0.12.0

Highlights

• API for multithreaded initial seed corpus loading
• Initial seed corpus entries are kept for splicing
• Stages and Mutators can now be provided as a dynamic Vec
• Stages resume after crashes and timeout
• Multipart Input support
• LibAFL_Bolts: performant get_or_insert_with API for AnyMap/Metadata
• LibAFL_Targets: Exposing pcguard's PC-Table
• LibAFL_Libfuzzer: MacOS support
• libAFL_QEMU: Injection fuzzing and massive rework overall
• LibAFL_Frida: Binary-only Cmplog support for x64
• LibAFL_Tinyinst: Linux instrumentation support

API changes

• Replaced TimeoutExecutor with a timeout in each executor
• Removed python bindings for most parts of the lib (LibAFL_sugar and LibAFL_QEMU remain)
• LLMP Client timeout removed, clients manually unregister on exit now
• Turning on and off tracking of novelties and indexes is now enforced with the CanTrack trait to be less error-prone
• Instead of providing the current testcase and current stage id everywhere, this information is now available in the State

What's Changed

• bolts/minibsod adding openbsd arm64 part by @devnexen in #1724
• QEMU filtering rework + paging filtering by @rmalmain in #1705
• Use latest AFLplusplus/symcc by @tokatoka in #1749
• Ignore SigPipe by default by @domenukk in #1741
• Enabling DrCov on Windows by @mkravchik in #1765
• Dedup common code in scheduler by @tokatoka in #1702
• Safe access to QEMU's Emulator struct by @rmalmain in #1763
• Add mute_inprocess_target fn, SimpleFdLogger::set_logger, and more by @domenukk in #1754
• Check canonicalized_module_path before used by @bet4it in #1767
• Multipart Input support by @addisoncrump in #1617
• Resumable stages redux by @addisoncrump in #1780
• libafl_qemu injections by @vanhauser-thc in #1743
• libafl_frida: Add tests for ASan for Unix platforms by @mkravchik in #1781
• Don't use assert fail when building on libafl_libfuzzer on windows by @tokatoka in #1792
• libafl_frida: Make cmplog work on x64 by @expend20 in #1713
• Remove unnecessary PartialEq trait constraint on DiffFeedback observers by @djoooooe in #1811
• Refactor InProcessExecutor, merge timeout executors by @tokatoka in #1789
• QEMU: safe linking of extern "C" declarations by @rmalmain in #1810
• Add SimpleMgr feature to qemu_launcher by @domenukk in #1790
• Allow corpus removal during main fuzz loop by @hgarrereyn in #1717
• Expose PCs table. by @mvanotti in #1812
• QEMU: add injections mode default by @domenukk in #1818
• Remove create_serde_registry_for_trait macro by @skoriop in #1815
• Default ignore_* flags to true when tui=1 by @skoriop in #1820
• Delete TimeoutForkserverExecutor by @tokatoka in #1819
• libafl_libfuzzer: macOS build support by @sameer in #1711
• HookId trait and types in libafl_qemu by @rbran in #1796
• Configurable LLMP client timeout by @rmalmain in #1838
• Remove unused shmem structs, update Nix by @domenukk in #1845
• Getter for mutable reference to forkserver by @tbethe in #1849
• Make cmp_extend_encoding panic-less by @tokatoka in #1857
• Disable af-xdp from QEMU default config by @rmalmain in #1846
• feature(libqasan): add asprintf and vasprintf by @rbran in #1844
• feature(libqasan): add strndup by @rbran in #1860
• Companion patch to qemu-libafl-bridge #46 by @cube0x8 in #1830
• Finalize macOS support for libafl_libfuzzer by @sameer in #1843
• Support raw byte grammar in NautilusContext by @sadeli413 in #1868
• Less useless allocs for monitor display by @domenukk in #1874
• Add several warnings when starting forkserver by @tokatoka in #1877
• Make NopState public so that it can be used as reproducer by @addisoncrump in #1888
• Implement RetryProgress for limiting retry attempts in stages by @addisoncrump in #1890
• Sancov based ngram & ctx implementation by @tokatoka in #1864
• update libfuzzer docs about macos by @addisoncrump in #1903
• TransferFeedback for determining if a testcase was from another node by @addisoncrump in #1906
• Implement MutatorTuple for Vecs to allow Dynamic Mutator Choices by @domenukk in #1893
• Print PID when you create a new Llmp Sender. by @tokatoka in #1898
• Make executor state available to the harness V2 by @rmalmain in #1900
• Improve readability of InProcessExecutor-related code by @rmalmain in #1912
• fuzzbench_ctx: fix duplicate package warning by @Mrmaxmeier in #1918
• token mutations: avoid a few infallible unwraps by @Mrmaxmeier in #1919
• introduce multicore load initial corpus by @R9295 in #1905
• Allow dyn in StagesTuple, add Current Testcase API, Untraitify Progress by @domenukk in #1915
• Event Manager handle_in_client hooks by @tokatoka in #1916
• Tiny optimization for into_vec by @domenukk in #1931
• Remove some arguments from pre_exec/post_exec in ExecutorHook by @tokatoka in #1933
• Remove (almost) unused stage_idx by @domenukk in #1929
• Update exec counts in objective by @tokatoka in #1945
• Better error message instead of "No entries in corpus" by @tokatoka in #1948
• Rename OSError -> OsError and merge with redundant Error::File by @domenukk in #1944
• Remove useless feedback by @tokatoka in #1953
• Upgrade automaton files by @michael-yxchen in #1956
• Update tinyinst_simple to support Linux (#1316) by @am009 in #1955
• SerdeAnyMap: add unsafe_stable_anymap feature that uses type_name instead of TypeId::of by @domenukk in #1952
• Remove hash for AnyMap (since it's a HashMap already) by @domenukk in #1951
• Change AnyMap API, add unsafe_ assert by @domenukk in #1958
• More usable ListFeedback by @tokatoka in #1959
• Use OwnedPtr in ListObserver by @tokatoka in #1961
• libafl_nyx: Allow custom input buffer size to be passed to NyxHelper by @l4yton in #1960
• WIP: QEMU exit handler by @rmalmain in #1745
• libafl_nyx: Add documentation to NyxSettings fields by @l4yton in #1962
• libafl_nyx: Add bounds check for Nyx input buffer by @l4yton in #1963
• Increase llmp timeout & Print PID in logger by @tokatoka in #1970
• Inline cmplog internal functions code by @tokatoka in #1972
• Make fuzzer examples's argument parser tell that --input is mandatory by @tokatoka in #1973
• Add MutatedTransform to the input type in TMinMutationalStage (#1251) by @am009 in #1971
• Clean up warnings in baby_fuzzers by @Marcondiro in #1981
• Add backdoors to portable header file of LibAFL QEMU. by @rmalmain in #1978
• Add unsafe to AsanErrorsObserver, fix UBs, fix Frida Version missmatch by @domenukk in #1987
• Update setup_libxml2.sh of nyx_libxml2_standalone fuzzer by @GanbaruTobi in #1990
• Use n...

