cc and afl-as banners from being
     displayed during compilation, in case you find them distracting.
 
   - Setting AFL_CAL_FAST will speed up the initial calibration, if the
     application is very slow
 
-2) Settings for afl-clang-fast / afl-clang-fast++
--------------------------------------------------
+## 2) Settings for afl-clang-fast / afl-clang-fast++ / afl-gcc-fast / afl-g++-fast
 
-The native LLVM instrumentation helper accepts a subset of the settings
-discussed in section #1, with the exception of:
+The native instrumentation helpers (llvm_mode and gcc_plugin) accept a subset
+of the settings discussed in section #1, with the exception of:
 
   - AFL_AS, since this toolchain does not directly invoke GNU as.
 
@@ -87,8 +91,8 @@ discussed in section #1, with the exception of:
 
 Then there are a few specific features that are only available in llvm_mode:
 
-  LAF-INTEL
-  =========
+### LAF-INTEL
+
     This great feature will split compares to series of single byte comparisons
     to allow afl-fuzz to find otherwise rather impossible paths. It is not
     restricted to Intel CPUs ;-)
@@ -100,19 +104,19 @@ Then there are a few specific features that are only available in llvm_mode:
     - Setting AFL_LLVM_LAF_SPLIT_COMPARES will split all floating point and
       64, 32 and 16 bit integer CMP instructions
 
-    See llvm_mode/README.laf-intel for more information. 
+    See llvm_mode/README.laf-intel.md for more information. 
+
+### WHITELIST
 
-  WHITELIST
-  =========
     This feature allows selectively instrumentation of the source
 
     - Setting AFL_LLVM_WHITELIST with a filename will only instrument those
       files that match the names listed in this file.
 
-    See llvm_mode/README.whitelist for more information.
+    See llvm_mode/README.whitelist.md for more information.
+
+### INSTRIM
 
-  INSTRIM
-  =======
     This feature increases the speed by whopping 20% but at the cost of a
     lower path discovery and therefore coverage.
 
@@ -122,10 +126,9 @@ Then there are a few specific features that are only available in llvm_mode:
       afl-fuzz will only be able to see the path the loop took, but not how
       many times it was called (unless it is a complex loop).
 
-    See llvm_mode/README.instrim
+    See llvm_mode/README.instrim.md
 
-  NOT_ZERO
-  ========
+### NOT_ZERO
 
     - Setting AFL_LLVM_NOT_ZERO=1 during compilation will use counters
       that skip zero on overflow. This is the default for llvm >= 9,
@@ -133,10 +136,27 @@ Then there are a few specific features that are only available in llvm_mode:
       slowdown due a performance issue that is only fixed in llvm 9+.
       This feature increases path discovery by a little bit.
 
-    See llvm_mode/README.neverzero
+    See llvm_mode/README.neverzero.md
 
-3) Settings for afl-fuzz
-------------------------
+### CMPLOG
+
+    - Setting AFL_LLVM_CMPLOG=1 during compilation will tell afl-clang-fast to
+      produce a CmpLog binary. See llvm_mode/README.cmplog.md
+
+    See llvm_mode/README.neverzero.md
+
+Then there are a few specific features that are only available in the gcc_plugin:
+
+### WHITELIST
+
+    This feature allows selective instrumentation of the source
+
+    - Setting AFL_GCC_WHITELIST with a filename will only instrument those
+      files that match the names listed in this file (one filename per line).
+
+    See gcc_plugin/README.whitelist.md for more information.
+
+## 3) Settings for afl-fuzz
 
 The main fuzzer binary accepts several options that disable a couple of sanity
 checks or alter some of the more exotic semantics of the tool:
@@ -199,16 +219,16 @@ checks or alter some of the more exotic semantics of the tool:
     Beyond counter aesthetics, not much else should change.
 
   - Setting AFL_POST_LIBRARY allows you to configure a postprocessor for
-    mutated files - say, to fix up checksums. See experimental/post_library/
+    mutated files - say, to fix up checksums. See examples/post_library/
     for more.
 
   - Setting AFL_CUSTOM_MUTATOR_LIBRARY to a shared library with
     afl_custom_mutator() export run additional mutations though this library.
     If AFL_CUSTOM_MUTATOR_ONLY is also set, all mutations will solely be
-    performed with/from the libary. see docs/custom_mutator.txt
+    performed with/from the libary. see [custom_mutator.md](custom_mutator.md)
 
   - For AFL_PYTHON_MODULE and AFL_PYTHON_ONLY - they require to be compiled
-    with -DUSE_PYTHON. Please see docs/python_mutators.txt
+    with -DUSE_PYTHON. Please see [python_mutators.md](python_mutators.md)
     This feature allows to configure custom mutators which can be very helpful
     in e.g. fuzzing XML or other highly flexible structured input.
 
@@ -242,8 +262,7 @@ checks or alter some of the more exotic semantics of the tool:
   - Setting AFL_DEBUG_CHILD_OUTPUT will not suppress the child output.
     Not pretty but good for debugging purposes.
 
-4) Settings for afl-qemu-trace
-------------------------------
+## 4) Settings for afl-qemu-trace
 
 The QEMU wrapper used to instrument binary-only code supports several settings:
 
@@ -257,7 +276,7 @@ The QEMU wrapper used to instrument binary-only code supports several settings:
   - Setting AFL_COMPCOV_LEVEL enables the CompareCoverage tracing of all cmp
     and sub in x86 and x86_64 and memory comparions functions (e.g. strcmp,
     memcmp, ...) when libcompcov is preloaded using AFL_PRELOAD.
-    More info at qemu_mode/libcompcov/README.compcov.
+    More info at qemu_mode/libcompcov/README.md.
     There are two levels at the moment, AFL_COMPCOV_LEVEL=1 that instruments
     only comparisons with immediate values / read-only memory and
     AFL_COMPCOV_LEVEL=2 that instruments all the comparions. Level 2 is more
@@ -280,9 +299,24 @@ The QEMU wrapper used to instrument binary-only code supports several settings:
     binary (this can be very good for the performance!).
     The entrypoint is specified as hex address, e.g. 0x4004110
     Note that the address must be the address of a basic block.
+  
+  - When the target is i386/x86_64 you can specify the address of the function
+    that has to be the body of the persistent loop using
+    AFL_QEMU_PERSISTENT_ADDR=`start addr`.
+  
+  - Another modality to execute the persistent loop is to specify also the
+    AFL_QEMU_PERSISTENT_RET=`end addr` env variable.
+    With this variable assigned, instead of patching the return address, the
+    specified instruction is transformed to a jump towards `start addr`.
+    
+  - AFL_QEMU_PERSISTENT_GPR=1 QEMU will save the original value of general
+    purpose registers and restore them in each persistent cycle.
+  
+  - With AFL_QEMU_PERSISTENT_RETADDR_OFFSET you can specify the offset from the
+    stack pointer in which QEMU can find the return address when `start addr` is
+    hitted.
 
-5) Settings for afl-cmin
-------------------------
+## 5) Settings for afl-cmin
 
 The corpus minimization script offers very little customization:
 
@@ -297,8 +331,7 @@ The corpus minimization script offers very little customization:
     a modest security risk on multi-user systems with rogue users, but should
     be safe on dedicated fuzzing boxes.
 
-6) Settings for afl-tmin
-------------------------
+# #6) Settings for afl-tmin
 
 Virtually nothing to play with. Well, in QEMU mode (-Q), AFL_PATH will be
 searched for afl-qemu-trace. In addition to this, TMPDIR may be used if a
@@ -309,16 +342,14 @@ to match when minimizing crashes. This will make minimization less useful, but
 may prevent the tool from "jumping" from one crashing condition to another in
 very buggy software. You probably want to combine it with the -e flag.
 
-7) Settings for afl-analyze
----------------------------
+## 7) Settings for afl-analyze
 
 You can set AFL_ANALYZE_HEX to get file offsets printed as hexadecimal instead
 of decimal.
 
-8) Settings for libdislocator.so
---------------------------------
+## 8) Settings for libdislocator
 
-The library honors three environmental variables:
+The library honors these environmental variables:
 
   - AFL_LD_LIMIT_MB caps the size of the maximum heap usage permitted by the
     library, in megabytes. The default value is 1 GB. Once this is exceeded,
@@ -334,15 +365,16 @@ The library honors three environmental variables:
   - AFL_LD_NO_CALLOC_OVER inhibits abort() on calloc() overflows. Most
     of the common allocators check for that internally and return NULL, so
     it's a security risk only in more exotic setups.
+  
+  - AFL_ALIGNED_ALLOC=1 will force the alignment of the allocation size to
+    max_align_t to be compliant with the C standard.
 
-9) Settings for libtokencap.so
-------------------------------
+## 9) Settings for libtokencap
 
 This library accepts AFL_TOKEN_FILE to indicate the location to which the
 discovered tokens should be written.
 
-10) Third-party variables set by afl-fuzz & other tools
--------------------------------------------------------
+## 10) Third-party variables set by afl-fuzz & other tools
 
 Several variables are not directly interpreted by afl-fuzz, but are set to
 optimal values if not already present in the environment:
@@ -356,6 +388,7 @@ optimal values if not already present in the environment:
 
     abort_on_error=1
     detect_leaks=0
+    malloc_context_size=0
     symbolize=0
     allocator_may_return_null=1
 

docs/historical_notes.md

@@ -1,17 +1,14 @@
-================
-Historical notes
-================
+# Historical notes
 
   This doc talks about the rationale of some of the high-level design decisions
   for American Fuzzy Lop. It's adopted from a discussion with Rob Graham.
-  See README for the general instruction manual, and technical_details.txt for
+  See README.md for the general instruction manual, and technical_details.md for
   additional implementation-level insights.
 
-1) Influences
--------------
+## 1) Influences
 
-In short, afl-fuzz is inspired chiefly by the work done by Tavis Ormandy back
-in 2007. Tavis did some very persuasive experiments using gcov block coverage
+In short, `afl-fuzz` is inspired chiefly by the work done by Tavis Ormandy back
+in 2007. Tavis did some very persuasive experiments using `gcov` block coverage
 to select optimal test cases out of a large corpus of data, and then using
 them as a starting point for traditional fuzzing workflows.
 
@@ -22,7 +19,7 @@ In parallel to this, both Tavis and I were interested in evolutionary fuzzing.
 Tavis had his experiments, and I was working on a tool called bunny-the-fuzzer,
 released somewhere in 2007.
 
-Bunny used a generational algorithm not much different from afl-fuzz, but
+Bunny used a generational algorithm not much different from `afl-fuzz`, but
 also tried to reason about the relationship between various input bits and
 the internal state of the program, with hopes of deriving some additional value
 from that. The reasoning / correlation part was probably in part inspired by
@@ -43,7 +40,7 @@ coverage-driven fuzzer that relied on coverage as a fitness function.
 Jared's approach was by no means identical to what afl-fuzz does, but it was in
 the same ballpark. His fuzzer tried to explicitly solve for the maximum coverage
 with a single input file; in comparison, afl simply selects for cases that do
-something new (which yields better results - see technical_details.txt).
+something new (which yields better results - see [technical_details.md](technical_details.md)).
 
 A few years later, Gabriel Campana released fuzzgrind, a tool that relied purely
 on Valgrind and a constraint solver to maximize coverage without any brute-force
@@ -75,8 +72,7 @@ But I digress; ultimately, attribution is hard, and glorying the fundamental
 concepts behind AFL is probably a waste of time. The devil is very much in the
 often-overlooked details, which brings us to...
 
-2) Design goals for afl-fuzz
-----------------------------
+## 2. Design goals for afl-fuzz
 
 In short, I believe that the current implementation of afl-fuzz takes care of
 several itches that seemed impossible to scratch with other tools:
@@ -86,7 +82,7 @@ several itches that seemed impossible to scratch with other tools:
    likely to find a bug, but runs 100x slower, your users are getting a bad
    deal.
 
-   To avoid starting with a handicap, afl-fuzz is meant to let you fuzz most of
+   To avoid starting with a handicap, `afl-fuzz` is meant to let you fuzz most of
    the intended targets at roughly their native speed - so even if it doesn't
    add value, you do not lose much.
 
@@ -107,7 +103,7 @@ several itches that seemed impossible to scratch with other tools:
    them strictly worse than "dumb" tools, and such degradation can be difficult
    for less experienced users to notice and correct.
 
-   In contrast, afl-fuzz is designed to be rock solid, chiefly by keeping it
+   In contrast, `afl-fuzz` is designed to be rock solid, chiefly by keeping it
    simple. In fact, at its core, it's designed to be just a very good
    traditional fuzzer with a wide range of interesting, well-researched
    strategies to go by. The fancy parts just help it focus the effort in
@@ -137,11 +133,11 @@ several itches that seemed impossible to scratch with other tools:
    corpora of interesting test cases that can be fed into a manual testing
    process or a UI harness later on.
 
-As mentioned in technical_details.txt, AFL does all this not by systematically
+As mentioned in [technical_details.md](technical_details.md), AFL does all this not by systematically
 applying a single overarching CS concept, but by experimenting with a variety
 of small, complementary methods that were shown to reliably yields results
 better than chance. The use of instrumentation is a part of that toolkit, but is
 far from being the most important one.
 
-Ultimately, what matters is that afl-fuzz is designed to find cool bugs - and
+Ultimately, what matters is that `afl-fuzz` is designed to find cool bugs - and
 has a pretty robust track record of doing just that.

docs/ideas.md

@@ -0,0 +1,105 @@
+# Ideas for afl++
+
+In the following, we describe a variety of ideas that could be implemented
+for future AFL++ versions.
+
+## Flexible Grammar Mutator
+
+Currently, AFL++'s mutation does not have deeper knowledge about the fuzzed
+binary, apart from feedback, even though the developer may have insights
+about the target.
+
+A developer may choose to provide dictionaries and implement own mutations
+in python or C, but an easy mutator that behaves according to a given grammar,
+does not exist.
+
+State-of-the-art research on grammar fuzzing has some problems in their
+implementations like code quality, scalability, or ease of use and other
+common issues of the academic code.
+
+We aim to develop a pluggable grammar mutator for afl++ that combines
+various results.
+
+Mentor: andreafioraldi 
+
+## Expand on the MOpt mutator
+
+Work on the MOpt mutator that is already in AFL++.
+
+This is an excellent mutations scheduler based on Particle Swarm
+Optimization but the current implementation schedule only the mutations
+that were present on AFL.
+
+AFL++ added a lost of optional mutators like the Input-2-State one based
+on Redqueen, the Radamsa mutator, the Custom mutator (the user can define
+its own mutator) and the work is to generalize MOpt for all the current
+and future mutators.
+
+Mentor: vanhauser-thc or andreafioraldi
+
+## perf-fuzz Linux Kernel Module
+
+Port the parts of the Linux Kernel modified by 
+[perf-fuzz](https://gts3.org/assets/papers/2017/xu:os-fuzz.pdf)
+into a linux kernel module, so no source in the kernel needs to be changed.
+Or write your worn LKM from scratch to do this.
+The perf-fuzz kernel can be found at [https://github.com/sslab-gatech/perf-fuzz](https://github.com/sslab-gatech/perf-fuzz)
+There also is/was a FreeBSD project at [https://github.com/veracode-research/freebsd-perf-fuzz](https://github.com/veracode-research/freebsd-perf-fuzz)
+
+This enables snapshot fuzzing on Linux with an incredible performance!
+
+Mentor: any
+
+## QEMU 4-based Instrumentation
+
+First tests to use QEMU 4 for binary-only AFL++ showed that caching behavior
+changed, which vastly decreases fuzzing speeds.
+
+This is the cause why, right now, we cannot switch to QEMU 4.2.
+
+Understanding the current instrumentation and fixing the current caching
+issues will be needed.
+
+Mentor: andreafioraldi
+
+## WASM Instrumentation
+
+Currently, AFL++ can be used for source code fuzzing and traditional binaries.
+With the rise of WASM as compile target, however, a novel way of
+instrumentation needs to be implemented for binaries compiled to Webassembly.
+This can either be done by inserting instrumentation directly into the
+WASM AST, or by patching feedback into a WASM VMs of choice, similar to
+the current Unicorn instrumentation.
+
+Mentor: any
+
+## Machine Learning
+
+Something with machine learning, better than [NEUZZ](https://github.com/dongdongshe/neuzz) :-)
+Either improve a single mutator thorugh learning of many different bugs
+(a bug class) or gather deep insights about a single target beforehand
+(CFG, DFG, VFG, ...?) and improve performance for a single target.
+
+Mentor: domenukk
+
+## Reengineer `afl-fuzz` as Thread Safe, Embeddable Library
+
+Right now, afl-fuzz is single threaded, cannot safely be embedded in tools, and not multi-threaded. It makes use of a large number of globals, must always be the parent process and exec child processes. 
+Instead, afl-fuzz could be refactored to contain no global state and globals.
+This allows for different use cases that could be implemented during this project.
+
+Mentor: hexcoder- or vanhauser-thc
+
+## Collision-free Binary-Only Maps
+
+AFL++ supports collison-free maps using an LTO (link-time-optimization) pass.
+This should be possile to implement for QEMU and Unicorn instrumentations.
+As the forkserver parent caches just in time translated translation blocks, adding a simple counter between jumps should be doable.
+
+Mentor: andreafioraldi or domenukk
+
+## Your idea!
+
+Finally, we are open to proposals!
+Create an issue at https://github.com/vanhauser-thc/AFLplusplus/issues and let's discuss :-)
+

docs/life_pro_tips.md

@@ -0,0 +1,90 @@
+# AFL "Life Pro Tips"
+
+Bite-sized advice for those who understand the basics, but can't be bothered
+to read or memorize every other piece of documentation for AFL.
+
+## Get more bang for your buck by using fuzzing dictionaries.
+
+See [dictionaries/README.md](../dictionaries/README.md) to learn how.
+
+## You can get the most out of your hardware by parallelizing AFL jobs.
+
+See [parallel_fuzzing.md](parallel_fuzzing.md) for step-by-step tips.
+
+## Improve the odds of spotting memory corruption bugs with libdislocator.so!
+
+It's easy. Consult [libdislocator/README.md](../libdislocator/README.md) for usage tips.
+
+## Want to understand how your target parses a particular input file?
+
+Try the bundled `afl-analyze` tool; it's got colors and all!
+
+## You can visually monitor the progress of your fuzzing jobs.
+
+Run the bundled `afl-plot` utility to generate browser-friendly graphs.
+
+## Need to monitor AFL jobs programmatically? 
+Check out the `fuzzer_stats` file in the AFL output dir or try `afl-whatsup`.
+
+## Puzzled by something showing up in red or purple in the AFL UI?
+It could be important - consult docs/status_screen.md right away!
+
+## Know your target? Convert it to persistent mode for a huge performance gain!
+Consult section #5 in llvm_mode/README.md for tips.
+
+## Using clang? 
+Check out llvm_mode/ for a faster alternative to afl-gcc!
+
+## Did you know that AFL can fuzz closed-source or cross-platform binaries?
+Check out qemu_mode/README.md and unicorn_mode/README.md for more.
+
+## Did you know that afl-fuzz can minimize any test case for you?
+Try the bundled `afl-tmin` tool - and get small repro files fast!
+
+## Not sure if a crash is exploitable? AFL can help you figure it out. Specify
+`-C` to enable the peruvian were-rabbit mode.
+
+## Trouble dealing with a machine uprising? Relax, we've all been there.
+
+Find essential survival tips at http://lcamtuf.coredump.cx/prep/.
+
+## Want to automatically spot non-crashing memory handling bugs?
+
+Try running an AFL-generated corpus through ASAN, MSAN, or Valgrind.
+
+## Good selection of input files is critical to a successful fuzzing job.
+
+See docs/perf_tips.md for pro tips.
+
+## You can improve the odds of automatically spotting stack corruption issues.
+
+Specify `AFL_HARDEN=1` in the environment to enable hardening flags.
+
+## Bumping into problems with non-reproducible crashes? 
+It happens, but usually
+isn't hard to diagnose. See section #7 in README.md for tips.
+
+## Fuzzing is not just about memory corruption issues in the codebase. 
+Add some
+sanity-checking `assert()` / `abort()` statements to effortlessly catch logic bugs.
+
+## Hey kid... pssst... want to figure out how AFL really works?
+
+Check out docs/technical_details.md for all the gory details in one place!
+
+## There's a ton of third-party helper tools designed to work with AFL!
+
+Be sure to check out docs/sister_projects.md before writing your own.
+
+## Need to fuzz the command-line arguments of a particular program?
+
+You can find a simple solution in examples/argv_fuzzing.
+
+## Attacking a format that uses checksums? 
+
+Remove the checksum-checking code or
+use a postprocessor! See examples/post_library/ for more.
+
+## Dealing with a very slow target or hoping for instant results? 
+
+Specify `-d` when calling afl-fuzz!

docs/life_pro_tips.txt

@@ -1,128 +0,0 @@
-# ===================
-# AFL "Life Pro Tips"
-# ===================
-#
-# Bite-sized advice for those who understand the basics, but can't be bothered
-# to read or memorize every other piece of documentation for AFL.
-#
-
-%
-
-Get more bang for your buck by using fuzzing dictionaries.
-See dictionaries/README.dictionaries to learn how.
-
-%
-
-You can get the most out of your hardware by parallelizing AFL jobs.
-See docs/parallel_fuzzing.txt for step-by-step tips.
-
-%
-
-Improve the odds of spotting memory corruption bugs with libdislocator.so!
-It's easy. Consult libdislocator/README.dislocator for usage tips.
-
-%
-
-Want to understand how your target parses a particular input file?
-Try the bundled afl-analyze tool; it's got colors and all!
-
-%
-
-You can visually monitor the progress of your fuzzing jobs.
-Run the bundled afl-plot utility to generate browser-friendly graphs.
-
-%
-
-Need to monitor AFL jobs programmatically? Check out the fuzzer_stats file
-in the AFL output dir or try afl-whatsup.
-
-%
-
-Puzzled by something showing up in red or purple in the AFL UI?
-It could be important - consult docs/status_screen.txt right away!
-
-%
-
-Know your target? Convert it to persistent mode for a huge performance gain!
-Consult section #5 in llvm_mode/README.llvm for tips.
-
-%
-
-Using clang? Check out llvm_mode/ for a faster alternative to afl-gcc!
-
-%
-
-Did you know that AFL can fuzz closed-source or cross-platform binaries?
-Check out qemu_mode/README.qemu for more.
-
-%
-
-Did you know that afl-fuzz can minimize any test case for you?
-Try the bundled afl-tmin tool - and get small repro files fast!
-
-%
-
-Not sure if a crash is exploitable? AFL can help you figure it out. Specify
--C to enable the peruvian were-rabbit mode. See section #10 in README for more.
-
-%
-
-Trouble dealing with a machine uprising? Relax, we've all been there.
-Find essential survival tips at http://lcamtuf.coredump.cx/prep/.
-
-%
-
-AFL-generated corpora can be used to power other testing processes.
-See section #2 in README for inspiration - it tends to pay off!
-
-%
-
-Want to automatically spot non-crashing memory handling bugs?
-Try running an AFL-generated corpus through ASAN, MSAN, or Valgrind.
-
-%
-
-Good selection of input files is critical to a successful fuzzing job.
-See section #5 in README (or docs/perf_tips.txt) for pro tips.
-
-%
-
-You can improve the odds of automatically spotting stack corruption issues.
-Specify AFL_HARDEN=1 in the environment to enable hardening flags.
-
-%
-
-Bumping into problems with non-reproducible crashes? It happens, but usually
-isn't hard to diagnose. See section #7 in README for tips.
-
-%
-
-Fuzzing is not just about memory corruption issues in the codebase. Add some
-sanity-checking assert() / abort() statements to effortlessly catch logic bugs.
-
-%
-
-Hey kid... pssst... want to figure out how AFL really works?
-Check out docs/technical_details.txt for all the gory details in one place!
-
-%
-
-There's a ton of third-party helper tools designed to work with AFL!
-Be sure to check out docs/sister_projects.txt before writing your own.
-
-%
-
-Need to fuzz the command-line arguments of a particular program?
-You can find a simple solution in experimental/argv_fuzzing.
-
-%
-
-Attacking a format that uses checksums? Remove the checksum-checking code or
-use a postprocessor! See experimental/post_library/ for more.
-
-%
-
-Dealing with a very slow target or hoping for instant results? Specify -d
-when calling afl-fuzz!
-
-%

docs/notes_for_asan.md

@@ -1,12 +1,9 @@
-==================================
-Notes for using ASAN with afl-fuzz
-==================================
+# Notes for using ASAN with afl-fuzz
 
   This file discusses some of the caveats for fuzzing under ASAN, and suggests
-  a handful of alternatives. See README for the general instruction manual.
+  a handful of alternatives. See README.md for the general instruction manual.
 
-1) Short version
-----------------
+## 1) Short version
 
 ASAN on 64-bit systems requests a lot of memory in a way that can't be easily
 distinguished from a misbehaving program bent on crashing your system.
@@ -23,7 +20,7 @@ Because of this, fuzzing with ASAN is recommended only in four scenarios:
     - Precisely gauge memory needs using http://jwilk.net/software/recidivm .
 
     - Limit the memory available to process using cgroups on Linux (see
-      experimental/asan_cgroups).
+      examples/asan_cgroups).
 
 To compile with ASAN, set AFL_USE_ASAN=1 before calling 'make clean all'. The
 afl-gcc / afl-clang wrappers will pick that up and add the appropriate flags.
@@ -34,11 +31,10 @@ Note that ASAN is incompatible with -static, so be mindful of that.
 There is also the option of generating a corpus using a non-ASAN binary, and
 then feeding it to an ASAN-instrumented one to check for bugs. This is faster,
 and can give you somewhat comparable results. You can also try using
-libdislocator (see libdislocator/README.dislocator in the parent directory) as a
+libdislocator (see libdislocator/README.dislocator.md in the parent directory) as a
 lightweight and hassle-free (but less thorough) alternative.
 
-2) Long version
----------------
+## 2) Long version
 
 ASAN allocates a huge region of virtual address space for bookkeeping purposes.
 Most of this is never actually accessed, so the OS never has to allocate any
@@ -74,7 +70,7 @@ There are also cgroups, but they are Linux-specific, not universally available
 even on Linux systems, and they require root permissions to set up; I'm a bit
 hesitant to make afl-fuzz require root permissions just for that. That said,
 if you are on Linux and want to use cgroups, check out the contributed script
-that ships in experimental/asan_cgroups/.
+that ships in examples/asan_cgroups/.
 
 In settings where cgroups aren't available, we have no nice, portable way to
 avoid counting the ASAN allocation toward the limit. On 32-bit systems, or for
@@ -105,16 +101,19 @@ examine them with ASAN, Valgrind, or other heavy-duty tools in a more
 controlled setting; or compile the target program with -m32 (32-bit mode)
 if your system supports that.
 
-3) Interactions with the QEMU mode
-----------------------------------
+## 3) Interactions with the QEMU mode
 
 ASAN, MSAN, and other sanitizers appear to be incompatible with QEMU user
 emulation, so please do not try to use them with the -Q option; QEMU doesn't
 seem to appreciate the shadow VM trick used by these tools, and will likely
 just allocate all your physical memory, then crash.
 
-4) ASAN and OOM crashes
------------------------
+You can, however, use QASan to run binaries that are not instrumented with ASan
+under QEMU with the AFL++ instrumentation.
+
+https://github.com/andreafioraldi/qasan
+
+## 4) ASAN and OOM crashes
 
 By default, ASAN treats memory allocation failures as fatal errors, immediately
 causing the program to crash. Since this is a departure from normal POSIX
@@ -129,15 +128,19 @@ want to cc: yourself on this bug:
 
   https://bugs.llvm.org/show_bug.cgi?id=22026
 
-5) What about UBSAN?
---------------------
+## 5) What about UBSAN?
 
