Roll src/third_party/afl/src/ 2.14b..2.30b (16 versions).

third_party/afl/src/docs/env_variables.txt

 =======================
 Environmental variables
 =======================
 
   This document discusses the environment variables used by American Fuzzy Lop
   to expose various exotic functions that may be (rarely) useful for power
   users or for some types of custom fuzzing setups. See README for the general
   instruction manual.
 
 1) Settings for afl-gcc, afl-clang, and afl-as
@@ skipping 34 matching lines @@
     probability of instrumenting every branch. This is (very rarely) useful
     when dealing with exceptionally complex programs that saturate the output
     bitmap. Examples include v8, ffmpeg, and perl.
 
     (If this ever happens, afl-fuzz will warn you ahead of the time by
     displaying the "bitmap density" field in fiery red.)
 
     Setting AFL_INST_RATIO to 0 is a valid choice. This will instrument only
     the transitions between function entry points, but not individual branches.
 
+  - AFL_NO_BUILTIN causes the compiler to generate code suitable for use with
+    libtokencap.so (but perhaps running a bit slower than without the flag).
+
   - TMPDIR is used by afl-as for temporary files; if this variable is not set,
     the tool defaults to /tmp.
 
   - Setting AFL_KEEP_ASSEMBLY prevents afl-as from deleting instrumented
     assembly files. Useful for troubleshooting problems or understanding how
     the tool works. To get them in a predictable place, try something like:
 
     mkdir assembly_here
     TMPDIR=$PWD/assembly_here AFL_KEEP_ASSEMBLY=1 make clean all
 
@@ skipping 27 matching lines @@
 
   - Setting AFL_NO_FORKSRV disables the forkserver optimization, reverting to
     fork + execve() call for every tested input. This is useful mostly when
     working with unruly libraries that create threads or do other crazy
     things when initializing (before the instrumentation has a chance to run).
 
     Note that this setting inhibits some of the user-friendly diagnostics
     normally done when starting up the forkserver and causes a pretty
     significant performance drop.
 
-  - Setting AFL_NO_VAR_CHECK skips the detection of variable test cases,
-    greatly speeding up session resumption and path discovery for complex
-    multi-threaded apps (but depriving you of a potentially useful signal
-    in more orderly programs).
-
   - AFL_EXIT_WHEN_DONE causes afl-fuzz to terminate when all existing paths
     have been fuzzed and there were no new finds for a while. This would be
     normally indicated by the cycle counter in the UI turning green. May be
     convenient for some types of automated jobs.
 
+  - Setting AFL_NO_AFFINITY disables attempts to bind to a specific CPU core
+    on Linux systems. This slows things down, but lets you run more instances
+    of afl-fuzz than would be prudent (if you really want to).
+
   - AFL_SKIP_CRASHES causes AFL to tolerate crashing files in the input
     queue. This can help with rare situations where a program crashes only
     intermittently, but it's not really recommended under normal operating
     conditions.
 
   - AFL_SHUFFLE_QUEUE randomly reorders the input queue on startup. Requested
     by some users for unorthodox parallelized fuzzing setups, but not
     advisable otherwise.
 
   - When developing custom instrumentation on top of afl-fuzz, you can use
@@ skipping 10 matching lines @@
   - Setting AFL_POST_LIBRARY allows you to configure a postprocessor for
     mutated files - say, to fix up checksums. See experimental/post_library/
     for more.
 
   - The CPU widget shown at the bottom of the screen is fairly simplistic and
     may complain of high load prematurely, especially on systems with low core
     counts. To avoid the alarming red color, you can set AFL_NO_CPU_RED.
 
   - In QEMU mode (-Q), AFL_PATH will be searched for afl-qemu-trace.
 
-  - Setting AFL_LD_PRELOAD causes AFL to set LD_PRELOAD for the target binary
-    without disrupting the afl-fuzz process itself.
+  - Setting AFL_PRELOAD causes AFL to set LD_PRELOAD for the target binary
+    without disrupting the afl-fuzz process itself. This is useful, among other
+    things, for bootstrapping libdislocator.so.
 
   - If you are Jakub, you may need AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES.
     Others need not apply.
 
   - Benchmarking only: AFL_BENCH_JUST_ONE causes the fuzzer to exit after
     processing the first queue entry; and AFL_BENCH_UNTIL_CRASH causes it to
-    exit when first crash is found.
+    exit soon after the first crash is found.
 
 4) Settings for afl-qemu-trace
 ------------------------------
 
 The QEMU wrapper used to instrument binary-only code supports several settings:
 
   - It is possible to set AFL_INST_RATIO to skip the instrumentation on some
     of the basic blocks, which can be useful when dealing with very complex
     binaries.
 
@@ skipping 16 matching lines @@
     minimization and normally deleted at exit. The files can be found in the
     <out_dir>/.traces/*.
 
 6) Settings for afl-tmin
 ------------------------
 
 Virtually nothing to play with. Well, in QEMU mode (-Q), AFL_PATH will be
 searched for afl-qemu-trace. In addition to this, TMPDIR may be used if a
 temporary file can't be created in the current working directory.
 
-7) Third-party variables set by afl-fuzz & other tools
+7) Settings for libdislocator.so
+--------------------------------
+
+The library honors three environmental variables:
+
+  - AFL_LD_LIMIT_MB caps the size of the maximum heap usage permitted by the
+    library, in megabytes. The default value is 1 GB. Once this is exceeded,
+    allocations will return NULL.
+
+  - AFL_LD_HARD_FAIL alters the behavior by calling abort() on excessive
+    allocations, thus causing what AFL would perceive as a crash. Useful for
+    programs that are supposed to maintain a specific memory footprint.
+
+  - AFL_LD_VERBOSE causes the library to output some diagnostic messages
+    that may be useful for pinpointing the cause of any observed issues.
+
+8) Settings for libtokencap.so
+------------------------------
+
+This library accepts AFL_TOKEN_FILE to indicate the location to which the
+discovered tokens should be written.
+
+9) Third-party variables set by afl-fuzz & other tools
 ------------------------------------------------------
 
 Several variables are not directly interpreted by afl-fuzz, but are set to
 optimal values if not already present in the environment:
 
   - By default, LD_BIND_NOW is set to speed up fuzzing by forcing the
     linker to do all the work before the fork server kicks in. You can
     override this by setting LD_BIND_LAZY beforehand, but it is almost
     certainly pointless.
 
@@ skipping 10 matching lines @@
     difficulty telling crashes and hangs apart.
 
   - In the same vein, by default, MSAN_OPTIONS are set to:
 
     exit_code=86 (required for legacy reasons)    
     abort_on_error=1
     symbolize=0
     msan_track_origins=0
     allocator_may_return_null=1
 
-    Be sure to include the first one when customizing anything, since MSAN
-    doesn't call abort() on error, and we need a way to detect faults.
+    Be sure to include the first one when customizing anything, since some
+    MSAN versions don't call abort() on error, and we need a way to detect
+    faults.