From 4ce5ed370a1c18c8c7d7f6ad4fa029a34e1326e4 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 20 Aug 2020 18:57:05 +0200 Subject: LTO: sancov made default, deprecated SKIPSINGLEBLOCK, deactivate LTO autodict for cmplog binaries --- docs/Changelog.md | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) (limited to 'docs') diff --git a/docs/Changelog.md b/docs/Changelog.md index efb5ed0b..d00d59d7 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -10,8 +10,14 @@ sending a mail to . ### Version ++2.67d (develop) - - Further llvm 12 support (fast moving target like afl++ :-) ) - - Fix for auto dictionary not to throw out a -x dictionary + - afl-fuzz: + - Fix for auto dictionary entries found during fuzzing to not throw out + a -x dictionary + - llvm_mode: + - Ported SanCov to LTO, and made it the default for LTO. better + instrumentation locations + - Further llvm 12 support (fast moving target like afl++ :-) ) + - deprecated LLVM SKIPSINGLEBLOCK env environment ### Version ++2.67c (release) -- cgit 1.4.1 From 182b8b3e142814ac865396f8a66453f071d8a2d6 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 20 Aug 2020 19:00:15 +0200 Subject: remove doc reference for SKIPSINGLEBLOCK --- docs/env_variables.md | 10 +++------- llvm_mode/README.instrim.md | 9 --------- 2 files changed, 3 insertions(+), 16 deletions(-) (limited to 'docs') diff --git a/docs/env_variables.md b/docs/env_variables.md index f0ae0b6c..94c34400 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md 
@@ -83,17 +83,12 @@ tools make fairly broad use of environmental variables: The native instrumentation helpers (llvm_mode and gcc_plugin) accept a subset of the settings discussed in section #1, with the exception of: - - Setting AFL_LLVM_SKIPSINGLEBLOCK=1 will skip instrumenting - functions with a single basic block. This is useful for most C and - some C++ targets. This works for all instrumentation modes. - - AFL_AS, since this toolchain does not directly invoke GNU as. - TMPDIR and AFL_KEEP_ASSEMBLY, since no temporary assembly files are created. - - AFL_INST_RATIO, as we switched for instrim instrumentation which - is more effective but makes not much sense together with this option. + - AFL_INST_RATIO, as we by default collision free instrumentation is used. Then there are a few specific features that are only available in llvm_mode: @@ -121,7 +116,8 @@ Then there are a few specific features that are only available in llvm_mode: built if LLVM 11 or newer is used. - AFL_LLVM_INSTRUMENT=CFG will use Control Flow Graph instrumentation. - (not recommended!) + (not recommended for afl-clang-fast, default for afl-clang-lto as there + it is a different and better kind of instrumentation.) None of the following options are necessary to be used and are rather for manual use (which only ever the author of this LTO implementation will use). diff --git a/llvm_mode/README.instrim.md b/llvm_mode/README.instrim.md index 53a518a9..7758091b 100644 --- a/llvm_mode/README.instrim.md +++ b/llvm_mode/README.instrim.md 
@@ -19,15 +19,6 @@ see how often the loop has been rerun. This again is a tradeoff for speed for less path information. To enable this mode set `AFL_LLVM_INSTRIM_LOOPHEAD=1`. -There is an additional optimization option that skips single block -functions. In 95% of the C targets and (guess) 50% of the C++ targets -it is good to enable this, as otherwise pointless instrumentation occurs. -The corner case where we want this instrumentation is when vtable/call table -is used and the index to that vtable/call table is not set in specific -basic blocks. -To enable skipping these (most of the time) unnecessary instrumentations set -`AFL_LLVM_INSTRIM_SKIPSINGLEBLOCK=1` - ## Background The paper: [InsTrim: Lightweight Instrumentation for Coverage-guided Fuzzing] -- cgit 1.4.1 From 47878f697485e0543ce9e5d81369aa1ecc56e55e Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 21 Aug 2020 23:33:35 +0200 Subject: add execs_done to plot file --- docs/Changelog.md | 1 + include/afl-fuzz.h | 2 +- src/afl-fuzz-stats.c | 17 ++++++++++------- 3 files changed, 12 insertions(+), 8 deletions(-) (limited to 'docs') diff --git a/docs/Changelog.md b/docs/Changelog.md index d00d59d7..8bbb4e19 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -13,6 +13,7 @@ sending a mail to . - afl-fuzz: - Fix for auto dictionary entries found during fuzzing to not throw out a -x dictionary + - added total execs done to plot file - llvm_mode: - Ported SanCov to LTO, and made it the default for LTO. better instrumentation locations diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index c04ba396..1deeddd3 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h 
@@ -624,7 +624,7 @@ typedef struct afl_state {
 /* plot file saves from last run */
 u32 plot_prev_qp, plot_prev_pf, plot_prev_pnf, plot_prev_ce, plot_prev_md;
- u64 plot_prev_qc, plot_prev_uc, plot_prev_uh;
+ u64 plot_prev_qc, plot_prev_uc, plot_prev_uh, plot_prev_ed;
 u64 stats_last_stats_ms, stats_last_plot_ms, stats_last_ms, stats_last_execs;
 double stats_avg_exec;
diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c
index aeb290bd..0ce35cb7 100644
--- a/src/afl-fuzz-stats.c
+++ b/src/afl-fuzz-stats.c
@@ -206,7 +206,8 @@ void maybe_update_plot_file(afl_state_t *afl, double bitmap_cvg, double eps) {
 afl->plot_prev_qc == afl->queue_cycle &&
 afl->plot_prev_uc == afl->unique_crashes &&
 afl->plot_prev_uh == afl->unique_hangs &&
- afl->plot_prev_md == afl->max_depth) ||
+ afl->plot_prev_md == afl->max_depth &&
+ afl->plot_prev_ed == afl->fsrv.total_execs) ||
 unlikely(!afl->queue_cycle) ||
 unlikely(get_cur_time() - afl->start_time <= 60)) {
@@ -222,6 +223,7 @@ void maybe_update_plot_file(afl_state_t *afl, double bitmap_cvg, double eps) {
 afl->plot_prev_uc = afl->unique_crashes;
 afl->plot_prev_uh = afl->unique_hangs;
 afl->plot_prev_md = afl->max_depth;
+ afl->plot_prev_ed = afl->fsrv.total_execs;
 /* Fields in the file:
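Review bot: Adding `afl->plot_prev_ed == afl->fsrv.total_execs` to the unchanged-state test in the first afl-fuzz-stats.c hunk makes that early return effectively dead once the target is running, because total_execs advances between any two calls, so the dedupe that used to suppress identical plot rows will no longer fire. If that is the intent (a row per call so execs can be plotted against time), it deserves a comment on the new line such as `/* total_execs changes on every call; the write rate is bounded only by the caller */`, since the caller and the stats_last_plot_ms gating are outside this hunk and I can only infer that they still limit how often this runs. If it is not the intent, drop the new comparison and keep only the assignment in the second hunk so the value is still recorded for printing. maybe_update_plot_file begins and ends outside the hunk.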
@@ -229,12 +231,13 @@ void maybe_update_plot_file(afl_state_t *afl, double bitmap_cvg, double eps) {
 favored_not_fuzzed, afl->unique_crashes, afl->unique_hangs, afl->max_depth, execs_per_sec */
- fprintf(afl->fsrv.plot_file,
- "%llu, %llu, %u, %u, %u, %u, %0.02f%%, %llu, %llu, %u, %0.02f\n",
- get_cur_time() / 1000, afl->queue_cycle - 1, afl->current_entry,
- afl->queued_paths, afl->pending_not_fuzzed, afl->pending_favored,
- bitmap_cvg, afl->unique_crashes, afl->unique_hangs, afl->max_depth,
- eps); /* ignore errors */
+ fprintf(
+ afl->fsrv.plot_file,
+ "%llu, %llu, %u, %u, %u, %u, %0.02f%%, %llu, %llu, %u, %0.02f, %llu\n",
+ get_cur_time() / 1000, afl->queue_cycle - 1, afl->current_entry,
+ afl->queued_paths, afl->pending_not_fuzzed, afl->pending_favored,
+ bitmap_cvg, afl->unique_crashes, afl->unique_hangs, afl->max_depth, eps,
+ afl->plot_prev_ed); /* ignore errors */
 fflush(afl->fsrv.plot_file);
-- cgit 1.4.1
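Review bot: The `Fields in the file:` comment kept as context at the top of this hunk still ends at `execs_per_sec */` while the new format string appends a trailing `%llu`, so the documented plot_data schema no longer matches what is written; extend the comment's last line to `execs_per_sec, total_execs */`. For consistency with the neighbouring arguments, which print the live counters (`afl->unique_crashes`, `afl->max_depth`) rather than their plot_prev_ copies, the appended argument reads more naturally as `afl->fsrv.total_execs`; it is equivalent here only because the previous hunk assigns plot_prev_ed from it a few lines earlier. `%llu` for the new u64 matches how unique_crashes and unique_hangs are already printed, so the format is consistent, but anything that consumes plot_data positionally (the afl-plot gnuplot script, external dashboards) is not in this diff and should be checked against the new trailing column. maybe_update_plot_file ends outside the hunk.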