0.11.2

Highlights

• Unicode-preserving mutators
• Reworked Tui (GSoC project by @ToSeven)
• Scalability introspector
• Larger libafl_frida rework, replaced capstone with yaxpeax in many places
• Extended libafl_qemu features, added CmpLog and more

What's Changed

• bolts write_minibsod solaris version. by @devnexen in #1494
• Add embed-runtime feature by @novafacing in #1489
• implement the AFL-Style Tui by @ToSeven in #1432
• reduce memory usage of the construct_automata script by @lenawanel in #1481
• add the metrics(pending,pend_fav, own_finds,imported) by @ToSeven in #1351
• remove libafl/src/feedbacks/owned.rs by @lenawanel in #1508
• Add an example fuzzer with AFL-Style UI by @ToSeven in #1501
• Apparently cargo:error does nothing by @elnardu in #1517
• Rework Frida instrumentation to decouple it from FuzzerOptions and add FridaInstrumentationHelperBuilder by @fabianfreyer in #1523
• Remove check and error when both fuzz_time and iters passed by @beyretb in #1531
• feat(frida): Allow setting path for DrCovRuntime by @fabianfreyer in #1536
• Change profiles for the fuzzbench fuzzers. by @tokatoka in #1546
• Some AFL UI example fuzzer cleanup by @domenukk in #1529
• Don't send unstable entries if there's nothing by @tokatoka in #1552
• libafl_ar: add extensions by @s1341 in #1568
• windows: Support LIBAFL_DEBUG_OUTPUT by @s1341 in #1569
• Qemu features3 by @WorksButNotTested in #1538
• frida-asan: move to mmap-rs by @s1341 in #1570
• Write coverage for QEMU into separate files by @WorksButNotTested in #1571
• Added qemu_cmin by @WorksButNotTested in #1572
• Make fuzzbench debugging easier by @tokatoka in #1574
• Use /dev/urandom for probing the valid memory by @tokatoka in #1586
• libafl_libfuzzer: documentation and build script by @addisoncrump in #1596
• Make Signals compatible with nix, implement TryFrom<&str> by @domenukk in #1599
• Add OptionalStage by @domenukk in #1600
• chore(drcov_rt): remove unused a field and methods by @saruman9 in #1601
• added ninja-build and python3-venv as dependencies by @cube0x8 in #1604
• Call the original QEMU user crash handler in libafl_qemu by @andreafioraldi in #1575
• Add executions count at proper places by @tokatoka in #1608
• Fuzz_loop should not return CorpusId by @domenukk in #1606
• Refactor cmplog observers by @tokatoka in #1603
• Document how to use cpp() and optimize() by @tokatoka in #1615
• New logo in the book by @andreafioraldi in #1618
• Autodetect llvm-config for QEMU bindings generation by @andreafioraldi in #1610
• Break on timeout in QEMU system mode by @andreafioraldi in #1619
• Add iter() to owned slice by @andreafioraldi in #1620
• Rename option name by @tokatoka in #1623
• Add SplitBorrow trait to split borrow tuple_list elements by @andreafioraldi in #1624
• Rename more options by @tokatoka in #1626
• Update llvm ver in Dockerfile by @tokatoka in #1629
• CmpLog {Instruction, Switches} pass by @tokatoka in #1612
• updated rust container image + default nightly by @cube0x8 in #1631
• Update LibAFL concolic by @tokatoka in #1634
• QEMU Asan backtrace and report by @andreafioraldi in #1628
• [WithObservers] Call the wrapped observer's post run function by @anneborcherding in #1640
• Add post_run for shadow executor by @tokatoka in #1641
• bolts: beginning of haiku support. by @devnexen in #1643
• Improve the libafl_libfuzzer corpus by @addisoncrump in #1539
• bolts haiku, addressing clippy warnings by @devnexen in #1647
• Add Android Ashmem stub header to libafl_targets forkserver.c by @domenukk in #1648
• Allow MinimizerScheduler to not cleanup the metadata after use by @beyretb in #1658
• Remove debug log by @beyretb in #1659
• Allow compiling 32bit by @s1341 in #1666
• Support precompiled headers in clang/ar wrappers by @s1341 in #1668
• refactor: Remove unnecessary Debug trait bounds by @mlgiraud in #1667
• Avoid lagged receiver in TCP manager by @andreafioraldi in #1672
• Add CmpLog routines to LibAFL QEMU and various fixes by @andreafioraldi in #1664
• Update libfuzer libpng launcher to use compound configurations by @s1341 in #1676
• bolts for haiku update. by @devnexen in #1673
• Add whole-archive feature to libafl_targets by @addisoncrump in #1544
• libafl_libfuzzer: rename all symbols by @addisoncrump in #1565
• Unicode-preserving mutators by @addisoncrump in #1542
• Add arg for profile in libafl_libfuzzer build.sh by @addisoncrump in #1680
• Scalability introspector + State refactor by @tokatoka in #1674
• scalability monitor 2nd by @tokatoka in #1685
• Monitor refactor + add aggregator by @tokatoka in #1671
• QEMU Synchronous Exit + Syx Snapshot update by @rmalmain in #1681
• Refactor QEMU hooks by @andreafioraldi in #1690
• Update qemu-libafl-bridge by @rmalmain in #1697
• bolts: support dump_registers for x86 linux by @Mrmaxmeier in #1694
• JIT fast path for edge cov hooks in libafl_qemu by @andreafioraldi in #1696
• Add Features for C Targets by @novafacing in #1663
• libafl_cc custom llvm_config lookup for solaris/illumos by @devnexen in #1708
• libafl: forkserver in persistent mode bug by @tbethe in #1715
• Adding support for shutdown upon Ctrl+C on Windows for LLMP by @mkravchik in #1704
• Add Resource by Jordan Whitehead by @tokatoka in #1718
• Make inner value of llmp Flags pub by @G33KatWork in #1725
• Remove capstone from frida [x86_64] by @tokatoka in #1720
• Remove capstone from frida [aarch64] by @mineo333 in #1723
• Last cleanup after decapstone by @tokatoka in #1727
• use yaxpeax-x86 version from crates.io instead of direct git dep by @iximeow in #1733
• Add file descriptor logger by @domenukk in #1742

