authorJana Aydinbas <46303940+llzmb@users.noreply.github.com>2021-12-13 18:23:28 +0100
committerGitHub <noreply@github.com>2021-12-13 18:23:28 +0100
commitaceb1af908cd0d2b0b03cd23b917e59a18e7b0eb (patch)
tree25eb770e6101757b5af15c2f4d227b4a7eabfeda
parent3a60f6a251210497f001673edefbe7a4e1627703 (diff)
parent52dd5d479d411460c8cf2010a89f72e269d799ea (diff)
downloadafl++-aceb1af908cd0d2b0b03cd23b917e59a18e7b0eb.tar.gz
Merge branch 'dev' into docs_add_overview
-rw-r--r--custom_mutators/radamsa/libradamsa.c4
-rw-r--r--docs/Changelog.md2
-rw-r--r--docs/FAQ.md26
-rw-r--r--docs/fuzzing_in_depth.md241
-rw-r--r--docs/resources/1_instrument_target.drawio.svg4
-rw-r--r--docs/resources/2_prepare_campaign.drawio.svg4
-rw-r--r--docs/resources/3_fuzz_target.drawio.svg4
-rw-r--r--docs/resources/4_manage_campaign.drawio.svg4
-rw-r--r--instrumentation/README.cmplog.md9
-rw-r--r--instrumentation/README.laf-intel.md8
-rw-r--r--qemu_mode/QEMUAFL_VERSION2
m---------qemu_mode/qemuafl0
-rw-r--r--src/afl-cc.c2
-rw-r--r--src/afl-fuzz-stats.c6
-rw-r--r--src/afl-sharedmem.c5
m---------unicorn_mode/unicornafl0
16 files changed, 196 insertions, 125 deletions
diff --git a/custom_mutators/radamsa/libradamsa.c b/custom_mutators/radamsa/libradamsa.c
index 792eea35..e6838752 100644
--- a/custom_mutators/radamsa/libradamsa.c
+++ b/custom_mutators/radamsa/libradamsa.c
@@ -4473,6 +4473,10 @@ static word prim_sys(word op, word a, word b, word c) {
         FD_CLOEXEC,
         F_DUPFD,
         F_DUPFD_CLOEXEC,
+#if defined(F_DUP2FD)
+        F_DUP2FD,
+        F_DUP2FD_CLOEXEC,
+#endif
         F_GETFD,
         F_SETFD,
         F_GETFL,
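Review bot: The new `#if defined(F_DUP2FD)` guard covers both added entries, but `F_DUP2FD_CLOEXEC` is a distinct macro that a platform can define independently of `F_DUP2FD`, so a system that provides only the former still fails to compile this table; guarding the second entry on its own name, `#if defined(F_DUP2FD_CLOEXEC)` / `F_DUP2FD_CLOEXEC,` / `#endif`, avoids that. If the Lisp side of this constant table refers to entries by position rather than by name, inserting two entries between `F_DUPFD_CLOEXEC` and `F_GETFD` would shift every later constant on platforms where the guard is true while leaving them in place elsewhere — I cannot see how the table is consumed from this hunk, so that is worth confirming before merging. The enclosing `prim_sys` function begins and ends outside the hunk.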
diff --git a/docs/Changelog.md b/docs/Changelog.md
index e9b62dc0..00502efe 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -34,6 +34,8 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
     - better banner
     - more effective cmplog mode
     - more often update the UI when in input2stage mode
+  - qemu_mode/unicorn_mode: fixed OOB write when using libcompcov,
+      thanks to kotee4ko for reporting!
   - frida_mode:
     - better performance, bug fixes
     - David Carlier added Android support :)
diff --git a/docs/FAQ.md b/docs/FAQ.md
index 7869ee61..f1cffe00 100644
--- a/docs/FAQ.md
+++ b/docs/FAQ.md
@@ -34,6 +34,19 @@ If you find an interesting or important question missing, submit it via
 </p></details>
 
 <details>
+  <summary id="is-afl-a-whitebox-graybox-or-blackbox-fuzzer">Is AFL++ a whitebox, graybox, or blackbox fuzzer?</summary><p>
+
+  The definition of the terms whitebox, graybox, and blackbox fuzzing varies
+  from one source to another. For example, "graybox fuzzing" could mean
+  binary-only or source code fuzzing, or something completely different.
+  Therefore, we try to avoid them.
+
+  [The Fuzzing Book](https://www.fuzzingbook.org/html/GreyboxFuzzer.html#AFL:-An-Effective-Greybox-Fuzzer)
+  describes the original AFL to be a graybox fuzzer. In that sense, AFL++ is
+  also a graybox fuzzer.
+</p></details>
+
+<details>
   <summary id="where-can-i-find-tutorials">Where can I find tutorials?</summary><p>
 
   We compiled a list of tutorials and exercises, see
@@ -127,6 +140,15 @@ If you find an interesting or important question missing, submit it via
 ## Performance
 
 <details>
+  <summary id="what-makes-a-good-performance">What makes a good performance?</summary><p>
+
+  Good performance generally means "making the fuzzing results better". This can
+  be influenced by various factors, for example, speed (finding lots of paths
+  quickly) or thoroughness (working with decreased speed, but finding better
+  mutations).
+</p></details>
+
+<details>
   <summary id="how-can-i-improve-the-fuzzing-speed">How can I improve the fuzzing speed?</summary><p>
 
   There are a few things you can do to improve the fuzzing speed, see
@@ -146,8 +168,8 @@ If you find an interesting or important question missing, submit it via
   the edge coverage result will be different across runs. Those edges that
   change are then flagged "unstable".
 
-  The more "unstable" edges, the more difficult for AFL++ to identify valid new
-  paths.
+  The more "unstable" edges there are, the harder it is for AFL++ to identify
+  valid new paths.
 
   A value above 90% is usually fine and a value above 80% is also still ok, and
   even a value above 20% can still result in successful finds of bugs. However,
diff --git a/docs/fuzzing_in_depth.md b/docs/fuzzing_in_depth.md
index e1599c39..b280ca0a 100644
--- a/docs/fuzzing_in_depth.md
+++ b/docs/fuzzing_in_depth.md
@@ -95,38 +95,43 @@ Clickable README links for the chosen compiler:
 * GCC/CLANG modes (afl-gcc/afl-clang) have no README as they have no own
   features
 
-You can select the mode for the afl-cc compiler by:
-1. use a symlink to afl-cc: afl-gcc, afl-g++, afl-clang, afl-clang++,
+You can select the mode for the afl-cc compiler by one of the following methods:
+
+* Using a symlink to afl-cc: afl-gcc, afl-g++, afl-clang, afl-clang++,
    afl-clang-fast, afl-clang-fast++, afl-clang-lto, afl-clang-lto++,
-   afl-gcc-fast, afl-g++-fast (recommended!)
-2. using the environment variable AFL_CC_COMPILER with MODE
-3. passing --afl-MODE command line options to the compiler via
-   CFLAGS/CXXFLAGS/CPPFLAGS
+   afl-gcc-fast, afl-g++-fast (recommended!).
+* Using the environment variable `AFL_CC_COMPILER` with `MODE`.
+* Passing --afl-MODE command line options to the compiler via
+   `CFLAGS`/`CXXFLAGS`/`CPPFLAGS`.
+
+`MODE` can be one of the following:
 
-MODE can be one of: LTO (afl-clang-lto*), LLVM (afl-clang-fast*), GCC_PLUGIN
-(afl-g*-fast) or GCC (afl-gcc/afl-g++) or CLANG(afl-clang/afl-clang++).
+* LTO (afl-clang-lto*)
+* LLVM (afl-clang-fast*)
+* GCC_PLUGIN (afl-g*-fast) or GCC (afl-gcc/afl-g++)
+* CLANG(afl-clang/afl-clang++)
 
 Because no AFL++ specific command-line options are accepted (beside the
 --afl-MODE command), the compile-time tools make fairly broad use of environment
-variables, which can be listed with `afl-cc -hh` or by reading
+variables, which can be listed with `afl-cc -hh` or looked up in
 [env_variables.md](env_variables.md).
 
 ### b) Selecting instrumentation options
 
-The following options are available when you instrument with LTO mode
-(afl-clang-fast/afl-clang-lto):
+If you instrument with LTO mode (afl-clang-fast/afl-clang-lto), the following
+options are available:
 
-* Splitting integer, string, float and switch comparisons so AFL++ can easier
+* Splitting integer, string, float, and switch comparisons so AFL++ can easier
   solve these. This is an important option if you do not have a very good and
-  large input corpus. This technique is called laf-intel or COMPCOV. To use this
-  set the following environment variable before compiling the target: `export
-  AFL_LLVM_LAF_ALL=1` You can read more about this in
+  large input corpus. This technique is called laf-intel or COMPCOV. To use
+  this, set the following environment variable before compiling the target:
+  `export AFL_LLVM_LAF_ALL=1`. You can read more about this in
   [instrumentation/README.laf-intel.md](../instrumentation/README.laf-intel.md).
 * A different technique (and usually a better one than laf-intel) is to
   instrument the target so that any compare values in the target are sent to
   AFL++ which then tries to put these values into the fuzzing data at different
   locations. This technique is very fast and good - if the target does not
-  transform input data before comparison. Therefore this technique is called
+  transform input data before comparison. Therefore, this technique is called
   `input to state` or `redqueen`. If you want to use this technique, then you
   have to compile the target twice, once specifically with/for this mode by
   setting `AFL_LLVM_CMPLOG=1`, and pass this binary to afl-fuzz via the `-c`
@@ -135,24 +140,25 @@ The following options are available when you instrument with LTO mode
   about this in
   [instrumentation/README.cmplog.md](../instrumentation/README.cmplog.md).
 
-If you use LTO, LLVM or GCC_PLUGIN mode
-(afl-clang-fast/afl-clang-lto/afl-gcc-fast) you have the option to selectively
+If you use LTO, LLVM, or GCC_PLUGIN mode
+(afl-clang-fast/afl-clang-lto/afl-gcc-fast), you have the option to selectively
 only instrument parts of the target that you are interested in:
 
-* To instrument only those parts of the target that you are interested in create
-  a file with all the filenames of the source code that should be instrumented.
-  For afl-clang-lto and afl-gcc-fast - or afl-clang-fast if a mode other than
-  DEFAULT/PCGUARD is used or you have llvm > 10.0.0 - just put one filename or
-  function per line (no directory information necessary for filenames9, and
-  either set `export AFL_LLVM_ALLOWLIST=allowlist.txt` **or** `export
-  AFL_LLVM_DENYLIST=denylist.txt` - depending on if you want per default to
-  instrument unless noted (DENYLIST) or not perform instrumentation unless
+* To instrument only those parts of the target that you are interested in,
+  create a file with all the filenames of the source code that should be
+  instrumented. For afl-clang-lto and afl-gcc-fast - or afl-clang-fast if a mode
+  other than DEFAULT/PCGUARD is used or you have llvm > 10.0.0 - just put one
+  filename or function per line (no directory information necessary for
+  filenames), and either set `export AFL_LLVM_ALLOWLIST=allowlist.txt` **or**
+  `export AFL_LLVM_DENYLIST=denylist.txt` - depending on if you want per default
+  to instrument unless noted (DENYLIST) or not perform instrumentation unless
   requested (ALLOWLIST). **NOTE:** During optimization functions might be
   inlined and then would not match! See
-  [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md)
+  [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md).
 
 There are many more options and modes available, however, these are most of the
 time less effective. See:
+
 * [instrumentation/README.llvm.md#6) AFL++ Context Sensitive Branch Coverage](../instrumentation/README.llvm.md#6-afl-context-sensitive-branch-coverage)
 * [instrumentation/README.llvm.md#7) AFL++ N-Gram Branch Coverage](../instrumentation/README.llvm.md#7-afl-n-gram-branch-coverage)
 
@@ -166,12 +172,13 @@ It is possible to use sanitizers when instrumenting targets for fuzzing, which
 allows you to find bugs that would not necessarily result in a crash.
 
 Note that sanitizers have a huge impact on CPU (= less executions per second)
-and RAM usage. Also you should only run one afl-fuzz instance per sanitizer
+and RAM usage. Also, you should only run one afl-fuzz instance per sanitizer
 type. This is enough because a use-after-free bug will be picked up, e.g., by
 ASAN (address sanitizer) anyway when syncing to other fuzzing instances, so not
 all fuzzing instances need to be instrumented with ASAN.
 
 The following sanitizers have built-in support in AFL++:
+
 * ASAN = Address SANitizer, finds memory corruption vulnerabilities like
   use-after-free, NULL pointer dereference, buffer overruns, etc. Enabled with
   `export AFL_USE_ASAN=1` before compiling.
@@ -184,7 +191,7 @@ The following sanitizers have built-in support in AFL++:
   with `export AFL_USE_UBSAN=1` before compiling.
 * CFISAN = Control Flow Integrity SANitizer, finds instances where the control
   flow is found to be illegal. Originally this was rather to prevent return
-  oriented programming exploit chains from functioning, in fuzzing this is
+  oriented programming exploit chains from functioning. In fuzzing, this is
   mostly reduced to detecting type confusion vulnerabilities - which is,
   however, one of the most important and dangerous C++ memory corruption
   classes! Enabled with `export AFL_USE_CFISAN=1` before compiling.
@@ -227,20 +234,20 @@ All AFL++ compilers will set this preprocessor definition automatically.
 
 ### e) Instrumenting the target
 
-In this step the target source code is compiled so that it can be fuzzed.
+In this step, the target source code is compiled so that it can be fuzzed.
 
-Basically you have to tell the target build system that the selected AFL++
+Basically, you have to tell the target build system that the selected AFL++
 compiler is used. Also - if possible - you should always configure the build
-system such that the target is compiled statically and not dynamically. How to
-do this is described below.
+system in such way that the target is compiled statically and not dynamically.
+How to do this is described below.
 
 The #1 rule when instrumenting a target is: avoid instrumenting shared libraries
-at all cost. You would need to set LD_LIBRARY_PATH to point to these, you could
-accidentally type "make install" and install them system wide - so don't. Really
-don't. **Always compile libraries you want to have instrumented as static and
-link these to the target program!**
+at all cost. You would need to set `LD_LIBRARY_PATH` to point to these, you
+could accidentally type "make install" and install them system wide - so don't.
+Really don't. **Always compile libraries you want to have instrumented as static
+and link these to the target program!**
 
-Then build the target. (Usually with `make`)
+Then build the target. (Usually with `make`.)
 
 **NOTES**
 
@@ -258,41 +265,49 @@ Then build the target. (Usually with `make`)
 
 #### configure
 
-For `configure` build systems this is usually done by:
+For `configure` build systems, this is usually done by:
 
-`CC=afl-clang-fast CXX=afl-clang-fast++ ./configure --disable-shared`
+```
+CC=afl-clang-fast CXX=afl-clang-fast++ ./configure --disable-shared
+```
 
-Note that if you are using the (better) afl-clang-lto compiler you also have to
-set AR to llvm-ar[-VERSION] and RANLIB to llvm-ranlib[-VERSION] - as is
+Note that if you are using the (better) afl-clang-lto compiler, you also have to
+set `AR` to llvm-ar[-VERSION] and `RANLIB` to llvm-ranlib[-VERSION] - as is
 described in [instrumentation/README.lto.md](../instrumentation/README.lto.md).
 
-#### cmake
+#### CMake
 
-For `cmake` build systems this is usually done by:
+For CMake build systems, this is usually done by:
 
-`mkdir build; cd build; cmake -DCMAKE_C_COMPILER=afl-cc -DCMAKE_CXX_COMPILER=afl-c++ ..`
+```
+mkdir build; cd build; cmake -DCMAKE_C_COMPILER=afl-cc -DCMAKE_CXX_COMPILER=afl-c++ ..
+```
 
 Note that if you are using the (better) afl-clang-lto compiler you also have to
 set AR to llvm-ar[-VERSION] and RANLIB to llvm-ranlib[-VERSION] - as is
 described in [instrumentation/README.lto.md](../instrumentation/README.lto.md).
 
-#### meson
+#### Meson Build System
 
-For meson you have to set the AFL++ compiler with the very first command!
-`CC=afl-cc CXX=afl-c++ meson`
+For the Meson Build System, you have to set the AFL++ compiler with the very
+first command!
 
-#### other build systems or if configure/cmake didn't work
+```
+CC=afl-cc CXX=afl-c++ meson
+```
+
+#### Other build systems or if configure/cmake didn't work
 
-Sometimes cmake and configure do not pick up the AFL++ compiler, or the
-ranlib/ar that is needed - because this was just not foreseen by the developer
-of the target. Or they have non-standard options. Figure out if there is a
-non-standard way to set this, otherwise set up the build normally and edit the
-generated build environment afterwards manually to point it to the right
-compiler (and/or ranlib and ar).
+Sometimes `cmake` and `configure` do not pick up the AFL++ compiler or the
+`RANLIB`/`AR` that is needed - because this was just not foreseen by the
+developer of the target. Or they have non-standard options. Figure out if there
+is a non-standard way to set this, otherwise set up the build normally and edit
+the generated build environment afterwards manually to point it to the right
+compiler (and/or `RANLIB` and `AR`).
 
 ### f) Better instrumentation
 
-If you just fuzz a target program as-is you are wasting a great opportunity for
+If you just fuzz a target program as-is, you are wasting a great opportunity for
 much more fuzzing speed.
 
 This variant requires the usage of afl-clang-lto, afl-clang-fast or
@@ -304,7 +319,7 @@ that you want to fuzz, plus a few specific AFL++ functions around it. See
 [instrumentation/README.persistent_mode.md](../instrumentation/README.persistent_mode.md)
 for details.
 
-Basically if you do not fuzz a target in persistent mode, then you are just
+Basically, if you do not fuzz a target in persistent mode, then you are just
 doing it for a hobby and not professionally :-).
 
 ### g) libfuzzer fuzzer harnesses with LLVMFuzzerTestOneInput()
@@ -354,20 +369,24 @@ You can find many good examples of starting files in the
 ### b) Making the input corpus unique
 
 Use the AFL++ tool `afl-cmin` to remove inputs from the corpus that do not
-produce a new path/coverage in the target.
+produce a new path/coverage in the target:
 
-Put all files from step a) into one directory, e.g., INPUTS.
+1. Put all files from [step a](#a-collecting-inputs) into one directory, e.g., INPUTS.
+2. Run afl-cmin:
+   * If the target program is to be called by fuzzing as `bin/target -d
+     INPUTFILE`, set the INPUTFILE argument that the target program would read
+     from as `@@`:
 
-If the target program is to be called by fuzzing as `bin/target -d INPUTFILE`
-the run afl-cmin like this:
+     ```
+     afl-cmin -i INPUTS -o INPUTS_UNIQUE -- bin/target -d @@
+     ```
 
-`afl-cmin -i INPUTS -o INPUTS_UNIQUE -- bin/target -d @@`
+   * If the target reads from stdin instead, just omit the `@@` as this is the
+     default:
 
-Note that the INPUTFILE argument that the target program would read from has to
-be set as `@@`.
-
-If the target reads from stdin instead, just omit the `@@` as this is the
-default.
+     ```
+     afl-cmin -i INPUTS -o INPUTS_UNIQUE -- bin/target -d
+     ```
 
 This step is highly recommended!
 
@@ -385,14 +404,16 @@ for i in *; do
 done
 ```
 
-This step can also be parallelized, e.g., with `parallel`. Note that this step
-is rather optional though.
+This step can also be parallelized, e.g., with `parallel`.
+
+Note that this step is rather optional though.
 
 ### Done!
 
-The INPUTS_UNIQUE/ directory from step b) - or even better the directory input/
-if you minimized the corpus in step c) - is the resulting input corpus directory
-to be used in fuzzing! :-)
+The INPUTS_UNIQUE/ directory from [step b](#b-making-the-input-corpus-unique) -
+or even better the directory input/ if you minimized the corpus in
+[step c](#c-minimizing-all-corpus-files) - is the resulting input corpus
+directory to be used in fuzzing! :-)
 
 ## 3. Fuzzing the target
 
@@ -405,28 +426,31 @@ seriously :-)
 
 ### a) Running afl-fuzz
 
-Before you do even a test run of afl-fuzz execute `sudo afl-system-config` (on
-the host if you execute afl-fuzz in a docker container). This reconfigures the
+Before you do even a test run of afl-fuzz, execute `sudo afl-system-config` (on
+the host if you execute afl-fuzz in a Docker container). This reconfigures the
 system for optimal speed - which afl-fuzz checks and bails otherwise. Set
 `export AFL_SKIP_CPUFREQ=1` for afl-fuzz to skip this check if you cannot run
 afl-system-config with root privileges on the host for whatever reason.
 
-Note there is also `sudo afl-persistent-config` which sets additional permanent
-boot options for a much better fuzzing performance.
+Note:
 
-Note that both scripts improve your fuzzing performance but also decrease your
-system protection against attacks! So set strong firewall rules and only expose
-SSH as a network service if you use these (which is highly recommended).
+* There is also `sudo afl-persistent-config` which sets additional permanent
+  boot options for a much better fuzzing performance.
+* Both scripts improve your fuzzing performance but also decrease your system
+  protection against attacks! So set strong firewall rules and only expose SSH
+  as a network service if you use these (which is highly recommended).
 
-If you have an input corpus from step 2, then specify this directory with the
-`-i` option. Otherwise, create a new directory and create a file with any
-content as test data in there.
+If you have an input corpus from [step 2](#2-preparing-the-fuzzing-campaign),
+then specify this directory with the `-i` option. Otherwise, create a new
+directory and create a file with any content as test data in there.
 
 If you do not want anything special, the defaults are already usually best,
 hence all you need is to specify the seed input directory with the result of
-step [2a) Collect inputs](#a-collect-inputs):
+step [2a) Collecting inputs](#a-collecting-inputs):
 
-`afl-fuzz -i input -o output -- bin/target -d @@`
+```
+afl-fuzz -i input -o output -- bin/target -d @@
+```
 
 Note that the directory specified with `-o` will be created if it does not
 exist.
@@ -444,7 +468,9 @@ If you need to stop and re-start the fuzzing, use the same command line options
 (or even change them by selecting a different power schedule or another mutation
 mode!) and switch the input directory with a dash (`-`):
 
-`afl-fuzz -i - -o output -- bin/target -d @@`
+```
+afl-fuzz -i - -o output -- bin/target -d @@
+```
 
 Adding a dictionary is helpful. See the directory
 [dictionaries/](../dictionaries/) if something is already included for your data
@@ -461,7 +487,7 @@ specific locations for the input file (`-f`), performing deterministic fuzzing
 We highly recommend that you set a memory limit for running the target with `-m`
 which defines the maximum memory in MB. This prevents a potential out-of-memory
 problem for your system plus helps you detect missing `malloc()` failure
-handling in the target. Play around with various -m values until you find one
+handling in the target. Play around with various `-m` values until you find one
 that safely works for all your input seeds (if you have good ones and then
 double or quadruple that.
 
@@ -469,8 +495,8 @@ By default, afl-fuzz never stops fuzzing. To terminate AFL++, press Control-C or
 send a signal SIGINT. You can limit the number of executions or approximate
 runtime in seconds with options also.
 
-When you start afl-fuzz you will see a user interface that shows what the status
-is:
+When you start afl-fuzz, you will see a user interface that shows what the
+status is:
 
 ![resources/screenshot.png](resources/screenshot.png)
 
@@ -596,7 +622,8 @@ done
 ```
 
 You can run this manually, per cron job - as you need it. There is a more
-complex and configurable script in `utils/distributed_fuzzing`.
+complex and configurable script in
+[utils/distributed_fuzzing](../utils/distributed_fuzzing).
 
 ### e) The status of the fuzz campaign
 
@@ -612,7 +639,7 @@ If you have multiple servers, then use the command after a sync or you have to
 execute this script per server.
 
 Another tool to inspect the current state and history of a specific instance is
-afl-plot, which generates an index.html file and a graphs that show how the
+afl-plot, which generates an index.html file and graphs that show how the
 fuzzing instance is performing. The syntax is `afl-plot instance_dir web_dir`,
 e.g., `afl-plot out/default /srv/www/htdocs/plot`.
 
@@ -623,7 +650,7 @@ To stop an afl-fuzz run, press Control-C.
 To restart an afl-fuzz run, just reuse the same command line but replace the `-i
 directory` with `-i -` or set `AFL_AUTORESUME=1`.
 
-If you want to add new seeds to a fuzzing campaign you can run a temporary
+If you want to add new seeds to a fuzzing campaign, you can run a temporary
 fuzzing instance, e.g., when your main fuzzer is using `-o out` and the new
 seeds are in `newseeds/` directory:
 
@@ -686,21 +713,21 @@ or honggfuzz.
 ### i) Improve the speed!
 
 * Use [persistent mode](../instrumentation/README.persistent_mode.md) (x2-x20
-  speed increase)
+  speed increase).
 * If you do not use shmem persistent mode, use `AFL_TMPDIR` to point the input
-  file on a tempfs location, see [env_variables.md](env_variables.md)
+  file on a tempfs location, see [env_variables.md](env_variables.md).
 * Linux: Improve kernel performance: modify `/etc/default/grub`, set
   `GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=off l1tf=off mds=off
   mitigations=off no_stf_barrier noibpb noibrs nopcid nopti
   nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off
   spec_store_bypass_disable=off spectre_v2=off stf_barrier=off"`; then
   `update-grub` and `reboot` (warning: makes the system more insecure) - you can
-  also just run `sudo afl-persistent-config`
+  also just run `sudo afl-persistent-config`.
 * Linux: Running on an `ext2` filesystem with `noatime` mount option will be a
-  bit faster than on any other journaling filesystem
-* Use your cores! [3c) Using multiple cores](#c-using-multiple-cores)
+  bit faster than on any other journaling filesystem.
+* Use your cores! See [3c) Using multiple cores](#c-using-multiple-cores).
 * Run `sudo afl-system-config` before starting the first afl-fuzz instance after
-  a reboot
+  a reboot.
 
 ### j) Going beyond crashes
 
@@ -774,7 +801,7 @@ making it easier to diagnose faults.
 Having said that, it's important to acknowledge that some fuzzing crashes can be
 difficult to quickly evaluate for exploitability without a lot of debugging and
 code analysis work. To assist with this task, afl-fuzz supports a very unique
-"crash exploration" mode enabled with the -C flag.
+"crash exploration" mode enabled with the `-C` flag.
 
 In this mode, the fuzzer takes one or more crashing test cases as the input and
 uses its feedback-driven fuzzing strategies to very quickly enumerate all code
@@ -800,19 +827,19 @@ mode, it will happily accept instrumented and non-instrumented binaries. In the
 non-crashing mode, the minimizer relies on standard AFL++ instrumentation to
 make the file simpler without altering the execution path.
 
-The minimizer accepts the -m, -t, -f and @@ syntax in a manner compatible with
-afl-fuzz.
+The minimizer accepts the `-m`, `-t`, `-f`, and `@@` syntax in a manner
+compatible with afl-fuzz.
 
 Another tool in AFL++ is the afl-analyze tool. It takes an input file, attempts
-to sequentially flip bytes, and observes the behavior of the tested program. It
-then color-codes the input based on which sections appear to be critical, and
+to sequentially flip bytes and observes the behavior of the tested program. It
+then color-codes the input based on which sections appear to be critical and
 which are not; while not bulletproof, it can often offer quick insights into
 complex file formats.
 
 ## 5. CI fuzzing
 
-Some notes on CI fuzzing - this fuzzing is different to normal fuzzing campaigns
-as these are much shorter runnings.
+Some notes on continuous integration (CI) fuzzing - this fuzzing is different to
+normal fuzzing campaigns as these are much shorter runnings.
 
 1. Always:
     * LTO has a much longer compile time which is diametrical to short fuzzing -
@@ -820,10 +847,10 @@ as these are much shorter runnings.
     * If you compile with CMPLOG, then you can save fuzzing time and reuse that
       compiled target for both the `-c` option and the main fuzz target. This
       will impact the speed by ~15% though.
-    * `AFL_FAST_CAL` - Enable fast calibration, this halves the time the
+    * `AFL_FAST_CAL` - enables fast calibration, this halves the time the
       saturated corpus needs to be loaded.
-    * `AFL_CMPLOG_ONLY_NEW` - only perform cmplog on new finds, not the
-      initial corpus as this very likely has been done for them already.
+    * `AFL_CMPLOG_ONLY_NEW` - only perform cmplog on new finds, not the initial
+      corpus as this very likely has been done for them already.
     * Keep the generated corpus, use afl-cmin and reuse it every time!
 
 2. Additionally randomize the AFL++ compilation options, e.g.:
diff --git a/docs/resources/1_instrument_target.drawio.svg b/docs/resources/1_instrument_target.drawio.svg
new file mode 100644
index 00000000..95afe77b
--- /dev/null
+++ b/docs/resources/1_instrument_target.drawio.svg
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Do not edit this file with editors other than diagrams.net -->
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="1021px" height="291px" viewBox="-0.5 -0.5 1021 291" content="&lt;mxfile host=&quot;Electron&quot; modified=&quot;2021-12-12T21:16:18.624Z&quot; agent=&quot;5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) draw.io/15.8.7 Chrome/91.0.4472.164 Electron/13.6.2 Safari/537.36&quot; etag=&quot;FGRpX-Ip4ObwsVXxBH71&quot; version=&quot;15.8.7&quot; type=&quot;device&quot;&gt;&lt;diagram name=&quot;1 - instrument target&quot; id=&quot;y32N0Cs56pMhbVcY_pYT&quot;&gt;7VpbT+M6EP41lZaHolx6fWyztIvUAjpd9hyekJu4iQ9OnHUcaPn1ayfOjYSGAk0rtghEPB6P7fnGn+1JWrrhrqcU+M6cWBC3NMVat/TvLU3TukOV/xOSTSwZ9LuxwKbIikVqJligZyiFipSGyIJBQZERghnyi0KTeB40WUEGKCVPRbUVwcVefWDDkmBhAlyW/oss5kip2htmFT8gsh3Z9UDrxxUuSJTlTAIHWOQpJ9IvWrpBCWHxk7s2IBbOS/wy3dzdsitoTlZ3s6CvoMG1ddmOjU12aZJOgUKPfa5pLTb9CHAo/dXSeph3Mg584PFnWzxfegGjoSt65+gBakOWqPH+8prSU2yTuJ+S0LOgGILCq58cxODCB6aofeIBx2UOczEvqfxxhTA2CCaUlz3iQSEiHltIc0KFD4Q8wBdKgJoy8DqiF7AMCA4ZHKViJR1arROlsx8hZXCdCyHp1CkkLmR0w1VkbbvfkwGyKUb+UxZuWkfKnFyk6VIGZITbqekMRf4ggdwBVL0E6j/wd4goh0HAFzxsQUmtR6kIQYvPI/qRYE2Ai7DwxA+IHyFDJhCIYGR7XGZy30Peaizcy6vwSFa4yLIwrA4BzgwMIE+02y+QnV6nAKTWLyOp9ppEslNC8tpniHgAfwqSFgicVPfLwqoNlSODtVuCDVp805JFQplDbAHyRSYdF4k005kR4ksE/4eMbSTjgZCRBpftbuCJ2W6FjkIMGHosbuFVMMimNwRFe9OrlNwZnneLVgISUhPKhvlts2RLr7UVb4klW1FspLN6f7gMKjbp5uPnyCAe9suw9HrvxHjYqTe2Z5CTU8OJFJqKGK2nvClcPg1h9YRwswjr6rBZhA9CzHCN2H+iOd+W4tJdrub7WlqOCpuk4PGZ5hqJ4l2+LmsWlZJ2f3U09QfNRlP5HncikGYh7wwb3iI6JwL5wtHUe2Fj30fKg9wz3xNNRwZcXy8mgtSB/s6LRa2lfYdAr2IPiTO3QGQ7KFxF0t7vUKSxOY5M5OVHYiDaxEbMCZfnJnF5YTSZ+TgMxF+ptMRkKTLBDCx5EGkTi5hCvAqfn5Fn3yPv3oI+c85di6940A4ghibjNW3mwPYSBqwNVrjN+/ERhrS9IrSN0pxzopcmnuVYk5zzIrLWEq8Q4va53DTIEtOxbElfl8x+Xou8P7Fgue5bVV7cxMCzeS/y/zj6VcQ5f/xqfrxs5axGd+uQZ7/mnzFm/XzQ3KCnhnF/M7udXl7tNnTbNHmDbqMD5a2M2ehq+vpICY9NelZi2oOn1Jng64MmXlW1W9wAuxWJ10FF4lVT9pV5VfvHx4fLHB9mrAdEnr9NonR/sIX0Mo13cV7ZjsKHBj0LCXZQiFduwuM9T7bCOfX9GNfzG+P6V9X68bAIGk6+Z28y5PozYn/c
jvT5o5jLC69XGI+2BkOYjwhXPGUs9sHFv/e3MIdngpf51cMTgXYcl+vdPB4fO7fpyQyFPCptmf6nH6U/RstVrzgOTMtmjpYD4CHGMaTbmDhV+jgXe7DKXqbpC2FEW8ATAfEmCh4tRlcVfDq5rJTPKqXzSunPSuntOBKfqHErNb58vXh4akyS5se0GOEO90EjPplkNJgSpzi1ZGf4XZdnvd3S0UmJz0rLEGFLqG8CBt03LlcegStkh7TizmHMwUOFeA6DqNOx7G4Rd1fSi24spYVZsxSL6/ZrrkVdPba1qJW/APoCx5T0Q9C6Y0pCRUdyTEkMHxMzWm2XWGi1qWPFeaTVqvh+cycSHEVe4uNNU0fJRTAoK1skokAkbpUiqFwQLXi8Oa/q6nRQ2EpOXa05cuLF7LvmOBedfR2uX/wB&lt;/diagram&gt;&lt;/mxfile&gt;"><defs/><g><rect x="390" y="0" width="240" height="30" fill="none" stroke="none" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 238px; height: 1px; padding-top: 15px; margin-left: 391px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; font-weight: bold; white-space: normal; overflow-wrap: normal;"><span>Instrument target</span></div></div></div></foreignObject><text x="510" y="19" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle" font-weight="bold">Instrument target</text></switch></g><rect x="686" y="260" width="160" height="30" rx="4.5" ry="4.5" fill="none" stroke="#000000" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; 
padding-top: 275px; margin-left: 687px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Required task</div></div></div></foreignObject><text x="766" y="279" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Required task</text></switch></g><rect x="860" y="260" width="160" height="30" rx="4.5" ry="4.5" fill="none" stroke="#000000" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 275px; margin-left: 861px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Optional task</div></div></div></foreignObject><text x="940" y="279" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Optional task</text></switch></g><path d="M 390 139.5 L 413.63 139.5" fill="none" stroke="#000000" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 418.88 139.5 L 411.88 143 L 413.63 139.5 L 411.88 136 Z" fill="#000000" stroke="#000000" stroke-miterlimit="10" pointer-events="all"/><path d="M 180 139.66 L 203.63 139.66" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 208.88 139.66 L 201.88 143.16 L 203.63 139.66 L 201.88 
136.16 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all"/><rect x="0" y="40" width="180" height="200" rx="27" ry="27" fill="none" stroke="#000000" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 47px; margin-left: 1px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#a-selecting-the-best-afl-compiler-for-instrumenting-the-target">Select compiler</a><br /><br />LTO mode<br />(<span>clang/clang++ 11+</span><span>)</span><br /><br />LLVM mode<br />(<span>clang/clang++ 3.8+</span><span>)</span><br /><br />GCC_PLUGIN mode<br />(<span>gcc 5+</span><span>)</span><br /><br />GCC/CLANG mode<br />(other)</div></div></div></foreignObject><text x="90" y="59" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Select compiler...</text></switch></g><rect x="210" y="40" width="180" height="200" rx="27" ry="27" fill="none" stroke="#000000" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; 
width: 178px; height: 1px; padding-top: 47px; margin-left: 211px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#b-selecting-instrumentation-options">Select options</a><br /><br />Select options depending on<br />the compiler:<br /><br />COMPCOV<br />(only LTO)<br /><br />CmpLog<br />(only LTO)<br /><br />selective instrumentation<br />(LTO, LLVM, GCC_PLUGIN)</div></div></div></foreignObject><text x="300" y="59" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Select options...</text></switch></g><path d="M 600 140 L 620 140 L 610 140 L 623.63 140" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 628.88 140 L 621.88 143.5 L 623.63 140 L 621.88 136.5 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all"/><rect x="420" y="40" width="180" height="200" rx="27" ry="27" fill="none" stroke="#000000" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 47px; margin-left: 421px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; 
overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#c-selecting-sanitizers">Select sanitizer</a><br /><br />Select one sanitizer<br />per instance:<br /><br />ASAN<br />CFISAN<br />LSAN<br />MSAN<br />TSAN<br />UBSAN</div></div></div></foreignObject><text x="510" y="59" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Select sanitizer...</text></switch></g><rect x="840" y="40" width="180" height="200" rx="27" ry="27" fill="none" stroke="#000000" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 47px; margin-left: 841px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#e-instrumenting-the-target">Compile target source code</a><br /><br />Compile target source code depending on the build system:<br /><br />configure<br />CMake<br />Meson Build System<br />other</div></div></div></foreignObject><text x="930" y="59" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Compile target source code...</text></switch></g><path d="M 810 140 L 830 140 L 820 140 L 833.63 140" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 838.88 140 L 831.88 143.5 L 833.63 140 L 831.88 136.5 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" 
stroke-miterlimit="10" pointer-events="all"/><rect x="630" y="40" width="180" height="200" rx="27" ry="27" fill="none" stroke="#000000" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 47px; margin-left: 631px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#d-modifying-the-target">Modify target</a><br /><br />All AFL++ compilers<br />do this automatically.<br /></div></div></div></foreignObject><text x="720" y="59" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Modify target...</text></switch></g></g><switch><g requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"/><a transform="translate(0,-5)" xlink:href="https://www.diagrams.net/doc/faq/svg-export-text-problems" target="_blank"><text text-anchor="middle" font-size="10px" x="50%" y="100%">Viewer does not support full SVG 1.1</text></a></switch></svg>
\ No newline at end of file
diff --git a/docs/resources/2_prepare_campaign.drawio.svg b/docs/resources/2_prepare_campaign.drawio.svg
new file mode 100644
index 00000000..44427908
--- /dev/null
+++ b/docs/resources/2_prepare_campaign.drawio.svg
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Do not edit this file with editors other than diagrams.net -->
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="601px" height="182px" viewBox="-0.5 -0.5 601 182" content="&lt;mxfile host=&quot;Electron&quot; modified=&quot;2021-12-12T20:15:37.131Z&quot; agent=&quot;5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) draw.io/15.8.7 Chrome/91.0.4472.164 Electron/13.6.2 Safari/537.36&quot; etag=&quot;UXO8THvPptx1MviG0OWa&quot; version=&quot;15.8.7&quot; type=&quot;device&quot;&gt;&lt;diagram name=&quot;2 - prepare campaign&quot; id=&quot;dejA2OcQ2wkmtmh7vij0&quot;&gt;7Vpbc9o6EP41PDqDbcDmMSGhTU/T0zlM57RPHWELW41sObLMJb/+7NoytjEhl0OANmEmifVpddvv29UC6dijaPlBkiS8ET7lHavrLzv2ZceCl2PCH0RWBeI6/QIIJPMLyKyACbunGuxqNGM+TRuGSgiuWNIEPRHH1FMNjEgpFk2zmeDNVRMS0BYw8Qhvo/8yX4UaNQfDquMjZUGol3Ytp+iISGmsT5KGxBeLGmRfdeyRFEIVT9FyRDk6r/TLX1+m3z99urlW1xfO9WQgR4uFYxSTjZ8zZH0ESWO136n1WeeEZ9pfHWvAYZGLNCExPAf4/FVSXBxZIlFCWBCXVrBc3VA7Sq1K70uRxT7FHXShexEyRScJ8bB3AXoDLFQRh5YJjzPG+UhwIaEdi5giJGI10dOhSaqkuKUbRkR6Wnc9XIVMU8EzRc/XcHe9tUd9qH09p1LRZU1B2qcfqIiokisw0b3G0NH6WDWFv6jUZvU0FtaEZmuMaIEH66krEuFB8/gMToctTv+hdxmTQAPEHklvd7BkPs5Sk4IOnCN/abLGJGIcPfGR8jlVzCPICEfJ2Jce+J7CqAt0L3Txc90RMd/ndLsEIDEowmIc97pEum6vSWTfbjFpDg7JZCmlGpV/J4qJmPC9UOmTNFzb/rG8Omb3xHgtr5gab9SHW0s3hVShCJDlqwq9aKbSyuazEImm8BdVaqVzHsmUOGDgPo+9VGTSo7s85OpSgciA7prQ0tkO/bdTDZJyoti8WRXsn1n3wQuVoLokneXo4C7DsgHoUVgHneOq1jhgKsymZ56IoHE+/pzwLMWfVmvKxRSvXkWm4H1r7AsP4Vl2f8/i4CeLf/o0UeFZBCnfnhoRuQXYUCE1WJxkyvCETLLUyGJ2B9tc76a8xm/ILV72uW1emqE1PKzty7ufVBd/gU3lw8i3FCctcdQc1nNE66DcwwikwUBrVvcLXbS3Rmbc8CJWL0CKmcpVuyJubf3sPU0+oY7pNdNkv13HmO6WLOm+WpZsFzJHjyXPAO2xiGGXQTgvIwmIgzc57UAqjGk9iND06CGknh5C+dHeI+gphYZ9YhHU72+JoMMXHnuuDUovP14buCdVG9jtav7o+YxAAuOcegrzWR7xW7LYqDApc0L60uxVIj6bNzRYrgdxpgwd6nDqLqcztWs3GN7wGxNdJCTdkrMe2gG6BTfx6KcWb/n9sGn2Tyyf2UdJXyf0vml/mUwP/SpYXkM89GGWNdjgssjOetgGnet9/A+G7XeGD8uwbQ4Py3DvGAzTJVPfcfhZX7d+1Houl3rmvLEqGzGctDYImz/qfdWwvFWOe9NqctzDquk0Kty3THlveOArYvCeQP5gNQ025ije5b2amnrD30VNJ0acY298W+baT0oDL5jpxRKAZvX1fGFe/ZODffU
f&lt;/diagram&gt;&lt;/mxfile&gt;"><defs/><g><rect x="180" y="0" width="240" height="30" fill="none" stroke="none" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 238px; height: 1px; padding-top: 15px; margin-left: 181px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; font-weight: bold; white-space: normal; overflow-wrap: normal;"><span>Prepare campaign</span></div></div></div></foreignObject><text x="300" y="19" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle" font-weight="bold">Prepare campaign</text></switch></g><rect x="266" y="143" width="160" height="30" rx="4.5" ry="4.5" fill="none" stroke="#000000" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 158px; margin-left: 267px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Required task</div></div></div></foreignObject><text x="346" y="162" fill="rgb(0, 0, 0)" 
font-family="Helvetica" font-size="12px" text-anchor="middle">Required task</text></switch></g><rect x="440" y="143" width="160" height="30" rx="4.5" ry="4.5" fill="none" stroke="#000000" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 158px; margin-left: 441px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Optional task</div></div></div></foreignObject><text x="520" y="162" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Optional task</text></switch></g><path d="M 390 80 L 410 80 L 400 80 L 413.63 80" fill="none" stroke="#000000" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 418.88 80 L 411.88 83.5 L 413.63 80 L 411.88 76.5 Z" fill="#000000" stroke="#000000" stroke-miterlimit="10" pointer-events="all"/><rect x="210" y="40" width="180" height="80" rx="12" ry="12" fill="none" stroke="#000000" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 80px; margin-left: 211px;"><div data-drawio-colors="color: rgb(0, 0, 0); " 
style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#b-making-the-input-corpus-unique">Make input corpus unique</a><br /><br />Use <font face="Courier New">afl-cmin</font> on input corpus.</div></div></div></foreignObject><text x="300" y="84" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Make input corpus unique...</text></switch></g><rect x="420" y="40" width="180" height="80" rx="12" ry="12" fill="none" stroke="#000000" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 80px; margin-left: 421px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#c-minimizing-all-corpus-files">Minimize corpus file</a><br /><br />Use <font face="Courier New">afl-tmin</font> on input files.</div></div></div></foreignObject><text x="510" y="84" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Minimize corpus file...</text></switch></g><path d="M 180 80 L 200 80 L 190 80 L 203.63 80" fill="none" stroke="rgb(0, 0, 0)" 
stroke-miterlimit="10" pointer-events="stroke"/><path d="M 208.88 80 L 201.88 83.5 L 203.63 80 L 201.88 76.5 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all"/><rect x="0" y="40" width="180" height="80" rx="12" ry="12" fill="none" stroke="#000000" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 80px; margin-left: 1px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#a-collecting-inputs">Collect inputs</a><br /><br /><div style="text-align: left">Collect one or more input files.<br /></div></div></div></div></foreignObject><text x="90" y="84" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Collect inputs...</text></switch></g></g><switch><g requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"/><a transform="translate(0,-5)" xlink:href="https://www.diagrams.net/doc/faq/svg-export-text-problems" target="_blank"><text text-anchor="middle" font-size="10px" x="50%" y="100%">Viewer does not support full SVG 1.1</text></a></switch></svg>
\ No newline at end of file
diff --git a/docs/resources/3_fuzz_target.drawio.svg b/docs/resources/3_fuzz_target.drawio.svg
new file mode 100644
index 00000000..dbe34a87
--- /dev/null
+++ b/docs/resources/3_fuzz_target.drawio.svg
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Do not edit this file with editors other than diagrams.net -->
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="601px" height="321px" viewBox="-0.5 -0.5 601 321" content="&lt;mxfile host=&quot;Electron&quot; modified=&quot;2021-12-12T21:40:13.215Z&quot; agent=&quot;5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) draw.io/15.8.7 Chrome/91.0.4472.164 Electron/13.6.2 Safari/537.36&quot; etag=&quot;kE1LZhr6sPELjIr0ut40&quot; version=&quot;15.8.7&quot; type=&quot;device&quot;&gt;&lt;diagram name=&quot;3 - fuzz target&quot; id=&quot;5ivncerJTzjQBJIEBaCC&quot;&gt;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&lt;/diagram&gt;&lt;/mxfile&gt;"><defs/><g><rect x="180" y="0" width="240" height="30" fill="none" stroke="none" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 238px; height: 1px; padding-top: 15px; margin-left: 181px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; font-weight: bold; white-space: normal; overflow-wrap: normal;">Fuzz target</div></div></div></foreignObject><text x="300" y="19" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle" font-weight="bold">Fuzz target</text></switch></g><rect x="266" y="290" width="160" height="30" rx="4.5" ry="4.5" fill="none" stroke="#000000" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" 
style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 305px; margin-left: 267px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Required task</div></div></div></foreignObject><text x="346" y="309" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Required task</text></switch></g><rect x="440" y="290" width="160" height="30" rx="4.5" ry="4.5" fill="none" stroke="#000000" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 305px; margin-left: 441px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Optional task</div></div></div></foreignObject><text x="520" y="309" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Optional task</text></switch></g><path d="M 390 134.5 L 413.63 134.5" fill="none" stroke="#000000" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 418.88 134.5 L 411.88 138 L 413.63 134.5 L 411.88 131 Z" fill="#000000" stroke="#000000" stroke-miterlimit="10" 
pointer-events="all"/><path d="M 180 134.5 L 203.63 134.5" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 208.88 134.5 L 201.88 138 L 203.63 134.5 L 201.88 131 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all"/><rect x="210" y="40" width="180" height="230" rx="27" ry="27" fill="none" stroke="#000000" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 47px; margin-left: 211px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#c-using-multiple-cores">Use multiple cores</a><br /><br />Fuzz one target with<br />multiple instances:<br /><br />One main fuzzer:<br /><font face="Courier New">-M main<br /></font><br />Secondary fuzzers:<br /><font face="Courier New">-S variant1</font><br /><br />Use up to 32/64 cores<br />on each machine.<br /><br />Cache test cases.</div></div></div></foreignObject><text x="300" y="59" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Use multiple cores...</text></switch></g><rect x="420" y="40" width="180" height="230" rx="27" ry="27" fill="none" stroke="#000000" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" 
requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 47px; margin-left: 421px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#d-using-multiple-machines-for-fuzzing">Use multiple machines</a><br /><br />Fuzz one target with<br />multiple machines:<br /><br />One main fuzzer per server:<br /><font face="Courier New">-M main<br /></font><br />Secondary fuzzers:<br /><font face="Courier New">-S variant1</font><br /><br />Sync between the servers.</div></div></div></foreignObject><text x="510" y="59" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Use multiple machines...</text></switch></g><rect x="0" y="40" width="180" height="230" rx="27" ry="27" fill="none" stroke="#000000" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 47px; margin-left: 1px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; 
overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#a-running-afl-fuzz">Run <font>afl-fuzz</font></a><br /><br />Reconfigure the<br />system for optimal speed.<br /><br />Specify the input corpus directory.<br /><br />Add a dictionary.<br /><br />Set a memory limit.</div></div></div></foreignObject><text x="90" y="59" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Run afl-fuzz...</text></switch></g></g><switch><g requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"/><a transform="translate(0,-5)" xlink:href="https://www.diagrams.net/doc/faq/svg-export-text-problems" target="_blank"><text text-anchor="middle" font-size="10px" x="50%" y="100%">Viewer does not support full SVG 1.1</text></a></switch></svg>
\ No newline at end of file
diff --git a/docs/resources/4_manage_campaign.drawio.svg b/docs/resources/4_manage_campaign.drawio.svg
new file mode 100644
index 00000000..3263b5bd
--- /dev/null
+++ b/docs/resources/4_manage_campaign.drawio.svg
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Do not edit this file with editors other than diagrams.net -->
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="811px" height="248px" viewBox="-0.5 -0.5 811 248" content="&lt;mxfile host=&quot;Electron&quot; modified=&quot;2021-12-12T20:13:33.340Z&quot; agent=&quot;5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) draw.io/15.8.7 Chrome/91.0.4472.164 Electron/13.6.2 Safari/537.36&quot; etag=&quot;AU7bJEwpT_KnQxL-RQZz&quot; version=&quot;15.8.7&quot; type=&quot;device&quot;&gt;&lt;diagram name=&quot;4 - manage campaign&quot; id=&quot;Y3go6SgXnJCvyWpIHdu5&quot;&gt;7Vpbd5s4EP41fnQOBl8fEydOTjdpt3Wz2+5LjwwClAiJChFffv2OhLDB2I5zMfbZTc5pQYM00uib+UZmaDjDaHYtUBzecQ/Thm15s4Zz2bDhr9eCi5LMM0m/18kEgSBeJmqtBGOywEZoGWlKPJyUOkrOqSRxWehyxrArSzIkBJ+Wu/mclmeNUYArgrGLaFX6N/FkaKSt7mD14AaTIDRT9+1e9iBCeWdjSRIij08LIueq4QwF5zK7i2ZDTNXm5fvC6OjT9VfyRX5zxl07ifvDf/xmpmz0kiFLEwRm8tWqH5K/Fo64v5l9jmngjBfz6cV908lUPyGamv1q2F0Kk1wgEIcC+1ra/Z0qKy9CKRVs52oWexQQGaaTM5dH0Dgf3cY0TdS/SmtC+QQuiUQTgMUeedxVYj9dLAgLfhH2y8OxDM8ir2E7QdMNsfsID5oyxE2XP2EBGDW5r9tm0GpNcBeo61CN0o6UDcgNgYlQ3ieXTcR2yX0CQ61c7nPYcnA75OLSTgx5KgiGQdZnPK0uBvm0mYR8GqG4sI5MWT4xxIGKDyyra3AhDEumWLB3kiSSuMlZrUbAErYa0EVRDDdskqiLsqYsCTCD5Uu1EsTgv5vvd7dwETjmQq535qxg8JmJODnPw1jwlHlYuXILOk9DIvE4zuyZAnFp34yoeeyhJFz2TaTgj3jIKRdalWPpP7MtIxQRqqjtBtMnDPuLlOGUBAxkLsQbbI9zAatSj+i5eSC5mtEnlOZ6GWdYA8ckIkwNurT0Ju0VuSbC1TR4VuAtE8nXmEdYijl0MU+bg7ZhJUPLHdOcFjiub2Rhgd5aXSNEhleDpe4Vd8CNoY8XsJS9lUqSWMGfec0dYplDu4A+Uru58q5ivx0OYD3vABuQUWCPjbqqW5hOSLgmg7XVLGiScJpKfL4UHxTTfreMaauKqd3egKlzKEir2eEb/p0SATAAe6Hk8W1heojIjIjnUXzk4Oz22iUg7fxMUYzObp1ItitIfokl4QzRd0Hy4IR7ErB2LOvEYO1UYMMenH5NE7JsyAMF8tVKelEm0lWfW66SmkbwAUs5N4yHUkjs9YXty8BT1u6ETmAK56an8m+BTTCYoX9yoo9KOeS9dUq2B2edspYEDlEuNgOL5++KLudZXRIJOA9WdGnfWFr1enfpb0jR9fvPiUE86L0fxOunsvohzs8MH5RQl7/Y6yfqLd7ybgi3PhCuF2GnNagX4aPQMp4R+UMNB8bKWj8LTy5nRrNuzPMGA0sLg1TzZ/HZaphu5eP+197U69frTZve8X0QSJ2Qtwc1p4j2B4H8h72pu6bj0EfKo/zKfI03nRhwHXv9NdB+NPAKTe/nAhvLRJ0NKeTIZSKsq0GqLJImxdpQs/Biea2ecccZkVw0smqKmvLIFaJpiGSSPlchUnUk
dR/iwsot7i9ly5LY8qV6vTWimHK524YX1YWsKThMQ9WTURwmH6Wg515LtlqdI9aCAmqJhx9fH4RzeX/+h7z7JL8Ml0acwoumNZrfH4KMnXewYjfrl3Hvjt2wNuO3d3rZF4pdizwl6m43pSAoUBV+V6j4TKq88l310HXCZY/Xc3WZft6B8ZRd2xnP8Ncb52kOt8/gUxTk6UGkLN8m5e0zYGMgV6Lr6RH3cL25QEaEbV+3XpTEidS5KlnBulqJrxM0aCERWWg76jUAAcPMF3i7DXrTfcK8DZ9tCKJzgyIP7Kq1q0xN1o1+Y0o7YBYr1MitI2e19WrJ8ZOatZVJ09wBxpALFMxMeVfhEwer4E7pdieuSsYKGOVCwKzMVfGi2YWnmz4ayphyr3ApL3RdfbW/R3wfa4whiHXleM95MFUf9eUT7Q79CYi9nCVgTQrUDcHyTHiUY2ndpXcET9XZN0fJFlfeNwp21Jft+lwemqsvF7OfiavvP52rfwE=&lt;/diagram&gt;&lt;/mxfile&gt;"><defs/><g><rect x="210" y="40" width="180" height="160" rx="24" ry="24" fill="none" stroke="#000000" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 47px; margin-left: 211px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#g-checking-the-coverage-of-the-fuzzing">Check coverage</a><br /><br />Use <font face="Courier New">afl-showmap</font> to get<br />code coverage statistics.<br /><br />Use <font face="Courier New">afl-cov</font> to generate an HTML report on coverage.</div></div></div></foreignObject><text x="300" y="59" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Check coverage...</text></switch></g><rect x="290" y="0" width="240" height="30" fill="none" stroke="none" 
pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 238px; height: 1px; padding-top: 15px; margin-left: 291px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; font-weight: bold; white-space: normal; overflow-wrap: normal;"><span>Manage campaign</span></div></div></div></foreignObject><text x="410" y="19" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle" font-weight="bold">Manage campaign</text></switch></g><rect x="476" y="217" width="160" height="30" rx="4.5" ry="4.5" fill="none" stroke="#000000" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 232px; margin-left: 477px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Required task</div></div></div></foreignObject><text x="556" y="236" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Required task</text></switch></g><rect x="650" y="217" 
width="160" height="30" rx="4.5" ry="4.5" fill="none" stroke="#000000" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 232px; margin-left: 651px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Optional task</div></div></div></foreignObject><text x="730" y="236" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Optional task</text></switch></g><path d="M 390 119.5 L 413.63 119.5" fill="none" stroke="#000000" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 418.88 119.5 L 411.88 123 L 413.63 119.5 L 411.88 116 Z" fill="#000000" stroke="#000000" stroke-miterlimit="10" pointer-events="all"/><path d="M 180 119.5 L 203.63 119.5" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 208.88 119.5 L 201.88 123 L 203.63 119.5 L 201.88 116 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all"/><rect x="0" y="40" width="180" height="160" rx="24" ry="24" fill="none" stroke="#000000" stroke-dasharray="3 3" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; 
justify-content: unsafe center; width: 178px; height: 1px; padding-top: 47px; margin-left: 1px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#e-the-status-of-the-fuzz-campaign">Monitor status</a><br /><br />Use <font face="Courier New">afl-whatsup</font> to show the status of the fuzzing campaign.<br /><br />Use <font face="Courier New">afl-plot</font> to generate an HTML report with graphs.</div></div></div></foreignObject><text x="90" y="59" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Monitor status...</text></switch></g><path d="M 600 120 L 620 120 L 610 120 L 623.63 120" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 628.88 120 L 621.88 123.5 L 623.63 120 L 621.88 116.5 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all"/><rect x="420" y="40" width="180" height="160" rx="24" ry="24" fill="none" stroke="#000000" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 47px; margin-left: 421px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; 
overflow-wrap: normal;"><a href="https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#4-triaging-crashes">Triage crashes</a><br /><br />Use <font face="Courier New">afl-fuzz</font> with <font face="Courier New">-C</font> flag to run crash exploration mode.<br /><br />Use <font face="Courier New">afl-tmin</font> on test cases<br />for minimization.<br /><br />Use <font face="Courier New">afl-analyze</font> to find<br />critical sections in test cases.</div></div></div></foreignObject><text x="510" y="59" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Triage crashes...</text></switch></g><rect x="630" y="40" width="180" height="160" rx="24" ry="24" fill="none" stroke="#000000" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 178px; height: 1px; padding-top: 47px; margin-left: 631px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><u>Start new campaign </u><br /><br />Stop instances without<br />crashes.<br /><br />Start new instances with<br />different options.<br /><br />Select new test cases<br />based on insights.</div></div></div></foreignObject><text x="720" y="59" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Start new campaign...</text></switch></g></g><switch><g requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"/><a transform="translate(0,-5)" 
xlink:href="https://www.diagrams.net/doc/faq/svg-export-text-problems" target="_blank"><text text-anchor="middle" font-size="10px" x="50%" y="100%">Viewer does not support full SVG 1.1</text></a></switch></svg>
\ No newline at end of file
diff --git a/instrumentation/README.cmplog.md b/instrumentation/README.cmplog.md
index 146b4620..668c07eb 100644
--- a/instrumentation/README.cmplog.md
+++ b/instrumentation/README.cmplog.md
@@ -11,12 +11,11 @@ see
 ## Build
 
 To use CmpLog, you have to build two versions of the instrumented target
-program.
+program:
 
-The first version is built using the regular AFL++ instrumentation.
-
-The second one, the CmpLog binary, is built with setting AFL_LLVM_CMPLOG during
-the compilation.
+* The first version is built using the regular AFL++ instrumentation.
+* The second one, the CmpLog binary, is built with setting `AFL_LLVM_CMPLOG`
+  during the compilation.
 
 For example:
 
diff --git a/instrumentation/README.laf-intel.md b/instrumentation/README.laf-intel.md
index 06e653ea..414be060 100644
--- a/instrumentation/README.laf-intel.md
+++ b/instrumentation/README.laf-intel.md
@@ -39,13 +39,11 @@ AFL_LLVM_LAF_SPLIT_COMPARES_BITW=<bit_width>`, where bit_width may be 64, 32, or
 16. For example, a bit_width of 16 would split larger comparisons down to 16 bit
 comparisons.
 
-A new experimental feature is splitting floating point comparisons into a series
+A new unique feature is splitting floating point comparisons into a series
 of sign, exponent and mantissa comparisons followed by splitting each of them
 into 8 bit comparisons when necessary. It is activated with the
-`AFL_LLVM_LAF_SPLIT_FLOATS` setting. Note that full IEEE 754 functionality is
-not preserved, that is values of nan and infinity will probably behave
-differently.
+`AFL_LLVM_LAF_SPLIT_FLOATS` setting.
 
 Note that setting this automatically activates `AFL_LLVM_LAF_SPLIT_COMPARES`.
 
-You can also set `AFL_LLVM_LAF_ALL` and have all of the above enabled. :-)
\ No newline at end of file
+You can also set `AFL_LLVM_LAF_ALL` and have all of the above enabled. :-)
diff --git a/qemu_mode/QEMUAFL_VERSION b/qemu_mode/QEMUAFL_VERSION
index 680c04d6..0c5c12d3 100644
--- a/qemu_mode/QEMUAFL_VERSION
+++ b/qemu_mode/QEMUAFL_VERSION
@@ -1 +1 @@
-002e473939
+ce65a7349e
diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl
-Subproject 002e473939a350854d56f67ce7b2e2d9706b8bc
+Subproject ce65a7349e7156e052b37a660422cad8346764d
diff --git a/src/afl-cc.c b/src/afl-cc.c
index 1448d8ae..cafb8e32 100644
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
@@ -395,7 +395,7 @@ static void edit_params(u32 argc, char **argv, char **envp) {
           snprintf(llvm_fullpath, sizeof(llvm_fullpath), "%s/clang",
                    LLVM_BINDIR);
         else
-          snprintf(llvm_fullpath, sizeof(llvm_fullpath), CLANGPP_BIN);
+          snprintf(llvm_fullpath, sizeof(llvm_fullpath), CLANG_BIN);
         alt_cc = llvm_fullpath;
 
       }
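Review bot: The replaced line still passes the `CLANG_BIN` macro as the snprintf format string itself, so any `%` in the configured path would be parsed as a conversion and the result would be wrong (or worse) at runtime; the sibling branch two lines above already passes the path as an argument to a `"%s"` format. Prefer `snprintf(llvm_fullpath, sizeof(llvm_fullpath), "%s", CLANG_BIN);` so both branches treat the path as data. The risk is low because the value is a build-time define, but the fix costs nothing and makes `-Wformat` effective. The enclosing `edit_params` starts and ends outside the hunk.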
diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c
index 50e6c2f4..289f7e09 100644
--- a/src/afl-fuzz-stats.c
+++ b/src/afl-fuzz-stats.c
@@ -296,9 +296,9 @@ void write_stats_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg,
           ((double)(afl->prev_run_time + get_cur_time() - afl->start_time) /
            1000),
       afl->last_avg_execs_saved, afl->queued_items, afl->queued_favored,
-      afl->queued_discovered, afl->queued_imported, afl->max_depth,
-      afl->current_entry, afl->pending_favored, afl->pending_not_fuzzed,
-      afl->queued_variable, stability, bitmap_cvg, afl->saved_crashes,
+      afl->queued_discovered, afl->queued_imported, afl->queued_variable,
+      afl->max_depth, afl->current_entry, afl->pending_favored,
+      afl->pending_not_fuzzed, stability, bitmap_cvg, afl->saved_crashes,
       afl->saved_hangs, afl->last_find_time / 1000, afl->last_crash_time / 1000,
       afl->last_hang_time / 1000, afl->fsrv.total_execs - afl->last_crash_execs,
       afl->fsrv.exec_tmout, afl->slowest_exec_ms,
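Review bot: The argument reordering (`afl->queued_variable` now precedes `afl->max_depth`) is only correct if the format string of this `fprintf`/`snprintf` call, which lies above the hunk and is not changed here, lists its fields in the same new order; from the hunk alone that cannot be confirmed. Because the format string and the argument list are far apart, a mismatch would not be a compile error but silently shifted values in the stats file, so please double-check the field order against the format (ideally with `-Wformat` and a diff of the emitted `fuzzer_stats` before/after). The enclosing `write_stats_file` starts and ends outside the hunk.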
diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c
index 7fb8f821..c1d4ff03 100644
--- a/src/afl-sharedmem.c
+++ b/src/afl-sharedmem.c
@@ -242,8 +242,11 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size,
 #else
   u8 *shm_str;
 
+  // for qemu+unicorn we have to increase by 8 to account for potential
+  // compcov map overwrite
   shm->shm_id =
-      shmget(IPC_PRIVATE, map_size, IPC_CREAT | IPC_EXCL | DEFAULT_PERMISSION);
+      shmget(IPC_PRIVATE, map_size == MAP_SIZE ? map_size + 8 : map_size,
+             IPC_CREAT | IPC_EXCL | DEFAULT_PERMISSION);
   if (shm->shm_id < 0) {
 
     PFATAL("shmget() failed, try running afl-system-config");
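Review bot: The 8-byte slack is granted only when `map_size == MAP_SIZE` exactly, i.e. it keys on a size coincidence rather than on the target actually being a qemu/unicorn (compcov) target, so a qemu target with a larger map gets no slack and an ordinary target with the default map gets it; the comment above should say why equality is the chosen signal, e.g. `// qemu/unicorn targets always report the default MAP_SIZE; larger maps come from LLVM-instrumented targets that never use compcov`, if that is the assumption. The literal `8` deserves a named constant so the compcov writer and this allocation cannot drift apart. Note that this is the `#else` branch of afl_shm_init; the other branch of the `#if` (not shown) likely performs the same allocation and may need the matching adjustment. The enclosing `afl_shm_init` starts and ends outside the hunk.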
diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl
-Subproject d4915053d477dd827b3fe4b494173d3fbf9f456
+Subproject 9df92d6868e8b219886e4b7458e5e134c48ff2c