Lines Matching +full:collect +full:- +full:v8 +full:- +full:coverage
14 Starting with AFL++ 3.0, there is only one compiler: afl-cc.
18 - Pass the --afl-MODE command-line option to the compiler. Only this option
19 accepts further AFL-specific command-line options.
20 - Use a symlink to afl-cc: afl-clang, afl-clang++, afl-clang-fast,
21 afl-clang-fast++, afl-clang-lto, afl-clang-lto++, afl-g++, afl-g++-fast,
22 afl-gcc, afl-gcc-fast. This option does not accept AFL-specific command-line
24 - Use the `AFL_CC_COMPILER` environment variable with `MODE`. To select
27 - `GCC` (afl-gcc/afl-g++)
28 - `GCC_PLUGIN` (afl-g*-fast)
29 - `LLVM` (afl-clang-fast*)
30 - `LTO` (afl-clang-lto*).
32 The compile-time tools do not accept AFL-specific command-line options. The
33 --afl-MODE command line option is the only exception. The other options make
36 - Some build/configure scripts break with AFL++ compilers. To be able to pass
40 export CC=afl-cc
41 export CXX=afl-c++
43 ./configure --disable-shared --disable-werror
48 - Setting `AFL_AS`, `AFL_CC`, and `AFL_CXX` lets you use alternate downstream
52 - If you are a weird person that wants to compile and instrument asm text
54 `AFL_AS_FORCE_INSTRUMENT=1 afl-gcc foo.s -o foo`
56 - Most AFL tools do not print any output if stdout/stderr are redirected. If
61 - By default, the wrapper appends `-O3` to optimize builds. Very rarely, this
62 will cause problems in programs built with -Werror, because `-O3` enables
64 optimizations, set `AFL_DONT_OPTIMIZE`. However, if `-O...` and/or
65 `-fno-unroll-loops` are set, these are not overridden.
67 - Setting `AFL_HARDEN` automatically adds code hardening options when invoking
68 the downstream compiler. This currently includes `-D_FORTIFY_SOURCE=2` and
69 `-fstack-protector-all`. The setting is useful for catching non-crashing
70 memory bugs at the expense of a very slight (sub-5%) performance loss.
72 - Setting `AFL_INST_RATIO` to a percentage between 0 and 100 controls the
75 Examples include ffmpeg, perl, and v8.
77 (If this ever happens, afl-fuzz will warn you ahead of the time by
83 Note that this is an outdated variable. A few instances (e.g., afl-gcc)
84 still support these, but state-of-the-art (e.g., LLVM LTO and LLVM PCGUARD)
87 - `AFL_NO_BUILTIN` causes the compiler to generate code suitable for use with
90 - `AFL_PATH` can be used to point afl-gcc to an alternate location of afl-as.
92 instrument hand-written assembly when compiling clang code by plugging a
95 - Setting `AFL_QUIET` will prevent afl-as and afl-cc banners from being
98 - Setting `AFL_USE_...` automatically enables supported sanitizers - provided
100 - `AFL_USE_ASAN=1` - activates the address sanitizer (memory corruption
102 - `AFL_USE_CFISAN=1` - activates the Control Flow Integrity sanitizer (e.g.
104 - `AFL_USE_LSAN` - activates the leak sanitizer. To perform a leak check
110 - `AFL_USE_MSAN=1` - activates the memory sanitizer (uninitialized memory)
111 - `AFL_USE_TSAN=1` - activates the thread sanitizer to find thread race
113 - `AFL_USE_UBSAN=1` - activates the undefined behavior sanitizer
115 - `TMPDIR` is used by afl-as for temporary files; if this variable is not set,
118 ## 2) Settings for LLVM and LTO: afl-clang-fast / afl-clang-fast++ / afl-clang-lto / afl-clang-lto++
123 - `AFL_AS`, since this toolchain does not directly invoke GNU `as`.
125 - `AFL_INST_RATIO`, as we use collision free instrumentation by default. Not
128 - LLVM modes support `AFL_LLVM_DICT2FILE=/absolute/path/file.txt` which will
130 afl-fuzz' `-x` option.
