Merge pull request #359 from AFLplusplus/dev

push to master

3 files changed, 29 insertions, 7 deletions

diff --git a/docs/Changelog.md b/docs/Changelog.md
index 54564a5d..0b5c11e8 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -16,9 +16,12 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
      - an old, old bug in afl that would show negative stability in rare
        circumstances is now hopefully fixed
   - llvm_mode:
+     - afl-clang-fast/lto now do not skip single block functions. This
+       behaviour can be reactivated with AFL_LLVM_SKIPSINGLEBLOCK
      - if LLVM 11 is installed the posix shm_open+mmap is used and a fixed
        address for the shared memory map is used as this increases the
        fuzzing speed
+     - InsTrim now has an LTO version! :-) That is the best and fastest mode!
      - fixes to LTO mode if instrumented edges > MAP_SIZE
      - CTX and NGRAM can now be used together
      - CTX and NGRAM are now also supported in CFG/INSTRIM mode
@@ -38,7 +41,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
     network (not fuzzing tcp/ip services but running afl-fuzz on one system
     and the target being on an embedded device)
   - added examples/afl_untracer which does a binary-only fuzzing with the
-    modifications done in memory
+    modifications done in memory (intel32/64 and aarch64 support)
   - added examples/afl_proxy which can be easily used to fuzz and instrument
     non-standard things
   - all:
@@ -2571,3 +2574,6 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
 ### Version 0.21b (2013-11-12):
 
   - Initial public release.
+
+  - Added support for use of multiple custom mutators which can be specified using 
+    the environment variable AFL_CUSTOM_MUTATOR_LIBRARY.
diff --git a/docs/custom_mutators.md b/docs/custom_mutators.md
index 49ce761e..3cd874b9 100644
--- a/docs/custom_mutators.md
+++ b/docs/custom_mutators.md
@@ -16,6 +16,10 @@ fuzzing by using libraries that perform mutations according to a given grammar.
 
 The custom mutator is passed to `afl-fuzz` via the `AFL_CUSTOM_MUTATOR_LIBRARY`
 or `AFL_PYTHON_MODULE` environment variable, and must export a fuzz function.
+Now afl also supports multiple custom mutators which can be specified in the same `AFL_CUSTOM_MUTATOR_LIBRARY` environment variable like this.
+```bash
+export AFL_CUSTOM_MUTATOR_LIBRARY="full/path/to/mutator_first.so;full/path/to/mutator_second.so"
+```
 Please see [APIs](#2-apis) and [Usage](#3-usage) for detail.
 
 The custom mutation stage is set to be the first non-deterministic stage (right before the havoc stage).
@@ -209,12 +213,15 @@ For C/C++ mutator, the source code must be compiled as a shared object:
 ```bash
 gcc -shared -Wall -O3 example.c -o example.so
 ```
+Note that if you specify multiple custom mutators, the corresponding functions will
+be called in the order in which they are specified. e.g first `pre_save` function of
+`example_first.so` will be called and then that of `example_second.so`
 
 ### Run
 
 C/C++
 ```bash
-export AFL_CUSTOM_MUTATOR_LIBRARY=/full/path/to/example.so
+export AFL_CUSTOM_MUTATOR_LIBRARY="/full/path/to/example_first.so;/full/path/to/example_second.so"
 afl-fuzz /path/to/program
 ```
 
diff --git a/docs/env_variables.md b/docs/env_variables.md
index ed81c8a3..36e5a432 100644
--- a/docs/env_variables.md
+++ b/docs/env_variables.md
@@ -83,6 +83,10 @@ tools make fairly broad use of environmental variables:
 The native instrumentation helpers (llvm_mode and gcc_plugin) accept a subset
 of the settings discussed in section #1, with the exception of:
 
+    - Setting AFL_LLVM_SKIPSINGLEBLOCK=1 will skip instrumenting
+      functions with a single basic block. This is useful for most C and
+      some C++ targets. This works for all instrumentation modes.
+
   - AFL_AS, since this toolchain does not directly invoke GNU as.
 
   - TMPDIR and AFL_KEEP_ASSEMBLY, since no temporary assembly files are
@@ -116,6 +120,9 @@ Then there are a few specific features that are only available in llvm_mode:
     afl-clang-lto/afl-clang-lto++ instead of afl-clang-fast, but is only
     built if LLVM 11 or newer is used.
 
+   - AFL_LLVM_INSTRUMENT=CFG will use Control Flow Graph instrumentation.
+     (recommended)
+
    - AFL_LLVM_LTO_AUTODICTIONARY will generate a dictionary in the target
      binary based on string compare and memory compare functions.
      afl-fuzz will automatically get these transmitted when starting to
@@ -139,7 +146,13 @@ Then there are a few specific features that are only available in llvm_mode:
 
 ### INSTRIM
 
-    This feature increases the speed by ~15% without any disadvantages.
+    This feature increases the speed by ~15% without any disadvantages to the
+    classic instrumentation.
+
+    Note that there is also an LTO version (if you have llvm 11 or higher) -
+    that is the best instrumentation we have. Use `afl-clang-lto` to activate.
+    The InsTrim LTO version additionally has all the options and features of
+    LTO (see above).
 
     - Setting AFL_LLVM_INSTRIM or AFL_LLVM_INSTRUMENT=CFG to activates this mode
 
@@ -147,10 +160,6 @@ Then there are a few specific features that are only available in llvm_mode:
       afl-fuzz will only be able to see the path the loop took, but not how
       many times it was called (unless it is a complex loop).
 
-    - Setting AFL_LLVM_INSTRIM_SKIPSINGLEBLOCK=1 will skip instrumenting
-      functions with a single basic block. This is useful for most C and
-      some C++ targets.
-
     See llvm_mode/README.instrim.md
 
 ### NGRAM