docs

author: vanhauser-thc <vh@thc.org> 2023-05-01 08:55:37 +0200
committer: vanhauser-thc <vh@thc.org> 2023-05-01 08:55:37 +0200
commit: fcab3ec99026e92b688a69de476a0763942a9d67 (patch)
tree: ecce5db65912995bfec76df8ec1df6587f8956b3 /docs/best_practices.md
parent: 9065d4ba86ecdafeade50e5235ee1e99f4179692 (diff)
download: afl++-fcab3ec99026e92b688a69de476a0763942a9d67.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/docs/best_practices.md b/docs/best_practices.md
index 133c645e..459fcaf7 100644
--- a/docs/best_practices.md
+++ b/docs/best_practices.md
@@ -131,6 +131,11 @@ jitter, or is a hash map function etc., then it should not be instrumented.
 To be able to exclude these functions (based on AFL++'s measured stability), the
 following process will allow to identify functions with variable edges.
 
+Note that this is only useful for non-persistent targets!
+If a persistent target is unstable whereas when run non-persistent is fine,
+then this means that the target is keeping internal state, which is bad for
+fuzzing. Fuzz such targets **without** persistent mode.
+
 Four steps are required to do this and it also requires quite some knowledge of
 coding and/or disassembly and is effectively possible only with `afl-clang-fast`
 `PCGUARD` and `afl-clang-lto` `LTO` instrumentation.
author	vanhauser-thc <vh@thc.org>	2023-05-01 08:55:37 +0200
committer	vanhauser-thc <vh@thc.org>	2023-05-01 08:55:37 +0200
commit	fcab3ec99026e92b688a69de476a0763942a9d67 (patch)
tree	ecce5db65912995bfec76df8ec1df6587f8956b3 /docs/best_practices.md
parent	9065d4ba86ecdafeade50e5235ee1e99f4179692 (diff)
download	afl++-fcab3ec99026e92b688a69de476a0763942a9d67.tar.gz