Lines Matching +full:highly +full:- +full:available
1 # Fast LLVM-based instrumentation for afl-fuzz
5 For the GCC-based instrumentation, see
10 ! llvm_mode works with llvm versions 3.8 up to 17 - but 13+ is recommended !
13 true compiler-level instrumentation, instead of the more crude assembly-level
14 rewriting approach taken by afl-gcc and afl-clang. This has several interesting
17 - The compiler can make many optimizations that are hard to pull off when
18 manually inserting assembly. As a result, some slow, CPU-bound programs will
25 - The instrumentation is CPU-independent. At least in principle, you should be
26 able to rely on it to fuzz programs on non-x86 architectures (after building
27 afl-fuzz with AFL_NO_X86=1).
29 - The instrumentation can cope a bit better with multi-threaded targets.
31 - Because the feature relies on the internals of LLVM, it is clang-specific and
33 available).
36 will probably replace afl-clang. For now, it can be built separately and
37 co-exists with the original code.
41 ## 2a) How to use this - short
46 LLVM_CONFIG=llvm-config-9 make
52 LLVM_CONFIG=~/llvm-project/build/bin/llvm-config make
60 LLVM_CONFIG=llvm-config-7 REAL_CC=gcc REAL_CXX=g++ make
63 It is highly recommended to use the newest clang version you can put your hands
68 ## 2b) How to use this - long
71 system. You should also make sure that the llvm-config tool is in your path (or
75 the version you want to use will switch compiling to this specific version - if
76 your installation is set up correctly :-)
78 Unfortunately, some systems that do have clang come without llvm-config or the
81 load modules (you'll see "Service unavailable" when loading afl-llvm-pass.so).
83 To solve all your problems, you can grab pre-built binaries for your OS from:
92 called afl-clang-fast and afl-clang-fast++ in the parent directory. Once this is
93 done, you can instrument third-party code in a way similar to the standard
97 CC=/path/to/afl/afl-clang-fast ./configure [...options...]
101 Be sure to also include CXX set to afl-clang-fast++ for C++ code.
103 Note that afl-clang-fast/afl-clang-fast++ are just pointers to afl-cc. You can
104 also use afl-cc/afl-c++ and instead direct it to use LLVM instrumentation by
105 either setting `AFL_CC_COMPILER=LLVM` or pass the parameter `--afl-llvm` via
108 The tool honors roughly the same environmental variables as afl-gcc (see
117 code to make afl-fuzz path discovery easier.
124 [README.laf-intel.md](README.laf-intel.md).
131 afl-clang-lto/afl-clang-lto++. See [README.lto.md](README.lto.md).
135 2a. N-GRAM coverage - which combines the previous visited edges with the current
138 [7) AFL++ N-Gram Branch Coverage](#7-afl-n-gram-branch-coverage).
140 2b. Context sensitive coverage - which combines the visited edges with an
142 [6) AFL++ Context Sensitive Branch Coverage](#6-afl-context-sensitive-branch-coverage).
144 Then - additionally to one of the instrumentation options above - there is a
146 laf-intel that allow AFL++ to apply mutations similar to Redqueen. See
168 with afl-fuzz' `-x` option.
178 This is an LLVM-based implementation of the context sensitive branch coverage.
191 The callstack hash is produced XOR-ing the function IDs to avoid explosion with
198 It is highly recommended to increase the MAP_SIZE_POW2 definition in config.h to
214 ## 7) AFL++ N-Gram Branch Coverage
218 This is an LLVM-based implementation of the n-gram branch coverage proposed in
220 …overage Metrics in Greybox Fuzzing"](https://www.usenix.org/system/files/raid2019-wang-jinghan.pdf)
223 Note that the original implementation (available
224 [here](https://github.com/bitsecurerlab/afl-sensitive)) is built on top of AFL's
226 (available from llvm versions 4.0.1 and higher) to achieve the same results when
230 prev_location[0] >> 1 ^ prev_location[1] >> 1 ^ ... up to n-1`] += 1`
235 specified either in the `AFL_LLVM_INSTRUMENT=NGRAM-{value}` or the
237 are 2-16.
239 It is highly recommended to increase the MAP_SIZE_POW2 definition in config.h to
247 much of an issue - unless, by chance, it wraps just to a value of zero when the
248 program execution ends. In this case, afl-fuzz is not able to see that the edge
258 This is implemented in afl-gcc and afl-gcc-fast, however, for llvm_mode this is
260 9 - as there are severe performance costs in these cases.
289 When using the `AFL_LLVM_INSTRUMENT=llvm-codecov` option, afl-cc will use
290 native trace-pc-guard instrumentation but additionally select options that
295 experimental pc-table support that allows the runtime to gather 100% of