# NeverZero counters for LLVM instrumentation

## Usage

In larger, complex or reiterative programs the byte-sized counters that collect
the edge coverage can easily fill up and wrap around.
This is not much of an issue, unless by chance a counter wraps to exactly zero
when the program execution ends.
In this case afl-fuzz is not able to see that the edge has been accessed and
will ignore it.

NeverZero prevents this behaviour. If a counter wraps, it jumps over the value
0 directly to 1. This improves path discovery (by a very small amount)
at a very small cost (one instruction per edge).

(The alternative of saturated counters has also been tested and proved to be
inferior in terms of path discovery.)

This is implemented in afl-gcc and afl-gcc-fast. For llvm_mode, however, it is
optional if multithread-safe counters are selected or the llvm version is below
9, as there are severe performance costs in these cases.

If you want to enable this for llvm versions below 9 or for thread-safe counters,
then set:

```
export AFL_LLVM_NOT_ZERO=1
```

If you are on llvm 9 or greater and you do not want this behaviour, then
you can set:

```
export AFL_LLVM_SKIP_NEVERZERO=1
```

If the target does not have extensive loops or functions that are called
a lot, then this can give a small performance boost.

Please note that the default counter implementations are not thread safe!

Support for thread-safe counters in LLVM CLASSIC mode can be activated by setting
`AFL_LLVM_THREADSAFE_INST=1`.
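
The wrap-to-zero problem and the NeverZero fix described above can be reproduced with a small model of a single byte-sized edge counter. This is an added example, not code from AFL++; the function names are illustrative, and the carry-add form is one way to express "skip 0 on wrap".

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of one byte-sized edge counter in the coverage map.
   Function names are illustrative, not AFL++ identifiers. */
typedef uint8_t (*update_fn)(uint8_t);

/* Plain counter: 255 + 1 wraps to 0. */
static uint8_t hit_plain(uint8_t c) { return (uint8_t)(c + 1); }

/* NeverZero: add the carry back, so 255 + 1 becomes 1 instead of 0. */
static uint8_t hit_neverzero(uint8_t c) {
    uint8_t n = (uint8_t)(c + 1);
    return (uint8_t)(n + (n == 0));
}

/* Saturated: stick at 255 once reached. */
static uint8_t hit_saturated(uint8_t c) { return c == 255 ? c : (uint8_t)(c + 1); }

/* Counter value left in the map after the edge was taken `hits` times. */
static uint8_t run(update_fn f, unsigned hits) {
    uint8_t c = 0;
    while (hits--) c = f(c);
    return c;
}

/* The fuzzer can only notice an edge whose counter is non-zero. */
static int edge_seen(uint8_t c) { return c != 0; }

int main(void) {
    const unsigned samples[] = {1, 255, 256, 512, 1000};
    puts("  hits  plain  neverzero  saturated  plain_seen");
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned h = samples[i];
        uint8_t p = run(hit_plain, h);
        printf("%6u  %5u  %9u  %9u  %s\n", h, (unsigned)p,
               (unsigned)run(hit_neverzero, h), (unsigned)run(hit_saturated, h),
               edge_seen(p) ? "yes" : "NO (edge missed)");
    }
    return 0;
}
```

With the plain counter, any hit count that is a multiple of 256 leaves a zero in the map, while the NeverZero counter stays non-zero and still changes value with further hits, unlike the saturated one.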