-Some folks expressed interest in fuzzing with UBSAN. This isn't officially
-supported, because many installations of UBSAN don't offer a consistent way
-to abort() on fault conditions or to terminate with a distinctive exit code.
+New versions of UndefinedBehaviorSanitizer offers the
+-fsanitize=undefined-trap-on-error compiler flag that tells UBSan to insert an
+istruction that will cause SIGILL (ud2 on x86) when an undefined behaviour
+is detected. This is the option that you want to use when combining AFL++
+and UBSan.
 
-That said, some versions of the library can be binary-patched to address this
-issue, while newer releases support explicit compile-time flags - see this
-mailing list thread for tips:
+AFL_USE_UBSAN=1 env var will add this compiler flag to afl-clang-fast,
+afl-gcc-fast and afl-gcc for you.
 
-  https://groups.google.com/forum/#!topic/afl-users/GyeSBJt4M38
+Old versions of UBSAN don't offer a consistent way
+to abort() on fault conditions or to terminate with a distinctive exit code
+but there are some versions of the library can be binary-patched to address this
+issue. You can also preload a shared library that substitute all the UBSan
+routines used to report errors with abort().

docs/parallel_fuzzing.md

@@ -1,12 +1,9 @@
-=========================
-Tips for parallel fuzzing
-=========================
+# Tips for parallel fuzzing
 
   This document talks about synchronizing afl-fuzz jobs on a single machine
-  or across a fleet of systems. See README for the general instruction manual.
+  or across a fleet of systems. See README.md for the general instruction manual.
 
-1) Introduction
----------------
+## 1) Introduction
 
 Every copy of afl-fuzz will take up one CPU core. This means that on an
 n-core system, you can almost always run around n concurrent fuzzing jobs with
@@ -28,13 +25,12 @@ cases on the fly.
 
 Note that afl++ has AFLfast's power schedules implemented.
 It is therefore a good idea to use different power schedules if you run
-several instances in parallel. See docs/power_schedules.txt
+several instances in parallel. See [power_schedules.md](power_schedules.md)
 
 Alternatively running other AFL spinoffs in parallel can be of value,
 e.g. Angora (https://github.com/AngoraFuzzer/Angora/)
 
-2) Single-system parallelization
---------------------------------
+## 2) Single-system parallelization
 
 If you wish to parallelize a single job across multiple cores on a local
 system, simply create a new, empty output directory ("sync dir") that will be
@@ -43,12 +39,16 @@ for every instance - say, "fuzzer01", "fuzzer02", etc.
 
 Run the first one ("master", -M) like this:
 
+```
 $ ./afl-fuzz -i testcase_dir -o sync_dir -M fuzzer01 [...other stuff...]
+```
 
 ...and then, start up secondary (-S) instances like this:
 
+```
 $ ./afl-fuzz -i testcase_dir -o sync_dir -S fuzzer02 [...other stuff...]
 $ ./afl-fuzz -i testcase_dir -o sync_dir -S fuzzer03 [...other stuff...]
+```
 
 Each fuzzer will keep its state in a separate subdirectory, like so:
 
@@ -68,9 +68,11 @@ Note that running multiple -M instances is wasteful, although there is an
 experimental support for parallelizing the deterministic checks. To leverage
 that, you need to create -M instances like so:
 
+```
 $ ./afl-fuzz -i testcase_dir -o sync_dir -M masterA:1/3 [...]
 $ ./afl-fuzz -i testcase_dir -o sync_dir -M masterB:2/3 [...]
 $ ./afl-fuzz -i testcase_dir -o sync_dir -M masterC:3/3 [...]
+```
 
 ...where the first value after ':' is the sequential ID of a particular master
 instance (starting at 1), and the second value is the total number of fuzzers to
@@ -86,15 +88,16 @@ WARNING: Exercise caution when explicitly specifying the -f option. Each fuzzer
 must use a separate temporary file; otherwise, things will go south. One safe
 example may be:
 
+```
 $ ./afl-fuzz [...] -S fuzzer10 -f file10.txt ./fuzzed/binary @@
 $ ./afl-fuzz [...] -S fuzzer11 -f file11.txt ./fuzzed/binary @@
 $ ./afl-fuzz [...] -S fuzzer12 -f file12.txt ./fuzzed/binary @@
+```
 
 This is not a concern if you use @@ without -f and let afl-fuzz come up with the
 file name.
 
-3) Multi-system parallelization
--------------------------------
+## 3) Multi-system parallelization
 
 The basic operating principle for multi-system parallelization is similar to
 the mechanism explained in section 2. The key difference is that you need to
@@ -106,20 +109,24 @@ write a simple script that performs two actions:
     that includes host name in the fuzzer ID, so that you can do something
     like:
 
+    ```sh
     for s in {1..10}; do
       ssh user@host${s} "tar -czf - sync/host${s}_fuzzid*/[qf]*" >host${s}.tgz
     done
+    ```
 
   - Distributes and unpacks these files on all the remaining machines, e.g.:
 
+    ```sh
     for s in {1..10}; do
       for d in {1..10}; do
         test "$s" = "$d" && continue
         ssh user@host${d} 'tar -kxzf -' <host${s}.tgz
       done
     done
+    ```
 
-There is an example of such a script in experimental/distributed_fuzzing/;
+There is an example of such a script in examples/distributed_fuzzing/;
 you can also find a more featured, experimental tool developed by
 Martijn Bogaard at:
 
@@ -167,8 +174,7 @@ It is *not* advisable to skip the synchronization script and run the fuzzers
 directly on a network filesystem; unexpected latency and unkillable processes
 in I/O wait state can mess things up.
 
-4) Remote monitoring and data collection
-----------------------------------------
+## 4) Remote monitoring and data collection
 
 You can use screen, nohup, tmux, or something equivalent to run remote
 instances of afl-fuzz. If you redirect the program's output to a file, it will
@@ -192,8 +198,7 @@ Keep in mind that crashing inputs are *not* automatically propagated to the
 master instance, so you may still want to monitor for crashes fleet-wide
 from within your synchronization or health checking scripts (see afl-whatsup).
 
-5) Asymmetric setups
---------------------
+## 5) Asymmetric setups
 
 It is perhaps worth noting that all of the following is permitted:
 

docs/perf_tips.md

@@ -1,12 +1,9 @@
-=================================
-Tips for performance optimization
-=================================
+## Tips for performance optimization
 
   This file provides tips for troubleshooting slow or wasteful fuzzing jobs.
-  See README for the general instruction manual.
+  See README.md for the general instruction manual.
 
-1) Keep your test cases small
------------------------------
+## 1. Keep your test cases small
 
 This is probably the single most important step to take! Large test cases do
 not merely take more time and memory to be parsed by the tested binary, but
@@ -29,33 +26,33 @@ as high as 500x or so.
 
 In practice, this means that you shouldn't fuzz image parsers with your
 vacation photos. Generate a tiny 16x16 picture instead, and run it through
-jpegtran or pngcrunch for good measure. The same goes for most other types
+`jpegtran` or `pngcrunch` for good measure. The same goes for most other types
 of documents.
 
-There's plenty of small starting test cases in ../testcases/* - try them out
+There's plenty of small starting test cases in ../testcases/ - try them out
 or submit new ones!
 
-If you want to start with a larger, third-party corpus, run afl-cmin with an
+If you want to start with a larger, third-party corpus, run `afl-cmin` with an
 aggressive timeout on that data set first.
 
-2) Use a simpler target
------------------------
+## 2. Use a simpler target
 
 Consider using a simpler target binary in your fuzzing work. For example, for
-image formats, bundled utilities such as djpeg, readpng, or gifhisto are
-considerably (10-20x) faster than the convert tool from ImageMagick - all while
-exercising roughly the same library-level image parsing code.
+image formats, bundled utilities such as `djpeg`, `readpng`, or `gifhisto` are
+considerably (10-20x) faster than the convert tool from ImageMagick - all while exercising roughly the same library-level image parsing code.
 
 Even if you don't have a lightweight harness for a particular target, remember
 that you can always use another, related library to generate a corpus that will
 be then manually fed to a more resource-hungry program later on.
 
-3) Use LLVM instrumentation
----------------------------
+Also note that reading the fuzzing input via stdin is faster than reading from
+a file.
 
-When fuzzing slow targets, you can gain 2x performance improvement by using
-the LLVM-based instrumentation mode described in llvm_mode/README.llvm. Note
-that this mode requires the use of clang and will not work with GCC.
+## 3. Use LLVM instrumentation
+
+When fuzzing slow targets, you can gain 20-100% performance improvement by
+using the LLVM-based instrumentation mode described in [the llvm_mode README](../llvm_mode/README.md).
+Note that this mode requires the use of clang and will not work with GCC.
 
 The LLVM mode also offers a "persistent", in-process fuzzing mode that can
 work well for certain types of self-contained libraries, and for fast targets,
@@ -64,22 +61,26 @@ that can offer huge benefits for programs with high startup overhead. Both
 modes require you to edit the source code of the fuzzed program, but the
 changes often amount to just strategically placing a single line or two.
 
-If there are important data comparisons performed (e.g. strcmp(ptr, MAGIC_HDR)
-then using laf-intel (see llvm_mode/README.laf-intel) will help afl-fuzz a lot
+If there are important data comparisons performed (e.g. `strcmp(ptr, MAGIC_HDR)`)
+then using laf-intel (see llvm_mode/README.laf-intel.md) will help `afl-fuzz` a lot
 to get to the important parts in the code.
 
-If you are only intested in specific parts of the code being fuzzed, you can
+If you are only interested in specific parts of the code being fuzzed, you can
 whitelist the files that are actually relevant. This improves the speed and
-accuracy of afl. See llvm_mode/README.whitelist
+accuracy of afl. See llvm_mode/README.whitelist.md
 
-4) Profile and optimize the binary
-----------------------------------
+Also use the InsTrim mode on larger binaries, this improves performance and
+coverage a lot.
+
+## 4. Profile and optimize the binary
 
 Check for any parameters or settings that obviously improve performance. For
 example, the djpeg utility that comes with IJG jpeg and libjpeg-turbo can be
 called with:
 
+```bash
   -dct fast -nosmooth -onepass -dither none -scale 1/4
+```
 
 ...and that will speed things up. There is a corresponding drop in the quality
 of decoded images, but it's probably not something you care about.
@@ -92,129 +93,132 @@ With some laid-back parsers, enabling "strict" mode (i.e., bailing out after
 first error) may result in smaller files and improved run time without
 sacrificing coverage; for example, for sqlite, you may want to specify -bail.
 
-If the program is still too slow, you can use strace -tt or an equivalent
+If the program is still too slow, you can use `strace -tt` or an equivalent
 profiling tool to see if the targeted binary is doing anything silly.
-Sometimes, you can speed things up simply by specifying /dev/null as the
+Sometimes, you can speed things up simply by specifying `/dev/null` as the
 config file, or disabling some compile-time features that aren't really needed
-for the job (try ./configure --help). One of the notoriously resource-consuming
-things would be calling other utilities via exec*(), popen(), system(), or
+for the job (try `./configure --help`). One of the notoriously resource-consuming
+things would be calling other utilities via `exec*()`, `popen()`, `system()`, or
 equivalent calls; for example, tar can invoke external decompression tools
 when it decides that the input file is a compressed archive.
 
-Some programs may also intentionally call sleep(), usleep(), or nanosleep();
-vim is a good example of that. Other programs may attempt fsync() and so on.
+Some programs may also intentionally call `sleep()`, `usleep()`, or `nanosleep()`;
+vim is a good example of that. Other programs may attempt `fsync()` and so on.
 There are third-party libraries that make it easy to get rid of such code,
 e.g.:
 
   https://launchpad.net/libeatmydata
 
 In programs that are slow due to unavoidable initialization overhead, you may
-want to try the LLVM deferred forkserver mode (see llvm_mode/README.llvm),
+want to try the LLVM deferred forkserver mode (see llvm_mode/README.md),
 which can give you speed gains up to 10x, as mentioned above.
 
 Last but not least, if you are using ASAN and the performance is unacceptable,
 consider turning it off for now, and manually examining the generated corpus
 with an ASAN-enabled binary later on.
 
-5) Instrument just what you need
---------------------------------
+## 5. Instrument just what you need
 
 Instrument just the libraries you actually want to stress-test right now, one
 at a time. Let the program use system-wide, non-instrumented libraries for
 any functionality you don't actually want to fuzz. For example, in most
-cases, it doesn't make to instrument libgmp just because you're testing a
+cases, it doesn't make to instrument `libgmp` just because you're testing a
 crypto app that relies on it for bignum math.
 
 Beware of programs that come with oddball third-party libraries bundled with
-their source code (Spidermonkey is a good example of this). Check ./configure
+their source code (Spidermonkey is a good example of this). Check `./configure`
 options to use non-instrumented system-wide copies instead.
 
-6) Parallelize your fuzzers
----------------------------
+## 6. Parallelize your fuzzers
 
 The fuzzer is designed to need ~1 core per job. This means that on a, say,
 4-core system, you can easily run four parallel fuzzing jobs with relatively
-little performance hit. For tips on how to do that, see parallel_fuzzing.txt.
+little performance hit. For tips on how to do that, see parallel_fuzzing.md.
 
-The afl-gotcpu utility can help you understand if you still have idle CPU
+The `afl-gotcpu` utility can help you understand if you still have idle CPU
 capacity on your system. (It won't tell you about memory bandwidth, cache
 misses, or similar factors, but they are less likely to be a concern.)
 
-7) Keep memory use and timeouts in check
-----------------------------------------
+## 7. Keep memory use and timeouts in check
 
-If you have increased the -m or -t limits more than truly necessary, consider
+If you have increased the `-m` or `-t` limits more than truly necessary, consider
 dialing them back down.
 
 For programs that are nominally very fast, but get sluggish for some inputs,
-you can also try setting -t values that are more punishing than what afl-fuzz
-dares to use on its own. On fast and idle machines, going down to -t 5 may be
+you can also try setting `-t` values that are more punishing than what `afl-fuzz`
+dares to use on its own. On fast and idle machines, going down to `-t 5` may be
 a viable plan.
 
-The -m parameter is worth looking at, too. Some programs can end up spending
+The `-m` parameter is worth looking at, too. Some programs can end up spending
 a fair amount of time allocating and initializing megabytes of memory when
-presented with pathological inputs. Low -m values can make them give up sooner
+presented with pathological inputs. Low `-m` values can make them give up sooner
 and not waste CPU time.
 
-8) Check OS configuration
--------------------------
+## 8. Check OS configuration
 
 There are several OS-level factors that may affect fuzzing speed:
 
+  - If you have no risk of power loss then run your fuzzing on a tmpfs
+    partition. This increases the performance noticably.
+    Alternatively you can use `AFL_TMPDIR` to point to a tmpfs location to
+    just write the input file to a tmpfs.
   - High system load. Use idle machines where possible. Kill any non-essential
     CPU hogs (idle browser windows, media players, complex screensavers, etc).
-
   - Network filesystems, either used for fuzzer input / output, or accessed by
     the fuzzed binary to read configuration files (pay special attention to the
     home directory - many programs search it for dot-files).
-
-  - On-demand CPU scaling. The Linux 'ondemand' governor performs its analysis
+  - On-demand CPU scaling. The Linux `ondemand` governor performs its analysis
     on a particular schedule and is known to underestimate the needs of
-    short-lived processes spawned by afl-fuzz (or any other fuzzer). On Linux,
+    short-lived processes spawned by `afl-fuzz` (or any other fuzzer). On Linux,
     this can be fixed with:
 
+``` bash
     cd /sys/devices/system/cpu
     echo performance | tee cpu*/cpufreq/scaling_governor
+```
 
     On other systems, the impact of CPU scaling will be different; when fuzzing,
     use OS-specific tools to find out if all cores are running at full speed.
-
-  - Transparent huge pages. Some allocators, such as jemalloc, can incur a
+  - Transparent huge pages. Some allocators, such as `jemalloc`, can incur a
     heavy fuzzing penalty when transparent huge pages (THP) are enabled in the
     kernel. You can disable this via:
 
+```bash
     echo never > /sys/kernel/mm/transparent_hugepage/enabled
+```
 
   - Suboptimal scheduling strategies. The significance of this will vary from
     one target to another, but on Linux, you may want to make sure that the
     following options are set:
 
+```bash
     echo 1 >/proc/sys/kernel/sched_child_runs_first
     echo 1 >/proc/sys/kernel/sched_autogroup_enabled
+```
 
     Setting a different scheduling policy for the fuzzer process - say
-    SCHED_RR - can usually speed things up, too, but needs to be done with
+    `SCHED_RR` - can usually speed things up, too, but needs to be done with
     care.
-
-  - Use the afl-system-config script to set all proc/sys settings above
-
+  - Use the `afl-system-config` script to set all proc/sys settings above in one go.
   - Disable all the spectre, meltdown etc. security countermeasures in the
     kernel if your machine is properly separated:
-    "ibpb=off ibrs=off kpti=off l1tf=off mds=off mitigations=off
-     no_stf_barrier noibpb noibrs nopcid nopti nospec_store_bypass_disable
-     nospectre_v1 nospectre_v2 pcid=off pti=off spec_store_bypass_disable=off
-     spectre_v2=off stf_barrier=off"
-    In most Linux distributions you can put this into a /etc/default/grub
+
+```
+ibpb=off ibrs=off kpti=off l1tf=off mds=off mitigations=off
+no_stf_barrier noibpb noibrs nopcid nopti nospec_store_bypass_disable
+nospectre_v1 nospectre_v2 pcid=off pti=off spec_store_bypass_disable=off
+spectre_v2=off stf_barrier=off
+```
+    In most Linux distributions you can put this into a `/etc/default/grub`
     variable.
 
-9) If all other options fail, use -d
-------------------------------------
+## 9. If all other options fail, use `-d`
 
 For programs that are genuinely slow, in cases where you really can't escape
 using huge input files, or when you simply want to get quick and dirty results
-early on, you can always resort to the -d mode.
+early on, you can always resort to the `-d` mode.
 
-The mode causes afl-fuzz to skip all the deterministic fuzzing steps, which
+The mode causes `afl-fuzz` to skip all the deterministic fuzzing steps, which
 makes output a lot less neat and can ultimately make the testing a bit less
 in-depth, but it will give you an experience more familiar from other fuzzing
 tools.

docs/power_schedules.md

@@ -1,8 +1,9 @@
-afl++'s power schedules based on AFLfast
+# afl++'s power schedules based on AFLfast
 
-<a href="https://comp.nus.edu.sg/~mboehme/paper/CCS16.pdf"><img src="https://comp.nus.edu.sg/~mboehme/paper/CCS16.png" align="right" width="250"></a>
+<a href="https://mboehme.github.io/paper/CCS16.pdf"><img src="https://mboehme.github.io/paper/CCS16.png" align="right" width="250"></a>
 Power schedules implemented by Marcel Böhme \<marcel.boehme@acm.org\>. 
-AFLFast is an extension of AFL which was written by Michal Zalewski \<lcamtuf@google.com\>.
+AFLFast is an extension of AFL which is written and maintained by 
+Michal Zalewski \<lcamtuf@google.com\>.
 
 AFLfast has helped in the success of Team Codejitsu at the finals of the DARPA Cyber Grand Challenge where their bot Galactica took **2nd place** in terms of #POVs proven (see red bar at https://www.cybergrandchallenge.com/event#results). AFLFast exposed several previously unreported CVEs that could not be exposed by AFL in 24 hours and otherwise exposed vulnerabilities significantly faster than AFL while generating orders of magnitude more unique crashes. 
 

docs/python_mutators.md

@@ -1,6 +1,4 @@
-==================================================
-Adding custom mutators to AFL using Python modules
-==================================================
+# Adding custom mutators to AFL using Python modules
 
   This file describes how you can utilize the external Python API to write
   your own custom mutation routines.
@@ -9,14 +7,15 @@ Adding custom mutators to AFL using Python modules
 
   Implemented by Christian Holler (:decoder) <choller@mozilla.com>.
 
-  NOTE: This is for Python 2.7 !
-  Anyone who wants to add Python 3.7 support is happily welcome :)
+  NOTE: Only cPython 2.7, 3.7 and above are supported, although others may work.
+  Depending on with which version afl-fuzz was compiled against, you must use
+  python2 or python3 syntax in your scripts!
+  After a major version upgrade (e.g. 3.7 -> 3.8), a recompilation of afl-fuzz may be needed.
 
-  For an example and a template see ../python_mutators/
+  For an example and a template see ../examples/python_mutators/
 
 
-1) Description and purpose
---------------------------
+## 1) Description and purpose
 
 While AFLFuzz comes with a good selection of generic deterministic and
 non-deterministic mutation operations, it sometimes might make sense to extend
@@ -38,8 +37,7 @@ See the following information to get a better pictures:
   https://bugs.chromium.org/p/chromium/issues/detail?id=930663
 
 
-2) How the Python module looks like
------------------------------------
+## 2) How the Python module looks like
 
 You can find a simple example in pymodules/example.py including documentation
 explaining each function. In the same directory, you can find another simple
@@ -53,26 +51,26 @@ There is also optional support for a trimming API, see the section below for
 further information about this feature.
 
 
-3) How to compile AFLFuzz with Python support
----------------------------------------------
+## 3) How to compile AFLFuzz with Python support
 
-You must install the python 2.7 development package of your Linux distribution
-before this will work. On Debian/Ubuntu/Kali this can be done with:
-  apt install python2.7-dev
+You must install the python 3 or 2 development package of your Linux
+distribution before this will work. On Debian/Ubuntu/Kali this can be done
+with either:
+  apt install python3-dev
+or
+  apt install python-dev
+Note that for some distributions you might also need the package python[23]-apt
 
 A prerequisite for using this mode is to compile AFLFuzz with Python support.
 
-The afl Makefile performs some magic and detects Python 2.7 if it is in the
-default path and compiles afl-fuzz with the feature if available (which is
-/usr/include/python2.7 for the Python.h include and /usr/lib/x86_64-linux-gnu
-for the libpython2.7.a library)
+The AFL++ Makefile detects Python 3 and 2 through `python-config` if is is in the PATH
+and compiles afl-fuzz with the feature if available.
 
 In case your setup is different set the necessary variables like this:
-PYTHON_INCLUDE=/path/to/python2.7/include LDFLAGS=-L/path/to/python2.7/lib make
+PYTHON_INCLUDE=/path/to/python/include LDFLAGS=-L/path/to/python/lib make
 
 
-4) How to run AFLFuzz with your custom module
----------------------------------------------
+## 4) How to run AFLFuzz with your custom module
 
 You must pass the module name inside the env variable AFL_PYTHON_MODULE.
 
@@ -95,8 +93,7 @@ AFL_DEBUG       - When combined with AFL_NO_UI, this causes the C trimming code
                   of your custom Python trimmer. Use this to see if it works :)
 
 
-5) Order and statistics
------------------------
+## 5) Order and statistics
 
 The Python stage is set to be the first non-deterministic stage (right before
 the havoc stage). In the statistics however, it shows up as the third number
@@ -104,8 +101,7 @@ under "havoc". That's because I'm lazy and I didn't want to mess with the UI
 too much ;)
 
 
-6) Trimming support
--------------------
+## 6) Trimming support
 
 The generic trimming routines implemented in AFLFuzz can easily destroy the
 structure of complex formats, possibly leading to a point where you have a lot

