Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/AFLplusplus/AFLplusplus/llms.txt

Use this file to discover all available pages before exploring further.

AFL++ exposes extensive functionality through environment variables, allowing you to customize compilation, instrumentation, and runtime behavior without modifying source code.
Most AFL++ tools warn about unknown AFL_* environment variables (e.g., typos). Set AFL_IGNORE_UNKNOWN_ENVS to disable these warnings.

Compiler Settings

These variables control AFL++ compiler behavior (afl-cc, afl-clang-fast, afl-clang-lto, afl-gcc-fast).

Compiler Selection

AFL_CC_COMPILER
enum
default:"auto"
Select instrumentation mode:
  • GCC_PLUGIN: afl-g*-fast
  • LLVM: afl-clang-fast*
  • LTO: afl-clang-lto*
export AFL_CC_COMPILER=LTO
AFL_CC
path
Downstream C compiler to use instead of default clang or gcc.
export AFL_CC=/usr/bin/clang-14
AFL_CXX
path
Downstream C++ compiler to use instead of default clang++ or g++.
export AFL_CXX=/usr/bin/clang++-14
AFL_COMPILER_LAUNCHER
string
Prepend a command to compiler invocations (e.g., ccache for faster recompilation).
export AFL_COMPILER_LAUNCHER=ccache

Optimization Settings

AFL_DONT_OPTIMIZE
boolean
Disable automatic -O3 optimization. Use if -Werror causes issues with optimization warnings.
export AFL_DONT_OPTIMIZE=1
AFL_OPT_LEVEL
string
default:"3"
Set optimization level (e.g., z for -Oz, s for -Os).
export AFL_OPT_LEVEL=z
AFL_NOOPT
boolean
Compile without AFL++ instrumentation (useful for ./configure scripts). Unset before building the actual target!
export AFL_NOOPT=1
./configure --disable-shared
unset AFL_NOOPT
make

Hardening

AFL_HARDEN
boolean
Automatically add hardening options: -D_FORTIFY_SOURCE=2 and -fstack-protector-all. Minor performance loss (~5%).
export AFL_HARDEN=1

Instrumentation Control

AFL_INST_RATIO
integer (0-100)
Instrument only a percentage of branches. Useful for very complex programs (ffmpeg, perl, v8). 0 = function transitions only.
export AFL_INST_RATIO=50  # Instrument 50% of branches
Outdated option. Only LLVM CLASSIC mode supports this.
AFL_NO_BUILTIN
boolean
Generate code suitable for libtokencap.so (slightly slower).
export AFL_NO_BUILTIN=1

Output Control

AFL_QUIET
boolean
Suppress afl-cc/afl-as banners during compilation.
export AFL_QUIET=1
AFL_DEBUG
boolean
Force output even when stdout/stderr are redirected. Useful for debugging build issues.
export AFL_DEBUG=1

Sanitizers

AFL_USE_ASAN
boolean
Enable AddressSanitizer (memory corruption detection).
export AFL_USE_ASAN=1
AFL_USE_MSAN
boolean
Enable MemorySanitizer (uninitialized memory detection).
export AFL_USE_MSAN=1
AFL_USE_UBSAN
boolean
Enable UndefinedBehaviorSanitizer.
export AFL_USE_UBSAN=1
AFL_UBSAN_VERBOSE
boolean
Output detailed diagnostics for undefined behavior (instead of just “Illegal Instruction”).
export AFL_UBSAN_VERBOSE=1
Verbose output significantly slows fuzzing. Use only for debugging.
AFL_USE_CFISAN
boolean
Enable Control Flow Integrity Sanitizer (type confusion detection).
export AFL_USE_CFISAN=1
AFL_CFISAN_VERBOSE
boolean
Output detailed CFI violation information.
export AFL_CFISAN_VERBOSE=1
AFL_USE_TSAN
boolean
Enable ThreadSanitizer (race condition detection).
export AFL_USE_TSAN=1
AFL_USE_LSAN
boolean
Enable LeakSanitizer. Requires __AFL_LEAK_CHECK(); in target code.
export AFL_USE_LSAN=1
AFL_USE_RTSAN
boolean
Enable RealtimeSanitizer (requires clang 20+).
export AFL_USE_RTSAN=1

Paths

AFL_PATH
path
Directory containing AFL++ runtime objects, plugins, and QEMU/Frida support files.
export AFL_PATH=/usr/local/lib/afl
TMPDIR
path
default:"/tmp"
Directory for temporary files used by afl-as.
export TMPDIR=/ramdisk/tmp

LLVM/LTO Instrumentation

These variables are specific to afl-clang-fast, afl-clang-lto, and LLVM modes.

