# laf-intel instrumentation

## Introduction

This is originally the work of an individual nicknamed laf-intel. His blog
[Circumventing Fuzzing Roadblocks with Compiler Transformations](https://lafintel.wordpress.com/)
and GitLab repo [laf-llvm-pass](https://gitlab.com/laf-intel/laf-llvm-pass/)
describe some code transformations that help AFL++ to enter conditional blocks
whose conditions consist of comparisons of large values.

## Usage

By default, these passes will not run when you compile programs using
afl-clang-fast. Hence, you can use AFL++ as usual. To enable the passes, you
must set environment variables before you compile the target project.

The following options exist:

`export AFL_LLVM_LAF_SPLIT_SWITCHES=1`

Enables the split-switches pass.

`export AFL_LLVM_LAF_TRANSFORM_COMPARES=1`

Enables the transform-compares pass (strcmp, memcmp, strncmp, strcasecmp,
strncasecmp).

`export AFL_LLVM_LAF_SPLIT_COMPARES=1`

Enables the split-compares pass. By default, it will

1. simplify operators >= (and <=) into chains of > (<) and == comparisons
2. change signed integer comparisons to a chain of a sign-only comparison and
   unsigned integer comparisons
3. split all unsigned integer comparisons with bit widths of 64, 32, or 16 bits
   into chains of 8-bit comparisons.

You can change the behavior of the last step by setting
`export AFL_LLVM_LAF_SPLIT_COMPARES_BITW=<bit_width>`, where bit_width may be
64, 32, or 16. For example, a bit_width of 16 would split larger comparisons
down to 16-bit comparisons.

A new unique feature is splitting floating point comparisons into a series
of sign, exponent and mantissa comparisons, followed by splitting each of them
into 8-bit comparisons when necessary. It is activated with the
`AFL_LLVM_LAF_SPLIT_FLOATS` setting.

Note that setting this automatically activates `AFL_LLVM_LAF_SPLIT_COMPARES`.

You can also set `AFL_LLVM_LAF_ALL` and have all of the above enabled. :-)
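To make the three split-compares steps concrete, here is a hand-written C rendering of what the pass does to a 32-bit comparison. This is an added example, not code from AFL++ or from the laf-llvm-pass repo; the magic constant and function names are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed example: the split-compares steps written out by hand in C.
 * Each `if` below becomes its own branch (its own coverage edge), which is
 * exactly why the transformed code gives the fuzzer more feedback. */

/* Original form: one 32-bit equality, one branch, no partial feedback. */
bool magic_direct(uint32_t x) { return x == 0xDEADBEEFu; }

/* Step 3: the same equality as a chain of 8-bit comparisons, most
 * significant byte first; matching one more byte reaches a new edge. */
bool magic_split(uint32_t x) {
    const uint32_t magic = 0xDEADBEEFu;
    if ((uint8_t)(x >> 24) != (uint8_t)(magic >> 24)) return false;
    if ((uint8_t)(x >> 16) != (uint8_t)(magic >> 16)) return false;
    if ((uint8_t)(x >> 8)  != (uint8_t)(magic >> 8))  return false;
    return (uint8_t)x == (uint8_t)magic;
}

/* Unsigned `<` split into an 8-bit chain (step 3 applied to an ordering
 * comparison): the first byte that differs decides the result. */
bool ult_split(uint32_t a, uint32_t b) {
    for (int shift = 24; shift >= 0; shift -= 8) {
        uint8_t ba = (uint8_t)(a >> shift), bb = (uint8_t)(b >> shift);
        if (ba < bb) return true;
        if (ba > bb) return false;
    }
    return false; /* all bytes equal: a == b, so a < b is false */
}

/* Step 2: signed `<` as a sign-only comparison followed by an unsigned one.
 * If the signs differ, the negative operand is smaller; if they agree, the
 * two's-complement bit patterns order the same way signed and unsigned. */
bool slt_split(int32_t a, int32_t b) {
    uint32_t ua = (uint32_t)a, ub = (uint32_t)b;
    uint32_t sa = ua >> 31, sb = ub >> 31;
    if (sa != sb) return sa == 1;
    return ult_split(ua, ub);
}

/* Step 1: `>=` as a chain of `>` and `==` (each then split further). */
bool uge_split(uint32_t a, uint32_t b) {
    if (ult_split(b, a)) return true; /* a > b  <=>  b < a */
    return a == b;
}
```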