afl-cc - Man Page

afl-cc/afl-c++ [options]

This is a helper application for afl-fuzz. It serves as a drop-in replacement
for gcc and clang, letting you recompile third-party code with the required
runtime instrumentation. A common use pattern would be one of the following:

  CC=afl-cc CXX=afl-c++ ./configure --disable-shared
  cmake -DCMAKE_C_COMPILERC=afl-cc -DCMAKE_CXX_COMPILER=afl-c++ .
  CC=afl-cc CXX=afl-c++ meson

                                       |------------- FEATURES -------------|
MODES:                                  NCC PERSIST DICT   LAF CMPLOG SELECT
  [LLVM] LLVM:             unavailable!
      PCGUARD              unavailable!    yes yes     module yes yes    yes
      NATIVE               AVAILABLE    no  yes     no     no  part.  yes
      CLASSIC              unavailable!    no  yes     module yes yes    yes
        - NORMAL
        - CALLER
        - CTX
        - NGRAM-{2-16}
  [LTO] LLVM LTO:          unavailable!
      PCGUARD              DEFAULT      yes yes     yes    yes yes    yes
      CLASSIC                           yes yes     yes    yes yes    yes
  [GCC_PLUGIN] gcc plugin: unavailable!
      CLASSIC              DEFAULT      no  yes     no     no  no     yes
  [GCC/CLANG] simple gcc/clang: AVAILABLE [SELECTED]
      CLASSIC              DEFAULT      no  no      no     no  no     no

Modes:
  To select the compiler mode use a symlink version (e.g. afl-clang-fast), set
  the environment variable AFL_CC_COMPILER to a mode (e.g. LLVM) or use the
  command line parameter --afl-MODE (e.g. --afl-llvm). If none is selected,
  afl-cc will select the best available (LLVM -> GCC_PLUGIN -> GCC).
  The best is LTO but it often needs RANLIB and AR settings outside of afl-cc.

Sub-Modes: (set via env AFL_LLVM_INSTRUMENT, afl-cc selects the best available)
  PCGUARD: Dominator tree instrumentation (best!) (README.llvm.md)
  LLVM-NATIVE:  use llvm's native PCGUARD instrumentation (less performant)
  CLASSIC: decision target instrumentation (README.llvm.md)
  CALLER:  CLASSIC + single callee context (instrumentation/README.ctx.md)
  CTX:     CLASSIC + full callee context (instrumentation/README.ctx.md)
  NGRAM-x: CLASSIC + previous path ((instrumentation/README.ngram.md)

Features: (see documentation links)
  NCC:    non-colliding coverage [automatic] (that is an amazing thing!)
          (instrumentation/README.lto.md)
  PERSIST: persistent mode support [code] (huge speed increase!)
          (instrumentation/README.persistent_mode.md)
  DICT:   dictionary in the target [yes=automatic or LLVM module pass]
          (instrumentation/README.lto.md + instrumentation/README.llvm.md)
  LAF:    comparison splitting [env] (instrumentation/README.laf-intel.md)
  CMPLOG: input2state exploration [env] (instrumentation/README.cmplog.md)
  SELECT: selective instrumentation (allow/deny) on filename or function [env]
          (instrumentation/README.instrument_list.md)

To see all environment variables for the configuration of afl-cc use "-hh".

For any information on the available instrumentations and options please 
consult the README.md, especially section 3.1 about instrumenting targets.

Compiled with shmat support.

Do not be overwhelmed :) afl-cc uses good defaults if no options are selected.
Read the documentation for FEATURES though, all are good but few are defaults.
Recommended is afl-clang-lto with AFL_LLVM_CMPLOG or afl-clang-fast with
AFL_LLVM_CMPLOG and AFL_LLVM_DICT2FILE+AFL_LLVM_DICT2FILE_NO_MAIN.

AFL++ was written by Michal "lcamtuf" Zalewski and is maintained by Marc "van Hauser" Heuse <mh@mh-sec.de>, Dominik Maier <domenukk@gmail.com>, Andrea Fioraldi <andreafioraldi@gmail.com> and Heiko "hexcoder-" Eissfeldt <heiko.eissfeldt@hexco.de> The homepage of AFL++ is: https://github.com/AFLplusplus/AFLplusplus

Apache License Version 2.0, January 2004

The man pages afl-c++(8), afl-clang-fast(8), afl-clang-fast++(8), afl-clang-lto(8), afl-clang-lto++(8), afl-gcc-fast(8), afl-g++-fast(8), afl-lto(8) and afl-lto++(8) are aliases of afl-cc(8).