Instrumentation Mode

AFL_LLVM_INSTRUMENT
enum
Select instrumentation type. Options:
  • CLASSIC: Classic AFL (colliding coverage)
  • PCGUARD: pcguard-based (default, non-colliding)
  • NATIVE: Clang’s original pcguard
  • CTX: Context-sensitive coverage
  • NGRAM-X: N-gram coverage (X = 2-16)
  • LTO: LTO instrumentation
  • CFG: Control Flow Graph (LTO mode)
Combine with comma: CLASSIC,CTX,NGRAM-4
export AFL_LLVM_INSTRUMENT=PCGUARD,CTX

CMPLOG

AFL_LLVM_CMPLOG
boolean
Produce a CMPLOG instrumented binary for input-to-state correspondence.
export AFL_LLVM_CMPLOG=1
CC=afl-clang-fast ./configure && make
AFL_GCC_CMPLOG
boolean
CMPLOG for afl-gcc-fast.
export AFL_GCC_CMPLOG=1

Context-Sensitive Coverage

AFL_LLVM_CTX
boolean
Activate context-sensitive branch coverage (each edge combined with caller).
export AFL_LLVM_CTX=1
Increase MAP_SIZE_POW2 in config.h to 18-20 to reduce collisions.

N-gram Coverage

AFL_LLVM_NGRAM_SIZE
integer (2-16)
Activate N-gram previous location coverage.
export AFL_LLVM_NGRAM_SIZE=4

LAF-Intel / COMPCOV

AFL_LLVM_LAF_ALL
boolean
Enable all LAF-Intel transformations (split compares, switches, floats).
export AFL_LLVM_LAF_ALL=1
AFL_LLVM_LAF_SPLIT_COMPARES
boolean
Split integer comparisons (64/32/16-bit CMP instructions).
export AFL_LLVM_LAF_SPLIT_COMPARES=1
AFL_LLVM_LAF_SPLIT_SWITCHES
boolean
Split switch constructs.
export AFL_LLVM_LAF_SPLIT_SWITCHES=1
AFL_LLVM_LAF_SPLIT_FLOATS
boolean
Split floating point comparisons (requires AFL_LLVM_LAF_SPLIT_COMPARES).
export AFL_LLVM_LAF_SPLIT_FLOATS=1
AFL_LLVM_LAF_TRANSFORM_COMPARES
boolean
Transform string comparison functions.
export AFL_LLVM_LAF_TRANSFORM_COMPARES=1

Dictionary Generation

AFL_LLVM_DICT2FILE
path
Write constant string comparisons to dictionary file.
export AFL_LLVM_DICT2FILE=/path/to/output.dict
AFL_LLVM_DICT2FILE_NO_MAIN
boolean
Skip parsing main() when generating dictionary.
export AFL_LLVM_DICT2FILE_NO_MAIN=1

Selective Instrumentation

AFL_LLVM_ALLOWLIST
path
Instrument only files/functions listed in this file.
export AFL_LLVM_ALLOWLIST=allowlist.txt
Format (one per line):
foo.cpp
fun: specific_function
AFL_LLVM_DENYLIST
path
Skip instrumenting files/functions listed in this file.
export AFL_LLVM_DENYLIST=denylist.txt

Injection Detection

AFL_LLVM_INJECTIONS_ALL
boolean
Enable all injection vulnerability hooks (SQL, LDAP, XSS).
export AFL_LLVM_INJECTIONS_ALL=1
AFL_LLVM_INJECTIONS_SQL
boolean
Enable SQL injection hooks.
export AFL_LLVM_INJECTIONS_SQL=1
AFL_LLVM_INJECTIONS_LDAP
boolean
Enable LDAP injection hooks.
export AFL_LLVM_INJECTIONS_LDAP=1
AFL_LLVM_INJECTIONS_XSS
boolean
Enable XSS injection hooks in libxml2.
export AFL_LLVM_INJECTIONS_XSS=1

