1*08b48e0bSAndroid Build Coastguard Worker# Frequently asked questions (FAQ) 2*08b48e0bSAndroid Build Coastguard Worker 3*08b48e0bSAndroid Build Coastguard WorkerIf you find an interesting or important question missing, submit it via 4*08b48e0bSAndroid Build Coastguard Worker[https://github.com/AFLplusplus/AFLplusplus/discussions](https://github.com/AFLplusplus/AFLplusplus/discussions). 5*08b48e0bSAndroid Build Coastguard Worker 6*08b48e0bSAndroid Build Coastguard Worker## General 7*08b48e0bSAndroid Build Coastguard Worker 8*08b48e0bSAndroid Build Coastguard Worker<details> 9*08b48e0bSAndroid Build Coastguard Worker <summary id="what-is-the-difference-between-afl-and-aflplusplus">What is the difference between AFL and AFL++?</summary><p> 10*08b48e0bSAndroid Build Coastguard Worker 11*08b48e0bSAndroid Build Coastguard Worker AFL++ is a superior fork to Google's AFL - more speed, more and better 12*08b48e0bSAndroid Build Coastguard Worker mutations, more and better instrumentation, custom module support, etc. 13*08b48e0bSAndroid Build Coastguard Worker 14*08b48e0bSAndroid Build Coastguard Worker American Fuzzy Lop (AFL) was developed by Michał "lcamtuf" Zalewski starting 15*08b48e0bSAndroid Build Coastguard Worker in 2013/2014, and when he left Google end of 2017 he stopped developing it. 16*08b48e0bSAndroid Build Coastguard Worker 17*08b48e0bSAndroid Build Coastguard Worker At the end of 2019, the Google fuzzing team took over maintenance of AFL, 18*08b48e0bSAndroid Build Coastguard Worker however, it is only accepting PRs from the community and is not developing 19*08b48e0bSAndroid Build Coastguard Worker enhancements anymore. 20*08b48e0bSAndroid Build Coastguard Worker 21*08b48e0bSAndroid Build Coastguard Worker In the second quarter of 2019, 1 1/2 years later, when no further development 22*08b48e0bSAndroid Build Coastguard Worker of AFL had happened and it became clear there would none be coming, AFL++ was 23*08b48e0bSAndroid Build Coastguard Worker born, where initially community patches were collected and applied for bug 24*08b48e0bSAndroid Build Coastguard Worker fixes and enhancements. Then from various AFL spin-offs - mostly academic 25*08b48e0bSAndroid Build Coastguard Worker research - features were integrated. This already resulted in a much advanced 26*08b48e0bSAndroid Build Coastguard Worker AFL. 27*08b48e0bSAndroid Build Coastguard Worker 28*08b48e0bSAndroid Build Coastguard Worker Until the end of 2019, the AFL++ team had grown to four active developers 29*08b48e0bSAndroid Build Coastguard Worker which then implemented their own research and features, making it now by far 30*08b48e0bSAndroid Build Coastguard Worker the most flexible and feature rich guided fuzzer available as open source. And 31*08b48e0bSAndroid Build Coastguard Worker in independent fuzzing benchmarks it is one of the best fuzzers available, 32*08b48e0bSAndroid Build Coastguard Worker e.g., 33*08b48e0bSAndroid Build Coastguard Worker [Fuzzbench Report](https://www.fuzzbench.com/reports/2020-08-03/index.html). 34*08b48e0bSAndroid Build Coastguard Worker</p></details> 35*08b48e0bSAndroid Build Coastguard Worker 36*08b48e0bSAndroid Build Coastguard Worker<details> 37*08b48e0bSAndroid Build Coastguard Worker <summary id="is-afl-a-whitebox-graybox-or-blackbox-fuzzer">Is AFL++ a whitebox, graybox, or blackbox fuzzer?</summary><p> 38*08b48e0bSAndroid Build Coastguard Worker 39*08b48e0bSAndroid Build Coastguard Worker The definition of the terms whitebox, graybox, and blackbox fuzzing varies 40*08b48e0bSAndroid Build Coastguard Worker from one source to another. For example, "graybox fuzzing" could mean 41*08b48e0bSAndroid Build Coastguard Worker binary-only or source code fuzzing, or something completely different. 