-rw-r--r-- instrumentation/README.neverzero.md 41
-rw-r--r-- instrumentation/README.out_of_line.md 19
-rw-r--r-- instrumentation/README.snapshot.md 18
3 files changed, 0 insertions, 78 deletions
diff --git a/instrumentation/README.neverzero.md b/instrumentation/README.neverzero.md
deleted file mode 100644
index 9bcae324..00000000
--- a/instrumentation/README.neverzero.md
+++ /dev/null
@@ -1,41 +0,0 @@
-# NeverZero counters for LLVM instrumentation
-
-## Usage
-
-In larger, complex or reiterative programs the byte sized counters that collect
-the edge coverage can easily fill up and wrap around.
-This is not that much of an issue - unless by chance it wraps just to a value
-of zero when the program execution ends.
-In this case afl-fuzz is not able to see that the edge has been accessed and
-will ignore it.
-
-NeverZero prevents this behaviour. If a counter wraps, it jumps over the value
-0 directly to a 1. This improves path discovery (by a very little amount)
-at a very little cost (one instruction per edge).
-
-(The alternative of saturated counters has been tested also and proved to be
-inferior in terms of path discovery.)
-
-This is implemented in afl-gcc and afl-gcc-fast, however for llvm_mode this is
-optional if multithread safe counters are selected or the llvm version is below
-9 - as there are severe performance costs in these cases.
-
-If you want to enable this for llvm versions below 9 or thread safe counters
-then set
-
-```
-export AFL_LLVM_NOT_ZERO=1
-```
-
-In case you are on llvm 9 or greater and you do not want this behaviour then
-you can set:
-```
-AFL_LLVM_SKIP_NEVERZERO=1
-```
-If the target does not have extensive loops or functions that are called
-a lot then this can give a small performance boost.
-
-Please note that the default counter implementations are not thread safe!
-
-Support for thread safe counters in mode LLVM CLASSIC can be activated with setting
-`AFL_LLVM_THREADSAFE_INST=1`.
\ No newline at end of file
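Review bot: the removed lines from "If you want to enable this for llvm versions below 9" down to `AFL_LLVM_THREADSAFE_INST=1` are the text that explains `AFL_LLVM_NOT_ZERO`, `AFL_LLVM_SKIP_NEVERZERO` and the warning that the default counters are not thread safe, and the diffstat shows 0 insertions, so this commit does not move that text anywhere. Please confirm that all three variables and the thread-safety warning are covered in the remaining documentation and name that location in the commit message, or keep a short section for them. The opening rationale (a counter that wraps to exactly 0 at exit makes afl-fuzz ignore a visited edge) is also worth preserving, because it is what tells a user what they give up when they set `AFL_LLVM_SKIP_NEVERZERO=1` for the small performance boost.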
diff --git a/instrumentation/README.out_of_line.md b/instrumentation/README.out_of_line.md
deleted file mode 100644
index 346fe98d..00000000
--- a/instrumentation/README.out_of_line.md
+++ /dev/null
@@ -1,19 +0,0 @@
-## Using AFL++ without inlined instrumentation
-
-  This file describes how you can disable inlining of instrumentation.
-
-
-By default, the GCC plugin will duplicate the effects of calling
-`__afl_trace` (see `afl-gcc-rt.o.c`) in instrumented code, instead of
-issuing function calls.
-
-The calls are presumed to be slower, more so because the rt file
-itself is not optimized by the compiler.
-
-Setting `AFL_GCC_OUT_OF_LINE=1` in the environment while compiling code
-with the plugin will disable this inlining, issuing calls to the
-unoptimized runtime instead.
-
-You probably don't want to do this, but it might be useful in certain
-AFL debugging scenarios, and it might work as a fallback in case
-something goes wrong with the inlined instrumentation.
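Review bot: the paragraph starting "Setting `AFL_GCC_OUT_OF_LINE=1`" is removed with no replacement in this commit, which leaves the variable without the explanation that it disables inlining and issues calls to the unoptimized runtime. If the GCC plugin still honours `AFL_GCC_OUT_OF_LINE`, keep at least that paragraph and the "fallback in case something goes wrong with the inlined instrumentation" note wherever the other environment variables are documented; if the option is being retired, the code that reads it should go in the same change so the documentation and the behaviour stay in step.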
diff --git a/instrumentation/README.snapshot.md b/instrumentation/README.snapshot.md
deleted file mode 100644
index c794c2fd..00000000
--- a/instrumentation/README.snapshot.md
+++ /dev/null
@@ -1,18 +0,0 @@
-# AFL++ snapshot feature
-
-**NOTE:** the snapshot lkm is currently not supported and needs a maintainer :-)
-
-Snapshotting is a feature that makes a snapshot from a process and then
-restores its state, which is faster then forking it again.
-
-All targets compiled with llvm_mode are automatically enabled for the
-snapshot feature.
-
-To use the snapshot feature for fuzzing compile and load this kernel
-module: [https://github.com/AFLplusplus/AFL-Snapshot-LKM](https://github.com/AFLplusplus/AFL-Snapshot-LKM)
-
-Note that is has little value for persistent (__AFL_LOOP) fuzzing.
-
-## Notes
-
-Snapshot does not work with multithreaded targets yet. Still in WIP, it is now usable only for single threaded applications.
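Review bot: the removed "NOTE" line and the "## Notes" section carry the two caveats a user needs before relying on snapshots, namely that the snapshot lkm is currently not supported and that it is usable only for single threaded applications, and nothing is inserted to replace them. Since the same file states that all targets compiled with llvm_mode are automatically enabled for the snapshot feature, please either keep a short note with the unsupported status, the single-thread limitation and the AFL-Snapshot-LKM link, or state in the commit message where that information now lives.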