docs/sister_projects.md

@@ -0,0 +1,318 @@
+# Sister projects
+
+This doc lists some of the projects that are inspired by, derived from,
+designed for, or meant to integrate with AFL. See README.md for the general
+instruction manual.
+
+!!!
+!!! This list is outdated and needs an update, missing: e.g. Angora, FairFuzz
+!!!
+
+## Support for other languages / environments:
+
+### Python AFL (Jakub Wilk)
+
+Allows fuzz-testing of Python programs. Uses custom instrumentation and its
+own forkserver.
+
+http://jwilk.net/software/python-afl
+
+### Go-fuzz (Dmitry Vyukov)
+
+AFL-inspired guided fuzzing approach for Go targets:
+
+https://github.com/dvyukov/go-fuzz
+
+### afl.rs (Keegan McAllister)
+
+Allows Rust features to be easily fuzzed with AFL (using the LLVM mode).
+
+https://github.com/kmcallister/afl.rs
+
+### OCaml support (KC Sivaramakrishnan)
+
+Adds AFL-compatible instrumentation to OCaml programs.
+
+https://github.com/ocamllabs/opam-repo-dev/pull/23
+http://canopy.mirage.io/Posts/Fuzzing
+
+### AFL for GCJ Java and other GCC frontends (-)
+
+GCC Java programs are actually supported out of the box - simply rename
+afl-gcc to afl-gcj. Unfortunately, by default, unhandled exceptions in GCJ do
+not result in abort() being called, so you will need to manually add a
+top-level exception handler that exits with SIGABRT or something equivalent.
+
+Other GCC-supported languages should be fairly easy to get working, but may
+face similar problems. See https://gcc.gnu.org/frontends.html for a list of
+options.
+
+## AFL-style in-process fuzzer for LLVM (Kostya Serebryany)
+
+Provides an evolutionary instrumentation-guided fuzzing harness that allows
+some programs to be fuzzed without the fork / execve overhead. (Similar
+functionality is now available as the "persistent" feature described in
+[the llvm_mode readme](../llvm_mode/README.md))
+
+http://llvm.org/docs/LibFuzzer.html
+
+## AFL fixup shim (Ben Nagy)
+
+Allows AFL_POST_LIBRARY postprocessors to be written in arbitrary languages
+that don't have C / .so bindings. Includes examples in Go.
+
+https://github.com/bnagy/aflfix
+
+## TriforceAFL (Tim Newsham and Jesse Hertz)
+
+Leverages QEMU full system emulation mode to allow AFL to target operating
+systems and other alien worlds:
+
+https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2016/june/project-triforce-run-afl-on-everything/
+
+## WinAFL (Ivan Fratric)
+
+As the name implies, allows you to fuzz Windows binaries (using DynamoRio).
+
+https://github.com/ivanfratric/winafl
+
+Another Windows alternative may be:
+
+https://github.com/carlosgprado/BrundleFuzz/
+
+## Network fuzzing
+
+### Preeny (Yan Shoshitaishvili)
+
+Provides a fairly simple way to convince dynamically linked network-centric
+programs to read from a file or not fork. Not AFL-specific, but described as
+useful by many users. Some assembly required.
+
+https://github.com/zardus/preeny
+
+## Distributed fuzzing and related automation
+
+### roving (Richo Healey)
+
+A client-server architecture for effortlessly orchestrating AFL runs across
+a fleet of machines. You don't want to use this on systems that face the
+Internet or live in other untrusted environments.
+
+https://github.com/richo/roving
+
+### Distfuzz-AFL (Martijn Bogaard)
+
+Simplifies the management of afl-fuzz instances on remote machines. The
+author notes that the current implementation isn't secure and should not
+be exposed on the Internet.
+
+https://github.com/MartijnB/disfuzz-afl
+
+### AFLDFF (quantumvm)
+
+A nice GUI for managing AFL jobs.
+
+https://github.com/quantumvm/AFLDFF
+
+### afl-launch (Ben Nagy)
+
+Batch AFL launcher utility with a simple CLI.
+
+https://github.com/bnagy/afl-launch
+
+### AFL Utils (rc0r)
+
+Simplifies the triage of discovered crashes, start parallel instances, etc.
+
+https://github.com/rc0r/afl-utils
+
+Another crash triage tool:
+
+https://github.com/floyd-fuh/afl-crash-analyzer
+
+### afl-fuzzing-scripts (Tobias Ospelt)
+
+Simplifies starting up multiple parallel AFL jobs.
+
+https://github.com/floyd-fuh/afl-fuzzing-scripts/
+
+### afl-sid (Jacek Wielemborek)
+
+Allows users to more conveniently build and deploy AFL via Docker.
+
+https://github.com/d33tah/afl-sid
+
+Another Docker-related project:
+
+https://github.com/ozzyjohnson/docker-afl
+
+### afl-monitor (Paul S. Ziegler)
+
+Provides more detailed and versatile statistics about your running AFL jobs.
+
+https://github.com/reflare/afl-monitor
+
+### FEXM (Security in Telecommunications)
+
+Fully automated fuzzing framework, based on AFL
+
+https://github.com/fgsect/fexm
+
+## Crash triage, coverage analysis, and other companion tools:
+
+### afl-crash-analyzer (Tobias Ospelt)
+
+Makes it easier to navigate and annotate crashing test cases.
+
+https://github.com/floyd-fuh/afl-crash-analyzer/
+
+### Crashwalk (Ben Nagy)
+
+AFL-aware tool to annotate and sort through crashing test cases.
+
+https://github.com/bnagy/crashwalk
+
+### afl-cov (Michael Rash)
+
+Produces human-readable coverage data based on the output queue of afl-fuzz.
+
+https://github.com/mrash/afl-cov
+
+### afl-sancov (Bhargava Shastry)
+
+Similar to afl-cov, but uses clang sanitizer instrumentation.
+
+https://github.com/bshastry/afl-sancov
+
+### RecidiVM (Jakub Wilk)
+
+Makes it easy to estimate memory usage limits when fuzzing with ASAN or MSAN.
+
+http://jwilk.net/software/recidivm
+
+### aflize (Jacek Wielemborek)
+
+Automatically build AFL-enabled versions of Debian packages.
+
+https://github.com/d33tah/aflize
+
+### afl-ddmin-mod (Markus Teufelberger)
+
+A variant of afl-tmin that uses a more sophisticated (but slower)
+minimization algorithm.
+
+https://github.com/MarkusTeufelberger/afl-ddmin-mod
+
+### afl-kit (Kuang-che Wu)
+
+Replacements for afl-cmin and afl-tmin with additional features, such
+as the ability to filter crashes based on stderr patterns.
+
+https://github.com/kcwu/afl-kit
+
+## Narrow-purpose or experimental:
+
+### Cygwin support (Ali Rizvi-Santiago)
+
+Pretty self-explanatory. As per the author, this "mostly" ports AFL to
+Windows. Field reports welcome!
+
+https://github.com/arizvisa/afl-cygwin
+
+### Pause and resume scripts (Ben Nagy)
+
+Simple automation to suspend and resume groups of fuzzing jobs.
+
+https://github.com/bnagy/afl-trivia
+
+### Static binary-only instrumentation (Aleksandar Nikolich)
+
+Allows black-box binaries to be instrumented statically (i.e., by modifying
+the binary ahead of the time, rather than translating it on the run). Author
+reports better performance compared to QEMU, but occasional translation
+errors with stripped binaries.
+
+https://github.com/vanhauser-thc/afl-dyninst
+
+### AFL PIN (Parker Thompson)
+
+Early-stage Intel PIN instrumentation support (from before we settled on
+faster-running QEMU).
+
+https://github.com/mothran/aflpin
+
+### AFL-style instrumentation in llvm (Kostya Serebryany)
+
+Allows AFL-equivalent instrumentation to be injected at compiler level.
+This is currently not supported by AFL as-is, but may be useful in other
+projects.
+
+https://code.google.com/p/address-sanitizer/wiki/AsanCoverage#Coverage_counters
+
+### AFL JS (Han Choongwoo)
+
+One-off optimizations to speed up the fuzzing of JavaScriptCore (now likely
+superseded by LLVM deferred forkserver init - see llvm_mode/README.md).
+
+https://github.com/tunz/afl-fuzz-js
+
+### AFL harness for fwknop (Michael Rash)
+
+An example of a fairly involved integration with AFL.
+
+https://github.com/mrash/fwknop/tree/master/test/afl
+
+### Building harnesses for DNS servers (Jonathan Foote, Ron Bowes)
+
+Two articles outlining the general principles and showing some example code.
+
+https://www.fastly.com/blog/how-to-fuzz-server-american-fuzzy-lop
+https://goo.gl/j9EgFf
+
+### Fuzzer shell for SQLite (Richard Hipp)
+
+A simple SQL shell designed specifically for fuzzing the underlying library.
+
+http://www.sqlite.org/src/artifact/9e7e273da2030371
+
+### Support for Python mutation modules (Christian Holler)
+
+now integrated in AFL++, originally from here
+https://github.com/choller/afl/blob/master/docs/mozilla/python_modules.txt
+
+### Support for selective instrumentation (Christian Holler)
+
+now integrated in AFL++, originally from here
+https://github.com/choller/afl/blob/master/docs/mozilla/partial_instrumentation.txt
+
+### Syzkaller (Dmitry Vyukov)
+
+A similar guided approach as applied to fuzzing syscalls:
+
+https://github.com/google/syzkaller/wiki/Found-Bugs
+https://github.com/dvyukov/linux/commit/33787098ffaaa83b8a7ccf519913ac5fd6125931
+http://events.linuxfoundation.org/sites/events/files/slides/AFL%20filesystem%20fuzzing%2C%20Vault%202016_0.pdf
+
+
+### Kernel Snapshot Fuzzing using Unicornafl (Security in Telecommunications)
+
+https://github.com/fgsect/unicorefuzz
+
+### Android support (ele7enxxh)
+
+Based on a somewhat dated version of AFL:
+
+https://github.com/ele7enxxh/android-afl
+
+### CGI wrapper (floyd)
+
+Facilitates the testing of CGI scripts.
+
+https://github.com/floyd-fuh/afl-cgi-wrapper
+
+### Fuzzing difficulty estimation (Marcel Boehme)
+
+A fork of AFL that tries to quantify the likelihood of finding additional
+paths or crashes at any point in a fuzzing job.
+
+https://github.com/mboehme/pythia

docs/sister_projects.txt

@@ -1,358 +0,0 @@
-===============
-Sister projects
-===============
-
-  This doc lists some of the projects that are inspired by, derived from,
-  designed for, or meant to integrate with AFL. See README for the general
-  instruction manual.
-
-!!!
-!!! This list is outdated and needs an update, missing: e.g. Angora, FairFuzz
-!!!
-
--------------------------------------------
-Support for other languages / environments:
--------------------------------------------
-
-Python AFL (Jakub Wilk)
------------------------
-
-  Allows fuzz-testing of Python programs. Uses custom instrumentation and its
-  own forkserver.
-
-  http://jwilk.net/software/python-afl
-
-Go-fuzz (Dmitry Vyukov)
------------------------
-
-  AFL-inspired guided fuzzing approach for Go targets:
-
-  https://github.com/dvyukov/go-fuzz
-
-afl.rs (Keegan McAllister)
---------------------------
-
-  Allows Rust features to be easily fuzzed with AFL (using the LLVM mode).
-
-  https://github.com/kmcallister/afl.rs
-
-OCaml support (KC Sivaramakrishnan)
------------------------------------
-
-  Adds AFL-compatible instrumentation to OCaml programs.
-
-  https://github.com/ocamllabs/opam-repo-dev/pull/23
-  http://canopy.mirage.io/Posts/Fuzzing
-
-AFL for GCJ Java and other GCC frontends (-)
---------------------------------------------
-
-  GCC Java programs are actually supported out of the box - simply rename
-  afl-gcc to afl-gcj. Unfortunately, by default, unhandled exceptions in GCJ do
-  not result in abort() being called, so you will need to manually add a
-  top-level exception handler that exits with SIGABRT or something equivalent.
-
-  Other GCC-supported languages should be fairly easy to get working, but may
-  face similar problems. See https://gcc.gnu.org/frontends.html for a list of
-  options.
-
-AFL-style in-process fuzzer for LLVM (Kostya Serebryany)
---------------------------------------------------------
-
-  Provides an evolutionary instrumentation-guided fuzzing harness that allows
-  some programs to be fuzzed without the fork / execve overhead. (Similar
-  functionality is now available as the "persistent" feature described in
-  ../llvm_mode/README.llvm.)
-
-  http://llvm.org/docs/LibFuzzer.html
-
-AFL fixup shim (Ben Nagy)
--------------------------
-
-  Allows AFL_POST_LIBRARY postprocessors to be written in arbitrary languages
-  that don't have C / .so bindings. Includes examples in Go.
-
-  https://github.com/bnagy/aflfix
-
-TriforceAFL (Tim Newsham and Jesse Hertz)
------------------------------------------
-
-  Leverages QEMU full system emulation mode to allow AFL to target operating
-  systems and other alien worlds:
-
-  https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2016/june/project-triforce-run-afl-on-everything/
-
-WinAFL (Ivan Fratric)
----------------------
-
-  As the name implies, allows you to fuzz Windows binaries (using DynamoRio).
-
-  https://github.com/ivanfratric/winafl
-
-  Another Windows alternative may be:
-
-  https://github.com/carlosgprado/BrundleFuzz/
-
-----------------
-Network fuzzing:
-----------------
-
-Preeny (Yan Shoshitaishvili)
-----------------------------
-
-  Provides a fairly simple way to convince dynamically linked network-centric
-  programs to read from a file or not fork. Not AFL-specific, but described as
-  useful by many users. Some assembly required.
-
-  https://github.com/zardus/preeny
-
--------------------------------------------
-Distributed fuzzing and related automation:
--------------------------------------------
-
-roving (Richo Healey)
----------------------
-
-  A client-server architecture for effortlessly orchestrating AFL runs across
-  a fleet of machines. You don't want to use this on systems that face the
-  Internet or live in other untrusted environments.
-
-  https://github.com/richo/roving
-
-Distfuzz-AFL (Martijn Bogaard)
-------------------------------
-
-  Simplifies the management of afl-fuzz instances on remote machines. The
-  author notes that the current implementation isn't secure and should not
-  be exposed on the Internet.
-
-  https://github.com/MartijnB/disfuzz-afl
-
-AFLDFF (quantumvm)
-------------------
-
-  A nice GUI for managing AFL jobs.
-
-  https://github.com/quantumvm/AFLDFF
-
-afl-launch (Ben Nagy)
----------------------
-
-  Batch AFL launcher utility with a simple CLI.
-
-  https://github.com/bnagy/afl-launch
-
-AFL Utils (rc0r)
-----------------
-
-  Simplifies the triage of discovered crashes, start parallel instances, etc.
-
-  https://github.com/rc0r/afl-utils
-
-  Another crash triage tool:
-
-  https://github.com/floyd-fuh/afl-crash-analyzer
-
-afl-fuzzing-scripts (Tobias Ospelt)
------------------------------------
-
-  Simplifies starting up multiple parallel AFL jobs.
-
-  https://github.com/floyd-fuh/afl-fuzzing-scripts/
-
-afl-sid (Jacek Wielemborek)
----------------------------
-
-  Allows users to more conveniently build and deploy AFL via Docker.
-
-  https://github.com/d33tah/afl-sid
-
-  Another Docker-related project:
-
-  https://github.com/ozzyjohnson/docker-afl
-
-afl-monitor (Paul S. Ziegler)
------------------------------
-
-  Provides more detailed and versatile statistics about your running AFL jobs.
-
-  https://github.com/reflare/afl-monitor
-
------------------------------------------------------------
-Crash triage, coverage analysis, and other companion tools:
------------------------------------------------------------
-
-afl-crash-analyzer (Tobias Ospelt)
-----------------------------------
-
-  Makes it easier to navigate and annotate crashing test cases.
-
-  https://github.com/floyd-fuh/afl-crash-analyzer/
-
-Crashwalk (Ben Nagy)
---------------------
-
-  AFL-aware tool to annotate and sort through crashing test cases.
-
-  https://github.com/bnagy/crashwalk
-
-afl-cov (Michael Rash)
-----------------------
-
-  Produces human-readable coverage data based on the output queue of afl-fuzz.
-
-  https://github.com/mrash/afl-cov
-
-afl-sancov (Bhargava Shastry)
------------------------------
-
-  Similar to afl-cov, but uses clang sanitizer instrumentation.
-
-  https://github.com/bshastry/afl-sancov
-
-RecidiVM (Jakub Wilk)
----------------------
-
-  Makes it easy to estimate memory usage limits when fuzzing with ASAN or MSAN.
-
-  http://jwilk.net/software/recidivm
-
-aflize (Jacek Wielemborek)
---------------------------
-
-  Automatically build AFL-enabled versions of Debian packages.
-
-  https://github.com/d33tah/aflize
-
-afl-ddmin-mod (Markus Teufelberger)
------------------------------------
-
-  A variant of afl-tmin that uses a more sophisticated (but slower)
-  minimization algorithm.
-
-  https://github.com/MarkusTeufelberger/afl-ddmin-mod
-
-afl-kit (Kuang-che Wu)
-----------------------
-
-  Replacements for afl-cmin and afl-tmin with additional features, such
-  as the ability to filter crashes based on stderr patterns.
-
-  https://github.com/kcwu/afl-kit
-
--------------------------------
-Narrow-purpose or experimental:
--------------------------------
-
-Cygwin support (Ali Rizvi-Santiago)
------------------------------------
-
-  Pretty self-explanatory. As per the author, this "mostly" ports AFL to
-  Windows. Field reports welcome!
-
-  https://github.com/arizvisa/afl-cygwin
-
-Pause and resume scripts (Ben Nagy)
------------------------------------
-
-  Simple automation to suspend and resume groups of fuzzing jobs.
-
-  https://github.com/bnagy/afl-trivia
-
-Static binary-only instrumentation (Aleksandar Nikolich)
---------------------------------------------------------
-
-  Allows black-box binaries to be instrumented statically (i.e., by modifying
-  the binary ahead of the time, rather than translating it on the run). Author
-  reports better performance compared to QEMU, but occasional translation
-  errors with stripped binaries.
-
-  https://github.com/vanhauser-thc/afl-dyninst
-
-AFL PIN (Parker Thompson)
--------------------------
-
-  Early-stage Intel PIN instrumentation support (from before we settled on
-  faster-running QEMU).
-
-  https://github.com/mothran/aflpin
-
-AFL-style instrumentation in llvm (Kostya Serebryany)
------------------------------------------------------
-
-  Allows AFL-equivalent instrumentation to be injected at compiler level.
-  This is currently not supported by AFL as-is, but may be useful in other
-  projects.
-
-  https://code.google.com/p/address-sanitizer/wiki/AsanCoverage#Coverage_counters
-
-AFL JS (Han Choongwoo)
-----------------------
-
-  One-off optimizations to speed up the fuzzing of JavaScriptCore (now likely
-  superseded by LLVM deferred forkserver init - see llvm_mode/README.llvm).
-
-  https://github.com/tunz/afl-fuzz-js
-
-AFL harness for fwknop (Michael Rash)
--------------------------------------
-
-  An example of a fairly involved integration with AFL.
-
-  https://github.com/mrash/fwknop/tree/master/test/afl
-
-Building harnesses for DNS servers (Jonathan Foote, Ron Bowes)
---------------------------------------------------------------
-
-  Two articles outlining the general principles and showing some example code.
-
-  https://www.fastly.com/blog/how-to-fuzz-server-american-fuzzy-lop
-  https://goo.gl/j9EgFf
-
-Fuzzer shell for SQLite (Richard Hipp)
---------------------------------------
-
-  A simple SQL shell designed specifically for fuzzing the underlying library.
-
-  http://www.sqlite.org/src/artifact/9e7e273da2030371
-
-Support for Python mutation modules (Christian Holler)
-------------------------------------------------------
-
-  https://github.com/choller/afl/blob/master/docs/mozilla/python_modules.txt
-
-Support for selective instrumentation (Christian Holler)
---------------------------------------------------------
-
-  https://github.com/choller/afl/blob/master/docs/mozilla/partial_instrumentation.txt
-
-Kernel fuzzing (Dmitry Vyukov)
-------------------------------
-
-  A similar guided approach as applied to fuzzing syscalls:
-
-  https://github.com/google/syzkaller/wiki/Found-Bugs
-  https://github.com/dvyukov/linux/commit/33787098ffaaa83b8a7ccf519913ac5fd6125931
-  http://events.linuxfoundation.org/sites/events/files/slides/AFL%20filesystem%20fuzzing%2C%20Vault%202016_0.pdf
-
-Android support (ele7enxxh)
----------------------------
-
-  Based on a somewhat dated version of AFL:
-
-  https://github.com/ele7enxxh/android-afl
-
-CGI wrapper (floyd)
--------------------
-
-  Facilitates the testing of CGI scripts.
-
-  https://github.com/floyd-fuh/afl-cgi-wrapper
-
-Fuzzing difficulty estimation (Marcel Boehme)
----------------------------------------------
-
-  A fork of AFL that tries to quantify the likelihood of finding additional
-  paths or crashes at any point in a fuzzing job.
-
-  https://github.com/mboehme/pythia

docs/status_screen.md

@@ -1,13 +1,10 @@
-===============================
-Understanding the status screen
-===============================
+# Understanding the status screen
 
-  This document provides an overview of the status screen - plus tips for
-  troubleshooting any warnings and red text shown in the UI. See README for
-  the general instruction manual.
+This document provides an overview of the status screen - plus tips for
+troubleshooting any warnings and red text shown in the UI. See README.md for
+the general instruction manual.
 
-0) A note about colors
-----------------------
+## A note about colors
 
 The status screen and error messages use colors to keep things readable and
 attract your attention to the most important details. For example, red almost
@@ -19,21 +16,18 @@ to that.
 
 If you are using inverse video, you may want to change your settings, say:
 
-  - For GNOME Terminal, go to Edit > Profile preferences, select the "colors"
-    tab, and from the list of built-in schemes, choose "white on black".
-
-  - For the MacOS X Terminal app, open a new window using the "Pro" scheme via
-    the Shell > New Window menu (or make "Pro" your default).
+- For GNOME Terminal, go to `Edit > Profile` preferences, select the "colors" tab, and from the list of built-in schemes, choose "white on black". 
+- For the MacOS X Terminal app, open a new window using the "Pro" scheme via the `Shell > New Window` menu (or make "Pro" your default).
 
 Alternatively, if you really like your current colors, you can edit config.h
-to comment out USE_COLORS, then do 'make clean all'.
+to comment out USE_COLORS, then do `make clean all`.
 
 I'm not aware of any other simple way to make this work without causing
 other side effects - sorry about that.
 
 With that out of the way, let's talk about what's actually on the screen...
 
-0) The status bar
+### The status bar
 
 The top line shows you which mode afl-fuzz is running in
 (normal: "american fuzy lop", crash exploration mode: "peruvian rabbit mode")
@@ -43,15 +37,16 @@ either show the binary name being fuzzed, or the -M/-S master/slave name for
 parallel fuzzing.
 Finally, the last item is the power schedule mode being run (default: explore).
 
-1) Process timing
------------------
+### Process timing
 
+```
   +----------------------------------------------------+
   |        run time : 0 days, 8 hrs, 32 min, 43 sec    |
   |   last new path : 0 days, 0 hrs, 6 min, 40 sec     |
   | last uniq crash : none seen yet                    |
   |  last uniq hang : 0 days, 1 hrs, 24 min, 32 sec    |
   +----------------------------------------------------+
+```
 
 This section is fairly self-explanatory: it tells you how long the fuzzer has
 been running and how much time has elapsed since its most recent finds. This is
@@ -67,36 +62,36 @@ There's one important thing to watch out for: if the tool is not finding new
 paths within several minutes of starting, you're probably not invoking the
 target binary correctly and it never gets to parse the input files we're
 throwing at it; another possible explanations are that the default memory limit
-(-m) is too restrictive, and the program exits after failing to allocate a
+(`-m`) is too restrictive, and the program exits after failing to allocate a
 buffer very early on; or that the input files are patently invalid and always
 fail a basic header check.
 
 If there are no new paths showing up for a while, you will eventually see a big
 red warning in this section, too :-)
 
-2) Overall results
-------------------
+### Overall results
 
+```
   +-----------------------+
   |  cycles done : 0      |
   |  total paths : 2095   |
   | uniq crashes : 0      |
   |   uniq hangs : 19     |
   +-----------------------+
+```
 
-The first field in this section gives you the count of queue passes done so far
-- that is, the number of times the fuzzer went over all the interesting test
+The first field in this section gives you the count of queue passes done so far - that is, the number of times the fuzzer went over all the interesting test
 cases discovered so far, fuzzed them, and looped back to the very beginning.
 Every fuzzing session should be allowed to complete at least one cycle; and
 ideally, should run much longer than that.
 
 As noted earlier, the first pass can take a day or longer, so sit back and
 relax. If you want to get broader but more shallow coverage right away, try
-the -d option - it gives you a more familiar experience by skipping the
+the `-d` option - it gives you a more familiar experience by skipping the
 deterministic fuzzing steps. It is, however, inferior to the standard mode in
 a couple of subtle ways.
 
-To help make the call on when to hit Ctrl-C, the cycle counter is color-coded.
+To help make the call on when to hit `Ctrl-C`, the cycle counter is color-coded.
 It is shown in magenta during the first pass, progresses to yellow if new finds
 are still being made in subsequent rounds, then blue when that ends - and
 finally, turns green after the fuzzer hasn't been seeing any action for a
@@ -105,33 +100,35 @@ longer while.
 The remaining fields in this part of the screen should be pretty obvious:
 there's the number of test cases ("paths") discovered so far, and the number of
 unique faults. The test cases, crashes, and hangs can be explored in real-time
-by browsing the output directory, as discussed in the README.
+by browsing the output directory, as discussed in README.md.
 
-3) Cycle progress
------------------
+### Cycle progress
 
+```
   +-------------------------------------+
   |  now processing : 1296 (61.86%)     |
   | paths timed out : 0 (0.00%)         |
   +-------------------------------------+
+```
 
 This box tells you how far along the fuzzer is with the current queue cycle: it
 shows the ID of the test case it is currently working on, plus the number of
 inputs it decided to ditch because they were persistently timing out.
 
 The "*" suffix sometimes shown in the first line means that the currently
-processed path is not "favored" (a property discussed later on, in section 6).
+processed path is not "favored" (a property discussed later on).
 
 If you feel that the fuzzer is progressing too slowly, see the note about the
--d option in section 2 of this doc.
+`-d` option in this doc.
 
-4) Map coverage
----------------
+### Map coverage
 
+```
   +--------------------------------------+
   |    map density : 10.15% / 29.07%     |
   | count coverage : 4.03 bits/tuple     |
   +--------------------------------------+
+```
 
 The section provides some trivia about the coverage observed by the
 instrumentation embedded in the target binary.
@@ -148,37 +145,35 @@ Be wary of extremes:
     due to being linked against a non-instrumented copy of the target
     library); or that it is bailing out prematurely on your input test cases.
     The fuzzer will try to mark this in pink, just to make you aware.
-
   - Percentages over 70% may very rarely happen with very complex programs
     that make heavy use of template-generated code.
-
     Because high bitmap density makes it harder for the fuzzer to reliably
     discern new program states, I recommend recompiling the binary with
-    AFL_INST_RATIO=10 or so and trying again (see env_variables.txt).
-
+    `AFL_INST_RATIO=10` or so and trying again (see env_variables.md).
     The fuzzer will flag high percentages in red. Chances are, you will never
     see that unless you're fuzzing extremely hairy software (say, v8, perl,
     ffmpeg).
 
 The other line deals with the variability in tuple hit counts seen in the
 binary. In essence, if every taken branch is always taken a fixed number of
-times for all the inputs we have tried, this will read "1.00". As we manage
+times for all the inputs we have tried, this will read `1.00`. As we manage
 to trigger other hit counts for every branch, the needle will start to move
-toward "8.00" (every bit in the 8-bit map hit), but will probably never
+toward `8.00` (every bit in the 8-bit map hit), but will probably never
 reach that extreme.
 
 Together, the values can be useful for comparing the coverage of several
 different fuzzing jobs that rely on the same instrumented binary.
 
-5) Stage progress
------------------
+### Stage progress
 
+```
   +-------------------------------------+
   |  now trying : interest 32/8         |
   | stage execs : 3996/34.4k (11.62%)   |
   | total execs : 27.4M                 |
   |  exec speed : 891.7/sec             |
   +-------------------------------------+
+```
 
 This part gives you an in-depth peek at what the fuzzer is actually doing right
 now. It tells you about the current stage, which can be any of:
@@ -186,39 +181,31 @@ now. It tells you about the current stage, which can be any of:
   - calibration - a pre-fuzzing stage where the execution path is examined
     to detect anomalies, establish baseline execution speed, and so on. Executed
     very briefly whenever a new find is being made.
-
   - trim L/S - another pre-fuzzing stage where the test case is trimmed to the
     shortest form that still produces the same execution path. The length (L)
     and stepover (S) are chosen in general relationship to file size.
-
   - bitflip L/S - deterministic bit flips. There are L bits toggled at any given
     time, walking the input file with S-bit increments. The current L/S variants
-    are: 1/1, 2/1, 4/1, 8/8, 16/8, 32/8.
-
+    are: `1/1`, `2/1`, `4/1`, `8/8`, `16/8`, `32/8`.
   - arith L/8 - deterministic arithmetics. The fuzzer tries to subtract or add
     small integers to 8-, 16-, and 32-bit values. The stepover is always 8 bits.
-
   - interest L/8 - deterministic value overwrite. The fuzzer has a list of known
     "interesting" 8-, 16-, and 32-bit values to try. The stepover is 8 bits.
-
   - extras - deterministic injection of dictionary terms. This can be shown as
     "user" or "auto", depending on whether the fuzzer is using a user-supplied
-    dictionary (-x) or an auto-created one. You will also see "over" or "insert",
+    dictionary (`-x`) or an auto-created one. You will also see "over" or "insert",
     depending on whether the dictionary words overwrite existing data or are
     inserted by offsetting the remaining data to accommodate their length.
-
   - havoc - a sort-of-fixed-length cycle with stacked random tweaks. The
     operations attempted during this stage include bit flips, overwrites with
     random and "interesting" integers, block deletion, block duplication, plus
     assorted dictionary-related operations (if a dictionary is supplied in the
     first place).
-
   - splice - a last-resort strategy that kicks in after the first full queue
     cycle with no new paths. It is equivalent to 'havoc', except that it first
     splices together two random inputs from the queue at some arbitrarily
     selected midpoint.
-
-  - sync - a stage used only when -M or -S is set (see parallel_fuzzing.txt).
+  - sync - a stage used only when `-M` or `-S` is set (see parallel_fuzzing.md).
     No real fuzzing is involved, but the tool scans the output from other
     fuzzers and imports test cases as necessary. The first time this is done,
     it may take several minutes or so.
@@ -231,18 +218,19 @@ most of the time - and if it stays below 100, the job will probably take very
 long.
 
 The fuzzer will explicitly warn you about slow targets, too. If this happens,
-see the perf_tips.txt file included with the fuzzer for ideas on how to speed
+see the [perf_tips.md](perf_tips.md) file included with the fuzzer for ideas on how to speed
 things up.
 
-6) Findings in depth
---------------------
+### Findings in depth
 
+```
   +--------------------------------------+
   | favored paths : 879 (41.96%)         |
   |  new edges on : 423 (20.19%)         |
   | total crashes : 0 (0 unique)         |
   |  total tmouts : 24 (19 unique)       |
   +--------------------------------------+
+```
 
 This gives you several metrics that are of interest mostly to complete nerds.
 The section includes the number of paths that the fuzzer likes the most based
@@ -255,9 +243,9 @@ Note that the timeout counter is somewhat different from the hang counter; this
 one includes all test cases that exceeded the timeout, even if they did not
 exceed it by a margin sufficient to be classified as hangs.
 