42*08b48e0bSAndroid Build Coastguard Worker Therefore, we try to avoid them. 43*08b48e0bSAndroid Build Coastguard Worker 44*08b48e0bSAndroid Build Coastguard Worker [The Fuzzing Book](https://www.fuzzingbook.org/html/GreyboxFuzzer.html#AFL:-An-Effective-Greybox-Fuzzer) 45*08b48e0bSAndroid Build Coastguard Worker describes the original AFL to be a graybox fuzzer. In that sense, AFL++ is 46*08b48e0bSAndroid Build Coastguard Worker also a graybox fuzzer. 47*08b48e0bSAndroid Build Coastguard Worker</p></details> 48*08b48e0bSAndroid Build Coastguard Worker 49*08b48e0bSAndroid Build Coastguard Worker<details> 50*08b48e0bSAndroid Build Coastguard Worker <summary id="where-can-i-find-tutorials">Where can I find tutorials?</summary><p> 51*08b48e0bSAndroid Build Coastguard Worker 52*08b48e0bSAndroid Build Coastguard Worker We compiled a list of tutorials and exercises, see 53*08b48e0bSAndroid Build Coastguard Worker [tutorials.md](tutorials.md). 54*08b48e0bSAndroid Build Coastguard Worker</p></details> 55*08b48e0bSAndroid Build Coastguard Worker 56*08b48e0bSAndroid Build Coastguard Worker<details> 57*08b48e0bSAndroid Build Coastguard Worker <summary id="what-is-an-edge">What is an "edge"?</summary><p> 58*08b48e0bSAndroid Build Coastguard Worker 59*08b48e0bSAndroid Build Coastguard Worker A program contains `functions`, `functions` contain the compiled machine code. 60*08b48e0bSAndroid Build Coastguard Worker The compiled machine code in a `function` can be in a single or many `basic 61*08b48e0bSAndroid Build Coastguard Worker blocks`. A `basic block` is the **largest possible number of subsequent machine 62*08b48e0bSAndroid Build Coastguard Worker code instructions** that has **exactly one entry point** (which can be be entered by 63*08b48e0bSAndroid Build Coastguard Worker multiple other basic blocks) and runs linearly **without branching or jumping to 64*08b48e0bSAndroid Build Coastguard Worker other addresses** (except at the end). 65*08b48e0bSAndroid Build Coastguard Worker 66*08b48e0bSAndroid Build Coastguard Worker ``` 67*08b48e0bSAndroid Build Coastguard Worker function() { 68*08b48e0bSAndroid Build Coastguard Worker A: 69*08b48e0bSAndroid Build Coastguard Worker some 70*08b48e0bSAndroid Build Coastguard Worker code 71*08b48e0bSAndroid Build Coastguard Worker B: 72*08b48e0bSAndroid Build Coastguard Worker if (x) goto C; else goto D; 73*08b48e0bSAndroid Build Coastguard Worker C: 74*08b48e0bSAndroid Build Coastguard Worker some code 75*08b48e0bSAndroid Build Coastguard Worker goto E 76*08b48e0bSAndroid Build Coastguard Worker D: 77*08b48e0bSAndroid Build Coastguard Worker some code 78*08b48e0bSAndroid Build Coastguard Worker goto B 79*08b48e0bSAndroid Build Coastguard Worker E: 80*08b48e0bSAndroid Build Coastguard Worker return 81*08b48e0bSAndroid Build Coastguard Worker } 82*08b48e0bSAndroid Build Coastguard Worker ``` 83*08b48e0bSAndroid Build Coastguard Worker 84*08b48e0bSAndroid Build Coastguard Worker Every code block between two jump locations is a `basic block`. 85*08b48e0bSAndroid Build Coastguard Worker 86*08b48e0bSAndroid Build Coastguard Worker An `edge` is then the unique relationship between two directly connected 87*08b48e0bSAndroid Build Coastguard Worker `basic blocks` (from the code example above): 88*08b48e0bSAndroid Build Coastguard Worker 89*08b48e0bSAndroid Build Coastguard Worker ``` 90*08b48e0bSAndroid Build Coastguard Worker Block A 91*08b48e0bSAndroid Build Coastguard Worker | 92*08b48e0bSAndroid Build Coastguard Worker v 93*08b48e0bSAndroid Build Coastguard Worker Block B <------+ 94*08b48e0bSAndroid Build