FIxes

• ForkserverExecutor: stop forked children on exit by @domenukk in #1493
• bolts linux arm64 clippy fix build. by @devnexen in #1496
• bolts core affinity illumos clippy fixes. by @devnexen in #1497
• Fixed libafl_atheris Makefile and reading of input flag by @eceo902 in #1499
• Fix memopidx bug in libafl_qemu r/w hooks and update QEMU by @andreafioraldi in #1500
• openbsd (snapshot) bolts clippy fix by @devnexen in #1502
• Fix missing usage of saved_tree in AsanGiovese by @andreafioraldi in #1506
• Fix linkage on arm macs when buildi...

0.11.1

What's Changed

• Fix doc for publish by @andreafioraldi in #1472
• Fix libafl_libfuzzer publish by @andreafioraldi in #1475
• Introduce document-features feature by @domenukk in #1477
• remove unneeded loop in SpliceMutator::mutate by @lenawanel in #1471
• Add readmes by @andreafioraldi in #1476
• Fix document_features for libafl_libfuzzer by @domenukk in #1480
• bolts: Make xxh3 hashing optional with xxh3 feature flag (else use ahash for everything) by @domenukk in #1478
• Update LibAFL_CC README.md by @kiwids0220 in #1483
• bolts: Fix shmem leak when Drop-ing CommonUnixShMem by @xdqi in #1484
• Document LIBAFL_DEBUG_OUTPUT in Launcher by @domenukk in #1485
• Fixes for serdeany_autoreg by @addisoncrump in #1479
• Fix TuneableMutationalStage _std function generics by @domenukk in #1486
• fix frida build for linux arm64 by @devnexen in #1487
• Update from unmaintained tui-rs to ratatui by @novafacing in #1488
• Fix clippy lint in libafl_libfuzzer by @andreafioraldi in #1490
• Bump to 0.11.1 by @andreafioraldi in #1491

New Contributors

• @kiwids0220 made their first contribution in #1483
• @xdqi made their first contribution in #1484

Full Changelog: 0.11.0...0.11.1

0.11.0

Highlights

• libafl_qemu update to QEMU 8
• Hexagon support in libafl_qemu
• libafl::bolts moved to its own crate, libafl_bolts: use bolts for other projects
• libafl_libfuzzer runtime with full libfuzzer compatibility: replace any libfuzzer with LibAFL
• noaslr and gdb_qemu utilities
• Updated FRIDA

What's Changed

• Post gen by @WorksButNotTested in #1282
• Allow multiple source file in libafl_cc by @tokatoka in #1296
• Update to QEMU 8 by @andreafioraldi in #1299
• Add sample fuzzer which collects DrCov coverage for various architectures by @WorksButNotTested in #1300
• Make it possible to escape from simple event restarter by @addisoncrump in #1303
• Give baby fuzzer listings unique package names by @kokkonisd in #1307
• libafl_cc: add override env vars by @s1341 in #1310
• Add TcpEventManager by @domenukk in #1302
• Trigger feedback side effects during force-loading by @Andrew-Fryer in #1317
• Add feature to build variants/configurations automatically, with libtool/cc/cxx shims by @s1341 in #1322
• Insert into corpus if feedback is_interesting on crash/timeout by @s1341 in #1327
• Extend **qemu_launcher ** to support multiple architectures by @WorksButNotTested in #1328
• Added gdb_qemu utility by @WorksButNotTested in #1331
• Added noaslr by @WorksButNotTested in #1333
• util/noaslr porting to FreeBSD (the non-lib part). by @devnexen in #1337
• AFL++ redqueen update by @tokatoka in #1291
• Hexagon support by @ifratric in #1323
• Make harness function take mut ref by @novafacing in #1338
• Algorithm to choose to serialize the observers or not by @andreafioraldi in #1227
• Arch independent helpers in libafl_qemu by @WorksButNotTested in #1355
• update ForkserverBytesCoverageSugar to use parse_afl_cmdline by @epi052 in #1343
• libnoaslr freebsd implementation proposal. by @devnexen in #1361
• noaslr disable aslr for dragonflybsd. by @devnexen in #1364
• Add RefCellValueObserver by @addisoncrump in #1363
• Launcher: Allow setting a distinct stderr redirect by @s1341 in #1329
• libnoaslr netbsd implementation proposal by @devnexen in #1366
• Make all no_mangle fns extern "C" by @domenukk in #1369
• noaslr netbsd implementation proposal by @devnexen in #1371
• read_time_counter port for the RISCV family. by @devnexen in #1378
• Extract linker args when building QEMU by @andreafioraldi in #1377
• libafl_qemu snapshot device filter by @andreafioraldi in #1386
• Named Mutators and MultiMutator API change by @domenukk in #1387
• Less unsafe type_eq in stable by @domenukk in #1392
• Move Bolts to libafl_bolts by @domenukk in #1335
• Book: Info about how to migrate to 0.11 by @domenukk in #1395
• libafl_cc sanitizer using hwasan on Linux/Android arm64 which is usua… by @devnexen in #1399
• Add serdeany_autoreg feature flag to allow disabling ctor use by @domenukk in #1398
• Make bolts work without alloc by @domenukk in #1401
• Removed unused intrinsics features by @domenukk in #1404
• Remove unused owned (for now) by @domenukk in #1405
• update documentation of PowerQueueScheduler::on_add by @lenawanel in #1409
• Remove dead code for better semantic compliance by @mark0-cn in #1411
• Add serdeany_autoreg to libafl_qemu by @d0ntrash in #1416
• Add serdeany_autoreg to libafl_frida by @domenukk in #1417
• minibsod::generate_minibsod openbsd's implementation proposal by @devnexen in #1420
• Add more libafl_qemu archs to libafl_sugar by @domenukk in #1419
• update documentation of feedbacks::map::OneOrFilledIsNovel by @lenawanel in #1423
• write_minibsod apple implementation proposal. by @devnexen in #1425
• Update frida by @domenukk in #1408
• Allow the FridaInProcessExecutor to attach Stalker on specific thread by @r4ve1 in #1256
• bolts write_minibsod netbsd implementation. by @devnexen in #1428
• Make CmpValues Clone by @novafacing in #1439
• Reset headers with a memcpy, not an assign from zeroed by @novafacing in #1443
• qemu snapshot little update proposal. by @devnexen in #1431
• Use postcard with default-features = false by @Manishearth in #1446
• qemu handy cpu page size call proposal. by @devnexen in #1433
• Add bolts::math, make functions const, cleanup by @domenukk in #1444
• Allow multiple tuneable mutational stages by @wtdcode in #1437
• Allow setting the max iterations by @wtdcode in #1436
• Document features by @domenukk in #1453
• Full libfuzzer shimming (for cargo-fuzz libfuzzer alternative and other use cases) by @addisoncrump in #981
• Create _std public methods on TunableMutationalStage by @domenukk in #1458
• Prep for publishing libafl_libfuzzer by @addisoncrump in #1457
• bolts: disable build for rust < 1.70 proposal. by @devnexen in #1460
• Add generic cmp observer metadata, rename cmp observers, fix cmplogmap reset by @novafacing in #1461
• llmp update proposal. by @devnexen in #1465
• Update FreeBSD on CI by @devnexen in #1463
• Replace binary search with stdlib by @domenukk in #1466
• Add Broker.peek_next_client_id by @domenukk in #1468
• Less pub in LLMP by @domenukk in #1470
• Bump to 0.11.0 by @andreafioraldi in #1469