-7) Fuzzing strategy yields
---------------------------
+### Fuzzing strategy yields
 
+```
   +-----------------------------------------------------+
   |   bit flips : 57/289k, 18/289k, 18/288k             |
   |  byte flips : 0/36.2k, 4/35.7k, 7/34.6k             |
@@ -267,6 +255,7 @@ exceed it by a margin sufficient to be classified as hangs.
   |       havoc : 1903/20.0M, 0/0                       |
   |        trim : 20.31%/9201, 17.05%                   |
   +-----------------------------------------------------+
+```
 
 This is just another nerd-targeted section keeping track of how many paths we
 have netted, in proportion to the number of execs attempted, for each of the
@@ -280,9 +269,9 @@ goal. Finally, the third number shows the proportion of bytes that, although
 not possible to remove, were deemed to have no effect and were excluded from
 some of the more expensive deterministic fuzzing steps.
 
-8) Path geometry
-----------------
+### Path geometry
 
+```
   +---------------------+
   |    levels : 5       |
   |   pending : 1570    |
@@ -291,6 +280,7 @@ some of the more expensive deterministic fuzzing steps.
   |  imported : 0       |
   | stability : 100.00% |
   +---------------------+
+```
 
 The first field in this section tracks the path depth reached through the
 guided fuzzing process. In essence: the initial test cases supplied by the
@@ -323,46 +313,40 @@ there are several things to look at:
   - The use of uninitialized memory in conjunction with some intrinsic sources
     of entropy in the tested binary. Harmless to AFL, but could be indicative
     of a security bug.
-
   - Attempts to manipulate persistent resources, such as left over temporary
     files or shared memory objects. This is usually harmless, but you may want
     to double-check to make sure the program isn't bailing out prematurely.
     Running out of disk space, SHM handles, or other global resources can
     trigger this, too.
-
   - Hitting some functionality that is actually designed to behave randomly.
     Generally harmless. For example, when fuzzing sqlite, an input like
-    'select random();' will trigger a variable execution path.
-
+    `select random();` will trigger a variable execution path.
   - Multiple threads executing at once in semi-random order. This is harmless
     when the 'stability' metric stays over 90% or so, but can become an issue
     if not. Here's what to try:
-
-    - Use afl-clang-fast from llvm_mode/ - it uses a thread-local tracking
+    * Use afl-clang-fast from [llvm_mode](../llvm_mode/) - it uses a thread-local tracking
       model that is less prone to concurrency issues,
-
-    - See if the target can be compiled or run without threads. Common
-      ./configure options include --without-threads, --disable-pthreads, or
-      --disable-openmp.
-
-    - Replace pthreads with GNU Pth (https://www.gnu.org/software/pth/), which
+    * See if the target can be compiled or run without threads. Common
+      `./configure` options include `--without-threads`, `--disable-pthreads`, or
+      `--disable-openmp`.
+    * Replace pthreads with GNU Pth (https://www.gnu.org/software/pth/), which
       allows you to use a deterministic scheduler.
-
   - In persistent mode, minor drops in the "stability" metric can be normal,
     because not all the code behaves identically when re-entered; but major
-    dips may signify that the code within __AFL_LOOP() is not behaving
+    dips may signify that the code within `__AFL_LOOP()` is not behaving
     correctly on subsequent iterations (e.g., due to incomplete clean-up or
     reinitialization of the state) and that most of the fuzzing effort goes
     to waste.
 
 The paths where variable behavior is detected are marked with a matching entry
-in the <out_dir>/queue/.state/variable_behavior/ directory, so you can look
+in the `<out_dir>/queue/.state/variable_behavior/` directory, so you can look
 them up easily.
 
-9) CPU load
------------
+### CPU load
 
+```
   [cpu: 25%]
+```
 
 This tiny widget shows the apparent CPU utilization on the local system. It is
 calculated by taking the number of processes in the "runnable" state, and then
@@ -370,7 +354,7 @@ comparing it to the number of logical cores on the system.
 
 If the value is shown in green, you are using fewer CPU cores than available on
 your system and can probably parallelize to improve performance; for tips on
-how to do that, see parallel_fuzzing.txt.
+how to do that, see parallel_fuzzing.md.
 
 If the value is shown in red, your CPU is *possibly* oversubscribed, and
 running additional fuzzers may not give you any benefits.
@@ -380,39 +364,37 @@ are ready to run, but not how resource-hungry they may be. It also doesn't
 distinguish between physical cores, logical cores, and virtualized CPUs; the
 performance characteristics of each of these will differ quite a bit.
 
-If you want a more accurate measurement, you can run the afl-gotcpu utility
-from the command line.
+If you want a more accurate measurement, you can run the `afl-gotcpu` utility from the command line.
 
-10) Addendum: status and plot files
------------------------------------
+### Addendum: status and plot files
 
 For unattended operation, some of the key status screen information can be also
 found in a machine-readable format in the fuzzer_stats file in the output
 directory. This includes:
 
-  - start_time     - unix time indicating the start time of afl-fuzz
-  - last_update    - unix time corresponding to the last update of this file
-  - fuzzer_pid     - PID of the fuzzer process
-  - cycles_done    - queue cycles completed so far
-  - execs_done     - number of execve() calls attempted
-  - execs_per_sec  - current number of execs per second
-  - paths_total    - total number of entries in the queue
-  - paths_found    - number of entries discovered through local fuzzing
-  - paths_imported - number of entries imported from other instances
-  - max_depth      - number of levels in the generated data set
-  - cur_path       - currently processed entry number
-  - pending_favs   - number of favored entries still waiting to be fuzzed
-  - pending_total  - number of all entries waiting to be fuzzed
-  - stability      - percentage of bitmap bytes that behave consistently
-  - variable_paths - number of test cases showing variable behavior
-  - unique_crashes - number of unique crashes recorded
-  - unique_hangs   - number of unique hangs encountered
-  - command_line   - full command line used for the fuzzing session
-  - slowest_exec_ms- real time of the slowest execution in seconds
-  - peak_rss_mb    - max rss usage reached during fuzzing in MB
+  - `start_time`     - unix time indicating the start time of afl-fuzz
+  - `last_update`    - unix time corresponding to the last update of this file
+  - `fuzzer_pid`     - PID of the fuzzer process
+  - `cycles_done`    - queue cycles completed so far
+  - `execs_done`     - number of execve() calls attempted
+  - `execs_per_sec`  - overall number of execs per second
+  - `paths_total`    - total number of entries in the queue
+  - `paths_found`    - number of entries discovered through local fuzzing
+  - `paths_imported` - number of entries imported from other instances
+  - `max_depth`      - number of levels in the generated data set
+  - `cur_path`       - currently processed entry number
+  - `pending_favs`   - number of favored entries still waiting to be fuzzed
+  - `pending_total`  - number of all entries waiting to be fuzzed
+  - `stability      - percentage of bitmap bytes that behave consistently
+  - `variable_paths` - number of test cases showing variable behavior
+  - `unique_crashes` - number of unique crashes recorded
+  - `unique_hangs`   - number of unique hangs encountered
+  - `command_line`   - full command line used for the fuzzing session
+  - `slowest_exec_ms`- real time of the slowest execution in seconds
+  - `peak_rss_mb`    - max rss usage reached during fuzzing in MB
 
 Most of these map directly to the UI elements discussed earlier on.
 
-On top of that, you can also find an entry called 'plot_data', containing a
+On top of that, you can also find an entry called `plot_data`, containing a
 plottable history for most of these fields. If you have gnuplot installed, you
-can turn this into a nice progress report with the included 'afl-plot' tool.
+can turn this into a nice progress report with the included `afl-plot` tool.

docs/technical_details.md

@@ -1,13 +1,10 @@
-===================================
-Technical "whitepaper" for afl-fuzz
-===================================
+# Technical "whitepaper" for afl-fuzz
 
-  This document provides a quick overview of the guts of American Fuzzy Lop.
-  See README for the general instruction manual; and for a discussion of
-  motivations and design goals behind AFL, see historical_notes.txt.
+This document provides a quick overview of the guts of American Fuzzy Lop.
+See README.md for the general instruction manual; and for a discussion of
+motivations and design goals behind AFL, see historical_notes.md.
 
-0) Design statement
--------------------
+## 0. Design statement
 
 American Fuzzy Lop does its best not to focus on any singular principle of
 operation and not be a proof-of-concept for any specific theory. The tool can
@@ -20,28 +17,30 @@ lightweight instrumentation that served as a foundation for the tool, but this
 mechanism should be thought of merely as a means to an end. The only true
 governing principles are speed, reliability, and ease of use.
 
-1) Coverage measurements
-------------------------
+## 1. Coverage measurements
 
 The instrumentation injected into compiled programs captures branch (edge)
 coverage, along with coarse branch-taken hit counts. The code injected at
 branch points is essentially equivalent to:
 
+```c
   cur_location = <COMPILE_TIME_RANDOM>;
   shared_mem[cur_location ^ prev_location]++; 
   prev_location = cur_location >> 1;
+```
 
-The cur_location value is generated randomly to simplify the process of
+The `cur_location` value is generated randomly to simplify the process of
 linking complex projects and keep the XOR output distributed uniformly.
 
-The shared_mem[] array is a 64 kB SHM region passed to the instrumented binary
+The `shared_mem[]` array is a 64 kB SHM region passed to the instrumented binary
 by the caller. Every byte set in the output map can be thought of as a hit for
-a particular (branch_src, branch_dst) tuple in the instrumented code.
+a particular (`branch_src`, `branch_dst`) tuple in the instrumented code.
 
 The size of the map is chosen so that collisions are sporadic with almost all
 of the intended targets, which usually sport between 2k and 10k discoverable
 branch points:
 
+```
    Branch cnt | Colliding tuples | Example targets
   ------------+------------------+-----------------
         1,000 | 0.75%            | giflib, lzo
@@ -50,6 +49,7 @@ branch points:
        10,000 | 7%               | libxml
        20,000 | 14%              | sqlite
        50,000 | 30%              | -
+```
 
 At the same time, its size is small enough to allow the map to be analyzed
 in a matter of microseconds on the receiving end, and to effortlessly fit
@@ -59,8 +59,10 @@ This form of coverage provides considerably more insight into the execution
 path of the program than simple block coverage. In particular, it trivially
 distinguishes between the following execution traces:
 
+```
   A -> B -> C -> D -> E (tuples: AB, BC, CD, DE)
   A -> B -> D -> C -> E (tuples: AB, BD, DC, CE)
+```
 
 This aids the discovery of subtle fault conditions in the underlying code,
 because security vulnerabilities are more often associated with unexpected
@@ -75,8 +77,7 @@ The absence of simple saturating arithmetic opcodes on Intel CPUs means that
 the hit counters can sometimes wrap around to zero. Since this is a fairly
 unlikely and localized event, it's seen as an acceptable performance trade-off.
 
-2) Detecting new behaviors
---------------------------
+### 2. Detecting new behaviors
 
 The fuzzer maintains a global map of tuples seen in previous executions; this
 data can be rapidly compared with individual traces and updated in just a couple
@@ -97,18 +98,24 @@ To illustrate the properties of the algorithm, consider that the second trace
 shown below would be considered substantially new because of the presence of
 new tuples (CA, AE):
 
+```
   #1: A -> B -> C -> D -> E
   #2: A -> B -> C -> A -> E
+```
 
 At the same time, with #2 processed, the following pattern will not be seen
 as unique, despite having a markedly different overall execution path:
 
+```
   #3: A -> B -> C -> A -> B -> C -> A -> B -> C -> D -> E
+```
 
 In addition to detecting new tuples, the fuzzer also considers coarse tuple
 hit counts. These are divided into several buckets:
 
+```
   1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+
+```
 
 To some extent, the number of buckets is an implementation artifact: it allows
 an in-place mapping of an 8-bit counter generated by the instrumentation to
@@ -135,8 +142,7 @@ reject them and hope that the fuzzer will find a less expensive way to reach
 the same code. Empirical testing strongly suggests that more generous time
 limits are not worth the cost.
 
-3) Evolving the input queue
----------------------------
+## 3. Evolving the input queue
 
 Mutated test cases that produced new state transitions within the program are
 added to the input queue and used as a starting point for future rounds of
@@ -146,7 +152,7 @@ In contrast to more greedy genetic algorithms, this approach allows the tool
 to progressively explore various disjoint and possibly mutually incompatible
 features of the underlying data format, as shown in this image:
 
-  http://lcamtuf.coredump.cx/afl/afl_gzip.png
+  ![gzip_coverage](./visualization/afl_gzip.png)
 
 Several practical examples of the results of this algorithm are discussed
 here:
@@ -165,10 +171,11 @@ of new tuples, and the remainder is associated with changes in hit counts.
 
 The following table compares the relative ability to discover file syntax and
 explore program states when using several different approaches to guided
-fuzzing. The instrumented target was GNU patch 2.7.3 compiled with -O3 and
+fuzzing. The instrumented target was GNU patch 2.7k.3 compiled with `-O3` and
 seeded with a dummy text file; the session consisted of a single pass over the
 input queue with afl-fuzz:
 
+```
     Fuzzer guidance | Blocks  | Edges   | Edge hit | Highest-coverage
       strategy used | reached | reached | cnt var  | test case generated
   ------------------+---------+---------+----------+---------------------------
@@ -179,6 +186,7 @@ input queue with afl-fuzz:
      Block coverage | 855     | 1,130   | 1.57     | Almost-valid RCS diff
       Edge coverage | 1,452   | 2,070   | 2.18     | One-chunk -c mode diff
           AFL model | 1,765   | 2,597   | 4.99     | Four-chunk -c mode diff
+```
 
 The first entry for blind fuzzing ("S") corresponds to executing just a single
 round of testing; the second set of figures ("L") shows the fuzzer running in a
@@ -191,6 +199,7 @@ a series of rudimentary, sequential operations such as walking bit flips.
 Because this mode would be incapable of altering the size of the input file,
 the sessions were seeded with a valid unified diff:
 
+```
     Queue extension | Blocks  | Edges   | Edge hit | Number of unique
       strategy used | reached | reached | cnt var  | crashes found
   ------------------+---------+---------+----------+------------------
@@ -200,14 +209,14 @@ the sessions were seeded with a valid unified diff:
      Block coverage | 1,255   | 1,649   | 1.48     | 0
       Edge coverage | 1,259   | 1,734   | 1.72     | 0
           AFL model | 1,452   | 2,040   | 3.16     | 1
+```
 
 At noted earlier on, some of the prior work on genetic fuzzing relied on
 maintaining a single test case and evolving it to maximize coverage. At least
 in the tests described above, this "greedy" approach appears to confer no
 substantial benefits over blind fuzzing strategies.
 
-4) Culling the corpus
----------------------
+### 4. Culling the corpus
 
 The progressive state exploration approach outlined above means that some of
 the test cases synthesized later on in the game may have edge coverage that
@@ -225,11 +234,8 @@ for each tuple.
 The tuples are then processed sequentially using a simple workflow:
 
   1) Find next tuple not yet in the temporary working set,
-
   2) Locate the winning queue entry for this tuple,
-
   3) Register *all* tuples present in that entry's trace in the working set,
-
   4) Go to #1 if there are any missing tuples in the set.
 
 The generated corpus of "favored" entries is usually 5-10x smaller than the
@@ -238,30 +244,26 @@ with varying probabilities when encountered in the queue:
 
   - If there are new, yet-to-be-fuzzed favorites present in the queue, 99%
     of non-favored entries will be skipped to get to the favored ones.
-
   - If there are no new favorites:
-
-    - If the current non-favored entry was fuzzed before, it will be skipped
+    * If the current non-favored entry was fuzzed before, it will be skipped
       95% of the time.
-
-    - If it hasn't gone through any fuzzing rounds yet, the odds of skipping
+    * If it hasn't gone through any fuzzing rounds yet, the odds of skipping
       drop down to 75%.
 
 Based on empirical testing, this provides a reasonable balance between queue
 cycling speed and test case diversity.
 
 Slightly more sophisticated but much slower culling can be performed on input
-or output corpora with afl-cmin. This tool permanently discards the redundant
-entries and produces a smaller corpus suitable for use with afl-fuzz or
+or output corpora with `afl-cmin`. This tool permanently discards the redundant
+entries and produces a smaller corpus suitable for use with `afl-fuzz` or
 external tools.
 
-5) Trimming input files
------------------------
+## 5. Trimming input files
 
 File size has a dramatic impact on fuzzing performance, both because large
 files make the target binary slower, and because they reduce the likelihood
 that a mutation would touch important format control structures, rather than
-redundant data blocks. This is discussed in more detail in perf_tips.txt.
+redundant data blocks. This is discussed in more detail in perf_tips.md.
 
 The possibility that the user will provide a low-quality starting corpus aside,
 some types of mutations can have the effect of iteratively increasing the size
@@ -275,12 +277,12 @@ The built-in trimmer in afl-fuzz attempts to sequentially remove blocks of data
 with variable length and stepover; any deletion that doesn't affect the checksum
 of the trace map is committed to disk. The trimmer is not designed to be
 particularly thorough; instead, it tries to strike a balance between precision
-and the number of execve() calls spent on the process, selecting the block size
+and the number of `execve()` calls spent on the process, selecting the block size
 and stepover to match. The average per-file gains are around 5-20%.
 
-The standalone afl-tmin tool uses a more exhaustive, iterative algorithm, and
+The standalone `afl-tmin` tool uses a more exhaustive, iterative algorithm, and
 also attempts to perform alphabet normalization on the trimmed files. The
-operation of afl-tmin is as follows.
+operation of `afl-tmin` is as follows.
 
 First, the tool automatically selects the operating mode. If the initial input
 crashes the target binary, afl-tmin will run in non-instrumented mode, simply
@@ -293,16 +295,13 @@ The actual minimization algorithm is:
   1) Attempt to zero large blocks of data with large stepovers. Empirically,
      this is shown to reduce the number of execs by preempting finer-grained
      efforts later on.
-
   2) Perform a block deletion pass with decreasing block sizes and stepovers,
      binary-search-style. 
-
   3) Perform alphabet normalization by counting unique characters and trying
      to bulk-replace each with a zero value.
-
   4) As a last result, perform byte-by-byte normalization on non-zero bytes.
 
-Instead of zeroing with a 0x00 byte, afl-tmin uses the ASCII digit '0'. This
+Instead of zeroing with a 0x00 byte, `afl-tmin` uses the ASCII digit '0'. This
 is done because such a modification is much less likely to interfere with
 text parsing, so it is more likely to result in successful minimization of
 text files.
@@ -312,8 +311,7 @@ minimization approaches proposed in academic work, but requires far fewer
 executions and tends to produce comparable results in most real-world
 applications.
 
-6) Fuzzing strategies
----------------------
+## 6. Fuzzing strategies
 
 The feedback provided by the instrumentation makes it easy to understand the
 value of various fuzzing strategies and optimize their parameters so that they
@@ -323,15 +321,13 @@ afl-fuzz are generally format-agnostic and are discussed in more detail here:
   http://lcamtuf.blogspot.com/2014/08/binary-fuzzing-strategies-what-works.html
 
 It is somewhat notable that especially early on, most of the work done by
-afl-fuzz is actually highly deterministic, and progresses to random stacked
+`afl-fuzz` is actually highly deterministic, and progresses to random stacked
 modifications and test case splicing only at a later stage. The deterministic
 strategies include:
 
   - Sequential bit flips with varying lengths and stepovers,
-
   - Sequential addition and subtraction of small integers,
-
-  - Sequential insertion of known interesting integers (0, 1, INT_MAX, etc),
+  - Sequential insertion of known interesting integers (`0`, `1`, `INT_MAX`, etc),
 
 The purpose of opening with deterministic steps is related to their tendency to
 produce compact test cases and small diffs between the non-crashing and crashing
@@ -341,10 +337,10 @@ With deterministic fuzzing out of the way, the non-deterministic steps include
 stacked bit flips, insertions, deletions, arithmetics, and splicing of different
 test cases.
 
-The relative yields and execve() costs of all these strategies have been
+The relative yields and `execve()` costs of all these strategies have been
 investigated and are discussed in the aforementioned blog post.
 
-For the reasons discussed in historical_notes.txt (chiefly, performance,
+For the reasons discussed in historical_notes.md (chiefly, performance,
 simplicity, and reliability), AFL generally does not try to reason about the
 relationship between specific mutations and program states; the fuzzing steps
 are nominally blind, and are guided only by the evolutionary design of the
@@ -365,8 +361,7 @@ in force only during deterministic stages that do not alter the size or the
 general layout of the underlying file, this mechanism appears to work very
 reliably and proved to be simple to implement.
 
-7) Dictionaries
----------------
+## 7. Dictionaries
 
 The feedback provided by the instrumentation makes it easy to automatically
 identify syntax tokens in some types of input files, and to detect that certain
@@ -398,31 +393,28 @@ to a predefined value baked into the code. The fuzzer relies on this signal
 to build compact "auto dictionaries" that are then used in conjunction with
 other fuzzing strategies.
 
-8) De-duping crashes
---------------------
+## 8. De-duping crashes
 
 De-duplication of crashes is one of the more important problems for any
 competent fuzzing tool. Many of the naive approaches run into problems; in
 particular, looking just at the faulting address may lead to completely
 unrelated issues being clustered together if the fault happens in a common
-library function (say, strcmp, strcpy); while checksumming call stack
+library function (say, `strcmp`, `strcpy`); while checksumming call stack
 backtraces can lead to extreme crash count inflation if the fault can be
 reached through a number of different, possibly recursive code paths.
 
-The solution implemented in afl-fuzz considers a crash unique if any of two
+The solution implemented in `afl-fuzz` considers a crash unique if any of two
 conditions are met:
 
   - The crash trace includes a tuple not seen in any of the previous crashes,
-
   - The crash trace is missing a tuple that was always present in earlier
     faults.
 
 The approach is vulnerable to some path count inflation early on, but exhibits
 a very strong self-limiting effect, similar to the execution path analysis
-logic that is the cornerstone of afl-fuzz.
+logic that is the cornerstone of `afl-fuzz`.
 
-9) Investigating crashes
-------------------------
+## 9. Investigating crashes
 
 The exploitability of many types of crashes can be ambiguous; afl-fuzz tries
 to address this by providing a crash exploration mode where a known-faulting
@@ -441,13 +433,12 @@ newly-found inputs for human review.
 On the subject of crashes, it is worth noting that in contrast to normal
 queue entries, crashing inputs are *not* trimmed; they are kept exactly as
 discovered to make it easier to compare them to the parent, non-crashing entry
-in the queue. That said, afl-tmin can be used to shrink them at will.
+in the queue. That said, `afl-tmin` can be used to shrink them at will.
 
-10) The fork server
--------------------
+## 10 The fork server
 
-To improve performance, afl-fuzz uses a "fork server", where the fuzzed process
-goes through execve(), linking, and libc initialization only once, and is then
+To improve performance, `afl-fuzz` uses a "fork server", where the fuzzed process
+goes through `execve()`, linking, and libc initialization only once, and is then
 cloned from a stopped process image by leveraging copy-on-write. The
 implementation is described in more detail here:
 
@@ -455,7 +446,7 @@ implementation is described in more detail here:
 
 The fork server is an integral aspect of the injected instrumentation and
 simply stops at the first instrumented function to await commands from
-afl-fuzz.
+`afl-fuzz`.
 
 With fast targets, the fork server can offer considerable performance gains,
 usually between 1.5x and 2x. It is also possible to:
@@ -464,17 +455,14 @@ usually between 1.5x and 2x. It is also possible to:
     user-selected chunks of initialization code. It requires very modest
     code changes to the targeted program, and With some targets, can
     produce 10x+ performance gains.
-
   - Enable "persistent" mode, where a single process is used to try out
-    multiple inputs, greatly limiting the overhead of repetitive fork()
+    multiple inputs, greatly limiting the overhead of repetitive `fork()`
     calls. This generally requires some code changes to the targeted program,
-    but can improve the performance of fast targets by a factor of 5 or more
-    - approximating the benefits of in-process fuzzing jobs while still
+    but can improve the performance of fast targets by a factor of 5 or more - approximating the benefits of in-process fuzzing jobs while still
     maintaining very robust isolation between the fuzzer process and the
     targeted binary.
 
-11) Parallelization
--------------------
+## 11. Parallelization
 
 The parallelization mechanism relies on periodically examining the queues
 produced by independently-running instances on other CPU cores or on remote
@@ -485,10 +473,9 @@ This allows for extreme flexibility in fuzzer setup, including running synced
 instances against different parsers of a common data format, often with
 synergistic effects.
 
-For more information about this design, see parallel_fuzzing.txt.
+For more information about this design, see parallel_fuzzing.md.
 
-12) Binary-only instrumentation
--------------------------------
+## 12. Binary-only instrumentation
 
 Instrumentation of black-box, binary-only targets is accomplished with the
 help of a separately-built version of QEMU in "user emulation" mode. This also
@@ -497,6 +484,7 @@ allows the execution of cross-architecture code - say, ARM binaries on x86.
 QEMU uses basic blocks as translation units; the instrumentation is implemented
 on top of this and uses a model roughly analogous to the compile-time hooks:
 
+```c
   if (block_address > elf_text_start && block_address < elf_text_end) {
 
     cur_location = (block_address >> 4) ^ (block_address << 8);
@@ -504,6 +492,7 @@ on top of this and uses a model roughly analogous to the compile-time hooks:
     prev_location = cur_location >> 1;
 
   }
+```
 
 The shift-and-XOR-based scrambling in the second line is used to mask the
 effects of instruction alignment.
@@ -511,7 +500,7 @@ effects of instruction alignment.
 The start-up of binary translators such as QEMU, DynamoRIO, and PIN is fairly
 slow; to counter this, the QEMU mode leverages a fork server similar to that
 used for compiler-instrumented code, effectively spawning copies of an
-already-initialized process paused at _start.
+already-initialized process paused at `_start`.
 
 First-time translation of a new basic block also incurs substantial latency. To
 eliminate this problem, the AFL fork server is extended by providing a channel
@@ -523,8 +512,7 @@ processes.
 As a result of these two optimizations, the overhead of the QEMU mode is
 roughly 2-5x, compared to 100x+ for PIN.
 
-13) The afl-analyze tool
-------------------------
+## 13. The `afl-analyze` tool
 
 The file format analyzer is a simple extension of the minimization algorithm
 discussed earlier on; instead of attempting to remove no-op blocks, the tool
@@ -536,28 +524,22 @@ It uses the following classification scheme:
   - "No-op blocks" - segments where bit flips cause no apparent changes to
     control flow. Common examples may be comment sections, pixel data within
     a bitmap file, etc.
-
   - "Superficial content" - segments where some, but not all, bitflips
     produce some control flow changes. Examples may include strings in rich
     documents (e.g., XML, RTF).
-
   - "Critical stream" - a sequence of bytes where all bit flips alter control
     flow in different but correlated ways. This may be compressed data, 
     non-atomically compared keywords or magic values, etc.
-
   - "Suspected length field" - small, atomic integer that, when touched in
     any way, causes a consistent change to program control flow, suggestive
     of a failed length check.
-
   - "Suspected cksum or magic int" - an integer that behaves similarly to a
     length field, but has a numerical value that makes the length explanation
     unlikely. This is suggestive of a checksum or other "magic" integer.
-
   - "Suspected checksummed block" - a long block of data where any change 
     always triggers the same new execution path. Likely caused by failing
     a checksum or a similar integrity check before any subsequent parsing
     takes place.
-
   - "Magic value section" - a generic token where changes cause the type
     of binary behavior outlined earlier, but that doesn't meet any of the
     other criteria. May be an atomically compared keyword or so.

examples/README.md

@@ -1,5 +1,11 @@
+# AFL++ Examples
+
 Here's a quick overview of the stuff you can find in this directory:
 
+  - custom_mutstors      - An example custom mutator
+  
+  - python_mutators      - Python mutators examples
+
   - argv_fuzzing         - a simple wrapper to allow cmdline to be fuzzed
                            (e.g., to test setuid programs).
 
