diff options
Diffstat (limited to 'llvm_mode/README.neverzero.md')
| -rw-r--r-- | llvm_mode/README.neverzero.md | 17 |
1 files changed, 10 insertions, 7 deletions
diff --git a/llvm_mode/README.neverzero.md b/llvm_mode/README.neverzero.md index 5fcf7b47..1e406560 100644 --- a/llvm_mode/README.neverzero.md +++ b/llvm_mode/README.neverzero.md @@ -2,17 +2,20 @@ ## Usage -In larger, complex or reiterative programs the map that collects the edge pairs -can easily fill up and wrap. -This is not that much of an issue - unless by chance it wraps just to a 0 -when the program execution ends. -In this case afl-fuzz is not able to see that the pair has been accessed and +In larger, complex or reiterative programs the counters that collect the edge +coverage can easily fill up and wrap around. +This is not that much of an issue - unless by chance it wraps just to a value +of zero when the program execution ends. +In this case afl-fuzz is not able to see that the edge has been accessed and will ignore it. -NeverZero prevents this behaviour. If a counter wraps, it jumps over the 0 -directly to a 1. This improves path discovery (by a very little amount) +NeverZero prevents this behaviour. If a counter wraps, it jumps over the value +0 directly to a 1. This improves path discovery (by a very little amount) at a very little cost (one instruction per edge). +(The alternative of saturated counters has been tested also and proved to be +inferior in terms of path discovery.) + This is implemented in afl-gcc, however for llvm_mode this is optional if the llvm version is below 9 - as there is a perfomance bug that is only fixed in version 9 and onwards. |