Coastguard Worker / \ | 95*08b48e0bSAndroid Build Coastguard Worker v v | 96*08b48e0bSAndroid Build Coastguard Worker Block C Block D --+ 97*08b48e0bSAndroid Build Coastguard Worker \ 98*08b48e0bSAndroid Build Coastguard Worker v 99*08b48e0bSAndroid Build Coastguard Worker Block E 100*08b48e0bSAndroid Build Coastguard Worker ``` 101*08b48e0bSAndroid Build Coastguard Worker 102*08b48e0bSAndroid Build Coastguard Worker Every line between two blocks is an `edge`. Note that a few basic block loop 103*08b48e0bSAndroid Build Coastguard Worker to itself, this too would be an edge. 104*08b48e0bSAndroid Build Coastguard Worker</p></details> 105*08b48e0bSAndroid Build Coastguard Worker 106*08b48e0bSAndroid Build Coastguard Worker<details> 107*08b48e0bSAndroid Build Coastguard Worker <summary id="should-you-ever-stop-afl-fuzz-minimize-the-corpus-and-restart">Should you ever stop afl-fuzz, minimize the corpus and restart?</summary><p> 108*08b48e0bSAndroid Build Coastguard Worker 109*08b48e0bSAndroid Build Coastguard Worker To stop afl-fuzz, minimize it's corpus and restart you would usually do: 110*08b48e0bSAndroid Build Coastguard Worker 111*08b48e0bSAndroid Build Coastguard Worker ``` 112*08b48e0bSAndroid Build Coastguard Worker Control-C # to terminate afl-fuzz 113*08b48e0bSAndroid Build Coastguard Worker $ afl-cmin -T nproc -i out/default/queue -o minimized_queue -- ./target 114*08b48e0bSAndroid Build Coastguard Worker $ AFL_FAST_CAL=1 AFL_CMPLOG_ONLY_NEW=1 afl-fuzz -i minimized_queue -o out2 [other options] -- ./target 115*08b48e0bSAndroid Build Coastguard Worker ``` 116*08b48e0bSAndroid Build Coastguard Worker 117*08b48e0bSAndroid Build Coastguard Worker If this improves fuzzing or not is debated and no consensus has been reached 118*08b48e0bSAndroid Build Coastguard Worker or in-depth analysis been performed. 119*08b48e0bSAndroid Build Coastguard Worker 120*08b48e0bSAndroid Build Coastguard Worker On the pro side: 121*08b48e0bSAndroid Build Coastguard Worker * The queue/corpus is reduced (up to 20%) by removing intermediate paths 122*08b48e0bSAndroid Build Coastguard Worker that are maybe not needed anymore. 123*08b48e0bSAndroid Build Coastguard Worker 124*08b48e0bSAndroid Build Coastguard Worker On the con side: 125*08b48e0bSAndroid Build Coastguard Worker * Fuzzing time is lost for the time the fuzzing is stopped, minimized and 126*08b48e0bSAndroid Build Coastguard Worker restarted. 127*08b48e0bSAndroid Build Coastguard Worker 128*08b48e0bSAndroid Build Coastguard Worker The the big question: 129*08b48e0bSAndroid Build Coastguard Worker * Does a minimized queue/corpus improve finding new coverage or does it 130*08b48e0bSAndroid Build Coastguard Worker hinder it? 131*08b48e0bSAndroid Build Coastguard Worker 132*08b48e0bSAndroid Build Coastguard Worker The AFL++ team's own limited analysis seem to to show that keeping 133*08b48e0bSAndroid Build Coastguard Worker intermediate paths help to find more coverage, at least for afl-fuzz. 134*08b48e0bSAndroid Build Coastguard Worker 135*08b48e0bSAndroid Build Coastguard Worker For honggfuzz in comparison it is a good idea to restart it from time to 136*08b48e0bSAndroid Build Coastguard Worker time if you have other fuzzers (e.g: AFL++) running in parallel to sync 137*08b48e0bSAndroid Build Coastguard Worker the finds of other fuzzers to honggfuzz as it has no syncing feature like 138*08b48e0bSAndroid Build Coastguard Worker AFL++ or libfuzzer. 139*08b48e0bSAndroid Build Coastguard Worker 140*08b48e0bSAndroid Build Coastguard Worker</p></details> 141*08b48e0bSAndroid Build Coastguard Worker 142*08b48e0bSAndroid Build Coastguard Worker## Targets 143*08b48e0bSAndroid Build Coastguard Worker 144*08b48e0bSAndroid Build Coastguard Worker<details> 145*08b48e0bSAndroid Build Coastguard Worker <summary id="how-can-i-fuzz-a-binary-only-target">How can I fuzz a binary-only target?