@@ -20,7 +26,7 @@ Here's a quick overview of the stuff you can find in this directory:
                            with additional gdb metadata.
 
   - distributed_fuzzing  - a sample script for synchronizing fuzzer instances
-                           across multiple machines (see parallel_fuzzing.txt).
+                           across multiple machines (see parallel_fuzzing.md).
 
   - libpng_no_checksum   - a sample patch for removing CRC checks in libpng.
 
@@ -28,8 +34,11 @@ Here's a quick overview of the stuff you can find in this directory:
                            mode to speed up certain fuzzing jobs.
 
   - post_library         - an example of how to build postprocessors for AFL.
+  
+  - socket_fuzzing       - a LD_PRELOAD library 'redirects' a socket to stdin
+                           for fuzzing access with afl++
 
-Note that the minimize_corpus.sh tool has graduated from the experimental/
+Note that the minimize_corpus.sh tool has graduated from the examples/
 directory and is now available as ../afl-cmin. The LLVM mode has likewise
 graduated to ../llvm_mode/*.
 

examples/argv_fuzzing/Makefile

@@ -0,0 +1,51 @@
+#
+# american fuzzy lop++ - argvfuzz
+# --------------------------------
+#
+# Copyright 2019-2020 Kjell Braden <afflux@pentabarf.de>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+
+.PHONY: all install clean
+
+PREFIX     ?= /usr/local
+BIN_PATH    = $(PREFIX)/bin
+HELPER_PATH = $(PREFIX)/lib/afl
+
+CFLAGS = -fPIC -Wall -Wextra
+LDFLAGS = -shared
+
+ifneq "$(filter Linux GNU%,$(shell uname))" ""
+  LDFLAGS  += -ldl
+endif
+
+# on gcc for arm there is no -m32, but -mbe32
+M32FLAG = -m32
+M64FLAG = -m64
+ifeq "$(findstring clang, $(shell $(CC) --version 2>/dev/null))" ""
+ ifneq (,$(findstring arm, "$(shell $(CC) -v 2>&1 >/dev/null)"))
+  M32FLAG = -mbe32
+ endif
+endif
+
+
+all: argvfuzz32.so argvfuzz64.so
+
+argvfuzz32.so: argvfuzz.c
+	-$(CC) $(M32FLAG) $(CFLAGS) $^ $(LDFLAGS) -o $@ || echo "argvfuzz32 build failure (that's fine)"
+
+argvfuzz64.so: argvfuzz.c
+	-$(CC) $(M64FLAG) $(CFLAGS) $^ $(LDFLAGS) -o $@ || echo "argvfuzz64 build failure (that's fine)"
+
+install: argvfuzz32.so argvfuzz64.so
+	install -d -m 755 $(DESTDIR)$(HELPER_PATH)/
+	if [ -f argvfuzz32.so ]; then set -e; install -m 755 argvfuzz32.so $(DESTDIR)$(HELPER_PATH)/; fi
+	if [ -f argvfuzz64.so ]; then set -e; install -m 755 argvfuzz64.so $(DESTDIR)$(HELPER_PATH)/; fi
+
+clean:
+	rm -f argvfuzz32.so argvfuzz64.so

examples/argv_fuzzing/README.md

@@ -0,0 +1,16 @@
+# argvfuzz
+
+afl supports fuzzing file inputs or stdin. When source is available,
+`argv-fuzz-inl.h` can be used to change `main()` to build argv from stdin.
+
+`argvfuzz` tries to provide the same functionality for binaries. When loaded
+using `LD_PRELOAD`, it will hook the call to `__libc_start_main` and replace
+argv using the same logic of `argv-fuzz-inl.h`.
+
+A few conditions need to be fulfilled for this mechanism to work correctly:
+
+1. As it relies on hooking the loader, it cannot work on static binaries.
+2. If the target binary does not use the default libc's `_start` implementation
+   (crt1.o), the hook may not run.
+3. The hook will replace argv with pointers to `.data` of `argvfuzz.so`. If the
+   target binary expects argv to be living on the stack, things may go wrong.

examples/argv_fuzzing/argv-fuzz-inl.h

@@ -1,8 +1,8 @@
 /*
-   american fuzzy lop - sample argv fuzzing wrapper
+   american fuzzy lop++ - sample argv fuzzing wrapper
    ------------------------------------------------
 
-   Written by Michal Zalewski <lcamtuf@google.com>
+   Originally written by Michal Zalewski
 
    Copyright 2015 Google Inc. All rights reserved.
 
@@ -17,7 +17,7 @@
 
    #include "/path/to/argv-fuzz-inl.h"
 
-   ...to the file containing main(), ideally placing it after all the 
+   ...to the file containing main(), ideally placing it after all the
    standard includes. Next, put AFL_INIT_ARGV(); near the very beginning of
    main().
 
@@ -36,16 +36,24 @@
 
 #include <unistd.h>
 
-#define AFL_INIT_ARGV() do { argv = afl_init_argv(&argc); } while (0)
-
-#define AFL_INIT_SET0(_p) do { \
+#define AFL_INIT_ARGV()          \
+  do {                           \
+                                 \
     argv = afl_init_argv(&argc); \
-    argv[0] = (_p); \
-    if (!argc) argc = 1; \
+                                 \
+  } while (0)
+
+#define AFL_INIT_SET0(_p)        \
+  do {                           \
+                                 \
+    argv = afl_init_argv(&argc); \
+    argv[0] = (_p);              \
+    if (!argc) argc = 1;         \
+                                 \
   } while (0)
 
 #define MAX_CMDLINE_LEN 100000
-#define MAX_CMDLINE_PAR 1000
+#define MAX_CMDLINE_PAR 50000
 
 static char** afl_init_argv(int* argc) {
 
@@ -53,17 +61,18 @@ static char** afl_init_argv(int* argc) {
   static char* ret[MAX_CMDLINE_PAR];
 
   char* ptr = in_buf;
-  int   rc  = 0;
+  int   rc = 0;
 
-  if (read(0, in_buf, MAX_CMDLINE_LEN - 2) < 0);
+  if (read(0, in_buf, MAX_CMDLINE_LEN - 2) < 0) {}
 
-  while (*ptr) {
+  while (*ptr && rc < MAX_CMDLINE_PAR) {
 
     ret[rc] = ptr;
     if (ret[rc][0] == 0x02 && !ret[rc][1]) ret[rc]++;
     rc++;
 
-    while (*ptr) ptr++;
+    while (*ptr)
+      ptr++;
     ptr++;
 
   }
@@ -77,4 +86,5 @@ static char** afl_init_argv(int* argc) {
 #undef MAX_CMDLINE_LEN
 #undef MAX_CMDLINE_PAR
 
-#endif /* !_HAVE_ARGV_FUZZ_INL */
+#endif                                              /* !_HAVE_ARGV_FUZZ_INL */
+

examples/argv_fuzzing/argvfuzz.c

@@ -0,0 +1,49 @@
+/*
+   american fuzzy lop++ - LD_PRELOAD for fuzzing argv in binaries
+   ------------------------------------------------------------
+
+   Copyright 2019-2020 Kjell Braden <afflux@pentabarf.de>
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at:
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ */
+
+#define _GNU_SOURCE                                        /* for RTLD_NEXT */
+#include <dlfcn.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <unistd.h>
+#include "argv-fuzz-inl.h"
+
+int __libc_start_main(int (*main)(int, char **, char **), int argc, char **argv,
+                      void (*init)(void), void (*fini)(void),
+                      void (*rtld_fini)(void), void *stack_end) {
+
+  int (*orig)(int (*main)(int, char **, char **), int argc, char **argv,
+              void (*init)(void), void (*fini)(void), void (*rtld_fini)(void),
+              void *stack_end);
+  int    sub_argc;
+  char **sub_argv;
+
+  (void)argc;
+  (void)argv;
+
+  orig = dlsym(RTLD_NEXT, __func__);
+
+  if (!orig) {
+
+    fprintf(stderr, "hook did not find original %s: %s\n", __func__, dlerror());
+    exit(EXIT_FAILURE);
+
+  }
+
+  sub_argv = afl_init_argv(&sub_argc);
+
+  return orig(main, sub_argc, sub_argv, init, fini, rtld_fini, stack_end);
+
+}
+

examples/asan_cgroups/limit_memory.sh

@@ -1,13 +1,13 @@
 #!/usr/bin/env bash
 #
-# american fuzzy lop - limit memory using cgroups
+# american fuzzy lop++ - limit memory using cgroups
 # -----------------------------------------------
 #
 # Written by Samir Khakimov <samir.hakim@nyu.edu> and
 #            David A. Wheeler <dwheeler@ida.org>
 #
 # Edits to bring the script in line with afl-cmin and other companion scripts
-# by Michal Zalewski <lcamtuf@google.com>. All bugs are my fault.
+# by Michal Zalewski. All bugs are my fault.
 #
 # Copyright 2015 Institute for Defense Analyses.
 #
@@ -20,7 +20,7 @@
 # This tool allows the amount of actual memory allocated to a program
 # to be limited on Linux systems using cgroups, instead of the traditional
 # setrlimit() API. This helps avoid the address space problems discussed in
-# docs/notes_for_asan.txt.
+# docs/notes_for_asan.md.
 #
 # Important: the limit covers *both* afl-fuzz and the fuzzed binary. In some
 # hopefully rare circumstances, afl-fuzz could be killed before the fuzzed

examples/canvas_harness/canvas_harness.html

@@ -1,10 +1,10 @@
 <html>
 <!--
 
-  american fuzzy lop - <canvas> harness
+  american fuzzy lop++ - <canvas> harness
   -------------------------------------
  
-  Written and maintained by Michal Zalewski <lcamtuf@google.com>
+  Originally written by Michal Zalewski
  
   Copyright 2013, 2014 Google Inc. All rights reserved.
  

examples/clang_asm_normalize/as

@@ -1,9 +1,9 @@
 #!/bin/sh
 #
-# american fuzzy lop - clang assembly normalizer
+# american fuzzy lop++ - clang assembly normalizer
 # ----------------------------------------------
 #
-# Written and maintained by Michal Zalewski <lcamtuf@google.com>
+# Originally written by Michal Zalewski
 # The idea for this wrapper comes from Ryan Govostes.
 #
 # Copyright 2013, 2014 Google Inc. All rights reserved.

examples/crash_triage/triage_crashes.sh

@@ -1,9 +1,9 @@
 #!/bin/sh
 #
-# american fuzzy lop - crash triage utility
+# american fuzzy lop++ - crash triage utility
 # -----------------------------------------
 #
-# Written and maintained by Michal Zalewski <lcamtuf@google.com>
+# Originally written by Michal Zalewski
 #
 # Copyright 2013, 2014, 2017 Google Inc. All rights reserved.
 #
@@ -22,7 +22,7 @@
 # necessary.
 #
 
-echo "crash triage utility for afl-fuzz by <lcamtuf@google.com>"
+echo "crash triage utility for afl-fuzz by Michal Zalewski"
 echo
 
 ulimit -v 100000 2>/dev/null

examples/custom_mutators/README

@@ -0,0 +1,2 @@
+This is a simple example for the AFL_CUSTOM_MUTATOR_LIBRARY feature.
+For more information see [docs/custom_mutator.md](../docs/custom_mutator.md)

examples/distributed_fuzzing/sync_script.sh

@@ -1,11 +1,12 @@
 #!/bin/sh
 #
-# american fuzzy lop - fuzzer synchronization tool
-# ------------------------------------------------
+# american fuzzy lop++ - fuzzer synchronization tool
+# --------------------------------------------------
 #
-# Written and maintained by Michal Zalewski <lcamtuf@google.com>
+# Originally written by Michal Zalewski
 #
 # Copyright 2014 Google Inc. All rights reserved.
+# Copyright 2019-2020 AFLplusplus Project. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

examples/persistent_demo/persistent_demo.c

@@ -1,8 +1,8 @@
 /*
-   american fuzzy lop - persistent mode example
+   american fuzzy lop++ - persistent mode example
    --------------------------------------------
 
-   Written and maintained by Michal Zalewski <lcamtuf@google.com>
+   Originally written by Michal Zalewski
 
    Copyright 2015 Google Inc. All rights reserved.
 
@@ -28,12 +28,11 @@
 #include <signal.h>
 #include <string.h>
 
-
 /* Main entry point. */
 
 int main(int argc, char** argv) {
 
-  ssize_t len;   /* how much input did we read? */
+  ssize_t len;                               /* how much input did we read? */
   char buf[100]; /* Example-only buffer, you'd replace it with other global or
                     local variables appropriate for your use case. */
 
@@ -64,21 +63,28 @@ int main(int argc, char** argv) {
                We just have some trivial inline code that faults on 'foo!'. */
 
     /* do we have enough data? */
-    if (len < 4)
-      return 0;
+    if (len < 4) return 0;
 
     if (buf[0] == 'f') {
+
       printf("one\n");
       if (buf[1] == 'o') {
+
         printf("two\n");
         if (buf[2] == 'o') {
+
           printf("three\n");
           if (buf[3] == '!') {
+
             printf("four\n");
             abort();
+
           }
+
         }
+
       }
+
     }
 
     /*** END PLACEHOLDER CODE ***/
@@ -92,3 +98,4 @@ int main(int argc, char** argv) {
   return 0;
 
 }
+

examples/post_library/post_library.so.c

@@ -1,8 +1,8 @@
 /*
-   american fuzzy lop - postprocessor library example
+   american fuzzy lop++ - postprocessor library example
    --------------------------------------------------
 
-   Written and maintained by Michal Zalewski <lcamtuf@google.com>
+   Originally written by Michal Zalewski
 
    Copyright 2015 Google Inc. All rights reserved.
 
@@ -21,9 +21,9 @@
       in the targeted binary (as shown in ../libpng_no_checksum/). One possible
       exception is the process of fuzzing binary-only software in QEMU mode.
 
-   2) The use of postprocessors for anything other than checksums is questionable
-      and may cause more harm than good. AFL is normally pretty good about
-      dealing with length fields, magic values, etc.
+   2) The use of postprocessors for anything other than checksums is
+   questionable and may cause more harm than good. AFL is normally pretty good
+   about dealing with length fields, magic values, etc.
 
    3) Postprocessors that do anything non-trivial must be extremely robust to
       gracefully handle malformed data and other error conditions - otherwise,
@@ -77,10 +77,10 @@
 /* The actual postprocessor routine called by afl-fuzz: */
 
 const unsigned char* afl_postprocess(const unsigned char* in_buf,
-                                     unsigned int* len) {
+                                     unsigned int*        len) {
 
   static unsigned char* saved_buf;
-  unsigned char* new_buf;
+  unsigned char*        new_buf;
 
   /* Skip execution altogether for buffers shorter than 6 bytes (just to
      show how it's done). We can trust *len to be sane. */
@@ -117,3 +117,4 @@ const unsigned char* afl_postprocess(const unsigned char* in_buf,
   return new_buf;
 
 }
+

examples/post_library/post_library_png.so.c

@@ -1,8 +1,8 @@
 /*
-   american fuzzy lop - postprocessor for PNG
+   american fuzzy lop++ - postprocessor for PNG
    ------------------------------------------
 
-   Written and maintained by Michal Zalewski <lcamtuf@google.com>
+   Originally written by Michal Zalewski
 
    Copyright 2015 Google Inc. All rights reserved.
 
@@ -36,13 +36,13 @@
 #define UP4K(_i) ((((_i) >> 12) + 1) << 12)
 
 const unsigned char* afl_postprocess(const unsigned char* in_buf,
-                                     unsigned int* len) {
+                                     unsigned int*        len) {
 
   static unsigned char* saved_buf;
   static unsigned int   saved_len;
 
   unsigned char* new_buf = (unsigned char*)in_buf;
-  unsigned int pos = 8;
+  unsigned int   pos = 8;
 
   /* Don't do anything if there's not enough room for the PNG header
      (8 bytes). */
@@ -111,3 +111,4 @@ const unsigned char* afl_postprocess(const unsigned char* in_buf,
   return new_buf;
 
 }
+

examples/python_mutators/README

@@ -1,5 +1,8 @@
 These are example and helper files for the AFL_PYTHON_MODULE feature.
-See docs/python_mutators.txt for more information
+See [docs/python_mutators.md](../docs/python_mutators.md) for more information
+
+Note that if you compile with python3.7 you must use python3 scripts, and if
+you use pyton2.7 to compile python2 scripts!
 
 
 example.py	- this is the template you can use, the functions are there

examples/qemu_persistent_hook/README.md

@@ -0,0 +1,20 @@
+# QEMU persistent hook example
+
+Compile the test binary and the library:
+
+```
+gcc -no-pie test.c -o test
+gcc -fPIC -shared read_into_rdi.c -o read_into_rdi.so
+```
+
+Fuzz with:
+
+```
+export AFL_QEMU_PERSISTENT_ADDR=0x$(nm test | grep "T target_func" | awk '{print $1}')
+export AFL_QEMU_PERSISTENT_HOOK=./read_into_rdi.so
+
+mkdir in
+echo 0000 > in/in
+
+../../afl-fuzz -Q -i in -o out -- ./test
+```

examples/qemu_persistent_hook/read_into_rdi.c

@@ -0,0 +1,49 @@
+#include <stdint.h>
+#include <stdio.h>
+#include <unistd.h>
+
+#define g2h(x) ((void*)((unsigned long)(x) + guest_base))
+#define h2g(x) ((uint64_t)(x)-guest_base)
+
+enum {
+
+  R_EAX = 0,
+  R_ECX = 1,
+  R_EDX = 2,
+  R_EBX = 3,
+  R_ESP = 4,
+  R_EBP = 5,
+  R_ESI = 6,
+  R_EDI = 7,
+  R_R8 = 8,
+  R_R9 = 9,
+  R_R10 = 10,
+  R_R11 = 11,
+  R_R12 = 12,
+  R_R13 = 13,
+  R_R14 = 14,
+  R_R15 = 15,
+
+  R_AL = 0,
+  R_CL = 1,
+  R_DL = 2,
+  R_BL = 3,
+  R_AH = 4,
+  R_CH = 5,
+  R_DH = 6,
+  R_BH = 7,
+
+};
+
+void afl_persistent_hook(uint64_t* regs, uint64_t guest_base) {
+
+  // In this example the register RDI is pointing to the memory location
+  // of the target buffer, and the length of the input is in RAX.
+
+  printf("reading into %p\n", regs[R_EDI]);
+  size_t r = read(0, g2h(regs[R_EDI]), 1024);
+  regs[R_EAX] = r;
+  printf("readed %ld bytes\n", r);
+
+}
+

examples/qemu_persistent_hook/test.c

@@ -0,0 +1,34 @@
+#include <stdio.h>
+
+int target_func(char *buf, int size) {
+
+  printf("buffer:%p, size:%p\n", buf, size);
+  switch (buf[0]) {
+
+    case 1:
+      if (buf[1] == '\x44') { puts("a"); }
+      break;
+    case 0xff:
+      if (buf[2] == '\xff') {
+
+        if (buf[1] == '\x44') { puts("b"); }
+
+      }
+
+      break;
+    default: break;
+
+  }
+
+  return 1;
+
+}
+
+char data[1024];
+
+int main() {
+
+  target_func(data, 1024);
+
+}
+

examples/socket_fuzzing/Makefile

@@ -0,0 +1,48 @@
+#
+# american fuzzy lop++ - socket_fuzz
+# ----------------------------------
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+
+.PHONY: all install clean
+
+PREFIX     ?= /usr/local
+BIN_PATH    = $(PREFIX)/bin
+HELPER_PATH = $(PREFIX)/lib/afl
+
+CFLAGS = -fPIC -Wall -Wextra
+LDFLAGS = -shared
+
+ifneq "$(filter Linux GNU%,$(shell uname))" ""
+  LDFLAGS  += -ldl
+endif
+
+# on gcc for arm there is no -m32, but -mbe32
+M32FLAG = -m32
+M64FLAG = -m64
+ifeq "$(findstring clang, $(shell $(CC) --version 2>/dev/null))" ""
+ ifneq (,$(findstring arm, "$(shell $(CC) -v 2>&1 >/dev/null)"))
+  M32FLAG = -mbe32
+ endif
+endif
+
+all: socketfuzz32.so socketfuzz64.so
+
+socketfuzz32.so: socketfuzz.c
+	-$(CC) $(M32FLAG) $(CFLAGS) $^ $(LDFLAGS) -o $@ || echo "socketfuzz32 build failure (that's fine)"
+
+socketfuzz64.so: socketfuzz.c
+	-$(CC) $(M64FLAG) $(CFLAGS) $^ $(LDFLAGS) -o $@ || echo "socketfuzz64 build failure (that's fine)"
+
+install: socketfuzz32.so socketfuzz64.so
+	install -d -m 755 $(DESTDIR)$(HELPER_PATH)/
+	if [ -f socketfuzz32.so ]; then set -e; install -m 755 socketfuzz32.so $(DESTDIR)$(HELPER_PATH)/; fi
+	if [ -f socketfuzz64.so ]; then set -e; install -m 755 socketfuzz64.so $(DESTDIR)$(HELPER_PATH)/; fi
+
+clean:
+	rm -f socketfuzz32.so socketfuzz64.so

examples/socket_fuzzing/README.md

@@ -0,0 +1,11 @@
+# socketfuzz
+
+when you want to fuzz a network service and you can not/do not want to modify
+the source (or just have a binary), then this LD_PRELOAD library will allow
+for sending input to stdin which the target binary will think is coming from
+a network socket.
+
+This is desock_dup.c from the amazing preeny project
+https://github.com/zardus/preeny
+
+It is packaged in afl++ to have it at hand if needed

examples/socket_fuzzing/socketfuzz.c

@@ -0,0 +1,110 @@
+/*
+ * This is desock_dup.c from the amazing preeny project
+ * https://github.com/zardus/preeny
+ *
+ * It is packaged in afl++ to have it at hand if needed
+ *
+ */
+
+#define _GNU_SOURCE
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <sys/types.h>   //
+#include <sys/socket.h>  //
+#include <sys/stat.h>    //
+#include <fcntl.h>       //
+#include <netinet/in.h>
+#include <pthread.h>
+#include <signal.h>
+#include <dlfcn.h>
+#include <errno.h>
+#include <stdio.h>
+#include <poll.h>
+//#include "logging.h" // switche from preeny_info() to fprintf(stderr, "Info: "
+
+//
+// originals
+//
+int (*original_close)(int);
+int (*original_dup2)(int, int);
+__attribute__((constructor)) void preeny_desock_dup_orig() {
+
+  original_close = dlsym(RTLD_NEXT, "close");
+  original_dup2 = dlsym(RTLD_NEXT, "dup2");
+
+}
+
+int close(int sockfd) {
+
+  if (sockfd <= 2) {
+
+    fprintf(stderr, "Info: Disabling close on %d\n", sockfd);
+    return 0;
+
+  } else {
+
+    return original_close(sockfd);
+
+  }
+
+}
+
+int dup2(int old, int new) {
+
+  if (new <= 2) {
+
+    fprintf(stderr, "Info: Disabling dup from %d to %d\n", old, new);
+    return 0;
+
+  } else {
+
+    return original_dup2(old, new);
+
+  }
+
+}
+
+int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen) {
+
+  (void)sockfd;
+  (void)addr;
+  (void)addrlen;
+  fprintf(stderr, "Info: Emulating accept on %d\n", sockfd);
+  return 0;
+
+}
+
+int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen) {
+
+  (void)sockfd;
+  (void)addr;
+  (void)addrlen;
+  fprintf(stderr, "Info: Emulating bind on port %d\n",
+          ntohs(((struct sockaddr_in *)addr)->sin_port));
+  return 0;
+
+}
+
+int listen(int sockfd, int backlog) {
+
+  (void)sockfd;
+  (void)backlog;
+  return 0;
+
+}
+
+int setsockopt(int sockfd, int level, int optid, const void *optdata,
+               socklen_t optdatalen) {
+
+  (void)sockfd;
+  (void)level;
+  (void)optid;
+  (void)optdata;
+  (void)optdatalen;
+  return 0;
+
+}
+

