-rw-r--r-- | TODO.md | 27 |
1 files changed, 25 insertions, 2 deletions
diff --git a/TODO.md b/TODO.md index 39c7c029..e9912475 100644 --- a/TODO.md +++ b/TODO.md @@ -1,7 +1,21 @@ +# TODO list for AFL++ + ## Roadmap 2.61 Makefile: - - -march=native -Ofast -flto=full + - -march=native -Ofast -flto=full (especially for afl-fuzz) + +llvm_mode: + - using lto + opt to instrument at link time, and using a sat solver to + select basic block IDs that do not result in collisions + (Solution for "The far away future", see bottom of file) + +qemu_mode: + - ensure redqueen implementation works fine + - ensure no issues in persistent mode + + +## Further down the road afl-fuzz: - sync_fuzzers(): only masters sync from all, slaves only sync from master @@ -20,11 +34,11 @@ qemu_mode: - rename qemu specific envs to AFL_QEMU (AFL_ENTRYPOINT, AFL_CODE_START/END, AFL_COMPCOV_LEVEL?) - add AFL_QEMU_EXITPOINT (maybe multiple?) - add/implement AFL_QEMU_INST_LIBLIST and AFL_QEMU_NOINST_PROGRAM + - add/implement AFL_QEMU_INST_REGIONS as a list of _START/_END addresses custom_mutators: - rip what Superion is doing into custom mutators for js, php, etc. - uniform python and custom mutators API - - running with -M and custom_only mutators should warn that no deterministic stages are run. ## The far away future: @@ -33,6 +47,9 @@ Problem: Average targets (tiff, jpeg, unrar) go through 1500 edges. At afl's default map that means ~16 collisions and ~3 wrappings. - Solution #1: increase map size. + + => speed loss is bad. last resort solution + every +1 decreases fuzzing speed by ~10% and halfs the collisions birthday paradox predicts collisions at this # of edges: 
@@ -51,10 +68,16 @@ Problem: Average targets (tiff, jpeg, unrar) go through 1500 edges. Increasing the map is an easy solution but also not a good one. - Solution #2: use dynamic map size and collision free basic block IDs + + => This works and is the selected solution + This only works in llvm_mode and llvm >= 9 though A potential good future solution. Heiko/hexcoder follows this up - Solution #3: write instruction pointers to a big shared map + + => Tested and it is a dead end + 512kb/1MB shared map and the instrumented code writes the instruction pointer into the map. Map must be big enough but could be command line controlled. |
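Review bot: the Makefile item in the first hunk, "-march=native -Ofast -flto=full (especially for afl-fuzz)", should state that these are opt-in build flags rather than defaults: -march=native produces binaries that only run on the build host's CPU family, and -Ofast enables non-standard floating-point semantics, so a packaged afl-fuzz built this way may behave differently or fail on other machines. Suggest noting "opt-in / not for distribution builds" beside the flag list.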
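Review bot: the second hunk drops the item "running with -M and custom_only mutators should warn that no deterministic stages are run." without saying whether it was implemented or abandoned; a TODO removal should carry that information so nobody re-adds it. Also, the new "AFL_QEMU_INST_REGIONS as a list of _START/_END addresses" item sits next to the existing AFL_CODE_START/END rename, so note whether REGIONS replaces the single START/END pair or extends it.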
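Review bot: in the third hunk, "=> Tested and it is a dead end" under Solution #3 records the verdict but not the reason (e.g. the measured slowdown or map-size problem), so the next person will be tempted to re-try it; add one line with what was measured. Likewise, Solution #2 now says "This only works in llvm_mode and llvm >= 9 though", but the Roadmap 2.61 entry that depends on it (the lto + opt + sat-solver item) carries no such requirement; mirror the llvm >= 9 constraint there. Minor: "halfs the collisions" should read "halves".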