132 - An option to `AFL_LLVM_DICT2FILE` is `AFL_LLVM_DICT2FILE_NO_MAIN=1` which
135 - `TMPDIR` and `AFL_KEEP_ASSEMBLY`, since no temporary assembly files are
138 - LLVM modes compiling C++ will normally set rpath in the binary if LLVM is
149 `AFL_LLVM_INSTRUMENT` - this configures the instrumentation mode.
153 - CLANG - outdated clang instrumentation
154 - CLASSIC - classic AFL (map[cur_loc ^ prev_loc >> 1]++) (default)
157 then, e.g.: `AFL_LLVM_INSTRUMENT=CLASSIC,CTX,NGRAM-4`
160 - CTX - context sensitive instrumentation
161 - GCC - outdated gcc instrumentation
162 - LTO - LTO instrumentation
163 - NATIVE - clang's original pcguard based instrumentation
164 - NGRAM-x - deeper previous location coverage (from NGRAM-2 up to NGRAM-16)
165 - PCGUARD - our own pcguard based instrumentation (default)
169 Setting `AFL_LLVM_CMPLOG=1` during compilation will tell afl-clang-fast to
172 For afl-gcc-fast, set `AFL_GCC_CMPLOG=1` instead.
180 branch coverage - meaning that each edge is additionally combined with its
186 …#6) AFL++ Context Sensitive Branch Coverage](../instrumentation/README.llvm.md#6-afl-context-sensi…
204 - Setting `AFL_LLVM_INJECTIONS_ALL` will enable all injection hooking
206 - Setting `AFL_LLVM_INJECTIONS_SQL` will enable SQL injection hooking
208 - Setting `AFL_LLVM_INJECTIONS_LDAP` will enable LDAP injection hooking
210 - Setting `AFL_LLVM_INJECTIONS_XSS` will enable XSS injection hooking
212 #### LAF-INTEL
215 allow afl-fuzz to find otherwise rather impossible paths. It is not restricted
216 to Intel CPUs. ;-)
218 - Setting `AFL_LLVM_LAF_TRANSFORM_COMPARES` will split string compare
221 - Setting `AFL_LLVM_LAF_SPLIT_COMPARES` will split all floating point and 64,
224 - Setting `AFL_LLVM_LAF_SPLIT_FLOATS` will split floating points, needs
227 - Setting `AFL_LLVM_LAF_SPLIT_SWITCHES` will split all `switch` constructs.
229 - Setting `AFL_LLVM_LAF_ALL` sets all of the above.
232 [instrumentation/README.laf-intel.md](../instrumentation/README.laf-intel.md).
238 which is 100% collision free (collisions are a big issue in AFL and AFL-like
239 instrumentations). This is performed by using afl-clang-lto/afl-clang-lto++
240 instead of afl-clang-fast, but is only built if LLVM 11 or newer is used.
243 recommended for afl-clang-fast, default for afl-clang-lto as there it is a
251 - `AFL_LLVM_DOCUMENT_IDS=file` will document to a file which edge ID was given
254 - `AFL_LLVM_LTO_DONTWRITEID` prevents that the highest location ID written
256 - `AFL_LLVM_LTO_STARTID` sets the starting location ID for the
258 - `AFL_LLVM_MAP_ADDR` sets the fixed map address to a different address than
261 - `AFL_LLVM_MAP_DYNAMIC` sets the shared memory address to be dynamic.
262 - `AFL_LLVM_LTO_SKIPINIT` skips adding initialization code. Some global vars
270 Setting `AFL_LLVM_INSTRUMENT=NGRAM-{value}` or `AFL_LLVM_NGRAM_SIZE` activates
271 ngram prev_loc coverage. Good values are 2, 4, or 8 (any value between 2 and 16
277 …entation/README.llvm.md#7) AFL++ N-Gram Branch Coverage](../instrumentation/README.llvm.md#7-afl-n…
281 - Setting `AFL_LLVM_NOT_ZERO=1` during compilation will use counters that skip
287 - Setting `AFL_LLVM_SKIP_NEVERZERO=1` will not implement the skip zero test.