</summary><p> 146*08b48e0bSAndroid Build Coastguard Worker 147*08b48e0bSAndroid Build Coastguard Worker AFL++ is a great fuzzer if you have the source code available. 148*08b48e0bSAndroid Build Coastguard Worker 149*08b48e0bSAndroid Build Coastguard Worker However, if there is only the binary program and no source code available, 150*08b48e0bSAndroid Build Coastguard Worker then the standard non-instrumented mode is not effective. 151*08b48e0bSAndroid Build Coastguard Worker 152*08b48e0bSAndroid Build Coastguard Worker To learn how these binaries can be fuzzed, read 153*08b48e0bSAndroid Build Coastguard Worker [fuzzing_binary-only_targets.md](fuzzing_binary-only_targets.md). 154*08b48e0bSAndroid Build Coastguard Worker</p></details> 155*08b48e0bSAndroid Build Coastguard Worker 156*08b48e0bSAndroid Build Coastguard Worker<details> 157*08b48e0bSAndroid Build Coastguard Worker <summary id="how-can-i-fuzz-a-network-service">How can I fuzz a network service?</summary><p> 158*08b48e0bSAndroid Build Coastguard Worker 159*08b48e0bSAndroid Build Coastguard Worker The short answer is - you cannot, at least not "out of the box". 160*08b48e0bSAndroid Build Coastguard Worker 161*08b48e0bSAndroid Build Coastguard Worker For more information on fuzzing network services, see 162*08b48e0bSAndroid Build Coastguard Worker [best_practices.md#fuzzing-a-network-service](best_practices.md#fuzzing-a-network-service). 163*08b48e0bSAndroid Build Coastguard Worker</p></details> 164*08b48e0bSAndroid Build Coastguard Worker 165*08b48e0bSAndroid Build Coastguard Worker<details> 166*08b48e0bSAndroid Build Coastguard Worker <summary id="how-can-i-fuzz-a-gui-program">How can I fuzz a GUI program?</summary><p> 167*08b48e0bSAndroid Build Coastguard Worker 168*08b48e0bSAndroid Build Coastguard Worker Not all GUI programs are suitable for fuzzing. If the GUI program can read the 169*08b48e0bSAndroid Build Coastguard Worker fuzz data from a file without needing any user interaction, then it would be 170*08b48e0bSAndroid Build Coastguard Worker suitable for fuzzing. 171*08b48e0bSAndroid Build Coastguard Worker 172*08b48e0bSAndroid Build Coastguard Worker For more information on fuzzing GUI programs, see 173*08b48e0bSAndroid Build Coastguard Worker [best_practices.md#fuzzing-a-gui-program](best_practices.md#fuzzing-a-gui-program). 174*08b48e0bSAndroid Build Coastguard Worker</p></details> 175*08b48e0bSAndroid Build Coastguard Worker 176*08b48e0bSAndroid Build Coastguard Worker## Performance 177*08b48e0bSAndroid Build Coastguard Worker 178*08b48e0bSAndroid Build Coastguard Worker<details> 179*08b48e0bSAndroid Build Coastguard Worker <summary id="what-makes-a-good-performance">What makes a good performance?</summary><p> 180*08b48e0bSAndroid Build Coastguard Worker 181*08b48e0bSAndroid Build Coastguard Worker Good performance generally means "making the fuzzing results better". This can 182*08b48e0bSAndroid Build Coastguard Worker be influenced by various factors, for example, speed (finding lots of paths 183*08b48e0bSAndroid Build Coastguard Worker quickly) or thoroughness (working with decreased speed, but finding better 184*08b48e0bSAndroid Build Coastguard Worker mutations). 185*08b48e0bSAndroid Build Coastguard Worker</p></details> 186*08b48e0bSAndroid Build Coastguard Worker 187*08b48e0bSAndroid Build Coastguard Worker<details> 188*08b48e0bSAndroid Build Coastguard Worker <summary id="how-can-i-improve-the-fuzzing-speed">How can I improve the fuzzing speed?