Advanced LLVM Options

AFL_LLVM_NOT_ZERO
boolean
Use counters that skip zero on overflow (default for LLVM ≥ 9).
export AFL_LLVM_NOT_ZERO=1
AFL_LLVM_SKIP_NEVERZERO
boolean
Disable never-zero counter test (small performance boost for targets with few loops).
export AFL_LLVM_SKIP_NEVERZERO=1
AFL_LLVM_THREADSAFE_INST
boolean
Inject thread-safe instrumentation counters (disables neverzero).
export AFL_LLVM_THREADSAFE_INST=1
AFL_LLVM_DENY_EXEC
boolean
Abort when any exec* function is called (prevents coverage map corruption).
export AFL_LLVM_DENY_EXEC=1
AFL_LLVM_NO_RPATH
boolean
Disable setting rpath when LLVM is not in a standard location.
export AFL_LLVM_NO_RPATH=1

LTO Mode Specific

AFL_LLVM_MAP_ADDR
hex address
Set fixed map address (default: 0x10000). Use 0 for dynamic (slower).
export AFL_LLVM_MAP_ADDR=0x20000
AFL_LLVM_DOCUMENT_IDS
path
Document which edge ID was assigned to which function.
export AFL_LLVM_DOCUMENT_IDS=edge_mapping.txt
AFL_LLVM_LTO_STARTID
integer
default:"1"
Starting location ID for instrumentation.
export AFL_LLVM_LTO_STARTID=1000

GCC Plugin Settings

AFL_GCC_INSTRUMENT_FILE
path
Instrument only files listed (GCC_PLUGIN mode). Alias: AFL_GCC_ALLOWLIST.
export AFL_GCC_ALLOWLIST=allowlist.txt
AFL_GCC_DENYLIST
path
Skip files/functions listed (GCC_PLUGIN mode).
export AFL_GCC_DENYLIST=denylist.txt
AFL_GCC_OUT_OF_LINE
boolean
Use subroutine calls instead of inline instrumentation (slower).
export AFL_GCC_OUT_OF_LINE=1
AFL_GCC_SKIP_NEVERZERO
boolean
Disable never-zero counter test in GCC mode.
export AFL_GCC_SKIP_NEVERZERO=1
AFL_KEEP_ASSEMBLY
boolean
Prevent afl-as from deleting instrumented assembly files (GCC mode only).
mkdir assembly_output
export TMPDIR=$PWD/assembly_output
export AFL_KEEP_ASSEMBLY=1

Runtime Settings (Instrumented Binaries)

AFL_DUMP_MAP_SIZE
boolean
Dump the map size of the target and exit.
AFL_DUMP_MAP_SIZE=1 ./target
AFL_OLD_FORKSERVER
boolean
Use vanilla AFL forkserver (for compatibility with other tools like symcc).
export AFL_OLD_FORKSERVER=1
AFL_DISABLE_LLVM_INSTRUMENTATION
boolean
Disable instrumentation collection (internal use).
export AFL_DISABLE_LLVM_INSTRUMENTATION=1

afl-fuzz Settings

These control afl-fuzz behavior at runtime.

Basic Options

AFL_AUTORESUME
boolean
Resume fuzzing from existing output directory even if different -i is provided.
export AFL_AUTORESUME=1
afl-fuzz -i new_seeds -o existing_output -- ./target @@
AFL_INPUT_PLACEHOLDER
string
default:"@@"
Use custom placeholder instead of @@ for input file.
export AFL_INPUT_PLACEHOLDER=INPUT_FILE
afl-fuzz -i in -o out -- ./target INPUT_FILE
AFL_SKIP_CPUFREQ
boolean
Skip CPU frequency scaling check.
export AFL_SKIP_CPUFREQ=1
AFL_NO_AFFINITY
boolean
Disable CPU core binding (allows running more instances than cores).
export AFL_NO_AFFINITY=1
AFL_TRY_AFFINITY
boolean
Try CPU binding but don’t fail if unavailable.
export AFL_TRY_AFFINITY=1

