Conversation
| ./afl++ docker afl-clang-fast++ -DNO_MAIN -g -O2 -fsanitize=fuzzer harness.cc main.cc -o fuzz | ||
| mkdir seeds && echo "a" > seeds/minimal_seed | ||
| ./afl++ docker afl-clang-fast++ -DNO_MAIN=1 -O2 -fsanitize=fuzzer harness.cc main.cc -o fuzz | ||
| mkdir seeds && echo "aaaa" > seeds/minimal_seed |
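Review bot: both the old and the new seed line use `mkdir seeds && echo ... > seeds/minimal_seed`, which aborts on a second run because `mkdir` fails once the directory already exists; `mkdir -p seeds` keeps the snippet re-runnable without changing the intent of the four-byte seed.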
better create seeds with a length of 4, just a minor nit
| - **LTO mode** (`afl-clang-lto`): Best performance and instrumentation. Try this first. | ||
| - **LLVM mode** (`afl-clang-fast`): Fall back if LTO fails to compile. | ||
| - **GCC plugin** (`afl-gcc-fast`): For projects requiring GCC. | ||
| - **Legacy Clang** (`afl-clang`): Last resort for compatibility. |
support removed from afl++
| ```bash | ||
| ./afl++ <host/docker> afl-clang-fast++ -DNO_MAIN -g -O2 -fsanitize=fuzzer harness.cc main.cc -o fuzz | ||
| ./afl++ <host/docker> afl-clang-fast++ -DNO_MAIN=1 -O2 -fsanitize=fuzzer harness.cc main.cc -o fuzz |
-g is inherently set in afl++ compilers, and defines should always be set with =1
| ```bash | ||
| ./afl++ <host/docker> AFL_PIZZA_MODE=1 afl-fuzz -i seeds -o out -- ./fuzz | ||
| ./afl++ <host/docker> AFL_FAST_CAL=1 afl-fuzz -i seeds -o out -- ./fuzz |
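Review bot: `AFL_FAST_CAL=1` is passed as an argument after `./afl++ <host/docker>` rather than exported, so whether afl-fuzz ever sees it depends on the wrapper forwarding leading `VAR=value` tokens into the host or container environment; either document how the wrapper handles environment variables or show `export AFL_FAST_CAL=1` before the call. Since the same variable is described later in this PR as a recommendation for slow targets rather than a default, the basic run example may be clearer without it.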
pizza mode is a dangerous thing to teach :-)
| > and systematic coverage improvement, see the **coverage-analysis** technique skill. | ||
| ## CMPLOG | ||
this is the most important reason why to fuzz with AFL++.
| | Limit input size | Larger inputs don't necessarily explore more space | | ||
| | Monitor stability | Low stability indicates non-deterministic behavior | | ||
| ### Persistent Mode & Shared Memory |
better to use LLVMFuzzerTestOneInput harnesses instead
| @@ -566,22 +537,25 @@ apt install zlib1g-dev | |||
| # Configure and build static library | |||
the libpng example section suffers from a mix of installing libpng on the host but then using the wrapper to run stuff. IMHO either set up everything in docker and make it clear how this is done, or do it on the host.
| add_executable(fuzz main.cc harness.cc) | ||
| target_compile_definitions(fuzz PRIVATE NO_MAIN=1) | ||
| target_compile_options(fuzz PRIVATE -g -O2 -fsanitize=fuzzer) | ||
| target_compile_options(fuzz PRIVATE -O2 -fsanitize=fuzzer-no-link) |
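Review bot: switching to `-fsanitize=fuzzer-no-link` in `target_compile_options` leaves nothing to pull in the fuzzer driver at link time, and with `NO_MAIN=1` the target itself has no `main`, so the object files compile but the link of `fuzz` fails. Add a matching link flag, e.g. `target_link_options(fuzz PRIVATE -fsanitize=fuzzer)`, so the AFL++ driver that supplies `main` and calls `LLVMFuzzerTestOneInput` is linked in.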
will fail compiling object files are built
Thanks @vanhauser-thc! This skill was mostly auto-generated from our Testing Handbook. I'll make sure the source material there is updated too. https://appsec.guide/docs/fuzzing/c-cpp/aflpp/
- Fix "envinroment" → "environment" typo
- Use ./afl++ wrapper consistently in libpng example

Co-Authored-By: Claude Opus 4.5 <[email protected]>
* Added 'when NOT to use' section to dwarf-expert skill.
* Add coding reference and reorganize dwarf-expert skill structure
  - Add reference/coding.md with guidelines for writing, modifying, and reviewing code that interacts with DWARF data
  - Rename specs/ directory to standards/ for clearer naming
  - Update SKILL.md with decision tree for choosing the right approach
  - Move DWARF library table to the new coding reference document
Add a practical "Environment Variables That Matter" section covering:
- Always-set variables (AFL_TMPDIR, AFL_FAST_CAL) for free perf wins
- Multi-core campaign variables (AFL_FINAL_SYNC, AFL_TESTCACHE_SIZE)
- CI/automated fuzzing variables (AFL_EXIT_ON_TIME, AFL_NO_UI)
- Variables to avoid (AFL_NO_ARITH, AFL_SHUFFLE_QUEUE, AFL_DISABLE_TRIM)

Follow-up from PR trailofbits#15 review feedback. Closes trailofbits#18
* docs(aflpp): add opinionated environment variables guide

  Add a practical "Environment Variables That Matter" section covering:
  - Always-set variables (AFL_TMPDIR, AFL_FAST_CAL) for free perf wins
  - Multi-core campaign variables (AFL_FINAL_SYNC, AFL_TESTCACHE_SIZE)
  - CI/automated fuzzing variables (AFL_EXIT_ON_TIME, AFL_NO_UI)
  - Variables to avoid (AFL_NO_ARITH, AFL_SHUFFLE_QUEUE, AFL_DISABLE_TRIM)

  Follow-up from PR #15 review feedback. Closes #18

* docs(aflpp): address review feedback on env vars guide
  - AFL_FAST_CAL: clarify it's recommended for slow targets, not universal
  - AFL_FINAL_SYNC: correct scope to afl-cmin corpus minimization
  - AFL_TESTCACHE_SIZE: add default (50 MB) and recommended range (50-250)
  - AFL_NO_ARITH: note it may help for text-based formats

* fix: address review feedback on AFL env vars descriptions
  - AFL_FAST_CAL: move to its own "Slow Targets" section to clarify it's specifically recommended for slow targets, not always
  - AFL_FINAL_SYNC: clarify it only matters for afl-cmin corpus minimization, not for the fuzzing process itself
  - AFL_TESTCACHE_SIZE: mention default is 50 MB and good range is 50-250 MB
  - AFL_NO_ARITH: soften wording to note it may be useful for text-based targets

  Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>
The AFL++ skill has various bugs, outdated information and is missing improvements.
I am commenting the changes in the PR to explain why the changes should be done.
For further improvements, a section could be added to explain various good environment variables to add for fuzzing with afl-fuzz.