</summary><p> 189*08b48e0bSAndroid Build Coastguard Worker 190*08b48e0bSAndroid Build Coastguard Worker There are a few things you can do to improve the fuzzing speed, see 191*08b48e0bSAndroid Build Coastguard Worker [best_practices.md#improving-speed](best_practices.md#improving-speed). 192*08b48e0bSAndroid Build Coastguard Worker</p></details> 193*08b48e0bSAndroid Build Coastguard Worker 194*08b48e0bSAndroid Build Coastguard Worker<details> 195*08b48e0bSAndroid Build Coastguard Worker <summary id="why-is-my-stability-below-100percent">Why is my stability below 100%?</summary><p> 196*08b48e0bSAndroid Build Coastguard Worker 197*08b48e0bSAndroid Build Coastguard Worker Stability is measured by how many percent of the edges in the target are 198*08b48e0bSAndroid Build Coastguard Worker "stable". Sending the same input again and again should take the exact same 199*08b48e0bSAndroid Build Coastguard Worker path through the target every time. If that is the case, the stability is 200*08b48e0bSAndroid Build Coastguard Worker 100%. 201*08b48e0bSAndroid Build Coastguard Worker 202*08b48e0bSAndroid Build Coastguard Worker If, however, randomness happens, e.g., a thread reading other external data, 203*08b48e0bSAndroid Build Coastguard Worker reaction to timing, etc., then in some of the re-executions with the same data 204*08b48e0bSAndroid Build Coastguard Worker the edge coverage result will be different across runs. Those edges that 205*08b48e0bSAndroid Build Coastguard Worker change are then flagged "unstable". 206*08b48e0bSAndroid Build Coastguard Worker 207*08b48e0bSAndroid Build Coastguard Worker The more "unstable" edges there are, the harder it is for AFL++ to identify 208*08b48e0bSAndroid Build Coastguard Worker valid new paths. 209*08b48e0bSAndroid Build Coastguard Worker 210*08b48e0bSAndroid Build Coastguard Worker If you fuzz in persistent mode (`AFL_LOOP` or `LLVMFuzzerTestOneInput()` 211*08b48e0bSAndroid Build Coastguard Worker harnesses, a large number of unstable edges can mean that the target keeps 212*08b48e0bSAndroid Build Coastguard Worker internal state and therefore it is possible that crashes cannot be replayed. 213*08b48e0bSAndroid Build Coastguard Worker In such a case do either **not** fuzz in persistent mode (remove `AFL_LOOP()` 214*08b48e0bSAndroid Build Coastguard Worker from your harness or call `LLVMFuzzerTestOneInput()` harnesses with `@@`), 215*08b48e0bSAndroid Build Coastguard Worker or set a low `AFL_LOOP` value, e.g. 100, and enable `AFL_PERSISTENT_RECORD` 216*08b48e0bSAndroid Build Coastguard Worker in `config.h` with the same value. 217*08b48e0bSAndroid Build Coastguard Worker 218*08b48e0bSAndroid Build Coastguard Worker A value above 90% is usually fine and a value above 80% is also still ok, and 219*08b48e0bSAndroid Build Coastguard Worker even a value above 20% can still result in successful finds of bugs. However, 220*08b48e0bSAndroid Build Coastguard Worker it is recommended that for values below 90% or 80% you should take 221*08b48e0bSAndroid Build Coastguard Worker countermeasures to improve stability. 222*08b48e0bSAndroid Build Coastguard Worker 223*08b48e0bSAndroid Build Coastguard Worker For more information on stability and how to improve the stability value, see 224*08b48e0bSAndroid Build Coastguard Worker [best_practices.md#improving-stability](best_practices.md#improving-stability). 225*08b48e0bSAndroid Build Coastguard Worker</p></details> 226*08b48e0bSAndroid Build Coastguard Worker 227*08b48e0bSAndroid Build Coastguard Worker<details> 228*08b48e0bSAndroid Build Coastguard Worker <summary id="what-are-power-schedules">What are power schedules?