Mutator Configuration

AFL_CUSTOM_MUTATOR_LIBRARY
path
Load custom mutator library (C/C++). Supports multiple (semicolon-separated).
export AFL_CUSTOM_MUTATOR_LIBRARY="/path/to/mutator1.so;/path/to/mutator2.so"
AFL_PYTHON_MODULE
string
Python module name for custom mutator.
export PYTHONPATH=/path/to/dir
export AFL_PYTHON_MODULE=my_mutator
AFL_CUSTOM_MUTATOR_ONLY
boolean
Use only custom mutators, disable AFL++ mutations.
export AFL_CUSTOM_MUTATOR_ONLY=1
AFL_CUSTOM_MUTATOR_LATE_SEND
boolean
Call afl_custom_fuzz_send() after target restart (for TCP services).
export AFL_CUSTOM_MUTATOR_LATE_SEND=1
AFL_DISABLE_TRIM
boolean
Disable test case trimming (usually a bad idea).
export AFL_DISABLE_TRIM=1
AFL_EXPAND_HAVOC_NOW
boolean
Start in extended havoc mode immediately (normally enabled automatically).
export AFL_EXPAND_HAVOC_NOW=1
AFL_NO_ARITH
boolean
Skip deterministic arithmetics (useful for text formats).
export AFL_NO_ARITH=1

Dictionary Options

AFL_NO_AUTODICT
boolean
Don’t load LTO auto-generated dictionary.
export AFL_NO_AUTODICT=1
AFL_MAX_DET_EXTRAS
integer
default:"200"
Threshold for probabilistic dictionary mode.
export AFL_MAX_DET_EXTRAS=300

CMPLOG Options

AFL_CMPLOG_ONLY_NEW
boolean
Run CMPLOG only on new findings, not startup seeds.
export AFL_CMPLOG_ONLY_NEW=1

Seed Handling

AFL_IGNORE_SEED_PROBLEMS
boolean
Skip crashing/timeout seeds instead of exiting.
export AFL_IGNORE_SEED_PROBLEMS=1
AFL_EXIT_ON_SEED_ISSUES
boolean
Restore vanilla AFL behavior: exit on crash/timeout seeds.
export AFL_EXIT_ON_SEED_ISSUES=1
AFL_CRASHING_SEEDS_AS_NEW_CRASH
boolean
Treat crashing seeds as new crashes (written to crashes folder).
export AFL_CRASHING_SEEDS_AS_NEW_CRASH=1

Performance Tuning

AFL_FAST_CAL
boolean
Speed up calibration stage (~2.5x faster, less precise).
export AFL_FAST_CAL=1
AFL_NO_STARTUP_CALIBRATION
boolean
Skip initial seed calibration, start fuzzing immediately.
export AFL_NO_STARTUP_CALIBRATION=1
Use only if calibration takes too long for your CI/short fuzzing runs.
AFL_TESTCACHE_SIZE
integer (MB)
Override TESTCASE_CACHE size. Recommended: 50-250MB.
export AFL_TESTCACHE_SIZE=100
AFL_TMPDIR
path
Write .cur_input file to this directory (use ramdisk for speed).
export AFL_TMPDIR=/ramdisk

Timeout/Memory

AFL_FORKSRV_INIT_TMOUT
integer (ms)
Timeout to wait for forkserver startup.
export AFL_FORKSRV_INIT_TMOUT=5000  # 5 seconds
AFL_HANG_TMOUT
integer (ms)
Timeout for determining if input is a “hang”.
export AFL_HANG_TMOUT=2000  # 2 seconds
AFL_KILL_SIGNAL
integer
default:"9"
Signal to deliver to child on timeout (default: SIGKILL).
export AFL_KILL_SIGNAL=15  # SIGTERM
AFL_FORK_SERVER_KILL_SIGNAL
integer
default:"15"
Signal to deliver to fork server on exit.
export AFL_FORK_SERVER_KILL_SIGNAL=15
AFL_MAP_SIZE
integer
Set coverage map size (must match compiled target).
export AFL_MAP_SIZE=65536
AFL_INPUT_LEN_MIN
integer
Minimum generated input length.
export AFL_INPUT_LEN_MIN=10
AFL_INPUT_LEN_MAX
integer
Maximum generated input length.
export AFL_INPUT_LEN_MAX=1000

