====
TODO
====

  (See README for the general instruction manual)

Here's the list of stuff I'm currently thinking about:

  - Investigation of x86 hardware branch tracing (Via the Linux perf API?)
    as an alternative to injected instrumentation.

  - More test cases! Contributions welcome - see testcases/wishlist.txt.

  - Detection of multi-threaded apps or apps that call execve(), to tell
    the user about trade-offs.

  - Special-cased expansion of strcmp() and related functions to replace
    them with instrumented loops; see experimental/instrumented_cmp/.

  - A rewrite of the fork server code in C, converted to assembly as a part
    of the build process.

  - Incorporation of the second part of Jann's fork server patch, allowing
    afl to skip over program initialization steps and stop precisely at first
    read.

  - A pluggable version of fuzz_one() to make it easy to write syntax-aware
    mutators without navigating a huge blob of code.

  - Breaking up afl-fuzz.c into several smaller files, for aesthetic purposes.

  - Proper support for threads, which would probably entail keeping track of
    prev_loc on a per-tid basis (may be slow).

  - Support for DynamoRIO (or PIN) for closed-source instrumentation of
    non-obfuscated binaries. Should be pretty easy, just not a top priority
    right now. Contributions welcome.

There is also one thing I get asked to do but am a bit unconvinced about:
support for fuzzing network services. When you want to fuzz a non-modified
daemon, you need to deal with multiple different process models, e.g.:

  - One-shot (inetd-style),
  - Single process (traditional UDP services),
  - accept-fork (traditional TCP services),
  - Worker pool (Apache),
  - Privilege-separated stuff (OpenSSH).

So, it's difficult to even understand which process needs to be monitored and
how to reset it to the original state for every new connection. The
implementation would be very messy and still probably fail more often than
it should. Your best bet is just to hack the code a bit to make it read from
stdin an exit when done.