Fixes

• Ignore UTF-8 errors by @WorksButNotTested in #1403
• Fix for CommandExecutor when using InputLocation::StdIn (issue #1306) by @DanBlackwell in #1308
• Fix AnyMap for TypeIds with 128 bit by @domenukk in #1311
• Fixes offset math in Frida Offset Checks by @WilliamParks in #1314
• Fixed Forkserver shmem input length, made it configurable by @domenukk in #1342
• Fix build/clippy errors and update CASR by @addisoncrump in #1375
• fix(libafl): update Z3 dependency by @saruman9 in #1372
• fix riscv(32) tick reading albeit it passes with gcc it does not with… by @devnexen in #1381
• Fix generic hooks bug in libafl_qemu by @andreafioraldi in #1382
• Fix UB in frida fuzzers by @Mrmaxmeier in #1385
• ControlFlowGraph::calculate_difference_all_edges build warning fix. by @devnexen in #1390
• fix bolts build, intrinsics is an internal feature. by @devnexen in #1402
• bolts fix musl build. by @devnexen in #1421
• minibsod, fix clippy warning on generate_minibsod function's complexity by @devnexen in #1424
• Fix LLMP p2p + restart bug with CentralizedE...

0.10.1

Highlights

• libafl_cc pass to dump the whole program CFG
• Centralized event manager with main-secondary architecture
• MiniBSoD support for more BSDs
• General fuzzing improvements

What's Changed

• Centralized Testcase evaluation EventManager by @andreafioraldi in #1216
• Dump whole program's CFG pass by @tokatoka in #1226
• add the version information of LibAFL in the UI by @ToSeven in #1224
• Dump Call Graph by @tokatoka in #1230
• switch fuzzbench to FAST schedule by @vanhauser-thc in #1233
• switch sancov_8bit.rs to use OwnedMutSlice by @f0rki in #1235
• Use InMemoryOnDiskCorpus in fuzzbench fuzzer by @tokatoka in #1240
• Change DumpToDiskStage's callback by @tokatoka in #1242
• Update llvm for FreeBSD CI by @domenukk in #1243
• More security sensitive functions for coverage accounting by @tokatoka in #1246
• Ignore 'Broken Pipe' if child process does not read all of stdin by @arpankapoor in #1244
• Add a CI task that checks performance regression by @ToSeven in #1248
• Add file extension for clang in libafl_cc/build.rs by @NeXX451 in #1237
• Alternative scheduled count strategy by @addisoncrump in #1252
• Add pyproject.toml to python bindings by @twizmwazin in #1239
• Add suggestion for arg & args by @July541 in #1257
• Update pyo3 crate to 0.18.3 by @twizmwazin in #1255
• LibAFL_qemu: Disable Capstone to fix build issues on some distributions by @intrigus-lgtm in #1263
• Don't add llvm pass args when there're no passes & Don't pass -mllvm arguments when compiling asm files by @tokatoka in #1266
• Add check for if mutations were skipped to MutationalStages by @addisoncrump in #1265
• Allow configuring timeout for CommandExecutor by @arpankapoor in #1269
• Automatically add the comment about executions when a new PR triggers by @ToSeven in #1270
• Linking arguments for LLVM passes by @tokatoka in #1273
• Don't pass LLVM pass & its args during linking by @tokatoka in #1274
• Filter out unwanted arguments in libafl_cc by @tokatoka in #1276
• Disable capstone when building qemu-afl-bridge for user-mode fuzzing by @WorksButNotTested in #1281
• afl_cc fix build for LLVM 17 by @devnexen in #1286
• minibsod: generate_minibsod further memory maps data for freebsd. by @devnexen in #1285
• minibsod dragonflybsd's portage by @devnexen in #1287
• Add an observer for COUNTERS_MAPS for 8-bit SanCov by @novafacing in #1283
• Improve baby_fuzzer chapter of the documentation by @kokkonisd in #1289

