Package Release Info

Update Info: Base Release
Available in Package Hub : 15 SP4

Change Logs

* Sun Sep 26 2021 Marcus Meissner <>
- enable gcc-plugin on factory
- build with 32bit plugins on x86_64
* Mon Jul 19 2021 Marcus Meissner <>
- updated to 3.14c
  - afl-fuzz:
  - fix -F when a '/' was part of the parameter
  - fixed a crash for cmplog for very slow inputs
  - fix for AFLfast schedule counting
  - removed implied -D deterministic from -M main
  - if the target becomes unavailable check out out/default/error.txt
    for an indicator why
  - AFL_CAL_FAST was a dead env, now does the same as AFL_FAST_CAL
  - reverse read the queue on resumes (more effective)
  - fix custom mutator trimming
  - afl-cc:
  - Update to COMPCOV/laf-intel that speeds up the instrumentation
    process a lot - thanks to Michael Rodler/f0rki for the PR!
  - Fix for failures for some sized string instrumentations
  - Fix to instrument global namespace functions in c++
  - Fix for llvm 13
  - support partial linking
  - do honor AFL_LLVM_{ALLOW/DENY}LIST for LTO autodictionary and DICT2FILE
  - We do support llvm versions from 3.8 to 5.0 again
  - frida_mode:
  - several fixes for cmplog
  - less coverage collision
  - feature parity of aarch64 with intel now (persistent, cmplog,
    in-memory testcases, asan)
  - afl-cmin and afl-showmap -i do now descend into subdirectories
    (like afl-fuzz does) - note that afl-cmin.bash does not!
  - afl_analyze:
  - fix timeout handling
  - add forkserver support for better performance
  - ensure afl-compiler-rt is built for gcc_module
  - always build aflpp_driver for libfuzzer harnesses
  - added `AFL_NO_FORKSRV` env variable support to
    afl-cmin, afl-tmin, and afl-showmap, by @jhertz
  - removed outdated documents, improved existing documentation
* Thu Jul 15 2021 Peace Peters <>
- s390x added to the compiler files
* Tue Jun 08 2021 Andreas Schwab <>
- Fix filelist for riscv64
* Tue Jun 01 2021 Marcus Meissner <>
- updated to 3.13c
  - Note: plot_data switched to relative time from unix time in 3.10
  - frida_mode - new mode that uses frida to fuzz binary-only targets,
    it currently supports persistent mode and cmplog.
    thanks to @WorksButNotTested!
  - create a fuzzing dictionary with the help of CodeQL thanks to
    @microsvuln! see utils/autodict_ql
  - afl-fuzz:
  - added patch by @realmadsci to support @@ as part of command line
    options, e.g. `afl-fuzz ... -- ./target --infile=@@`
  - add recording of previous fuzz attempts for persistent mode
    to allow replay of non-reproducible crashes, see
    AFL_PERSISTENT_RECORD in config.h and docs/envs.h
  - fixed a bug when trimming for stdin targets
  - cmplog -l: default cmplog level is now 2, better efficiency.
    level 3 now performs redqueen on everything. use with care.
  - better fuzzing strategy yield display for enabled options
  - ensure one fuzzer sync per cycle
  - fix afl_custom_queue_new_entry original file name when syncing
    from fuzzers
  - fixed a crash when more than one custom mutator was used together
    with afl_custom_post_process
  - on a crashing seed potentially the wrong input was disabled
  - added AFL_EXIT_ON_SEED_ISSUES env that will exit if a seed in
    -i dir crashes the target or results in a timeout. By default
    afl++ ignores these and uses them for splicing instead.
  - added AFL_EXIT_ON_TIME env that will make afl-fuzz exit fuzzing
    after no new paths have been found for n seconds
  - when AFL_FAST_CAL is set a variable path will now be calibrated
    8 times instead of originally 40. Long calibration is now 20.
  - added AFL_TRY_AFFINITY to try to bind to CPUs but don't error if
    it fails
  - afl-cc:
  - We do not support llvm versions prior to 6.0 anymore
  - added thread safe counters to all modes (`AFL_LLVM_THREADSAFE_INST`),
    note that this disables NeverZero counters.
  - Fix for -pie compiled binaries with default afl-clang-fast PCGUARD
  - Leak Sanitizer (AFL_USE_LSAN) added by Joshua Rogers, thanks!
  - Removed InsTrim instrumentation as it is not as good as PCGUARD
  - Removed automatic linking with -lc++ for LTO mode
  - Fixed a crash in llvm dict2file when a strncmp length was -1
  - added --afl-noopt support
  - utils/aflpp_driver:
  - aflpp_qemu_driver_hook fixed to work with qemu_mode
  - aflpp_driver now compiled with -fPIC
  - unicornafl:
  - fix MIPS delay slot caching, thanks @JackGrence
  - fixed aarch64 exit address
  - execution no longer stops at address 0x0
  - updated afl-system-config to support Arch Linux weirdness and increase
    MacOS shared memory
  - updated the grammar custom mutator to the newest version
  - add -d (add dead fuzzer stats) to afl-whatsup
  - added AFL_PRINT_FILENAMES to afl-showmap/cmin to print the
    current filename
  - afl-showmap/cmin will now process queue items in alphabetical order
* Fri Apr 09 2021 Guillaume GARDET <>
- Fix packaging for aarch64 and %arm
* Sat Apr 03 2021 Niklas Haas <>
- install `afl-clang-lto`, recommended by upstream as the best variant
  - add dependency on `lld`
  - bump llvm-devel up to >= 11.0.0
- fix /usr/bin/env path in afl.cmin scripts
- prevent stripping of runtime objects (fix bug 1184324)
* Wed Mar 24 2021 Marcus Meissner <>
- updated to 3.12c
  - afl-fuzz:
  - added AFL_TARGET_ENV variable to pass extra env vars to the target
    (for things like LD_LIBRARY_PATH)
  - fix map detection, AFL_MAP_SIZE not needed anymore for most cases
  - fix counting favorites (just a display thing)
  - afl-cc:
  - fix cmplog rtn (rare crash and not being able to gather ptr data)
  - fix our own PCGUARD implementation to compile with llvm 10.0.1
  - link runtime not to shared libs
  - ensure shared libraries are properly built and instrumented
  - AFL_LLVM_INSTRUMENT_ALLOW/DENY were not implemented for LTO, added
  - show correct LLVM PCGUARD NATIVE mode when auto switching to it
    and keep fsanitize-coverage-*list=...
    Short mnemonic NATIVE is now also accepted.
  - qemu_mode (thanks @realmadsci):
  - move AFL_PRELOAD and AFL_USE_QASAN logic inside afl-qemu-trace
  - unicorn_mode
  - accidentally removed the subfolder from github, re-added
  - added DEFAULT_PERMISSION to config.h for all files created, default
    to 0600
* Tue Mar 16 2021 Marcus Meissner <>
- updated to 3.11c
  - afl-fuzz:
  - better auto detection of map size
  - fix sanitizer settings (bug since 3.10c)
  - fix an off-by-one overwrite in cmplog
  - add non-unicode variants from unicode-looking dictionary entries
  - Rust custom mutator API improvements
  - Imported crash stats painted yellow on resume (only new ones are red)
  - afl-cc:
  - added AFL_NOOPT that will just pass everything to the normal
    gcc/clang compiler without any changes - to pass weird configure
  - fixed a crash that can occur with ASAN + CMPLOG together plus
    better support for unicode (thanks to @stbergmann for reporting!)
  - fixed a crash in LAF transform for empty strings
  - handle erroneous setups in which multiple afl-compiler-rt are
    compiled into the target. This now also supports dlopen()
    instrumented libs loaded before the forkserver and even after the
    forkserver is started (then with collisions though)
  - the compiler rt was added also in object building (-c) which
    should have been fixed years ago but somewhere got lost :(
  - Renamed CTX to CALLER, added correct/real CTX implementation to
  - qemu_mode:
  - added AFL_QEMU_EXCLUDE_RANGES env by @realmadsci, thanks!
  - if no new/updated checkout is wanted, build with:
    NO_CHECKOUT=1 ./
  - we no longer perform a "git drop"
  - afl-cmin: support filenames with spaces
- afl-3.0c-fix-paths.patch: refreshed
* Mon Mar 01 2021 Marcus Meissner <>
- update to 3.10c
  - Mac OS ARM64 support
  - Android support fixed and updated by Joey Jiaojg - thanks!
  - New selective instrumentation option with __AFL_COVERAGE_* commands
    to be placed in the source code.
    Check out instrumentation/
  - afl-fuzz
  - Making AFL_MAP_SIZE (mostly) obsolete - afl-fuzz now learns on
    start the target map size
  - upgraded cmplog/redqueen: solving for floating point, solving
    transformations (e.g. toupper, tolower, to/from hex, xor,
    arithmetics, etc.). This is costly hence new command line option
    `-l` that sets the intensity (values 1 to 3). Recommended is 2.
  - added `AFL_CMPLOG_ONLY_NEW` to not use cmplog on initial seeds
    from `-i` or resumes (these have most likely already been done)
  - fix crash for very, very fast targets+systems (thanks to mhlakhani
    for reporting)
  - on restarts (`-i`)/autoresume (AFL_AUTORESUME) the stats are now
    reloaded and used, thanks to Vimal Joseph for this patch!
  - changed the meaning of '+' of the '-t' option, it now means to
    auto-calculate the timeout with the value given being the max
    timeout. The original meaning of skipping timeouts instead of
    abort is now inherent to the -t option.
  - if deterministic mode is active (`-D`, or `-M` without `-d`) then
    we sync after every queue entry as this can take a very long time
  - added minimum SYNC_TIME to include/config.h (30 minutes default)
  - better detection if a target needs a large shared map
  - fix for `-Z`
  - fixed a few crashes
  - switched to an even faster RNG
  - added hghwng's patch for faster trace map analysis
  - printing suggestions for mistyped `AFL_` env variables
  - added Rust bindings for custom mutators (thanks @julihoh)
  - afl-cc
  - allow instrumenting LLVMFuzzerTestOneInput
  - fixed endless loop for allow/blocklist lines starting with a
    comment (thanks to Zherya for reporting)
  - cmplog/redqueen now also tracks floating point, _ExtInt() + 128bit
  - cmplog/redqueen can now process basic libc++ and libstdc++
    std::string comparisons (no position or length type variants)
  - added support for __afl_coverage_interesting() for LTO and our
    own PCGUARD (llvm 10.0.1+), read more about this function and
    selective coverage in instrumentation/
  - added AFL_LLVM_INSTRUMENT option NATIVE for native clang pc-guard
    support (less performant than our own), GCC for old afl-gcc and
    CLANG for old afl-clang
  - fixed a potential crash in the LAF feature
  - workaround for llvm bitcast lto bug
  - workaround for llvm 13
  - qemuafl
  - QASan (address sanitizer for Qemu) ported to qemuafl!
    See qemu_mode/libqasan/
  - solved some persistent mode bugs (thanks Dil4rd)
  - solved an issue when dumping the memory maps (thanks wizche)
  - Android support for QASan
  - unicornafl
  - Substantial speed gains in python bindings for certain use cases
  - Improved rust bindings
  - Added a new example harness to compare python, c and rust bindings
  - afl-cmin and afl-showmap now support the -f option
  - afl_plot now also generates a graph on the discovered edges
  - changed default: no memory limit for afl-cmin and afl-cmin.bash
  - warn on any _AFL and __AFL env vars.
  - set AFL_IGNORE_UNKNOWN_ENVS to not warn on unknown AFL_... env vars
  - added dummy Makefile to instrumentation/
  - Updated utils/afl_frida to be 5% faster, 7% on x86_64
  - Added `AFL_KILL_SIGNAL` env variable (thanks @v-p-b)
  - @Edznux added a nice documentation on how to use rpc.statsd with
    afl++ in docs/, thanks!
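The persistent-mode shared-memory test case handover (2.66c entry) and the selective instrumentation commands (`__AFL_COVERAGE_*`, 3.10c entry) listed above, as an added example harness. This is not code from the openSUSE package or from AFL++: the record format, `parse_record()`, `fuzz_one()` and the fallback macro definitions are made up for the demonstration; only the `__AFL_*` macro names are the ones AFL++'s afl-cc defines, and the no-op fallbacks are an assumption about how a non-AFL compiler should treat them so the same file builds with plain cc.

```c
/*
 * Added example harness (not part of AFL++ or of this package).
 *   fuzzing build:   afl-clang-lto -O2 harness.c -o harness
 *   stand-alone:     cc -O2 harness.c -o harness && ./harness < testcase
 * The record format parsed here is constructed for the demo:
 *   "REC" | version(1) | payload_len(1) | payload | xor-checksum(1)
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifndef __AFL_FUZZ_TESTCASE_LEN
/* Assumption for non-afl-cc builds: afl-cc defines these macros itself; here
 * they become no-ops, and "persistent mode" degrades to one read() of stdin. */
static unsigned char fallback_buf[1 << 16];
static ssize_t fallback_len;
#define __AFL_FUZZ_INIT() static int afl_fallback_init_unused __attribute__((unused))
#define __AFL_INIT() ((void)0)
#define __AFL_LOOP(n) ((fallback_len = read(0, fallback_buf, sizeof fallback_buf)) > 0)
#define __AFL_FUZZ_TESTCASE_BUF fallback_buf
#define __AFL_FUZZ_TESTCASE_LEN fallback_len
#define __AFL_COVERAGE() static int afl_fallback_cov_unused __attribute__((unused))
#define __AFL_COVERAGE_START_OFF() static int afl_fallback_startoff_unused __attribute__((unused))
#define __AFL_COVERAGE_ON() ((void)0)
#define __AFL_COVERAGE_OFF() ((void)0)
#define __AFL_COVERAGE_SKIP() ((void)0)
#endif

__AFL_FUZZ_INIT();           /* shared-memory test case handover (no files/stdin) */
__AFL_COVERAGE();            /* required once at global scope for selective coverage */
__AFL_COVERAGE_START_OFF();  /* every run starts with coverage recording disabled */

enum parse_result { PARSE_OK = 0, PARSE_BAD_MAGIC, PARSE_BAD_VERSION,
                    PARSE_TRUNCATED, PARSE_BAD_CHECKSUM };

/* The code under test: bounds-checks the header before touching the payload. */
static enum parse_result parse_record(const uint8_t *buf, size_t len, uint8_t *checksum_out)
{
    if (len < 5 || memcmp(buf, "REC", 3) != 0) return PARSE_BAD_MAGIC;
    if (buf[3] != 1) return PARSE_BAD_VERSION;
    size_t plen = buf[4];
    if (len < 5 + plen + 1) return PARSE_TRUNCATED;   /* payload + checksum byte */
    uint8_t sum = 0;
    for (size_t i = 0; i < plen; i++) sum ^= buf[5 + i];
    if (sum != buf[5 + plen]) return PARSE_BAD_CHECKSUM;
    if (checksum_out) *checksum_out = sum;
    return PARSE_OK;
}

/* One fuzz iteration. Inputs rejected by the magic check are skipped so they
 * add nothing to the map or queue; only the real parse contributes coverage. */
static enum parse_result fuzz_one(const uint8_t *buf, size_t len)
{
    if (len < 5 || memcmp(buf, "REC", 3) != 0) {
        __AFL_COVERAGE_SKIP();
        return PARSE_BAD_MAGIC;
    }
    __AFL_COVERAGE_ON();
    enum parse_result r = parse_record(buf, len, NULL);
    __AFL_COVERAGE_OFF();
    return r;
}

int main(void)
{
    unsigned long accepted = 0, rejected = 0;
    __AFL_INIT();
    unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF;  /* fetch once, after __AFL_INIT */
    while (__AFL_LOOP(10000)) {
        size_t len = (size_t)__AFL_FUZZ_TESTCASE_LEN; /* re-read every iteration */
        if (fuzz_one(buf, len) == PARSE_OK) accepted++; else rejected++;
    }
    printf("accepted=%lu rejected=%lu\n", accepted, rejected);
    return 0;
}
```

With the afl-clang-lto build, run `afl-fuzz -i in -o out -- ./harness`; the harness takes no `@@` argument because test cases arrive through the shared memory buffer. The compiler-time fallback is what lets the same file be unit-tested or run under a debugger without AFL++ installed; do not rely on it for coverage semantics, which only exist in the instrumented build.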
* Tue Dec 15 2020 Marcus Meissner <>
- updated to 3.0c
  - llvm_mode/ and gcc_plugin/ moved to instrumentation/
  - examples/ renamed to utils/
  - moved libdislocator, libtokencap and qdbi_mode to utils/
  - all compilers combined to afl-cc which emulates the previous ones
  - afl-llvm/gcc-rt.o merged into afl-compiler-rt.o
  - afl-fuzz
  - not specifying -M or -S will now auto-set "-S default"
  - deterministic fuzzing is now disabled by default and can be enabled with
    -D. It is still enabled by default for -M.
  - a new seed selection was implemented that uses weighted randoms based on
    a schedule performance score, which is much better than the previous
    walk the whole queue approach. Select the old mode with -Z (auto enabled
    with -M)
  - Marcel Boehme submitted a patch that improves all AFLfast schedules :)
  - the default schedule is now FAST
  - memory limits are now disabled by default, set them with -m if required
  - rpc.statsd support, for stats and charts, by Edznux, thanks a lot!
  - reading testcases from -i now descends into subdirectories
  - allow the -x command line option up to 4 times
  - loaded extras now have a duplication protection
  - If test cases are too large we do a partial read on the maximum
    supported size
  - longer seeds with the same trace information will now be ignored
    for fuzzing but still be used for splicing
  - crashing seeds are now not prohibiting a run anymore but are
    skipped - they are used for splicing, though
  - update MOpt for expanded havoc modes
  - setting the env var AFL_NO_AUTODICT will not load an LTO autodictionary
  - added NO_SPLICING compile option and makefile define
  - added INTROSPECTION make target that writes all mutations to
  - print special compile time options used in help output
  - when using -c cmplog, one of the children was not killed, fixed
  - somewhere we broke -n dumb fuzzing, fixed
  - added afl_custom_describe to the custom mutator API to allow for easy
    mutation reproduction on crashing inputs
  - instrumentation
  - We received an enhanced gcc_plugin module from AdaCore, thank you
    very much!!
  - not overriding -Ox or -fno-unroll-loops anymore
  - we now have our own trace-pc-guard implementation. It is the same as
    -fsanitize-coverage=trace-pc-guard from llvm 12, but: it is a) inline
    and b) works from llvm 10.0.1 + onwards :)
  - new llvm pass: dict2file via AFL_LLVM_DICT2FILE, create afl-fuzz
    -x dictionary of string comparisons found during compilation
  - LTO autodict now also collects interesting cmp comparisons,
    std::string compare + find + ==, bcmp
  - fix crash in dict2file for integers > 64 bit
  - custom mutators
  - added a new custom mutator: symcc ->
  - added a new custom mutator: libfuzzer that integrates libfuzzer mutations
  - Our afl++ Grammar-Mutator is now better integrated into custom_mutators/
  - added INTROSPECTION support for custom modules
  - python fuzz function was not optional, fixed
  - some python mutator speed improvements
  - afl-cmin/afl-cmin.bash now search first in PATH and last in AFL_PATH
  - unicornafl synced with upstream version 1.02 (fixes, better rust bindings)
  - added AFL_CRASH_EXITCODE env variable to treat a child exitcode as crash
- afl-2.63c-fix-paths.patch refreshed to afl-3.0c-fix-paths.patch
* Sat Sep 05 2020 Marcus Meissner <>
- updated to 2.68c
  - added the GSoC excellent afl++ grammar mutator by Shengtuo to our
    custom_mutators/ (see custom_mutators/ - or get it here:
  - a few QOL changes for Apple and its outdated gmake
  - afl-fuzz:
  - fix for auto dictionary entries found during fuzzing to not throw out
    a -x dictionary
  - added total execs done to plot file
  - AFL_MAX_DET_EXTRAS env variable added to control the amount of
    deterministic dict entries without recompiling.
  - AFL_FORKSRV_INIT_TMOUT env variable added to control the time to wait
    for the forkserver to come up without the need to increase the overall
  - bugfix for cmplog that results in a heap overflow based on target data
    (thanks to the magma team for reporting!)
  - write fuzzing setup into out/fuzzer_setup (environment variables and
    command line)
  - custom mutators:
  - added afl_custom_fuzz_count/fuzz_count function to allow specifying
    the number of fuzz attempts for custom_fuzz
  - llvm_mode:
  - ported SanCov to LTO, and made it the default for LTO. better
    instrumentation locations
  - Further llvm 12 support (fast moving target like afl++ :-) )
  - deprecated LLVM SKIPSINGLEBLOCK env environment
* Wed Aug 19 2020 Marcus Meissner <>
- updated to 2.67c
  - Support for improved afl++ snapshot module:
  - Due to the instrumentation needing more memory, the initial memory sizes
    for -m have been increased
  - afl-fuzz:
  - added -F option to allow -M main fuzzers to sync to foreign fuzzers,
    e.g. honggfuzz or libfuzzer
  - added -b option to bind to a specific CPU
  - eliminated CPU affinity race condition for -S/-M runs
  - expanded havoc mode added, on no cycle finds add extra splicing and
    MOpt into the mix
  - fixed a bug in redqueen for strings and made deterministic with -s
  - llvm_mode:
  - now supports llvm 12
  - support for AFL_LLVM_ALLOWLIST/AFL_LLVM_DENYLIST (previous
    are matched to AFL_LLVM_ALLOWLIST). The format is compatible to llvm
    sancov, and also supports function matching :)
  - added neverzero counting to trace-pc/pcguard
  - fixes for laf-intel float splitting (thanks to mark-griffin for
  - fixes for llvm 4.0
  - skipping ctors and ifuncs for instrumentation
  - LTO: switch default to the dynamic memory map, set AFL_LLVM_MAP_ADDR
    for a fixed map address (eg. 0x10000)
  - LTO: improved stability for persistent mode, no other instrumentation
    has that advantage
  - LTO: fixed autodict for long strings
  - LTO: laf-intel and redqueen/cmplog are now applied at link time
    to prevent llvm optimizing away the splits
  - LTO: autodictionary mode is a fixed default now
  - LTO: instrim instrumentation disabled, only classic support used
    as it is always better
  - LTO: env var AFL_LLVM_DOCUMENT_IDS=file will document which edge ID
    was given to which function during compilation
  - LTO: single block functions were not implemented by default, fixed
  - LTO: AFL_LLVM_SKIP_NEVERZERO behaviour was inversed, fixed
  - setting AFL_LLVM_LAF_SPLIT_FLOATS now activates
  - support for -E and -shared compilation runs
  - added honggfuzz mangle as a custom mutator in custom_mutators/honggfuzz
  - added afl-frida gum solution to examples/afl_frida (mostly imported
  - small fixes to afl-plot, afl-whatsup and man page creation
  - new README, added FAQ
* Thu Jul 02 2020 Marcus Meissner <>
- updated to 2.66c
  - renamed blacklist/whitelist to ignorelist/instrumentlist ->
  - warn on deprecated environment variables
  - afl-fuzz:
  - -S secondary nodes now only sync from the main node to increase
    performance, the -M main node still syncs from everyone. Added checks
    that ensure exactly one main node is present and warn otherwise
  - Add -D after -S to force a secondary to perform deterministic fuzzing
  - If no main node is present at a sync one secondary node automatically
    becomes a temporary main node until a real main node shows up
  - Fixed a major performance issue we inherited from AFLfast
  - switched murmur2 hashing and random() for xxh3 and xoshiro256**,
    resulting in an up to 5.5% speed increase
  - Resizing the window does not crash afl-fuzz anymore
  - Ensure that the targets are killed on exit
  - fix/update to MOpt (thanks to arnow117)
  - added MOpt dictionary support from repo
  - added experimental SEEK power schedule. It is EXPLORE with ignoring
    the runtime and less focus on the length of the test case
  - llvm_mode:
  - the default instrumentation is now PCGUARD if the llvm version is >= 7,
    as it is faster and provides better coverage. The original afl
    instrumentation can be set via AFL_LLVM_INSTRUMENT=AFL. This is
    automatically done when the instrument_file list feature is used.
  - PCGUARD mode is now even better because we made it collision free - plus
    it has a fixed map size, so it is also faster! :)
  - some targets want a ld variant for LD that is not gcc/clang but ld,
    added afl-ld-lto to solve this
  - lowered minimum required llvm version to 3.4 (except LLVMInsTrim, which
    needs 3.8.0)
  - instrument_file list feature now supports wildcards (thanks to sirmc)
  - small change to cmplog to make it work with current llvm 11-dev
  - added AFL_LLVM_LAF_ALL, sets all laf-intel settings
  - LTO instrument_files functionality rewritten, now main, _init etc functions
    need not be listed anymore
  - fixed crash in compare-transform-pass when strcasecmp/strncasecmp
    was instrumented with LTO
  - fixed crash in cmplog with LTO
  - enable snapshot lkm also for persistent mode
  - Unicornafl
  - Added powerPC support from unicorn/next
  - rust bindings!
  - CMPLOG/Redqueen now also works for MMAP sharedmem
  - ensure shmem is released on errors
  - we moved radamsa to be a custom mutator in ./custom_mutators/. It is not
    compiled by default anymore.
  - allow running in /tmp (only unsafe with umask 0)
  - persistent mode shared memory testcase handover (instead of via
    files/stdin) - 10-100% performance increase
  - General support for 64 bit PowerPC, RiscV, Sparc etc.
  - fix afl-cmin.bash
  - slightly better performance compilation options for afl++ and targets
  - fixed afl-gcc/afl-as that could break on fast systems reusing pids in
    the same second
  - added lots of dictionaries from oss-fuzz, go-fuzz and Jakub Wilk
  - added former post_library examples to examples/custom_mutators/
  - Dockerfile upgraded to Ubuntu 20.04 Focal and installing llvm 11 and
    gcc 10 so afl-clang-lto can be built
* Fri May 15 2020 Marcus Meissner <>
- updated to 2.65c
  - afl-fuzz:
  - AFL_MAP_SIZE was not working correctly
  - better python detection
  - an old, old bug in afl that would show negative stability in rare
    circumstances is now hopefully fixed
    instead (see docs/
  - llvm_mode:
  - afl-clang-fast/lto now do not skip single block functions. This
    behaviour can be reactivated with AFL_LLVM_SKIPSINGLEBLOCK
  - if LLVM 11 is installed the posix shm_open+mmap is used and a fixed
    address for the shared memory map is used as this increases the
    fuzzing speed
  - InsTrim now has an LTO version! :-) That is the best and fastest mode!
  - fixes to LTO mode if instrumented edges > MAP_SIZE
  - CTX and NGRAM can now be used together
  - CTX and NGRAM are now also supported in CFG/INSTRIM mode
  - AFL_LLVM_LAF_TRANSFORM_COMPARES could crash, fixed
  - added AFL_LLVM_SKIP_NEVERZERO to skip the never zero coverage counter
    implementation. For targets with few or no loops or heavily called
    functions. Gives a small performance boost.
  - qemu_mode:
  - add information on PIE/PIC load addresses for 32 bit
  - better dependency checks
  - gcc_plugin:
  - better dependency checks
  - unicorn_mode:
  - validate_crash_callback can now count non-crashing inputs as crash as well
  - better submodule handling
  - afl-showmap: fix for -Q mode
  - added examples/afl_network_proxy which allows to fuzz a target over the
    network (not fuzzing tcp/ip services but running afl-fuzz on one system
    and the target being on an embedded device)
  - added examples/afl_untracer which does a binary-only fuzzing with the
    modifications done in memory (intel32/64 and aarch64 support)
  - added examples/afl_proxy which can be easily used to fuzz and instrument
    non-standard things
  - all:
  - forkserver communication now also used for error reporting
  - fix 32 bit build options
  - make clean now leaves qemu-3.1.1.tar.xz and the unicornafl directory
    intact if in a git/svn checkout - unless "deepclean" is used
* Sat Apr 18 2020 Marcus Meissner <>
- updated to 2.64c
  - llvm_mode LTO mode:
  - now requires llvm11 - but compiles all targets! :)
  - autodictionary feature added, enable with `AFL_LLVM_LTO_AUTODICTIONARY`
  - variable map size usage
  - afl-fuzz:
  - variable map size support added (only LTO mode can use this)
  - snapshot feature usage now visible in UI
  - Now setting `-L -1` will enable MOpt in parallel to normal mutation.
    Additionally, this allows to run dictionaries, radamsa and cmplog.
  - fix for cmplog/redqueen mode if stdin was used
  - fix for writing a better plot_data file
  - qemu_mode: fix for persistent mode (which would not terminate or get stuck)
  - compare-transform/AFL_LLVM_LAF_TRANSFORM_COMPARES now transforms also
    static global and local variable comparisons (cannot find all though)
  - extended forkserver: map_size and more information is communicated to
    afl-fuzz (and afl-fuzz acts accordingly)
  - new environment variable: AFL_MAP_SIZE to specify the size of the shared map
  - if AFL_CC/AFL_CXX is set but empty afl compilers did fail, fixed
    (this bug is in vanilla afl too)
  - added NO_PYTHON flag to disable python support when building afl-fuzz
  - more refactoring
* Sun Apr 12 2020 Marcus Meissner <>
- updated to 2.63c
  - all:
  - big code changes to make afl-fuzz thread-safe so afl-fuzz can spawn
    multiple fuzzing threads in the future or even become a library
  - afl basic tools now report on the environment variables picked up
  - more tools get environment variable usage info in the help output
  - force all output to stdout (some OK/SAY/WARN messages were sent to
    stdout, some to stderr)
  - uninstrumented mode uses an internal forkserver ("fauxserver")
  - now builds with `-D_FORTIFY_SOURCE=2`
  - drastically reduced number of (de)allocations during fuzzing
  - afl-fuzz:
  - python mutator modules and custom mutator modules now use the same
    interface and hence the API changed
  - AFL_AUTORESUME will resume execution without the need to specify `-i -`
  - added experimental power schedules (-p):
  - mmopt: ignores runtime of queue entries, gives higher weighting to
    the last 5 queue entries
  - rare: puts focus on queue entries that hits rare branches, also ignores
  - llvm_mode:
  - added SNAPSHOT feature (using
  - added Control Flow Integrity sanitizer (AFL_USE_CFISAN)
  - added AFL_LLVM_INSTRUMENT option to control the instrumentation type
    easier: DEFAULT, CFG (INSTRIM), LTO, CTX, NGRAM-x (x=2-16)
  - made USE_TRACE_PC compile obsolete
  - LTO collision free instrumentation added in llvm_mode with afl-clang-lto -
    note that this mode is amazing, but quite some targets won't compile
  - Added llvm_mode NGRAM prev_loc coverage by Adrean Herrera
    (, activate by setting
  - Added llvm_mode context sensitive branch coverage, activated by setting
  - llvm_mode InsTrim mode:
  - removed workaround for bug where paths were not instrumented and
    imported fix by author
  - made skipping 1 block functions an option and is disabled by default,
    set AFL_LLVM_INSTRIM_SKIPSINGLEBLOCK=1 to re-enable this
  - qemu_mode:
  - qemu_mode now uses solely the internal capstone version to fix builds
    on modern Linux distributions
  - QEMU now logs routine arguments for CmpLog when the target is x86
  - afl-tmin:
  - now supports hang mode `-H` to minimize hangs
  - fixed potential afl-tmin misbehavior for targets with multiple hangs
  - Pressing Control-c in afl-cmin did not terminate it for some OS
  - the custom API was rewritten and is now the same for Python and shared
- afl-1.58b-fix-paths.patch moved to
- afl-2.63c-fix-paths.patch: adjust Makefile -> GNUmakefile
* Fri Feb 28 2020 Marcus Meissner <>
- updated to 2.62c
  - Important fix for memory allocation functions that result in afl-fuzz not identifying crashes - UPDATE!
  - Small fix for -E/-V to release the CPU
  - CmpLog does not need sancov anymore
* Tue Feb 25 2020 Marcus Meissner <>
- updated to 2.61c
  - use -march=native if available
  - most tools now check for mistyped environment variables
  - gcc 10 is now supported
  - the memory safety checks are now disabled for a little more speed during
    fuzzing (only affects creating queue entries), can be toggled in config.h
  - afl-fuzz:
  - MOpt out of bounds writing crash fixed
  - now prints the real python version support compiled in
  - set stronger performance compile options and little tweaks
  - Android: prefer bigcores when selecting a CPU
  - CmpLog forkserver
  - Redqueen input-2-state mutator (cmp instructions only ATM)
  - all Python 2+3 versions supported now
  - changed execs_per_sec in fuzzer_stats from "current" execs per second
    (which is pointless) to total execs per second
  - bugfix for dictionary insert stage count (fix via Google repo PR)
  - added warning if -M is used together with custom mutators with _ONLY option
  - AFL_TMPDIR checks are now later and better explained if they fail
  - llvm_mode
  - InsTrim: three bug fixes:
    1. (minor) no pointless instrumentation of 1 block functions
    2. (medium) path bug that leads a few blocks not instrumented that
    should be
    3. (major) incorrect prev_loc was written, fixed!
  - afl-clang-fast:
  - show in the help output for which llvm version it was compiled for
  - now does not need to be recompiled between trace-pc and pass
    instrumentation. compile normally and set AFL_LLVM_USE_TRACE_PC :)
  - LLVM 11 is supported
  - CmpLog instrumentation using SanCov (see llvm_mode/README.cmplog)
  - afl-gcc, afl-clang-fast, afl-gcc-fast:
  - experimental support for undefined behaviour sanitizer UBSAN
    (set AFL_USE_UBSAN=1)
  - the instrumentation summary output now also lists activated sanitizers
  - afl-as: added isatty(2) check back in
  - added AFL_DEBUG (for upcoming merge)
  - qemu_mode:
  - persistent mode is now also available for arm and aarch64
  - CmpLog instrumentation for QEMU (-c afl-fuzz command line option)
    for x86, x86_64, arm and aarch64
  - AFL_PERSISTENT_HOOK callback module for persistent QEMU
    (see examples/qemu_persistent_hook)
  - added qemu_mode/ documentation
  - AFL_ENTRYPOINT now has instruction granularity
  - afl-cmin is now a sh script (invoking awk) instead of bash for portability;
    the original script is still present as afl-cmin.bash
  - afl-showmap: -i dir option now allows processing multiple inputs using the
    forkserver. This is for enhanced speed in afl-cmin.
  - added blacklist and whitelisting function check in all modules of llvm_mode
  - added fix from Debian project to compile libdislocator and libtokencap
  - libdislocator: AFL_ALIGNED_ALLOC to force size alignment to max_align_t
Version: 2.52b-bp150.2.4
* Sun Nov 05 2017
- Update to version 2.52b:
  * Upgraded QEMU patches from 2.3.0 to 2.10.0. Required troubleshooting
    several weird issues.
  * Added setsid to afl-showmap. See the notes for 2.51b.
  * Added target mode (deferred, persistent, qemu, etc) to fuzzer_stats.
  * afl-tmin should now save a partially minimized file when Ctrl-C
    is pressed.
  * Added an option for afl-analyze to dump offsets in hex.
  * Added support for parameters in
* Sun Sep 03 2017
- afl 2.51b:
  * Make afl-tmin call setsid to prevent glibc traceback junk from
    showing up on the terminal
- includes changes from 2.50b:
  * Fix a timing corner case
  * Address a libtokencap / pthreads incompatibility issue
  * In-place resume now preserves .synced
* Sat Jul 29 2017
- include docs/README
* Wed Jul 26 2017
- Version 2.49b
  - Added AFL_TMIN_EXACT to allow path constraint for crash minimization.
  - Added dates for releases (retroactively for all of 2017).
- Version 2.48b
  - Added AFL_ALLOW_TMP to permit some scripts to run in /tmp.
  - Fixed cwd handling in afl-analyze (similar to the quirk in afl-tmin).
  - Made it possible to point -o and -f to the same file in afl-tmin.
- Version 2.47b
  - Fixed cwd handling in afl-tmin. Spotted by Jakub Wilk.
- Version 2.46b
  - libdislocator now supports AFL_LD_NO_CALLOC_OVER for folks who do not
    want to abort on calloc() overflows.
  - Made a minor fix to libtokencap. Reported by Daniel Stender.
  - Added a small JSON dictionary, inspired by a dictionary done by Jakub Wilk.
* Fri Jul 07 2017
- update to 2.45b:
  - Added strstr, strcasestr support to libtokencap. Contributed by
    Daniel Hodson.
  - Fixed a resumption offset glitch spotted by Jakub Wilk.
  - There are definitely no bugs in afl-showmap -c now.
* Mon Jul 03 2017
- update to 2.44b:
  * Add visual indicator of ASAN / MSAN mode when compiling
  * Add support for afl-showmap coredumps (-c)
  * Add LD_BIND_NOW=1 for afl-showmap by default
  * Added AFL_NO_ARITH to aid in the fuzzing of text-based formats
  * Renamed the R() macro to avoid a problem with llvm_mode in the
    latest versions of LLVM
* Wed Apr 12 2017
- update to 2.41b:
  - Addressed a major user complaint related to timeout detection. Timing out
    inputs are now binned as "hangs" only if they exceed a far more generous
    time limit than the one used to reject slow paths.
- update to 2.40b:
  - Fixed a minor oversight in the insertion strategy for dictionary words.
    Spotted by Andrzej Jackowski.
  - Made a small improvement to the havoc block insertion strategy.
  - Adjusted color rules for "is it done yet?" indicators.
* Wed Mar 08 2017
- Changed %doc line to clear build failure in openSUSE:Factory
  due to unpackaged files
* Fri Feb 10 2017
- update to 2.39b:
  - Improved error reporting in afl-cmin. Suggested by floyd.
  - Made a minor tweak to trace-pc-guard support. Suggested by kcc.
  - Added a mention of afl-monitor.
* Mon Jan 30 2017
- update to 2.38b:
  * Added -mllvm -sanitizer-coverage-block-threshold=0 to
    trace-pc-guard mode
  * Fixed a cosmetic bad free() bug when aborting -S sessions
  * Made a small change to afl-whatsup to sort fuzzers by name.
  * Fixed a minor issue with malloc(0) in libdislocator
  * Changed the clobber pattern in libdislocator to a slightly more
    reliable one
  * Added a note about THP performance
  * Added a somewhat unofficial support for running afl-tmin with a
    baseline "mask" that causes it to minimize only for edges that
    are unique to the input file, but not to the "boring" baseline.
  * "Fixed" a getPassName() problem with newer versions of clang.
* Wed Oct 19 2016
- Update to version 2.35b:
  * Fixed a minor cmdline reporting glitch, spotted by Leo Barnes.
  * Fixed a silly bug in libdislocator. Spotted by Johannes Schultz.
- Changes for version 2.34b:
  * Added a note about afl-tmin to technical_details.txt.
  * Added support for AFL_NO_UI, as suggested by Leo Barnes.
- Changes for version 2.33b:
  * Added code to strip -Wl,-z,defs and -Wl,--no-undefined for
    afl-clang-fast, since they interfere with -shared. Spotted and
    diagnosed by Toby Hutton.
  * Added some fuzzing tips for Android.
* Thu Aug 25 2016
- Version 2.32b:
  - Added a check for AFL_HARDEN combined with AFL_USE_*SAN. Suggested by Hanno Boeck.
  - Made several other cosmetic adjustments to cycle timing in the wake of the big tweak made in 2.31b.
- Version 2.31b:
  - Changed havoc cycle counts for a marked performance boost, especially
    with -S / -d. See the discussion of FidgetyAFL in:!topic/afl-users/fOPeb62FZUg
    While this does not implement the approach proposed by the authors of
    the CCS paper, the solution is a result of digging into that research;
    more improvements may follow as I do more experiments and get more
    definitive data.
- Version 2.30b:
  - Made minor improvements to persistent mode to avoid the remote
    possibility of "no instrumentation detected" issues with very low
    instrumentation densities.
  - Fixed a minor glitch with a leftover process in persistent mode.
    Reported by Jakub Wilk and Daniel Stender.
  - Made persistent mode bitmaps a bit more consistent and adjusted the way
    this is shown in the UI, especially in persistent mode.
- Version 2.29b:
  - Made a minor #include fix to llvm_mode. Suggested by Jonathan Metzman.
  - Made cosmetic updates to the docs.
- Version 2.28b:
  - Added "life pro tips" to docs/.
  - Moved testcases/_extras/ to dictionaries/ for visibility.
  - Made minor improvements to install scripts.
  - Added an important safety tip.
- Version 2.27b:
  - Added libtokencap, a simple feature to intercept strcmp / memcmp and
    generate dictionary entries that can help extend coverage.
  - Moved libdislocator to its own dir, added README.
  - The demo in experimental/instrumented_cmp is no more.
- Version 2.26b:
  - Made a fix for to compile on MacOS X.
  - Added support for DYLD_INSERT_LIBRARIES.
- Version 2.25b:
  - Made some cosmetic updates to, renamed one env
- Version 2.24b:
  - Added, an experimental, abusive allocator. Try
    it out with AFL_LD_PRELOAD=/path/to/ when running
- Version 2.23b:
  - Improved the stability metric for persistent mode binaries. Problem
    spotted by Kurt Roeckx.
  - Made a related improvement that may bring the metric to 100% for those
- Version 2.22b:
  - Mentioned the potential conflicts between MSAN / ASAN and FORTIFY_SOURCE.
    There is no automated check for this, since some distros may implicitly
    set FORTIFY_SOURCE outside of the compiler's argv[].
  - Populated the support for AFL_LD_PRELOAD to all companion tools.
  - Made a change to the handling of ./afl-clang-fast -v. Spotted by
    Jan Kneschke.
* Sat Jul 23 2016
- afl 2.21b:
  * Minor UI fixes
- includes changes from 2.20b:
  * Revamp handling of variable paths
  * Stability improvements
  * Include current input bitmap density in UI
  * Add experimental support for parallelizing -M.
- includes changes from 2.19b:
  * Ensure auto CPU binding happens at non-overlapping times
- includes changes from 2.18b
  * Performance improvements
* Tue Jun 28 2016
- afl 2.17b:
  * Remove error-prone and manual -Z option
  * automatically bind to the first free core
* Wed Jun 15 2016
- afl 2.14b:
    defined when compiling with afl-gcc and friends
  - Refreshed some of the non-x86 docs.
* Tue May 31 2016
- afl 2.13b:
  * Fixed a spurious build test error with trace-pc and
  * Fixed a cosmetic issue with afl-whatsup
- includes changes from 2.12b
  * Fixed a minor issue in afl-tmin that can make alphabet
    minimization less efficient during passes > 1
* Mon May 02 2016
- afl 2.11b:
  - Fixed a minor typo in instrumented_cmp
  - Added a missing size check for deterministic insertion steps.
  - Made an improvement to afl-gotcpu when -Z not used.
  - Fixed a typo in experimental/
* Sat Apr 16 2016
- afl 2.10b:
  * Fix a minor core counting glitch
* Mon Mar 28 2016
- Update to 2.09b
  * Made several documentation updates.
  * Added some visual indicators to promote and simplify the use
    of -Z.
- Changes for 2.08b
  * Added explicit support for -m32 and -m64 for llvm_mode.
    Inspired by a request from Christian Holler.
  * Added a new benchmarking option, as requested by Kostya
- Changes for 2.07b
  * Added CPU affinity option (-Z) on Linux. With some caution,
    this can offer a significant (10%+) performance bump and
    reduce jitter. Proposed by Austin Seipp.
  * Updated afl-gotcpu to use CPU affinity where supported.
  * Fixed confusing CPU_TARGET error messages with QEMU build.
    Spotted by Daniel Komaromy and others.
- Changes for 2.06b
  * Worked around LLVM persistent mode hiccups with -shared code.
    Contributed by Christian Holler.
  * Added __AFL_COMPILER as a convenient way to detect that
    something is built under afl-gcc / afl-clang / afl-clang-fast
    and enable custom optimizations in your code. Suggested by
    Pedro Corte-Real.
  * Upstreamed several minor changes developed by Franjo Ivancic to
    allow AFL to be built as a library. This is fairly use-specific
    and may have relatively little appeal to general audiences.
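The __AFL_COMPILER macro mentioned under 2.06b is the usual way to give a target a fuzzing-only build: the compile-time check lets a harness skip a check the fuzzer can only satisfy by luck (a checksum, a license signature) while release builds keep it. The following is an added example, not code from this changelog or from the afl project; the record format, crc8(), parse_record(), make_record() and the demo_*() helpers are all hypothetical, and the sample record is constructed inline. __AFL_COMPILER itself is the real macro that afl-gcc, afl-clang and afl-clang-fast define.

```c
/* Added example (not from the afl changelog or the afl project): gating
 * a CRC check on __AFL_COMPILER so afl-fuzz is not stopped by it.
 * Everything except the __AFL_COMPILER macro is hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical wire format: [len:1][payload:len][crc8:1]. */
#define MAX_PAYLOAD 64

/* CRC-8, polynomial 0x07, no init/xorout. Hypothetical integrity check. */
static uint8_t crc8(const uint8_t *p, size_t n) {
    uint8_t c = 0;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int b = 0; b < 8; b++)
            c = (uint8_t)((c & 0x80) ? ((c << 1) ^ 0x07) : (c << 1));
    }
    return c;
}

/* Returns the payload length on success, -1 for a malformed record and
 * -2 for a CRC mismatch. When built with afl-gcc / afl-clang /
 * afl-clang-fast, __AFL_COMPILER is defined and the CRC check is
 * compiled out, so the fuzzer reaches the parsing logic behind it.
 * A normal build (gcc, clang) keeps the check. */
int parse_record(const uint8_t *buf, size_t len, uint8_t *out, size_t out_cap) {
    if (len < 2) return -1;
    size_t plen = buf[0];
    if (plen > MAX_PAYLOAD || plen > out_cap || len != plen + 2) return -1;
#ifndef __AFL_COMPILER
    if (crc8(buf + 1, plen) != buf[1 + plen]) return -2;
#endif
    memcpy(out, buf + 1, plen);
    return (int)plen;
}

/* Builds a valid record into buf; returns its size or 0 on error. */
size_t make_record(const uint8_t *payload, size_t plen, uint8_t *buf, size_t cap) {
    if (plen > MAX_PAYLOAD || cap < plen + 2) return 0;
    buf[0] = (uint8_t)plen;
    memcpy(buf + 1, payload, plen);
    buf[1 + plen] = crc8(payload, plen);
    return plen + 2;
}

/* 1 when compiled by afl-gcc / afl-clang / afl-clang-fast, else 0. */
int built_with_afl(void) {
#ifdef __AFL_COMPILER
    return 1;
#else
    return 0;
#endif
}

/* Constructed sample: record for payload "abc" parses to length 3. */
int demo_valid(void) {
    const uint8_t payload[3] = { 'a', 'b', 'c' };
    uint8_t rec[MAX_PAYLOAD + 2], out[MAX_PAYLOAD];
    size_t n = make_record(payload, sizeof payload, rec, sizeof rec);
    return parse_record(rec, n, out, sizeof out);
}

/* Same record with its CRC byte corrupted: -2 in a normal build,
 * 3 in an afl build because the check is compiled out. */
int demo_bad_crc(void) {
    const uint8_t payload[3] = { 'a', 'b', 'c' };
    uint8_t rec[MAX_PAYLOAD + 2], out[MAX_PAYLOAD];
    size_t n = make_record(payload, sizeof payload, rec, sizeof rec);
    rec[n - 1] ^= 0xff;
    return parse_record(rec, n, out, sizeof out);
}

/* Stand-alone harness: one record from stdin (read(2), not stdio, so the
 * same main works unchanged if later wrapped in afl's persistent loop). */
int main(void) {
    uint8_t in[MAX_PAYLOAD + 2], out[MAX_PAYLOAD];
    ssize_t n = read(0, in, sizeof in);
    if (n < 0) return 1;
    int r = parse_record(in, (size_t)n, out, sizeof out);
    printf("afl build: %d, parse result: %d\n", built_with_afl(), r);
    return 0;
}
```

Build it twice to see the difference: `afl-clang-fast harness.c -o harness-afl` defines __AFL_COMPILER and compiles the CRC check out, `cc harness.c -o harness` keeps it. Because the gate is a preprocessor symbol rather than an environment variable, the shipped binary cannot be talked into skipping the check at runtime; the trade-off is that crashes found behind the gate must be re-checked against a normal build with a correct CRC before being reported as reachable.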
* Sun Feb 28 2016
- afl 2.05b:
  * Put __sanitizer_cov_module_init & co behind #ifdef to avoid
    problems with ASAN.
Version: 2.52b-bp153.2.1
* Mon Mar 29 2021 Guillaume GARDET <>
- Fix packaging on aarch64 and %{arm}