afl-cc

NAME

afl-cc - afl-cc++4.04c by Michal Zalewski, Laszlo Szekeres, Marc Heuse afl-cc

SYNOPSIS

afl-cc/afl-c++ [options]

OPTIONS

This is a helper application for afl-fuzz. It serves as a drop-in replacement
for gcc and clang, letting you recompile third-party code with the required
runtime instrumentation. A common use pattern would be one of the following:

CC=afl-cc CXX=afl-c++ ./configure --disable-shared
cmake -DCMAKE_C_COMPILERC=afl-cc -DCMAKE_CXX_COMPILER=afl-c++ .
CC=afl-cc CXX=afl-c++ meson

|------------- FEATURES -------------|
MODES: NCC PERSIST DICT LAF CMPLOG SELECT
[LTO] llvm LTO: AVAILABLE
PCGUARD DEFAULT yes yes yes yes yes yes
CLASSIC yes yes yes yes yes yes
[LLVM] llvm: AVAILABLE [SELECTED]
PCGUARD DEFAULT yes yes module yes yes yes
CLASSIC no yes module yes yes yes
- NORMAL
- CALLER
- CTX
- NGRAM-{2-16}
[GCC_PLUGIN] gcc plugin: unavailable!
CLASSIC DEFAULT no yes no no no yes
[GCC/CLANG] simple gcc/clang: AVAILABLE
CLASSIC DEFAULT no no no no no no

Modes:
To select the compiler mode use a symlink version (e.g. afl-clang-fast), set
the environment variable AFL_CC_COMPILER to a mode (e.g. LLVM) or use the
command line parameter --afl-MODE (e.g. --afl-llvm). If none is selected,
afl-cc will select the best available (LLVM -> GCC_PLUGIN -> GCC).
The best is LTO but it often needs RANLIB and AR settings outside of afl-cc.

Sub-Modes: (set via env AFL_LLVM_INSTRUMENT, afl-cc selects the best available)
PCGUARD: Dominator tree instrumentation (best!) (README.llvm.md)
LLVM-NATIVE: use llvm’s native PCGUARD instrumentation (less performant)
CLASSIC: decision target instrumentation (README.llvm.md)
CALLER: CLASSIC + single callee context (instrumentation/README.ctx.md)
CTX: CLASSIC + full callee context (instrumentation/README.ctx.md)
NGRAM-x: CLASSIC + previous path ((instrumentation/README.ngram.md)

Features: (see documentation links)
NCC: non-colliding coverage [automatic] (that is an amazing thing!)
(instrumentation/README.lto.md)
PERSIST: persistent mode support [code] (huge speed increase!)
(instrumentation/README.persistent_mode.md)
DICT: dictionary in the target [yes=automatic or llvm module pass]
(instrumentation/README.lto.md + instrumentation/README.llvm.md)
LAF: comparison splitting [env] (instrumentation/README.laf-intel.md)
CMPLOG: input2state exploration [env] (instrumentation/README.cmplog.md)
SELECT: selective instrumentation (allow/deny) on filename or function [env]
(instrumentation/README.instrument_list.md)

To see all environment variables for the configuration of afl-cc use "-hh".

For any information on the available instrumentations and options please
consult the README.md, especially section 3.1 about instrumenting targets.

afl-cc LTO with ld=/usr/lib/llvm-14/bin/ld.lld -flto=full
afl-cc LLVM version 14 using the binary path "/usr/lib/llvm-14/bin".
Compiled with shmat support.

Do not be overwhelmed :) afl-cc uses good defaults if no options are selected.
Read the documentation for FEATURES though, all are good but few are defaults.
Recommended is afl-clang-lto with AFL_LLVM_CMPLOG or afl-clang-fast with
AFL_LLVM_CMPLOG and AFL_LLVM_DICT2FILE.

AUTHOR

afl++ was written by Michal "lcamtuf" Zalewski and is maintained by Marc "van Hauser" Heuse <mh@mh-sec.de>, Heiko "hexcoder-" Eissfeldt <heiko.eissfeldt@hexco.de>, Andrea Fioraldi <andreafioraldi@gmail.com> and Dominik Maier <domenukk@gmail.com> The homepage of afl++ is: https://github.com/AFLplusplus/AFLplusplus

LICENSE

Apache License Version 2.0, January 2004