1afl-cc(8) System Manager's Manual afl-cc(8)
2
6 afl-cc - afl-cc++4.06a by Michal Zalewski, Laszlo Szekeres, Marc Heuse
7 afl-cc
8
11 afl-cc/afl-c++ [options]
12
15 This is a helper application for afl-fuzz. It serves as a drop-in replacement
16 for gcc and clang, letting you recompile third-party code with the required
17 runtime instrumentation. A common use pattern would be one of the following:
18 CC=afl-cc CXX=afl-c++ ./configure --disable-shared
20 cmake -DCMAKE_C_COMPILERC=afl-cc -DCMAKE_CXX_COMPILER=afl-c++ .
21 CC=afl-cc CXX=afl-c++ meson
22 |------------- FEATURES -------------|
24 MODES: NCC PERSIST DICT LAF CMPLOG SELECT
25 [LTO] llvm LTO: unavailable!
26 PCGUARD DEFAULT yes yes yes yes yes yes
27 CLASSIC yes yes yes yes yes yes
28 [LLVM] llvm: unavailable!
29 PCGUARD DEFAULT yes yes module yes yes yes
30 CLASSIC no yes module yes yes yes
31 - NORMAL
32 - CALLER
33 - CTX
34 - NGRAM-{2-16}
35 [GCC_PLUGIN] gcc plugin: unavailable!
36 CLASSIC DEFAULT no yes no no no yes
37 [GCC/CLANG] simple gcc/clang: AVAILABLE [SELECTED]
38 CLASSIC DEFAULT no no no no no no
39 Modes:
41 To select the compiler mode use a symlink version (e.g. afl-clang-fast), set
42 the environment variable AFL_CC_COMPILER to a mode (e.g. LLVM) or use the
43 command line parameter --afl-MODE (e.g. --afl-llvm). If none is selected,
44 afl-cc will select the best available (LLVM -> GCC_PLUGIN -> GCC).
45 The best is LTO but it often needs RANLIB and AR settings outside of afl-cc.
46 Sub-Modes: (set via env AFL_LLVM_INSTRUMENT, afl-cc selects the best available)
48 PCGUARD: Dominator tree instrumentation (best!) (README.llvm.md)
49 LLVM-NATIVE: use llvm's native PCGUARD instrumentation (less performant)
50 CLASSIC: decision target instrumentation (README.llvm.md)
51 CALLER: CLASSIC + single callee context (instrumentation/README.ctx.md)
52 CTX: CLASSIC + full callee context (instrumentation/README.ctx.md)
53 NGRAM-x: CLASSIC + previous path ((instrumentation/README.ngram.md)
54 Features: (see documentation links)
56 NCC: non-colliding coverage [automatic] (that is an amazing thing!)
57 (instrumentation/README.lto.md)
58 PERSIST: persistent mode support [code] (huge speed increase!)
59 (instrumentation/README.persistent_mode.md)
60 DICT: dictionary in the target [yes=automatic or llvm module pass]
61 (instrumentation/README.lto.md + instrumentation/README.llvm.md)
62 LAF: comparison splitting [env] (instrumentation/README.laf-intel.md)
63 CMPLOG: input2state exploration [env] (instrumentation/README.cmplog.md)
64 SELECT: selective instrumentation (allow/deny) on filename or function [env]
65 (instrumentation/README.instrument_list.md)
66 To see all environment variables for the configuration of afl-cc use "-hh".
68 For any information on the available instrumentations and options please
70 consult the README.md, especially section 3.1 about instrumenting targets.
71 Compiled with shmat support.
73 Do not be overwhelmed :) afl-cc uses good defaults if no options are selected.
75 Read the documentation for FEATURES though, all are good but few are defaults.
76 Recommended is afl-clang-lto with AFL_LLVM_CMPLOG or afl-clang-fast with
77 AFL_LLVM_CMPLOG and AFL_LLVM_DICT2FILE+AFL_LLVM_DICT2FILE_NO_MAIN.
78
82 afl++ was written by Michal "lcamtuf" Zalewski and is maintained by
83 Marc "van Hauser" Heuse <mh@mh-sec.de>, Heiko "hexcoder-" Eissfeldt
84 <heiko.eissfeldt@hexco.de>, Andrea Fioraldi <andreafioraldi@gmail.com>
85 and Dominik Maier <domenukk@gmail.com> The homepage of afl++ is:
86 https://github.com/AFLplusplus/AFLplusplus
87
90 Apache License Version 2.0, January 2004
91afl++ 2023-04-03 afl-cc(8)