Diffstat (limited to 'docs')
-rw-r--r--  docs/Changelog.md           23
-rw-r--r--  docs/INSTALL.md              2
-rw-r--r--  docs/best_practices.md       2
-rw-r--r--  docs/fuzzing_expert.md       6
-rw-r--r--  docs/interpreting_output.md  2
-rw-r--r--  docs/known_limitations.md    2
-rw-r--r--  docs/parallel_fuzzing.md    11
-rw-r--r--  docs/sister_projects.md     12
-rw-r--r--  docs/technical_details.md   12
9 files changed, 41 insertions, 31 deletions
diff --git a/docs/Changelog.md b/docs/Changelog.md
index 04b2fb2e..6a9c895c 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -9,24 +9,34 @@ Want to stay in the loop on major new features? Join our mailing list by
 sending a mail to <afl-users+subscribe@googlegroups.com>.
 
 ### Version ++3.15a (dev)
+  - documentation restructuring, made possible by Google Season of Docs :)
   - afl-fuzz:
+    - cmplog binaries will need to be recompiled for this version
+      (it is better!)
+    - fix a regression introduced in 3.10 that resulted in less
+      coverage being detected. thanks to Collin May for reporting!
     - added AFL_IGNORE_PROBLEMS plus checks to identify and abort on
       incorrect LTO usage setups and enhanced the READMEs for better
       information on how to deal with instrumenting libraries
-    - fix a regression introduced in 3.10 that resulted in less
-      coverage being detected. thanks to Collin May for reporting!
     - fix -n dumb mode (nobody should use this)
     - fix stability issue with LTO and cmplog
     - better banner
-  - frida_mode: David Carlier added Android support :)
+    - more effective cmplog mode
+    - more often update the UI when in input2stage mode
+  - frida_mode:
+    - better performance, bug fixes
+    - David Carlier added Android support :)
   - afl-showmap, afl-tmin and afl-analyze:
-    - honor persistent mode for more speed. thanks to dloffre-snl for
-      reporting!
+    - honor persistent mode for more speed. thanks to dloffre-snl
+      for reporting!
     - fix bug where targets are not killed on timeouts
   - Prevent accidently killing non-afl/fuzz services when aborting
     afl-showmap and other tools.
   - afl-cc:
+    - new cmplog mode (incompatible with older afl++ versions)
+    - support llvm IR select instrumentation for default PCGUARD and LTO
     - fix for shared linking on MacOS
+    - added AFL_USE_TSAN thread sanitizer support
     - llvm and LTO mode modified to work with new llvm 14-dev (again)
   - added the very good grammar mutator "GramaTron" to the
     custom_mutators
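Review bot: the "honor persistent mode for more speed. thanks to dloffre-snl for reporting!" entry is only re-wrapped, which is whitespace-only churn that obscures the real changes in this hunk; either leave the old wrapping or state why the new one is needed. The new afl-fuzz entry "cmplog binaries will need to be recompiled for this version" and the new afl-cc entry "new cmplog mode (incompatible with older afl++ versions)" describe the same compatibility break; one of them could point at the other so a reader does not take them for two separate changes. While touching this block, the context line "Prevent accidently killing non-afl/fuzz services" should read "accidentally".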
@@ -41,7 +51,6 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
   - added uninstall target to makefile (todo: update new readme!)
   - removed indirections in rust callbacks for unicornafl
 
-
 ### Version ++3.14c (release)
   - afl-fuzz:
     - fix -F when a '/' was part of the parameter
@@ -2758,7 +2767,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
   - Updated the documentation and added notes_for_asan.txt. Based on feedback
     from Hanno Boeck, Ben Laurie, and others.
 
-  - Moved the project to http://lcamtuf.coredump.cx/afl/.
+  - Moved the project to https://lcamtuf.coredump.cx/afl/.
 
 ### Version 0.46b:
 
diff --git a/docs/INSTALL.md b/docs/INSTALL.md
index 960de1af..cfa20dea 100644
--- a/docs/INSTALL.md
+++ b/docs/INSTALL.md
@@ -150,4 +150,4 @@ sysctl kern.sysv.shmseg=48
 sysctl kern.sysv.shmall=98304
 ```
 
-See [http://www.spy-hill.com/help/apple/SharedMemory.html](http://www.spy-hill.com/help/apple/SharedMemory.html) for documentation for these settings and how to make them permanent.
\ No newline at end of file
+See [https://www.spy-hill.com/help/apple/SharedMemory.html](https://www.spy-hill.com/help/apple/SharedMemory.html) for documentation for these settings and how to make them permanent.
\ No newline at end of file
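Review bot: the "\ No newline at end of file" marker on both sides shows INSTALL.md still ends without a trailing newline; since this line is being rewritten anyway, add the newline so subsequent diffs to this file stay clean.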
diff --git a/docs/best_practices.md b/docs/best_practices.md
index 0708d49d..5d07dd14 100644
--- a/docs/best_practices.md
+++ b/docs/best_practices.md
@@ -108,7 +108,7 @@ Four steps are required to do this and it also requires quite some knowledge of
 
      Follow this document on how to do this: [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md).
      If `PCGUARD` is used, then you need to follow this guide (needs llvm 12+!):
-     [http://clang.llvm.org/docs/SanitizerCoverage.html#partially-disabling-instrumentation](http://clang.llvm.org/docs/SanitizerCoverage.html#partially-disabling-instrumentation)
+     [https://clang.llvm.org/docs/SanitizerCoverage.html#partially-disabling-instrumentation](https://clang.llvm.org/docs/SanitizerCoverage.html#partially-disabling-instrumentation)
 
      Only exclude those functions from instrumentation that provide no value for coverage - that is if it does not process any fuzz data directly or indirectly (e.g. hash maps, thread management etc.).
      If however a function directly or indirectly handles fuzz data, then you should not put the function in a deny instrumentation list and rather live with the instability it comes with.
diff --git a/docs/fuzzing_expert.md b/docs/fuzzing_expert.md
index 96193f88..876c5fbb 100644
--- a/docs/fuzzing_expert.md
+++ b/docs/fuzzing_expert.md
@@ -87,8 +87,8 @@ The following options are available when you instrument with LTO mode (afl-clang
    transform input data before comparison. Therefore this technique is called
    `input to state` or `redqueen`.
    If you want to use this technique, then you have to compile the target
-   twice, once specifically with/for this mode, and pass this binary to afl-fuzz
-   via the `-c` parameter.
+   twice, once specifically with/for this mode by setting `AFL_LLVM_CMPLOG=1`,
+   and pass this binary to afl-fuzz via the `-c` parameter.
    Note that you can compile also just a cmplog binary and use that for both
    however there will be a performance penality.
    You can read more about this in [instrumentation/README.cmplog.md](../instrumentation/README.cmplog.md)
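Review bot: the added "by setting `AFL_LLVM_CMPLOG=1`" makes the second compile step reproducible, which the old text left implicit; good. Since this paragraph is being edited, the context line "however there will be a performance penality" should be fixed to "penalty", and "you can compile also just a cmplog binary and use that for both" reads better as "you can also compile only a cmplog binary and use it for both".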
@@ -149,6 +149,8 @@ The following sanitizers have built-in support in AFL++:
     vulnerabilities - which is however one of the most important and dangerous
     C++ memory corruption classes!
     Enabled with `export AFL_USE_CFISAN=1` before compiling.
+  * TSAN = Thread SANitizer, finds thread race conditions.
+    Enabled with `export AFL_USE_TSAN=1` before compiling.
   * LSAN = Leak SANitizer, finds memory leaks in a program. This is not really
     a security issue, but for developers this can be very valuable.
     Note that unlike the other sanitizers above this needs
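Review bot: the new TSAN bullet says only what it finds and how to enable it; the other entries in this list also say how the sanitizer interacts with fuzzing, and TSAN needs that more than most. State that it cannot be combined with ASAN or MSAN in the same build (clang rejects that combination), and say how a race report reaches afl-fuzz, since TSan by default reports and continues (halt_on_error=0) rather than aborting the target, so a race would not register as a crash unless the runtime is told to halt. Placing the entry above LSAN keeps LSAN's "unlike the other sanitizers above" reference correct.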
diff --git a/docs/interpreting_output.md b/docs/interpreting_output.md
index 327a0ac0..4bd705f2 100644
--- a/docs/interpreting_output.md
+++ b/docs/interpreting_output.md
@@ -56,7 +56,7 @@ Any existing output directory can be also used to resume aborted jobs; try:
 
 If you have gnuplot installed, you can also generate some pretty graphs for any
 active fuzzing task using afl-plot. For an example of how this looks like,
-see [http://lcamtuf.coredump.cx/afl/plot/](http://lcamtuf.coredump.cx/afl/plot/).
+see [https://lcamtuf.coredump.cx/afl/plot/](https://lcamtuf.coredump.cx/afl/plot/).
 
 You can also manually build and install afl-plot-ui, which is a helper utility
 for showing the graphs generated by afl-plot in a graphical window using GTK.
diff --git a/docs/known_limitations.md b/docs/known_limitations.md
index 2d8f84a5..a68c0a85 100644
--- a/docs/known_limitations.md
+++ b/docs/known_limitations.md
@@ -31,6 +31,6 @@ Here are some of the most important caveats for AFL:
     [https://www.fastly.com/blog/how-to-fuzz-server-american-fuzzy-lop](https://www.fastly.com/blog/how-to-fuzz-server-american-fuzzy-lop)
 
   - Occasionally, sentient machines rise against their creators. If this
-    happens to you, please consult [http://lcamtuf.coredump.cx/prep/](http://lcamtuf.coredump.cx/prep/).
+    happens to you, please consult [https://lcamtuf.coredump.cx/prep/](https://lcamtuf.coredump.cx/prep/).
 
 Beyond this, see [INSTALL.md](INSTALL.md) for platform-specific tips.
diff --git a/docs/parallel_fuzzing.md b/docs/parallel_fuzzing.md
index e37276a5..d24f2837 100644
--- a/docs/parallel_fuzzing.md
+++ b/docs/parallel_fuzzing.md
@@ -27,9 +27,8 @@ will not be able to use that input to guide their work.
 To help with this problem, afl-fuzz offers a simple way to synchronize test
 cases on the fly.
 
-Note that AFL++ has AFLfast's power schedules implemented.
-It is therefore a good idea to use different power schedules if you run
-several instances in parallel. See [power_schedules.md](power_schedules.md)
+It is a good idea to use different power schedules if you run several instances
+in parallel (`-p` option).
 
 Alternatively running other AFL spinoffs in parallel can be of value,
 e.g. Angora (https://github.com/AngoraFuzzer/Angora/)
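Review bot: the replacement text drops the link to power_schedules.md without giving the reader anywhere else to learn which schedules exist and what they do; "(`-p` option)" alone does not say that. If power_schedules.md was removed in the documentation restructuring, point to wherever the schedules are now described (the afl-fuzz usage text or the new location); otherwise keep the link.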
@@ -39,7 +38,7 @@ e.g. Angora (https://github.com/AngoraFuzzer/Angora/)
 If you wish to parallelize a single job across multiple cores on a local
 system, simply create a new, empty output directory ("sync dir") that will be
 shared by all the instances of afl-fuzz; and then come up with a naming scheme
-for every instance - say, "fuzzer01", "fuzzer02", etc. 
+for every instance - say, "fuzzer01", "fuzzer02", etc.
 
 Run the first one ("main node", -M) like this:
 
@@ -93,7 +92,7 @@ file name.
 
 There is support for parallelizing the deterministic checks.
 This is only needed where
- 
+
  1. many new paths are found fast over a long time and it looks unlikely that
     main node will ever catch up, and
  2. deterministic fuzzing is actively helping path discovery (you can see this
@@ -195,7 +194,7 @@ to keep in mind:
   - You do not want a "main" instance of afl-fuzz on every system; you should
     run them all with -S, and just designate a single process somewhere within
     the fleet to run with -M.
-    
+
   - Syncing is only necessary for the main nodes on a system. It is possible
     to run main-less with only secondaries. However then you need to find out
     which secondary took over the temporary role to be the main node. Look for
diff --git a/docs/sister_projects.md b/docs/sister_projects.md
index 5cb3a102..613bc778 100644
--- a/docs/sister_projects.md
+++ b/docs/sister_projects.md
@@ -15,7 +15,7 @@ instruction manual.
 Allows fuzz-testing of Python programs. Uses custom instrumentation and its
 own forkserver.
 
-http://jwilk.net/software/python-afl
+https://jwilk.net/software/python-afl
 
 ### Go-fuzz (Dmitry Vyukov)
 
@@ -34,7 +34,7 @@ https://github.com/kmcallister/afl.rs
 Adds AFL-compatible instrumentation to OCaml programs.
 
 https://github.com/ocamllabs/opam-repo-dev/pull/23
-http://canopy.mirage.io/Posts/Fuzzing
+https://canopy.mirage.io/Posts/Fuzzing
 
 ### AFL for GCJ Java and other GCC frontends (-)
 
@@ -54,7 +54,7 @@ some programs to be fuzzed without the fork / execve overhead. (Similar
 functionality is now available as the "persistent" feature described in
 [the llvm_mode readme](../instrumentation/README.llvm.md))
 
-http://llvm.org/docs/LibFuzzer.html
+https://llvm.org/docs/LibFuzzer.html
 
 ## TriforceAFL (Tim Newsham and Jesse Hertz)
 
@@ -189,7 +189,7 @@ https://github.com/bshastry/afl-sancov
 
 Makes it easy to estimate memory usage limits when fuzzing with ASAN or MSAN.
 
-http://jwilk.net/software/recidivm
+https://jwilk.net/software/recidivm
 
 ### aflize (Jacek Wielemborek)
 
@@ -274,7 +274,7 @@ https://goo.gl/j9EgFf
 
 A simple SQL shell designed specifically for fuzzing the underlying library.
 
-http://www.sqlite.org/src/artifact/9e7e273da2030371
+https://www.sqlite.org/src/artifact/9e7e273da2030371
 
 ### Support for Python mutation modules (Christian Holler)
 
@@ -292,7 +292,7 @@ A similar guided approach as applied to fuzzing syscalls:
 
 https://github.com/google/syzkaller/wiki/Found-Bugs
 https://github.com/dvyukov/linux/commit/33787098ffaaa83b8a7ccf519913ac5fd6125931
-http://events.linuxfoundation.org/sites/events/files/slides/AFL%20filesystem%20fuzzing%2C%20Vault%202016_0.pdf
+https://events.linuxfoundation.org/sites/events/files/slides/AFL%20filesystem%20fuzzing%2C%20Vault%202016_0.pdf
 
 
 ### Kernel Snapshot Fuzzing using Unicornafl (Security in Telecommunications)
diff --git a/docs/technical_details.md b/docs/technical_details.md
index b0ca493e..b9d271d9 100644
--- a/docs/technical_details.md
+++ b/docs/technical_details.md
@@ -161,8 +161,8 @@ features of the underlying data format, as shown in this image:
 Several practical examples of the results of this algorithm are discussed
 here:
 
-  http://lcamtuf.blogspot.com/2014/11/pulling-jpegs-out-of-thin-air.html
-  http://lcamtuf.blogspot.com/2014/11/afl-fuzz-nobody-expects-cdata-sections.html
+  https://lcamtuf.blogspot.com/2014/11/pulling-jpegs-out-of-thin-air.html
+  https://lcamtuf.blogspot.com/2014/11/afl-fuzz-nobody-expects-cdata-sections.html
 
 The synthetic corpus produced by this process is essentially a compact
 collection of "hmm, this does something new!" input files, and can be used to
@@ -323,7 +323,7 @@ value of various fuzzing strategies and optimize their parameters so that they
 work equally well across a wide range of file types. The strategies used by
 afl-fuzz are generally format-agnostic and are discussed in more detail here:
 
-  http://lcamtuf.blogspot.com/2014/08/binary-fuzzing-strategies-what-works.html
+  https://lcamtuf.blogspot.com/2014/08/binary-fuzzing-strategies-what-works.html
 
 It is somewhat notable that especially early on, most of the work done by
 `afl-fuzz` is actually highly deterministic, and progresses to random stacked
@@ -376,7 +376,7 @@ valid grammar for the tested parser.
 A discussion of how these features are implemented within afl-fuzz can be found
 here:
 
-  http://lcamtuf.blogspot.com/2015/01/afl-fuzz-making-up-grammar-with.html
+  https://lcamtuf.blogspot.com/2015/01/afl-fuzz-making-up-grammar-with.html
 
 In essence, when basic, typically easily-obtained syntax tokens are combined
 together in a purely random manner, the instrumentation and the evolutionary
@@ -429,7 +429,7 @@ thrown away.
 
 A detailed discussion of the value of this approach can be found here:
 
-  http://lcamtuf.blogspot.com/2014/11/afl-fuzz-crash-exploration-mode.html
+  https://lcamtuf.blogspot.com/2014/11/afl-fuzz-crash-exploration-mode.html
 
 The method uses instrumentation feedback to explore the state of the crashing
 program to get past the ambiguous faulting condition and then isolate the
@@ -447,7 +447,7 @@ goes through `execve()`, linking, and libc initialization only once, and is then
 cloned from a stopped process image by leveraging copy-on-write. The
 implementation is described in more detail here:
 
-  http://lcamtuf.blogspot.com/2014/10/fuzzing-binaries-without-execve.html
+  https://lcamtuf.blogspot.com/2014/10/fuzzing-binaries-without-execve.html
 
 The fork server is an integral aspect of the injected instrumentation and
 simply stops at the first instrumented function to await commands from