Fixes

• Fix CommandExecutor type params by @tokatoka in #1222
• Fix #1228 by @tokatoka in #1229
• Fix double crash for solutions with the same filename (#1232) by @tokatoka in #1236
• Eco fuzz fix by @tokatoka in #1253
• Ecofuzz Fix 2 by @tokatoka in #1262
• Fix performance regression detection in CI #1248 by @ToSeven in #1259
• Fix #1276 by @tokatoka in #1277
• Fix CI by @tokatoka in #1292

New Contributors

• @NeXX451 made their first contribution in #1237
• @twizmwazin made their first contribution in #1239
• @July541 made their first contribution in #1257
• @novafacing made their first contribution in #1283
• @kokkonisd made their first contribution in #1289

Full Changelog: 0.10.0...0.10.1

0.10.0

Highlights

• AFL++'s Redqueen implementation
• New Scheduler method to run on evaluation
• EcoFuzz implementation
• Integration with CASR for deduplication
• Input loading from disk API moved to Corpus (this allows Corpora to be backed by network or databases)
• Batch mode timeout algorithm with lower syscall overhead (Linux only)
• Logic stages to enable and disable stages conditionally
• Full AFL++ forkserver support
• New WASM fuzzing example

What's Changed

• Change to combine restoration prologue with coverage register spill by @WorksButNotTested in #1029
• Remove unused imports by @tokatoka in #1035
• Add information about system mode QEMU by @domenukk in #1038
• Restart loading initial inputs even after a crash/timeout by @andreafioraldi in #1040
• Allow to load a list of files by @domenukk in #1044
• libafl: with_capacity method for NewHashFeedback by @langston-barrett in #1034
• Update deps for libafl by @rchildre3 in #1042
• libafl: Increase default capacity of NewHashFeedback by @langston-barrett in #1049
• Rename LLMP Timeout message by @tokatoka in #1048
• Send stability in calibration stage & FridaInstrumentationHelper retunrs Result<Self, Error> by @tokatoka in #1056
• Revert FridaInstrumentationHelper changes by @tokatoka in #1062
• Colorization stage by @tokatoka in #1039
• Remove unused deps by @tokatoka in #1069
• Use the log facade instead of println by @fabianfreyer in #1060
• QEMU: do not crash in helpers pre and post execs by @andreafioraldi in #1065
• Add stub lib for fuzzbench by @andreafioraldi in #1074
• minibsod solarish on amd64 implementations by @devnexen in #1068
• Use Instant::now instead of duration by @SpaceWhite in #1064
• Forkserver: 1. Add mem barrier 2. Don't send the initial 4 bytes message when it uses dynamic map option only by @tokatoka in #1073
• Add a missing condition for FS_OPT_MAPSIZE by @tokatoka in #1076
• CorpusMinimizer opt: don't add to map if it's the initial value (uninteresting) by @addisoncrump in #1078
• Make sure input was loaded to avoid panic on unwrap in MutatedTransform by @f0rki in #1077
• Weak link token section by @tokatoka in #1080* Use GuestAddr in QemuInstrumentationFilter by @andreafioraldi in #1085
• Move bytecount to dev-dependencies by @rchildre3 in #1090
• Exit broker when last client exits by @domenukk in #1057
• libafl: Generator instance for Iterator by @langston-barrett in #1101
• Cleanup forkserver exec builder by @clesmian in #1094
• UsesObserver by @tokatoka in #1104
• Add example for WASM by @addisoncrump in #1093
• on_evaluation Scheduler method by @andreafioraldi in #1106
• Real OnDiskCorpus by @domenukk in #1096
• Remove unnecessary check in calibration stage by @tokatoka in #1111
• Track parent testcase, tuneable stage probabilistic settings by @domenukk in #1081
• Implement EcoFuzz by @andreafioraldi in #1115
• Use a different crash history in forkserver examples by @arpankapoor in #1118
• SimpleLogger by @tokatoka in #1109
• Cargo feature to avoid regex dependency by @langston-barrett in #1102
• Forward on_evaluation callback in MinimizerScheduler by @EliaGeretto in #1122
• Use InMemoryCorpus in libfuzzer_libpng by @tokatoka in #1125
• Check CI result on cargo make test for available fuzzers by @SpaceWhite in #1107
• Improve find_llvm for MacOS by @Marcondiro in #1124
• Increase LLMP clients timeout to 5 min by @andreafioraldi in #1126
• Define custom collectors for QemuCallTracerHelper by @andreafioraldi in #1099
• Use regex feature in libafl_qemu by @andreafioraldi in #1127
• Safer EoP handling by @domenukk in #1128
• Allows libafl tests to run in miri by @domenukk in #1130
• Allow take the ownership of the BytesInput by @wtdcode in #1135
• Resolve zero-sized allocation in swap diff fuzzer by @addisoncrump in #1139
• AFL++ RedQueen by @tokatoka in #1087
• Added Truncate trait by @domenukk in #1141
• Make it explicit that clang/clang++ is needed by @tokatoka in #1142
• Created functions to get the metadata from State and Testcase by @matheusbaptistella in #1123
• Rename MetaData to Metadata by @tokatoka in #1144
• Create SchedulerTestcaseMetadata if it doesn't exist by @domenukk in #1151
• Implement From for usize by @domenukk in #1152
• Logic stages by @tokatoka in #1148
• IfStage by @tokatoka in #1157
• checks the presence of clang frontends. by @devnexen in #1158
• new metadata() and testcase() function added to the code by @matheusbaptistella in #1155
• Removed new_ from constructors that don't need it (API consistency) by @domenukk in #1159
• Don't build z3 from source by default (and add static_z3 feature) by @domenukk in #1160
• Remove duplicate lines in attributes by @bkrl in #1165
• libafl_frida run executable by @SpaceWhite in #1117
• fix UB in baby_fuzzer_grimoire by @Vincebye in #1166
• Install libz3-dev in CI by @domenukk in #1163
• Solves issue #1137 by @arimallick in #1168
• core_affinity freebsd constants are included in libc now. by @devnexen in #1170
• Remove libfuzzer_stb_image_sugar for now by @tokatoka in #1177
• Implement restarting without serializing the corpus by @andreafioraldi in #1182
• add readme documentation description about the tui feature by @Vincebye in #1198
• CASR deduplication for StacktraceObservers by @anfedotoff in #1184
• Use observers to handle crashes in run_target for TimeoutForkserverExecutor by @anfedotoff in #1189
• Bump to 0.10.0 by @andreafioraldi in #1156
• Removed more new_ (follow-up on #1159) by @domenukk in #1200
• qemu: Return errors from Emulator::new instead of asserting by @langston-barrett in #1197
• libafl: Copy-editing LLMP manager docstrings by @langston-barrett in #1208
• libafl: Mark buffer_{self_,}copy as unsafe, don't export them by @langston-barrett in #1207
• Tuneable stage with per-seed timeout by @domenukk in #1209
• Example fuzzers with even less UB by @domenukk in #1212
• serial_test as normal optional dep enabled with std by @andreafioraldi in #1215
• Batch mode timeouts (Linux only ATM) by @andreafioraldi in #1193
• Move Input loading and dumping APIs from Testcase to Corpus by @domenukk in #1201

