Lines Matching +full:asan +full:- +full:trace +full:- +full:cmp

7   - afl-fuzz:
8 - default power schedule is now EXPLORE, due to a fix in fast schedules
10 - fixed minor issues in the mutation engine, thanks to @futhewo for
12 - better deterministic fuzzing is now available; benchmarks have shown it
13 to improve fuzzing. Enable with -D. Thanks to @kdsjZh for the PR!
14 - afl-cc:
15 - large rewrite by @SonicStark which fixes a few corner cases, thanks!
16 - LTO mode now requires llvm 12+
17 - workaround for ASAN with gcc_plugin mode
18 - instrumentation:
19 - LLVM 18 support, thanks to @devnexen!
20 - Injection (SQL, LDAP, XSS) fuzzing feature now available, see
22 - compcov/LAF-intel:
23 - floating point splitting bug fix by @hexcoder
24 - due to a bug in LLVM 17, integer splitting is disabled there!
25 - when splitting floats was selected, integers were always split as well,
27 - dynamic instrumentation filtering for LLVM NATIVE, thanks @Mozilla!
29 - qemu_mode:
30 - plugins are now activated by default and a new module is included that
33 - updated Nyx checkout (fixes a bug) and some QOL
34 - updated the custom grammar mutator
35 - documented that afl-cmin does not work on macOS (but afl-cmin.bash does)
38 - afl-fuzz:
39 - fixed the new mutation implementation for two bugs
40 - added `AFL_FINAL_SYNC` which forces a final fuzzer sync (also for `-F`)
42 - added AFL_IGNORE_SEED_PROBLEMS to skip over seeds that time out instead
44 - allow -S/-M naming up to 50 characters (from 24)
45 - CMPLOG:
46 - added scale support (-l S)
47 - skip unhelpful insertions (u8)
48 - added --version and --help command line parameters
49 - fixed endless loop when reading malformed dictionaries
50 - new custom mutator function: post_run - thanks to yangzao!
51 - afl-whatsup:
52 - detect instances that are starting up and show them as such, not as dead
53 - now also shows coverage reached
54 - option -m shows only very relevant stats
55 - option -n will not use color in the output
56 - instrumentation:
57 - fix for a few string compare transform functions for LAF
58 - we are instrumenting __cxx internal functions again. This might break
60 - frida_mode:
61 - fixes support for large map offsets
62 - support for AFL_FUZZER_LOOPCOUNT for afl.rs and LLVMFuzzerTestOneInput
63 - afl-cmin/afl-cmin.bash: prevent unneeded file errors
64 - added new tool afl-addseeds that adds new seeds to a running campaign
65 - added benchmark/benchmark.py if you want to see how good your fuzzing
69 - afl-fuzz:
70 - new mutation engine: mutations that favor discovering more paths are
73 with `-P`. Also input mode for the target can be defined with `-a` to
75 - new custom mutator that has the new afl++ engine (so it can easily
78 - display the state of the fuzzing run in the UI :-)
79 - fix timeout setting if '+' is used or a session is restarted
80 - -l X option to enable base64 transformation solving
81 - allow to disable CMPLOG with '-c -' (e.g. afl.rs enforces '-c 0' on
83 - afl-cmin/afl-cmin.bash:
84 - fixed a bug inherited from vanilla AFL where a coverage of
86 - warn on crashing inputs
87 - adjust threads if fewer inputs than threads are specified
88 - afl-cc:
89 - fixed an off-by-one instrumentation of iselect, hurting coverage a bit.
91 - @toka fixed a bug in laf-intel signed integer comparison splitting,
93 - more LLVM compatibility
94 - frida_mode:
95 - support for long form instrumentation on x86_64 and arm64
96 - renamed utils/get_symbol_addr.sh to utils/frida_get_symbol_addr.sh
97 - qemu_mode:
98 - added qemu_mode/utils/qemu_get_symbol_addr.sh
101 - afl-fuzz:
102 - reverse reading the seeds only on restarts (increases performance)
103 - new env `AFL_POST_PROCESS_KEEP_ORIGINAL` to keep the original
105 - new env `AFL_IGNORE_PROBLEMS_COVERAGE` to ignore coverage from
107 - afl-cc:
108 - added @responsefile support
109 - new env `AFL_LLVM_LTO_SKIPINIT` to support the AFL++ based WASM
111 - error and print help if afl-clang-lto is used with lto=thin
112 - rewrote our PCGUARD pass to be compatible with LLVM 15+ shenanigans,
114 - fallback to native LLVM PCGUARD if our PCGUARD is unavailable
115 - fixed a crash in GCC CMPLOG
116 - afl-showmap:
117 - added custom mutator post_process and send support
118 - add `-I filelist` option, an alternative to `-i in_dir`
119 - afl-cmin + afl-cmin.bash:
120 - `-T threads` parallel task support, can be a huge speedup!
121 - qemu_mode:
122 - Persistent mode + QASAN support for ppc32 targets by @worksbutnottested
123 - a new grammar custom mutator atnwalk was submitted by @voidptr127!
124 - two new custom mutators are now available:
125 - TritonDSE in custom_mutators/aflpp_tritondse
126 - SymQEMU in custom_mutators/symqemu
129 - afl-fuzz:
130 - ensure temporary file descriptor is closed when not used
131 - added `AFL_NO_WARN_INSTABILITY`
132 - added time_wo_finds to fuzzer_stats
133 - fixed a crash in pizza (1st april easter egg) mode. Sorry for
135 - allow pizza mode to be disabled when AFL_PIZZA_MODE is set to -1
136 - option `-p mmopt` now also selects new queue items more often
137 - fix bug in post_process custom mutator implementation
138 - print name of custom mutator in UI
139 - slight changes that improve fuzzer performance
140 - afl-cc:
141 - add CFI sanitizer variant to gcc targets
142 - llvm 16 + 17 support (thanks to @devnexen!)
143 - support llvm 15 native pcguard changes
144 - support for LLVMFuzzerTestOneInput -1 return
145 - LTO autotoken and llvm_mode: added AFL_LLVM_DICT2FILE_NO_MAIN support
146 - qemu_mode:
147 - fix _RANGES envs to allow hyphens in the filenames
148 - basic riscv support
149 - frida_mode:
150 - added `AFL_FRIDA_STATS_INTERVAL`
151 - fix issue on MacOS
152 - unicorn_mode:
153 - updated and minor issues fixed
154 - nyx_mode support for all tools
155 - better sanitizer default options support for all tools
156 - new custom module: autotoken, a grammar free fuzzer for text inputs
157 - fixed custom mutator C examples
158 - more minor fixes and cross-platform support
161 - MacOS: libdislocator, libtokencap etc. do not work with modern
165 - afl-fuzz:
166 - added afl_custom_fuzz_send custom mutator feature. Now you can
168 - cmplog mode now has a -l R option for random colorization, thanks
170 - queue statistics are written every 30 minutes to
172 - new env: AFL_FORK_SERVER_KILL_SIGNAL
173 - afl-showmap/afl-cmin
174 - `-t none` now translates to `-t 120000` (120 seconds)
175 - unicorn_mode updated
176 - updated rust custom mutator dependencies and LibAFL custom mutator
177 - overall better sanitizer default setting handling
178 - several minor bugfixes
181 - fix gramatron and grammar_mutator build scripts
182 - enhancements to the afl-persistent-config and afl-system-config
184 - afl-fuzz:
185 - force writing all stats on exit
186 - ensure targets are killed on exit
187 - `AFL_FORK_SERVER_KILL_SIGNAL` added
188 - afl-cc:
189 - make gcc_mode (afl-gcc-fast) work with gcc down to version 3.6
190 - qemu_mode:
191 - fixed 10x speed degradation in v4.03c, thanks to @ele7enxxh for
193 - added qemu_mode/fastexit helper library
194 - unicorn_mode:
195 - Enabled tricore arch (by @jma-qb)
196 - Updated Capstone version in Rust bindings
197 - llvm-mode:
198 - AFL runtime will always pass inputs via shared memory, when possible,
203 - Building now gives a build summary of what succeeded and what did not
204 - afl-fuzz:
205 - added AFL_NO_STARTUP_CALIBRATION to start fuzzing at once instead
208 - default calibration cycles set to 7 from 8, and only add 5 cycles
210 - afl-cc:
211 - fixed off-by-one bug in our pcguard implementation, thanks for
213 - fix for llvm 15 and reenabling LTO, thanks to nikic for the PR!
214 - better handling of -fsanitize=..,...,.. lists
215 - support added for LLVMFuzzerRunDriver()
216 - fix gcc_mode cmplog
217 - obtain the map size of a target with setting AFL_DUMP_MAP_SIZE=1
219 - qemu_mode:
220 - added AFL_QEMU_TRACK_UNSTABLE to log the addresses of unstable
221 edges (together with AFL_DEBUG=1 afl-fuzz). Thanks to
223 - afl-analyze broke at some point, fix by CodeLogicError, thank you!
224 - afl-cmin/afl-cmin.bash now have an -A option to allow also crashing
226 - unicorn_mode:
227 - updated upstream unicorn version
228 - fixed builds for aarch64
229 - build now uses all available cores
233 - afl-cc:
234 - important fix for the default pcguard mode when LLVM IR vector
236 - gcc_plugin:
237 - Adacore submitted CMPLOG support to the gcc_plugin! :-)
238 - llvm_mode:
239 - laf cmp splitting fixed for more comparison types
240 - frida_mode:
241 - now works on Android!
242 - afl-fuzz:
243 - change post_process hook to allow returning NULL and 0 length to
244 tell afl-fuzz to skip this mutated input
247 - fixed */build_...sh scripts to work outside of git
248 - new custom_mutator: libafl with token fuzzing :)
249 - afl-fuzz:
250 - when you just want to compile once and set CMPLOG, then just
251 set -c 0 to tell afl-fuzz that the fuzzing binary is also for
253 - new commandline options -g/G to set min/max length of generated
255 - you can set the time for syncing to other fuzzer now with
257 - reintroduced AFL_PERSISTENT and AFL_DEFER_FORKSRV to allow
260 - add AFL_EARLY_FORKSERVER to install the forkserver as earliest as
261 possible in the target (for afl-gcc-fast/afl-clang-fast/
262 afl-clang-lto)
263 - "saved timeouts" was wrong information, timeouts are still thrown
266 - AFL never implemented auto token inserts (but user token inserts,
268 - fixed a mutation type in havoc mode
269 - Mopt fix to always select the correct algorithm
270 - fix effector map calculation (deterministic mode)
271 - fix custom mutator post_process functionality
272 - document and auto-activate pizza mode on condition
273 - afl-cc:
274 - due to a bug in lld of llvm 15, LTO instrumentation won't work atm :-(
275 - converted all passes to use the new llvm pass manager for llvm 11+
276 - AFL++ PCGUARD mode is not available for 10.0.1 anymore (11+ only)
277 - trying to stay on top of all these #$&§!! changes in llvm 15 ...
278 - frida_mode:
279 - update to new frida release, handles now c++ throw/catch
280 - unicorn_mode:
281 - update unicorn engine, fix C example
282 - utils:
283 - removed optimin because it loses coverage due to a bug and is
284 unmaintained :-(
288 - complete documentation restructuring, made possible by Google Season
290 - we renamed several UI and fuzzer_stat entries to be more precise,
291 e.g. "unique crashes" -> "saved crashes", "total paths" ->
292 "corpus count", "current path" -> "current item".
294 - Nyx mode (full system emulation with snapshot capability) has been
295 added - thanks to @schumilo and @eqv!
296 - unicorn_mode:
297 - Moved to unicorn2! by Ziqiao Kong (@lazymio)
298 - Faster, more accurate emulation (newer QEMU base), risc-v support
299 - removed indirections in rust callbacks
300 - new binary-only fuzzing mode: coresight_mode for aarch64 CPUs :)
302 - if instrumented libraries are dlopen()'ed after the forkserver you
307 - afl-fuzz:
308 - cmplog binaries will need to be recompiled for this version
310 - fix a regression introduced in 3.10 that resulted in less
312 - ensure all spawned targets are killed on exit
313 - added AFL_IGNORE_PROBLEMS, plus checks to identify and abort on
316 - fix -n dumb mode (nobody should use this mode though)
317 - fix stability issue with LTO and cmplog
318 - better banner
319 - more effective cmplog mode
320 - update the UI more often when in input2stage mode
321 - qemu_mode/unicorn_mode: fixed OOB write when using libcompcov,
323 - frida_mode:
324 - better performance, bug fixes
325 - David Carlier added Android support :)
326 - afl-showmap, afl-tmin and afl-analyze:
327 - honor persistent mode for more speed. Thanks to dloffre-snl
329 - fix bug where targets are not killed on timeouts
330 - moved hidden afl-showmap -A option to -H to be used for
332 - Prevent accidentally killing non-afl/fuzz services when aborting
333 afl-showmap and other tools.
334 - afl-cc:
335 - detect overflow reads on initial input buffer for asan
336 - new cmplog mode (incompatible with older AFL++ versions)
337 - support llvm IR select instrumentation for default PCGUARD and LTO
338 - fix for shared linking on MacOS
339 - better selective instrumentation AFL_LLVM_{ALLOW|DENY}LIST
341 - fixed a potential crash in targets for LAF string handling
342 - fixed a bad assert in LAF split switches
343 - added AFL_USE_TSAN thread sanitizer support
344 - llvm and LTO mode modified to work with new llvm 14-dev (again.)
345 - fix for AFL_REAL_LD
346 - more -z defs filtering
347 - make -v without options work
348 - added the very good grammar mutator "GramaTron" to the
350 - added optimin, a faster and better corpus minimizer by
352 - added afl-persistent-config script to set perform permanent system
355 - added xml, curl & exotic string functions to llvm dictionary feature
356 - fix AFL_PRELOAD issues on MacOS
357 - removed utils/afl_frida because frida_mode/ is now so much better
358 - added uninstall target to makefile (todo: update new readme!)
361 - afl-fuzz:
362 - fix -F when a '/' was part of the parameter
363 - fixed a crash for cmplog for very slow inputs
364 - fix for AFLfast schedule counting
365 - removed implied -D deterministic from -M main
366 - if the target becomes unavailable check out out/default/error.txt
368 - AFL_CAL_FAST was a dead env, now does the same as AFL_FAST_CAL
369 - reverse read the queue on resumes (more effective)
370 - fix custom mutator trimming
371 - afl-cc:
372 - Update to COMPCOV/laf-intel that speeds up the instrumentation
373 process a lot - thanks to Michael Rodler/f0rki for the PR!
374 - Fix for failures for some sized string instrumentations
375 - Fix to instrument global namespace functions in c++
376 - Fix for llvm 13
377 - support partial linking
378 - do honor AFL_LLVM_{ALLOW/DENY}LIST for LTO autodictionary and DICT2FILE
379 - We do support llvm versions from 3.8 to 5.0 again
380 - frida_mode:
381 - several fixes for cmplog
382 - remove need for AFL_FRIDA_PERSISTENT_RETADDR_OFFSET
383 - less coverage collision
384 - feature parity of aarch64 with intel now (persistent, cmplog,
385 in-memory testcases, asan)
386 - afl-cmin and afl-showmap -i do now descend into subdirectories
387 (like afl-fuzz does) - note that afl-cmin.bash does not!
388 - afl_analyze:
389 - fix timeout handling
390 - add forkserver support for better performance
391 - ensure afl-compiler-rt is built for gcc_module
392 - always build aflpp_driver for libfuzzer harnesses
393 - added `AFL_NO_FORKSRV` env variable support to
394 afl-cmin, afl-tmin, and afl-showmap, by @jhertz
395 - removed outdated documents, improved existing documentation
398 - Note: plot_data switched to relative time from unix time in 3.10
399 - frida_mode - new mode that uses frida to fuzz binary-only targets,
402 - create a fuzzing dictionary with the help of CodeQL thanks to
404 - afl-fuzz:
405 - added patch by @realmadsci to support @@ as part of command line
406 options, e.g. `afl-fuzz ... -- ./target --infile=@@`
407 - add recording of previous fuzz attempts for persistent mode
408 to allow replay of non-reproducible crashes, see
410 - fixed a bug when trimming for stdin targets
411 - cmplog -l: default cmplog level is now 2, better efficiency.
413 - better fuzzing strategy yield display for enabled options
414 - ensure one fuzzer sync per cycle
415 - fix afl_custom_queue_new_entry original file name when syncing
417 - fixed a crash when more than one custom mutator was used together
419 - on a crashing seed potentially the wrong input was disabled
420 - added AFL_EXIT_ON_SEED_ISSUES env that will exit if a seed in
421 -i dir crashes the target or results in a timeout. By default
423 - added AFL_EXIT_ON_TIME env that will make afl-fuzz exit fuzzing
425 - when AFL_FAST_CAL is set a variable path will now be calibrated
427 - added AFL_TRY_AFFINITY to try to bind to CPUs but don't error if
429 - afl-cc:
430 - We do not support llvm versions prior to 6.0 anymore
431 - added thread safe counters to all modes (`AFL_LLVM_THREADSAFE_INST`),
433 - Fix for -pie compiled binaries with default afl-clang-fast PCGUARD
434 - Leak Sanitizer (AFL_USE_LSAN) added by Joshua Rogers, thanks!
435 - Removed InsTrim instrumentation as it is not as good as PCGUARD
436 - Removed automatic linking with -lc++ for LTO mode
437 - Fixed a crash in llvm dict2file when a strncmp length was -1
438 - added --afl-noopt support
439 - utils/aflpp_driver:
440 - aflpp_qemu_driver_hook fixed to work with qemu_mode
441 - aflpp_driver now compiled with -fPIC
442 - unicornafl:
443 - fix MIPS delay slot caching, thanks @JackGrence
444 - fixed aarch64 exit address
445 - execution no longer stops at address 0x0
446 - updated afl-system-config to support Arch Linux weirdness and increase
448 - updated the grammar custom mutator to the newest version
449 - add -d (add dead fuzzer stats) to afl-whatsup
450 - added AFL_PRINT_FILENAMES to afl-showmap/cmin to print the
452 - afl-showmap/cmin will now process queue items in alphabetical order
455 - afl-fuzz:
456 - added AFL_TARGET_ENV variable to pass extra env vars to the target
458 - fix map detection, AFL_MAP_SIZE not needed anymore for most cases
459 - fix counting favorites (just a display thing)
460 - afl-cc:
461 - fix cmplog rtn (rare crash and not being able to gather ptr data)
462 - fix our own PCGUARD implementation to compile with llvm 10.0.1
463 - link runtime not to shared libs
464 - ensure shared libraries are properly built and instrumented
465 - AFL_LLVM_INSTRUMENT_ALLOW/DENY were not implemented for LTO, added
466 - show correct LLVM PCGUARD NATIVE mode when auto switching to it
467 and keep fsanitize-coverage-*list=...
469 - qemu_mode (thanks @realmadsci):
470 - move AFL_PRELOAD and AFL_USE_QASAN logic inside afl-qemu-trace
471 - add AFL_QEMU_CUSTOM_BIN
472 - unicorn_mode
473 - accidentally removed the subfolder from github, re-added
474 - added DEFAULT_PERMISSION to config.h for all files created, default
478 - afl-fuzz:
479 - better auto detection of map size
480 - fix sanitizer settings (bug since 3.10c)
481 - fix an off-by-one overwrite in cmplog
482 - add non-unicode variants from unicode-looking dictionary entries
483 - Rust custom mutator API improvements
484 - Imported crash stats painted yellow on resume (only new ones are red)
485 - afl-cc:
486 - added AFL_NOOPT that will just pass everything to the normal
487 gcc/clang compiler without any changes - to pass weird configure
489 - fixed a crash that can occur with ASAN + CMPLOG together plus
491 - fixed a crash in LAF transform for empty strings
492 - handle erroneous setups in which multiple afl-compiler-rt are
496 - the compiler rt was added also in object building (-c) which
498 - Renamed CTX to CALLER, added correct/real CTX implementation to
500 - qemu_mode:
501 - added AFL_QEMU_EXCLUDE_RANGES env by @realmadsci, thanks!
502 - if no new/updated checkout is wanted, build with:
504 - we no longer perform a "git drop"
505 - afl-cmin: support filenames with spaces
508 - Mac OS ARM64 support
509 - Android support fixed and updated by Joey Jiaojg - thanks!
510 - New selective instrumentation option with __AFL_COVERAGE_* commands
513 - afl-fuzz
514 - Making AFL_MAP_SIZE (mostly) obsolete - afl-fuzz now learns on
516 - upgraded cmplog/redqueen: solving for floating point, solving
519 `-l` that sets the intensity (values 1 to 3). Recommended is 2.
520 - added `AFL_CMPLOG_ONLY_NEW` to not use cmplog on initial seeds
521 from `-i` or resumes (these have most likely already been done)
522 - fix crash for very, very fast targets+systems (thanks to mhlakhani
524 - on restarts (`-i`)/autoresume (AFL_AUTORESUME) the stats are now
526 - changed the meaning of '+' of the '-t' option, it now means to
527 auto-calculate the timeout with the value given being the max
529 abort is now inherent to the -t option.
530 - if deterministic mode is active (`-D`, or `-M` without `-d`) then
533 - added minimum SYNC_TIME to include/config.h (30 minutes default)
534 - better detection if a target needs a large shared map
535 - fix for `-Z`
536 - fixed a few crashes
537 - switched to an even faster RNG
538 - added hghwng's patch for faster trace map analysis
539 - printing suggestions for mistyped `AFL_` env variables
540 - added Rust bindings for custom mutators (thanks @julihoh)
541 - afl-cc
542 - allow instrumenting LLVMFuzzerTestOneInput
543 - fixed endless loop for allow/blocklist lines starting with a
545 - cmplog/redqueen now also tracks floating point, _ExtInt() + 128bit
546 - cmplog/redqueen can now process basic libc++ and libstdc++
548 - added support for __afl_coverage_interesting() for LTO and our
551 - added AFL_LLVM_INSTRUMENT option NATIVE for native clang pc-guard
552 support (less performant than our own), GCC for old afl-gcc and
553 CLANG for old afl-clang
554 - fixed a potential crash in the LAF feature
555 - workaround for llvm bitcast lto bug
556 - workaround for llvm 13
557 - qemuafl
558 - QASan (address sanitizer for Qemu) ported to qemuafl!
560 - solved some persistent mode bugs (thanks Dil4rd)
561 - solved an issue when dumping the memory maps (thanks wizche)
562 - Android support for QASan
563 - unicornafl
564 - Substantial speed gains in python bindings for certain use cases
565 - Improved rust bindings
566 - Added a new example harness to compare python, c and rust bindings
567 - afl-cmin and afl-showmap now support the -f option
568 - afl_plot now also generates a graph on the discovered edges
569 - changed default: no memory limit for afl-cmin and afl-cmin.bash
570 - warn on any _AFL and __AFL env vars.
571 - set AFL_IGNORE_UNKNOWN_ENVS to not warn on unknown AFL_... env vars
572 - added dummy Makefile to instrumentation/
573 - Updated utils/afl_frida to be 5% faster, 7% on x86_64
574 - Added `AFL_KILL_SIGNAL` env variable (thanks @v-p-b)
575 - @Edznux added a nice documentation on how to use rpc.statsd with
579 - llvm_mode/ and gcc_plugin/ moved to instrumentation/
580 - examples/ renamed to utils/
581 - moved libdislocator, libtokencap and qdbi_mode to utils/
582 - all compilers combined to afl-cc which emulates the previous ones
583 - afl-llvm/gcc-rt.o merged into afl-compiler-rt.o
584 - afl-fuzz
585 - not specifying -M or -S will now auto-set "-S default"
586 - deterministic fuzzing is now disabled by default and can be enabled with
587 -D. It is still enabled by default for -M.
588 - a new seed selection was implemented that uses weighted randoms based on
590 walk the whole queue approach. Select the old mode with -Z (auto enabled
591 with -M)
592 - Marcel Boehme submitted a patch that improves all AFLfast schedules :)
593 - the default schedule is now FAST
594 - memory limits are now disabled by default, set them with -m if required
595 - rpc.statsd support, for stats and charts, by Edznux, thanks a lot!
596 - reading testcases from -i now descends into subdirectories
597 - allow the -x command line option up to 4 times
598 - loaded extras now have a duplication protection
599 - If test cases are too large we do a partial read on the maximum
601 - longer seeds with the same trace information will now be ignored
603 - crashing seeds no longer prevent a run from starting but are
604 skipped - they are still used for splicing, though
605 - update MOpt for expanded havoc modes
606 - setting the env var AFL_NO_AUTODICT will not load an LTO autodictionary
607 - added NO_SPLICING compile option and makefile define
608 - added INTROSPECTION make target that writes all mutations to
610 - print special compile time options used in help output
611 - when using -c cmplog, one of the children was not killed, fixed
612 - somewhere we broke -n dumb fuzzing, fixed
613 - added afl_custom_describe to the custom mutator API to allow for easy
615 - new env. var. AFL_NO_COLOR (or AFL_NO_COLOUR) to suppress colored
617 - instrumentation
618 - We received an enhanced gcc_plugin module from AdaCore, thank you
620 - not overriding -Ox or -fno-unroll-loops anymore
621 - we now have our own trace-pc-guard implementation. It is the same as
622 -fsanitize-coverage=trace-pc-guard from llvm 12, but: it is a) inline
624 - new llvm pass: dict2file via AFL_LLVM_DICT2FILE, create afl-fuzz
625 -x dictionary of string comparisons found during compilation
626 - LTO autodict now also collects interesting cmp comparisons,
628 - fix crash in dict2file for integers > 64 bit
629 - custom mutators
630 - added a new custom mutator: symcc -> https://github.com/eurecom-s3/symcc/
631 - added a new custom mutator: libfuzzer that integrates libfuzzer mutations
632 - Our AFL++ Grammar-Mutator is now better integrated into custom_mutators/
633 - added INTROSPECTION support for custom modules
634 - python fuzz function was not optional, fixed
635 - some python mutator speed improvements
636 - afl-cmin/afl-cmin.bash now search first in PATH and last in AFL_PATH
637 - unicornafl synced with upstream version 1.02 (fixes, better rust bindings)
638 - renamed AFL_DEBUG_CHILD_OUTPUT to AFL_DEBUG_CHILD
639 - added AFL_CRASH_EXITCODE env variable to treat a child exitcode as crash
643 - added the GSoC excellent AFL++ grammar mutator by Shengtuo to our
644 custom_mutators/ (see custom_mutators/README.md) - or get it here:
645 https://github.com/AFLplusplus/Grammar-Mutator
646 - a few QOL changes for Apple and its outdated gmake
647 - afl-fuzz:
648 - fix for auto dictionary entries found during fuzzing to not throw out
649 a -x dictionary
650 - added total execs done to plot file
651 - AFL_MAX_DET_EXTRAS env variable added to control the amount of
653 - AFL_FORKSRV_INIT_TMOUT env variable added to control the time to wait
656 - bugfix for cmplog that results in a heap overflow based on target data
658 - write fuzzing setup into out/fuzzer_setup (environment variables and
660 - custom mutators:
661 - added afl_custom_fuzz_count/fuzz_count function to allow specifying
663 - llvm_mode:
664 - ported SanCov to LTO, and made it the default for LTO. better
666 - Further llvm 12 support (fast moving target like AFL++ :-) )
667 - deprecated the LLVM SKIPSINGLEBLOCK environment variable
671 - Support for improved AFL++ snapshot module:
672 https://github.com/AFLplusplus/AFL-Snapshot-LKM
673 - Due to the instrumentation needing more memory, the initial memory sizes
674 for -m have been increased
675 - afl-fuzz:
676 - added -F option to allow -M main fuzzers to sync to foreign fuzzers,
678 - added -b option to bind to a specific CPU
679 - eliminated CPU affinity race condition for -S/-M runs
680 - expanded havoc mode added, on no cycle finds add extra splicing and
682 - fixed a bug in redqueen for strings and made deterministic with -s
683 - Compiletime autodictionary fixes
684 - llvm_mode:
685 - now supports llvm 12
686 - support for AFL_LLVM_ALLOWLIST/AFL_LLVM_DENYLIST (previous
690 - added neverzero counting to trace-pc/pcguard
691 - fixes for laf-intel float splitting (thanks to mark-griffin for
693 - fixes for llvm 4.0
694 - skipping ctors and ifuncs for instrumentation
695 - LTO: switch default to the dynamic memory map, set AFL_LLVM_MAP_ADDR
697 - LTO: improved stability for persistent mode, no other instrumentation
699 - LTO: fixed autodict for long strings
700 - LTO: laf-intel and redqueen/cmplog are now applied at link time
702 - LTO: autodictionary mode is a fixed default now
703 - LTO: instrim instrumentation disabled, only classic support used
705 - LTO: env var AFL_LLVM_DOCUMENT_IDS=file will document which edge ID
707 - LTO: single block functions were not implemented by default, fixed
708 - LTO: AFL_LLVM_SKIP_NEVERZERO behaviour was inverted, fixed
709 - setting AFL_LLVM_LAF_SPLIT_FLOATS now activates
711 - support for -E and -shared compilation runs
712 - added honggfuzz mangle as a custom mutator in custom_mutators/honggfuzz
713 - added afl-frida gum solution to examples/afl_frida (mostly imported
715 - small fixes to afl-plot, afl-whatsup and man page creation
716 - new README, added FAQ
720 - renamed the main branch on Github to "stable"
721 - renamed master/slave to main/secondary
722 - renamed blacklist/whitelist to ignorelist/instrumentlist ->
724 - warn on deprecated environment variables
725 - afl-fuzz:
726 - -S secondary nodes now only sync from the main node to increase
727 performance, the -M main node still syncs from everyone. Added checks
729 - Add -D after -S to force a secondary to perform deterministic fuzzing
730 - If no main node is present at a sync one secondary node automatically
732 - Fixed a major performance issue we inherited from AFLfast
733 - switched murmur2 hashing and random() for xxh3 and xoshiro256**,
735 - Resizing the window does not crash afl-fuzz anymore
736 - Ensure that the targets are killed on exit
737 - fix/update to MOpt (thanks to arnow117)
738 - added MOpt dictionary support from repo
739 - added experimental SEEK power schedule. It is EXPLORE with ignoring
741 - llvm_mode:
742 - the default instrumentation is now PCGUARD if the llvm version is >= 7,
746 - PCGUARD mode is now even better because we made it collision free - plus
748 - some targets want a ld variant for LD that is not gcc/clang but ld,
749 added afl-ld-lto to solve this
750 - lowered minimum required llvm version to 3.4 (except LLVMInsTrim, which
752 - instrument_file list feature now supports wildcards (thanks to sirmc)
753 - small change to cmplog to make it work with current llvm 11-dev
754 - added AFL_LLVM_LAF_ALL, sets all laf-intel settings
755 - LTO instrument_files functionality rewritten, now main, _init etc functions
757 - fixed crash in compare-transform-pass when strcasecmp/strncasecmp was
759 - fixed crash in cmplog with LTO
760 - enable snapshot lkm also for persistent mode
761 - Unicornafl
762 - Added powerPC support from unicorn/next
763 - rust bindings!
764 - CMPLOG/Redqueen now also works for MMAP sharedmem
765 - ensure shmem is released on errors
766 - we moved radamsa to be a custom mutator in ./custom_mutators/. It is not
768 - allow running in /tmp (only unsafe with umask 0)
769 - persistent mode shared memory testcase handover (instead of via
770 files/stdin) - 10-100% performance increase
771 - General support for 64 bit PowerPC, RiscV, Sparc etc.
772 - fix afl-cmin.bash
773 - slightly better performance compilation options for AFL++ and targets
774 - fixed afl-gcc/afl-as that could break on fast systems reusing pids in
776 - added lots of dictionaries from oss-fuzz, go-fuzz and Jakub Wilk
777 - added former post_library examples to examples/custom_mutators/
778 - Dockerfile upgraded to Ubuntu 20.04 Focal and installing llvm 11 and
779 gcc 10 so afl-clang-lto can be built
783 - afl-fuzz:
784 - AFL_MAP_SIZE was not working correctly
785 - better python detection
786 - an old, old bug in AFL that would show negative stability in rare
788 - AFL_POST_LIBRARY was deprecated, use AFL_CUSTOM_MUTATOR_LIBRARY
790 - llvm_mode:
791 - afl-clang-fast/lto now do not skip single block functions. This
793 - if LLVM 11 is installed the posix shm_open+mmap is used and a fixed
796 - InsTrim now has an LTO version! :-) That is the best and fastest mode!
797 - fixes to LTO mode if instrumented edges > MAP_SIZE
798 - CTX and NGRAM can now be used together
799 - CTX and NGRAM are now also supported in CFG/INSTRIM mode
800 - AFL_LLVM_LAF_TRANSFORM_COMPARES could crash, fixed
801 - added AFL_LLVM_SKIP_NEVERZERO to skip the never zero coverage counter
804 - qemu_mode:
805 - add information on PIE/PIC load addresses for 32 bit
806 - better dependency checks
807 - gcc_plugin:
808 - better dependency checks
809 - unicorn_mode:
810 - validate_crash_callback can now count non-crashing inputs as crashes as well
811 - better submodule handling
812 - afl-showmap: fix for -Q mode
813 - added examples/afl_network_proxy which allows to fuzz a target over the
814 network (not fuzzing tcp/ip services but running afl-fuzz on one system
816 - added examples/afl_untracer which does a binary-only fuzzing with the
818 - added examples/afl_proxy which can be easily used to fuzz and instrument
819 non-standard things
820 - all:
821 - forkserver communication now also used for error reporting
822 - fix 32 bit build options
823 - make clean now leaves qemu-3.1.1.tar.xz and the unicornafl directory
824 intact if in a git/svn checkout - unless "deepclean" is used
828 - llvm_mode LTO mode:
829 - now requires llvm11 - but compiles all targets! :)
830 - autodictionary feature added, enable with `AFL_LLVM_LTO_AUTODICTIONARY`
831 - variable map size usage
832 - afl-fuzz:
833 - variable map size support added (only LTO mode can use this)
834 - snapshot feature usage now visible in UI
835 - Now setting `-L -1` will enable MOpt in parallel to normal mutation.
837 - fix for cmplog/redqueen mode if stdin was used
838 - fix for writing a better plot_data file
839 - qemu_mode: fix for persistent mode (which would not terminate or get stuck)
840 - compare-transform/AFL_LLVM_LAF_TRANSFORM_COMPARES now transforms also
842 - extended forkserver: map_size and more information is communicated to
843 afl-fuzz (and afl-fuzz acts accordingly)
844 - new environment variable: AFL_MAP_SIZE to specify the size of the shared map
845 - if AFL_CC/AFL_CXX is set but empty AFL compilers did fail, fixed
847 - added NO_PYTHON flag to disable python support when building afl-fuzz
848 - more refactoring
853 ! the repository was moved from vanhauser-thc to AFLplusplus. It is now
857 - all:
858 - big code changes to make afl-fuzz thread-safe so afl-fuzz can spawn
860 - AFL basic tools now report on the environment variables picked up
861 - more tools get environment variable usage info in the help output
862 - force all output to stdout (some OK/SAY/WARN messages were sent to
864 - uninstrumented mode uses an internal forkserver ("fauxserver")
865 - now builds with `-D_FORTIFY_SOURCE=2`
866 - drastically reduced number of (de)allocations during fuzzing
867 - afl-fuzz:
868 - python mutator modules and custom mutator modules now use the same
870 - AFL_AUTORESUME will resume execution without the need to specify `-i -`
871 - added experimental power schedules (-p):
872 - mmopt: ignores runtime of queue entries, gives higher weighting to
874 - rare: puts focus on queue entries that hits rare branches, also ignores
876 - llvm_mode:
877 - added SNAPSHOT feature (using https://github.com/AFLplusplus/AFL-Snapshot-LKM)
878 - added Control Flow Integrity sanitizer (AFL_USE_CFISAN)
879 - added AFL_LLVM_INSTRUMENT option to control the instrumentation type
880 easier: DEFAULT, CFG (INSTRIM), LTO, CTX, NGRAM-x (x=2-16)
881 - made USE_TRACE_PC compile obsolete
882 - LTO collision free instrumented added in llvm_mode with afl-clang-lto -
884 - Added llvm_mode NGRAM prev_loc coverage by Adrian Herrera
885 (https://github.com/adrianherrera/afl-ngram-pass/), activate by setting
886 AFL_LLVM_INSTRUMENT=NGRAM-<value> or AFL_LLVM_NGRAM_SIZE=<value>
887 - Added llvm_mode context sensitive branch coverage, activated by setting
889 - llvm_mode InsTrim mode:
890 - removed workaround for bug where paths were not instrumented and
892 - made skipping 1 block functions an option and is disabled by default,
893 set AFL_LLVM_INSTRIM_SKIPSINGLEBLOCK=1 to re-enable this
894 - qemu_mode:
895 - qemu_mode now uses solely the internal capstone version to fix builds
897 - QEMU now logs routine arguments for CmpLog when the target is x86
898 - afl-tmin:
899 - now supports hang mode `-H` to minimize hangs
900 - fixed potential afl-tmin misbehavior for targets with multiple hangs
901 - Pressing Control-C in afl-cmin did not terminate it on some OSes
902 - the custom API was rewritten and is now the same for Python and shared
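Several entries above concern the custom mutator interface: the shared-library and Python APIs were unified, `AFL_POST_LIBRARY` was deprecated in favour of `AFL_CUSTOM_MUTATOR_LIBRARY`, and the old post_library examples moved under examples/custom_mutators/. What follows is an added example, not code from the AFL++ repository, of a C custom mutator written against the documented AFL++ hooks `afl_custom_init`, `afl_custom_fuzz`, `afl_custom_post_process` and `afl_custom_deinit`. The first parameter of `afl_custom_init` is declared here as `void *` instead of `afl_state_t *` (ABI-compatible, avoids the AFL++ headers); the length-prefixed, checksummed record format, the LCG and the buffers are constructed for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Record format assumed for this example: 2-byte big-endian payload length,
   payload bytes, then one XOR checksum byte over the payload. */
#define HDR_LEN 2
#define CKSUM_LEN 1

typedef struct {
  unsigned int rng;   /* small LCG state, seeded from afl-fuzz's seed */
  uint8_t *out;       /* buffer handed back from afl_custom_fuzz */
  size_t out_cap;
  uint8_t *post;      /* separate buffer for afl_custom_post_process */
  size_t post_cap;
} my_mutator_t;

static unsigned int next_rand(my_mutator_t *m) {
  m->rng = m->rng * 1103515245u + 12345u;
  return (m->rng >> 16) & 0x7fffu;
}

static uint8_t xor_checksum(const uint8_t *p, size_t n) {
  uint8_t c = 0;
  for (size_t i = 0; i < n; i++) c ^= p[i];
  return c;
}

static int grow(uint8_t **buf, size_t *cap, size_t need) {
  if (*cap >= need) return 1;
  uint8_t *p = realloc(*buf, need);
  if (!p) return 0;
  *buf = p;
  *cap = need;
  return 1;
}

/* Called once per fuzzer instance. afl-fuzz passes its state (afl_state_t *),
   unused here, and a per-instance seed, so -M/-S instances diverge. */
void *afl_custom_init(void *afl, unsigned int seed) {
  (void)afl;
  my_mutator_t *m = calloc(1, sizeof *m);
  if (m) m->rng = seed;
  return m;
}

/* Produce one mutant: flip one bit of the payload or splice in a byte from
   add_buf (another queue entry), then rewrite the length field so the result
   still parses past the header. Returns the new size and sets *out_buf, which
   stays owned by the mutator (afl-fuzz does not free it). */
size_t afl_custom_fuzz(void *data, uint8_t *buf, size_t buf_size,
                       uint8_t **out_buf, uint8_t *add_buf, size_t add_buf_size,
                       size_t max_size) {
  my_mutator_t *m = data;
  if (buf_size < HDR_LEN + CKSUM_LEN || buf_size > max_size ||
      !grow(&m->out, &m->out_cap, buf_size)) {
    *out_buf = buf;            /* not our format, or no memory: pass through */
    return buf_size;
  }
  size_t payload = buf_size - HDR_LEN - CKSUM_LEN;
  memcpy(m->out, buf, buf_size);
  if (payload > 0) {
    size_t idx = HDR_LEN + next_rand(m) % payload;
    if (add_buf && add_buf_size > 0 && (next_rand(m) & 1u))
      m->out[idx] = add_buf[next_rand(m) % add_buf_size];        /* splice */
    else
      m->out[idx] ^= (uint8_t)(1u << (next_rand(m) % 8));        /* bit flip */
  }
  m->out[0] = (uint8_t)(payload >> 8);                          /* keep length */
  m->out[1] = (uint8_t)(payload & 0xff);
  *out_buf = m->out;
  return buf_size;
}

/* Runs on every testcase right before it is executed, including ones produced
   by afl-fuzz's own havoc/splice stages, so the checksum the target verifies
   is always valid. This is the job the deprecated post_library hook did. */
size_t afl_custom_post_process(void *data, uint8_t *buf, size_t buf_size,
                               uint8_t **out_buf) {
  my_mutator_t *m = data;
  if (buf_size < HDR_LEN + CKSUM_LEN || !grow(&m->post, &m->post_cap, buf_size)) {
    *out_buf = buf;
    return buf_size;
  }
  memcpy(m->post, buf, buf_size);
  m->post[buf_size - 1] =
      xor_checksum(m->post + HDR_LEN, buf_size - HDR_LEN - CKSUM_LEN);
  *out_buf = m->post;
  return buf_size;
}

void afl_custom_deinit(void *data) {
  my_mutator_t *m = data;
  if (!m) return;
  free(m->out);
  free(m->post);
  free(m);
}
```

Build with `gcc -shared -fPIC -o mymut.so mymut.c` and point afl-fuzz at it with `AFL_CUSTOM_MUTATOR_LIBRARY=./mymut.so`; by default it runs as an additional stage next to the built-in mutators, and `AFL_CUSTOM_MUTATOR_ONLY=1` makes it the only one. Because `afl_custom_post_process` is applied to every input, it is the right place for checksums and magic-number repair; doing that inside `afl_custom_fuzz` alone leaves havoc-generated inputs with broken checksums that the target rejects before reaching interesting code.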
908 - Important fix for memory allocation functions that result in afl-fuzz
909 not identifying crashes - UPDATE!
910 - Small fix for -E/-V to release the CPU
911 - CmpLog does not need sancov anymore
916 - use -march=native if available
917 - most tools now check for mistyped environment variables
918 - gcc 10 is now supported
919 - the memory safety checks are now disabled for a little more speed during
921 - afl-fuzz:
922 - MOpt out of bounds writing crash fixed
923 - now prints the real python version support compiled in
924 - set stronger performance compile options and little tweaks
925 - Android: prefer bigcores when selecting a CPU
926 - CmpLog forkserver
927 - Redqueen input-2-state mutator (cmp instructions only ATM)
928 - all Python 2+3 versions supported now
929 - changed execs_per_sec in fuzzer_stats from "current" execs per second
931 - bugfix for dictionary insert stage count (fix via Google repo PR)
932 - added warning if -M is used together with custom mutators with _ONLY option
933 - AFL_TMPDIR checks are now later and better explained if they fail
934 - llvm_mode
935 - InsTrim: three bug fixes:
940 - afl-clang-fast:
941 - show in the help output for which llvm version it was compiled for
942 - now does not need to be recompiled between trace-pc and pass
944 - LLVM 11 is supported
945 - CmpLog instrumentation using SanCov (see llvm_mode/README.cmplog.md)
946 - afl-gcc, afl-clang-fast, afl-gcc-fast:
947 - experimental support for undefined behaviour sanitizer UBSAN
949 - the instrumentation summary output now also lists activated sanitizers
950 - afl-as: added isatty(2) check back in
951 - added AFL_DEBUG (for upcoming merge)
952 - qemu_mode:
953 - persistent mode is now also available for arm and aarch64
954 - CmpLog instrumentation for QEMU (-c afl-fuzz command line option)
956 - AFL_PERSISTENT_HOOK callback module for persistent QEMU
958 - added qemu_mode/README.persistent.md documentation
959 - AFL_ENTRYPOINT now has instruction granularity
960 - afl-cmin is now a sh script (invoking awk) instead of bash for portability;
961 the original script is still present as afl-cmin.bash
962 - afl-showmap: -i dir option now allows processing multiple inputs using the
963 forkserver. This is for enhanced speed in afl-cmin.
964 - added the blacklist / instrument_files function check to all modules of llvm_mode
965 - added fix from Debian project to compile libdislocator and libtokencap
966 - libdislocator: AFL_ALIGNED_ALLOC to force size alignment to max_align_t
971 - fixed a critical bug in afl-tmin that was introduced during ++2.53d
972 - added test cases for afl-cmin and afl-tmin to test/test.sh
973 - added ./examples/argv_fuzzing ld_preload library by Kjell Braden
974 - added preeny's desock_dup ld_preload library as
976 - added AFL_AS_FORCE_INSTRUMENT environment variable for afl-as - this is
978 - we now set QEMU_SET_ENV from AFL_PRELOAD when qemu_mode is used
983 - qbdi_mode: fuzz android native libraries via QBDI framework
984 - unicorn_mode: switched to the new unicornafl, thanks domenukk
985 (see https://github.com/vanhauser-thc/unicorn)
986 - afl-fuzz:
987 - added radamsa as (an optional) mutator stage (-R[R])
988 - added -u command line option to not unlink the fuzz input file
989 - Python3 support (autodetect)
990 - AFL_DISABLE_TRIM env var to disable the trim stage
991 - CPU affinity support for DragonFly
992 - llvm_mode:
993 - float splitting is now configured via AFL_LLVM_LAF_SPLIT_FLOATS
994 - support for llvm 10 included now (thanks to devnexen)
995 - libtokencap:
996 - support for *BSD/OSX/Dragonfly added
997 - hook common *cmp functions from widely used libraries
998 - compcov:
999 - hook common *cmp functions from widely used libraries
1000 - floating point splitting support for QEMU on x86 targets
1001 - qemu_mode: AFL_QEMU_DISABLE_CACHE env to disable QEMU TranslationBlocks caching
1002 - afl-analyze: added AFL_SKIP_BIN_CHECK support
1003 - better random numbers for gcc_plugin and llvm_mode (thanks to devnexen)
1004 - Dockerfile by courtesy of devnexen
1005 - added regex.dictionary
1006 - qemu and unicorn download scripts now try to download until the full
1008 - more support for Android (please test!)
1009 - added the few Android bits we didn't have already from the Google AFL repository
1010 - removed unnecessary warnings
1015 - reverted patch to not unlink and recreate the input file, it resulted in
1017 - added test/test-performance.sh script
1018 - (re)added gcc_plugin, fast inline instrumentation is not yet finished,
1019 however it includes the instrument_files and persistence features! by hexcoder-
1020 - gcc_plugin tests added to testing framework
1023 ### Version ++2.54d-2.57c (release):
1025 - we jump to 2.57 instead of 2.55 to catch up with Google's versioning
1026 - persistent mode for QEMU (see qemu_mode/README.md)
1027 - custom mutator library is now an additional mutator, to exclusively use it
1029 - new library qemu_mode/unsigaction which filters sigaction events
1030 - afl-fuzz: new command line option -I to execute a command on a new crash
1031 - no more unlinking the input file, this way the input file can also be a
1033 - setting LLVM_CONFIG for llvm_mode will now again switch to the selected
1035 - fuzzing strategy yields for custom mutator were missing from the UI, added them :)
1036 - added "make tests" which will perform checks to see that all functionality
1038 - added mutation documentation feature ("make document"), creates afl-fuzz-document
1040 - libtokencap and libdislocator now compile to the afl_root directory and are
1042 - more BSD support, e.g. free CPU binding code for FreeBSD (thanks to devnexen)
1043 - reducing duplicate code in afl-fuzz
1044 - added "make help"
1045 - removed compile warnings from python internal stuff
1046 - added man page for afl-clang-fast[++]
1047 - updated documentation
1048 - Wine mode to run Win32 binaries with the QEMU instrumentation (-W)
1049 - CompareCoverage for ARM target in QEMU/Unicorn
1050 - laf-intel in llvm_mode now also handles floating point comparisons
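The LAF-intel entries above (compare splitting, now also for floating point, and the string-compare transform enabled via AFL_LLVM_LAF_TRANSFORM_COMPARES) all rest on one idea: a single wide comparison is one branch, so the coverage map cannot see partial progress toward a magic value. The following is an added example, written by hand and not the pass's own output, showing the unsplit check next to the byte-wise form the split-compares pass produces; the magic value and the helper names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Magic value the target expects at offset 0: the bytes 'D','O','O','M'
   (constructed for this example). */
static const uint8_t MAGIC[4] = {0x44, 0x4F, 0x4F, 0x4D};

/* Unsplit check: one 32-bit comparison, one conditional branch. To the
   coverage map an input either takes the branch or not; three matching bytes
   look exactly like zero matching bytes, so afl-fuzz gets no feedback while it
   is "nearly there" and has to guess all four bytes at once (2^32 options). */
int check_magic_plain(const uint8_t *in, size_t len) {
  if (len < 4) return 0;
  uint32_t v = (uint32_t)in[0] | (uint32_t)in[1] << 8 |
               (uint32_t)in[2] << 16 | (uint32_t)in[3] << 24;
  return v == 0x4D4F4F44u;   /* MAGIC read as a little-endian 32-bit value */
}

/* The same predicate as the laf-intel split-compares pass rewrites it: a chain
   of 8-bit compares, each with its own branch and therefore its own edge in
   the map. Functionally identical, but an input that gets one more byte right
   now counts as new coverage, is kept in the queue, and seeds the next guess
   (4 * 2^8 options instead of 2^32). */
int check_magic_split(const uint8_t *in, size_t len) {
  if (len < 4) return 0;
  if (in[0] != MAGIC[0]) return 0;
  if (in[1] != MAGIC[1]) return 0;
  if (in[2] != MAGIC[2]) return 0;
  if (in[3] != MAGIC[3]) return 0;
  return 1;
}

/* What the split form exposes to the fuzzer: how many of the partial
   comparisons passed, i.e. how many distinct new edges the input reached. */
int magic_prefix_matched(const uint8_t *in, size_t len) {
  if (len < 4) return 0;
  int matched = 0;
  while (matched < 4 && in[matched] == MAGIC[matched]) matched++;
  return matched;
}
```

The pass only rewrites comparisons the compiler emits as integer/float `cmp` instructions; a `memcmp(in, "DOOM", 4)` or `strcmp` call goes through a library and stays opaque unless the compare-transform option listed above is enabled as well, and binary-only targets get the equivalent from the CompareCoverage / libcompcov entries for QEMU and Unicorn.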
1055 - big code refactoring:
1057 * all AFL sources are now in src/ - see src/README.md
1058 * afl-fuzz was split up in various individual files for including
1062 - auto-generating man pages for all (main) tools
1063 - added AFL_FORCE_UI to show the UI even if the terminal is not detected
1064 - llvm 9 is now supported (still needs testing)
1065 - Android is now supported (thanks to JoeyJiao!) - still need to modify the Makefile though
1066 - fix building qemu on some Ubuntus (thanks to floyd!)
1067 - custom mutator by a loaded library is now supported (thanks to kyakdan!)
1068 - added PR that includes peak_rss_mb and slowest_exec_ms in the fuzzer_stats report
1069 - more support for *BSD (thanks to devnexen!)
1070 - fix building on *BSD (thanks to tobias.kortkamp for the patch)
1071 - fix for a few features to support map sizes other than 2^16
1072 - afl-showmap: new option -r now shows the real values in the buckets (stock
1074 - small docu updates
1075 - NeverZero counters for QEMU
1076 - NeverZero counters for Unicorn
1077 - CompareCoverage Unicorn
1078 - immediates-only instrumentation for CompareCoverage
1083 - README is now README.md
1084 - imported the few minor changes from the 2.53b release
1085 - unicorn_mode got added - thanks to domenukk for the patch!
1086 - fix llvm_mode AFL_TRACE_PC with modern llvm
1087 - fix a crash in qemu_mode which also exists in stock afl
1088 - added libcompcov, a laf-intel implementation for qemu! :)
1090 - afl-fuzz now displays the selected core in the status screen (blue {#})
1091 - updated afl-fuzz and afl-system-config for new scaling governor location
1093 - using the old ineffective afl-gcc will now show a deprecation warning
1094 - all queue, hang and crash files now have their discovery time in their name
1095 - if llvm_mode was compiled, afl-clang/afl-clang++ will point to these
1096 instead of afl-gcc
1097 - added instrim, a much faster llvm_mode instrumentation at the cost of
1099 - added MOpt (github.com/puppet-meteor/MOpt-AFL) mode, see docs/README.MOpt.md
1100 - added code to make it more portable to other platforms than Intel Linux
1101 - added never zero counters for afl-gcc and optionally (because of an
1103 - added a new doc about binary only fuzzing: docs/binaryonly_fuzzing.txt
1104 - more cpu power for afl-system-config
1105 - added forkserver patch to afl-tmin, makes it much faster (originally from
1107 - added instrument_files support for llvm_mode via AFL_LLVM_WHITELIST to allow
1110 - added Python Module mutator support, python2.7-dev is autodetected.
1112 - added AFL_CAL_FAST for slow applications and AFL_DEBUG_CHILD_OUTPUT for
1114 - added -V time and -E execs options for better comparison runs, runs afl-fuzz
1116 - added a -s seed switch to allow AFL run with a fixed initial
1119 - llvm_mode LAF_... env variables can now be specified as AFL_LLVM_LAF_...
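The "never zero counters" entries above (for afl-gcc here, and for QEMU and Unicorn earlier in this list) fix a quiet loss of information in the classic edge counters. The following is an added example, a constructed model of the instrumentation rather than AFL's runtime code: the classic afl-gcc style update of the coverage map, the NeverZero variant, and a helper to compute an edge's map index. The 2^16 map size is the classic one referenced by the "map sizes other than 2^16" entry; the function names are assumptions for this example.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of AFL's edge-coverage instrumentation, not the runtime's
   own code. MAP_SIZE is the classic 2^16; newer AFL++ can use other sizes
   (AFL_MAP_SIZE, variable map size in LTO mode). */
#define MAP_SIZE (1u << 16)

static uint8_t  cov_map[MAP_SIZE];   /* the shared-memory bitmap afl-fuzz reads */
static uint32_t prev_loc;            /* per-thread in real builds */

void cov_reset(void) {
  memset(cov_map, 0, sizeof cov_map);
  prev_loc = 0;
}

/* Classic afl-gcc/afl-as style: the edge id is cur_loc XOR prev_loc, and
   prev_loc is stored shifted so that A->B and B->A get different ids and a
   tight self-loop does not land on index 0. The counter is 8 bits and simply
   wraps, so an edge hit exactly 256 (or 512, ...) times reads as 0, which
   afl-fuzz interprets as "never executed". */
void edge_hit_classic(uint32_t cur_loc) {
  uint32_t idx = (cur_loc ^ prev_loc) & (MAP_SIZE - 1);
  cov_map[idx]++;
  prev_loc = cur_loc >> 1;
}

/* NeverZero: increment, then add the carry back, so a wrapped counter becomes
   1 instead of 0. A couple of extra instructions per edge, and the "executed
   at least once" bit is never lost. (AFL_LLVM_SKIP_NEVERZERO turns it off.) */
void edge_hit_neverzero(uint32_t cur_loc) {
  uint32_t idx = (cur_loc ^ prev_loc) & (MAP_SIZE - 1);
  uint8_t c = (uint8_t)(cov_map[idx] + 1);
  cov_map[idx] = (uint8_t)(c + (c == 0));
  prev_loc = cur_loc >> 1;
}

/* Map index for the edge from -> to under the scheme above. */
uint32_t edge_index(uint32_t from, uint32_t to) {
  return ((from >> 1) ^ to) & (MAP_SIZE - 1);
}

uint8_t cov_get(uint32_t idx) { return cov_map[idx & (MAP_SIZE - 1)]; }
```

afl-fuzz buckets hit counts (1, 2, 3, 4-7, 8-15, ...) before comparing maps, so the exact value of a saturated counter matters little; what matters is that a hot loop edge does not flip between "seen" and "unseen" from run to run, which otherwise shows up as reduced stability and as queue entries that never reproduce their own coverage.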
1123 ### Version ++2.52c (2019-06-05):
1125 - Applied community patches. See docs/PATCHES for the full list.
1128 afl-fuzz: -e EXTENSION commandline option
1129 llvm_mode: LAF-intel performance (needs activation, see llvm/README.laf-intel.md)
1130 a few new environment variables for afl-fuzz, llvm and qemu, see docs/env_variables.md
1131 - Added the power schedules of AFLfast by Marcel Boehme, but set the default
1133 you use the new -p option :-) - see docs/power_schedules.md
1134 - added afl-system-config script to set all system performance options for fuzzing
1135 - llvm_mode works with llvm 3.9 up to including 8 !
1136 - qemu_mode got upgraded from 2.1 to 3.1 - incorporated from
1140 ### Version 2.52b (2017-11-04):
1142 - Upgraded QEMU patches from 2.3.0 to 2.10.0. Required troubleshooting
1145 - Added setsid to afl-showmap. See the notes for 2.51b.
1147 - Added target mode (deferred, persistent, qemu, etc) to fuzzer_stats.
1150 - afl-tmin should now save a partially minimized file when Ctrl-C
1153 - Added an option for afl-analyze to dump offsets in hex. Suggested by
1156 - Added support for parameters in triage_crashes.sh. Patch by Adam of
1159 ### Version 2.51b (2017-08-30):
1161 - Made afl-tmin call setsid to prevent glibc traceback junk from showing
1164 ### Version 2.50b (2017-08-19):
1166 - Fixed an interesting timing corner case spotted by Jakub Wilk.
1168 - Addressed a libtokencap / pthreads incompatibility issue. Likewise, spotted
1171 - Added a mention of afl-kit and Pythia.
1173 - Added AFL_FAST_CAL.
1175 - In-place resume now preserves .synced. Suggested by Jakub Wilk.
1177 ### Version 2.49b (2017-07-18):
1179 - Added AFL_TMIN_EXACT to allow path constraint for crash minimization.
1181 - Added dates for releases (retroactively for all of 2017).
1183 ### Version 2.48b (2017-07-17):
1185 - Added AFL_ALLOW_TMP to permit some scripts to run in /tmp.
1187 - Fixed cwd handling in afl-analyze (similar to the quirk in afl-tmin).
1189 - Made it possible to point -o and -f to the same file in afl-tmin.
1191 ### Version 2.47b (2017-07-14):
1193 - Fixed cwd handling in afl-tmin. Spotted by Jakub Wilk.
1195 ### Version 2.46b (2017-07-10):
1197 - libdislocator now supports AFL_LD_NO_CALLOC_OVER for folks who do not
1200 - Made a minor fix to libtokencap. Reported by Daniel Stender.
1202 - Added a small JSON dictionary, inspired on a dictionary done by Jakub Wilk.
1204 ### Version 2.45b (2017-07-04):
1206 - Added strstr, strcasestr support to libtokencap. Contributed by
1209 - Fixed a resumption offset glitch spotted by Jakub Wilk.
1211 - There are definitely no bugs in afl-showmap -c now.
1213 ### Version 2.44b (2017-06-28):
1215 - Added a visual indicator of ASAN / MSAN mode when compiling. Requested
1218 - Added support for afl-showmap coredumps (-c). Suggested by Jakub Wilk.
1220 - Added LD_BIND_NOW=1 for afl-showmap by default. Although not really useful,
1223 - Added a note about allocator_may_return_null=1 not always working with
1224 ASAN. Spotted by Jakub Wilk.
1226 ### Version 2.43b (2017-06-16):
1228 - Added AFL_NO_ARITH to aid in the fuzzing of text-based formats.
1231 ### Version 2.42b (2017-06-02):
1233 - Renamed the R() macro to avoid a problem with llvm_mode in the latest
1236 ### Version 2.41b (2017-04-12):
1238 - Addressed a major user complaint related to timeout detection. Timing out
1242 ### Version 2.40b (2017-04-02):
1244 - Fixed a minor oversight in the insertion strategy for dictionary words.
1247 - Made a small improvement to the havoc block insertion strategy.
1249 - Adjusted color rules for "is it done yet?" indicators.
1251 ### Version 2.39b (2017-02-02):
1253 - Improved error reporting in afl-cmin. Suggested by floyd.
1255 - Made a minor tweak to trace-pc-guard support. Suggested by kcc.
1257 - Added a mention of afl-monitor.
1259 ### Version 2.38b (2017-01-22):
1261 - Added -mllvm -sanitizer-coverage-block-threshold=0 to trace-pc-guard
1264 ### Version 2.37b (2017-01-22):
1266 - Fixed a typo. Spotted by Jakub Wilk.
1268 - Fixed support for make install when using trace-pc. Spotted by
1271 - Switched trace-pc to trace-pc-guard, which should be considerably
1276 "vanilla" afl-clang-fast / afl-clang.
1278 ### Version 2.36b (2017-01-14):
1280 - Fixed a cosmetic bad free() bug when aborting -S sessions. Spotted
1283 - Made a small change to afl-whatsup to sort fuzzers by name.
1285 - Fixed a minor issue with malloc(0) in libdislocator. Spotted by
1288 - Changed the clobber pattern in libdislocator to a slightly more
1291 - Added a note about THP performance. Suggested by Sergey Davidoff.
1293 - Added a somewhat unofficial support for running afl-tmin with a
1298 - "Fixed" a getPassName() problem with newer versions of clang.
1306 - Fixed a minor cmdline reporting glitch, spotted by Leo Barnes.
1308 - Fixed a silly bug in libdislocator. Spotted by Johannes Schultz.
1312 - Added a note about afl-tmin to technical_details.txt.
1314 - Added support for AFL_NO_UI, as suggested by Leo Barnes.
1318 - Added code to strip -Wl,-z,defs and -Wl,--no-undefined for afl-clang-fast,
1319 since they interfere with -shared. Spotted and diagnosed by Toby Hutton.
1321 - Added some fuzzing tips for Android.
1325 - Added a check for AFL_HARDEN combined with AFL_USE_*SAN. Suggested by
1328 - Made several other cosmetic adjustments to cycle timing in the wake of the
1333 - Changed havoc cycle counts for a marked performance boost, especially
1334 with -S / -d. See the discussion of FidgetyAFL in:
1336 https://groups.google.com/forum/#!topic/afl-users/fOPeb62FZUg
1345 - Made minor improvements to persistent mode to avoid the remote
1349 - Fixed a minor glitch with a leftover process in persistent mode.
1352 - Made persistent mode bitmaps a bit more consistent and adjusted the way
1357 - Made a minor #include fix to llvm_mode. Suggested by Jonathan Metzman.
1359 - Made cosmetic updates to the docs.
1363 - Added "life pro tips" to docs/.
1365 - Moved testcases/_extras/ to dictionaries/ for visibility.
1367 - Made minor improvements to install scripts.
1369 - Added an important safety tip.
1373 - Added libtokencap, a simple feature to intercept strcmp / memcmp and
1376 - Moved libdislocator to its own dir, added README.md.
1378 - The demo in examples/instrumented_cmp is no more.
1382 - Made a fix for libdislocator.so to compile on MacOS X.
1384 - Added support for DYLD_INSERT_LIBRARIES.
1386 - Renamed AFL_LD_PRELOAD to AFL_PRELOAD.
1390 - Made some cosmetic updates to libdislocator.so, renamed one env
1395 - Added libdislocator.so, an experimental, abusive allocator. Try
1397 afl-fuzz.
1401 - Improved the stability metric for persistent mode binaries. Problem
1404 - Made a related improvement that may bring the metric to 100% for those
1409 - Mentioned the potential conflicts between MSAN / ASAN and FORTIFY_SOURCE.
1413 - Populated the support for AFL_LD_PRELOAD to all companion tools.
1415 - Made a change to the handling of ./afl-clang-fast -v. Spotted by
1420 - Added some crash reporting notes for Solaris in docs/INSTALL, as
1423 - Fixed a minor UI mix-up with havoc strategy stats.
1427 - Revamped the handling of variable paths, replacing path count with a
1431 - Made a stability improvement to the syncing behavior with resuming
1434 - Changed the UI to include current input bitmap density along with
1437 - Added experimental support for parallelizing -M.
1441 - Made a fix to make sure that auto CPU binding happens at non-overlapping
1446 - Made several performance improvements to has_new_bits() and
1452 - Killed the error-prone and manual -Z option. On Linux, AFL will now
1456 - Made some doc updates along these lines.
1460 - Improved support for older versions of clang (hopefully without
1463 - Moved version data from Makefile to config.h. Suggested by
1468 - Added a README section on looking for non-crashing bugs.
1470 - Added license data to several boring files. Contributed by
1475 - Added FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION as a macro defined when
1476 compiling with afl-gcc and friends. Suggested by Kostya Serebryany.
1478 - Refreshed some of the non-x86 docs.
1482 - Fixed a spurious build test error with trace-pc and llvm_mode/Makefile.
1485 - Fixed a cosmetic issue with afl-whatsup. Spotted by Brandon Perry.
1489 - Fixed a minor issue in afl-tmin that can make alphabet minimization less
1494 - Fixed a minor typo in instrumented_cmp, spotted by Hanno Eissfeldt.
1496 - Added a missing size check for deterministic insertion steps.
1498 - Made an improvement to afl-gotcpu when -Z not used.
1500 - Fixed a typo in post_library_png.so.c in examples/. Spotted by Kostya
1505 - Fixed a minor core counting glitch, reported by Tyler Nighswander.
1509 - Made several documentation updates.
1511 - Added some visual indicators to promote and simplify the use of -Z.
1515 - Added explicit support for -m32 and -m64 for llvm_mode. Inspired by
1518 - Added a new benchmarking option, as requested by Kostya Serebryany.
1522 - Added CPU affinity option (-Z) on Linux. With some caution, this can
1526 - Updated afl-gotcpu to use CPU affinity where supported.
1528 - Fixed confusing CPU_TARGET error messages with QEMU build. Spotted by
1533 - Worked around LLVM persistent mode hiccups with -shared code.
1536 - Added __AFL_COMPILER as a convenient way to detect that something is
1537 built under afl-gcc / afl-clang / afl-clang-fast and enable custom
1538 optimizations in your code. Suggested by Pedro Corte-Real.
1540 - Upstreamed several minor changes developed by Franjo Ivancic to
1541 allow AFL to be built as a library. This is fairly use-specific and
1546 - Put __sanitizer_cov_module_init & co behind #ifdef to avoid problems
1547 with ASAN. Spotted by Christian Holler.
1551 - Removed indirect-calls coverage from -fsanitize-coverage (since it's
1556 - Added experimental -fsanitize-coverage=trace-pc support that goes with
1561 - Made several substantial improvements to better support non-standard
1564 - Switched LLVM mode to thread-local execution tracing, which may offer
1567 - Fixed a minor typo, reported by Heiko Eissfeldt.
1569 - Force-disabled symbolization for ASAN, as suggested by Christian Holler.
1571 - AFL_NOX86 renamed to AFL_NO_X86 for consistency.
1573 - Added AFL_LD_PRELOAD to allow LD_PRELOAD to be set for targets without
1574 affecting AFL itself. Suggested by Daniel Godas-Lopez.
1578 - Fixed a "lcamtuf can't count to 16" bug in the havoc stage. Reported
1583 - Made an improvement to cycle counter color coding, based on feedback
1586 - Added a mention of aflize to sister_projects.txt.
1588 - Fixed an installation issue with afl-as, as spotted by ilovezfs.
1592 - Cleaned up color handling after a minor snafu in 1.99b (affecting some
1595 - Made minor updates to the documentation.
1599 - Substantially revamped the output and the internal logic of afl-analyze.
1601 - Cleaned up some of the color handling code and added support for
1604 - Removed some stray files (oops).
1606 - Updated docs to better explain afl-analyze.
1610 - Improved the "boring string" detection in afl-analyze.
1612 - Added technical_details.txt for afl-analyze.
1616 - Added afl-analyze, a nifty tool to analyze the structure of a file
1620 - Added a mention of afl-cygwin.
1622 - Fixed a couple of typos, as reported by Jakub Wilk and others.
1626 - Added -fpic to CFLAGS for the clang plugin, as suggested by Hanno Boeck.
1628 - Made another clang change (IRBuilder) suggested by Jeff Trull.
1630 - Fixed several typos, spotted by Jakub Wilk.
1632 - Added support for AFL_SHUFFLE_QUEUE, based on discussions with
1637 - Fixed a harmless bug when handling -B. Spotted by Jacek Wielemborek.
1639 - Made the exit message a bit more accurate when AFL_EXIT_WHEN_DONE is set.
1641 - Added some error-checking for old-style forkserver syntax. Suggested by
1644 - Switched from exit() to _exit() in injected code to avoid snafus with
1647 - Made a change to avoid spuriously setting __AFL_SHM_ID when
1648 AFL_DUMB_FORKSRV is set in conjunction with -n. Spotted by Jakub Wilk.
1652 - Changed allocator alignment to improve support for non-x86 systems (now
1655 - Fixed a minor typo in afl-cmin. Spotted by Jonathan Neuschafer.
1657 - Fixed an obscure bug that would affect people trying to use afl-gcc
1662 - Hopefully fixed a problem with MacOS X and persistent mode, spotted by
1667 - Made yet another C++ fix (namespaces). Reported by Daniel Lockyer.
1671 - Made another fix to make 1.90b actually work properly with C++ (d'oh).
1676 - Fixed a minor typo spotted by Kai Zhao; and made several other minor updates
1679 - Updated the project URL for python-afl. Requested by Jakub Wilk.
1681 - Fixed a potential problem with deferred mode signatures getting optimized
1682 out by the linker (with --gc-sections).
1686 - Revamped the support for persistent and deferred forkserver modes.
1690 - Added a bit more info about afl-showmap. Suggested by Jacek Wielemborek.
1694 - Made AFL_EXIT_WHEN_DONE work in non-tty mode. Issue spotted by
1699 - Added QuickStartGuide.txt, a one-page quick start doc.
1701 - Fixed several typos spotted by Dominique Pelle.
1703 - Revamped several parts of README.
1707 - Added support for AFL_SKIP_CRASHES, which is a very hackish solution to
1710 - Removed the hard-fail terminal size check, replaced with a dynamic
1713 - Fixed a minor typo in show_stats. Spotted by Dingbao Xie.
1717 - Fixed a garbled sentence in notes on parallel fuzzing. Thanks to Jakub Wilk.
1719 - Fixed a minor glitch in afl-cmin. Spotted by Jonathan Foote.
1723 - Made SIMPLE_FILES behave as expected when naming backup directories for
1726 - Added the total number of favored paths to fuzzer_stats. Requested by
1729 - Made afl-tmin, afl-fuzz, and afl-cmin reject negative values passed to
1730 -t and -m, since they generally won't work as expected.
1732 - Made a fix for no lahf / sahf support on older versions of FreeBSD.
1737 - Fixed a problem with xargs -d on non-Linux systems in afl-cmin. Spotted by
1740 - Fixed an implicit declaration in LLVM mode on MacOS X. Reported by
1745 - Fixed a harmless but annoying race condition in persistent mode - signal
1748 - Updated the documentation to explain persistent mode a bit better.
1750 - Tweaked AFL_PERSISTENT to force AFL_NO_VAR_CHECK.
1754 - Added persistent mode for in-process fuzzing. See llvm_mode/README.llvm.
1757 - Changed the in-place resume code to preserve crashes/README.txt. Suggested
1760 - Included a potential fix for LLVM mode issues on MacOS X, based on the
1765 - Made afl-cmin tolerant of whitespaces in filenames. Suggested by
1768 - Added support for AFL_EXIT_WHEN_DONE, as suggested by Michael Rash.
1772 - Added support for dictionary levels, see testcases/README.testcases.
1774 - Reworked the SQL dictionary to use levels.
1776 - Added a note about Preeny.
1780 - Added a dictionary for PDF, contributed by Ben Nagy.
1782 - Added several references to afl-cov, a new tool by Michael Rash.
1784 - Fixed a problem with crash reporter detection on MacOS X, as reported by
1789 - Extended the -x option to support single-file dictionaries.
1791 - Replaced factory-packaged dictionaries with file-based variants.
1793 - Removed newlines from HTML keywords in testcases/_extras/html/.
1797 - Very significantly reduced the number of duplicate execs during
1799 identical path yields. This should improve early-stage efficiency by
1800 around 5-10%.
1802 - Reduced the likelihood of duplicate non-deterministic execs by
1807 - Added a note about integrating afl-fuzz with third-party tools.
1811 - Improved argv_fuzzing to allow it to emit empty args. Spotted by Jakub
1814 - afl-clang-fast now defines __AFL_HAVE_MANUAL_INIT. Suggested by Jakub Wilk.
1816 - Fixed a libtool-related bug with afl-clang-fast that would make some
1819 - Removed flock() on Solaris. This means no locking on this platform,
1822 - Fixed a typo. Reported by Jakub Wilk.
1826 - Added an example argv[] fuzzing wrapper in examples/argv_fuzzing.
1829 - Clarified llvm_mode prerequisites for FreeBSD.
1831 - Improved afl-tmin to use /tmp if cwd is not writeable.
1833 - Removed redundant includes for sys/fcntl.h, which caused warnings with
1836 - Added a corpus of basic HTML tags that parsers are likely to pay attention
1839 - Added EP_EnabledOnOptLevel0 to llvm_mode, so that the instrumentation is
1842 - Switched qemu_mode to use the newly-released QEMU 2.3.0, which contains
1847 - Fixed a pretty stupid bug in effector maps that could sometimes cause
1854 - Fixed a glitch in non-x86 install, spotted by Tobias Ospelt.
1856 - Added a minor safeguard to llvm_mode Makefile following a report from
1861 - Fixed a bug with installed copies of AFL trying to use QEMU mode. Spotted
1864 - Added last find / crash / hang times to fuzzer_stats, suggested by
1867 - Fixed a typo, thanks to Jakub Wilk.
1871 - Modified resumption code to reuse the original timeout value when resuming
1872 a session if -t is not given. This prevents timeout creep in continuous
1875 - Added improved error messages for failed handshake when AFL_DEFER_FORKSRV
1878 - Made a slight improvement to llvm_mode/Makefile based on feedback from
1881 - Refreshed several bits of documentation.
1883 - Added a more prominent note about the MacOS X trade-offs to Makefile.
1887 - Added support for deferred initialization in LLVM mode. Suggested by
1892 - Fixed a minor PRNG glitch that would make the first seconds of a fuzzing
1895 - Made tmp[] static in the LLVM runtime to keep Valgrind happy (this had
1898 - Clarified the footnote in README.
1902 - Made one more correction to llvm_mode Makefile, spotted by Jakub Wilk.
1906 - Added CC / CXX support to llvm_mode Makefile. Requested by Charlie Eriksen.
1908 - Fixed 'make clean' with gmake. Suggested by Oliver Schneider.
1910 - Fixed 'make -j n clean all'. Suggested by Oliver Schneider.
1912 - Removed build date and time from banners to give people deterministic
1917 - Fixed a snafu with some leftover code in afl-clang-fast.
1919 - Corrected even moar typos.
1923 - Further simplified afl-clang-fast runtime by reverting .init_array to
1925 non-ELF platforms.
1927 - Fixed a problem with afl-clang-fast and -shared libraries. Simplified
1931 - Removed unnecessary instrumentation density adjustment for the LLVM mode.
1936 - Updated cgroups_asan/ with a new version from Sam, made a couple changes
1939 - Fixed typos, thanks to Jakub Wilk.
1943 - Improved the handling of -x in afl-clang-fast,
1945 - Improved the handling of low AFL_INST_RATIO settings for QEMU and
1948 - Fixed the llvm-config bug for good (thanks to Tobias Ospelt).
1952 - Fixed an obscure bug compiling OpenSSL with afl-clang-fast. Patch by
1955 - Fixed a 'make install' bug on non-x86 systems, thanks to Tobias Ospelt.
1957 - Fixed a problem with half-broken llvm-config on Odroid, thanks to
1959 fixed - TBD).
1963 - Allowed examples/llvm_instrumentation/ to graduate to llvm_mode/.
1965 - Removed examples/arm_support/, since it's completely broken and likely
1968 - Added ASAN cgroups script to examples/asan_cgroups/, updated existing
1971 - Refactored afl-tmin to reduce the number of execs in common use cases.
1974 - Added a note about CLAs at the bottom of README.
1976 - Renamed testcases_readme.txt to README.testcases for some semblance of
1979 - Made assorted updates to docs.
1981 - Added MEM_BARRIER() to afl-showmap and afl-tmin, just to be safe.
1985 - Imported Laszlo Szekeres' experimental LLVM instrumentation into
1989 - Fixed another typo, thanks to Jakub Wilk.
1993 - Added a workaround for abort() behavior in -lpthread programs in QEMU mode.
1996 - Made several documentation updates, including links to the static
2001 - Fixed a problem with exception handling on some versions of MacOS X.
2004 - Tweaked afl-gcc to use BIN_PATH instead of a fixed string in help
2009 - Renamed related_work.txt to historical_notes.txt.
2011 - Made minor edits to the ASAN doc.
2013 - Added docs/sister_projects.txt with a list of inspired or closely
2018 - Fixed a glitch with afl-showmap opening /dev/null with O_RDONLY when
2023 - Added another postprocessor example for PNG.
2025 - Made a cosmetic fix to realloc() handling in examples/post_library/,
2028 - Improved -ldl handling. Suggested by Jakub Wilk.
2032 - Fixed an -l ordering issue that is apparently still a problem on Ubuntu.
2037 - Added support for file format postprocessors. Requested by Ben Nagy. This
2043 - Made it possible to properly override LD_BIND_NOW after one very unusual
2046 - Cleaned up typos, thanks to Jakub Wilk.
2048 - Fixed a bug in AFL_DUMB_FORKSRV.
2052 - Fixed a flock() bug that would prevent dir reuse errors from kicking
2055 - Renamed references to ppvm (the project is now called recidivm).
2057 - Made improvements to file descriptor handling to avoid leaving some fds
2060 - Fixed a typo or two.
2064 - Added code to save original command line in fuzzer_stats and
2070 - Fixed a bug with QEMU fork server crashes when translation is attempted
2077 - Fixed a bug with afl-cmin in -Q mode complaining about binary being not
2080 - Fixed another bug with argv handling for afl-fuzz in -Q mode. Reported
2083 - Improved the use of colors when showing crash counts in -C mode.
2087 - Improved instrumentation performance on 32-bit systems by getting rid of
2088 xor-swap (oddly enough, xor-swap is still faster on 64-bit) and tweaking
2091 - Made path depth numbers more accurate with imported test cases.
2095 - Added support for SIMPLE_FILES in config.h for folks who don't like
2099 - Replaced zero-sized files with symlinks in the variable behavior state
2102 - Changed the period of limited-range block ops from 5 to 10 minutes based
2106 without discovering new paths. Should have no effect on well-seeded jobs.
2108 - Made several minor updates to docs.
2112 - Corrected two bungled attempts to get the -C mode work properly
2113 with afl-cmin (accounting for the short-lived releases tagged 1.42 and
2114 1.43b) - sorry.
2116 - Removed AFL_ALLOW_CRASHES in favor of the -C mode in said tool.
2118 - Said goodbye to Hello Kitty, as requested by Padraig Brady.
2122 - Added AFL_ALLOW_CRASHES=1 to afl-cmin. Allows crashing inputs in the
2125 - Made the afl-cmin output dir default to 0700, not 0755, to be consistent
2126 with afl-fuzz; documented the rationale for 0755 in afl-plot.
2128 - Lowered the output dir reuse time limit to 25 minutes as a dice-roll
2129 compromise after a discussion on afl-users@.
2131 - Made afl-showmap accept -o /dev/null without borking out.
2133 - Added support for crash / hang info in exit codes of afl-showmap.
2135 - Tweaked block operation scaling to also factor in ballpark run time
2138 - Fixed typos and made improvements to several docs.
2142 - Switched to smaller block op sizes during the first passes over the
2145 - Added memory barrier for run_target(), just in case compilers get
2148 - Updated a bunch of docs.
2152 - Added the ability to skip inputs by sending SIGUSR1 to the fuzzer.
2154 - Reworked several portions of the documentation.
2156 - Changed the code to reset splicing perf scores between runs to keep
2159 - Reduced the minimum value of -t to 5 for afl-fuzz (~200 exec/sec)
2162 - Switched to more aggressive default timeouts (rounded up to 25 ms
2163 versus 50 ms - ~40 execs/sec) and made several other cosmetic changes
2168 - Fixed a bug in the QEMU build script, spotted by William Robinet.
2170 - Improved the reporting of skipped bitflips to keep the UI counters a bit
2173 - Cleaned up related_work.txt and added some non-goals.
2175 - Fixed typos, thanks to Jakub Wilk.
2179 - Added effector maps, which detect regions that do not seem to respond
2182 improvements with quite a few types of text-based formats, reducing the
2185 - Cleaned up mem limit handling in afl-cmin.
2187 - Switched from uname -i to uname -m to work around Gentoo-specific
2190 - Switched from PID checking to flock() to detect running sessions.
2193 - Added SKIP_COUNTS and changed the behavior of COVERAGE_ONLY in config.h.
2196 - Made improvements to UI refresh rates and exec/sec stats to make them
2199 - Made assorted improvements to the documentation and to the QEMU build
2202 - Switched from perror() to strerror() in error macros, thanks to Jakub
2205 - Moved afl-cmin back to bash, wasn't thinking straight. It has to stay
2210 - Switched afl-cmin over to /bin/sh. Thanks to Jonathan Gray.
2212 - Fixed an off-by-one bug in queue limit check when resuming sessions
2215 - Fixed the QEMU script to tolerate i686 if returned by uname -i. Based on
2218 - Added multiple references to Jakub's ppvm tool.
2220 - Made several minor improvements to the Makefile.
2222 - Believe it or not, fixed some typos. Thanks to Jakub Wilk.
2226 - Cleaned up regular expressions in some of the scripts to avoid errors
2231 - Performed a substantial documentation and program output cleanup to
2236 - Added support for AFL_INST_RATIO and AFL_INST_LIBS in the QEMU mode.
2238 - Fixed a stack allocation crash in QEMU mode (bug in QEMU, fixed with
2241 - Added code to test the QEMU instrumentation once the afl-qemu-trace
2244 - Modified afl-tmin and afl-showmap to search $PATH for binaries and to
2247 - Added a check for instrumented binaries when passing -Q to afl-fuzz.
2251 - Fixed 'make install' following the QEMU changes. Spotted by Hanno Boeck.
2253 - Fixed EXTRA_PAR handling in afl-cmin.
2257 - Hallelujah! Thanks to Andrew Griffiths, we now support very fast, black-box
2258 instrumentation of binary-only code. See qemu_mode/README.qemu.
2261 directory and then run afl-fuzz with -Q.
2265 - Added -s (summary) option to afl-whatsup. Suggested by Jodie Cunningham.
2267 - Added a sanity check in afl-tmin to detect minimization to zero len or
2270 - Fixed alphabet size counter in afl-tmin.
2272 - Slightly improved the handling of -B in afl-fuzz.
2274 - Fixed process crash messages with -m none.
2278 - Improved the naming of test cases when orig: is already present in the file
2281 - Made substantial improvements to technical_details.txt.
2285 - Made a minor tweak to the instrumentation to preserve the directionality
2286 of tuples (i.e., A -> B != B -> A) and to maintain the identity of tight
2287 loops (A -> A). You need to recompile targeted binaries to leverage this.
2289 - Cleaned up some of the afl-whatsup stats.
2291 - Added several sanity checks to afl-cmin.
2295 - Made afl-tmin recursive. Thanks to Hanno Boeck for the tip.
2297 - Added docs/technical_details.txt.
2299 - Changed afl-showmap search strategy in afl-cmin to just look into the
2300 same place that afl-cmin is executed from. Thanks to Jakub Wilk.
2302 - Removed current_todo.txt and cleaned up the remaining docs.
2306 - Added total execs/sec stat for afl-whatsup.
2308 - afl-cmin now auto-selects between cp or ln. Based on feedback from
2311 - Fixed a typo. Thanks to Jakub Wilk.
2313 - Made afl-gotcpu a bit more accurate by using getrusage instead of
2316 - Fixed a memory limit issue during the build process on NetBSD-current.
2321 - Introduced afl-whatsup, a simple tool for querying the status of
2322 local synced instances of afl-fuzz.
2324 - Added -x compiler to clang options on Darwin. Suggested by Filipe
2327 - Improved exit codes for afl-gotcpu.
2329 - Improved the checks for -m and -t values in afl-cmin. Bug report
2334 - Introduced afl-getcpu, an experimental tool to empirically measure
2339 - Reverted one change to afl-cmin that actually made it slower.
2343 - Reworked afl-showmap.c to support normal options, including -o, -q,
2344 -e. Also added support for timeouts and memory limits.
2346 - Made changes to afl-cmin and other scripts to accommodate the new
2349 - Officially retired AFL_EDGES_ONLY.
2351 - Fixed another typo in afl-tmin, courtesy of Jakub Wilk.
2355 - Graduated minimize_corpus.sh to afl-cmin. It is now a first-class
2358 - Made significant improvements to afl-cmin to make it faster, more
2361 - Refactored some of afl-tmin code to make it a bit more readable.
2363 - Made assorted changes to the doc to document afl-cmin and other stuff.
2367 - Added AFL_DUMB_FORKSRV, as requested by Jakub Wilk. This works only
2368 in -n mode and allows afl-fuzz to run with "dummy" fork servers that
2371 - Renamed AFL_SKIP_CHECKS to AFL_SKIP_BIN_CHECK to make it at least
2374 - Switched to using clang as the default assembler on MacOS X to work
2378 - Fixed a typo (via Jakub Wilk).
2382 - Improved exec failure detection in afl-fuzz and afl-showmap.
2384 - Improved Ctrl-C handling in afl-showmap.
2386 - Added afl-tmin, a handy instrumentation-enabled minimizer.
2390 - Fixed a serious but short-lived bug in the resumption behavior introduced
2393 - Added -t nn+ mode for soft-skipping timing-out paths.
2397 - Fixed a compiler warning introduced in 1.16b for newer versions of GCC.
2400 - Improved the consistency of saving fuzzer_stats, bitmap info, and
2401 auto-dictionaries when aborting fuzzing sessions.
2403 - Made several noticeable performance improvements to deterministic arith
2408 - Added a bit of code to make resumption pick up from the last known
2412 - Switched to tighter timeout control for slow programs (3x rather than
2417 - Added support for AFL_NO_VAR_CHECK to speed up resumption and inhibit
2420 - Made the trimmer run even for variable paths, since there is no special
2424 - Made the UI a bit more descriptive by adding "n/a" instead of "0" in a
2429 - Added a (partial) dictionary for JavaScript.
2431 - Added AFL_NO_CPU_RED, as suggested by Jakub Wilk.
2433 - Tweaked the havoc scaling logic added in 1.12b.
2437 - Improved the performance of minimize_corpus.sh by switching to a
2438 sort-based approach.
2440 - Made several minor revisions to the docs.
2444 - Made an improvement to dictionary generation to avoid runs of identical
2447 - Added havoc cycle scaling to help with slow binaries in -d mode. Based on
2450 - Added AFL_SYNC_FIRST for afl-fuzz. This is useful for those who obsess
2453 - Switched to more robust box drawing codes, suggested by Jakub Wilk.
2455 - Created faster 64-bit variants of several critical-path bitmap functions
2458 - Fixed moar typos, as reported by Jakub Wilk.
2462 - Added a bit more info about dictionary strategies to the status screen.
2466 - Revised the dictionary behavior to use insertion and overwrite in
2470 - Added a mention of "*" in status_screen.txt, as suggested by Jakub Wilk.
2474 - Corrected a cosmetic problem with 'extras' stage count not always being
2477 - Fixed a typo reported by Jakub Wilk and made some minor documentation
2482 - Fixed a div-by-zero bug in the newly-added code when using a dictionary.
2486 - Added code that automatically finds and extracts syntax tokens from the
2489 - Fixed a problem with ld dead-code removal option on MacOS X, reported
2492 - Corrected minor typos spotted by Jakub Wilk.
2494 - Added a couple of more exotic archive format samples.
2498 - Switched to slightly more accurate (if still not very helpful) reporting
2503 - Revamped some of the allocator and debug code, adding comments and
2506 - Tweaked the odds of fuzzing non-favored test cases to make sure that
2511 - Added a dictionary for WebP.
2513 - Made some additional performance improvements to minimize_corpus.sh,
2518 - Made substantial performance improvements to minimize_corpus.sh with
2522 - Tweaked afl-showmap to support the format used by the new script.
2526 - Added code to skip README.txt in the input directory to make the crash
2529 - Added a dictionary for SQLite.
2533 - Reverted the ./ search path in minimize_corpus.sh because people did
2536 - Added very explicit warnings not to run various shell scripts that
2538 multi-user systems).
2540 - Added a check for /tmp binaries and -f locations in afl-fuzz.
2544 - Added dictionaries for XML and GIF.
2548 - Slightly improved the performance of minimize_corpus.sh, especially on
2551 - Made a couple of improvements to calibration timeouts for resumed scans.
2555 - Fixed minimize_corpus.sh to work with dash, as suggested by Jakub Wilk.
2557 - Modified minimize_corpus.sh to try to locate afl-showmap in $PATH and ./.
2560 - Added support for afl-as --version, as required by one funky build
2565 - Added a dictionary for TIFF.
2567 - Fixed another cosmetic snafu with stage exec counts for -x.
2569 - Switched afl-plot to /bin/sh, since it seems bashism-free. Also tried
2576 - Fixed cosmetic issues around the naming of -x strategy files.
2578 - Added a dictionary for JPEG.
2580 - Fixed a very rare glitch when instrumenting 64-bit code that makes
2585 - Added support for extra dictionaries, provided testcases/_extras/png/
2588 - Fixed a minor bug in number formatting routines used by the UI.
2590 - Added several additional PNG test cases that are relatively unlikely
2593 - Fixed afl-plot syntax for gnuplot 5.x. Reported by David Necas.
2597 - Cleaned up the OSX ReportCrash code. Thanks to Tobias Ospelt for help.
2599 - Added some extra tips for AFL_NO_FORKSERVER on OSX.
2601 - Refreshed the INSTALL file.
2605 - Added in-place resume (-i-) to address a common user complaint.
2607 - Added an awful workaround for ReportCrash on MacOS X. Problem
2612 - Fixed the link() workaround, as reported by Jakub Wilk.
2616 - Added support for reading test cases from another filesystem.
2619 - Added pointers to the mailing list.
2621 - Added a sample PDF document.
2625 - Refactored minimize_corpus.sh to make it a bit more user-friendly and to
2629 - Slightly improved the performance of splicing code.
2633 - Moved to an algorithm where paths are marked as preferred primarily based
2637 - Refactored path calibration code; calibration now takes place as soon as a
2641 - Changed the way of marking variable paths to avoid .state metadata
2644 - Made sure that calibration routines always create a new test case to avoid
2647 - Added bitmap saturation to fuzzer stats and plot data.
2649 - Added a testcase for JPEG XR.
2651 - Added a tty check for the colors warning in Makefile, to keep distro build
2656 - Renamed afl-plot.sh to afl-plot, as requested by Padraig Brady.
2658 - Improved the compatibility of afl-plot with older versions of gnuplot.
2660 - Added banner information to fuzzer_stats, populated it to afl-plot.
2664 - Added support for plotting, with design and implementation based on a
2667 - Added afl-plot.sh, which allows you to, well, generate a nice plot using
2670 - Refactored the code slightly to make more frequent updates to fuzzer_stats
2673 - Added an fflush(stdout) call for non-tty operation, as requested by
2676 - Added some detail to fuzzer_stats for parity with plot_file.
2680 - Added support for MSAN, via AFL_USE_MSAN, same gotchas as for ASAN.
2684 - Added AFL_NO_FORKSRV, allowing the forkserver to be bypassed. Suggested
2687 - Simplified afl-showmap.c to make use of the no-forkserver mode.
2689 - Made minor improvements to crash_triage.sh, as suggested by Jakub Wilk.
2693 - Fixed the CPU counting code - no sysctlbyname() on OpenBSD, d'oh. Bug
2696 - Made a slight correction to error messages - the advice on testing
2701 - Added support for the CPU widget on some non-Linux platforms (I hope).
2704 - Cleaned up the changelog (very meta).
2708 - Added examples/clang_asm_normalize/ and related notes in
2709 env_variables.txt and afl-as.c. Thanks to Ryan Govostes for the idea.
2711 - Added advice on hardware utilization in README.
2715 - Made additional fixes for Xcode support, juggling -Q and -q flags. Thanks to
2718 - Added a check for __asm__ blocks and switches to .intel_syntax in assembly.
2723 - A workaround for Xcode 6 as -Q flag glitch. Spotted by Ryan Govostes.
2725 - Improved Solaris build instructions, as suggested by Martin Carpenter.
2727 - Fix for a slightly busted path scoring conditional. Minor practical impact.
2731 - Added a check for $PATH-induced loops. Problem noticed by Kartik Agaram.
2733 - Added AFL_KEEP_ASSEMBLY for easier troubleshooting.
2735 - Added an override for AFL_USE_ASAN if set at AFL compile time. Requested by
2740 - Made minor adjustments to path skipping logic.
2742 - Made several documentation updates to reflect the path selection changes
2747 - Added a CPU governor check. Bug report from Joe Zbiciak.
2749 - Favored paths are now selected strictly based on new edges, not hit
2750 counts. This speeds up the first pass by a factor of 3-6x without
2755 some of the in-memory bitmaps much smaller.
2757 - Made multiple significant performance improvements to bitmap checking
2760 - Owing largely to these optimizations, bumped the size of the bitmap to
2766 - Added AFL_SKIP_CHECKS to bypass binary checks when really warranted.
2769 - Fixed a couple of typos.
2771 - Added a warning for runs that are aborted early on.
2775 - Incorporated another signal handling fix for Solaris. Suggestion
2780 - Implemented a slightly more "elegant" kludge for the %llu glitch (see
2783 - Relaxed CPU load warnings to stay in sync with reality.
2787 - Switched to more responsive exec speed averages and better UI speed
2790 - Fixed a bug with interrupted reads on Solaris. Issue spotted by Martin
2795 - Fixed a stray memcpy() instead of memmove() on overlapping buffers.
2800 - Bumped map size up to 32k. You may want to recompile instrumented
2803 - Made huge performance improvements for bit-counting functions.
2805 - Default optimizations now include -funroll-loops. This should have
2809 - Made a fix for stack alignment crash on MacOS X 10.10; looks like the
2810 rhetorical question in the comments in afl-as.h has been answered.
2815 - Added a fix for the nonsensical MacOS ELF check. Spotted by Mudge Zatko.
2817 - Made some improvements to ASAN checks.
2821 - Added explicit detection of ASANified binaries.
2823 - Fixed compilation issues on Solaris. Reported by Martin Carpenter.
2827 - Improved the detection of non-instrumented binaries.
2829 - Made the crash counter in -C mode accurate.
2831 - Fixed an obscure install bug that made afl-as non-functional with the tool
2834 - Fixed a cosmetic SIGFPE when Ctrl-C is pressed while the fork server
2839 - Added crash exploration mode! Woot!
2843 - Fixed several more typos, the project is now cartified 100% typo-free.
2846 - Made a change to write fuzzer_stats early on.
2848 - Fixed a glitch when (not!) running on MacOS X as root. Spotted by Tobias
2851 - Made it possible to override -O3 in Makefile. Suggested by Jakub Wilk.
2855 - Fixed a very obscure issue with build systems that use gcc as an assembler
2856 for hand-written .s files; this would confuse afl-as. Affected nss, reported
2859 - Fixed a bug when cleaning up synchronized fuzzer output dirs. Issue reported
2864 - Cleaned up shell printf escape codes in Makefile. Reported by Jakub Wilk.
2866 - Added more color to fuzzer_stats, provided short documentation of the file
2867 format, and made several other stats-related improvements.
2871 - Enabled GCC support on MacOS X.
2875 - Provided a new, simplified way to pass data in files (@@). See README.
2877 - Made additional fixes for 64-bit MacOS X, working around a crashing bug in
2880 - Added a minor workaround for a bug in 64-bit FreeBSD (clang -m32 -g doesn't
2881 work on that platform, but clang -m32 does, so we no longer insert -g).
2883 - Added a build-time warning for inverse video terminals and better
2888 - Made minor improvements to the allocator, as suggested by Tobias Ospelt.
2890 - Added example instrumented memcmp() in examples/instrumented_cmp.
2892 - Added a speculative fix for MacOS X (clang detection, again).
2894 - Fixed typos in parallel_fuzzing.txt. Problems spotted by Thomas Jarosch.
2898 - Fixed a minor issue with clang detection on systems with a clang cc
2899 wrapper, so that afl-gcc doesn't confuse it with GCC.
2901 - Made cosmetic improvements to docs and to the CPU load indicator.
2903 - Fixed a glitch with crash removal (README.txt left behind, d'oh).
2907 - Fixed problems with jump tables generated by exotic versions of GCC. This
2908 solves an outstanding problem on OpenBSD when using afl-gcc + PIE (not
2909 present with afl-clang).
2911 - Fixed permissions on one of the sample archives.
2913 - Added a lahf / sahf workaround for OpenBSD (their assembler doesn't know
2916 - Added docs/INSTALL.
2920 - Modified 'make install' to also install test cases.
2922 - Provided better pointers to installed README in afl-fuzz.
2924 - More work on RLIMIT_AS for OpenBSD.
2928 - Added a core count check on Linux.
2930 - Refined the code for the lack-of-RLIMIT_AS case on OpenBSD.
2932 - Added a rudimentary CPU utilization meter to help with optimal loading.
2936 - Made fixes to support FreeBSD and OpenBSD: use_64bit is now inferred if not
2937 explicitly specified when calling afl-as, and RLIMIT_AS is behind an #ifdef.
2940 - Modified 'make install' to also install docs (in /usr/local/share/doc/afl).
2942 - Fixed a typo in status_screen.txt.
2944 - Made a couple of Makefile improvements as proposed by Jakub Wilk.
2948 - Added probabilistic instrumentation density reduction in ASAN mode. This
2949 compensates for ASAN-specific branches in a crude but workable way.
2951 - Updated notes_for_asan.txt.
2955 - Implemented smarter out_dir behavior, automatically deleting directories
2959 - Added more detail in fuzzer_stats (start time, run time, fuzzer PID).
2961 - Implemented support for configurable install prefixes in Makefile
2964 - Made it possible to resume by doing -i <out_dir>, without having to specify
2965 -i <out_dir>/queue/.
2969 - Added a fix for -Wformat warning messages (oops, I thought this had been in
2974 - Redesigned the crash & hang duplicate detection code to better deal with
2977 The old approach could be compared to hashing stack traces to de-dupe
2982 The middle ground currently used in afl-fuzz can be compared to looking
2983 at every line item in the stack trace and tagging crashes as unique if
2990 - Added a fix for harmless but absurd trim ratios shown if the first exec in
2995 - Added a quick summary of the contents in examples/.
2997 - Made a fix to the process of writing fuzzer_stats.
2999 - Slightly reorganized the .state/ directory, now recording redundant paths,
3001 - sorry about that.
3008 - Changed the search order for afl-as to avoid the problem with older copies
3009 installed system-wide; this also means that I can remove the Makefile check
3012 - Made it possible to set instrumentation ratio of 0%.
3014 - Introduced some typos, fixed others.
3016 - Fixed the test_prev target in Makefile, as reported by Ozzy Johnson.
3020 - Improved the 'make install' logic, as suggested by Padraig Brady.
3022 - Revamped various bits of the documentation, especially around perf_tips.txt;
3025 - Added AFL_INST_RATIO to afl-as. The only case where this comes handy is
3027 ffmpeg ./configure also ignores CC and --cc, probably unintentionally).
3029 - Added documentation for all environmental variables (env_variables.txt).
3031 - Implemented a visual warning for excessive or insufficient bitmap density.
3033 - Changed afl-gcc to add -O3 by default; use AFL_DONT_OPTIMIZE if you don't
3036 - Made a regression fix to afl-as to ignore .LBB labels in gcc mode.
3040 - Fixed more typos, as found by Jakub Wilk.
3042 - Added support for clang!
3044 - Changed AFL_HARDEN to *not* include ASAN by default. Use AFL_USE_ASAN if
3047 - Switched from configure auto-detection to isatty() to keep afl-as and
3048 afl-gcc quiet.
3050 - Improved installation process to properly create symlinks, rather than
3055 - Improved afl-fuzz to force-set ASAN_OPTIONS=abort_on_error=1. Otherwise,
3056 ASAN crashes wouldn't be caught at all. Reported by Hanno Boeck.
3058 - Improved Makefile mkdir logic, as suggested by Hanno Boeck.
3060 - Improved the 64-bit instrumentation to properly save r8-r11 registers in
3063 .o file has 5+ parameters. No impact on code running under afl-fuzz or
3064 afl-showmap. Issue spotted by Padraig Brady.
3068 - Fixed another Makefile bug for parallel builds of afl. Problem identified
3071 - Added support for suffixes for -m.
3073 - Updated the documentation and added notes_for_asan.txt. Based on feedback
3076 - Moved the project to https://lcamtuf.coredump.cx/afl/.
3080 - Cleaned up Makefile dependencies for parallel builds. Requested by
3083 - Added support for DESTDIR in Makefile. Once again suggested by
3084 Richard W. M. Jones :-)
3086 - Removed all the USE_64BIT stuff; we now just auto-detect compilation mode.
3089 - Fixed rare problems with programs that use snippets of assembly and
3095 - Implemented a test case trimmer. Results in 20-30% size reduction for many
3099 - Added better warnings for various problems with input directories.
3101 - Added a Makefile warning for older copies, based on counterintuitive
3104 - Added fuzzer_stats file for status monitoring. Suggested by @dronesec.
3106 - Fixed moar typos, thanks to Alexander Cherepanov.
3108 - Implemented better warnings for ASAN memory requirements, based on calls
3111 - Switched to saner behavior with non-tty stdout (less output generated,
3116 - Added support for AFL_CC and AFL_CXX, based on a patch from Ben Laurie.
3118 - Replaced afl-fuzz -S -D with -M for simplicity.
3120 - Added a check for .section .text; lack of this prevented main() from
3123 - Reorganized the testcases/ directory.
3125 - Added an extra check to confirm that the build is operational.
3127 - Made more consistent use of color reset codes, as suggested by Oliver
3132 - Fixed a bug with 64-bit gcc -shared relocs.
3134 - Removed echo -e from Makefile for compatibility with dash. Suggested
3137 - Added status_screen.txt.
3139 - Added examples/canvas_harness.
3141 - Made a minor change to the Makefile GCC check. Suggested by Hanno Boeck.
3145 - Fixed a bug with red zone handling for 64-bit (oops!). Problem reported by
3148 - Implemented horribly experimental ARM support in examples/arm_support.
3150 - Made several improvements to error messages.
3152 - Added AFL_QUIET to silence afl-gcc and afl-as when using wonky build
3155 - Improved check for 64-bit compilation, plus several sanity checks
3160 - Fixed a fork server bug for processes that call execve().
3162 - Made minor compatibility fixes to Makefile, afl-gcc; suggested by Jakub
3165 - Fixed triage_crashes.sh to work with the new layout of output directories.
3168 - Made multiple performance-related improvements to the injected
3171 - Added visual indication of the number of imported paths.
3173 - Fixed afl-showmap to make it work well with new instrumentation.
3175 - Added much better error messages for crashes when importing test cases
3180 - Added support for parallelized fuzzing. Inspired by earlier patch
3183 - Added an example in examples/distributed_fuzzing/.
3187 - Redesigned status screen, now 90% more spiffy.
3189 - Added more verbose and user-friendly messages for some common problems.
3191 - Modified the resumption code to reconstruct path depth.
3193 - Changed the code to inhibit core dumps and improve the ability to detect
3196 - Added a check for redirection of core dumps to programs.
3198 - Made a minor improvement to the handling of variable paths.
3200 - Made additional performance tweaks to afl-fuzz, chiefly around mem limits.
3202 - Added performance_tips.txt.
3206 - Fixed an fd leak and +cov tracking bug resulting from changes in 0.37b.
3208 - Implemented auto-scaling for screen update speed.
3210 - Added a visual indication when running in non-instrumented mode.
3214 - Added fuzz state tracking for more seamless resumption of aborted
3217 - Removed the -D option, as it's no longer necessary.
3219 - Refactored calibration code and improved startup reporting.
3221 - Implemented dynamically scaled timeouts, so that you don't need to
3222 play with -t except in some very rare cases.
3224 - Added visual notification for slow binaries.
3226 - Improved instrumentation to explicitly cover the other leg of every
3231 - Implemented fork server support to avoid the overhead of execve(). A
3232 nearly-verbatim design from Jann Horn; still pending part 2 that would
3235 - Added a check for shell scripts used as fuzz targets.
3237 - Added a check for fuzz jobs that don't seem to be finding anything.
3239 - Fixed the way IGNORE_FINDS works (was a bit broken after adding splicing
3244 - Properly integrated 64-bit instrumentation into afl-as.
3248 - Added a new exec count classifier (the working theory is that it gets
3253 - Switched to new, somewhat experimental instrumentation that tries to
3257 - Made several other cosmetic fixes and typo corrections, thanks to
3262 - Another take at fixing the C++ exception thing. Reported by Jakub Wilk.
3266 - Made another fix to afl-as to address a potential problem with newer
3271 - Added more detail about the underlying operations in file names.
3275 - Made some general improvements to chunk operations.
3279 - Fixed C++ exception handling in newer versions of GCC. Problem diagnosed
3282 - Fixed the handling of the overflow flag. Once again, thanks to
3287 - Added prioritization of new paths over the already-fuzzed ones.
3289 - Included spliced test case ID in the output file name.
3291 - Fixed a rare, cosmetic null ptr deref after Ctrl-C.
3293 - Refactored the code to make copies of test cases in the output directory.
3295 - Switched to better output file names, keeping track of stage and splicing
3300 - Revamped storage of testcases, -u option removed,
3302 - Added a built-in effort minimizer to get rid of potentially redundant
3305 - Provided a testcase count minimization script in examples/,
3307 - Made miscellaneous improvements to directory and file handling.
3309 - Fixed a bug in timeout detection.
3313 - Improved count-based instrumentation.
3315 - Improved the hang deduplication logic.
3317 - Added -cov prefixes for test cases.
3319 - Switched from readdir() to scandir() + alphasort() to preserve ordering of
3322 - Added a splicing strategy.
3324 - Made various minor UI improvements and several other bugfixes.
3328 - Added program name to the status screen, plus the -T parameter to go with
3333 - Improved the detection of variable behaviors.
3335 - Added path depth tracking,
3337 - Improved the UI a bit,
3339 - Switched to simplified (XOR-based) tuple instrumentation.
3343 - Refactored the handling of long bitflips and some swaps.
3345 - Fixed the handling of gcc -pipe, thanks to anonymous reporter.
3347 ### Version 0.21b (2013-11-12):
3349 - Initial public release.
3351 - Added support for use of multiple custom mutators which can be specified using