294 counters. The overhead is a little bit higher compared to the older non-thread
302 - GCC mode only: Setting `AFL_KEEP_ASSEMBLY` prevents afl-as from deleting
313 - GCC_PLUGIN mode only: Setting `AFL_GCC_INSTRUMENT_FILE` or
323 Setting `AFL_GCC_OUT_OF_LINE=1` will instruct afl-gcc-fast to instrument the
331 ## 4) Settings for afl-fuzz
336 - Setting `AFL_AUTORESUME` will resume a fuzz run (same as providing `-i -`)
337 for an existing out folder, even if a different `-i` was provided. Without
338 this setting, afl-fuzz will refuse execution for a long-fuzzed out dir.
340 - Benchmarking only: `AFL_BENCH_JUST_ONE` causes the fuzzer to exit after
344 - `AFL_CMPLOG_ONLY_NEW` will only perform the expensive cmplog feature for
346 (`-i in`). This is an important feature to set when resuming a fuzzing
349 - `AFL_IGNORE_SEED_PROBLEMS` will skip over crashes and timeouts in the seeds
352 - Setting `AFL_CRASH_EXITCODE` sets the exit code AFL++ treats as crash. For
353 example, if `AFL_CRASH_EXITCODE='-1'` is set, each input resulting in a `-1`
354 return code (i.e., `exit(-1)` got called) will be treated as if a crash had
355 occurred. This may be beneficial if you look for higher-level faulty
358 - Setting `AFL_CUSTOM_MUTATOR_LIBRARY` to a shared library with
360 afl-fuzz is compiled with Python (which is autodetected during building
361 afl-fuzz), setting `AFL_PYTHON_MODULE` to a Python module can also provide
368 - Setting `AFL_CYCLE_SCHEDULES` will switch to a different schedule every time
371 - Setting `AFL_DEBUG_CHILD` will not suppress the child output. This lets you
378 - Setting `AFL_DISABLE_TRIM` tells afl-fuzz not to trim test cases. This is
381 - Setting `AFL_KEEP_TIMEOUTS` will keep longer running inputs if they reach
382 new coverage
384 - On the contrary, if you are not interested in any timeouts, you can set
387 - `AFL_EXIT_ON_SEED_ISSUES` will restore the vanilla afl-fuzz behavior which
388 does not allow crashes or timeout seeds in the initial -i corpus.
390 - `AFL_CRASHING_SEEDS_AS_NEW_CRASH` will treat crashing seeds as new crashes. These
393 - `AFL_EXIT_ON_TIME` causes afl-fuzz to terminate if no new paths were found
397 - `AFL_EXIT_WHEN_DONE` causes afl-fuzz to terminate when all existing paths
402 - Setting `AFL_EXPAND_HAVOC_NOW` will start in the extended havoc mode that
403 includes costly mutations. afl-fuzz automatically enables this mode when
406 - `AFL_FAST_CAL` keeps the calibration stage about 2.5x faster (albeit less
410 - Setting `AFL_FORCE_UI` will force painting the UI on the screen even if no
413 - Setting `AFL_FORKSRV_INIT_TMOUT` allows you to specify a different timeout
415 …The default is the `-t` value times `FORK_WAIT_MULT` from `config.h` (usually 10), so for a `-t 10…
416 …_TMOUT` value does not get multiplied. It overwrites the initial timeout afl-fuzz waits for the ta…
418 full-system fuzzing or emulation, but you don't want the actual runs to wait
421 - Setting `AFL_HANG_TMOUT` allows you to specify a different timeout for
423 the value of the `-t` parameter, whichever is larger. Dialing the value down
428 - If you are Jakub, you may need `AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES`.
432 - If afl-fuzz encounters an incorrect fuzzing setup during a fuzzing session
434 set `AFL_IGNORE_PROBLEMS`. If you additionally want to also ignore coverage
437 - When running with multiple afl-fuzz or with `-F`, setting `AFL_IMPORT_FIRST`
441 - When running with multiple afl-fuzz or with `-F`, setting `AFL_FINAL_SYNC`
443 terminating. This is beneficial for `-M` main fuzzers to ensure it has all
444 unique test cases and hence you only need to `afl-cmin` this single
447 - Setting `AFL_INPUT_LEN_MIN` and `AFL_INPUT_LEN_MAX` are an alternative to
448 the afl-fuzz -g/-G command line option to control the minimum/maximum
451 - `AFL_KILL_SIGNAL`: Set the signal ID to be delivered to child processes
456 - `AFL_FORK_SERVER_KILL_SIGNAL`: Set the signal ID to be delivered to the
467 - `AFL_MAP_SIZE` sets the size of the shared map that afl-analyze, afl-fuzz,
468 afl-showmap, and afl-tmin create to gather instrumentation data from the
472 - Setting `AFL_MAX_DET_EXTRAS` will change the threshold at what number of
473 elements in the `-x` dictionary and LTO autodict (combined) the
480 - Setting `AFL_NO_AFFINITY` disables attempts to bind to a specific CPU core
482 afl-fuzz than would be prudent (if you really want to).