</summary><p> 229*08b48e0bSAndroid Build Coastguard Worker 230*08b48e0bSAndroid Build Coastguard Worker Not every item in our queue/corpus is the same, some are more interesting, 231*08b48e0bSAndroid Build Coastguard Worker others provide little value. 232*08b48e0bSAndroid Build Coastguard Worker A power schedule measures how "interesting" a value is, and depending on 233*08b48e0bSAndroid Build Coastguard Worker the calculated value spends more or less time mutating it. 234*08b48e0bSAndroid Build Coastguard Worker 235*08b48e0bSAndroid Build Coastguard Worker AFL++ comes with several power schedules, initially ported from 236*08b48e0bSAndroid Build Coastguard Worker [AFLFast](https://github.com/mboehme/aflfast), however, modified to be more 237*08b48e0bSAndroid Build Coastguard Worker effective and several more modes added. 238*08b48e0bSAndroid Build Coastguard Worker 239*08b48e0bSAndroid Build Coastguard Worker The most effective modes are `-p fast` (default) and `-p explore`. 240*08b48e0bSAndroid Build Coastguard Worker 241*08b48e0bSAndroid Build Coastguard Worker If you fuzz with several parallel afl-fuzz instances, then it is beneficial 242*08b48e0bSAndroid Build Coastguard Worker to assign a different schedule to each instance, however the majority should 243*08b48e0bSAndroid Build Coastguard Worker be `fast` and `explore`. 244*08b48e0bSAndroid Build Coastguard Worker 245*08b48e0bSAndroid Build Coastguard Worker It does not make sense to explain the details of the calculation and 246*08b48e0bSAndroid Build Coastguard Worker reasoning behind all of the schedules. If you are interested, read the source 247*08b48e0bSAndroid Build Coastguard Worker code and the AFLFast paper. 248*08b48e0bSAndroid Build Coastguard Worker</p></details> 249*08b48e0bSAndroid Build Coastguard Worker 250*08b48e0bSAndroid Build Coastguard Worker## Troubleshooting 251*08b48e0bSAndroid Build Coastguard Worker 252*08b48e0bSAndroid Build Coastguard Worker<details> 253*08b48e0bSAndroid Build Coastguard Worker <summary id="fatal-forkserver-is-already-up-but-an-instrumented-dlopen-library-loaded-afterwards">FATAL: forkserver is already up but an instrumented dlopen library loaded afterwards</summary><p> 254*08b48e0bSAndroid Build Coastguard Worker 255*08b48e0bSAndroid Build Coastguard Worker It can happen that you see this error on startup when fuzzing a target: 256*08b48e0bSAndroid Build Coastguard Worker 257*08b48e0bSAndroid Build Coastguard Worker ``` 258*08b48e0bSAndroid Build Coastguard Worker [-] FATAL: forkserver is already up, but an instrumented dlopen() library 259*08b48e0bSAndroid Build Coastguard Worker loaded afterwards. You must AFL_PRELOAD such libraries to be able 260*08b48e0bSAndroid Build Coastguard Worker to fuzz them or LD_PRELOAD to run outside of afl-fuzz. 261*08b48e0bSAndroid Build Coastguard Worker To ignore this set AFL_IGNORE_PROBLEMS=1. 262*08b48e0bSAndroid Build Coastguard Worker ``` 263*08b48e0bSAndroid Build Coastguard Worker 264*08b48e0bSAndroid Build Coastguard Worker As the error describes, a dlopen() call is happening in the target that is 265*08b48e0bSAndroid Build Coastguard Worker loading an instrumented library after the forkserver is already in place. This 266*08b48e0bSAndroid Build Coastguard Worker is a problem for afl-fuzz because when the forkserver is started, we must know 267*08b48e0bSAndroid Build Coastguard Worker the map size already and it can't be changed later. 268*08b48e0bSAndroid Build Coastguard Worker 269*08b48e0bSAndroid Build Coastguard Worker The best solution is to simply set `AFL_PRELOAD=foo.so` to the libraries that 270*08b48e0bSAndroid Build Coastguard Worker are dlopen'ed (e.g., use `strace` to see which), or to set a manual forkserver 271*08b48e0bSAndroid Build Coastguard Worker after the final dlopen(). 