document AFL_LLVM_INSTRUMENT option NATIVE

4 files changed, 8 insertions, 20 deletions

diff --git a/docs/Changelog.md b/docs/Changelog.md
index 28b7e723..a26a4e0e 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -17,6 +17,8 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
     - allow instrumenting LLVMFuzzerTestOneInput
     - fixed endless loop for allow/blocklist lines starting with a
       comment (thanks to Zherya for reporting)
+    - added AFL_LLVM_INSTRUMENT option NATIVE for native clang pc-guard support
+      (less performant than our own)
 
 
 ### Version ++3.00c (release)
diff --git a/docs/env_variables.md b/docs/env_variables.md
index 74863d8d..c1693748 100644
--- a/docs/env_variables.md
+++ b/docs/env_variables.md
@@ -113,6 +113,8 @@ Then there are a few specific features that are only available in instrumentatio
 
     - `AFL_LLVM_INSTRUMENT` - this configures the instrumentation mode. 
       Available options:
+        PCGUARD - our own pcgard based instrumentation (default)
+        NATIVE - clang's original pcguard based instrumentation
         CLASSIC - classic AFL (map[cur_loc ^ prev_loc >> 1]++) (default)
         CFG - InsTrim instrumentation (see below)
         LTO - LTO instrumentation (see below)
diff --git a/instrumentation/README.llvm.md b/instrumentation/README.llvm.md
index 07636970..2705ce0d 100644
--- a/instrumentation/README.llvm.md
+++ b/instrumentation/README.llvm.md
@@ -168,26 +168,7 @@ This is the most powerful and effective fuzzing you can do.
 Please see [README.persistent_mode.md](README.persistent_mode.md) for a
 full explanation.
 
-## 7) Bonus feature: 'trace-pc-guard' mode
-
-LLVM is shipping with a built-in execution tracing feature
-that provides AFL with the necessary tracing data without the need to
-post-process the assembly or install any compiler plugins. See:
-
-  http://clang.llvm.org/docs/SanitizerCoverage.html#tracing-pcs-with-guards
-
-If you have not an outdated compiler and want to give it a try, build
-targets this way:
-
-```
-AFL_LLVM_INSTRUMENT=PCGUARD  make
-```
-
-Note that this is currently the default if you use LLVM >= 7, as it is the best
-mode. Recommended is LLVM >= 9.
-If you have llvm 11+ and compiled afl-clang-lto - this is the only better mode.
-
-## 8) Bonus feature: 'dict2file' pass
+## 7) Bonus feature: 'dict2file' pass
 
 Just specify `AFL_LLVM_DICT2FILE=/absolute/path/file.txt` and during compilation
 all constant string compare parameters will be written to this file to be
diff --git a/src/afl-cc.c b/src/afl-cc.c
index 8593f9b8..6f4801de 100644
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
@@ -1346,6 +1346,9 @@ int main(int argc, char **argv, char **envp) {
         "Sub-Modes: (set via env AFL_LLVM_INSTRUMENT, afl-cc selects the best "
         "available)\n"
         "  PCGUARD: Dominator tree instrumentation (best!) (README.llvm.md)\n"
+#if LLVM_MAJOR > 10 || (LLVM_MAJOR == 10 && LLVM_MINOR > 0)
+        "  NATIVE:  use llvm's native PCGUARD instrumentation (less performant)\n"
+#endif
         "  CLASSIC: decision target instrumentation (README.llvm.md)\n"
         "  CTX:     CLASSIC + callee context (instrumentation/README.ctx.md)\n"
         "  NGRAM-x: CLASSIC + previous path "