Merge pull request #1499 from AFLplusplus/dev

push to stable

5 files changed, 46 insertions, 3 deletions

diff --git a/docs/Changelog.md b/docs/Changelog.md
index 957f6206..842b727b 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -8,6 +8,25 @@
 Want to stay in the loop on major new features? Join our mailing list by
 sending a mail to <afl-users+subscribe@googlegroups.com>.
 
+### Version ++4.03a (dev)
+  - Building now gives a build summary what succeeded and what not
+  - afl-fuzz:
+    - added AFL_NO_STARTUP_CALIBRATION to start fuzzing at once instead
+      of calibrating all initial seeds first. Good for large queues
+      and long execution times, especially in CIs.
+    - default calibration cycles set to 7 from 8, and only add 5 cycles
+      to variables queue items instead of 12.
+  - afl-cc:
+    - better handling of -fsanitize=..,...,.. lists
+    - fix gcc_mode cmplog
+    - obtain the map size of a target with setting AFL_DUMP_MAP_SIZE=1
+      note that this will exit the target before main()
+  - qemu_mode:
+    - added AFL_QEMU_TRACK_UNSTABLE to log the addresses of unstable
+      edges (together with AFL_DEBUG=1 afl-fuzz). thanks to
+      worksbutnottested!
+
+
 ### Version ++4.02c (release)
   - afl-cc:
     - important fix for the default pcguard mode when LLVM IR vector
@@ -22,7 +41,6 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
     - change post_process hook to allow returning NULL and 0 length to
       tell afl-fuzz to skip this mutated input
 
-
 ### Version ++4.01c (release)
   - fixed */build_...sh scripts to work outside of git
   - new custom_mutator: libafl with token fuzzing :)
diff --git a/docs/FAQ.md b/docs/FAQ.md
index 1822e46b..4a9080f8 100644
--- a/docs/FAQ.md
+++ b/docs/FAQ.md
@@ -255,3 +255,18 @@ If you find an interesting or important question missing, submit it via
 
   Solution: `git pull ; make clean install` of AFL++.
 </p></details>
+
+<details>
+  <summary id="afl-map-size-warning">AFL++ map size warning.</summary><p>
+
+  When you run a large instrumented program stand-alone or via afl-showmap
+  you might see a warning like the following:
+
+  ```
+  Warning: AFL++ tools might need to set AFL_MAP_SIZE to 223723 to be able to run this instrumented program if this crashes!
+  ```
+
+  Depending how the target works it might also crash afterwards.
+
+  Solution: just do an `export AFL_MAP_SIZE=(the value in the warning)`.
+</p></details>
diff --git a/docs/INSTALL.md b/docs/INSTALL.md
index 4f2b7174..86ba916f 100644
--- a/docs/INSTALL.md
+++ b/docs/INSTALL.md
@@ -21,8 +21,8 @@ development state of AFL++.
 If you want to build AFL++ yourself, you have many options. The easiest choice
 is to build and install everything:
 
-NOTE: depending on your Debian/Ubuntu/Kali/... version release `-12` with
-whatever llvm version is available!
+NOTE: depending on your Debian/Ubuntu/Kali/... release, replace `-12` with
+whatever llvm version is available. We recommend llvm 12, 13 or 14.
 
 ```shell
 sudo apt-get update
diff --git a/docs/env_variables.md b/docs/env_variables.md
index 00948fc1..bb54357b 100644
--- a/docs/env_variables.md
+++ b/docs/env_variables.md
@@ -462,6 +462,9 @@ checks or alter some of the more exotic semantics of the tool:
     some basic stats. This behavior is also automatically triggered when the
     output from afl-fuzz is redirected to a file or to a pipe.
 
+  - Setting `AFL_NO_STARTUP_CALIBRATION` will skip the initial calibration
+    of all starting seeds, and start fuzzing at once.
+
   - In QEMU mode (-Q) and FRIDA mode (-O), `AFL_PATH` will be searched for
     afl-qemu-trace and afl-frida-trace.so.
 
diff --git a/docs/fuzzing_in_depth.md b/docs/fuzzing_in_depth.md
index 37889137..92c9910b 100644
--- a/docs/fuzzing_in_depth.md
+++ b/docs/fuzzing_in_depth.md
@@ -626,6 +626,9 @@ from other fuzzers in the campaign first.
 
 If you have a large corpus, a corpus from a previous run or are fuzzing in a CI,
 then also set `export AFL_CMPLOG_ONLY_NEW=1` and `export AFL_FAST_CAL=1`.
+If the queue in the CI is huge and/or the execution time is slow then you can
+also add `AFL_NO_STARTUP_CALIBRATION=1` to skip the initial queue calibration
+phase and start fuzzing at once.
 
 You can also use different fuzzers. If you are using AFL spinoffs or AFL
 conforming fuzzers, then just use the same -o directory and give it a unique
@@ -902,6 +905,10 @@ complex file formats.
 Some notes on continuous integration (CI) fuzzing - this fuzzing is different to
 normal fuzzing campaigns as these are much shorter runnings.
 
+If the queue in the CI is huge and/or the execution time is slow then you can
+also add `AFL_NO_STARTUP_CALIBRATION=1` to skip the initial queue calibration
+phase and start fuzzing at once.
+
 1. Always:
     * LTO has a much longer compile time which is diametrical to short fuzzing -
       hence use afl-clang-fast instead.