Fixes

• Fix readme position in qemu sys by...

0.9.0

Highlights

• Userspace snapshot-fuzzing using libafl_qemu
• QEMU system mode fuzzing with fast snapshots
• Tuneable Stage, Scheduler, ScheduledMutator to change behavior on the fly
• Differential observers
• SyncFromBrokerStage to sync from a broker with a different Input type
• Introduce stable CorpusId to remove/update entries in Corpus
• Forkserver support to AFL++ adaptive map size and CmpLog
• Tinyinst binary-only instrumentation support
• New logo

What's Changed

• Calling original UnhandledExceptionFilter in the hook by @expend20 in #832
• token mutations: set MutationResult for CmpValues::Bytes by @Mrmaxmeier in #838
• Bump Nyx-QEMU to resolve GTK configuration by @rchildre3 in #837
• Install no_std nightly toolchain by @domenukk in #847
• Refactor QEMU snapshot helper and add mmap memory limit by @andreafioraldi in #844
• CI: Build fuzzers with shared cargo target dir by @Mrmaxmeier in #845
• Expose OUT_DIR for compiler passes to other components by @domenukk in #840
• DiffExecutor has two observers by @elManto in #843
• Set persistent mode env variables. by @tokatoka in #852
• Refactor Output Observers by @domenukk in #856
• Associated types for Corpus, State by @domenukk in #767
• Implement thread-safe AsanGiovese in Rust with snapshots support by @andreafioraldi in #851
• Disabling qemu dependecies for qemu fullsystem by @TeumessianFox in #737
• dump_registers update on netbsd x86_64 arch. by @devnexen in #863
• Remove fuzzbench_weighted and update fuzzbench by @andreafioraldi in #865
• Delete blob and add CI check by @andreafioraldi in #867
• dump_register/write_crash for freebsd arm64 by @devnexen in #870
• Monitor to export fuzzer metrics to Prometheus server by @peterwhitingyb in #875
• More Associated Types by @domenukk in #881
• Remove unused stage stub by @domenukk in #882
• stdio observers should use bytes, not strings by @langston-barrett in #885
• Reworked Docs, add missing files by @domenukk in #888
• Forkserver: support File input, update clap by @pr0me in #880
• Add standalone toolchain link to frida_libpng by @domenukk in #890
• FuzzbenchDumpStage in fuzzbench_text to dump the grimoire inputs as bytes for the fuzzbench measurers by @andreafioraldi in #869
• Tuneable Stage, Scheduler, ScheduledMutator by @domenukk in #874
• Pthread introspection hook (extends #263) by @fabianfreyer in #891
• More precise handling of libafl_cc dll_extensions by @domenukk in #892
• forkserver support attempt on freebsd by @devnexen in #898
• mopt: seed from state rand instead of current_nanos by @Mrmaxmeier in #902
• autotokens pass set elf section on other unixes too by @devnexen in #900
• Update observer.md by @Jorgecmartins in #904
• Adding DrCov for qemu by @TeumessianFox in #878
• Differential observers by @VTCAKAVSMoACE in #868
• Forksrv adaptive map size and AFL++ CmpLog support by @andreafioraldi in #896
• Save and restore CPU state in libafl_qemu by @andreafioraldi in #907
• libafl_frida: Point to in-repo docs from API docs by @langston-barrett in #886
• emu::current_cpu() is now the CPU that hitted the breakpoint in fullsystem by @andreafioraldi in #910
• libafl_qemu_sys and libafl_qemu_build to have bindgen with QEMU by @andreafioraldi in #915
• Add ValueObserver, an observer for a single value by @langston-barrett in #923
• Handle broker-to-broker connection interruptions more gracefully by @omergreen in #921
• SIGINT handlers, and Release StateRestorer shmem by @tokatoka in #894
• [Windows] Setup ASAN death callback by @tokatoka in #908
• TinyInst by @tokatoka in #854
  #931
• libafl: Remove set_initial, initial_mut from MapObserver trait by @langston-barrett in #932
• [Windows] Handle crashes without exception by @maxammann in #912
• Fast device+mem QEMU snapshots by @andreafioraldi in #930
• CI: Only test fuzzers with diffing deps by @andreafioraldi in #940
• disable libafl's default features in libafl-frida by @omergreen in #939
• Add mips support for QemuTracerHelper by @Sparrrgh in #941
• Deduplicate crash handlers by @tokatoka in #951
• [Windows] Add libfuzzer example for windows with ASAN by @maxammann in #934
• Make stalker.exclude() configurable from command line arguments by @tokatoka in #956
• Remodelling Observers/Examples that rely on UB by @domenukk in #950
• SimpleMonitor optionally with user_monitor stats by @TeumessianFox in #970
• Forkserver example with forkserver.c (#726) by @ergrelet in #973
• Remove declare -A by @tokatoka in #976
• Better MIPS register naming by @Sparrrgh in #977
• book review part2 by @hexcoder- in #980
• Book: Explain SymCC constraint solving (follow up on #980) by @domenukk in #986
• Changes to improve FRIDA x64 performance by @WorksButNotTested in #985
• Corpus maps by @andreafioraldi in #947
• OnDiskCorpus: Write metadata by default, metadata gzip compression by @domenukk in #995
• stacktrace: Use unresolved backtrace call by @arafel in #1002
• Optimization of FRIDA instrumentation for AARCH64 by @WorksButNotTested in #989
• SyncFromBrokerStage to sync from a broker with a different Input type by @andreafioraldi in #997
• TinyInst Update by @tokatoka in #968
• LLMP Message Timeout by @domenukk in #1005
• Introduce MutatorId, Tuneable fixes by @domenukk in #1022
• libafl_frida: Allow compilation for iOS by @fabianfreyer in #1023
• New Logo by @domenukk in #1025
• Python CI by @domenukk in #1024
• Remove {update,clear}_hash from ObserverWithHashField, add hasher (extending #1019) by @domenukk in #1028

