| author | van Hauser <vh@thc.org> | 2020-08-03 13:39:55 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-08-03 13:39:55 +0200 |
| commit | d5d8d664d0d4b95792aaccd16264f3a3cff48cc8 (patch) | |
| tree | fa82a04acca16ea3e088b0d7d3aaec4b01ddf8f9 /TODO.md | |
| parent | 4a51cb71fb8785325dedac693cdea4648f6e5279 (diff) | |
| parent | 409e4ae945ab5aeb31b1e3a1497ce5fc65226f07 (diff) | |
| download | afl++-d5d8d664d0d4b95792aaccd16264f3a3cff48cc8.tar.gz | |
Merge pull request #477 from AFLplusplus/dev
Push to stable
Diffstat (limited to 'TODO.md')
| -rw-r--r-- | TODO.md | 22 |
1 files changed, 17 insertions, 5 deletions
diff --git a/TODO.md b/TODO.md index 8085bc07..999cb9d3 100644 --- a/TODO.md +++ b/TODO.md @@ -1,20 +1,20 @@ # TODO list for AFL++ -## Roadmap 2.66+ +## Roadmap 2.67+ + - expand on AFL_LLVM_INSTRUMENT_FILE to also support sancov allowlist format - AFL_MAP_SIZE for qemu_mode and unicorn_mode - - namespace for targets? e.g. network - - learn from honggfuzz (mutations, maybe ptrace?) - CPU affinity for many cores? There seems to be an issue > 96 cores ## Further down the road afl-fuzz: - - ascii_only mode for mutation output - or use a custom mutator for this? - setting min_len/max_len/start_offset/end_offset limits for mutation output + - add __sanitizer_cov_trace_cmp* support via shmem llvm_mode: - LTO - imitate sancov + - add __sanitizer_cov_trace_cmp* support gcc_plugin: - (wait for submission then decide) @@ -22,7 +22,7 @@ gcc_plugin: - better instrumentation (seems to be better with gcc-9+) qemu_mode: - - update to 5.x (if the performance bug if gone) + - update to 5.x (if the performance bug is gone) - non colliding instrumentation - rename qemu specific envs to AFL_QEMU (AFL_ENTRYPOINT, AFL_CODE_START/END, AFL_COMPCOV_LEVEL?) @@ -30,3 +30,15 @@ qemu_mode: persistent mode - add/implement AFL_QEMU_INST_LIBLIST and AFL_QEMU_NOINST_PROGRAM - add/implement AFL_QEMU_INST_REGIONS as a list of _START/_END addresses + +## Ideas + + - LTO/sancov: write current edge to prev_loc and use that information when + using cmplog or __sanitizer_cov_trace_cmp*. maybe we can deduct by follow + up edge numbers that both following cmp paths have been found and then + disable working on this edge id + + - new tancov: use some lightweight taint analysis to see which parts of a + new queue entry is accessed and only fuzz these bytes - or better, only + fuzz those bytes that are newly in coverage compared to the queue entry + the new one is based on |
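Review bot: in the first hunk the `__sanitizer_cov_trace_cmp*` item is added twice, once under afl-fuzz as "via shmem" and once under llvm_mode with no transport named; these are the two halves of one feature (the compiler pass emits the callbacks, the fuzzer runtime consumes them), so word both entries the same way or cross-reference them, e.g. "- add __sanitizer_cov_trace_cmp* support (runtime side, via shmem)" and "- add __sanitizer_cov_trace_cmp* support (compiler side, see afl-fuzz)". The same hunk also drops three items without a trace (namespace for targets, learn from honggfuzz, ascii_only mode); if they were declined rather than completed, a short "dropped:" line would keep that decision visible to future readers of the roadmap.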
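Review bot: the new "## Ideas" section in the last hunk has wording slips that will confuse readers: "deduct by follow up edge numbers" should read "deduce from follow-up edge numbers", "which parts of a new queue entry is accessed" should be "are accessed", and "new tancov" looks like a typo for "taintcov" (taint-based coverage); please fix or spell out the intended name. The first idea also overlaps with the "imitate sancov" and `__sanitizer_cov_trace_cmp*` items under llvm_mode earlier in the file, so a one-line cross-reference ("builds on the __sanitizer_cov_trace_cmp* work above") would tie the two together.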