gcc_plugin/Makefile

@@ -0,0 +1,135 @@
+#
+# american fuzzy lop++ - GCC plugin instrumentation
+# -----------------------------------------------
+#
+# Written by Austin Seipp <aseipp@pobox.com> and
+#            Laszlo Szekeres <lszekeres@google.com> and
+#            Michal Zalewski and
+#            Heiko Eißfeldt  <heiko@hexco.de>
+#
+# GCC integration design is based on the LLVM design, which comes
+# from Laszlo Szekeres.
+#
+# Copyright 2015 Google Inc. All rights reserved.
+# Copyright 2019-2020 AFLplusplus Project. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+
+PREFIX      ?= /usr/local
+HELPER_PATH  = $(PREFIX)/lib/afl
+BIN_PATH     = $(PREFIX)/bin
+
+CFLAGS      ?= -O3 -g -funroll-loops
+CFLAGS      += -Wall -I../include -D_FORTIFY_SOURCE=2 -Wno-pointer-sign \
+               -DAFL_PATH=\"$(HELPER_PATH)\" -DBIN_PATH=\"$(BIN_PATH)\" \
+
+CXXFLAGS    ?= -O3 -g -funroll-loops
+CXXEFLAGS   := $(CXXFLAGS) -Wall -D_FORTIFY_SOURCE=2
+
+CC          ?= gcc
+CXX         ?= g++
+
+PLUGIN_FLAGS = -fPIC -fno-rtti -I"$(shell $(CC) -print-file-name=plugin)/include"
+HASH=\#
+
+ifeq "$(shell echo '$(HASH)include <sys/ipc.h>@$(HASH)include <sys/shm.h>@int main() { int _id = shmget(IPC_PRIVATE, 65536, IPC_CREAT | IPC_EXCL | 0600); shmctl(_id, IPC_RMID, 0); return 0;}' | tr @ '\n' | $(CC) -x c - -o .test2 2>/dev/null && echo 1 || echo 0 ; rm -f .test2 )" "1"
+	SHMAT_OK=1
+else
+	SHMAT_OK=0
+	CFLAGS+=-DUSEMMAP=1
+	LDFLAGS += -lrt
+endif
+
+ifeq "$(TEST_MMAP)" "1"
+	SHMAT_OK=0
+	CFLAGS+=-DUSEMMAP=1
+	LDFLAGS += -lrt
+endif
+
+PROGS        = ../afl-gcc-fast ../afl-gcc-pass.so ../afl-gcc-rt.o
+
+
+all: test_shm test_deps $(PROGS) afl-gcc-fast.8 test_build all_done
+
+ifeq "$(SHMAT_OK)" "1"
+
+test_shm:
+	@echo "[+] shmat seems to be working."
+	@rm -f .test2
+
+else
+
+test_shm:
+	@echo "[-] shmat seems not to be working, switching to mmap implementation"
+
+endif
+
+
+test_deps:
+	@echo "[*] Checking for working '$(CC)'..."
+	@which $(CC) >/dev/null 2>&1 || ( echo "[-] Oops, can't find '$(CC)'. Make sure that it's in your \$$PATH (or set \$$CC and \$$CXX)."; exit 1 )
+#	@echo "[*] Checking for gcc for plugin support..."
+#	@$(CC) -v 2>&1 | grep -q -- --enable-plugin || ( echo "[-] Oops, this gcc has not been configured with plugin support."; exit 1 )
+	@echo "[*] Checking for gcc plugin development header files..."
+	@test -d `$(CC) -print-file-name=plugin`/include || ( echo "[-] Oops, can't find gcc header files. Be sure to install 'gcc-X-plugin-dev'."; exit 1 )
+	@echo "[*] Checking for '../afl-showmap'..."
+	@test -f ../afl-showmap || ( echo "[-] Oops, can't find '../afl-showmap'. Be sure to compile AFL first."; exit 1 )
+	@echo "[+] All set and ready to build."
+
+afl-common.o: ../src/afl-common.c
+	$(CC) $(CFLAGS) -c $< -o $@ $(LDFLAGS)
+
+../afl-gcc-fast: afl-gcc-fast.c afl-common.o | test_deps
+	$(CC) -DAFL_GCC_CC=\"$(CC)\" -DAFL_GCC_CXX=\"$(CXX)\" $(CFLAGS) $< afl-common.o -o $@ $(LDFLAGS)
+	ln -sf afl-gcc-fast ../afl-g++-fast
+
+../afl-gcc-pass.so: afl-gcc-pass.so.cc | test_deps
+	$(CXX) $(CXXEFLAGS) $(PLUGIN_FLAGS) -shared $< -o $@
+
+../afl-gcc-rt.o: afl-gcc-rt.o.c | test_deps
+	$(CC) $(CFLAGS) -fPIC -c $< -o $@
+
+test_build: $(PROGS)
+	@echo "[*] Testing the CC wrapper and instrumentation output..."
+	unset AFL_USE_ASAN AFL_USE_MSAN; AFL_QUIET=1 AFL_INST_RATIO=100 AFL_PATH=. AFL_CC=$(CC) ../afl-gcc-fast $(CFLAGS) ../test-instr.c -o test-instr $(LDFLAGS)
+#	unset AFL_USE_ASAN AFL_USE_MSAN;             AFL_INST_RATIO=100 AFL_PATH=. AFL_CC=$(CC) ../afl-gcc-fast $(CFLAGS) ../test-instr.c -o test-instr $(LDFLAGS)
+	../afl-showmap -m none -q -o .test-instr0 ./test-instr </dev/null
+	echo 1 | ../afl-showmap -m none -q -o .test-instr1 ./test-instr
+	@rm -f test-instr
+	@cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation does not seem to be behaving correctly!"; echo; echo "Please post to https://github.com/vanhauser-thc/AFLplusplus/issues to troubleshoot the issue."; echo; exit 1; fi
+	@echo "[+] All right, the instrumentation seems to be working!"
+
+all_done: test_build
+	@echo "[+] All done! You can now use '../afl-gcc-fast' to compile programs."
+
+.NOTPARALLEL: clean
+
+vpath  % ..
+%.8: %
+	@echo .TH $* 8 `date "+%Y-%m-%d"` "afl++" > ../$@
+	@echo .SH NAME >> ../$@
+	@echo .B $* >> ../$@
+	@echo >> ../$@
+	@echo .SH SYNOPSIS >> ../$@
+	@../$* -h 2>&1 | head -n 3 | tail -n 1 | sed 's/^\.\///' >> ../$@
+	@echo >> ../$@
+	@echo .SH OPTIONS >> ../$@
+	@echo .nf >> ../$@
+	@../$* -h 2>&1 | tail -n +4 >> ../$@
+	@echo >> ../$@
+	@echo .SH AUTHOR >> ../$@
+	@echo "afl++ was written by Michal \"lcamtuf\" Zalewski and is maintained by Marc \"van Hauser\" Heuse <mh@mh-sec.de>, Heiko \"hexcoder-\" Eissfeldt <heiko.eissfeldt@hexco.de> and Andrea Fioraldi <andreafioraldi@gmail.com>" >> ../$@
+	@echo  The homepage of afl++ is: https://github.com/vanhauser-thc/AFLplusplus >> ../$@
+	@echo >> ../$@
+	@echo .SH LICENSE >> ../$@
+	@echo Apache License Version 2.0, January 2004 >> ../$@
+	ln -sf afl-gcc-fast.8 ../afl-g++-fast.8
+
+clean:
+	rm -f *.o *.so *~ a.out core core.[1-9][0-9]* test-instr .test-instr0 .test-instr1 .test2
+	rm -f $(PROGS) afl-common.o ../afl-g++-fast ../afl-g*-fast.8

gcc_plugin/README.md

@@ -0,0 +1,158 @@
+# GCC-based instrumentation for afl-fuzz
+
+  (See [../README.md](../README.md) for the general instruction manual.)
+  (See [../llvm_mode/README.md](../llvm_mode/README.md) for the LLVM-based instrumentation.)
+
+!!! TODO items are:
+!!!  => inline instrumentation has to work!
+!!!
+
+
+## 1) Introduction
+
+The code in this directory allows you to instrument programs for AFL using
+true compiler-level instrumentation, instead of the more crude
+assembly-level rewriting approach taken by afl-gcc and afl-clang. This has
+several interesting properties:
+
+  - The compiler can make many optimizations that are hard to pull off when
+    manually inserting assembly. As a result, some slow, CPU-bound programs will
+    run up to around faster.
+
+    The gains are less pronounced for fast binaries, where the speed is limited
+    chiefly by the cost of creating new processes. In such cases, the gain will
+    probably stay within 10%.
+
+  - The instrumentation is CPU-independent. At least in principle, you should
+    be able to rely on it to fuzz programs on non-x86 architectures (after
+    building afl-fuzz with AFL_NOX86=1).
+
+  - Because the feature relies on the internals of GCC, it is gcc-specific
+    and will *not* work with LLVM (see ../llvm_mode for an alternative).
+
+Once this implementation is shown to be sufficiently robust and portable, it
+will probably replace afl-gcc. For now, it can be built separately and
+co-exists with the original code.
+
+The idea and much of the implementation comes from Laszlo Szekeres.
+
+## 2) How to use
+
+In order to leverage this mechanism, you need to have modern enough GCC
+(>= version 4.5.0) and the plugin headers installed on your system. That
+should be all you need. On Debian machines, these headers can be acquired by
+installing the `gcc-<VERSION>-plugin-dev` packages.
+
+To build the instrumentation itself, type 'make'. This will generate binaries
+called afl-gcc-fast and afl-g++-fast in the parent directory. 
+If the CC/CXX have been overridden, those compilers will be used from
+those wrappers without using AFL_CXX/AFL_CC settings.
+Once this is done, you can instrument third-party code in a way similar to the
+standard operating mode of AFL, e.g.:
+
+  CC=/path/to/afl/afl-gcc-fast ./configure [...options...]
+  make
+
+Be sure to also include CXX set to afl-g++-fast for C++ code.
+
+The tool honors roughly the same environmental variables as afl-gcc (see
+[env_variables.md](../docs/env_variables.md). This includes AFL_INST_RATIO, AFL_USE_ASAN,
+AFL_HARDEN, and AFL_DONT_OPTIMIZE.
+
+Note: if you want the GCC plugin to be installed on your system for all
+users, you need to build it before issuing 'make install' in the parent
+directory.
+
+## 3) Gotchas, feedback, bugs
+
+This is an early-stage mechanism, so field reports are welcome. You can send bug
+reports to <hexcoder-@github.com>.
+
+## 4) Bonus feature #1: deferred initialization
+
+AFL tries to optimize performance by executing the targeted binary just once,
+stopping it just before main(), and then cloning this "master" process to get
+a steady supply of targets to fuzz.
+
+Although this approach eliminates much of the OS-, linker- and libc-level
+costs of executing the program, it does not always help with binaries that
+perform other time-consuming initialization steps - say, parsing a large config
+file before getting to the fuzzed data.
+
+In such cases, it's beneficial to initialize the forkserver a bit later, once
+most of the initialization work is already done, but before the binary attempts
+to read the fuzzed input and parse it; in some cases, this can offer a 10x+
+performance gain. You can implement delayed initialization in LLVM mode in a
+fairly simple way.
+
+First, locate a suitable location in the code where the delayed cloning can
+take place. This needs to be done with *extreme* care to avoid breaking the
+binary. In particular, the program will probably malfunction if you select
+a location after:
+
+  - The creation of any vital threads or child processes - since the forkserver
+    can't clone them easily.
+
+  - The initialization of timers via setitimer() or equivalent calls.
+
+  - The creation of temporary files, network sockets, offset-sensitive file
+    descriptors, and similar shared-state resources - but only provided that
+    their state meaningfully influences the behavior of the program later on.
+
+  - Any access to the fuzzed input, including reading the metadata about its
+    size.
+
+With the location selected, add this code in the appropriate spot:
+
+```
+#ifdef __AFL_HAVE_MANUAL_CONTROL
+  __AFL_INIT();
+#endif
+```
+
+You don't need the #ifdef guards, but they will make the program still work as
+usual when compiled with a tool other than afl-gcc-fast/afl-clang-fast.
+
+Finally, recompile the program with afl-gcc-fast (afl-gcc or afl-clang will
+*not* generate a deferred-initialization binary) - and you should be all set!
+
+## 5) Bonus feature #2: persistent mode
+
+Some libraries provide APIs that are stateless, or whose state can be reset in
+between processing different input files. When such a reset is performed, a
+single long-lived process can be reused to try out multiple test cases,
+eliminating the need for repeated fork() calls and the associated OS overhead.
+
+The basic structure of the program that does this would be:
+
+```
+  while (__AFL_LOOP(1000)) {
+
+    /* Read input data. */
+    /* Call library code to be fuzzed. */
+    /* Reset state. */
+
+  }
+
+  /* Exit normally */
+```
+
+The numerical value specified within the loop controls the maximum number
+of iterations before AFL will restart the process from scratch. This minimizes
+the impact of memory leaks and similar glitches; 1000 is a good starting point.
+
+A more detailed template is shown in ../examples/persistent_demo/.
+Similarly to the previous mode, the feature works only with afl-gcc-fast or
+afl-clang-fast; #ifdef guards can be used to suppress it when using other
+compilers.
+
+Note that as with the previous mode, the feature is easy to misuse; if you
+do not reset the critical state fully, you may end up with false positives or
+waste a whole lot of CPU power doing nothing useful at all. Be particularly
+wary of memory leaks and the state of file descriptors.
+
+When running in this mode, the execution paths will inherently vary a bit
+depending on whether the input loop is being entered for the first time or
+executed again. To avoid spurious warnings, the feature implies
+AFL_NO_VAR_CHECK and hides the "variable path" warnings in the UI.
+

gcc_plugin/README.whitelist.md

@@ -0,0 +1,73 @@
+========================================
+Using afl++ with partial instrumentation
+========================================
+
+  This file describes how you can selectively instrument only the source files
+  that are interesting to you using the gcc instrumentation provided by
+  afl++.
+
+  Plugin by hexcoder-.
+
+
+## 1) Description and purpose
+
+When building and testing complex programs where only a part of the program is
+the fuzzing target, it often helps to only instrument the necessary parts of
+the program, leaving the rest uninstrumented. This helps to focus the fuzzer
+on the important parts of the program, avoiding undesired noise and
+disturbance by uninteresting code being exercised.
+
+For this purpose, I have added a "partial instrumentation" support to the gcc
+plugin of AFLFuzz that allows you to specify on a source file level which files
+should be compiled with or without instrumentation.
+
+
+## 2) Building the gcc plugin
+
+The new code is part of the existing afl++ gcc plugin in the gcc_plugin/
+subdirectory. There is nothing specifically to do :)
+
+
+## 3) How to use the partial instrumentation mode
+
+In order to build with partial instrumentation, you need to build with
+afl-gcc-fast and afl-g++-fast respectively. The only required change is
+that you need to set the environment variable AFL_GCC_WHITELIST when calling
+the compiler.
+
+The environment variable must point to a file containing all the filenames
+that should be instrumented. For matching, the filename that is being compiled
+must end in the filename entry contained in this whitelist (to avoid breaking
+the matching when absolute paths are used during compilation).
+
+For example if your source tree looks like this:
+
+```
+project/
+project/feature_a/a1.cpp
+project/feature_a/a2.cpp
+project/feature_b/b1.cpp
+project/feature_b/b2.cpp
+```
+
+and you only want to test feature_a, then create a whitelist file containing:
+
+```
+feature_a/a1.cpp
+feature_a/a2.cpp
+```
+
+However if the whitelist file contains only this, it works as well:
+
+```
+a1.cpp
+a2.cpp
+```
+
+but it might lead to files being unwantedly instrumented if the same filename
+exists somewhere else in the project directories.
+
+The created whitelist file is then set to AFL_GCC_WHITELIST when you compile
+your program. For each file that didn't match the whitelist, the compiler will
+issue a warning at the end stating that no blocks were instrumented. If you
+didn't intend to instrument that file, then you can safely ignore that warning.

gcc_plugin/afl-gcc-fast.c

@@ -0,0 +1,371 @@
+/*
+   american fuzzy lop++ - GCC wrapper for GCC plugin
+   ------------------------------------------------
+
+   Written by Austin Seipp <aseipp@pobox.com> and
+              Laszlo Szekeres <lszekeres@google.com> and
+              Michal Zalewski
+
+   GCC integration design is based on the LLVM design, which comes
+   from Laszlo Szekeres.
+
+   Copyright 2015 Google Inc. All rights reserved.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at:
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+   This program is a drop-in replacement for gcc, similar in most
+   respects to ../afl-gcc, but with compiler instrumentation through a
+   plugin. It tries to figure out compilation mode, adds a bunch of
+   flags, and then calls the real compiler.
+
+ */
+
+#define AFL_MAIN
+
+#include "config.h"
+#include "types.h"
+#include "debug.h"
+#include "common.h"
+#include "alloc-inl.h"
+
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <string.h>
+
+static u8*  obj_path;                  /* Path to runtime libraries         */
+static u8** cc_params;                 /* Parameters passed to the real CC  */
+static u32  cc_par_cnt = 1;            /* Param count, including argv0      */
+u8          use_stdin = 0;                                         /* dummy */
+
+/* Try to find the runtime libraries. If that fails, abort. */
+
+static void find_obj(u8* argv0) {
+
+  u8* afl_path = getenv("AFL_PATH");
+  u8 *slash, *tmp;
+
+  if (afl_path) {
+
+    tmp = alloc_printf("%s/afl-gcc-rt.o", afl_path);
+
+    if (!access(tmp, R_OK)) {
+
+      obj_path = afl_path;
+      ck_free(tmp);
+      return;
+
+    }
+
+    ck_free(tmp);
+
+  }
+
+  slash = strrchr(argv0, '/');
+
+  if (slash) {
+
+    u8* dir;
+
+    *slash = 0;
+    dir = ck_strdup(argv0);
+    *slash = '/';
+
+    tmp = alloc_printf("%s/afl-gcc-rt.o", dir);
+
+    if (!access(tmp, R_OK)) {
+
+      obj_path = dir;
+      ck_free(tmp);
+      return;
+
+    }
+
+    ck_free(tmp);
+    ck_free(dir);
+
+  }
+
+  if (!access(AFL_PATH "/afl-gcc-rt.o", R_OK)) {
+
+    obj_path = AFL_PATH;
+    return;
+
+  }
+
+  FATAL(
+      "Unable to find 'afl-gcc-rt.o' or 'afl-gcc-pass.so'. Please set "
+      "AFL_PATH");
+
+}
+
+/* Copy argv to cc_params, making the necessary edits. */
+
+static void edit_params(u32 argc, char** argv) {
+
+  u8  fortify_set = 0, asan_set = 0, x_set = 0, maybe_linking = 1;
+  u8* name;
+
+  cc_params = ck_alloc((argc + 128) * sizeof(u8*));
+
+  name = strrchr(argv[0], '/');
+  if (!name)
+    name = argv[0];
+  else
+    ++name;
+
+  if (!strcmp(name, "afl-g++-fast")) {
+
+    u8* alt_cxx = getenv("AFL_CXX");
+    cc_params[0] = alt_cxx ? alt_cxx : (u8*)AFL_GCC_CXX;
+
+  } else {
+
+    u8* alt_cc = getenv("AFL_CC");
+    cc_params[0] = alt_cc ? alt_cc : (u8*)AFL_GCC_CC;
+
+  }
+
+  char* fplugin_arg = alloc_printf("-fplugin=%s/afl-gcc-pass.so", obj_path);
+  cc_params[cc_par_cnt++] = fplugin_arg;
+
+  /* Detect stray -v calls from ./configure scripts. */
+
+  if (argc == 1 && !strcmp(argv[1], "-v")) maybe_linking = 0;
+
+  while (--argc) {
+
+    u8* cur = *(++argv);
+
+#if defined(__x86_64__)
+    if (!strcmp(cur, "-m32")) FATAL("-m32 is not supported");
+#endif
+
+    if (!strcmp(cur, "-x")) x_set = 1;
+
+    if (!strcmp(cur, "-c") || !strcmp(cur, "-S") || !strcmp(cur, "-E") ||
+        !strcmp(cur, "-v"))
+      maybe_linking = 0;
+
+    if (!strcmp(cur, "-fsanitize=address") || !strcmp(cur, "-fsanitize=memory"))
+      asan_set = 1;
+
+    if (strstr(cur, "FORTIFY_SOURCE")) fortify_set = 1;
+
+    if (!strcmp(cur, "-shared")) maybe_linking = 0;
+
+    cc_params[cc_par_cnt++] = cur;
+
+  }
+
+  if (getenv("AFL_HARDEN")) {
+
+    cc_params[cc_par_cnt++] = "-fstack-protector-all";
+
+    if (!fortify_set) cc_params[cc_par_cnt++] = "-D_FORTIFY_SOURCE=2";
+
+  }
+
+  if (!asan_set) {
+
+    if (getenv("AFL_USE_ASAN")) {
+
+      if (getenv("AFL_USE_MSAN")) FATAL("ASAN and MSAN are mutually exclusive");
+
+      if (getenv("AFL_HARDEN"))
+        FATAL("ASAN and AFL_HARDEN are mutually exclusive");
+
+      cc_params[cc_par_cnt++] = "-U_FORTIFY_SOURCE";
+      cc_params[cc_par_cnt++] = "-fsanitize=address";
+
+    } else if (getenv("AFL_USE_MSAN")) {
+
+      if (getenv("AFL_USE_ASAN")) FATAL("ASAN and MSAN are mutually exclusive");
+
+      if (getenv("AFL_HARDEN"))
+        FATAL("MSAN and AFL_HARDEN are mutually exclusive");
+
+      cc_params[cc_par_cnt++] = "-U_FORTIFY_SOURCE";
+      cc_params[cc_par_cnt++] = "-fsanitize=memory";
+
+    }
+
+  }
+
+  if (getenv("AFL_USE_UBSAN")) {
+
+    cc_params[cc_par_cnt++] = "-fsanitize=undefined";
+    cc_params[cc_par_cnt++] = "-fsanitize-undefined-trap-on-error";
+    cc_params[cc_par_cnt++] = "-fno-sanitize-recover=all";
+
+  }
+
+  if (!getenv("AFL_DONT_OPTIMIZE")) {
+
+    cc_params[cc_par_cnt++] = "-g";
+    cc_params[cc_par_cnt++] = "-O3";
+    cc_params[cc_par_cnt++] = "-funroll-loops";
+
+  }
+
+  if (getenv("AFL_NO_BUILTIN")) {
+
+    cc_params[cc_par_cnt++] = "-fno-builtin-strcmp";
+    cc_params[cc_par_cnt++] = "-fno-builtin-strncmp";
+    cc_params[cc_par_cnt++] = "-fno-builtin-strcasecmp";
+    cc_params[cc_par_cnt++] = "-fno-builtin-strncasecmp";
+    cc_params[cc_par_cnt++] = "-fno-builtin-memcmp";
+    cc_params[cc_par_cnt++] = "-fno-builtin-bcmp";
+    cc_params[cc_par_cnt++] = "-fno-builtin-strstr";
+    cc_params[cc_par_cnt++] = "-fno-builtin-strcasestr";
+
+  }
+
+#ifdef USEMMAP
+  cc_params[cc_par_cnt++] = "-lrt";
+#endif
+
+  cc_params[cc_par_cnt++] = "-D__AFL_HAVE_MANUAL_CONTROL=1";
+  cc_params[cc_par_cnt++] = "-D__AFL_COMPILER=1";
+  cc_params[cc_par_cnt++] = "-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION=1";
+
+  /* When the user tries to use persistent or deferred forkserver modes by
+     appending a single line to the program, we want to reliably inject a
+     signature into the binary (to be picked up by afl-fuzz) and we want
+     to call a function from the runtime .o file. This is unnecessarily
+     painful for three reasons:
+
+     1) We need to convince the compiler not to optimize out the signature.
+        This is done with __attribute__((used)).
+
+     2) We need to convince the linker, when called with -Wl,--gc-sections,
+        not to do the same. This is done by forcing an assignment to a
+        'volatile' pointer.
+
+     3) We need to declare __afl_persistent_loop() in the global namespace,
+        but doing this within a method in a class is hard - :: and extern "C"
+        are forbidden and __attribute__((alias(...))) doesn't work. Hence the
+        __asm__ aliasing trick.
+
+   */
+
+  cc_params[cc_par_cnt++] =
+      "-D__AFL_LOOP(_A)="
+      "({ static volatile char *_B __attribute__((used)); "
+      " _B = (char*)\"" PERSIST_SIG
+      "\"; "
+#ifdef __APPLE__
+      "int _L(unsigned int) __asm__(\"___afl_persistent_loop\"); "
+#else
+      "int _L(unsigned int) __asm__(\"__afl_persistent_loop\"); "
+#endif                                                        /* ^__APPLE__ */
+      "_L(_A); })";
+
+  cc_params[cc_par_cnt++] =
+      "-D__AFL_INIT()="
+      "do { static volatile char *_A __attribute__((used)); "
+      " _A = (char*)\"" DEFER_SIG
+      "\"; "
+#ifdef __APPLE__
+      "void _I(void) __asm__(\"___afl_manual_init\"); "
+#else
+      "void _I(void) __asm__(\"__afl_manual_init\"); "
+#endif                                                        /* ^__APPLE__ */
+      "_I(); } while (0)";
+
+  if (maybe_linking) {
+
+    if (x_set) {
+
+      cc_params[cc_par_cnt++] = "-x";
+      cc_params[cc_par_cnt++] = "none";
+
+    }
+
+    cc_params[cc_par_cnt++] = alloc_printf("%s/afl-gcc-rt.o", obj_path);
+
+  }
+
+  cc_params[cc_par_cnt] = NULL;
+
+}
+
+/* Main entry point */
+
+int main(int argc, char** argv, char** envp) {
+
+  if (argc < 2 || strcmp(argv[1], "-h") == 0) {
+
+    printf(
+        cCYA
+        "afl-gcc-fast" VERSION cRST
+        " initially by <aseipp@pobox.com>, maintainer: hexcoder-\n"
+        "\n"
+        "afl-gcc-fast [options]\n"
+        "\n"
+        "This is a helper application for afl-fuzz. It serves as a drop-in "
+        "replacement\n"
+        "for gcc, letting you recompile third-party code with the required "
+        "runtime\n"
+        "instrumentation. A common use pattern would be one of the "
+        "following:\n\n"
+
+        "  CC=%s/afl-gcc-fast ./configure\n"
+        "  CXX=%s/afl-g++-fast ./configure\n\n"
+
+        "In contrast to the traditional afl-gcc tool, this version is "
+        "implemented as\n"
+        "a GCC plugin and tends to offer improved performance with slow "
+        "programs\n"
+        "(similarly to the LLVM plugin used by afl-clang-fast).\n\n"
+
+        "You can specify custom next-stage toolchain via AFL_CC and AFL_CXX. "
+        "Setting\n"
+        "AFL_HARDEN enables hardening optimizations in the compiled code.\n\n",
+        BIN_PATH, BIN_PATH);
+
+    exit(1);
+
+  } else if ((isatty(2) && !getenv("AFL_QUIET")) ||
+
+             getenv("AFL_DEBUG") != NULL) {
+
+    SAYF(cCYA "afl-gcc-fast" VERSION cRST
+              " initially by <aseipp@pobox.com>, maintainer: hexcoder-\n");
+
+    if (getenv("AFL_GCC_WHITELIST") == NULL) {
+
+      SAYF(cYEL "Warning:" cRST
+                " using afl-gcc-fast without using AFL_GCC_WHITELIST currently "
+                "produces worse results than afl-gcc. Even better, use "
+                "llvm_mode for now.\n");
+
+    }
+
+  }
+
+  check_environment_vars(envp);
+
+  find_obj(argv[0]);
+
+  edit_params(argc, argv);
+  /*if (isatty(2) && !getenv("AFL_QUIET")) {
+
+            printf("Calling \"%s\" with:\n", cc_params[0]);
+            for(int i=1; i<cc_par_cnt; i++) printf("%s\n", cc_params[i]);
+
+    }
+
+  */
+  execvp(cc_params[0], (char**)cc_params);
+
+  FATAL("Oops, failed to execute '%s' - check your PATH", cc_params[0]);
+
+  return 0;
+
+}
+