##Fixes

• check_for_blobs.sh: respect gitignore by @Mrmaxmeier in #876
• Fix windows timeout by @tokatoka in #842
• Fix memory leaks and module instrumentation in frida_gdiplus by @khang06 in #841
• Fix aarch64 read_time_counter() by @tokatoka in #849
• CI: small fixes by @Mrmaxmeier in #855
• Fix launcher to work with returning run_client functions by @eknoes in #860
• sort of fix core affinity on mac arm64 by @devnexen in #873
• fixing freebsd unused import warning in core affinity. by @devnexen in #897
• Fix QEMU systemmode fuzzing by @alwinber in #883
• Update and fix concolic support by @julihoh in #901
• Fix scores when using on_replace by @VTCAKAVSMoACE in https://github.com/AFL...

0.8.2

Highlights

• NYX bridge with LibAFL with libafl_nyx by @syheliel
• JSON logging monitor by @eknoes
• Testcase and corpus minimizers by @VTCAKAVSMoACE
• TimeoutInprocessForkExecutor by @tokatoka
• Builds on various *nix operating systems by @devnexen

What's Changed

• New Pass Manager Arguments in #724
• Core affinity implementation for freebsd by @devnexen in #736
• NYX Executor (GSoC '22) by @syheliel in #693
• OSX force_load option in #743
• Add continous JSON Logging monitor by @eknoes in #738
• Netopenbsd build fix by @devnexen in #746
• follow-up on netbsd build fix, simplification. by @devnexen in #750
• Add test case minimising stage by @VTCAKAVSMoACE in #735
• Implement a corpus minimiser by @VTCAKAVSMoACE in #739
• Skippable stage, generator wrapper for Grimoire in #748
• MapFeedback: Adding support for with_name() by @TeumessianFox in #752
• dragonflybsd build fix for core affinity. by @devnexen in #753
• CI for FreeBSD in #754
• core affinity for FreeBSD pinning task to the wanted cpu by @devnexen in #756
• Do not zero-init struct in QEMU in #758
• adjust NyxExecutor trait bound to HasTargetBytes from HasBytesVec by @tcheinen in #760
• libafl_frida ASan hook adding apple's memset_pattern* api. by @devnexen in #761
• frida follow up on previous change for apple. by @devnexen in #763
• Add track_stability option to CalibrationStage in #781
• Dump registers on freebsd amd64 by @devnexen in #779
• Builds on Illumos, by @devnexen in #775
• reduces warnings when only version output is asked. by @devnexen in #778
• Extend gramatron recursive mutator to recurse 5 times in #783
• Dump registers on NetBSD amd64 by @devnexen in #786
• Add support for ARMBE8 by @WorksButNotTested in #768
• Dump reg for openbsd by @devnexen in #787
• Windows gdiplus by @expend20 in #789 & #792
• Remove clang download from windows CI by @expend20 in #791
• write_crash netbsd implementation by @devnexen in #788
• bolts::cpu::read_time_counter on arm64 by @devnexen in #790
• Add ability to use virtual dispatch to stagesTuple by @radl97 in #801
• Adding CPSR register for arm qemu emulation by @TeumessianFox in #800
• Enable additional rustc errors in test only in #809
• Adding fork feature passing from libafl_qemu to libafl crate by @TeumessianFox in #806
• Hide prelude behind feature flag in #782
• TimeoutInprocessForkExecutor in #797
• Fixes typo and grammar in spawn_instances.md doc by @Emauz in #811
• Minor changes for linux without fork feature by @TeumessianFox in #814
• Hook IsProcessorFeaturePresent to crash with STATUS_STACK_BUFFER_OVERRUN exception by @expend20 in #804
• Added Hacking TMNF blogpost to Resources in #819
• Moving to named parameters in format strings in #827

Fixes

• Unbreak tui with 1 client by @nicklangsysdig in #734
• Fix autotokens doc in #751
• Fix spelling error by @AidenRHall in #745
• Fix documentation error by @Lancern in #747
• Add doc for nyx by @syheliel in #759
• Fix cargo doc failed on windows by @SpaceWhite in #762
• Fix forkserver options in #771
• Stability improvements in #773
• Fix len miscalculation in grimoire string replace in #794
• Disable ObserversOwnedMap due to new Rust error in #807
• Fix FreeBSD CI in #820
• Backport AFL++ issue #1548 in #826
• Various Doc and CI fixes by @andreafioraldi, @tokatoka, @domenukk, @thebendavis, @Emauz

New Contributors

• @nicklangsysdig made their first contribution in #734
• @AidenRHall made their first contribution in #745
• @Lancern made their first contribution in #747
• @VTCAKAVSMoACE made their first contribution in #735
• @tcheinen made their first contribution in #760
• @SpaceWhite made their first contribution in #762
• @WorksButNotTested made their first contribution in #768
• @thebendavis made their first contribution in #796
• @radl97 made their first contribution in #801
• @Emauz made their first contribution in #811

Full Changelog: 0.8.1...0.8.2

0.8.1

Highlights

• Qemu arm launcher example by @TeumessianFox in #708
• Windows support for LLVM passes by @abgeana in #710
• Mac OS Autotokens by @tokatoka #723
• Raw API for full-system libafl_qemu by @andreafioraldi in #692