272*08b48e0bSAndroid Build Coastguard Worker 273*08b48e0bSAndroid Build Coastguard Worker If this is not a viable option, you can set `AFL_IGNORE_PROBLEMS=1` but then 274*08b48e0bSAndroid Build Coastguard Worker the existing map will be used also for the newly loaded libraries, which 275*08b48e0bSAndroid Build Coastguard Worker allows it to work, however, the efficiency of the fuzzing will be partially 276*08b48e0bSAndroid Build Coastguard Worker degraded. Note that there is additionally `AFL_IGNORE_PROBLEMS_COVERAGE` to 277*08b48e0bSAndroid Build Coastguard Worker additionally tell AFL++ to ignore any coverage from the late loaded libaries. 278*08b48e0bSAndroid Build Coastguard Worker</p></details> 279*08b48e0bSAndroid Build Coastguard Worker 280*08b48e0bSAndroid Build Coastguard Worker<details> 281*08b48e0bSAndroid Build Coastguard Worker <summary id="i-got-a-weird-compile-error-from-clang">I got a weird compile error from clang.</summary><p> 282*08b48e0bSAndroid Build Coastguard Worker 283*08b48e0bSAndroid Build Coastguard Worker If you see this kind of error when trying to instrument a target with 284*08b48e0bSAndroid Build Coastguard Worker afl-cc/afl-clang-fast/afl-clang-lto: 285*08b48e0bSAndroid Build Coastguard Worker 286*08b48e0bSAndroid Build Coastguard Worker ``` 287*08b48e0bSAndroid Build Coastguard Worker /prg/tmp/llvm-project/build/bin/clang-13: symbol lookup error: /usr/local/bin/../lib/afl//cmplog-instructions-pass.so: undefined symbol: _ZNK4llvm8TypeSizecvmEv 288*08b48e0bSAndroid Build Coastguard Worker clang-13: error: unable to execute command: No such file or directory 289*08b48e0bSAndroid Build Coastguard Worker clang-13: error: clang frontend command failed due to signal (use -v to see invocation) 290*08b48e0bSAndroid Build Coastguard Worker clang version 13.0.0 (https://github.com/llvm/llvm-project 1d7cf550721c51030144f3cd295c5789d51c4aad) 291*08b48e0bSAndroid Build Coastguard Worker Target: x86_64-unknown-linux-gnu 292*08b48e0bSAndroid Build Coastguard Worker Thread model: posix 293*08b48e0bSAndroid Build Coastguard Worker InstalledDir: /prg/tmp/llvm-project/build/bin 294*08b48e0bSAndroid Build Coastguard Worker clang-13: note: diagnostic msg: 295*08b48e0bSAndroid Build Coastguard Worker ******************** 296*08b48e0bSAndroid Build Coastguard Worker ``` 297*08b48e0bSAndroid Build Coastguard Worker 298*08b48e0bSAndroid Build Coastguard Worker Then this means that your OS updated the clang installation from an upgrade 299*08b48e0bSAndroid Build Coastguard Worker package and because of that the AFL++ llvm plugins do not match anymore. 300*08b48e0bSAndroid Build Coastguard Worker 301*08b48e0bSAndroid Build Coastguard Worker Solution: `git pull ; make clean install` of AFL++. 302*08b48e0bSAndroid Build Coastguard Worker</p></details> 303*08b48e0bSAndroid Build Coastguard Worker 304*08b48e0bSAndroid Build Coastguard Worker<details> 305*08b48e0bSAndroid Build Coastguard Worker <summary id="afl-map-size-warning">AFL++ map size warning.</summary><p> 306*08b48e0bSAndroid Build Coastguard Worker 307*08b48e0bSAndroid Build Coastguard Worker When you run a large instrumented program stand-alone or via afl-showmap 308*08b48e0bSAndroid Build Coastguard Worker you might see a warning like the following: 309*08b48e0bSAndroid Build Coastguard Worker 310*08b48e0bSAndroid Build Coastguard Worker ``` 311*08b48e0bSAndroid Build Coastguard Worker Warning: AFL++ tools might need to set AFL_MAP_SIZE to 223723 to be able to run this instrumented program if this crashes! 