gcc_plugin/afl-gcc-pass.so.cc

@@ -0,0 +1,593 @@
+//
+// There are some TODOs in this file:
+//   - fix instrumentation via external call
+//   - fix inline instrumentation
+//   - implement whitelist feature
+//   - dont instrument blocks that are uninteresting
+//   - implement neverZero
+//
+
+/*
+   american fuzzy lop++ - GCC instrumentation pass
+   ---------------------------------------------
+
+   Written by Austin Seipp <aseipp@pobox.com> with bits from
+              Emese Revfy <re.emese@gmail.com>
+
+   Fixed by Heiko Eißfeldt 2019-2020 for AFL++
+
+   GCC integration design is based on the LLVM design, which comes
+   from Laszlo Szekeres. Some of the boilerplate code below for
+   afl_pass to adapt to different GCC versions was taken from Emese
+   Revfy's Size Overflow plugin for GCC, licensed under the GPLv2/v3.
+
+   (NOTE: this plugin code is under GPLv3, in order to comply with the
+   GCC runtime library exception, which states that you may distribute
+   "Target Code" from the compiler under a license of your choice, as
+   long as the "Compilation Process" is "Eligible", and contains no
+   GPL-incompatible software in GCC "during the process of
+   transforming high level code to target code". In this case, the
+   plugin will be used to generate "Target Code" during the
+   "Compilation Process", and thus it must be GPLv3 to be "eligible".)
+
+   Copyright (C) 2015 Austin Seipp
+
+   This program is free software: you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation, either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+ */
+
+#define BUILD_INLINE_INST
+
+#include "../config.h"
+#include "../include/debug.h"
+
+/* clear helper AFL types pulls in, which intervene with gcc-plugin geaders from
+ * GCC-8 */
+#ifdef likely
+#undef likely
+#endif
+#ifdef unlikely
+#undef unlikely
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#include <list>
+#include <string>
+#include <fstream>
+
+#include <gcc-plugin.h>
+#include <plugin-version.h>
+#include <diagnostic.h>
+#include <tree.h>
+#include <tree-ssa.h>
+#include <tree-pass.h>
+#include <tree-ssa-alias.h>
+#include <basic-block.h>
+#include <gimple-expr.h>
+#include <gimple.h>
+#include <gimple-iterator.h>
+#include <gimple-ssa.h>
+#include <version.h>
+#include <toplev.h>
+#include <intl.h>
+#include <context.h>
+#include <stringpool.h>
+#include <cgraph.h>
+#include <cfgloop.h>
+
+/* -------------------------------------------------------------------------- */
+/* -- AFL instrumentation pass ---------------------------------------------- */
+
+static int                    be_quiet = 0;
+static unsigned int           inst_ratio = 100;
+static bool                   inst_ext = true;
+static std::list<std::string> myWhitelist;
+
+static unsigned int ext_call_instrument(function *fun) {
+
+  /* Instrument all the things! */
+  basic_block bb;
+  unsigned    finst_blocks = 0;
+  unsigned    fcnt_blocks = 0;
+
+  tree fntype = build_function_type_list(void_type_node,          /* return */
+                                         uint32_type_node,          /* args */
+                                         NULL_TREE);                /* done */
+  tree fndecl = build_fn_decl("__afl_trace", fntype);
+  TREE_STATIC(fndecl) = 1;                             /* Defined elsewhere */
+  TREE_PUBLIC(fndecl) = 1;                                        /* Public */
+  DECL_EXTERNAL(fndecl) = 1;                            /* External linkage */
+  DECL_ARTIFICIAL(fndecl) = 1;                      /* Injected by compiler */
+
+  FOR_EACH_BB_FN(bb, fun) {
+
+    gimple_seq           fcall;
+    gimple_seq           seq = NULL;
+    gimple_stmt_iterator bentry;
+    ++fcnt_blocks;
+
+    // only instrument if this basic block is the destination of a previous
+    // basic block that has multiple successors
+    // this gets rid of ~5-10% of instrumentations that are unnecessary
+    // result: a little more speed and less map pollution
+
+    int           more_than_one = -1;
+    edge          ep;
+    edge_iterator eip;
+
+    FOR_EACH_EDGE(ep, eip, bb->preds) {
+
+      int count = 0;
+      if (more_than_one == -1) more_than_one = 0;
+
+      basic_block   Pred = ep->src;
+      edge          es;
+      edge_iterator eis;
+      FOR_EACH_EDGE(es, eis, Pred->succs) {
+
+        basic_block Succ = es->dest;
+        if (Succ != NULL) count++;
+
+      }
+
+      if (count > 1) more_than_one = 1;
+
+    }
+
+    if (more_than_one != 1) continue;
+
+    /* Bail on this block if we trip the specified ratio */
+    if (R(100) >= inst_ratio) continue;
+
+    /* Make up cur_loc */
+    unsigned int rand_loc = R(MAP_SIZE);
+    tree         cur_loc = build_int_cst(uint32_type_node, rand_loc);
+
+    /* Update bitmap via external call */
+    /* to quote:
+     * /+ Trace a basic block with some ID +/
+     * void __afl_trace(u32 x);
+     */
+
+    fcall = gimple_build_call(
+        fndecl, 1,
+        cur_loc); /* generate the function _call_ to above built reference, with
+                   *1* parameter -> the random const for the location */
+    gimple_seq_add_stmt(&seq, fcall);         /* and insert into a sequence */
+
+    /* Done - grab the entry to the block and insert sequence */
+    bentry = gsi_after_labels(bb);
+    gsi_insert_seq_before(&bentry, seq, GSI_SAME_STMT);
+
+    ++finst_blocks;
+
+  }
+
+  /* Say something nice. */
+  if (!be_quiet) {
+
+    if (!finst_blocks)
+      WARNF(G_("No instrumentation targets found in " cBRI "%s" cRST),
+            function_name(fun));
+    else if (finst_blocks < fcnt_blocks)
+      OKF(G_("Instrumented %2u /%2u locations in " cBRI "%s" cRST),
+          finst_blocks, fcnt_blocks, function_name(fun));
+    else
+      OKF(G_("Instrumented %2u locations in " cBRI "%s" cRST), finst_blocks,
+          function_name(fun));
+
+  }
+
+  return 0;
+
+}
+
+static unsigned int inline_instrument(function *fun) {
+
+  /* Instrument all the things! */
+  basic_block bb;
+  unsigned    finst_blocks = 0;
+  unsigned    fcnt_blocks = 0;
+  tree        one = build_int_cst(unsigned_char_type_node, 1);
+  // tree zero = build_int_cst(unsigned_char_type_node, 0);
+
+  /* Set up global type declarations */
+  tree map_type = build_pointer_type(unsigned_char_type_node);
+  tree map_ptr_g =
+      build_decl(UNKNOWN_LOCATION, VAR_DECL,
+                 get_identifier_with_length("__afl_area_ptr", 14), map_type);
+  TREE_USED(map_ptr_g) = 1;
+  TREE_STATIC(map_ptr_g) = 1;                          /* Defined elsewhere */
+  DECL_EXTERNAL(map_ptr_g) = 1;                         /* External linkage */
+  DECL_PRESERVE_P(map_ptr_g) = 1;
+  DECL_ARTIFICIAL(map_ptr_g) = 1;                   /* Injected by compiler */
+  rest_of_decl_compilation(map_ptr_g, 1, 0);
+
+  tree prev_loc_g = build_decl(UNKNOWN_LOCATION, VAR_DECL,
+                               get_identifier_with_length("__afl_prev_loc", 14),
+                               uint32_type_node);
+  TREE_USED(prev_loc_g) = 1;
+  TREE_STATIC(prev_loc_g) = 1;                         /* Defined elsewhere */
+  DECL_EXTERNAL(prev_loc_g) = 1;                        /* External linkage */
+  DECL_PRESERVE_P(prev_loc_g) = 1;
+  DECL_ARTIFICIAL(prev_loc_g) = 1;                  /* Injected by compiler */
+  set_decl_tls_model(prev_loc_g, TLS_MODEL_REAL);          /* TLS attribute */
+  rest_of_decl_compilation(prev_loc_g, 1, 0);
+
+  FOR_EACH_BB_FN(bb, fun) {
+
+    gimple_seq           seq = NULL;
+    gimple_stmt_iterator bentry;
+    ++fcnt_blocks;
+
+    // only instrument if this basic block is the destination of a previous
+    // basic block that has multiple successors
+    // this gets rid of ~5-10% of instrumentations that are unnecessary
+    // result: a little more speed and less map pollution
+
+    int           more_than_one = -1;
+    edge          ep;
+    edge_iterator eip;
+    FOR_EACH_EDGE(ep, eip, bb->preds) {
+
+      int count = 0;
+      if (more_than_one == -1) more_than_one = 0;
+
+      basic_block   Pred = ep->src;
+      edge          es;
+      edge_iterator eis;
+      FOR_EACH_EDGE(es, eis, Pred->succs) {
+
+        basic_block Succ = es->dest;
+        if (Succ != NULL) count++;
+
+      }
+
+      if (count > 1) more_than_one = 1;
+
+    }
+
+    if (more_than_one != 1) continue;
+
+    /* Bail on this block if we trip the specified ratio */
+    if (R(100) >= inst_ratio) continue;
+
+    /* Make up cur_loc */
+
+    unsigned int rand_loc = R(MAP_SIZE);
+    tree         cur_loc = build_int_cst(uint32_type_node, rand_loc);
+
+    /* Load prev_loc, xor with cur_loc */
+    // gimple_assign <var_decl, prev_loc.0_1, prev_loc, NULL, NULL>
+    tree     prev_loc = create_tmp_var_raw(uint32_type_node, "prev_loc");
+    gassign *g = gimple_build_assign(prev_loc, VAR_DECL, prev_loc_g);
+    gimple_seq_add_stmt(&seq, g);  // load prev_loc
+    update_stmt(g);
+
+    // gimple_assign <bit_xor_expr, _2, prev_loc.0_1, 47231, NULL>
+    tree area_off = create_tmp_var_raw(uint32_type_node, "area_off");
+    g = gimple_build_assign(area_off, BIT_XOR_EXPR, prev_loc, cur_loc);
+    gimple_seq_add_stmt(&seq, g);  // area_off = prev_loc ^ cur_loc
+    update_stmt(g);
+
+    /* Update bitmap */
+
+    // gimple_assign <addr_expr, p_6, &map[_2], NULL, NULL>
+    tree map_ptr = create_tmp_var(map_type, "map_ptr");
+    tree map_ptr2 = create_tmp_var(map_type, "map_ptr2");
+
+    g = gimple_build_assign(map_ptr, map_ptr_g);
+    gimple_seq_add_stmt(&seq, g);  // map_ptr = __afl_area_ptr
+    update_stmt(g);
+
+#if 1
+#if 0
+		tree addr = build2(ADDR_EXPR, map_type, map_ptr, area_off);
+		g = gimple_build_assign(map_ptr2, MODIFY_EXPR, addr);
+		gimple_seq_add_stmt(&seq, g); // map_ptr2 = map_ptr + area_off
+		update_stmt(g);
+#else
+    g = gimple_build_assign(map_ptr2, PLUS_EXPR, map_ptr, area_off);
+    gimple_seq_add_stmt(&seq, g);  // map_ptr2 = map_ptr + area_off
+    update_stmt(g);
+#endif
+
+    // gimple_assign <mem_ref, _3, *p_6, NULL, NULL>
+    tree tmp1 = create_tmp_var_raw(unsigned_char_type_node, "tmp1");
+    g = gimple_build_assign(tmp1, MEM_REF, map_ptr2);
+    gimple_seq_add_stmt(&seq, g);  // tmp1 = *map_ptr2
+    update_stmt(g);
+#else
+    tree atIndex = build2(PLUS_EXPR, uint32_type_node, map_ptr, area_off);
+    tree array_address = build1(ADDR_EXPR, map_type, atIndex);
+    tree array_access = build1(INDIRECT_REF, map_type, array_address);
+    tree tmp1 = create_tmp_var(unsigned_char_type_node, "tmp1");
+    g = gimple_build_assign(tmp1, array_access);
+    gimple_seq_add_stmt(&seq, g);  // tmp1 = *(map_ptr + area_off)
+    update_stmt(g);
+#endif
+    // gimple_assign <plus_expr, _4, _3, 1, NULL>
+    tree tmp2 = create_tmp_var_raw(unsigned_char_type_node, "tmp2");
+    g = gimple_build_assign(tmp2, PLUS_EXPR, tmp1, one);
+    gimple_seq_add_stmt(&seq, g);  // tmp2 = tmp1 + 1
+    update_stmt(g);
+
+    // TODO: neverZero: here we have to check if tmp3 == 0
+    //                  and add 1 if so
+
+    // gimple_assign <ssa_name, *p_6, _4, NULL, NULL>
+    //		tree map_ptr3 = create_tmp_var_raw(map_type, "map_ptr3");
+    g = gimple_build_assign(map_ptr2, INDIRECT_REF, tmp2);
+    gimple_seq_add_stmt(&seq, g);  // *map_ptr2 = tmp2
+    update_stmt(g);
+
+    /* Set prev_loc to cur_loc >> 1 */
+
+    // gimple_assign <integer_cst, prev_loc, 23615, NULL, NULL>
+    tree shifted_loc = build_int_cst(TREE_TYPE(prev_loc_g), rand_loc >> 1);
+    tree prev_loc2 = create_tmp_var_raw(uint32_type_node, "prev_loc2");
+    g = gimple_build_assign(prev_loc2, shifted_loc);
+    gimple_seq_add_stmt(&seq, g);  // __afl_prev_loc = cur_loc >> 1
+    update_stmt(g);
+    g = gimple_build_assign(prev_loc_g, prev_loc2);
+    gimple_seq_add_stmt(&seq, g);  // __afl_prev_loc = cur_loc >> 1
+    update_stmt(g);
+
+    /* Done - grab the entry to the block and insert sequence */
+
+    bentry = gsi_after_labels(bb);
+    gsi_insert_seq_before(&bentry, seq, GSI_NEW_STMT);
+
+    ++finst_blocks;
+
+  }
+
+  /* Say something nice. */
+  if (!be_quiet) {
+
+    if (!finst_blocks)
+      WARNF(G_("No instrumentation targets found in " cBRI "%s" cRST),
+            function_name(fun));
+    else if (finst_blocks < fcnt_blocks)
+      OKF(G_("Instrumented %2u /%2u locations in " cBRI "%s" cRST),
+          finst_blocks, fcnt_blocks, function_name(fun));
+    else
+      OKF(G_("Instrumented   %2u   locations in " cBRI "%s" cRST), finst_blocks,
+          function_name(fun));
+
+  }
+
+  return 0;
+
+}
+
+/* -------------------------------------------------------------------------- */
+/* -- Boilerplate and initialization ---------------------------------------- */
+
+static const struct pass_data afl_pass_data = {
+
+    .type = GIMPLE_PASS,
+    .name = "afl-inst",
+    .optinfo_flags = OPTGROUP_NONE,
+
+    .tv_id = TV_NONE,
+    .properties_required = 0,
+    .properties_provided = 0,
+    .properties_destroyed = 0,
+    .todo_flags_start = 0,
+    // NOTE(aseipp): it's very, very important to include
+    // at least 'TODO_update_ssa' here so that GCC will
+    // properly update the resulting SSA form, e.g., to
+    // include new PHI nodes for newly added symbols or
+    // names. Do not remove this. Do not taunt Happy Fun
+    // Ball.
+    .todo_flags_finish = TODO_update_ssa | TODO_verify_il | TODO_cleanup_cfg,
+
+};
+
+namespace {
+
+class afl_pass : public gimple_opt_pass {
+
+ private:
+  bool do_ext_call;
+
+ public:
+  afl_pass(bool ext_call, gcc::context *g)
+      : gimple_opt_pass(afl_pass_data, g), do_ext_call(ext_call) {
+
+  }
+
+  unsigned int execute(function *fun) override {
+
+    if (!myWhitelist.empty()) {
+
+      bool         instrumentBlock = false;
+      std::string  instFilename;
+      unsigned int instLine = 0;
+
+      /* EXPR_FILENAME
+      This macro returns the name of the file in which the entity was declared,
+      as a char*. For an entity declared implicitly by the compiler (like
+      __builtin_ memcpy), this will be the string "<internal>".
+      */
+      const char *fname = DECL_SOURCE_FILE(fun->decl);
+
+      if (0 != strncmp("<internal>", fname, 10) &&
+          0 != strncmp("<built-in>", fname, 10)) {
+
+        instFilename = fname;
+        instLine = DECL_SOURCE_LINE(fun->decl);
+
+        /* Continue only if we know where we actually are */
+        if (!instFilename.empty()) {
+
+          for (std::list<std::string>::iterator it = myWhitelist.begin();
+               it != myWhitelist.end(); ++it) {
+
+            /* We don't check for filename equality here because
+             * filenames might actually be full paths. Instead we
+             * check that the actual filename ends in the filename
+             * specified in the list. */
+            if (instFilename.length() >= it->length()) {
+
+              if (instFilename.compare(instFilename.length() - it->length(),
+                                       it->length(), *it) == 0) {
+
+                instrumentBlock = true;
+                break;
+
+              }
+
+            }
+
+          }
+
+        }
+
+      }
+
+      /* Either we couldn't figure out our location or the location is
+       * not whitelisted, so we skip instrumentation. */
+      if (!instrumentBlock) {
+
+        if (!be_quiet) {
+
+          if (!instFilename.empty())
+            SAYF(cYEL "[!] " cBRI "Not in whitelist, skipping %s line %u...\n",
+                 instFilename.c_str(), instLine);
+          else
+            SAYF(cYEL "[!] " cBRI "No filename information found, skipping it");
+
+        }
+
+        return 0;
+
+      }
+
+    }
+
+    return do_ext_call ? ext_call_instrument(fun) : inline_instrument(fun);
+
+  }
+
+};                                                        /* class afl_pass */
+
+}  // namespace
+
+static struct opt_pass *make_afl_pass(bool ext_call, gcc::context *ctxt) {
+
+  return new afl_pass(ext_call, ctxt);
+
+}
+
+/* -------------------------------------------------------------------------- */
+/* -- Initialization -------------------------------------------------------- */
+
+int plugin_is_GPL_compatible = 1;
+
+static struct plugin_info afl_plugin_info = {
+
+    .version = "20191015",
+    .help = "AFL++ gcc plugin\n",
+
+};
+
+int plugin_init(struct plugin_name_args *  plugin_info,
+                struct plugin_gcc_version *version) {
+
+  struct register_pass_info afl_pass_info;
+  struct timeval            tv;
+  struct timezone           tz;
+  u32                       rand_seed;
+
+  /* Setup random() so we get Actually Random(TM) outputs from R() */
+  gettimeofday(&tv, &tz);
+  rand_seed = tv.tv_sec ^ tv.tv_usec ^ getpid();
+  SR(rand_seed);
+
+  /* Pass information */
+  afl_pass_info.pass = make_afl_pass(inst_ext, g);
+  afl_pass_info.reference_pass_name = "ssa";
+  afl_pass_info.ref_pass_instance_number = 1;
+  afl_pass_info.pos_op = PASS_POS_INSERT_AFTER;
+
+  if (!plugin_default_version_check(version, &gcc_version)) {
+
+    FATAL(G_("Incompatible gcc/plugin versions!"));
+
+  }
+
+  /* Show a banner */
+  if ((isatty(2) && !getenv("AFL_QUIET")) || getenv("AFL_DEBUG") != NULL) {
+
+    SAYF(G_(cCYA "afl-gcc-pass" VERSION cRST
+                 " initially by <aseipp@pobox.com>, maintainer: hexcoder-\n"));
+
+  } else
+
+    be_quiet = 1;
+
+  /* Decide instrumentation ratio */
+  char *inst_ratio_str = getenv("AFL_INST_RATIO");
+
+  if (inst_ratio_str) {
+
+    if (sscanf(inst_ratio_str, "%u", &inst_ratio) != 1 || !inst_ratio ||
+        inst_ratio > 100)
+      FATAL(G_("Bad value of AFL_INST_RATIO (must be between 1 and 100)"));
+    else {
+
+      if (!be_quiet)
+        ACTF(G_("%s instrumentation at ratio of %u%% in %s mode."),
+             inst_ext ? G_("Call-based") : G_("Inline"), inst_ratio,
+             getenv("AFL_HARDEN") ? G_("hardened") : G_("non-hardened"));
+
+    }
+
+  }
+
+  char *instWhiteListFilename = getenv("AFL_GCC_WHITELIST");
+  if (instWhiteListFilename) {
+
+    std::string   line;
+    std::ifstream fileStream;
+    fileStream.open(instWhiteListFilename);
+    if (!fileStream) fatal_error(0, "Unable to open AFL_GCC_WHITELIST");
+    getline(fileStream, line);
+    while (fileStream) {
+
+      myWhitelist.push_back(line);
+      getline(fileStream, line);
+
+    }
+
+  } else if (!be_quiet && getenv("AFL_LLVM_WHITELIST"))
+
+    SAYF(cYEL "[-] " cRST
+              "AFL_LLVM_WHITELIST environment variable detected - did you mean "
+              "AFL_GCC_WHITELIST?\n");
+
+  /* Go go gadget */
+  register_callback(plugin_info->base_name, PLUGIN_INFO, NULL,
+                    &afl_plugin_info);
+  register_callback(plugin_info->base_name, PLUGIN_PASS_MANAGER_SETUP, NULL,
+                    &afl_pass_info);
+  return 0;
+
+}
+

gcc_plugin/afl-gcc-rt.o.c

@@ -0,0 +1,300 @@
+/*
+   american fuzzy lop++ - GCC plugin instrumentation bootstrap
+   ---------------------------------------------------------
+
+   Written by Austin Seipp <aseipp@pobox.com> and
+              Laszlo Szekeres <lszekeres@google.com> and
+              Michal Zalewski
+
+   GCC integration design is based on the LLVM design, which comes
+   from Laszlo Szekeres.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at:
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+   This code is the rewrite of afl-as.h's main_payload.
+
+*/
+
+#ifdef __ANDROID__
+#include "android-ashmem.h"
+#endif
+#include "../config.h"
+#include "../types.h"
+
+#include <stdlib.h>
+#include <signal.h>
+#include <unistd.h>
+#include <string.h>
+#include <assert.h>
+
+#include <sys/mman.h>
+#include <sys/shm.h>
+#include <sys/wait.h>
+#include <sys/types.h>
+
+#include <sys/mman.h>
+#include <fcntl.h>
+
+/* Globals needed by the injected instrumentation. The __afl_area_initial region
+   is used for instrumentation output before __afl_map_shm() has a chance to
+   run. It will end up as .comm, so it shouldn't be too wasteful. */
+
+u8  __afl_area_initial[MAP_SIZE];
+u8 *__afl_area_ptr = __afl_area_initial;
+
+#ifdef __ANDROID__
+u32 __afl_prev_loc;
+#else
+__thread u32 __afl_prev_loc;
+#endif
+
+/* Trace a basic block with some ID */
+void __afl_trace(const u32 x) {
+
+#if 1                                      /* enable for neverZero feature. */
+  __afl_area_ptr[__afl_prev_loc ^ x] +=
+      1 + ((u8)(1 + __afl_area_ptr[__afl_prev_loc ^ x]) == 0);
+#else
+  ++__afl_area_ptr[__afl_prev_loc ^ x];
+#endif
+
+  __afl_prev_loc = (x >> 1);
+  return;
+
+}
+
+/* Running in persistent mode? */
+
+static u8 is_persistent;
+
+/* SHM setup. */
+
+static void __afl_map_shm(void) {
+
+  u8 *id_str = getenv(SHM_ENV_VAR);
+
+  /* If we're running under AFL, attach to the appropriate region, replacing the
+     early-stage __afl_area_initial region that is needed to allow some really
+     hacky .init code to work correctly in projects such as OpenSSL. */
+
+  if (id_str) {
+
+#ifdef USEMMAP
+    const char *   shm_file_path = id_str;
+    int            shm_fd = -1;
+    unsigned char *shm_base = NULL;
+
+    /* create the shared memory segment as if it was a file */
+    shm_fd = shm_open(shm_file_path, O_RDWR, 0600);
+    if (shm_fd == -1) {
+
+      printf("shm_open() failed\n");
+      exit(1);
+
+    }
+
+    /* map the shared memory segment to the address space of the process */
+    shm_base = mmap(0, MAP_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, shm_fd, 0);
+    if (shm_base == MAP_FAILED) {
+
+      close(shm_fd);
+      shm_fd = -1;
+
+      printf("mmap() failed\n");
+      exit(2);
+
+    }
+
+    __afl_area_ptr = shm_base;
+#else
+    u32 shm_id = atoi(id_str);
+
+    __afl_area_ptr = shmat(shm_id, NULL, 0);
+#endif
+
+    /* Whooooops. */
+
+    if (__afl_area_ptr == (void *)-1) exit(1);
+
+    /* Write something into the bitmap so that even with low AFL_INST_RATIO,
+       our parent doesn't give up on us. */
+
+    __afl_area_ptr[0] = 1;
+
+  }
+
+}
+
+/* Fork server logic. */
+
+static void __afl_start_forkserver(void) {
+
+  static u8 tmp[4];
+  s32       child_pid;
+
+  u8 child_stopped = 0;
+
+  void (*old_sigchld_handler)(int) = signal(SIGCHLD, SIG_DFL);
+
+  /* Phone home and tell the parent that we're OK. If parent isn't there,
+     assume we're not running in forkserver mode and just execute program. */
+
+  if (write(FORKSRV_FD + 1, tmp, 4) != 4) return;
+
+  while (1) {
+
+    u32 was_killed;
+    int status;
+
+    /* Wait for parent by reading from the pipe. Abort if read fails. */
+
+    if (read(FORKSRV_FD, &was_killed, 4) != 4) exit(1);
+
+    /* If we stopped the child in persistent mode, but there was a race
+       condition and afl-fuzz already issued SIGKILL, write off the old
+       process. */
+
+    if (child_stopped && was_killed) {
+
+      child_stopped = 0;
+      if (waitpid(child_pid, &status, 0) < 0) exit(1);
+
+    }
+
+    if (!child_stopped) {
+
+      /* Once woken up, create a clone of our process. */
+
+      child_pid = fork();
+      if (child_pid < 0) exit(1);
+
+      /* In child process: close fds, resume execution. */
+
+      if (!child_pid) {
+
+        signal(SIGCHLD, old_sigchld_handler);
+
+        close(FORKSRV_FD);
+        close(FORKSRV_FD + 1);
+        return;
+
+      }
+
+    } else {
+
+      /* Special handling for persistent mode: if the child is alive but
+         currently stopped, simply restart it with SIGCONT. */
+
+      kill(child_pid, SIGCONT);
+      child_stopped = 0;
+
+    }
+
+    /* In parent process: write PID to pipe, then wait for child. */
+
+    if (write(FORKSRV_FD + 1, &child_pid, 4) != 4) exit(1);
+
+    if (waitpid(child_pid, &status, is_persistent ? WUNTRACED : 0) < 0) exit(1);
+
+    /* In persistent mode, the child stops itself with SIGSTOP to indicate
+       a successful run. In this case, we want to wake it up without forking
+       again. */
+
+    if (WIFSTOPPED(status)) child_stopped = 1;
+
+    /* Relay wait status to pipe, then loop back. */
+
+    if (write(FORKSRV_FD + 1, &status, 4) != 4) exit(1);
+
+  }
+
+}
+
+/* A simplified persistent mode handler, used as explained in README.md. */
+
+int __afl_persistent_loop(unsigned int max_cnt) {
+
+  static u8  first_pass = 1;
+  static u32 cycle_cnt;
+
+  if (first_pass) {
+
+    /* Make sure that every iteration of __AFL_LOOP() starts with a clean slate.
+       On subsequent calls, the parent will take care of that, but on the first
+       iteration, it's our job to erase any trace of whatever happened
+       before the loop. */
+
+    if (is_persistent) {
+
+      memset(__afl_area_ptr, 0, MAP_SIZE);
+      __afl_area_ptr[0] = 1;
+      __afl_prev_loc = 0;
+
+    }
+
+    cycle_cnt = max_cnt;
+    first_pass = 0;
+    return 1;
+
+  }
+
+  if (is_persistent) {
+
+    if (--cycle_cnt) {
+
+      raise(SIGSTOP);
+
+      __afl_area_ptr[0] = 1;
+      __afl_prev_loc = 0;
+
+      return 1;
+
+    } else {
+
+      /* When exiting __AFL_LOOP(), make sure that the subsequent code that
+         follows the loop is not traced. We do that by pivoting back to the
+         dummy output region. */
+
+      __afl_area_ptr = __afl_area_initial;
+
+    }
+
+  }
+
+  return 0;
+
+}
+
+/* This one can be called from user code when deferred forkserver mode
+    is enabled. */
+
+void __afl_manual_init(void) {
+
+  static u8 init_done;
+
+  if (!init_done) {
+
+    __afl_map_shm();
+    __afl_start_forkserver();
+    init_done = 1;
+
+  }
+
+}
+
+/* Proper initialization routine. */
+
+__attribute__((constructor(101))) void __afl_auto_init(void) {
+
+  is_persistent = !!getenv(PERSIST_ENV_VAR);
+
+  if (getenv(DEFER_ENV_VAR)) return;
+
+  __afl_manual_init();
+
+}
+

include/afl-as.h

@@ -2,14 +2,14 @@
    american fuzzy lop++ - injectable parts
    ---------------------------------------
 
-   Originally written by Michal Zalewski <lcamtuf@google.com>
+   Originally written by Michal Zalewski
 
-   Now maintained by by Marc Heuse <mh@mh-sec.de>,
+   Now maintained by Marc Heuse <mh@mh-sec.de>,
                         Heiko Eißfeldt <heiko.eissfeldt@hexco.de> and
                         Andrea Fioraldi <andreafioraldi@gmail.com>
 
    Copyright 2016, 2017 Google Inc. All rights reserved.
-   Copyright 2019 AFLplusplus Project. All rights reserved.
+   Copyright 2019-2020 AFLplusplus Project. All rights reserved.
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
@@ -261,6 +261,7 @@ static const u8* main_payload_32 =
   "  je   __afl_setup_abort\n"
   "\n"
 #endif
+  "  movb $1, (%eax)\n"
   "  /* Store the address of the SHM region. */\n"
   "\n"
   "  movl %eax, __afl_area_ptr\n"
@@ -563,6 +564,7 @@ static const u8* main_payload_64 =
   "  je   __afl_setup_abort\n"
   "\n"
 #endif
+  "  movb $1, (%rax)\n"
   "  /* Store the address of the SHM region. */\n"
   "\n"
   "  movq %rax, %rdx\n"

include/afl-fuzz.h

@@ -2,14 +2,14 @@
    american fuzzy lop++ - fuzzer header
    ------------------------------------
 