484 - `AFL_NO_ARITH` causes AFL++ to skip most of the deterministic arithmetics.
485 This can be useful to speed up the fuzzing of text-based file formats.
487 - Setting `AFL_NO_AUTODICT` will not load an LTO generated auto dictionary
490 - Setting `AFL_NO_COLOR` or `AFL_NO_COLOUR` will omit control sequences for
494 - The CPU widget shown at the bottom of the screen is fairly simplistic and
499 - Setting `AFL_NO_FORKSRV` disables the forkserver optimization, reverting to
504 Note that this setting inhibits some of the user-friendly diagnostics
508 - `AFL_NO_SNAPSHOT` will advise afl-fuzz not to use the snapshot feature if
511 - Setting `AFL_NO_UI` inhibits the UI altogether and just periodically prints
513 output from afl-fuzz is redirected to a file or to a pipe.
515 - Setting `AFL_NO_STARTUP_CALIBRATION` will skip the initial calibration
519 - Setting `AFL_NO_WARN_INSTABILITY` will suppress instability warnings.
521 - In QEMU mode (-Q) and FRIDA mode (-O), `AFL_PATH` will be searched for
522 afl-qemu-trace and afl-frida-trace.so.
524 - If you are using persistent mode (you should, see
528 re-trigger these crashes, you can use the `AFL_PERSISTENT_RECORD` variable
535 - Note that `AFL_POST_LIBRARY` is deprecated, use `AFL_CUSTOM_MUTATOR_LIBRARY`
538 - Setting `AFL_PRELOAD` causes AFL++ to set `LD_PRELOAD` for the target binary
539 without disrupting the afl-fuzz process itself. This is useful, among other
542 - In QEMU mode (-Q), setting `AFL_QEMU_CUSTOM_BIN` will cause afl-fuzz to skip
543 prepending `afl-qemu-trace` to your command line. Use this if you wish to
544 use a custom afl-qemu-trace or if you need to modify the afl-qemu-trace
547 - `AFL_SHUFFLE_QUEUE` randomly reorders the input queue on startup. Requested
551 - When developing custom instrumentation on top of afl-fuzz, you can use
552 `AFL_SKIP_BIN_CHECK` to inhibit the checks for non-instrumented binaries and
553 shell scripts; and `AFL_DUMB_FORKSRV` in conjunction with the `-n` setting
554 to instruct afl-fuzz to still follow the fork server protocol without
558 - Setting `AFL_SKIP_CPUFREQ` skips the check for CPU scaling policy. This is
562 - Setting `AFL_STATSD` enables StatsD metrics collection. By default, AFL++
569 - Setting `AFL_STATSD_TAGS_FLAVOR` to one of `dogstatsd`, `influxdb`,
571 This is especially useful when running multiple instances (`-M/-S` for
573 to the name of the fuzzer provided through `-M/-S`. `afl_version`
578 - `AFL_SYNC_TIME` allows you to specify a different minimal time (in minutes)
580 note that time is halved for -M main nodes.
