authorvan Hauser <vh@thc.org>2019-07-20 09:06:47 +0200
committervan Hauser <vh@thc.org>2019-07-20 09:06:47 +0200
commit322b5a736b2c84957c985cfffcb6bfc9470c0045 (patch)
treea636812d3050e828aae2ca5f12b4a6ba19ea800d
parent907c054142ce7c72a0050ac3963d82a59c5e4f0a (diff)
downloadafl++-322b5a736b2c84957c985cfffcb6bfc9470c0045.tar.gz
updated docs and crash issues with gcc_plugin
-rw-r--r--TODO4
-rw-r--r--afl-fuzz.c2
-rw-r--r--docs/sister_projects.txt6
-rw-r--r--gcc_plugin/CRASH23
-rw-r--r--gcc_plugin/README.gcc6
-rw-r--r--gcc_plugin/afl-gcc-pass.so.cc9
-rw-r--r--qemu_mode/README.qemu2
7 files changed, 46 insertions, 6 deletions
diff --git a/TODO b/TODO
index d89524c2..2c5d05a5 100644
--- a/TODO
+++ b/TODO
@@ -4,6 +4,8 @@ Roadmap 2.53d:
- README.md
+ - update docs/sister_projects.txt
+
- better defaults:
* laf-intel activated, needs deactiatation
* fast mode schedule
@@ -15,7 +17,7 @@ afl-fuzz:
- reuse forkserver for showmap, afl-cmin, etc.
gcc_plugin:
- (see TODOs)
+ - fix crashes when compiling :(
- whitelist support
- skip over uninteresting blocks
- laf-intel
diff --git a/afl-fuzz.c b/afl-fuzz.c
index 422260ef..e917ed9c 100644
--- a/afl-fuzz.c
+++ b/afl-fuzz.c
@@ -11247,7 +11247,7 @@ static void usage(u8* argv0) {
" -Q - use binary-only instrumentation (QEMU mode)\n"
" -L minutes - use MOpt(imize) mode and set the limit time for entering the\n"
" pacemaker mode (minutes of no new paths, 0 = immediately).\n"
- " see docs/README.MOpt\n\n"
+ " a recommended value is 10-60. see docs/README.MOpt\n\n"
"Fuzzing behavior settings:\n"
" -d - quick & dirty mode (skips deterministic steps)\n"
diff --git a/docs/sister_projects.txt b/docs/sister_projects.txt
index 41701e2f..a2eb2a22 100644
--- a/docs/sister_projects.txt
+++ b/docs/sister_projects.txt
@@ -6,6 +6,10 @@ Sister projects
designed for, or meant to integrate with AFL. See README for the general
instruction manual.
+!!!
+!!! This list is outdated and needs an update, missing: e.g. Angora, FairFuzz
+!!!
+
-------------------------------------------
Support for other languages / environments:
-------------------------------------------
@@ -263,7 +267,7 @@ Static binary-only instrumentation (Aleksandar Nikolich)
reports better performance compared to QEMU, but occasional translation
errors with stripped binaries.
- https://github.com/vrtadmin/moflow/tree/master/afl-dyninst
+ https://github.com/vanhauser-thc/afl-dyninst
AFL PIN (Parker Thompson)
-------------------------
diff --git a/gcc_plugin/CRASH b/gcc_plugin/CRASH
new file mode 100644
index 00000000..51930bb3
--- /dev/null
+++ b/gcc_plugin/CRASH
@@ -0,0 +1,23 @@
+to reproduce:
+=============
+tiff-4.0.4.tar.gz
+CC=afl-gcc-fast CXX=afl-g++-fast ./configure --disable-shared
+make
+
+result
+======
+[+] Instrumented 11 locations in TIFFInitJPEG
+during GIMPLE pass: evrp
+tif_jpeg.c: In function ‘JPEGFixupTagsSubsamplingSec’:
+tif_jpeg.c:2388:1: internal compiler error: Segmentation fault
+ }
+ ^
+0x7ffff758e83f ???
+ /build/glibc-vjB4T1/glibc-2.28/signal/../sysdeps/unix/sysv/linux/x86_64/sigaction.c:0
+0x7ffff757b09a __libc_start_main
+ ../csu/libc-start.c:308
+Please submit a full bug report,
+with preprocessed source if appropriate.
+Please include the complete backtrace with any bug report.
+See <file:///usr/share/doc/gcc-8/README.Bugs> for instructions.
+make[2]: *** [Makefile:696: tif_jpeg.lo] Error 1
diff --git a/gcc_plugin/README.gcc b/gcc_plugin/README.gcc
index fe62020b..a002c741 100644
--- a/gcc_plugin/README.gcc
+++ b/gcc_plugin/README.gcc
@@ -5,6 +5,12 @@ Fast GCC-based instrumentation for afl-fuzz
(See ../docs/README for the general instruction manual.)
(See ../llvm_mode/README.llvm for the LLVM-based instrumentation.)
+
+!!!
+!!! gcc_plugin is not stable yet and can crash when compiling
+!!!
+
+
1) Introduction
---------------
diff --git a/gcc_plugin/afl-gcc-pass.so.cc b/gcc_plugin/afl-gcc-pass.so.cc
index 8d1888ef..b1ca8325 100644
--- a/gcc_plugin/afl-gcc-pass.so.cc
+++ b/gcc_plugin/afl-gcc-pass.so.cc
@@ -1,7 +1,9 @@
//
-// There are two TODOs in this file:
+// There are some TODOs in this file:
// - dont instrument blocks that are uninterested
// - implement whitelist feature
+// - implement notZero
+// - fix crash
//
/*
@@ -102,7 +104,7 @@ static unsigned int ext_call_instrument(function *fun) {
if (!fcnt_blocks++) continue; /* skip block 0 */
- // TODO: if the predecessor does not have to destinations
+ // TODO: if the predecessor does not have ast least two destinations
// then skip this block :TODO
/* Bail on this block if we trip the specified ratio */
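Review bot: The rewritten TODO two lines up still contains a typo — `ast least` should be `at least`, so the line should read `// TODO: if the predecessor does not have at least two destinations`. The continuation line also ends in a stray `:TODO` that the commit leaves in place; keeping the tag once at the front is enough. ext_call_instrument's body begins and ends outside this hunk.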
@@ -223,6 +225,9 @@ static unsigned int inline_instrument(function *fun) {
g = gimple_build_assign(tmp3, PLUS_EXPR, tmp2, one);
gimple_seq_add_stmt(&seq, g); // tmp3 = tmp2 + 1
+ // TODO: neverZero: here we have to check if tmp3 == 0
+ // and add 1 if so
+
// tree tmp4 = create_tmp_var(map_type, "tmp4");
// g = gimple_build_assign(tmp4, PLUS_EXPR, map_ptr_g, area_off);
// gimple_seq_add_stmt(&seq, g); // tmp4 = __afl_area_ptr + area_off
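Review bot: The new neverZero TODO says what to do but not why, so a reader who has not seen llvm_mode cannot tell what the `tmp3 == 0` check protects against. If map_type is the 8-bit hit counter (not visible in this hunk), the comment should say so, e.g. `// TODO: neverZero: if the counter wrapped to 0 after the increment, add 1 so an executed edge never looks unvisited to afl-fuzz`. A literal compare-and-branch here would also split the instrumented block; as far as I recall llvm_mode does this branch-free by adding the zero-extended result of the comparison back into the counter, which may be worth mirroring. inline_instrument's body begins and ends outside this hunk.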
diff --git a/qemu_mode/README.qemu b/qemu_mode/README.qemu
index cf29088b..124fce12 100644
--- a/qemu_mode/README.qemu
+++ b/qemu_mode/README.qemu
@@ -117,7 +117,7 @@ program control flow without actually executing each and every code path.
If you want to experiment with this mode of operation, there is a module
contributed by Aleksandar Nikolich:
- https://github.com/vrtadmin/moflow/tree/master/afl-dyninst
+ https://github.com/vanhauser-thc/afl-dyninst
https://groups.google.com/forum/#!topic/afl-users/HlSQdbOTlpg
At this point, the author reports the possibility of hiccups with stripped