# TODO list for AFL++

## Must

 - UI revamp
 - hardened_usercopy=0 page_alloc.shuffle=0
 - add value_profile but only enable after 15 minutes without finds
 - cmplog max len, cmplog max items envs?
 - adapt MOpt to new mutation engine
 - Update afl->pending_not_fuzzed for MOpt
 - cmplog rtn sanity check on fixed length? currently we ignore the length
 - afl-showmap -f support
 - afl-fuzz multicore wrapper script
 - when trimming then perform crash detection
 - problem: either -L0 and/or -p mmopt results in zero new coverage

## Should

 - afl-crash-analysis
 - support persistent and deferred fork server in afl-showmap?
 - better autodetection of shifting runtime timeout values
 - afl-plot to support multiple plot_data
 - parallel builds for source-only targets
 - get rid of check_binary, replace with more forkserver communication
 - first fuzzer should be a main automatically? not sure.

## Maybe

 - forkserver tells afl-fuzz if cmplog is supported and if so enable
   it by default, with AFL_CMPLOG_NO=1 (?) set to skip?
 - afl_custom_splice()
 - cmdline option from-to range for mutations

## Further down the road

QEMU mode/FRIDA mode:
 - non-colliding instrumentation
 - rename qemu specific envs to AFL_QEMU (AFL_ENTRYPOINT, AFL_CODE_START/END,
   AFL_COMPCOV_LEVEL?)
 - add AFL_QEMU_EXITPOINT (maybe multiple?)

## Ideas

 - LTO/sancov: write current edge to prev_loc and use that information when
   using cmplog or __sanitizer_cov_trace_cmp*. maybe we can deduce from follow-up
   edge numbers that both following cmp paths have been found and then disable
   working on this edge id -> cmplog_intelligence branch
 - use cmplog colorization taint result for havoc locations?