582 - Setting `AFL_TARGET_ENV` causes AFL++ to set extra environment variables for
583 the target binary. Example: `AFL_TARGET_ENV="VAR1=1 VAR2='a b c'" afl-fuzz
593 - `AFL_TESTCACHE_SIZE` allows you to override the size of `#define
594 TESTCASE_CACHE` in config.h. Recommended values are 50-250MB - or more if
597 - `AFL_TMPDIR` is used to write the `.cur_input` file to if it exists, and in
602 - Setting `AFL_TRY_AFFINITY` attempts to bind to a specific CPU core
605 - The following environment variables are only needed if you implemented
608 - `AFL_DEFER_FORKSRV` enforces a deferred forkserver even if none was
610 - `AFL_PERSISTENT` enforces persistent mode even if none was detected
613 - If you need an early forkserver in your target because of early
615 Note that this is not a compile time option but a runtime option :-)
617 - Set `AFL_PIZZA_MODE` to 1 to enable the April 1st stats menu, set to -1
621 - If you need a specific interval to update fuzzer_stats file, you can
627 ## 5) Settings for afl-qemu-trace
629 The QEMU wrapper used to instrument binary-only code supports several settings:
631 - Setting `AFL_COMPCOV_LEVEL` enables the CompareCoverage tracing of all cmp
637 only comparisons with immediate values / read-only memory and
641 - `AFL_DEBUG` will print the found entry point for the binary to stderr. Use
642 this if you are unsure if the entry point might be wrong - but use it
643 directly, e.g., `afl-qemu-trace ./program`.
645 - `AFL_ENTRYPOINT` allows you to specify a specific entry point into the
650 - Setting `AFL_INST_LIBS` causes the translator to also instrument the code
653 - You can use `AFL_QEMU_INST_RANGES=0xaaaa-0xbbbb,0xcccc-0xdddd` to just
657 - You can use `AFL_QEMU_EXCLUDE_RANGES=0xaaaa-0xbbbb,0xcccc-0xdddd` to **NOT**
661 - It is possible to set `AFL_INST_RATIO` to skip the instrumentation on some
665 - Setting `AFL_QEMU_COMPCOV` enables the CompareCoverage tracing of all cmp
669 - With `AFL_QEMU_FORCE_DFL`, you force QEMU to ignore the registered signal
672 - When the target is i386/x86_64, you can specify the address of the function
676 - With `AFL_QEMU_PERSISTENT_GPR=1`, QEMU will save the original value of
679 - Another modality to execute the persistent loop is to specify also the
684 - With `AFL_QEMU_PERSISTENT_RETADDR_OFFSET`, you can specify the offset from
688 - With `AFL_USE_QASAN`, you can enable QEMU AddressSanitizer for dynamically
691 - The underlying QEMU binary will recognize any standard "user space
695 - Normally a `README.txt` is written to the `crashes/` directory when a first
699 ## 7) Settings for afl-frida-trace
701 The FRIDA wrapper used to instrument binary-only code supports many of the same
702 options as `afl-qemu-trace`, but also has a number of additional advanced
709 * `AFL_FRIDA_DEBUG_MAPS` - See `AFL_QEMU_DEBUG_MAPS`
710 * `AFL_FRIDA_DRIVER_NO_HOOK` - See `AFL_QEMU_DRIVER_NO_HOOK`. When using the
713 `stdin` rather than using in-memory test cases.
714 * `AFL_FRIDA_EXCLUDE_RANGES` - See `AFL_QEMU_EXCLUDE_RANGES`
715 * `AFL_FRIDA_INST_COVERAGE_FILE` - File to write DynamoRio format coverage
717 * `AFL_FRIDA_INST_DEBUG_FILE` - File to write raw assembly of original blocks
719 * `AFL_FRIDA_INST_JIT` - Enable the instrumentation of Just-In-Time compiled
722 * `AFL_FRIDA_INST_NO_DYNAMIC_LOAD` - Don't instrument the code loaded late at
724 * `AFL_FRIDA_INST_NO_OPTIMIZE` - Don't use optimized inline assembly coverage
727 * `AFL_FRIDA_INST_NO_BACKPATCH` - Disable backpatching. At the end of executing
730 * `AFL_FRIDA_INST_NO_PREFETCH` - Disable prefetching. By default, the child will
734 * `AFL_FRIDA_INST_NO_PREFETCH_BACKPATCH` - Disable prefetching of stalker
