|afl-clang-fast(8)||System Manager's Manual||afl-clang-fast(8)|
afl-clang-fast - afl-clang-fast++2.68c by <firstname.lastname@example.org> in PCGUARD mode
This is a helper application for afl-fuzz. It serves as a drop-in replacement for clang, letting you recompile third-party code with the required runtime instrumentation. A common use pattern would be one of the following:
CXX=/usr/bin/afl-clang-fast++ ./configure In contrast to the traditional afl-clang tool, this version is implemented as an LLVM pass and tends to offer improved performance with slow programs. Environment variables used: AFL_CC: path to the C compiler to use AFL_CXX: path to the C++ compiler to use AFL_DEBUG: enable developer debugging output AFL_DONT_OPTIMIZE: disable optimization instead of -O3 AFL_HARDEN: adds code hardening to catch memory bugs AFL_INST_RATIO: percentage of branches to instrument AFL_LLVM_SKIP_NEVERZERO: do not skip zero on trace counters AFL_LLVM_LAF_SPLIT_COMPARES: enable cascaded comparisons AFL_LLVM_LAF_SPLIT_COMPARES_BITW: size limit (default 8) AFL_LLVM_LAF_SPLIT_SWITCHES: casc. comp. in 'switch'
to cascaded comparisons AFL_LLVM_LAF_SPLIT_FLOATS: transform floating point comp. to cascaded comp. AFL_LLVM_LAF_TRANSFORM_COMPARES: transform library comparison function calls AFL_LLVM_LAF_ALL: enables all LAF splits/transforms AFL_LLVM_INSTRUMENT_ALLOW/AFL_LLVM_INSTRUMENT_DENY: enable instrumentallow/deny listing (selective instrumentation) AFL_NO_BUILTIN: compile for use with libtokencap.so AFL_PATH: path to instrumenting pass and runtime (afl-llvm-rt.*o) AFL_LLVM_DOCUMENT_IDS: document edge IDs given to which function (LTO only) AFL_QUIET: suppress verbose output AFL_USE_ASAN: activate address sanitizer AFL_USE_CFISAN: activate control flow sanitizer AFL_USE_MSAN: activate memory sanitizer AFL_USE_UBSAN: activate undefined behaviour sanitizer afl-clang-fast specific environment variables: AFL_LLVM_CMPLOG: log operands of comparisons (RedQueen mutator) AFL_LLVM_INSTRUMENT: set instrumentation mode: AFL, CFG (INSTRIM), PCGUARD [DEFAULT], LTO, CTX, NGRAM-2 ... NGRAM-16
You can also use the old environment variables instead:
AFL_LLVM_USE_TRACE_PC: use LLVM trace-pc-guard instrumentation [DEFAULT]
AFL_LLVM_INSTRIM: use light weight instrumentation InsTrim
AFL_LLVM_INSTRIM_LOOPHEAD: optimize loop tracing for speed (option to INSTRIM)
AFL_LLVM_CTX: use context sensitive coverage
AFL_LLVM_NGRAM_SIZE: use ngram prev_loc count coverage afl-clang-lto specific environment variables: AFL_LLVM_MAP_ADDR: use a fixed coverage map address (speed), e.g. 0x10000 AFL_LLVM_DOCUMENT_IDS: write all edge IDs and the corresponding functions they are in into this file AFL_LLVM_LTO_DONTWRITEID: don't write the highest ID used to a global var AFL_LLVM_LTO_STARTID: from which ID to start counting from for a bb AFL_REAL_LD: use this lld linker instead of the compiled in path afl-clang-lto was built with linker target "" and LTO flags "-flto=full" If anything fails - be sure to read README.lto.md! afl-clang-fast was built for llvm 11.0.0 with the llvm binary path of "/usr/lib/llvm-11/bin".
afl++ was written by Michal "lcamtuf" Zalewski and is maintained by Marc "van Hauser" Heuse <email@example.com>, Heiko "hexcoder-" Eissfeldt <firstname.lastname@example.org>, Andrea Fioraldi <email@example.com> and Dominik Maier <firstname.lastname@example.org> The homepage of afl++ is: https://github.com/AFLplusplus/AFLplusplus
Apache License Version 2.0, January 2004