Further Changes

• Prelude module by @andreafioraldi in #709
• Change StdWeightedScheduler API by @tokatoka in #712
• Add HitcountsIterableMapObserver, rename AsMutIter to AsIterMut by @domenukk in #713
• Updated requirements in #714 & #715
• Remove num_cpus dependency by @domenukk in #717
• Deriving Clone for NopMonitor by @z2-2z in #721
• add rustfmt.toml by @syheliel in #722

Fixes

• Update fuzzbench_weighted to EXPLORE, fix linking by @tokatoka in #707
• Fix Autotokens by @tokatoka in #706
• Fix SIGILL handling in libafl_qemu by @andreafioraldi in #711
• Resize MapFeedbackMetadata with observer.initial() by @tokatoka in #718
• Simd Fix by @tokatoka in #729
• fix typo in aarch64.rs by @zuypt in #731

New Contributors

• @zuypt made their first contribution in #731

Full Changelog: 0.8.0...0.8.1

0.8.0

Highlights

• Graphical TUI Monitor based on tui-rs (#480)
• Differential Fuzzing Support: Differential executor, diff feedback, stdio observers (#521)
• Grimoire structured fuzzing support (#487)
• LLVM AutoTokens (#470)
• Much simpler API for feedback states (#627)
• Switched all example fuzzers from Makefiles to cargo-make (#537)
• libafl::Error can generate Backtraces (#617)
• Refactored libafl Python (#632)
• [libafl_frida] Enabled ASan for Apple (#478)
• [libafl_qemu] snapshot fuzzing (#484)
• [libafl_qemu] custom GDB commands for LibAFL (#671)

Further Changes

• Rework ShMem by @domenukk in #472
• libfuzzer-like repro arguments for fuzzbench by @andreafioraldi in #475
• Add AsSlice, AsMutSlice traits, refactor MapObservers to be iterable, and have associated types by @domenukk in #477
• [libafl_qemu] map_fixed and mprotect target memory by @evanrichter in #483
• AnyMap and owned collections of Observers and Stages by @andreafioraldi in #491
• [libafl_qemu] simplify emu::{read,write}_mem by @evanrichter in #496
• Expose more options to python qemu sugar by @epi052 in #492
• [libafl_qemu] GuestAddr type by @evanrichter in #501
• extend python forkserver api by @epi052 in #500
• Add options parser by @epi052 in #493
• Implement backtrace observers for crash dedupe by @yussf in #379
• Builder for CommandExecutor & Tokens Refactoring by @domenukk in #508
• Coverage accounting (BB metric atm) by @andreafioraldi in #507
• Frida Runtime Tuples by @tokatoka in #457
• frida-asan: Throw an exception on a failed new instead of just returning null by @s1341 in #512
• libafl_cc: -fsanitize=fuzzer is an alias to --libafl by @andreafioraldi in #518
• Non weak default sanitizers options functions by @andreafioraldi in #519
• Set map observers initial value to T::default() on creation by @andreafioraldi in #520
• Forkserver builder by @tokatoka in #523
• Autodict forkserver by @tokatoka in #525
• Github workflows frida build on windows by @tokatoka in #536
• Initial support to Python bindings for the libafl crate by @faroukfaiz10 in #429
• Walk the map observer using as_ref_iter() in the map feedback by @andreafioraldi in #535
• libafl_qemu decouple hooks from the executor and QemuForkExecutor by @andreafioraldi in #528
• [libafl_qemu] EasyElf::resolve_symbol return GuestAddr by @evanrichter in #540
• Add signal option to forkserver_simple by @tklengyel in #548
• Closure hooks and on thread create hook by @andreafioraldi in #542
• afl_exec_sec feature to count executions per second in the same way as AFL (sliding window), disabled by default by @andreafioraldi in #555
• Add function call level granularity for coverage accounting by @shouc in #552
• Add probabilistic sampling corpus scheduler by @shouc in #544
• Dump Control Flow Graph in AFLCoverage LLVM Pass by @shouc in #557
• Weighted corpus entry selection by @tokatoka in #570
• Set the number of stacked mutations in MOpt mutator by @tokatoka in #587
• Powerschedule::RAND by @tokatoka in #596
• Use ucontext from bolts::os::unix_signals for armv7 support by @pr0me in #612
• Update clap by @tokatoka in #621
• adding equivalent arm32 syscall for qemu snapshot by @elbiazo in #628
• Cmplog New Pass Manager & LLVM 14 Fixes by @tokatoka in #626
• Added autofix script by @domenukk in #639
• Moved to no_std preamble by @domenukk in #643
• Drop the build_id depedency and move to bolts by @andreafioraldi in #649
• Make OutFile auto-remove refcounted on drop by @domenukk in #654
• Windows-rs Update by @tokatoka in #657
• Moved core_affinity to bolts by @domenukk in #655
• Windows CI for frida by @tokatoka in #658
• C forkserver logic in libafl_targets by @andreafioraldi in #650
• Apple aarch64 fixes by @domenukk in #660
• LIBAFL_DEBUG_OUTPUT in Launcher and OnDiskTOMLMonitor to create fuzzer_stats by @andreafioraldi in #666
• Generating core ids based on the actual count of logical cores by @wizche in #669
• CustomBuf Events to exchange any data between fuzzers by @domenukk in #672
• New hooks for libafl_qemu by @andreafioraldi in #673
• Extend weighted scheduler by @tokatoka in #685
• TUI monitor no longer breaks the terminal if main thread panics by @TeumessianFox in #699

New Contributors

• @sagittarius-a made their first contribution in #488
• @epi052 made their first contribution in #492
• @yussf made their first contribution in #379
• @tklengyel made their first contribution in #548
• @shouc made their first contribution in #552
• @syheliel made their first contribution in #564
• @h1994st made their first contribution in #606
• @WilliamParks made their first contribution in #623
• @aoli-al made their first contribution in #616
• @elbiazo made their first contribution in #628
• @peamaeq made their first contribution in #637
• @wizche made their first contribution in #669
• @z2-2z made their first contribution in #688
• @Scepticz made their first contribution in #675
• @TeumessianFox made their first contribution in #699

Full Changelog: 0.7.1...0.8.0