312*08b48e0bSAndroid Build Coastguard Worker ``` 313*08b48e0bSAndroid Build Coastguard Worker 314*08b48e0bSAndroid Build Coastguard Worker Depending how the target works it might also crash afterwards. 315*08b48e0bSAndroid Build Coastguard Worker 316*08b48e0bSAndroid Build Coastguard Worker Solution: just do an `export AFL_MAP_SIZE=(the value in the warning)`. 317*08b48e0bSAndroid Build Coastguard Worker</p></details> 318*08b48e0bSAndroid Build Coastguard Worker 319*08b48e0bSAndroid Build Coastguard Worker<details> 320*08b48e0bSAndroid Build Coastguard Worker <summary id="linker-errors">Linker errors.</summary><p> 321*08b48e0bSAndroid Build Coastguard Worker 322*08b48e0bSAndroid Build Coastguard Worker If you compile C++ harnesses and see `undefined reference` errors for 323*08b48e0bSAndroid Build Coastguard Worker variables named `__afl_...`, e.g.: 324*08b48e0bSAndroid Build Coastguard Worker 325*08b48e0bSAndroid Build Coastguard Worker ``` 326*08b48e0bSAndroid Build Coastguard Worker /usr/bin/ld: /tmp/test-d3085f.o: in function `foo::test()': 327*08b48e0bSAndroid Build Coastguard Worker test.cpp:(.text._ZN3fooL4testEv[_ZN3fooL4testEv]+0x35): undefined reference to `foo::__afl_connected' 328*08b48e0bSAndroid Build Coastguard Worker clang: error: linker command failed with exit code 1 (use -v to see invocation) 329*08b48e0bSAndroid Build Coastguard Worker ``` 330*08b48e0bSAndroid Build Coastguard Worker 331*08b48e0bSAndroid Build Coastguard Worker Then you use AFL++ macros like `__AFL_LOOP` within a namespace and this 332*08b48e0bSAndroid Build Coastguard Worker will not work. 333*08b48e0bSAndroid Build Coastguard Worker 334*08b48e0bSAndroid Build Coastguard Worker Solution: Move that harness portion to the global namespace, e.g. before: 335*08b48e0bSAndroid Build Coastguard Worker ``` 336*08b48e0bSAndroid Build Coastguard Worker #include <cstdio> 337*08b48e0bSAndroid Build Coastguard Worker namespace foo { 338*08b48e0bSAndroid Build Coastguard Worker static void test() { 339*08b48e0bSAndroid Build Coastguard Worker while(__AFL_LOOP(1000)) { 340*08b48e0bSAndroid Build Coastguard Worker foo::function(); 341*08b48e0bSAndroid Build Coastguard Worker } 342*08b48e0bSAndroid Build Coastguard Worker } 343*08b48e0bSAndroid Build Coastguard Worker } 344*08b48e0bSAndroid Build Coastguard Worker 345*08b48e0bSAndroid Build Coastguard Worker int main(int argc, char** argv) { 346*08b48e0bSAndroid Build Coastguard Worker foo::test(); 347*08b48e0bSAndroid Build Coastguard Worker return 0; 348*08b48e0bSAndroid Build Coastguard Worker } 349*08b48e0bSAndroid Build Coastguard Worker ``` 350*08b48e0bSAndroid Build Coastguard Worker after: 351*08b48e0bSAndroid Build Coastguard Worker ``` 352*08b48e0bSAndroid Build Coastguard Worker #include <cstdio> 353*08b48e0bSAndroid Build Coastguard Worker static void mytest() { 354*08b48e0bSAndroid Build Coastguard Worker while(__AFL_LOOP(1000)) { 355*08b48e0bSAndroid Build Coastguard Worker foo::function(); 356*08b48e0bSAndroid Build Coastguard Worker } 357*08b48e0bSAndroid Build Coastguard Worker } 358*08b48e0bSAndroid Build Coastguard Worker namespace foo { 359*08b48e0bSAndroid Build Coastguard Worker static void test() { 360*08b48e0bSAndroid Build Coastguard Worker mytest(); 361*08b48e0bSAndroid Build Coastguard Worker } 362*08b48e0bSAndroid Build Coastguard Worker } 363*08b48e0bSAndroid Build Coastguard Worker int main(int argc, char** argv) { 364*08b48e0bSAndroid Build Coastguard Worker foo::test(); 365*08b48e0bSAndroid Build Coastguard Worker return 0; 366*08b48e0bSAndroid Build Coastguard Worker } 367*08b48e0bSAndroid Build Coastguard Worker ``` 368*08b48e0bSAndroid Build Coastguard Worker</p></details> 369