-   Originally written by Michal Zalewski <lcamtuf@google.com>
+   Originally written by Michal Zalewski
 
-   Now maintained by by Marc Heuse <mh@mh-sec.de>,
+   Now maintained by Marc Heuse <mh@mh-sec.de>,
                         Heiko Eißfeldt <heiko.eissfeldt@hexco.de> and
                         Andrea Fioraldi <andreafioraldi@gmail.com>
 
    Copyright 2016, 2017 Google Inc. All rights reserved.
-   Copyright 2019 AFLplusplus Project. All rights reserved.
+   Copyright 2019-2020 AFLplusplus Project. All rights reserved.
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
@@ -72,18 +72,21 @@
 #include <sys/file.h>
 
 #if defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__) || \
-    defined(__NetBSD__)
+    defined(__NetBSD__) || defined(__DragonFly__)
 #include <sys/sysctl.h>
 #endif                           /* __APPLE__ || __FreeBSD__ || __OpenBSD__ */
 
 /* For systems that have sched_setaffinity; right now just Linux, but one
    can hope... */
 
-#if defined(__linux__) || defined(__FreeBSD__) || defined(__NetBSD__)
+#if defined(__linux__) || defined(__FreeBSD__) || defined(__NetBSD__) || \
+    defined(__DragonFly__)
 #define HAVE_AFFINITY 1
-#if defined(__FreeBSD__)
+#if defined(__FreeBSD__) || defined(__DragonFly__)
 #include <sys/param.h>
+#if defined(__FreeBSD__)
 #include <sys/cpuset.h>
+#endif
 #include <sys/user.h>
 #include <pthread.h>
 #include <pthread_np.h>
@@ -93,6 +96,10 @@
 #endif
 #endif                                                         /* __linux__ */
 
+#ifdef __APPLE__
+#include <TargetConditionals.h>
+#endif
+
 #ifndef SIMPLE_FILES
 #define CASE_PREFIX "id:"
 #else
@@ -111,7 +118,8 @@ struct queue_entry {
       has_new_cov,                      /* Triggers new coverage?           */
       var_behavior,                     /* Variable behavior?               */
       favored,                          /* Currently favored?               */
-      fs_redundant;                     /* Marked as redundant in the fs?   */
+      fs_redundant,                     /* Marked as redundant in the fs?   */
+      fully_colorized;                  /* Do not run redqueen stage again  */
 
   u32 bitmap_size,                      /* Number of bits set in bitmap     */
       fuzz_level,                       /* Number of fuzzing iterations     */
@@ -160,7 +168,10 @@ enum {
   /* 15 */ STAGE_HAVOC,
   /* 16 */ STAGE_SPLICE,
   /* 17 */ STAGE_PYTHON,
-  /* 18 */ STAGE_CUSTOM_MUTATOR
+  /* 18 */ STAGE_RADAMSA,
+  /* 19 */ STAGE_CUSTOM_MUTATOR,
+  /* 20 */ STAGE_COLORIZATION,
+  /* 21 */ STAGE_ITS,
 
 };
 
@@ -252,7 +263,7 @@ extern u8 *in_dir,                      /* Input directory with test cases  */
     *file_extension,                    /* File extension                   */
     *orig_cmdline,                      /* Original command line            */
     *doc_path,                          /* Path to documentation dir        */
-    *infoexec,                          /* Command to execute on a new crash */
+    *infoexec,                         /* Command to execute on a new crash */
     *out_file;                          /* File to fuzz, if any             */
 
 extern u32 exec_tmout;                  /* Configurable exec timeout (ms)   */
@@ -261,7 +272,10 @@ extern u32 hang_tmout;                  /* Timeout used for hang det (ms)   */
 extern u64 mem_limit;                   /* Memory cap for child (MB)        */
 
 extern u8 cal_cycles,                   /* Calibration cycles defaults      */
-    cal_cycles_long, debug,             /* Debug mode                       */
+    cal_cycles_long,                    /* Calibration cycles defaults      */
+    no_unlink,                          /* do not unlink cur_input          */
+    use_stdin,                          /* use stdin for sending data       */
+    debug,                              /* Debug mode                       */
     custom_only,                        /* Custom mutator only mode         */
     python_only;                        /* Python-only mode                 */
 
@@ -285,6 +299,9 @@ extern char* power_names[POWER_SCHEDULES_NUM];
 extern u8 schedule;                     /* Power schedule (default: EXPLORE)*/
 extern u8 havoc_max_mult;
 
+extern u8 use_radamsa;
+extern size_t (*radamsa_mutate_ptr)(u8*, size_t, u8*, size_t, u32);
+
 extern u8 skip_deterministic,           /* Skip deterministic stages?       */
     force_deterministic,                /* Force deterministic stages?      */
     use_splicing,                       /* Recombine input files?           */
@@ -312,7 +329,8 @@ extern u8 skip_deterministic,           /* Skip deterministic stages?       */
     deferred_mode,                      /* Deferred forkserver mode?        */
     fixed_seed,                         /* do not reseed                    */
     fast_cal,                           /* Try to calibrate faster?         */
-    uses_asan;                          /* Target uses ASAN?                */
+    uses_asan,                          /* Target uses ASAN?                */
+    disable_trim;                       /* Never trim in fuzz_one           */
 
 extern s32 out_fd,                      /* Persistent fd for out_file       */
 #ifndef HAVE_ARC4RANDOM
@@ -400,6 +418,9 @@ extern u64 stage_finds[32],             /* Patterns found per fuzz stage    */
 extern u32 rand_cnt;                    /* Random number counter            */
 #endif
 
+extern u32 rand_seed[2];
+extern s64 init_seed;
+
 extern u64 total_cal_us,                /* Total calibration time (us)      */
     total_cal_cycles;                   /* Total calibration cycles         */
 
@@ -432,6 +453,11 @@ extern u32                a_extras_cnt; /* Total number of tokens available */
 
 u8* (*post_handler)(u8* buf, u32* len);
 
+/* CmpLog */
+
+extern u8* cmplog_binary;
+extern s32 cmplog_child_pid, cmplog_forksrv_pid;
+
 /* hooks for the custom mutator function */
 /**
  * Perform custom mutations on a given input
@@ -541,7 +567,7 @@ u8   has_new_bits(u8*);
 u32  count_bits(u8*);
 u32  count_bytes(u8*);
 u32  count_non_255_bytes(u8*);
-#ifdef __x86_64__
+#ifdef WORD_SIZE_64
 void simplify_trace(u64*);
 void classify_counts(u64*);
 #else
@@ -627,6 +653,16 @@ char** get_qemu_argv(u8*, char**, int);
 char** get_wine_argv(u8*, char**, int);
 void   save_cmdline(u32, char**);
 
+/* CmpLog */
+
+void init_cmplog_forkserver(char** argv);
+u8   common_fuzz_cmplog_stuff(char** argv, u8* out_buf, u32 len);
+
+/* RedQueen */
+
+u8 input_to_state_stage(char** argv, u8* orig_buf, u8* buf, u32 len,
+                        u32 exec_cksum);
+
 /**** Inline routines ****/
 
 /* Generate a random number (from 0 to limit - 1). This may
@@ -643,11 +679,9 @@ static inline u32 UR(u32 limit) {
 #else
   if (!fixed_seed && unlikely(!rand_cnt--)) {
 
-    u32 seed[2];
-
-    ck_read(dev_urandom_fd, &seed, sizeof(seed), "/dev/urandom");
-    srandom(seed[0]);
-    rand_cnt = (RESEED_RNG / 2) + (seed[1] % RESEED_RNG);
+    ck_read(dev_urandom_fd, &rand_seed, sizeof(rand_seed), "/dev/urandom");
+    srandom(rand_seed[0]);
+    rand_cnt = (RESEED_RNG / 2) + (rand_seed[1] % RESEED_RNG);
 
   }
 
@@ -656,6 +690,13 @@ static inline u32 UR(u32 limit) {
 
 }
 
+static inline u32 get_rand_seed() {
+
+  if (fixed_seed) return (u32)init_seed;
+  return rand_seed[0];
+
+}
+
 /* Find first power of two greater or equal to val (assuming val under
    2^63). */
 

include/alloc-inl.h

@@ -2,14 +2,14 @@
    american fuzzy lop++ - error-checking, memory-zeroing alloc routines
    --------------------------------------------------------------------
 
-   Originally written by Michal Zalewski <lcamtuf@google.com>
+   Originally written by Michal Zalewski
 
-   Now maintained by by Marc Heuse <mh@mh-sec.de>,
+   Now maintained by Marc Heuse <mh@mh-sec.de>,
                         Heiko Eißfeldt <heiko.eissfeldt@hexco.de> and
                         Andrea Fioraldi <andreafioraldi@gmail.com>
 
    Copyright 2016, 2017 Google Inc. All rights reserved.
-   Copyright 2019 AFLplusplus Project. All rights reserved.
+   Copyright 2019-2020 AFLplusplus Project. All rights reserved.
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
@@ -34,6 +34,197 @@
 #include "types.h"
 #include "debug.h"
 
+#ifndef _WANT_ORIGINAL_AFL_ALLOC
+// afl++ stuff without memory corruption checks - for speed
+
+/* User-facing macro to sprintf() to a dynamically allocated buffer. */
+
+#define alloc_printf(_str...)                        \
+  ({                                                 \
+                                                     \
+    u8* _tmp;                                        \
+    s32 _len = snprintf(NULL, 0, _str);              \
+    if (_len < 0) FATAL("Whoa, snprintf() fails?!"); \
+    _tmp = ck_alloc(_len + 1);                       \
+    snprintf((char*)_tmp, _len + 1, _str);           \
+    _tmp;                                            \
+                                                     \
+  })
+
+/* Macro to enforce allocation limits as a last-resort defense against
+   integer overflows. */
+
+#define ALLOC_CHECK_SIZE(_s)                                          \
+  do {                                                                \
+                                                                      \
+    if ((_s) > MAX_ALLOC) ABORT("Bad alloc request: %u bytes", (_s)); \
+                                                                      \
+  } while (0)
+
+/* Macro to check malloc() failures and the like. */
+
+#define ALLOC_CHECK_RESULT(_r, _s)                                    \
+  do {                                                                \
+                                                                      \
+    if (!(_r)) ABORT("Out of memory: can't allocate %u bytes", (_s)); \
+                                                                      \
+  } while (0)
+
+/* Allocator increments for ck_realloc_block(). */
+
+#define ALLOC_BLK_INC 256
+
+/* Allocate a buffer, explicitly not zeroing it. Returns NULL for zero-sized
+   requests. */
+
+static inline void* DFL_ck_alloc_nozero(u32 size) {
+
+  u8* ret;
+
+  if (!size) return NULL;
+
+  ALLOC_CHECK_SIZE(size);
+  ret = malloc(size);
+  ALLOC_CHECK_RESULT(ret, size);
+
+  return (void*)ret;
+
+}
+
+/* Allocate a buffer, returning zeroed memory. */
+
+static inline void* DFL_ck_alloc(u32 size) {
+
+  void* mem;
+
+  if (!size) return NULL;
+  mem = DFL_ck_alloc_nozero(size);
+
+  return memset(mem, 0, size);
+
+}
+
+/* Free memory, checking for double free and corrupted heap. When DEBUG_BUILD
+   is set, the old memory will be also clobbered with 0xFF. */
+
+static inline void DFL_ck_free(void* mem) {
+
+  if (!mem) return;
+
+  free(mem);
+
+}
+
+/* Re-allocate a buffer, checking for issues and zeroing any newly-added tail.
+   With DEBUG_BUILD, the buffer is always reallocated to a new addresses and the
+   old memory is clobbered with 0xFF. */
+
+static inline void* DFL_ck_realloc(void* orig, u32 size) {
+
+  u8* ret;
+
+  if (!size) {
+
+    DFL_ck_free(orig);
+    return NULL;
+
+  }
+
+  ALLOC_CHECK_SIZE(size);
+
+  /* Catch pointer issues sooner: force relocation and make sure that the
+     original buffer is wiped. */
+
+  ret = realloc(orig, size);
+
+  ALLOC_CHECK_RESULT(ret, size);
+
+  return (void*)ret;
+
+}
+
+/* Re-allocate a buffer with ALLOC_BLK_INC increments (used to speed up
+   repeated small reallocs without complicating the user code). */
+
+static inline void* DFL_ck_realloc_block(void* orig, u32 size) {
+
+  return DFL_ck_realloc(orig, size);
+
+}
+
+/* Create a buffer with a copy of a string. Returns NULL for NULL inputs. */
+
+static inline u8* DFL_ck_strdup(u8* str) {
+
+  u8* ret;
+  u32 size;
+
+  if (!str) return NULL;
+
+  size = strlen((char*)str) + 1;
+
+  ALLOC_CHECK_SIZE(size);
+  ret = malloc(size);
+  ALLOC_CHECK_RESULT(ret, size);
+
+  return memcpy(ret, str, size);
+
+}
+
+/* Create a buffer with a copy of a memory block. Returns NULL for zero-sized
+   or NULL inputs. */
+
+static inline void* DFL_ck_memdup(void* mem, u32 size) {
+
+  u8* ret;
+
+  if (!mem || !size) return NULL;
+
+  ALLOC_CHECK_SIZE(size);
+  ret = malloc(size);
+  ALLOC_CHECK_RESULT(ret, size);
+
+  return memcpy(ret, mem, size);
+
+}
+
+/* Create a buffer with a block of text, appending a NUL terminator at the end.
+   Returns NULL for zero-sized or NULL inputs. */
+
+static inline u8* DFL_ck_memdup_str(u8* mem, u32 size) {
+
+  u8* ret;
+
+  if (!mem || !size) return NULL;
+
+  ALLOC_CHECK_SIZE(size);
+  ret = malloc(size + 1);
+  ALLOC_CHECK_RESULT(ret, size);
+
+  memcpy(ret, mem, size);
+  ret[size] = 0;
+
+  return ret;
+
+}
+
+/* In non-debug mode, we just do straightforward aliasing of the above functions
+   to user-visible names such as ck_alloc(). */
+
+#define ck_alloc DFL_ck_alloc
+#define ck_alloc_nozero DFL_ck_alloc_nozero
+#define ck_realloc DFL_ck_realloc
+#define ck_realloc_block DFL_ck_realloc_block
+#define ck_strdup DFL_ck_strdup
+#define ck_memdup DFL_ck_memdup
+#define ck_memdup_str DFL_ck_memdup_str
+#define ck_free DFL_ck_free
+
+#define alloc_report()
+
+#else
+// This is the original alloc-inl of stock afl
+
 /* User-facing macro to sprintf() to a dynamically allocated buffer. */
 
 #define alloc_printf(_str...)                        \
@@ -101,29 +292,13 @@
           ABORT("Corrupted head alloc canary."); \
                                                  \
       }                                          \
+      if (ALLOC_C2(_p) ^ ALLOC_MAGIC_C2)         \
+        ABORT("Corrupted tail alloc canary.");   \
                                                  \
     }                                            \
                                                  \
   } while (0)
 
-/* #define CHECK_PTR(_p) do { \
-    if (_p) { \
-      if (ALLOC_C1(_p) ^ ALLOC_MAGIC_C1) {\
-        if (ALLOC_C1(_p) == ALLOC_MAGIC_F) \
-          ABORT("Use after free."); \
-        else ABORT("Corrupted head alloc canary."); \
-
-      } \
-
-      if (ALLOC_C2(_p) ^ ALLOC_MAGIC_C2) \
-        ABORT("Corrupted tail alloc canary."); \
-
-    } \
-
-  } while (0)
-
-*/
-
 #define CHECK_PTR_EXPR(_p)  \
   ({                        \
                             \
@@ -138,7 +313,7 @@
 
 static inline void* DFL_ck_alloc_nozero(u32 size) {
 
-  u8* ret;
+  void* ret;
 
   if (!size) return NULL;
 
@@ -152,7 +327,7 @@ static inline void* DFL_ck_alloc_nozero(u32 size) {
   ALLOC_S(ret) = size;
   ALLOC_C2(ret) = ALLOC_MAGIC_C2;
 
-  return (void*)ret;
+  return ret;
 
 }
 
@@ -187,8 +362,7 @@ static inline void DFL_ck_free(void* mem) {
 
   ALLOC_C1(mem) = ALLOC_MAGIC_F;
 
-  u8* realStart = mem;
-  free(realStart - ALLOC_OFF_HEAD);
+  free(mem - ALLOC_OFF_HEAD);
 
 }
 
@@ -198,8 +372,8 @@ static inline void DFL_ck_free(void* mem) {
 
 static inline void* DFL_ck_realloc(void* orig, u32 size) {
 
-  u8* ret;
-  u32 old_size = 0;
+  void* ret;
+  u32   old_size = 0;
 
   if (!size) {
 
@@ -217,9 +391,7 @@ static inline void* DFL_ck_realloc(void* orig, u32 size) {
 #endif                                                      /* !DEBUG_BUILD */
 
     old_size = ALLOC_S(orig);
-    u8* origu8 = orig;
-    origu8 -= ALLOC_OFF_HEAD;
-    orig = origu8;
+    orig -= ALLOC_OFF_HEAD;
 
     ALLOC_CHECK_SIZE(old_size);
 
@@ -242,11 +414,10 @@ static inline void* DFL_ck_realloc(void* orig, u32 size) {
 
   if (orig) {
 
-    u8* origu8 = orig;
-    memcpy(ret + ALLOC_OFF_HEAD, origu8 + ALLOC_OFF_HEAD, MIN(size, old_size));
-    memset(origu8 + ALLOC_OFF_HEAD, 0xFF, old_size);
+    memcpy(ret + ALLOC_OFF_HEAD, orig + ALLOC_OFF_HEAD, MIN(size, old_size));
+    memset(orig + ALLOC_OFF_HEAD, 0xFF, old_size);
 
-    ALLOC_C1(origu8 + ALLOC_OFF_HEAD) = ALLOC_MAGIC_F;
+    ALLOC_C1(orig + ALLOC_OFF_HEAD) = ALLOC_MAGIC_F;
 
     free(orig);
 
@@ -262,7 +433,7 @@ static inline void* DFL_ck_realloc(void* orig, u32 size) {
 
   if (size > old_size) memset(ret + old_size, 0, size - old_size);
 
-  return (void*)ret;
+  return ret;
 
 }
 
@@ -293,8 +464,8 @@ static inline void* DFL_ck_realloc_block(void* orig, u32 size) {
 
 static inline u8* DFL_ck_strdup(u8* str) {
 
-  u8* ret;
-  u32 size;
+  void* ret;
+  u32   size;
 
   if (!str) return NULL;
 
@@ -319,7 +490,7 @@ static inline u8* DFL_ck_strdup(u8* str) {
 
 static inline void* DFL_ck_memdup(void* mem, u32 size) {
 
-  u8* ret;
+  void* ret;
 
   if (!mem || !size) return NULL;
 
@@ -588,5 +759,7 @@ static inline void TRK_ck_free(void* ptr, const char* file, const char* func,
 
 #endif                                                     /* ^!DEBUG_BUILD */
 
+#endif                                          /* _WANT_ORIGINAL_AFL_ALLOC */
+
 #endif                                               /* ! _HAVE_ALLOC_INL_H */
 

include/android-ashmem.h

@@ -2,14 +2,14 @@
    american fuzzy lop++ - android shared memory compatibility layer
    ----------------------------------------------------------------
 
-   Originally written by Michal Zalewski <lcamtuf@google.com>
+   Originally written by Michal Zalewski
 
-   Now maintained by by Marc Heuse <mh@mh-sec.de>,
+   Now maintained by Marc Heuse <mh@mh-sec.de>,
                         Heiko Eißfeldt <heiko.eissfeldt@hexco.de> and
                         Andrea Fioraldi <andreafioraldi@gmail.com>
 
    Copyright 2016, 2017 Google Inc. All rights reserved.
-   Copyright 2019 AFLplusplus Project. All rights reserved.
+   Copyright 2019-2020 AFLplusplus Project. All rights reserved.
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
@@ -52,7 +52,7 @@ static inline int shmctl(int __shmid, int __cmd, struct shmid_ds *__buf) {
   if (__cmd == IPC_RMID) {
 
     int               length = ioctl(__shmid, ASHMEM_GET_SIZE, NULL);
-    struct ashmem_pin pin = {0, length};
+    struct ashmem_pin pin = {0, (unsigned int)length};
     ret = ioctl(__shmid, ASHMEM_UNPIN, &pin);
     close(__shmid);
 
@@ -64,6 +64,7 @@ static inline int shmctl(int __shmid, int __cmd, struct shmid_ds *__buf) {
 
 static inline int shmget(key_t __key, size_t __size, int __shmflg) {
 
+  (void)__shmflg;
   int  fd, ret;
   char ourkey[11];
 
@@ -87,6 +88,7 @@ error:
 
 static inline void *shmat(int __shmid, const void *__shmaddr, int __shmflg) {
 
+  (void)__shmflg;
   int   size;
   void *ptr;
 

include/cmplog.h

@@ -0,0 +1,77 @@
+/*
+   american fuzzy lop++ - cmplog header
+   ------------------------------------
+
+   Originally written by Michal Zalewski
+
+   Forkserver design by Jann Horn <jannhorn@googlemail.com>
+
+   Now maintained by by Marc Heuse <mh@mh-sec.de>,
+                        Heiko Eißfeldt <heiko.eissfeldt@hexco.de> and
+                        Andrea Fioraldi <andreafioraldi@gmail.com>
+
+   Copyright 2016, 2017 Google Inc. All rights reserved.
+   Copyright 2019-2020 AFLplusplus Project. All rights reserved.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at:
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+   Shared code to handle the shared memory. This is used by the fuzzer
+   as well the other components like afl-tmin, afl-showmap, etc...
+
+ */
+
+#ifndef _AFL_CMPLOG_H
+#define _AFL_CMPLOG_H
+
+#include "config.h"
+
+#define CMP_MAP_W 65536
+#define CMP_MAP_H 256
+#define CMP_MAP_RTN_H (CMP_MAP_H / 4)
+
+#define SHAPE_BYTES(x) (x + 1)
+
+#define CMP_TYPE_INS 0
+#define CMP_TYPE_RTN 1
+
+struct cmp_header {
+
+  unsigned hits : 20;
+
+  unsigned cnt : 20;
+  unsigned id : 16;
+
+  unsigned shape : 5;  // from 0 to 31
+  unsigned type : 1;
+
+} __attribute__((packed));
+
+struct cmp_operands {
+
+  u64 v0;
+  u64 v1;
+
+};
+
+struct cmpfn_operands {
+
+  u8 v0[32];
+  u8 v1[32];
+
+};
+
+typedef struct cmp_operands cmp_map_list[CMP_MAP_H];
+
+struct cmp_map {
+
+  struct cmp_header   headers[CMP_MAP_W];
+  struct cmp_operands log[CMP_MAP_W][CMP_MAP_H];
+
+};
+
+#endif
+

include/common.h

@@ -2,14 +2,14 @@
    american fuzzy lop++ - common routines header
    ---------------------------------------------
 
-   Originally written by Michal Zalewski <lcamtuf@google.com>
+   Originally written by Michal Zalewski
 
-   Now maintained by by Marc Heuse <mh@mh-sec.de>,
+   Now maintained by Marc Heuse <mh@mh-sec.de>,
                         Heiko Eißfeldt <heiko.eissfeldt@hexco.de> and
                         Andrea Fioraldi <andreafioraldi@gmail.com>
 
    Copyright 2016, 2017 Google Inc. All rights reserved.
-   Copyright 2019 AFLplusplus Project. All rights reserved.
+   Copyright 2019-2020 AFLplusplus Project. All rights reserved.
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
@@ -30,6 +30,7 @@
 extern u8* target_path;                 /* Path to target binary            */
 
 void detect_file_args(char** argv, u8* prog_in);
+void check_environment_vars(char** env);
 
 char** get_qemu_argv(u8* own_loc, char** argv, int argc);
 char** get_wine_argv(u8* own_loc, char** argv, int argc);

include/config.h

@@ -2,14 +2,14 @@
    american fuzzy lop++ - vaguely configurable bits
    ------------------------------------------------
 
-   Originally written by Michal Zalewski <lcamtuf@google.com>
+   Originally written by Michal Zalewski
 
-   Now maintained by by Marc Heuse <mh@mh-sec.de>,
+   Now maintained by Marc Heuse <mh@mh-sec.de>,
                         Heiko Eißfeldt <heiko.eissfeldt@hexco.de> and
                         Andrea Fioraldi <andreafioraldi@gmail.com>
 
    Copyright 2016, 2017 Google Inc. All rights reserved.
-   Copyright 2019 AFLplusplus Project. All rights reserved.
+   Copyright 2019-2020 AFLplusplus Project. All rights reserved.
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
@@ -26,7 +26,8 @@
 
 /* Version string: */
 
-#define VERSION "++2.57c"  // c = release, d = volatile github dev
+// c = release, d = volatile github dev, e = experimental branch
+#define VERSION "++2.62c"
 
 /******************************************************
  *                                                    *
@@ -39,9 +40,16 @@
 
 #define USE_COLOR
 
+/* If you want to have the original afl internal memory corruption checks.
+   Disabled by default for speed. it is better to use "make ASAN_BUILD=1". */
+
+//#define _WANT_ORIGINAL_AFL_ALLOC
+
 /* Comment out to disable fancy ANSI boxes and use poor man's 7-bit UI: */
 
+#ifndef ANDROID_DISABLE_FANCY  // Fancy boxes are ugly from adb
 #define FANCY_BOXES
+#endif
 
 /* Default timeout for fuzzed code (milliseconds). This is the upper bound,
    also used for detecting hangs; the actual value is auto-scaled: */
@@ -52,14 +60,23 @@
 
 #define EXEC_TM_ROUND 20
 
+/* 64bit arch MACRO */
+#if (defined(__x86_64__) || defined(__arm64__) || defined(__aarch64__))
+#define WORD_SIZE_64 1
+#endif
+
 /* Default memory limit for child process (MB): */
 
-#ifndef __x86_64__
+#ifndef __NetBSD__
+#ifndef WORD_SIZE_64
 #define MEM_LIMIT 25
 #else
 #define MEM_LIMIT 50
-#endif                                                      /* ^!__x86_64__ */
-
+#endif                                                    /* ^!WORD_SIZE_64 */
+#else  /* NetBSD's kernel needs more space for stack, see discussion for issue \
+          #165 */
+#define MEM_LIMIT 200
+#endif
 /* Default memory limit when running in QEMU mode (MB): */
 
 #define MEM_LIMIT_QEMU 200
@@ -354,6 +371,10 @@
 
 #define AFL_QEMU_NOT_ZERO
 
+/* AFL RedQueen */
+
+#define CMPLOG_SHM_ENV_VAR "__AFL_CMPLOG_SHM_ID"
+
 /* Uncomment this to use inferior block-coverage-based instrumentation. Note
    that you need to recompile the target binary for this to have any effect: */
 

include/debug.h

@@ -2,14 +2,14 @@
    american fuzzy lop++ - debug / error handling macros
    ----------------------------------------------------
 
-   Originally written by Michal Zalewski <lcamtuf@google.com>
+   Originally written by Michal Zalewski
 
-   Now maintained by by Marc Heuse <mh@mh-sec.de>,
+   Now maintained by Marc Heuse <mh@mh-sec.de>,
                         Heiko Eißfeldt <heiko.eissfeldt@hexco.de> and
                         Andrea Fioraldi <andreafioraldi@gmail.com>
 
    Copyright 2016, 2017 Google Inc. All rights reserved.
-   Copyright 2019 AFLplusplus Project. All rights reserved.
+   Copyright 2019-2020 AFLplusplus Project. All rights reserved.
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.