738 * `AFL_FRIDA_INST_RANGES` - See `AFL_QEMU_INST_RANGES`
739 * `AFL_FRIDA_INST_SEED` - Sets the initial seed for the hash function used to
742 * `AFL_FRIDA_INST_TRACE` - Log to stdout the address of executed blocks, implies
744 * `AFL_FRIDA_INST_TRACE_UNIQUE` - As per `AFL_FRIDA_INST_TRACE`, but each edge
746 * `AFL_FRIDA_INST_UNSTABLE_COVERAGE_FILE` - File to write DynamoRio format
747 coverage information for unstable edges (e.g., to be loaded within IDA
749 * `AFL_FRIDA_JS_SCRIPT` - Set the script to be loaded by the FRIDA scripting
751 * `AFL_FRIDA_OUTPUT_STDOUT` - Redirect the standard output of the target
753 * `AFL_FRIDA_OUTPUT_STDERR` - Redirect the standard error of the target
755 * `AFL_FRIDA_PERSISTENT_ADDR` - See `AFL_QEMU_PERSISTENT_ADDR`
756 * `AFL_FRIDA_PERSISTENT_CNT` - See `AFL_QEMU_PERSISTENT_CNT`
757 * `AFL_FRIDA_PERSISTENT_DEBUG` - Insert a Breakpoint into the instrumented code
760 * `AFL_FRIDA_PERSISTENT_HOOK` - See `AFL_QEMU_PERSISTENT_HOOK`
761 * `AFL_FRIDA_PERSISTENT_RET` - See `AFL_QEMU_PERSISTENT_RET`
762 * `AFL_FRIDA_SECCOMP_FILE` - Write a log of any syscalls made by the target to
764 * `AFL_FRIDA_STALKER_ADJACENT_BLOCKS` - Configure the number of adjacent blocks
770 * `AFL_FRIDA_STALKER_IC_ENTRIES` - Configure the number of inline cache entries
771 stored alongside branch instructions which provide a cache to avoid having to
773 * `AFL_FRIDA_STATS_FILE` - Write statistics information about the code being
779 * `AFL_FRIDA_STATS_INTERVAL` - The maximum frequency to output statistics
782 * `AFL_FRIDA_TRACEABLE` - Set the child process to be traceable by any process
784 Linux only. Permits a non-root user to use `gcore` or similar to collect a
786 dump you must set a sufficient timeout (using `-t`) to avoid `afl-fuzz`
789 ## 8) Settings for afl-cmin
793 - `AFL_ALLOW_TMP` permits this and some other scripts to run in /tmp. This is
794 a modest security risk on multi-user systems with rogue users, but should be
797 - `AFL_KEEP_TRACES` makes the tool keep traces and other metadata used for
801 - Setting `AFL_PATH` offers a way to specify the location of afl-showmap and
802 afl-qemu-trace (the latter only in `-Q` mode).
804 - `AFL_PRINT_FILENAMES` prints each filename to stdout, as it gets processed.
805 This can help when embedding `afl-cmin` or `afl-showmap` in other scripts.
807 ## 9) Settings for afl-tmin
809 Virtually nothing to play with. Well, in QEMU mode (`-Q`), `AFL_PATH` will be
810 searched for afl-qemu-trace. In addition to this, `TMPDIR` may be used if a
813 You can specify `AFL_TMIN_EXACT` if you want afl-tmin to require execution paths
816 very buggy software. You probably want to combine it with the `-e` flag.
818 ## 10) Settings for afl-analyze
827 - `AFL_ALIGNED_ALLOC=1` will force the alignment of the allocation size to
830 - `AFL_LD_HARD_FAIL` alters the behavior by calling `abort()` on excessive
834 - `AFL_LD_LIMIT_MB` caps the size of the maximum heap usage permitted by the
838 - `AFL_LD_NO_CALLOC_OVER` inhibits `abort()` on `calloc()` overflows. Most of
842 - `AFL_LD_VERBOSE` causes the library to output some diagnostic messages that
850 ## 12) Third-party variables set by afl-fuzz & other tools
852 Several variables are not directly interpreted by afl-fuzz, but are set to
855 - By default, `ASAN_OPTIONS` are set to (among others):
865 If you want to set your own options, be sure to include `abort_on_error=1` -
870 - Similarly, the default `LSAN_OPTIONS` are set to:
883 - In the same vein, by default, `MSAN_OPTIONS` are set to:
893 - By default, `LD_BIND_NOW` is set to speed up fuzzing by forcing the linker