Parallel Fuzzing

AFL_IMPORT_FIRST
boolean
Import test cases from other instances before doing anything else.
export AFL_IMPORT_FIRST=1
AFL_FINAL_SYNC
boolean
Perform final import of test cases when terminating (for -M main fuzzer).
export AFL_FINAL_SYNC=1
AFL_SYNC_TIME
integer (minutes)
default:"20"
Minimum time between fuzzing instance synchronization.
export AFL_SYNC_TIME=30
AFL_NO_SYNC
boolean
Disable all syncing (overrides other sync options).
export AFL_NO_SYNC=1

Exit Conditions

AFL_EXIT_ON_TIME
integer (seconds)
Terminate if no new paths found within specified time.
export AFL_EXIT_ON_TIME=3600  # 1 hour
AFL_EXIT_WHEN_DONE
boolean
Terminate when all paths fuzzed and no finds for a while.
export AFL_EXIT_WHEN_DONE=1

Crash Handling

AFL_CRASH_EXITCODE
integer
Treat specific exit code as crash.
export AFL_CRASH_EXITCODE=-1
AFL_ALLOW_CORES
boolean
Allow writing core files on crashes.
export AFL_ALLOW_CORES=1
AFL_NO_CRASH_README
boolean
Don’t write README.txt to crashes directory.
export AFL_NO_CRASH_README=1

Debugging

AFL_DEBUG_CHILD
boolean
Don’t suppress child output (useful for debugging).
export AFL_DEBUG_CHILD=1
AFL_NO_UI
boolean
Disable UI, print basic stats periodically.
export AFL_NO_UI=1
AFL_FORCE_UI
boolean
Force UI even without valid terminal.
export AFL_FORCE_UI=1
AFL_NO_COLOR
boolean
Disable colored console output.
export AFL_NO_COLOR=1
AFL_PRINT_FILENAMES
boolean
Print each filename as it’s processed (for afl-cmin, afl-showmap).
export AFL_PRINT_FILENAMES=1

Advanced Options

AFL_PRELOAD
path
Set LD_PRELOAD for target without affecting afl-fuzz.
export AFL_PRELOAD=/path/to/libdislocator.so
AFL_TARGET_ENV
string
Set environment variables for target binary.
export AFL_TARGET_ENV="VAR1=value1 VAR2='value 2'"
AFL_NO_FORKSRV
boolean
Disable forkserver optimization (fork + execve for every test).
export AFL_NO_FORKSRV=1
AFL_DEFER_FORKSRV
boolean
Enforce deferred forkserver even if not detected.
export AFL_DEFER_FORKSRV=1
AFL_PERSISTENT
boolean
Enforce persistent mode even if not detected.
export AFL_PERSISTENT=1
AFL_PERSISTENT_RECORD
integer
Record N previous inputs before crash in persistent mode.
export AFL_PERSISTENT_RECORD=10
Must be enabled in config.h first!
AFL_SHUFFLE_QUEUE
boolean
Randomly reorder input queue on startup.
export AFL_SHUFFLE_QUEUE=1
AFL_SHA1_FILENAMES
boolean
Name files by SHA1 hash instead of id:000000,....
export AFL_SHA1_FILENAMES=1
Disables syncing with other AFL instances!
AFL_CYCLE_SCHEDULES
boolean
Switch power schedule after each cycle.
export AFL_CYCLE_SCHEDULES=1
AFL_KEEP_TIMEOUTS
boolean
Keep longer-running inputs if they reach new coverage.
export AFL_KEEP_TIMEOUTS=1
AFL_IGNORE_TIMEOUTS
boolean
Ignore timeouts entirely for extra speed.
export AFL_IGNORE_TIMEOUTS=1
AFL_DISABLE_REDUNDANT
boolean
Disable redundant queue items.
export AFL_DISABLE_REDUNDANT=1

Frameshift

AFL_FRAMESHIFT_DISABLE
boolean
Disable frameshift analysis stage.
export AFL_FRAMESHIFT_DISABLE=1
AFL_FRAMESHIFT_MAX_OVERHEAD
float
default:"0.10"
Maximum fraction of time frameshift can consume (0.0-1.0).
export AFL_FRAMESHIFT_MAX_OVERHEAD=0.15

Statistics

AFL_STATSD
boolean
Enable StatsD metrics collection.
export AFL_STATSD=1
export AFL_STATSD_HOST=127.0.0.1
export AFL_STATSD_PORT=8125
AFL_STATSD_HOST
string
default:"127.0.0.1"
StatsD server host.
AFL_STATSD_PORT
integer
default:"8125"
StatsD server port.
AFL_STATSD_TAGS_FLAVOR
enum
StatsD tags format: dogstatsd, influxdb, librato, signalfx.
export AFL_STATSD_TAGS_FLAVOR=dogstatsd
AFL_FUZZER_STATS_UPDATE_INTERVAL
integer (seconds)
Interval to update fuzzer_stats file.
export AFL_FUZZER_STATS_UPDATE_INTERVAL=10

QEMU Mode Settings

AFL_QEMU_CUSTOM_BIN
boolean
Skip prepending afl-qemu-trace (use custom QEMU).
export AFL_QEMU_CUSTOM_BIN=1
AFL_ENTRYPOINT
hex address
Specify entry point into binary (must be basic block address).
export AFL_ENTRYPOINT=0x4004110
AFL_INST_LIBS
boolean
Instrument dynamically linked libraries (including glibc).
export AFL_INST_LIBS=1
AFL_QEMU_INST_RANGES
string
Instrument only specific memory ranges.
export AFL_QEMU_INST_RANGES=0x1000-0x2000,0x3000-0x4000
AFL_QEMU_EXCLUDE_RANGES
string
Exclude specific memory ranges from instrumentation.
export AFL_QEMU_EXCLUDE_RANGES=0x5000-0x6000
AFL_COMPCOV_LEVEL
integer (1-2)
CompareCoverage level for QEMU/libcompcov.
  • 1: Only immediate values / read-only memory
  • 2: All comparisons (more accurate, needs larger map)
export AFL_COMPCOV_LEVEL=2
AFL_QEMU_PERSISTENT_ADDR
hex address
Address of persistent loop body function.
export AFL_QEMU_PERSISTENT_ADDR=0x400500
AFL_QEMU_PERSISTENT_GPR
boolean
Save/restore general purpose registers in persistent mode.
export AFL_QEMU_PERSISTENT_GPR=1

Third-Party Sanitizer Options

AFL++ sets these to optimal values, but you can override:

ASAN Options

export ASAN_OPTIONS=abort_on_error=1:detect_leaks=0:malloc_context_size=0:symbolize=0:allocator_may_return_null=1
Always include abort_on_error=1 and symbolize=0 for AFL++ to work correctly.

MSAN Options

export MSAN_OPTIONS=exit_code=86:abort_on_error=1:symbolize=0:msan_track_origins=0:allocator_may_return_null=1

LSAN Options

export LSAN_OPTIONS=exit_code=23:fast_unwind_on_malloc=0:symbolize=0:print_suppressions=0

Quick Reference by Use Case

export AFL_QUIET=1
export AFL_FAST_CAL=1
export AFL_NO_UI=1

export AFL_TMPDIR=/ramdisk
export AFL_TESTCACHE_SIZE=200
export AFL_DISABLE_TRIM=1
export AFL_SKIP_CPUFREQ=1

export AFL_DEBUG=1
export AFL_DEBUG_CHILD=1
export AFL_NO_UI=1

export AFL_FINAL_SYNC=1          # Main fuzzer
export AFL_IMPORT_FIRST=1
export AFL_TESTCACHE_SIZE=100
export AFL_TMPDIR=/ramdisk

export AFL_LLVM_LAF_ALL=1        # Compile-time
export AFL_LLVM_CMPLOG=1
export AFL_CMPLOG_ONLY_NEW=1     # Runtime